1 ######################################################################
3 # Initial implementation of RADIUS over TLS (radsec)
5 ######################################################################
12 # For now, only TCP transport is allowed.
17 # This is *exactly* the same configuration as used by the EAP-TLS
18 # module. It's OK for testing, but for production use it's a good
19 # idea to use different server certificates for EAP and for RADIUS
22 private_key_password = whatever
23 private_key_file = ${certdir}/server.pem
25 # If Private key & Certificate are located in
26 # the same file, then private_key_file &
27 # certificate_file must contain the same file
30 # If CA_file (below) is not used, then the
31 # certificate_file below MUST include not
32 # only the server certificate, but ALSO all
33 # of the CA certificates used to sign the
35 certificate_file = ${certdir}/server.pem
37 # Trusted Root CA list
39 # ALL of the CA's in this list will be trusted
40 # to issue client certificates for authentication.
42 # In general, you should use self-signed
43 # certificates for 802.1x (EAP) authentication.
44 # In that case, this CA file should contain
45 # *one* CA certificate.
47 # This parameter is used only for EAP-TLS,
48 # when you issue client certificates. If you do
49 # not use client certificates, and you do not want
50 # to permit EAP-TLS authentication, then delete
51 # this configuration item.
52 CA_file = ${cadir}/ca.pem
55 # For DH cipher suites to work, you have to
56 # run OpenSSL to create the DH file first:
58 # openssl dhparam -out certs/dh 1024
60 dh_file = ${certdir}/dh
61 random_file = ${certdir}/random
64 # The default fragment size is 1K.
65 # However, it's possible to send much more data than
66 # that over a TCP connection. The upper limit is 64K.
67 # Setting the fragment size to more than 1K means that
68 # there are fewer round trips when setting up a TLS
69 # connection. But only if the certificates are large.
71 # fragment_size = 65536
73 # include_length is a flag which is
74 # by default set to yes. If set to
75 # yes, Total Length of the message is
76 # included in EVERY packet we send.
77 # If set to no, Total Length of the
78 # message is included ONLY in the
79 # First packet of a fragment series.
81 # include_length = yes
83 # Check the Certificate Revocation List
85 # 1) Copy CA certificates and CRLs to same directory.
86 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
87 # 'c_rehash' is OpenSSL's command.
88 # 3) uncomment the line below.
94 # If check_cert_issuer is set, the value will
95 # be checked against the DN of the issuer in
96 # the client certificate. If the values do not
97 # match, the certificate verification will fail, rejecting the user.
100 # In 2.1.10 and later, this check can be done
101 # more generally by checking the value of the
102 # TLS-Client-Cert-Issuer attribute. This check
103 # can be done via any mechanism you choose.
105 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
108 # If check_cert_cn is set, the value will
109 # be xlat'ed and checked against the CN
110 # in the client certificate. If the values
111 # do not match, the certificate verification
112 # will fail rejecting the user.
114 # This check is done only if the previous
115 # "check_cert_issuer" is not set, or if
116 # the check succeeds.
118 # In 2.1.10 and later, this check can be done
119 # more generally by checking the value of the
120 # TLS-Client-Cert-CN attribute. This check
121 # can be done via any mechanism you choose.
123 # check_cert_cn = %{User-Name}
125 # Set this option to specify the allowed
126 # TLS cipher suites. The format is listed
127 # in "man 1 ciphers".
128 cipher_list = "DEFAULT"
132 # This configuration entry should be deleted
133 # once the server is running in a normal
134 # configuration. It is here ONLY to make
135 # initial deployments easier.
138 # This is enabled in eap.conf, so we don't need it here.
140 # make_cert_command = "${certdir}/bootstrap"
143 # Session resumption / fast reauthentication
146 # The cache contains the following information:
148 # session Id - unique identifier, managed by SSL
149 # User-Name - from the Access-Accept
150 # Stripped-User-Name - from the Access-Request
151 # Cached-Session-Policy - from the Access-Accept
153 # The "Cached-Session-Policy" is the name of a
154 # policy which should be applied to the cached
155 # session. This policy can be used to assign
156 # VLANs, IP addresses, etc. It serves as a useful
157 # way to re-apply the policy from the original
158 # Access-Accept to the subsequent Access-Accept
159 # for the cached session.
161 # On session resumption, these attributes are
162 # copied from the cache, and placed into the
165 # You probably also want "use_tunneled_reply = yes"
166 # when using fast session resumption.
170 # Enable it. The default is "no".
171 # Deleting the entire "cache" subsection
172 # also disables caching.
174 # You can disallow resumption for a
175 # particular user by adding the following
176 # attribute to the control item list:
178 # Allow-Session-Resumption = No
180 # If "enable = no" below, you CANNOT
181 # enable resumption for just one user
182 # by setting the above attribute to "yes".
187 # Lifetime of the cached entries, in hours.
188 # The sessions will be deleted after this
191 lifetime = 24 # hours
194 # The maximum number of entries in the
195 # cache. Set to "0" for "infinite".
197 # This could be set to the number of users
198 # who are logged in... which can be a LOT.
204 # Require a client certificate.
206 require_client_cert = yes
209 # As of version 2.1.10, client certificates can be
210 # validated via an external command. This allows
211 # dynamic CRLs or OCSP to be used.
213 # This configuration is commented out in the
214 # default configuration. Uncomment it, and configure
215 # the correct paths below to enable it.
218 # A temporary directory where the client
219 # certificates are stored. This directory
220 # MUST be owned by the UID of the server,
221 # and MUST not be accessible by any other
222 # users. When the server starts, it will do
223 # "chmod go-rwx" on the directory, for
224 # security reasons. The directory MUST
225 # exist when the server starts.
227 # You should also delete all of the files
228 # in the directory when the server starts.
229 # tmpdir = /tmp/radiusd
231 # The command used to verify the client cert.
232 # We recommend using the OpenSSL command-line
235 # The ${..CA_path} text is a reference to
236 # the CA_path variable defined above.
238 # The %{TLS-Client-Cert-Filename} is the name
239 # of the temporary file containing the cert
240 # in PEM format. This file is automatically
241 # deleted by the server when the command
243 # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
271 private_key_password = whatever
272 private_key_file = ${certdir}/client.pem
274 # If Private key & Certificate are located in
275 # the same file, then private_key_file &
276 # certificate_file must contain the same file
279 # If CA_file (below) is not used, then the
280 # certificate_file below MUST include not
281 # only the server certificate, but ALSO all
282 # of the CA certificates used to sign the
283 # server certificate.
284 certificate_file = ${certdir}/client.pem
286 # Trusted Root CA list
288 # ALL of the CA's in this list will be trusted
289 # to issue client certificates for authentication.
291 # In general, you should use self-signed
292 # certificates for 802.1x (EAP) authentication.
293 # In that case, this CA file should contain
294 # *one* CA certificate.
296 # This parameter is used only for EAP-TLS,
297 # when you issue client certificates. If you do
298 # not use client certificates, and you do not want
299 # to permit EAP-TLS authentication, then delete
300 # this configuration item.
301 CA_file = ${cadir}/ca.pem
304 # For DH cipher suites to work, you have to
305 # run OpenSSL to create the DH file first:
307 # openssl dhparam -out certs/dh 1024
309 dh_file = ${certdir}/dh
310 random_file = ${certdir}/random
313 # The default fragment size is 1K.
314 # However, TLS can send 64K of data at once.
315 # It can be useful to set it higher.
317 # fragment_size = 65536
319 # include_length is a flag which is
320 # by default set to yes. If set to
321 # yes, Total Length of the message is
322 # included in EVERY packet we send.
323 # If set to no, Total Length of the
324 # message is included ONLY in the
325 # First packet of a fragment series.
327 # include_length = yes
329 # Check the Certificate Revocation List
331 # 1) Copy CA certificates and CRLs to same directory.
332 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
333 # 'c_rehash' is OpenSSL's command.
334 # 3) uncomment the line below.
340 # If check_cert_issuer is set, the value will
341 # be checked against the DN of the issuer in
342 # the client certificate. If the values do not
343 # match, the certificate verification will fail,
344 # rejecting the user.
346 # In 2.1.10 and later, this check can be done
347 # more generally by checking the value of the
348 # TLS-Client-Cert-Issuer attribute. This check
349 # can be done via any mechanism you choose.
351 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
354 # If check_cert_cn is set, the value will
355 # be xlat'ed and checked against the CN
356 # in the client certificate. If the values
357 # do not match, the certificate verification
358 # will fail rejecting the user.
360 # This check is done only if the previous
361 # "check_cert_issuer" is not set, or if
362 # the check succeeds.
364 # In 2.1.10 and later, this check can be done
365 # more generally by checking the value of the
366 # TLS-Client-Cert-CN attribute. This check
367 # can be done via any mechanism you choose.
369 # check_cert_cn = %{User-Name}
371 # Set this option to specify the allowed
372 # TLS cipher suites. The format is listed
373 # in "man 1 ciphers".
374 cipher_list = "DEFAULT"
379 home_server_pool tls {