######################################################################
#
# Initial implementation of RADIUS over TLS (radsec)
#
######################################################################

listen {
	# Bind address for the RadSec socket. "*" accepts connections on
	# every IPv4 address of the host; narrow this to one interface
	# address when the host is multi-homed and only one network should
	# be able to reach the RADIUS/TLS service.
	ipaddr = *
	# The standard RadSec port.
	port = 2083

	#
	# TCP and TLS sockets can accept Access-Request and
	# Accounting-Request on the same socket.
	#
	# auth = only Access-Request
	# acct = only Accounting-Request
	# auth+acct = both
	#
	type = auth+acct

	# For now, only TCP transport is allowed.
	proto = tcp

	# Send packets to the default virtual server
	virtual_server = default

	# Only peers listed in the "clients radsec { }" section later in
	# this file may connect to this socket.
	clients = radsec

	#
	# Connection limiting for sockets with "proto = tcp".
	# These limits also bound what an unauthenticated peer can tie up
	# before its TLS handshake completes.
	#
	limit {
		#
		# Limit the number of simultaneous TCP connections to the socket
		#
		# The default is 16.
		# Setting this to 0 means "no limit"
		max_connections = 16

		# The per-socket "max_requests" option does not exist.

		#
		# The lifetime, in seconds, of a TCP connection. After
		# this lifetime, the connection will be closed.
		#
		# Setting this to 0 means "forever".
		lifetime = 0

		#
		# The idle timeout, in seconds, of a TCP connection.
		# If no packets have been received over the connection for
		# this time, the connection will be closed.
		#
		# Setting this to 0 means "no timeout".
		#
		# We STRONGLY RECOMMEND that you set an idle timeout:
		# without one, idle (or half-open) connections count against
		# max_connections above until the peer goes away.
		#
		idle_timeout = 30
	}

	# This is *exactly* the same configuration as used by the EAP-TLS
	# module. It's OK for testing, but for production use it's a good
	# idea to use different server certificates for EAP and for RADIUS
	# transport.
	#
	# If you want only one TLS configuration for multiple sockets,
	# then we suggest putting "tls { ...}" into radiusd.conf.
	# The subsection below can then be changed into a reference:
	#
	# tls = ${tls}
	#
	# Which means "the tls sub-section is not here, but instead is in
	# the top-level section called 'tls'".
	#
	# If you have multiple tls configurations, you can put them into
	# sub-sections of a top-level "tls" section. There's no need to
	# call them all "tls". You can then use:
	#
	# tls = ${tls.site1}
	#
	# to refer to the "site1" sub-section of the "tls" section.
	#
	tls {
		# NOTE(review): placeholder passphrase stored in the clear.
		# Anyone who can read this file can decrypt the private key,
		# so keep the file's permissions tight and replace this value
		# together with the key when deploying real certificates.
		private_key_password = whatever
		private_key_file = ${certdir}/server.pem

		# If Private key & Certificate are located in
		# the same file, then private_key_file &
		# certificate_file must contain the same file
		# name.
		#
		# If ca_file (below) is not used, then the
		# certificate_file below MUST include not
		# only the server certificate, but ALSO all
		# of the CA certificates used to sign the
		# server certificate.
		certificate_file = ${certdir}/server.pem

		# Trusted Root CA list
		#
		# ALL of the CA's in this list will be trusted
		# to issue client certificates for authentication.
		#
		# In general, you should use self-signed
		# certificates for 802.1x (EAP) authentication.
		# In that case, this CA file should contain
		# *one* CA certificate.
		#
		# This parameter is used only for EAP-TLS,
		# when you issue client certificates. If you do
		# not use client certificates, and you do not want
		# to permit EAP-TLS authentication, then delete
		# this configuration item.
		#
		# NOTE(review): the paragraphs above were copied from the
		# EAP-TLS module. On this listener require_client_cert = yes
		# (further below) means every connecting peer's certificate
		# must be verifiable, so do not remove ca_file unless ca_path
		# (below) supplies the trust anchors -- confirm against the
		# radsec documentation before deleting it.
		ca_file = ${cadir}/ca.pem

		#
		# For DH cipher suites to work, you have to
		# run OpenSSL to create the DH file first:
		#
		# openssl dhparam -out certs/dh 1024
		#
		# NOTE(review): 1024-bit DH parameters are below current
		# guidance; generate 2048 bits or more (replace 1024 in the
		# command above).
		#
		dh_file = ${certdir}/dh

		#
		# If your system doesn't have /dev/urandom,
		# you will need to create this file, and
		# periodically change its contents.
		#
		# For security reasons, FreeRADIUS doesn't
		# write to files in its configuration
		# directory.
		#
		# random_file = ${certdir}/random

		#
		# The default fragment size is 1K.
		# However, it's possible to send much more data than
		# that over a TCP connection. The upper limit is 64K.
		# Setting the fragment size to more than 1K means that
		# there are fewer round trips when setting up a TLS
		# connection. But only if the certificates are large.
		#
		fragment_size = 8192

		# include_length is a flag which is
		# by default set to yes. If set to
		# yes, Total Length of the message is
		# included in EVERY packet we send.
		# If set to no, Total Length of the
		# message is included ONLY in the
		# First packet of a fragment series.
		#
		# include_length = yes

		# Check the Certificate Revocation List
		#
		# 1) Copy CA certificates and CRLs to same directory.
		# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#    'c_rehash' is OpenSSL's command.
		# 3) uncomment the line below.
		# 4) Restart radiusd
		#
		# While check_crl stays commented out, no revocation
		# checking is done against CRLs in ca_path; the "verify"
		# section further below offers an external-command
		# alternative (dynamic CRLs or OCSP).
		# check_crl = yes
		ca_path = ${cadir}

		#
		# If check_cert_issuer is set, the value will
		# be checked against the DN of the issuer in
		# the client certificate. If the values do not
		# match, the certificate verification will fail,
		# rejecting the user.
		#
		# In 2.1.10 and later, this check can be done
		# more generally by checking the value of the
		# TLS-Client-Cert-Issuer attribute. This check
		# can be done via any mechanism you choose.
		#
		# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

		#
		# If check_cert_cn is set, the value will
		# be xlat'ed and checked against the CN
		# in the client certificate. If the values
		# do not match, the certificate verification
		# will fail rejecting the user.
		#
		# This check is done only if the previous
		# "check_cert_issuer" is not set, or if
		# the check succeeds.
		#
		# In 2.1.10 and later, this check can be done
		# more generally by checking the value of the
		# TLS-Client-Cert-CN attribute. This check
		# can be done via any mechanism you choose.
		#
		# check_cert_cn = %{User-Name}
		#
		# Set this option to specify the allowed
		# TLS cipher suites. The format is listed
		# in "man 1 ciphers".
		#
		# NOTE(review): "DEFAULT" delegates the choice to the
		# OpenSSL build the server links against; for production,
		# pin an explicit list of vetted suites here.
		cipher_list = "DEFAULT"

		#
		# This configuration entry should be deleted
		# once the server is running in a normal
		# configuration. It is here ONLY to make
		# initial deployments easier.
		#
		# This is enabled in eap.conf, so we don't need it here.
		#
		# make_cert_command = "${certdir}/bootstrap"

		#
		# Session resumption / fast reauthentication
		# cache.
		#
		# The cache contains the following information:
		#
		# session Id - unique identifier, managed by SSL
		# User-Name - from the Access-Accept
		# Stripped-User-Name - from the Access-Request
		# Cached-Session-Policy - from the Access-Accept
		#
		# The "Cached-Session-Policy" is the name of a
		# policy which should be applied to the cached
		# session. This policy can be used to assign
		# VLANs, IP addresses, etc. It serves as a useful
		# way to re-apply the policy from the original
		# Access-Accept to the subsequent Access-Accept
		# for the cached session.
		#
		# On session resumption, these attributes are
		# copied from the cache, and placed into the
		# reply list.
		#
		# You probably also want "use_tunneled_reply = yes"
		# when using fast session resumption.
		#
		cache {
			#
			# Enable it. The default is "no".
			# Deleting the entire "cache" subsection
			# also disables caching.
			#
			# You can disallow resumption for a
			# particular user by adding the following
			# attribute to the control item list:
			#
			# Allow-Session-Resumption = No
			#
			# If "enable = no" below, you CANNOT
			# enable resumption for just one user
			# by setting the above attribute to "yes".
			#
			enable = no

			#
			# Lifetime of the cached entries, in hours.
			# The sessions will be deleted after this
			# time.
			#
			lifetime = 24 # hours

			#
			# The maximum number of entries in the
			# cache. Set to "0" for "infinite".
			#
			# This could be set to the number of users
			# who are logged in... which can be a LOT.
			#
			max_entries = 255

			#
			# Internal "name" of the session cache.
			# Used to distinguish which TLS context
			# sessions belong to.
			#
			# The server will generate a random value
			# if unset. This will change across server
			# restart so you MUST set the "name" if you
			# want to persist sessions (see below).
			#
			# If you use IPv6, change the "ipaddr" below
			# to "ipv6addr"
			#
			#name = "TLS ${..ipaddr} ${..port} ${..proto}"

			#
			# Simple directory-based storage of sessions.
			# Two files per session will be written, the SSL
			# state and the cached VPs. This will persist session
			# across server restarts.
			#
			# The server will need write perms, and the directory
			# should be secured from anyone else. You might want
			# a script to remove old files from here periodically:
			#
			# find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
			#
			# This feature REQUIRES "name" option be set above.
			#
			#persist_dir = "${logdir}/tlscache"
		}

		#
		# Require a client certificate.
		#
		# Since TLS clients use the fixed shared secret "radsec"
		# (see the clients section), this certificate check is what
		# actually authenticates the peer; a connection whose
		# certificate does not verify against ca_file / ca_path is
		# expected to be refused during the handshake.
		#
		require_client_cert = yes

		#
		# As of version 2.1.10, client certificates can be
		# validated via an external command. This allows
		# dynamic CRLs or OCSP to be used.
		#
		# This configuration is commented out in the
		# default configuration. Uncomment it, and configure
		# the correct paths below to enable it.
		#
		verify {
			# A temporary directory where the client
			# certificates are stored. This directory
			# MUST be owned by the UID of the server,
			# and MUST not be accessible by any other
			# users. When the server starts, it will do
			# "chmod go-rwx" on the directory, for
			# security reasons. The directory MUST
			# exist when the server starts.
			#
			# You should also delete all of the files
			# in the directory when the server starts.
			#
			# NOTE(review): the example path is under the shared
			# /tmp; prefer a dedicated, service-owned directory
			# so that no other local user can pre-create it.
			# tmpdir = /tmp/radiusd

			# The command used to verify the client cert.
			# We recommend using the OpenSSL command-line
			# tool.
			#
			# The ${..ca_path} text is a reference to
			# the ca_path variable defined above.
			#
			# The %{TLS-Client-Cert-Filename} is the name
			# of the temporary file containing the cert
			# in PEM format. This file is automatically
			# deleted by the server when the command
			# returns.
			# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
		}
	}
}
# Client list referenced by "clients = radsec" in the listen section
# above. Each "client { }" block is one permitted peer; add a block per
# RadSec peer that may connect. As shipped, only loopback is allowed.
clients radsec {
	client 127.0.0.1 {
		ipaddr = 127.0.0.1

		#
		# Ensure that this client is TLS *only*.
		#
		proto = tls

		#
		# TCP clients can have any shared secret.
		#
		# TLS clients MUST have the shared secret
		# set to "radsec". Or, for "proto = tls",
		# you can omit the secret, and it will
		# automatically be set to "radsec".
		#
		# Because this value is fixed, it provides no
		# authentication on its own; the client certificate
		# required by the listen section is what identifies
		# the peer.
		#
		secret = radsec

		#
		# You can also use a "limit" section here.
		# See raddb/clients.conf for examples.
		#
		# Note that BOTH limits are applied. You
		# should therefore set the "listen" limits
		# higher than the ones for each individual
		# client.
		#
	}
}
# Outbound RadSec peer. As shipped it points at the loopback address and
# port of the listen section above, i.e. this server proxies to itself.
home_server tls {
	ipaddr = 127.0.0.1
	port = 2083
	# Only Access-Requests are sent to this home server.
	type = auth
	# NOTE(review): placeholder secret. The clients section above states
	# that TLS peers use the fixed secret "radsec"; confirm which value
	# the remote listener expects before relying on this one.
	secret = testing123
	# TCP transport; TLS is configured in the tls { } subsection below.
	proto = tcp
	# No periodic status probes are sent to this home server.
	status_check = none

	tls {
		# NOTE(review): placeholder passphrase stored in the clear.
		# Anyone who can read this file can decrypt the client
		# private key; keep the file's permissions tight and replace
		# this value together with the key for real deployments.
		private_key_password = whatever
		private_key_file = ${certdir}/client.pem

		# If Private key & Certificate are located in
		# the same file, then private_key_file &
		# certificate_file must contain the same file
		# name.
		#
		# If ca_file (below) is not used, then the
		# certificate_file below MUST include not
		# only the server certificate, but ALSO all
		# of the CA certificates used to sign the
		# server certificate.
		certificate_file = ${certdir}/client.pem

		# Trusted Root CA list
		#
		# ALL of the CA's in this list will be trusted
		# to issue client certificates for authentication.
		#
		# In general, you should use self-signed
		# certificates for 802.1x (EAP) authentication.
		# In that case, this CA file should contain
		# *one* CA certificate.
		#
		# This parameter is used only for EAP-TLS,
		# when you issue client certificates. If you do
		# not use client certificates, and you do not want
		# to permit EAP-TLS authentication, then delete
		# this configuration item.
		#
		# NOTE(review): the paragraphs above were copied from the
		# server-side tls block. For this outbound connection,
		# ca_file / ca_path presumably supply the trust anchors used
		# to verify the *remote home server's* certificate -- confirm
		# against the documentation before deleting either.
		ca_file = ${cadir}/ca.pem

		#
		# For DH cipher suites to work, you have to
		# run OpenSSL to create the DH file first:
		#
		# openssl dhparam -out certs/dh 1024
		#
		# NOTE(review): 1024-bit DH parameters are below current
		# guidance; generate 2048 bits or more (replace 1024 in the
		# command above).
		#
		dh_file = ${certdir}/dh
		# NOTE(review): unlike the listen section's tls block, this
		# line is not commented out. It points at a file the operator
		# must create and refresh; make sure it exists, or comment the
		# line out -- confirm whether the TLS context initialises
		# without it.
		random_file = ${certdir}/random

		#
		# The default fragment size is 1K.
		# However, TLS can send 64K of data at once.
		# It can be useful to set it higher.
		#
		fragment_size = 8192

		# include_length is a flag which is
		# by default set to yes. If set to
		# yes, Total Length of the message is
		# included in EVERY packet we send.
		# If set to no, Total Length of the
		# message is included ONLY in the
		# First packet of a fragment series.
		#
		# include_length = yes

		# Check the Certificate Revocation List
		#
		# 1) Copy CA certificates and CRLs to same directory.
		# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#    'c_rehash' is OpenSSL's command.
		# 3) uncomment the line below.
		# 4) Restart radiusd
		#
		# While check_crl stays commented out, no revocation
		# checking is done against CRLs in ca_path.
		# check_crl = yes
		ca_path = ${cadir}

		#
		# If check_cert_issuer is set, the value will
		# be checked against the DN of the issuer in
		# the client certificate. If the values do not
		# match, the certificate verification will fail,
		# rejecting the user.
		#
		# In 2.1.10 and later, this check can be done
		# more generally by checking the value of the
		# TLS-Client-Cert-Issuer attribute. This check
		# can be done via any mechanism you choose.
		#
		# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

		#
		# If check_cert_cn is set, the value will
		# be xlat'ed and checked against the CN
		# in the client certificate. If the values
		# do not match, the certificate verification
		# will fail rejecting the user.
		#
		# This check is done only if the previous
		# "check_cert_issuer" is not set, or if
		# the check succeeds.
		#
		# In 2.1.10 and later, this check can be done
		# more generally by checking the value of the
		# TLS-Client-Cert-CN attribute. This check
		# can be done via any mechanism you choose.
		#
		# check_cert_cn = %{User-Name}
		#
		# Set this option to specify the allowed
		# TLS cipher suites. The format is listed
		# in "man 1 ciphers".
		#
		# NOTE(review): "DEFAULT" delegates the choice to the
		# OpenSSL build the server links against; for production,
		# pin an explicit list of vetted suites here.
		cipher_list = "DEFAULT"
	}

}
# Pool with a single member, the "home_server tls { }" defined above.
home_server_pool tls {
	# Selection policy among the pool's members; with one member it only
	# matters once further home servers are added.
	type = fail-over
	home_server = tls
}
# Realm whose authentication requests are proxied through the "tls"
# pool above. No acct_pool is set, so accounting for this realm is
# presumably not proxied by this definition -- confirm against the
# proxy documentation.
realm tls {
	auth_pool = tls
}