Diffstat (limited to 'raddb/sites-available')
-rw-r--r--raddb/sites-available/aws-nlb9
-rw-r--r--raddb/sites-available/default16
-rw-r--r--raddb/sites-available/inner-tunnel9
-rw-r--r--raddb/sites-available/tls44
4 files changed, 75 insertions, 3 deletions
diff --git a/raddb/sites-available/aws-nlb b/raddb/sites-available/aws-nlb
index acea81e..06ca632 100644
--- a/raddb/sites-available/aws-nlb
+++ b/raddb/sites-available/aws-nlb
@@ -33,6 +33,15 @@ listen {
proto = tcp
ipaddr = *
port = 8000
+
+ #
+ # Set limits so that unused connections get cleaned up quickly.
+ #
+ limit {
+ max_connections = 16
+ lifetime = 5
+ idle_timeout = 5
+ }
}
#
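Review bot: The new comment says the limits clean up "unused" connections, but `lifetime = 5` closes every connection on this listener after that age whether or not it is idle; only `idle_timeout = 5` is about unused connections, and `max_connections = 16` is a concurrency cap, not a cleanup setting. The units are also not stated; if these follow the usual listen-section `limit` semantics they are seconds, which is worth confirming and writing down. A comment such as `# lifetime and idle_timeout are in seconds: lifetime closes every connection after 5s (idle or not), idle_timeout closes connections with no traffic, max_connections caps concurrent connections on this listener.` would make the intent of each value clear to whoever tunes them later.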
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 78b7ae7..b4339bd 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -348,6 +348,20 @@ authorize {
digest
#
+ # The dpsk module implements dynamic PSK.
+ #
+ # If the request contains FreeRADIUS-802.1X-Anonce
+ # and FreeRADIUS-802.1X-EAPoL-Key-Msg, then it will set
+ # &control:Auth-Type := dpsk
+ #
+ # The "rewrite_called_station_id" policy creates the
+ # Called-Station-MAC attribute, which is needed by
+ # the dpsk module.
+ #
+# rewrite_called_station_id
+# dpsk
+
+ #
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. If you are using
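Review bot: The new comment block does not say that enabling `dpsk` here is only half the change: the module is also added, commented out, in the `authenticate` section in this file's second hunk (line `# dpsk` after `pap`), and the authorize-side comment says `&control:Auth-Type := dpsk` will be set, which can only succeed if that authenticate entry is uncommented too. Suggest adding `# If you enable "dpsk" here, also enable it in the "authenticate" section below.` to the block. It would also help to state that `rewrite_called_station_id` must stay listed before `dpsk`, since the comment says dpsk needs the Called-Station-MAC attribute that the policy creates; the ordering shown is correct but the reason for it is implicit.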
@@ -534,6 +548,8 @@ authenticate {
pap
}
+# dpsk
+
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index c178baa..1197e08 100644
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -194,7 +194,7 @@ authorize {
# LDAP servers can only do PAP. They cannot do CHAP, MS-CHAP,
# or EAP.
#
-# if (!&control.Auth-Type && &User-Password) {
+# if (!&control:Auth-Type && &User-Password) {
# update control {
# &Auth-Type := LDAP
# }
@@ -409,6 +409,13 @@ post-auth {
&Module-Failure-Message := &request:Module-Failure-Message
}
}
+
+ #
+ # Access-Challenge packets are sent through the Challenge sub-section
+ # of the post-auth section.
+ #
+ #Post-Auth-Type Challenge {
+ #}
}
#
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 137fcbc..6eab1fe 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -56,12 +56,15 @@ listen {
#
type = auth+acct
- # For now, only TCP transport is allowed.
+ # For now, only TCP transport is allowed.
proto = tcp
- # Send packets to the default virtual server
+ # Send packets to the default virtual server
virtual_server = default
+ #
+ # We have clients specifically for TLS.
+ #
clients = radsec
#
@@ -88,6 +91,22 @@ listen {
# proxy_protocol = no
#
+ # This configuration item should be enabled for all listen
+ # sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
+ #
# When this is set to "yes", new TLS connections
# are processed through a section called
#
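Review bot: The new comment explains what `nonblock = yes` buys but not what happens at the shipped default, which is the information an operator needs to decide whether to turn it on; given the text says the server can only "gracefully recover" from a blocking TLS connection with it enabled, the implication is that with it left off a peer that stops reading can stall this listener, and if that is the behaviour being alluded to it should be stated plainly, e.g. `# With nonblock = no, a single TLS connection that stops draining at the network layer can stall this listener until it is closed.`. The phrase "bare TCP connections" is also easy to misread two lines under `proto = tcp`, since this listener is itself TCP with TLS on top; `# bare (non-TLS) RADIUS/TCP connections` would remove the ambiguity. The same comment text is duplicated in the `home_server tls` hunk later in this file, so both copies should be adjusted together.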
@@ -310,6 +329,11 @@ listen {
tls_max_version = "1.3"
#
+ # See mods-available/eap for documentation
+ #
+ ecdh_curve = ""
+
+ #
# Session resumption / fast reauthentication
# cache.
#
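Review bot: `ecdh_curve = ""` is added with only a pointer to mods-available/eap, so a reader of this file cannot tell whether the empty string disables ECDH key exchange or selects the library's default curve set, and that distinction matters for what the TLS listener will negotiate. Presumably the empty value means "use the TLS library defaults" (confirm against the eap module documentation), in which case a one-line statement of that here, e.g. `# An empty value leaves curve selection to the TLS library; set a curve name only if you need to restrict it.`, would save the cross-file lookup and make an accidental `""` from a deliberate one distinguishable.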
@@ -514,6 +538,22 @@ home_server tls {
proto = tcp
status_check = none
+ #
+ # This configuration item should be enabled for all
+ # home_server sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
tls {
#
# Similarly to HTTP, the client can use Server Name