######################################################################
#
# Initial implementation of RADIUS over TLS (radsec)
#
######################################################################

listen {
	# Wildcard bind: this RadSec listener accepts connections on every
	# local address. Narrow it to the address that should carry RadSec
	# traffic where the deployment allows it.
	ipaddr = *
	# 2083/tcp is the IANA-assigned port for RADIUS over TLS (RFC 6614).
	port = 2083

	#
	# TCP and TLS sockets can accept Access-Request and
	# Accounting-Request on the same socket.
	#
	# auth = only Access-Request
	# acct = only Accounting-Request
	# auth+acct = both
	#
	type = auth+acct

	# For now, only TCP transport is allowed.
	# The "tls { }" subsection further down supplies the TLS parameters
	# for this socket.
	proto = tcp

	# Send packets to the default virtual server
	virtual_server = default

	# Only peers listed in the "clients radsec { }" section, defined
	# later in this file, may connect to this socket.
	clients = radsec

	#
	# Connection limiting for sockets with "proto = tcp".
	# These limits bound the resources a single socket can consume;
	# leaving them at "no limit" makes the listener easier to exhaust.
	#
	limit {
		#
		# Limit the number of simultaneous TCP connections to the socket
		#
		# The default is 16.
		# Setting this to 0 means "no limit"
		max_connections = 16

		# The per-socket "max_requests" option does not exist.

		#
		# The lifetime, in seconds, of a TCP connection. After
		# this lifetime, the connection will be closed.
		#
		# Setting this to 0 means "forever".
		lifetime = 0

		#
		# The idle timeout, in seconds, of a TCP connection.
		# If no packets have been received over the connection for
		# this time, the connection will be closed.
		#
		# Setting this to 0 means "no timeout".
		#
		# We STRONGLY RECOMMEND that you set an idle timeout.
		# With lifetime = 0 above, this is the only thing that
		# reclaims connections a peer has silently abandoned.
		#
		idle_timeout = 30
	}

	# This is *exactly* the same configuration as used by the EAP-TLS
	# module. It's OK for testing, but for production use it's a good
	# idea to use different server certificates for EAP and for RADIUS
	# transport.
	#
	# If you want only one TLS configuration for multiple sockets,
	# then we suggest putting "tls { ...}" into radiusd.conf.
	# The subsection below can then be changed into a reference:
	#
	# tls = ${tls}
	#
	# Which means "the tls sub-section is not here, but instead is in
	# the top-level section called 'tls'".
	#
	# If you have multiple tls configurations, you can put them into
	# sub-sections of a top-level "tls" section. There's no need to
	# call them all "tls". You can then use:
	#
	# tls = ${tls.site1}
	#
	# to refer to the "site1" sub-section of the "tls" section.
	#
	tls {
		# Placeholder passphrase for the private key below. A real
		# passphrase is a secret: keep this file readable only by the
		# server's user, and do not commit production values.
		private_key_password = whatever
		private_key_file = ${certdir}/server.pem

		# If Private key & Certificate are located in
		# the same file, then private_key_file &
		# certificate_file must contain the same file
		# name.
		#
		# If ca_file (below) is not used, then the
		# certificate_file below MUST include not
		# only the server certificate, but ALSO all
		# of the CA certificates used to sign the
		# server certificate.
		certificate_file = ${certdir}/server.pem

		# Trusted Root CA list
		#
		# ALL of the CA's in this list will be trusted
		# to issue client certificates for authentication.
		#
		# For this RadSec listener, this list decides which
		# peer certificates are accepted when
		# "require_client_cert = yes" (set below) is in force.
		# Keep it to the CA(s) that actually issue RadSec
		# peer certificates; a broad public CA bundle here
		# would let any holder of a certificate from those
		# CAs complete the TLS handshake.
		#
		# In general, you should use self-signed
		# certificates for 802.1x (EAP) authentication.
		# In that case, this CA file should contain
		# *one* CA certificate.
		#
		# The wording above is inherited from the EAP-TLS
		# configuration; the "delete this item" advice there
		# does not apply to a listener that requires client
		# certificates.
		ca_file = ${cadir}/ca.pem

		#
		# For DH cipher suites to work, you have to
		# run OpenSSL to create the DH file first:
		#
		# openssl dhparam -out certs/dh 2048
		#
		# Use at least 2048 bits; 1024-bit DH groups are
		# considered too weak for current use.
		#
		dh_file = ${certdir}/dh

		#
		# If your system doesn't have /dev/urandom,
		# you will need to create this file, and
		# periodically change its contents.
		#
		# For security reasons, FreeRADIUS doesn't
		# write to files in its configuration
		# directory.
		#
		# random_file = ${certdir}/random

		#
		# The default fragment size is 1K.
		# However, it's possible to send much more data than
		# that over a TCP connection. The upper limit is 64K.
		# Setting the fragment size to more than 1K means that
		# there are fewer round trips when setting up a TLS
		# connection. But only if the certificates are large.
		#
		fragment_size = 8192

		# include_length is a flag which is
		# by default set to yes If set to
		# yes, Total Length of the message is
		# included in EVERY packet we send.
		# If set to no, Total Length of the
		# message is included ONLY in the
		# First packet of a fragment series.
		#
		# include_length = yes

		# Check the Certificate Revocation List
		#
		# 1) Copy CA certificates and CRLs to same directory.
		# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		# 'c_rehash' is OpenSSL's command.
		# 3) uncomment the line below.
		# 4) Restart radiusd
		#
		# Revocation checking is OFF as shipped. Until it is
		# enabled (here or via the "verify" subsection below),
		# a compromised peer certificate remains usable until
		# it expires.
		# check_crl = yes
		ca_path = ${cadir}

		#
		# If check_cert_issuer is set, the value will
		# be checked against the DN of the issuer in
		# the client certificate. If the values do not
		# match, the certificate verification will fail,
		# rejecting the user.
		#
		# In 2.1.10 and later, this check can be done
		# more generally by checking the value of the
		# TLS-Client-Cert-Issuer attribute. This check
		# can be done via any mechanism you choose.
		#
		# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

		#
		# If check_cert_cn is set, the value will
		# be xlat'ed and checked against the CN
		# in the client certificate. If the values
		# do not match, the certificate verification
		# will fail rejecting the user.
		#
		# This check is done only if the previous
		# "check_cert_issuer" is not set, or if
		# the check succeeds.
		#
		# In 2.1.10 and later, this check can be done
		# more generally by checking the value of the
		# TLS-Client-Cert-CN attribute. This check
		# can be done via any mechanism you choose.
		#
		# check_cert_cn = %{User-Name}
		#
		# Set this option to specify the allowed
		# TLS cipher suites. The format is listed
		# in "man 1 ciphers".
		#
		# "DEFAULT" is OpenSSL's built-in list and, depending
		# on the OpenSSL version in use, may still admit
		# legacy suites. For production, consider a narrower
		# list that excludes anonymous and weak ciphers.
		cipher_list = "DEFAULT"

		#

		# This configuration entry should be deleted
		# once the server is running in a normal
		# configuration. It is here ONLY to make
		# initial deployments easier.
		#
		#
		# This is enabled in eap.conf, so we don't need it here.
		#
		# make_cert_command = "${certdir}/bootstrap"

		#
		# Session resumption / fast reauthentication
		# cache.
		#
		# The cache contains the following information:
		#
		# session Id - unique identifier, managed by SSL
		# User-Name - from the Access-Accept
		# Stripped-User-Name - from the Access-Request
		# Cached-Session-Policy - from the Access-Accept
		#
		# The "Cached-Session-Policy" is the name of a
		# policy which should be applied to the cached
		# session. This policy can be used to assign
		# VLANs, IP addresses, etc. It serves as a useful
		# way to re-apply the policy from the original
		# Access-Accept to the subsequent Access-Accept
		# for the cached session.
		#
		# On session resumption, these attributes are
		# copied from the cache, and placed into the
		# reply list.
		#
		# You probably also want "use_tunneled_reply = yes"
		# when using fast session resumption.
		#
		cache {
			#
			# Enable it. The default is "no".
			# Deleting the entire "cache" subsection
			# Also disables caching.
			#
			# You can disallow resumption for a
			# particular user by adding the following
			# attribute to the control item list:
			#
			# Allow-Session-Resumption = No
			#
			# If "enable = no" below, you CANNOT
			# enable resumption for just one user
			# by setting the above attribute to "yes".
			#
			# Session resumption is disabled here, so every
			# connection performs a full handshake and full
			# peer-certificate validation.
			enable = no

			#
			# Lifetime of the cached entries, in hours.
			# The sessions will be deleted after this
			# time.
			#
			lifetime = 24 # hours

			#
			# The maximum number of entries in the
			# cache. Set to "0" for "infinite".
			#
			# This could be set to the number of users
			# who are logged in... which can be a LOT.
			#
			max_entries = 255

			#
			# Internal "name" of the session cache.
			# Used to distinguish which TLS context
			# sessions belong to.
			#
			# The server will generate a random value
			# if unset. This will change across server
			# restart so you MUST set the "name" if you
			# want to persist sessions (see below).
			#
			# If you use IPv6, change the "ipaddr" below
			# to "ipv6addr"
			#
			#name = "TLS ${..ipaddr} ${..port} ${..proto}"

			#
			# Simple directory-based storage of sessions.
			# Two files per session will be written, the SSL
			# state and the cached VPs. This will persist session
			# across server restarts.
			#
			# The server will need write perms, and the directory
			# should be secured from anyone else. You might want
			# a script to remove old files from here periodically:
			#
			# find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
			#
			# This feature REQUIRES "name" option be set above.
			#
			#persist_dir = "${logdir}/tlscache"
		}

		#
		# Require a client certificate.
		#
		# This makes the listener mutual-TLS: a peer that presents
		# no certificate, or one that does not chain to ca_file /
		# ca_path, is rejected at the handshake. Together with the
		# "clients radsec { }" address list this is what
		# authenticates a RadSec peer, so it should stay "yes".
		#
		require_client_cert = yes

		#
		# As of version 2.1.10, client certificates can be
		# validated via an external command. This allows
		# dynamic CRLs or OCSP to be used.
		#
		# This configuration is commented out in the
		# default configuration. Uncomment it, and configure
		# the correct paths below to enable it.
		#
		# Everything inside "verify { }" is commented out, so no
		# external validation (OCSP / dynamic CRL) runs as shipped.
		#
		verify {
			# A temporary directory where the client
			# certificates are stored. This directory
			# MUST be owned by the UID of the server,
			# and MUST not be accessible by any other
			# users. When the server starts, it will do
			# "chmod go-rwx" on the directory, for
			# security reasons. The directory MUST
			# exist when the server starts.
			#
			# You should also delete all of the files
			# in the directory when the server starts.
			# tmpdir = /tmp/radiusd

			# The command used to verify the client cert.
			# We recommend using the OpenSSL command-line
			# tool.
			#
			# The ${..ca_path} text is a reference to
			# the ca_path variable defined above.
			#
			# The %{TLS-Client-Cert-Filename} is the name
			# of the temporary file containing the cert
			# in PEM format. This file is automatically
			# deleted by the server when the command
			# returns.
			# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
		}
	}
}

# Peers allowed to connect to the RadSec listener above
# ("clients = radsec"). As shipped, only loopback is listed, which
# matches the "home_server tls" entry further down that connects
# from 127.0.0.1.
clients radsec {
	client 127.0.0.1 {
		# Source address filter. The peer's identity is established
		# by its client certificate (require_client_cert = yes in
		# the listener), not by this address alone.
		ipaddr = 127.0.0.1

		#
		# Ensure that this client is TLS *only*.
		#
		proto = tls

		#
		# TCP clients can have any shared secret.
		#
		# TLS clients MUST have the shared secret
		# set to "radsec". Or, for "proto = tls",
		# you can omit the secret, and it will
		# automatically be set to "radsec".
		#
		# "radsec" is the fixed shared secret RFC 6614 prescribes
		# for RADIUS/TLS; confidentiality and peer authentication
		# come from TLS, not from this value.
		#
		secret = radsec

		#
		# You can also use a "limit" section here.
		# See raddb/clients.conf for examples.
		#
		# Note that BOTH limits are applied. You
		# should therefore set the "listen" limits
		# higher than the ones for each individual
		# client.
		#
	}
}

# Outbound RadSec peer: this server connects to the RadSec listener
# defined above (same address and port) and presents client.pem.
home_server tls {
	ipaddr = 127.0.0.1
	port = 2083
	type = auth
	# NOTE(review): the "clients radsec" entry above uses "radsec",
	# and RFC 6614 fixes the RADIUS/TLS shared secret to "radsec".
	# Confirm this value is what the remote listener expects.
	secret = testing123
	proto = tcp
	# No liveness probes are sent to this home server. Whether a
	# dead peer is noticed only when requests fail depends on the
	# proxy timeouts configured elsewhere - confirm for production.
	status_check = none

	tls {
		# Placeholder passphrase for the private key below; treat a
		# real value as a secret and restrict this file's permissions.
		private_key_password = whatever
		private_key_file = ${certdir}/client.pem

		# If Private key & Certificate are located in
		# the same file, then private_key_file &
		# certificate_file must contain the same file
		# name.
		#
		# If ca_file (below) is not used, then the
		# certificate_file below MUST include not
		# only the server certificate, but ALSO all
		# of the CA certificates used to sign the
		# server certificate.
		#
		# In this outbound context the certificate here is
		# presumably the one this server presents to the remote
		# RadSec listener (i.e. its client certificate).
		certificate_file = ${certdir}/client.pem

		# Trusted Root CA list
		#
		# ALL of the CA's in this list will be trusted
		# to issue client certificates for authentication.
		#
		# For a home server, the certificate validated against
		# this list is the remote RadSec server's. Keep the list
		# to the CA(s) that issue your RadSec peers' certificates.
		#
		# In general, you should use self-signed
		# certificates for 802.1x (EAP) authentication.
		# In that case, this CA file should contain
		# *one* CA certificate.
		#
		# The EAP-TLS wording above is inherited from eap.conf;
		# do not delete this item for an outbound TLS peer, or
		# the remote server's certificate cannot be validated.
		ca_file = ${cadir}/ca.pem

		#
		# For DH cipher suites to work, you have to
		# run OpenSSL to create the DH file first:
		#
		# openssl dhparam -out certs/dh 2048
		#
		# Use at least 2048 bits; 1024-bit DH groups are
		# considered too weak for current use.
		#
		dh_file = ${certdir}/dh
		# NOTE(review): unlike the listener's tls section, this
		# random_file is active rather than commented out, so the
		# file must exist at startup - confirm it is provisioned.
		random_file = ${certdir}/random

		#
		# The default fragment size is 1K.
		# However, TLS can send 64K of data at once.
		# It can be useful to set it higher.
		#
		fragment_size = 8192

		# include_length is a flag which is
		# by default set to yes If set to
		# yes, Total Length of the message is
		# included in EVERY packet we send.
		# If set to no, Total Length of the
		# message is included ONLY in the
		# First packet of a fragment series.
		#
		# include_length = yes

		# Check the Certificate Revocation List
		#
		# 1) Copy CA certificates and CRLs to same directory.
		# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		# 'c_rehash' is OpenSSL's command.
		# 3) uncomment the line below.
		# 4) Restart radiusd
		#
		# Revocation checking is OFF as shipped.
		# check_crl = yes
		ca_path = ${cadir}

		#
		# If check_cert_issuer is set, the value will
		# be checked against the DN of the issuer in
		# the client certificate. If the values do not
		# match, the certificate verification will fail,
		# rejecting the user.
		#
		# In 2.1.10 and later, this check can be done
		# more generally by checking the value of the
		# TLS-Client-Cert-Issuer attribute. This check
		# can be done via any mechanism you choose.
		#
		# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

		#
		# If check_cert_cn is set, the value will
		# be xlat'ed and checked against the CN
		# in the client certificate. If the values
		# do not match, the certificate verification
		# will fail rejecting the user.
		#
		# This check is done only if the previous
		# "check_cert_issuer" is not set, or if
		# the check succeeds.
		#
		# In 2.1.10 and later, this check can be done
		# more generally by checking the value of the
		# TLS-Client-Cert-CN attribute. This check
		# can be done via any mechanism you choose.
		#
		# NOTE(review): with both checks commented out, nothing
		# here ties the remote server's certificate to this
		# particular peer beyond chaining to ca_file; consider
		# pinning the expected issuer or CN - verify that these
		# options apply to the outbound direction in this version.
		#
		# check_cert_cn = %{User-Name}
		#
		# Set this option to specify the allowed
		# TLS cipher suites. The format is listed
		# in "man 1 ciphers".
		#
		# "DEFAULT" is OpenSSL's built-in list and may admit
		# legacy suites depending on the OpenSSL version;
		# consider a narrower list for production.
		cipher_list = "DEFAULT"
	}

}

# Pool containing the single RadSec home server defined above.
home_server_pool tls {
	# fail-over: home servers are tried in listed order; with one
	# member there is no fallback if "tls" is unreachable.
	type = fail-over
	home_server = tls
}

# Authentication requests for the "tls" realm are proxied through
# the RadSec pool above. No acct_pool is set, so accounting for this
# realm is not proxied over TLS by this file.
realm tls {
	auth_pool = tls
}