1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
|
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id$
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = md5
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
#
# Some supplicants may misbehave by starting many thousands
# of EAP sessions, but never finishing them. These sessions
# can cause the server to hit 'max_sessions' very quickly.
# The 'timer_expire' configuration above does not help as
# much as it could, because the old (duplicate) session
# should be deleted as soon as the new one comes in.
#
# If you set the 'dedup_key' below, whenever the EAP module
# starts a new session, it will check for a previous session
# which has the same dedup key. If a previous session
# is found, it is deleted.
#
# Setting this configuration item may cause issues if the
# same device uses multiple EAP sessions at the same time.
# But that device behavior should be rare to non-existent.
#
# The configuration item is commented out so that upgrades
# do not change existing behavior.
#
# dedup_key = "%{Calling-Station-Id}"
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
#
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
#
cisco_accounting_username_bug = no
# Help prevent DoS attacks by limiting the number of
# sessions that the server is tracking. For simplicity,
# this is taken from the "max_requests" directive in
# radiusd.conf.
#
max_sessions = ${max_requests}
############################################################
#
# Supported EAP-types
#
# EAP-MD5
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# EAP-pwd -- secure password-based authentication
#
#pwd {
# group = 19
# server_id = theserver@example.com
# This has the same meaning as for TLS.
#
# fragment_size = 1020
# The virtual server which determines the
# "known good" password for the user.
# Note that unlike TLS, only the "authorize"
# section is processed. EAP-PWD requests can be
# distinguished by having a User-Name, but
# no User-Password, CHAP-Password, EAP-Message, etc.
#
# virtual_server = "inner-tunnel"
#}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments. See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# LEAP is not supported.
# It is insecure, and no one should be using it.
#
# EAP-GTC -- Generic Token Card
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#
# challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
# Common TLS configuration for TLS-based EAP types
# ------------------------------------------------
#
# See raddb/certs/README.md for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# If you do not currently have certificates signed by
# a trusted CA you may use the 'snakeoil' certificates.
# Included with the server in raddb/certs.
#
# If these certificates have not been auto-generated:
# cd raddb/certs
# make
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
#
tls-config tls-common {
private_key_password = whatever
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If ca_file (below) is not used, then the
# certificate_file below SHOULD also include all of
# the intermediate CA certificates used to sign the
# server certificate, but NOT the root CA.
#
# Including the ROOT CA certificate is not useful and
# merely inflates the exchanged data volume during
# the TLS negotiation.
#
# This file should contain the server certificate,
# followed by intermediate certificates, in order.
# i.e. If we have a server certificate signed by CA1,
# which is signed by CA2, which is signed by a root
# CA, then the "certificate_file" should contain
# server.pem, followed by CA1.pem, followed by
# CA2.pem.
#
# When using "ca_file" or "ca_path", the
# "certificate_file" should contain only
# "server.pem". And then you may (or may not) need
# to set "auto_chain", depending on your version of
# OpenSSL.
#
# In short, SSL / TLS certificates are complex.
# There are many versions of software, each of which
# behave slightly differently. It is impossible to
# give advice which will work everywhere. Instead,
# we give general guidelines.
#
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# This file can contain multiple CA certificates.
# ALL of the CA's in this list will be trusted to
# issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
ca_file = ${cadir}/ca.pem
#
# Directory where multiple CAs are stored. Both
# "ca_file" and "ca_path" can be used at the same time.
#
# Each file in this directory must contain one
# certificate, and ONLY one certificate.
#
ca_path = ${cadir}
# OpenSSL does not reload contents of ca_path dir over time.
# That means that if check_crl is enabled and CRLs are loaded
# from ca_path dir, at some point CRLs will expire and
# the server will stop authenticating users.
#
# If ca_path_reload_interval is non-zero, it will force OpenSSL
# to reload all data from ca_path periodically
#
# Flush ca_path each hour
# ca_path_reload_interval = 3600
# OpenSSL will automatically create certificate chains,
# unless we tell it to not do that. The problem is that
# it sometimes gets the chains right from a certificate
# signature view, but wrong from the clients view.
#
# When setting "auto_chain = no", the server certificate
# file MUST include the full certificate chain.
#
# auto_chain = yes
# If OpenSSL supports TLS-PSK, then we can use a
# fixed PSK identity and (hex) password. These can
# be used at the same time as the certificate
# configuration, but only for TLS 1.0 through 1.2.
#
# If PSK and certificates are configured at the same
# time for TLS 1.3, then the server will warn you,
# and will disable TLS 1.3, as it will not work.
#
# The work around is to have two modules (or for
# RadSec, two listen sections). One will have PSK
# configured, and the other will have certificates
# configured.
#
# psk_identity = "test"
# psk_hexphrase = "036363823"
# Dynamic queries for the PSK. If TLS-PSK is used,
# and psk_query is set, then you MUST NOT use
# psk_identity or psk_hexphrase.
#
# Instead, use a dynamic expansion similar to the one
# below. It keys off of TLS-PSK-Identity. It should
# return a of string no more than 512 hex characters.
# That string will be converted to binary, and will
# be used as the dynamic PSK hexphrase.
#
# Note that this query is just an example. You will
# need to customize it for your installation.
#
# psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
# For DH cipher suites to work in OpenSSL < 1.1.0,
# you have to run OpenSSL to create the DH file
# first:
#
# openssl dhparam -out certs/dh 2048
#
# For OpenSSL >= 1.1.0, just leave this commented
# out, and OpenSSL will do the right thing.
#
# dh_file = ${certdir}/dh
# If your system doesn't have /dev/urandom,
# you will need to create this file, and
# periodically change its contents.
#
# For security reasons, FreeRADIUS doesn't
# write to files in its configuration
# directory.
#
# random_file = /dev/urandom
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the lines below.
# 5) Restart radiusd
# check_crl = yes
# Check if intermediate CAs have been revoked.
# check_all_crl = yes
# Accept an expired Certificate Revocation List
#
# allow_expired_crl = no
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the certificate verification will fail,
# rejecting the user.
#
# This check can be done more generally by checking
# the value of the TLS-Client-Cert-Issuer attribute.
# This check can be done via any mechanism you
# choose.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# This check can be done more generally by writing
# "unlang" statements to examine the value of the
# TLS-Client-Cert-Common-Name attribute.
#
# check_cert_cn = %{User-Name}
#
# This configuration item only applies when there is
# an intermediate CA between the "root" CA, and the
# client certificate. If we trust the root CA, then
# by definition we also trust ANY intermediate CA
# which is signed by that root. This means ANOTHER
# intermediate CA can issue client certificates, and
# have them accepted by the EAP module.
#
# The solution is to list ONLY the trusted CAs in the
# FreeRADIUS configuration, and then set this
# configuration item to "yes".
#
# Then, when the server receives a client certificate
# from an untrusted CA, that authentication request
# can be rejected.
#
# It is possible to do these checks in "unlang", by
# checking for unknown names in the
# TLS-Cert-Common-Name attribute, but that is
# more complex. So we add a configuration option
# which can be set once, and which works for all
# possible intermediate CAs, no matter what their
# value.
#
# reject_unknown_intermediate_ca = no
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
#
cipher_list = "DEFAULT"
# Set this option to specify the allowed
# TLS signature algorithms for OpenSSL 1.1.1 and above.
# The format and available signature algorithms are listed
# in "man 3 SSL_CTX_set1_sigalgs_list".
#
# sigalgs_list = ""
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
# for choosing right cipher suite rather than
# using client-specified list which is OpenSSl default
# behavior. Setting this to "yes" means that OpenSSL
# will choose the servers ciphers, even if they do not
# best match what the client sends.
#
# TLS negotiation is usually good, but can be imperfect.
# This setting allows administrators to "fine tune" it
# if necessary.
#
cipher_server_preference = no
# You can selectively disable TLS versions for
# compatability with old client devices.
#
# If your system has OpenSSL 1.1.0 or greater, do NOT
# use these. Instead, set tls_min_version and
# tls_max_version.
#
# disable_tlsv1_2 = yes
# disable_tlsv1_1 = yes
# disable_tlsv1 = yes
# Set min / max TLS version.
#
# Generally speaking you should NOT use TLS 1.0 or
# TLS 1.1. They are old, possibly insecure, and
# deprecated. However, it is sometimes necessary to
# enable it for compatibility with legact systems.
# We recommend replacing those legacy systems, and
# using at least TLS 1.2.
#
# Some Debian versions disable older versions of TLS,
# and requires the application to manually enable
# them.
#
# If you are running such a distribution, you should
# set these options, otherwise older clients will not
# be able to connect.
#
# Allowed values are "1.0", "1.1", "1.2", and "1.3".
#
# As of 2021, it is STRONGLY RECOMMENDED to set
#
# tls_min_version = "1.2"
#
# Older TLS versions are insecure and deprecated.
#
# In order to enable TLS 1.0 and TLS 1.1, you may
# also need to update cipher_list below to:
#
# * OpenSSL >= 3.x
#
# cipher_list = "DEFAULT@SECLEVEL=0"
#
# * OpenSSL < 3.x
#
# cipher_list = "DEFAULT@SECLEVEL=1"
#
# The values must be in quotes.
#
# We also STRONGLY RECOMMEND to set
#
# tls_max_version = "1.2"
#
# While the server will accept "1.3" as a value,
# most EAP supplicants WILL NOT DO TLS 1.3 PROPERLY.
#
# i.e. they WILL NOT WORK, SO DO NOT ASK QUESTIONS ON
# THE LIST ABOUT WHY IT DOES NOT WORK.
#
# The TLS 1.3 support is here for future
# compatibility, as clients get upgraded, and people
# don't upgrade their copies of FreeRADIUS.
#
# Also note that we only support TLS 1.3 for EAP-TLS,
# TTLS, and PEAP. It is not supported for EAP-FAST.
#
tls_min_version = "1.2"
tls_max_version = "1.2"
# Elliptical cryptography configuration
#
# This configuration should be one of the following:
#
# * a name of the curve to use, e.g. "prime256v1".
#
# * a colon separated list of curve NIDs or names.
#
# * an empty string, in which case OpenSSL will choose
# the "best" curve for the situation.
#
# For supported curve names, please run
#
# openssl ecparam -list_curves
#
ecdh_curve = ""
# Session resumption / fast reauthentication
# cache.
#
# The cache contains the following information:
#
# session Id - unique identifier, managed by SSL
# User-Name - from the Access-Accept
# Stripped-User-Name - from the Access-Request
# Cached-Session-Policy - from the Access-Accept
#
# See also the "store" subsection below for
# additional attributes which can be cached.
#
# The "Cached-Session-Policy" is the name of a
# policy which should be applied to the cached
# session. This policy can be used to assign
# VLANs, IP addresses, etc. It serves as a useful
# way to re-apply the policy from the original
# Access-Accept to the subsequent Access-Accept
# for the cached session.
#
# On session resumption, these attributes are
# copied from the cache, and placed into the
# reply list.
#
# You probably also want "use_tunneled_reply = yes"
# when using fast session resumption.
#
# You can check if a session has been resumed by
# looking for the existence of the EAP-Session-Resumed
# attribute. Note that this attribute will *only*
# exist in the "post-auth" section.
#
# CAVEATS: The cache is stored and reloaded BEFORE
# the "post-auth" section is run. This limitation
# makes caching more difficult than it should be. In
# practice, it means that the first authentication
# session must set the reply attributes before the
# post-auth section is run.
#
# When the session is resumed, the attributes are
# restored and placed into the session-state list.
#
cache {
# Enable it. The default is "no". Deleting the entire "cache"
# subsection also disables caching.
#
# The session cache requires the use of the
# "name" and "persist_dir" configuration
# items, below.
#
# The internal OpenSSL session cache has been permanently
# disabled.
#
# You can disallow resumption for a particular user by adding the
# following attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT enable resumption for just one
# user by setting the above attribute to "yes".
#
enable = no
# Lifetime of the cached entries, in hours. The sessions will be
# deleted/invalidated after this time.
#
lifetime = 24 # hours
# Internal "name" of the session cache. Used to
# distinguish which TLS context sessions belong to.
#
# The server will generate a random value if unset.
# This will change across server restart so you MUST
# set the "name" if you want to persist sessions (see
# below).
#
# name = "EAP module"
# Simple directory-based storage of sessions.
# Two files per session will be written, the SSL
# state and the cached VPs. This will persist session
# across server restarts.
#
# The default directory is ${logdir}, for historical
# reasons. You should ${db_dir} instead. And check
# the value of db_dir in the main radiusd.conf file.
# It should not point to ${raddb}
#
# The server will need write perms, and the directory
# should be secured from anyone else. You might want
# a script to remove old files from here periodically:
#
# find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
#
# This feature REQUIRES "name" option be set above.
#
# persist_dir = "${logdir}/tlscache"
#
# It is possible to partially
# control which attributes exist in the
# session cache. This subsection lists
# attributes which are taken from the reply,
# and saved to the on-disk cache. When the
# session is resumed, these attributes are
# added to the "session-state" list. The
# default configuration will then take care
# of copying them to the reply.
#
store {
Tunnel-Private-Group-Id
}
}
# Client certificates can be validated via an
# external command. This allows dynamic CRLs or OCSP
# to be used.
#
# This configuration is commented out in the
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
# If OCSP checking is enabled, and the OCSP checks fail,
# the verify section is not run.
#
# If OCSP checking is disabled, the verify section is
# run on successful certificate validation.
#
verify {
# If the OCSP checks succeed, the verify section
# is run to allow additional checks.
#
# If you want to skip verify on OCSP success,
# uncomment this configuration item, and set it
# to "yes".
#
# skip_if_ocsp_ok = no
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
# and MUST not be accessible by any other
# users. When the server starts, it will do
# "chmod go-rwx" on the directory, for
# security reasons. The directory MUST
# exist when the server starts.
#
# You should also delete all of the files
# in the directory when the server starts.
#
# tmpdir = /tmp/radiusd
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
#
# The ${..ca_path} text is a reference to
# the ca_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
#
# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
# OCSP Configuration
#
# Certificates can be verified against an OCSP
# Responder. This makes it possible to immediately
# revoke certificates without the distribution of
# new Certificate Revocation Lists (CRLs).
#
ocsp {
# Enable it. The default is "no".
# Deleting the entire "ocsp" subsection
# also disables ocsp checking
#
enable = no
# The OCSP Responder URL can be automatically
# extracted from the certificate in question.
# To override the OCSP Responder URL set
# "override_cert_url = yes".
#
override_cert_url = yes
# If the OCSP Responder address is not extracted from
# the certificate, the URL can be defined here.
#
url = "http://127.0.0.1/ocsp/"
# If the OCSP Responder can not cope with nonce
# in the request, then it can be disabled here.
#
# For security reasons, disabling this option
# is not recommended as nonce protects against
# replay attacks.
#
# Note that Microsoft AD Certificate Services OCSP
# Responder does not enable nonce by default. It is
# more secure to enable nonce on the responder than
# to disable it in the query here.
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
#
# use_nonce = yes
# Number of seconds before giving up waiting
# for OCSP response. 0 uses system default.
#
# timeout = 0
# Normally an error in querying the OCSP
# responder (no response from server, server did
# not understand the request, etc) will result in
# a validation failure.
#
# To treat these errors as 'soft' failures and
# still accept the certificate, enable this
# option.
#
# Warning: this may enable clients with revoked
# certificates to connect if the OCSP responder
# is not available. Use with caution.
#
# softfail = no
}
#
# The server can present different certificates based
# on the realm presented in EAP. See
# raddb/certs/realms/README.md for examples of how to
# configure this.
#
# Note that the default is to use the same set of
# realm certificates for both EAP and RadSec! If
# this is not what you want, you should use different
# subdirectories or each, e.g. ${certdir}/realms/radsec/,
# and ${certdir}/realms/eap/
#
# realm_dir = ${certdir}/realms/
}
# EAP-TLS
#
# The TLS configuration for TLS-based EAP types is held in
# the "tls-config" section, above.
#
tls {
# Point to the common TLS configuration
#
tls = tls-common
# As part of checking a client certificate, the EAP-TLS
# sets some attributes such as TLS-Client-Cert-Common-Name. This
# virtual server has access to these attributes, and can
# be used to accept or reject the request.
#
# virtual_server = check-eap-tls
# You can control whether or not EAP-TLS requires a
# client certificate by setting
#
# configurable_client_cert = yes
#
# Once that setting has been changed, you can then set
#
# EAP-TLS-Require-Client-Cert = No
#
# in the control items for a request, and the EAP-TLS
# module will not require a client certificate from
# the supplicant.
#
# WARNING: This configuration should only be used
# when the users are placed into a "captive portal"
# or "walled garden", where they have limited network
# access. Otherwise the configuraton will allow
# anyone on the network, without authenticating them!
#
# configurable_client_cert = no
}
# EAP-TTLS -- Tunneled TLS
#
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
ttls {
# Which tls-config section the TLS negotiation parameters
# are in - see EAP-TLS above for an explanation.
#
# In the case that an old configuration from FreeRADIUS
# v2.x is being used, all the options of the tls-config
# section may also appear instead in the 'tls' section
# above. If that is done, the tls= option here (and in
# tls above) MUST be commented out.
#
tls = tls-common
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TTLS tunnel, we recommend
# using EAP-MD5. If the request does not contain an
# EAP conversation, then this configuration entry is
# ignored.
#
default_eap_type = md5
# The tunneled authentication request does not usually
# contain useful attributes like 'Calling-Station-Id',
# etc. These attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to 'yes',
# any attribute which is NOT in the tunneled
# authentication request, but which IS available
# outside of the tunnel, is copied to the tunneled
# request.
#
# allowed values: {no, yes}
#
copy_request_to_tunnel = no
# This configuration item is deprecated. Instead,
# you should use:
#
# update outer.session-state {
# ...
# }
#
# This will cache attributes for the final Access-Accept.
#
# See "update outer.session-state" in the "post-auth"
# sections of sites-available/default, and of
# sites-available/inner-tunnel
#
# The reply attributes sent to the NAS are usually
# based on the name of the user 'outside' of the
# tunnel (usually 'anonymous'). If you want to send
# the reply attributes based on the user name inside
# of the tunnel, then set this configuration entry to
# 'yes', and the reply to the NAS will be taken from
# the reply to the tunneled request.
#
# allowed values: {no, yes}
#
use_tunneled_reply = no
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# A virtual server MUST be specified.
#
virtual_server = "inner-tunnel"
# This has the same meaning, and overwrites, the
# same field in the "tls" configuration, above.
# The default value here is "yes".
#
# include_length = yes
# Unlike EAP-TLS, EAP-TTLS does not require a client
# certificate. However, you can require one by setting the
# following option. You can also override this option by
# setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
# Note that the majority of supplicants do not support using a
# client certificate with EAP-TTLS, so this option is unlikely
# to be usable for most people.
#
# require_client_cert = yes
}
# EAP-PEAP
#
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# https://support.microsoft.com/en-us/help/814394/
#
# If is still doesn't work, and you're using Samba,
# you may be encountering a Samba bug. See:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
peap {
# Which tls-config section the TLS negotiation parameters
# are in - see EAP-TLS above for an explanation.
#
# In the case that an old configuration from FreeRADIUS
# v2.x is being used, all the options of the tls-config
# section may also appear instead in the 'tls' section
# above. If that is done, the tls= option here (and in
# tls above) MUST be commented out.
#
tls = tls-common
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
#
default_eap_type = mschapv2
# The PEAP module also has these configuration
# items, which are the same as for TTLS.
#
copy_request_to_tunnel = no
# This configuration item is deprecated. Instead,
# you should use:
#
# update outer.session-state {
# ...
# }
#
# This will cache attributes for the final Access-Accept.
#
# See "update outer.session-state" in the "post-auth"
# sections of sites-available/default, and of
# sites-available/inner-tunnel
#
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
#
# This setting can be over-ridden on a packet by
# packet basis by setting
#
# &control:Proxy-Tunneled-Request-As-EAP = yes
#
# proxy_tunneled_request_as_eap = yes
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# A virtual server MUST be specified.
#
virtual_server = "inner-tunnel"
# This option enables support for MS-SoH
# see doc/SoH.txt for more info.
# It is disabled by default.
#
# soh = yes
# The SoH reply will be turned into a request which
# can be sent to a specific virtual server:
#
# soh_virtual_server = "soh-server"
# Unlike EAP-TLS, PEAP does not require a client certificate.
# However, you can require one by setting the following
# option. You can also override this option by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
# Note that the majority of supplicants do not support using a
# client certificate with PEAP, so this option is unlikely to
# be usable for most people.
#
# require_client_cert = yes
}
# EAP-MSCHAPv2
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
# In earlier versions of the server, this module
# never sent the MS-CHAP-Error message to the client.
# This worked, but it had issues when the cached
# password was wrong. The server *should* send
# "E=691 R=0" to the client, which tells it to prompt
# the user for a new password.
#
# The default is to use that functionality. which is
# known to work. If you set "send_error = yes", then
# the error message will be sent back to the client.
# This *may* help some clients work better, but *may*
# also cause other clients to stop working.
#
# send_error = no
# Server identifier to send back in the challenge.
# This should generally be the host name of the
# RADIUS server. Or, some information to uniquely
# identify it.
#
# identity = "FreeRADIUS"
}
# EAP-FAST
#
# The FAST module implements the EAP-FAST protocol
#
#fast {
# Point to the common TLS configuration
#
# tls = tls-common
# If 'cipher_list' is set here, it will over-ride the
# 'cipher_list' configuration from the 'tls-common'
# configuration. The EAP-FAST module has it's own
# over-ride for 'cipher_list' because the
# specifications mandata a different set of ciphers
# than are used by the other EAP methods.
#
# cipher_list though must include "ADH" for anonymous provisioning.
# This is not as straight forward as appending "ADH" alongside
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
#
# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
# PAC lifetime in seconds (default: seven days)
#
# pac_lifetime = 604800
# Authority ID of the server
#
# If you are running a cluster of RADIUS servers, you should make
# the value chosen here (and for "pac_opaque_key") the same on all
# your RADIUS servers. This value should be unique to your
# installation. We suggest using a domain name.
#
# authority_identity = "1234"
# PAC Opaque encryption key (must be exactly 32 bytes in size)
#
# This value MUST be secret, and MUST be generated using
# a secure method, such as via 'openssl rand -hex 32'
#
# pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
# Same as for TTLS, PEAP, etc.
#
# virtual_server = inner-tunnel
#}
# EAP-TEAP
#
# The TEAP module implements the EAP-TEAP protocol
#
#teap {
# Point to the common TLS configuration
#
# tls = tls-common
# default_eap_type = mschapv2
# If 'cipher_list' is set here, it will over-ride the
# 'cipher_list' configuration from the 'tls-common'
# configuration. The EAP-TEAP module has it's own
# over-ride for 'cipher_list' because the
# specifications mandata a different set of ciphers
# than are used by the other EAP methods.
#
# cipher_list though must include "ADH" for anonymous provisioning.
# This is not as straight forward as appending "ADH" alongside
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
#
# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
# PAC lifetime in seconds (default: seven days)
#
# pac_lifetime = 604800
# Authority ID of the server
#
# If you are running a cluster of RADIUS servers, you should make
# the value chosen here (and for "pac_opaque_key") the same on all
# your RADIUS servers. This value should be unique to your
# installation. We suggest using a domain name.
#
# authority_identity = "1234"
# PAC Opaque encryption key (must be exactly 32 bytes in size)
#
# This value MUST be secret, and MUST be generated using
# a secure method, such as via 'openssl rand -hex 32'
#
# pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
# Same as for TTLS, PEAP, etc.
#
# virtual_server = inner-tunnel
#}
}
|