6 # Sample configuration for an EAP module that occurs *inside*
7 # of a tunneled method. It is used to limit the EAP types that
8 # can occur inside of the inner tunnel.
10 # See also raddb/sites-available/inner-tunnel
12 # To use this module, edit raddb/sites-available/inner-tunnel, and
13 # replace the references to "eap" with "inner-eap".
15 # See raddb/eap.conf for full documentation on the meaning of the
16 # configuration entries here.
19 # This is the best choice for PEAP.
20 default_eap_type = mschapv2
23 # This should be the same as the outer eap "max sessions"
31 # The default challenge, which many clients
33 #challenge = "Password: "
41 # No TTLS or PEAP configuration should be listed here.
# You SHOULD use different certificates than are used
# for the outer EAP configuration!
#
# The private_key_password below is a sample placeholder:
# replace it with the real passphrase of your key, and keep
# this file readable only by the server user, since the
# passphrase is stored here in clear text.
48 # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
# These are used to simplify the later entries.
54 certdir = ${confdir}/certs
55 cadir = ${confdir}/certs
57 private_key_password = whatever
58 private_key_file = ${certdir}/server.pem
# If the private key and the certificate are located in
# the same file, then private_key_file and
# certificate_file must both name that same file.
65 # If CA_file (below) is not used, then the
66 # certificate_file below MUST include not
67 # only the server certificate, but ALSO all
68 # of the CA certificates used to sign the
70 certificate_file = ${certdir}/server.pem
72 # Trusted Root CA list
# ALL of the CAs in this list will be trusted
# to issue client certificates for authentication.
# Do NOT point this at a general-purpose CA bundle:
# every CA in it could then mint a certificate that
# authenticates a user.
#
# In general, you should use a private, self-signed
# CA for 802.1X (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
82 # This parameter is used only for EAP-TLS,
83 # when you issue client certificates. If you do
84 # not use client certificates, and you do not want
85 # to permit EAP-TLS authentication, then delete
86 # this configuration item.
87 CA_file = ${cadir}/ca.pem
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first.
# Use at least 2048 bits; 1024-bit DH parameters
# are considered weak and are rejected by many
# current TLS stacks:
#
# openssl dhparam -out certs/dh 2048
95 dh_file = ${certdir}/dh
96 random_file = ${certdir}/random
99 # This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in the
# RADIUS packet. On most APs the MAX packet
103 # length is configured between 1500 - 1600
104 # In these cases, fragment size should be
107 # fragment_size = 1024
# include_length is a flag which is set to
# "yes" by default. If set to "yes", the total
# length of the message is included in EVERY
# packet we send. If set to "no", the total
# length of the message is included ONLY in the
# first packet of a fragment series.
117 # include_length = yes
119 # Check the Certificate Revocation List
121 # 1) Copy CA certificates and CRLs to same directory.
122 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
123 # 'c_rehash' is OpenSSL's command.
124 # 3) uncomment the line below.
127 # CA_path = /path/to/directory/with/ca_certs/and/crls/
130 # If check_cert_issuer is set, the value will
131 # be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the certificate verification will fail,
# rejecting the user.
136 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
139 # If check_cert_cn is set, the value will
140 # be xlat'ed and checked against the CN
141 # in the client certificate. If the values
142 # do not match, the certificate verification
143 # will fail rejecting the user.
145 # This check is done only if the previous
146 # "check_cert_issuer" is not set, or if
147 # the check succeeds.
149 # check_cert_cn = %{User-Name}
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
#
# Note that "DEFAULT" allows whatever the linked
# OpenSSL build enables by default; consider
# restricting this to an explicit list of strong
# suites appropriate for your clients.
154 cipher_list = "DEFAULT"
157 # The session resumption / fast reauthentication
158 # cache CANNOT be used for inner sessions.