From de8bf9112695763664912e340b265fa898188460 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 26 Aug 2024 12:41:52 +0200 Subject: Merging upstream version 3.2.5+dfsg. Signed-off-by: Daniel Baumann --- raddb/mods-available/eap | 75 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) (limited to 'raddb/mods-available/eap') diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index ee9e539..d149707 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -33,6 +33,28 @@ eap { # timer_expire = 60 + # + # Some supplicants may misbehave by starting many thousands + # of EAP sessions, but never finishing them. These sessions + # can cause the server to hit 'max_sessions' very quickly. + # The 'timer_expire' configuration above does not help as + # much as it could, because the old (duplicate) session + # should be deleted as soon as the new one comes in. + # + # If you set the 'dedup_key' below, whenever the EAP module + # starts a new session, it will check for a previous session + # which has the same dedup key. If a previous session + # is found, it is deleted. + # + # Setting this configuration item may cause issues if the + # same device uses multiple EAP sessions at the same time. + # But that device behavior should be rare to non-existent. + # + # The configuration item is commented out so that upgrades + # do not change existing behavior. + # +# dedup_key = "%{Calling-Station-Id}" + # There are many EAP types, but the server has support # for only a limited subset. If the server receives # a request for an EAP type it does not support, then @@ -231,6 +253,9 @@ eap { # Directory where multiple CAs are stored. Both # "ca_file" and "ca_path" can be used at the same time. # + # Each file in this directory must contain one + # certificate, and ONLY one certificate. + # ca_path = ${cadir} # OpenSSL does not reload contents of ca_path dir over time. 
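Review bot: The example `dedup_key = "%{Calling-Station-Id}"` keys session eviction on an attribute that is ultimately supplied by the client side (the supplicant's MAC as relayed by the NAS), so once enabled, anyone who can spoof a victim's MAC can start new EAP sessions and have the server delete the victim's in-flight session, turning the anti-exhaustion measure into a targeted denial of service. The added comment only warns about one device legitimately running several sessions; I would add, after the "Setting this configuration item" paragraph, `# The key comes from attributes the client or NAS sends, so a spoofed Calling-Station-Id can evict another client's in-progress session; only enable this where that trade-off is acceptable.` It would also help to state what happens when the attribute is absent and the expansion is empty — presumably all such sessions collide on one key — so operators know to pick an attribute their NAS always sends.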
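Review bot: The new `ca_path` comment states that each file must hold exactly one certificate but leaves out the other requirement of OpenSSL's directory lookup, which is that files are found by subject-name hash, so the directory has to be populated with `openssl rehash`/`c_rehash` (or hash-named symlinks) or the certificates will not be used for chain building at all. I would extend the added comment with `# Files must also be named (or symlinked) by subject hash, e.g. run 'openssl rehash ${cadir}' after adding a CA; OpenSSL will not find them otherwise.` Given the existing note that OpenSSL does not reload the directory, it may be worth adding that a rehash takes effect only after a server restart, if that is indeed the case.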
@@ -1112,4 +1137,54 @@ eap { # # virtual_server = inner-tunnel #} + + # EAP-TEAP + # + # The TEAP module implements the EAP-TEAP protocol + # + #teap { + # Point to the common TLS configuration + # + # tls = tls-common + + # default_eap_type = mschapv2 + + # If 'cipher_list' is set here, it will over-ride the + # 'cipher_list' configuration from the 'tls-common' + # configuration. The EAP-TEAP module has it's own + # over-ride for 'cipher_list' because the + # specifications mandata a different set of ciphers + # than are used by the other EAP methods. + # + # cipher_list though must include "ADH" for anonymous provisioning. + # This is not as straight forward as appending "ADH" alongside + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used + # + # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" + + # PAC lifetime in seconds (default: seven days) + # + # pac_lifetime = 604800 + + # Authority ID of the server + # + # If you are running a cluster of RADIUS servers, you should make + # the value chosen here (and for "pac_opaque_key") the same on all + # your RADIUS servers. This value should be unique to your + # installation. We suggest using a domain name. + # + # authority_identity = "1234" + + # PAC Opaque encryption key (must be exactly 32 bytes in size) + # + # This value MUST be secret, and MUST be generated using + # a secure method, such as via 'openssl rand -hex 32' + # + # pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + + # Same as for TTLS, PEAP, etc. + # + # virtual_server = inner-tunnel + #} } -- cgit v1.2.3
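Review bot: The `pac_opaque_key` guidance in the new `teap` block is self-contradictory: the key is said to be exactly 32 bytes and the example is 32 characters long, but `openssl rand -hex 32` prints 64 hex characters, so an administrator following the instruction gets a key of the wrong length (`openssl rand -hex 16` yields 32 characters). The same lines deserve an explicit warning that the example `0123456789abcdef0123456789ABCDEF` and `authority_identity = "1234"` must never be used as-is, since anyone who knows the key can presumably decrypt, and possibly mint, PAC-Opaque blobs. The recommended `cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"` deliberately admits anonymous DH (`ADH`/`aNULL`), which provides no server authentication during anonymous provisioning, so I would add next to it `# ADH suites give no server authentication: enable only if anonymous in-band PAC provisioning is really needed, and prefer a narrower base than ALL`. Finally, `mandata` should read `mandate` and `it's own` should read `its own`.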