# -*- text -*-
#
#  $Id$

#
#  Sample configuration for an EAP module that occurs *inside*
#  of a tunneled method.  It is used to limit the EAP types that
#  can occur inside of the inner tunnel.
#
#  See also raddb/sites-available/inner-tunnel
#
#  See raddb/mods-available/eap for full documentation on the meaning of these
#  configuration entries.
#
eap inner-eap {
	# This is the best choice for PEAP.
	default_eap_type = mschapv2

	#  See the main "eap" file for the units and meaning of
	#  this timer.
	timer_expire     = 60

	#  This should be the same as the outer eap "max sessions"
	max_sessions = 2048

	# Supported EAP-types
	#
	#  Only the types listed as sub-sections here can be
	#  used inside the tunnel.  Remove the ones you do not
	#  need so they cannot be negotiated.
	md5 {
	}

	gtc {
		#  The default challenge, which many clients
		#  ignore.
		#challenge = "Password: "

		#  NOTE(review): with auth_type = PAP the GTC response
		#  is checked as a plaintext password (see the main
		#  "eap" file); confirm that is what you intend.
		auth_type = PAP
	}

	mschapv2 {
		# See eap for documentation
#		send_error = no
	}

	# No TTLS or PEAP configuration should be listed here.

	## EAP-TLS
	#
	#  You SHOULD use different certificates than are used
	#  for the outer EAP configuration!
	#
	#  You can create the "inner-server.pem" file by doing:
	#
	#	cd raddb/certs
	#	vi inner-server.cnf
	#	make inner-server
	#
	#  The certificate MUST be different from the "server.cnf"
	#  file.
	#
	#  Support for PEAP/TLS and RFC 5216 TLS/TLS is experimental.
	#  It might work, or it might not.
	#
	tls {
		#  "whatever" is a placeholder.  The passphrase sits
		#  in cleartext in this file, so set the real value
		#  only in a copy that is readable solely by the
		#  user the server runs as.
		private_key_password = whatever
		private_key_file = ${certdir}/inner-server.pem

		#  If Private key & Certificate are located in
		#  the same file, then private_key_file &
		#  certificate_file must contain the same file
		#  name.
		#
		#  If ca_file (below) is not used, then the
		#  certificate_file below MUST include not
		#  only the server certificate, but ALSO all
		#  of the CA certificates used to sign the
		#  server certificate.
		certificate_file = ${certdir}/inner-server.pem

		#  You may want different CAs for inner and outer
		#  certificates.  If so, edit this file.
		#
		#  ca_file is the set of CAs trusted to sign client
		#  certificates (see the main "eap" file), so limit
		#  it to the CAs that actually issue them.
		ca_file = ${cadir}/ca.pem

		#  Handed to the TLS library as a cipher-list string.
		#  "DEFAULT" is the library's own default set; see
		#  the main "eap" file before tightening it.
		cipher_list = "DEFAULT"

		#  You may want to set a very small fragment size.
		#  The TLS data here needs to go inside of the
		#  outer EAP-TLS protocol.
		#
		#  Try values and see if they work...
	#	fragment_size = 1024

		#  Other needful things
		dh_file = ${certdir}/dh
		random_file = /dev/urandom

		#  CRL and OCSP things go here.  See the main "eap"
		#  file for details.
	#	check_crl = yes
	#	ca_path = /path/to/directory/with/ca_certs/and/crls/

		# Accept an expired Certificate Revocation List
		#
		#  With the commented-out value "no", an expired CRL
		#  makes the certificate check fail instead of
		#  revocation being silently skipped.
#		allow_expired_crl = no

		#
		#  The session resumption / fast re-authentication
		#  cache CANNOT be used for inner sessions.
		#
	}
}