Diffstat (limited to '')
-rw-r--r-- | raddb/sites-available/aws-nlb | 9 | ||||
-rw-r--r-- | raddb/sites-available/default | 16 | ||||
-rw-r--r-- | raddb/sites-available/inner-tunnel | 9 | ||||
-rw-r--r-- | raddb/sites-available/tls | 44 |
4 files changed, 75 insertions, 3 deletions
diff --git a/raddb/sites-available/aws-nlb b/raddb/sites-available/aws-nlb
index acea81e..06ca632 100644
--- a/raddb/sites-available/aws-nlb
+++ b/raddb/sites-available/aws-nlb
@@ -33,6 +33,15 @@ listen {
 proto = tcp
 ipaddr = *
 port = 8000
+
+ #
+ # Set limits so that unused connections get cleaned up quickly.
+ #
+ limit {
+ max_connections = 16
+ lifetime = 5
+ idle_timeout = 5
+ }
 }
 
 #
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 78b7ae7..b4339bd 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -348,6 +348,20 @@ authorize {
 digest
 
 #
+ # The dpsk module implements dynamic PSK.
+ #
+ # If the request contains FreeRADIUS-802.1X-Anonce
+ # and FreeRADIUS-802.1X-EAPoL-Key-Msg, then it will set
+ # &control:Auth-Type := dpsk
+ #
+ # The "rewrite_called_station_id" policy creates the
+ # Called-Station-MAC attribute, which is needed by
+ # the dpsk module.
+ #
+# rewrite_called_station_id
+# dpsk
+
+ #
 # The WiMAX specification says that the Calling-Station-Id
 # is 6 octets of the MAC. This definition conflicts with
 # RFC 3580, and all common RADIUS practices. If you are using
@@ -534,6 +548,8 @@ authenticate {
 pap
 }
 
+# dpsk
+
 #
 # Most people want CHAP authentication
 # A back-end database listed in the 'authorize' section
diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index c178baa..1197e08 100644
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -194,7 +194,7 @@ authorize {
 # LDAP servers can only do PAP. They cannot do CHAP, MS-CHAP,
 # or EAP.
 #
-# if (!&control.Auth-Type && &User-Password) {
+# if (!&control:Auth-Type && &User-Password) {
 # update control {
 # &Auth-Type := LDAP
 # }
@@ -409,6 +409,13 @@ post-auth {
 &Module-Failure-Message := &request:Module-Failure-Message
 }
 }
+
+ #
+ # Access-Challenge packets are sent through the Challenge sub-section
+ # of the post-auth section.
+ #
+ #Post-Auth-Type Challenge {
+ #}
 }
 
 #
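Review bot: The new `limit` block in the aws-nlb listen section states no units for `lifetime` and `idle_timeout`, and the comment only says unused connections are cleaned up quickly; the enclosing `listen` section starts before this hunk. Since this listener exists to answer NLB health checks, an operator tuning it needs to know that the two timeouts are presumably in seconds (as the `limit` section of sites-available/default documents them) and that `max_connections` caps the concurrent TCP connections this port will hold open, which is what bounds the cost of a burst of unwanted connections to it. I would extend the comment to `# lifetime and idle_timeout are in seconds; max_connections bounds the concurrent health-check connections this port will hold open.`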
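Review bot: The `# dpsk` line added to the authenticate section of sites-available/default carries no comment, while the matching authorize entry in the first hunk of that file is documented in full; a reader who uncomments only the authorize entry gets requests whose `Auth-Type` is forced to `dpsk` with, as far as I can tell, no matching authenticate entry to run them, so they would fail rather than fall through. The authorize comment should say that both entries go together, and the authenticate line should carry its own pointer. I would add above the authenticate line `# dpsk: counterpart of the dpsk entry in authorize. Uncomment both together (the module presumably also has to be enabled under mods-enabled).` Both enclosing sections start and end outside their hunks.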
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 137fcbc..6eab1fe 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -56,12 +56,15 @@ listen {
 #
 type = auth+acct
 
- # For now, only TCP transport is allowed.
+ # For now, only TCP transport is allowed.
 proto = tcp
 
- # Send packets to the default virtual server
+ # Send packets to the default virtual server
 virtual_server = default
 
+ #
+ # We have clients specifically for TLS.
+ #
 clients = radsec
 
 #
@@ -88,6 +91,22 @@ listen {
 # proxy_protocol = no
 
 #
+ # This configuration item should be enabled for all listen
+ # sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
+ #
 # When this is set to "yes", new TLS connections
 # are processed through a section called
 #
@@ -310,6 +329,11 @@ listen {
 tls_max_version = "1.3"
 
 #
+ # See mods-available/eap for documentation
+ #
+ ecdh_curve = ""
+
+ #
 # Session resumption / fast reauthentication
 # cache.
 #
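Review bot: `ecdh_curve = ""` in the third hunk of sites-available/tls is added with only a pointer to mods-available/eap, so the meaning of the empty value is not stated in the listener where it takes effect; the enclosing `listen` section starts and ends outside the hunk. A reader hardening a RadSec listener could reasonably assume an empty string disables ephemeral ECDH, whereas, if mods-available/eap documents it the way I expect (that file is not in this diff), the empty value delegates the curve choice to OpenSSL's defaults. I would expand the comment to `# Empty string: let OpenSSL choose the curve(s) for ECDHE. See mods-available/eap for the full documentation.`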
@@ -514,6 +538,22 @@ home_server tls {
 proto = tcp
 status_check = none
 
+ #
+ # This configuration item should be enabled for all
+ # home_server sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
 tls {
 #
 # Similarly to HTTP, the client can use Server Name |