# -*- text -*- # # $Id$ # # Sample configuration for an EAP module that occurs *inside* # of a tunneled method. It is used to limit the EAP types that # can occur inside of the inner tunnel. # # See also raddb/sites-available/inner-tunnel # # To use this module, edit raddb/sites-available/inner-tunnel, and # replace the references to "eap" with "inner-eap". # # See raddb/eap.conf for full documentation on the meaning of the # configuration entries here. # eap inner-eap { # This is the best choice for PEAP. default_eap_type = tls timer_expire = 60 # This should be the same as the outer eap "max sessions" max_sessions = 2048 # Supported EAP-types md5 { } gtc { # The default challenge, which many clients # ignore.. #challenge = "Password: " auth_type = PAP } mschapv2 { } # No TTLS or PEAP configuration should be listed here. ## EAP-TLS # # You SHOULD use different certificates than are used # for the outer EAP configuration! # # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. # tls { # # These is used to simplify later configurations. # certdir = ${confdir}/certs cadir = ${confdir}/certs ##private_key_password = whatever private_key_file = ${certdir}/radius-key.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/radius-cert.pem # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. CA_file = ${cadir}/INFN-TERENA-CA.pem # # For DH cipher suites to work, you have to # run OpenSSL to create the DH file first: # # openssl dhparam -out certs/dh 1024 # dh_file = ${certdir}/dh random_file = ${certdir}/random # # This can never exceed the size of a RADIUS # packet (4096 bytes), and is preferably half # that, to accomodate other attributes in # RADIUS packet. On most APs the MAX packet # length is configured between 1500 - 1600 # In these cases, fragment size should be # 1024 or less. # fragment_size = 1024 # include_length is a flag which is # by default set to yes If set to # yes, Total Length of the message is # included in EVERY packet we send. # If set to no, Total Length of the # message is included ONLY in the # First packet of a fragment series. # # include_length = yes # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. # 2) Execute 'c_rehash '. # 'c_rehash' is OpenSSL's command. # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes # CA_path = /path/to/directory/with/ca_certs/and/crls/ CA_path = ${cadir} # # If check_cert_issuer is set, the value will # be checked against the DN of the issuer in # the client certificate. If the values do not # match, the cerficate verification will fail, # rejecting the user. # # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # # If check_cert_cn is set, the value will # be xlat'ed and checked against the CN # in the client certificate. If the values # do not match, the certificate verification # will fail rejecting the user. # # This check is done only if the previous # "check_cert_issuer" is not set, or if # the check succeeds. # # check_cert_cn = %{User-Name} # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". cipher_list = "DEFAULT" # # The session resumption / fast reauthentication # cache CANNOT be used for inner sessions. # } }