| 2 | ## |
| 3 | ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) |
| 4 | ## |
| 5 | ## $Id: 0fffa886244eb9cfce13103d551b7a30f6538802 $ |
| 6 | |
| 7 | ####################################################################### |
| 8 | # |
| 9 | # Whatever you do, do NOT set 'Auth-Type := EAP'. The server |
| 10 | # is smart enough to figure this out on its own. The most |
| 11 | # common side effect of setting 'Auth-Type := EAP' is that the |
| 12 | # users then cannot use ANY other authentication method. |
| 13 | # |
| 14 | # EAP types NOT listed here may be supported via the "eap2" module. |
| 15 | # See experimental.conf for documentation. |
| 16 | # |
| 17 | eap { |
# EAP method offered when the EAP-Identity response arrives.
# The initial EAP message does not name a method, so one MUST be
# chosen here, and only one default may be set at a time.  If another
# module sets the EAP-Type attribute, that value takes precedence
# over this default.
#
# NOTE(review): with TLS as the default, certificate-based EAP-TLS is
# what the server proposes first; clients that want TTLS/PEAP have to
# negotiate those instead -- confirm this matches the supplicants in
# this deployment.
default_eap_type = TLS

# Outstanding EAP-Request/EAP-Response pairs are tracked in a list;
# entries older than this many seconds expire and are deleted.
timer_expire = 60

# The server supports only a subset of EAP types.  A request for an
# unsupported type is normally rejected.  Setting this to "yes" keeps
# processing the request so that another module can proxy it to a
# RADIUS server that does support the type; if no such module is
# configured the request still ends up rejected.
ignore_unknown_eap_types = no

# Work-around for Cisco AP1230B firmware 12.2(13)JA1, which copies one
# byte too many from a User-Name in an Access-Accept: "yes" appends an
# extra zero byte.  Leave "no" unless that firmware is in use.
cisco_accounting_username_bug = no

# DoS mitigation: cap the number of EAP sessions tracked at once.  For
# simplicity this reuses "max_requests" from radiusd.conf.
max_sessions = ${max_requests}
| 66 | |
| 67 | # Supported EAP-types |
| 68 | |
#
# EAP-MSCHAPv2 (no options).  NOTE(review): the stock warning that
# sat here -- EAP-MD5 is not recommended for wireless, it is insecure
# and provides no dynamic WEP keys -- referred to an md5 { } section,
# which this file does not contain, so EAP-MD5 is not enabled here.
# The mschapv2 section below is defined a second time, together with
# its documentation, at the end of this file; a single definition is
# sufficient.
#
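# EAP-MSCHAPv2 is configured once, in the documented mschapv2 { }
# section at the end of this file; the empty duplicate section that
# used to sit here has been removed so the method is defined only once.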
| 76 | |
| 77 | # |
| 78 | # EAP-pwd -- secure password-based authentication |
| 79 | # |
| 80 | # pwd { |
| 81 | # group = 19 |
| 82 | |
| 83 | # |
| 84 | # server_id = theserver@example.com |
| 85 | |
| 86 | # This has the same meaning as for TLS. |
| 87 | # fragment_size = 1020 |
| 88 | |
| 89 | # The virtual server which determines the |
| 90 | # "known good" password for the user. |
| 91 | # Note that unlike TLS, only the "authorize" |
| 92 | # section is processed. EAP-PWD requests can be |
| 93 | # distinguished by having a User-Name, but |
| 94 | # no User-Password, CHAP-Password, EAP-Message, etc. |
| 95 | # virtual_server = "inner-tunnel" |
| 96 | # } |
| 97 | |
# Cisco LEAP
#
# Do not use LEAP in new deployments.  Its MS-CHAP based exchange is
# exposed to offline dictionary attacks on captured traffic; see:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# LEAP uses the MS-CHAP algorithm (but not the MS-CHAP attributes) to
# perform its authentication.  As a result it *requires* access to
# the plain-text User-Password or the NT-Password attribute; 'System'
# authentication is impossible with LEAP.
#
# NOTE(review): the section below leaves LEAP enabled; remove it
# unless legacy clients still depend on it.
# Enables Cisco LEAP (no options).  NOTE(review): consider commenting
# this section out -- this file itself advises against LEAP in new
# deployments.
leap {
}
| 112 | |
| 113 | # Generic Token Card. |
| 114 | # |
| 115 | # Currently, this is only permitted inside of EAP-TTLS, |
| 116 | # or EAP-PEAP. The module "challenges" the user with |
| 117 | # text, and the response from the user is taken to be |
| 118 | # the User-Password. |
| 119 | # |
# Do not proxy the tunneled EAP-GTC session: the user's password
# would then cross the wire to the proxy target in plain text, for
# anyone on that path to see.
| 123 | # |
gtc {
	# Text shown to the user as the challenge; many clients ignore it.
	#challenge = "Password: "

	# The plain-text response is placed in a User-Password attribute
	# and handed to the module named here, so it can be checked
	# against plain-text or crypt'd passwords.  "Local" instead of
	# "PAP" makes this module look for a User-Password configured for
	# the request and do the comparison itself.
	#
	# The response is protected only by the surrounding TTLS/PEAP
	# tunnel; never proxy the tunneled GTC session.
	auth_type = PAP
}
| 143 | |
| 144 | ## Common TLS configuration for TLS-based EAP types |
| 145 | # |
| 146 | # See raddb/certs/README for additional comments |
| 147 | # on certificates. |
| 148 | # |
| 149 | # If OpenSSL was not found at the time the server was |
| 150 | # built, the "tls", "ttls", and "peap" sections will |
| 151 | # be ignored. |
| 152 | # |
| 153 | # If you do not currently have certificates signed by |
| 154 | # a trusted CA you may use the 'snakeoil' certificates. |
| 155 | # Included with the server in raddb/certs. |
| 156 | # |
| 157 | # If these certificates have not been auto-generated: |
| 158 | # cd raddb/certs |
| 159 | # make |
| 160 | # |
| 161 | # These test certificates SHOULD NOT be used in a normal |
| 162 | # deployment. They are created only to make it easier |
| 163 | # to install the server, and to perform some simple |
| 164 | # tests with EAP-TLS, TTLS, or PEAP. |
| 165 | # |
| 166 | # See also: |
| 167 | # |
| 168 | # http://www.dslreports.com/forum/remark,9286052~mode=flat |
| 169 | # |
| 170 | # Note that you should NOT use a globally known CA here! |
| 171 | # e.g. using a Verisign cert as a "known CA" means that |
| 172 | # ANYONE who has a certificate signed by them can |
| 173 | # authenticate via EAP-TLS! This is likely not what you want. |
tls-config tls-common {
	# Server private key.  No passphrase is configured, so the key
	# file must be unencrypted; if it is encrypted, set
	# private_key_password -- and then restrict this file to the
	# radiusd user, since it holds the passphrase in the clear.
	#private_key_password =
	private_key_file = ${certdir}/server.pem

	# If the private key and certificate live in one file, both
	# private_key_file and certificate_file must name that file.
	# If ca_file (below) is not used, certificate_file MUST also
	# contain every CA certificate in the server certificate's chain.
	certificate_file = ${certdir}/server.pem

	# Trusted root CA list.  EVERY CA in this file is trusted to issue
	# client certificates for EAP-TLS, so it should normally hold
	# exactly *one* private (self-signed) CA -- never a public CA.
	# Used only for EAP-TLS with client certificates; if EAP-TLS is
	# not wanted, delete this item.
	ca_file = ${cadir}/ca.pem

	# TLS-PSK (if OpenSSL supports it).  When both items below are
	# set, the certificate items (private_key_password,
	# private_key_file, certificate_file, ca_file, ca_path) are not
	# allowed.  The identity is fixed and must match the client; the
	# passphrase is a hex value of up to 256 hex digits.  The example
	# below is a placeholder, not a usable key -- generate a random
	# one.  Future versions may look the key up by identity.
	#
	# psk_identity = "test"
	# psk_hexphrase = "036363823"

	# DH parameters for DHE cipher suites; create the file first, e.g.
	#
	#	openssl dhparam -out certs/dh 2048
	#
	# (the 1024-bit size that older documentation suggested is no
	# longer considered adequate).
	dh_file = ${certdir}/dh

	# Entropy file for systems without /dev/urandom.  It must be
	# created and periodically refreshed by hand: for security
	# reasons FreeRADIUS does not write to files in its configuration
	# directory.
	# random_file = ${certdir}/random

	# EAP fragment size.  Can never exceed a RADIUS packet (4096
	# bytes) and is preferably half that, to leave room for other
	# attributes.  Most APs cap packets at 1500-1600 bytes, in which
	# case 1024 or less is needed.
	# fragment_size = 1024

	# "yes" (the default): the total message length is sent in EVERY
	# fragment; "no": only in the first fragment of a series.
	# include_length = yes

	# Certificate Revocation List checking:
	#   1) copy the CA certificates and CRLs into one directory;
	#   2) run OpenSSL's 'c_rehash <that directory>';
	#   3) uncomment check_crl below;
	#   4) restart radiusd.
	# check_crl = yes
	ca_path = ${cadir}

	# Reject the client certificate unless its issuer DN equals this
	# value.  Since 2.1.10 the same check can be done by any
	# mechanism you choose on the TLS-Client-Cert-Issuer attribute.
	# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

	# Reject the client certificate unless its CN equals this
	# (xlat'ed) value; evaluated only if check_cert_issuer is unset
	# or passed.  Since 2.1.10 the same check can be done on the
	# TLS-Client-Cert-CN attribute.
	# check_cert_cn = %{User-Name}

	# Allowed TLS cipher suites, in "man 1 ciphers" format.
	# "DEFAULT" accepts whatever the linked OpenSSL treats as its
	# default set, which on older builds can still include weak
	# suites.  NOTE(review): consider an explicit list (for example
	# "HIGH:!aNULL:!MD5") once client compatibility has been checked.
	cipher_list = "DEFAULT"

	# Curve for ECDHE cipher suites (OpenSSL >= 0.9.8f only).
	ecdh_curve = "prime256v1"

	# Session resumption / fast re-authentication cache.  Each entry
	# holds the SSL session id, User-Name (from the Access-Accept),
	# Stripped-User-Name (from the Access-Request) and
	# Cached-Session-Policy (from the Access-Accept).  On resumption
	# these are copied from the cache into the reply list;
	# Cached-Session-Policy names a policy to re-apply (VLANs, IP
	# addresses, ...) so the resumed session gets the same treatment
	# as the original Access-Accept.  The inner authentication is
	# presumably not repeated on a resumed session, which is why the
	# cached policy matters -- TODO confirm.  You probably also want
	# "use_tunneled_reply = yes" in the ttls/peap sections when
	# resumption is enabled.
	cache {
		# "no" (the default), or deleting this whole subsection,
		# disables caching.  A single user can be excluded by adding
		# "Allow-Session-Resumption = No" to the control items; with
		# "enable = no" resumption cannot be switched on per user by
		# setting that attribute to "yes".
		enable = yes

		# Lifetime of cached entries, in hours; sessions are deleted
		# after this time.
		lifetime = 24 # hours

		# Maximum number of entries; "0" means unlimited.  Could be as
		# large as the number of logged-in users, which can be a LOT.
		max_entries = 255

		# Internal name of the cache, used to tell which TLS context
		# a session belongs to.  A random value is generated if unset
		# and changes on every restart, so it MUST be set when
		# persisting sessions (below).
		#name = "EAP module"

		# Directory-based persistence: two files per session (the SSL
		# state and the cached VPs) survive server restarts.  The
		# server needs write permission, nobody else should have any
		# access, and old files should be pruned periodically, e.g.
		#   find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
		# REQUIRES the "name" option above.
		#persist_dir = "${logdir}/tlscache"
	}

	# External validation of client certificates (since 2.1.10), e.g.
	# for dynamic CRLs or OCSP.  Stays disabled until tmpdir and
	# client below are uncommented and set to correct paths.
	verify {
		# Scratch directory for the client certificate.  It MUST
		# exist at start-up, MUST be owned by the server's UID and
		# MUST NOT be accessible to other users; the server does
		# "chmod go-rwx" on it when it starts.  Delete any leftover
		# files in it at start-up as well.  NOTE(review): a fixed
		# path under /tmp can be pre-created by another local user;
		# prefer a directory under the server's own run/state area.
		# tmpdir = /tmp/radiusd

		# Verification command; the OpenSSL command-line tool is
		# recommended.  ${..ca_path} refers to ca_path above, and
		# %{TLS-Client-Cert-Filename} is the temporary PEM file, which
		# the server deletes when the command returns.
		# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
	}

	# OCSP: check client certificates against a responder, so that
	# revocation takes effect without distributing new CRLs.
	ocsp {
		# "no" (the default), or deleting this whole subsection,
		# disables OCSP checking.
		enable = no

		# "yes" ignores the responder URL embedded in the certificate
		# and always queries "url" below.  With the URL configured
		# here that sends every check to a responder on localhost,
		# which must actually be running if OCSP is enabled.
		override_cert_url = yes

		# Responder used when the certificate's own URL is not used.
		# Limitation: the HTTP request carries no "Host:" header,
		# which breaks responders served as a vhost.
		url = "http://127.0.0.1/ocsp/"

		# Disable the request nonce only for responders that cannot
		# cope with it.  Not recommended: the nonce protects against
		# replayed responses.  Microsoft AD Certificate Services does
		# not enable nonces by default -- enable them on the responder
		# rather than disabling them here.  See
		# http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
		# use_nonce = yes

		# Seconds to wait for a response; 0 uses the system default.
		# timeout = 0

		# Normally any error querying the responder (no answer,
		# malformed request, ...) fails validation.  "yes" treats
		# such errors as soft failures and accepts the certificate.
		# Warning: a revoked certificate is then accepted whenever
		# the responder is unreachable.  Use with caution.
		# softfail = no
	}
}
| 529 | |
| 530 | ## EAP-TLS |
| 531 | # |
| 532 | # As of Version 3.0, the TLS configuration for TLS-based |
| 533 | # EAP types is above in the "tls-config" section. |
| 534 | # |
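tls {
	# Use the shared TLS parameters above (key, certificates, CAs,
	# cipher suites, session cache, OCSP).  The cipher suite list is
	# taken from tls-common's cipher_list; the extra cipher_list that
	# used to sit here duplicated that value and, in the 3.0 layout,
	# is presumably not consulted by the EAP-TLS section itself.
	tls = tls-common

	# While checking the client certificate, EAP-TLS sets attributes
	# such as TLS-Client-Cert-CN.  A virtual server named here sees
	# those attributes and can accept or reject the request (e.g. to
	# bind the certificate's CN to the claimed identity).
	# virtual_server = check-eap-tls
}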
| 548 | |
| 549 | |
| 550 | ## EAP-TTLS |
| 551 | # |
| 552 | # The TTLS module implements the EAP-TTLS protocol, |
| 553 | # which can be described as EAP inside of Diameter, |
| 554 | # inside of TLS, inside of EAP, inside of RADIUS... |
| 555 | # |
| 556 | # Surprisingly, it works quite well. |
| 557 | # |
ttls {
	# Which tls-config holds the TLS negotiation parameters; see
	# EAP-TLS above.  A FreeRADIUS v2.x style configuration may
	# instead put all tls-config options directly in the 'tls'
	# section above; in that case the tls= line here (and in tls
	# above) MUST be commented out.
	tls = tls-common

	# Default EAP type inside the tunnel, independent of the outer
	# default.  EAP-MSCHAPv2 is used here; the stock comment that
	# recommended EAP-MD5 inside TTLS did not match this value.
	# Ignored when the tunneled request carries no EAP conversation.
	default_eap_type = mschapv2

	# The tunneled request usually lacks attributes such as
	# Calling-Station-Id, which exist only outside the tunnel.  "yes"
	# copies every outer attribute that is absent from the inner
	# request into it.  Allowed values: {no, yes}.
	copy_request_to_tunnel = no

	# Reply attributes sent to the NAS are normally based on the outer
	# identity (usually 'anonymous').  "yes" takes them from the reply
	# to the tunneled request, i.e. from the real user.  Allowed
	# values: {no, yes}.  NOTE(review): tls-common enables the session
	# cache and its comments say "yes" is probably wanted with fast
	# resumption; with "no", per-user reply attributes are not those
	# of the inner identity -- confirm which behaviour is intended.
	use_tunneled_reply = no

	# Virtual server that handles the inner request.  If commented
	# out, the inner request goes through the virtual server that
	# processed the outer one.
	virtual_server = "inner-tunnel"

	# Same meaning as, and overrides, include_length in the "tls"
	# configuration above.  The default here is "yes".
	# include_length = yes

	# Unlike EAP-TLS, EAP-TTLS does not require a client certificate;
	# set this to require one.  It can also be overridden per request
	# with the control item "EAP-TLS-Require-Client-Cert = Yes".
	# require_client_cert = yes
}
| 637 | |
| 638 | |
| 639 | ## EAP-PEAP |
| 640 | # |
| 641 | |
| 642 | ################################################## |
| 643 | # |
| 644 | # !!!!! WARNINGS for Windows compatibility !!!!! |
| 645 | # |
| 646 | ################################################## |
| 647 | # |
| 648 | # If you see the server send an Access-Challenge, |
| 649 | # and the client never sends another Access-Request, |
| 650 | # then |
| 651 | # |
| 652 | # STOP! |
| 653 | # |
| 654 | # The server certificate has to have special OID's |
| 655 | # in it, or else the Microsoft clients will silently |
| 656 | # fail. See the "scripts/xpextensions" file for |
| 657 | # details, and the following page: |
| 658 | # |
| 659 | # http://support.microsoft.com/kb/814394/en-us |
| 660 | # |
| 661 | # For additional Windows XP SP2 issues, see: |
| 662 | # |
| 663 | # http://support.microsoft.com/kb/885453/en-us |
| 664 | # |
| 665 | # |
# If it still doesn't work, and you're using Samba,
| 667 | # you may be encountering a Samba bug. See: |
| 668 | # |
| 669 | # https://bugzilla.samba.org/show_bug.cgi?id=6563 |
| 670 | # |
| 671 | # Note that we do not necessarily agree with their |
| 672 | # explanation... but the fix does appear to work. |
| 673 | # |
| 674 | ################################################## |
| 675 | |
| 676 | # |
| 677 | # The tunneled EAP session needs a default EAP type |
| 678 | # which is separate from the one for the non-tunneled |
| 679 | # EAP module. Inside of the TLS/PEAP tunnel, we |
| 680 | # recommend using EAP-MS-CHAPv2. |
| 681 | # |
peap {
	# Which tls-config holds the TLS negotiation parameters; see
	# EAP-TLS above.  A FreeRADIUS v2.x style configuration may
	# instead put all tls-config options directly in the 'tls'
	# section above; in that case the tls= line here (and in tls
	# above) MUST be commented out.
	tls = tls-common

	# Default EAP type inside the PEAP tunnel, independent of the
	# outer default.  MS-CHAPv2 is recommended, as it is the type
	# Windows clients support by default.
	default_eap_type = mschapv2

	# Same meaning as in the ttls section.  NOTE(review): tls-common
	# enables the session cache and its comments say
	# "use_tunneled_reply = yes" is probably wanted with fast
	# resumption; confirm that "no" is intended here.
	copy_request_to_tunnel = no
	use_tunneled_reply = no

	# When the tunneled session is proxied, the home server may not
	# understand EAP-MSCHAP-V2; "no" proxies it as plain MSCHAPv2
	# instead.  (Presumably the MS-CHAP exchange is then carried in
	# ordinary RADIUS attributes to the home server, so that hop
	# needs to be trusted -- TODO confirm.)
	# proxy_tunneled_request_as_eap = yes

	# Virtual server that handles the inner request.  If commented
	# out, the inner request goes through the virtual server that
	# processed the outer one.
	virtual_server = "inner-tunnel"

	# MS-SoH support (see doc/SoH.txt); disabled by default.
	# soh = yes

	# The SoH reply is turned into a request that can be sent to
	# this virtual server.
	# soh_virtual_server = "soh-server"

	# Unlike EAP-TLS, PEAP does not require a client certificate; set
	# this to require one.  It can also be overridden per request
	# with the control item "EAP-TLS-Require-Client-Cert = Yes".
	# require_client_cert = yes
}
| 751 | |
| 752 | # |
| 753 | # This takes no configuration. |
| 754 | # |
| 755 | # Note that it is the EAP MS-CHAPv2 sub-module, not |
| 756 | # the main 'mschap' module. |
| 757 | # |
| 758 | # Note also that in order for this sub-module to work, |
| 759 | # the main 'mschap' module MUST ALSO be configured. |
| 760 | # |
| 761 | # This module is the *Microsoft* implementation of MS-CHAPv2 |
| 762 | # in EAP. There is another (incompatible) implementation |
| 763 | # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not |
| 764 | # currently support. |
| 765 | # |
mschapv2 {
	# Before 2.1.11 the module never sent MS-CHAP-Error to the client.
	# That worked, but misbehaved when a cached password was wrong:
	# the server *should* send "E=691 R=0", which tells the client to
	# prompt the user for a new password.  The default keeps the
	# 2.1.10 behaviour, which is known to work.  "send_error = yes"
	# returns the error message to the client, which *may* help some
	# clients and *may* make others stop working.
	# send_error = no
}
| 785 | } |