summaryrefslogtreecommitdiffstats
path: root/raddb/mods-available/eap
diff options
context:
space:
mode:
Diffstat (limited to 'raddb/mods-available/eap')
-rw-r--r--raddb/mods-available/eap75
1 files changed, 75 insertions, 0 deletions
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index ee9e539..d149707 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -33,6 +33,28 @@ eap {
#
timer_expire = 60
+ #
+ # Some supplicants may misbehave by starting many thousands
+ # of EAP sessions, but never finishing them. These sessions
+ # can cause the server to hit 'max_sessions' very quickly.
+ # The 'timer_expire' configuration above does not help as
+ # much as it could, because the old (duplicate) session
+ # should be deleted as soon as the new one comes in.
+ #
+ # If you set the 'dedup_key' below, whenever the EAP module
+ # starts a new session, it will check for a previous session
+ # which has the same dedup key. If a previous session
+ # is found, it is deleted.
+ #
+ # Setting this configuration item may cause issues if the
+ # same device uses multiple EAP sessions at the same time.
+ # But that device behavior should be rare to non-existent.
+ #
+ # The configuration item is commented out so that upgrades
+ # do not change existing behavior.
+ #
+# dedup_key = "%{Calling-Station-Id}"
+
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
@@ -231,6 +253,9 @@ eap {
# Directory where multiple CAs are stored. Both
# "ca_file" and "ca_path" can be used at the same time.
#
+ # Each file in this directory must contain one
+ # certificate, and ONLY one certificate.
+ #
ca_path = ${cadir}
# OpenSSL does not reload contents of ca_path dir over time.
@@ -1112,4 +1137,54 @@ eap {
#
# virtual_server = inner-tunnel
#}
+
+ # EAP-TEAP
+ #
+ # The TEAP module implements the EAP-TEAP protocol
+ #
+ #teap {
+ # Point to the common TLS configuration
+ #
+ # tls = tls-common
+
+ # default_eap_type = mschapv2
+
+ # If 'cipher_list' is set here, it will over-ride the
+ # 'cipher_list' configuration from the 'tls-common'
+ # configuration. The EAP-TEAP module has it's own
+ # over-ride for 'cipher_list' because the
+ # specifications mandata a different set of ciphers
+ # than are used by the other EAP methods.
+ #
+ # cipher_list though must include "ADH" for anonymous provisioning.
+ # This is not as straight forward as appending "ADH" alongside
+ # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+ # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+ #
+ # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+
+ # PAC lifetime in seconds (default: seven days)
+ #
+ # pac_lifetime = 604800
+
+ # Authority ID of the server
+ #
+ # If you are running a cluster of RADIUS servers, you should make
+ # the value chosen here (and for "pac_opaque_key") the same on all
+ # your RADIUS servers. This value should be unique to your
+ # installation. We suggest using a domain name.
+ #
+ # authority_identity = "1234"
+
+ # PAC Opaque encryption key (must be exactly 32 bytes in size)
+ #
+ # This value MUST be secret, and MUST be generated using
+ # a secure method, such as via 'openssl rand -hex 32'
+ #
+ # pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
+
+ # Same as for TTLS, PEAP, etc.
+ #
+ # virtual_server = inner-tunnel
+ #}
}