1 ######################################################################
3 # Initial implementation of RADIUS over TLS (radsec)
5 ######################################################################
12 # For now, only TCP transport is allowed.
15 # Send packets to the default virtual server
16 virtual_server = default
20 # This is *exactly* the same configuration as used by the EAP-TLS
21 # module. It's OK for testing, but for production use it's a good
22 # idea to use different server certificates for EAP and for RADIUS
25 private_key_password = whatever
26 private_key_file = ${certdir}/server.pem
28 # If Private key & Certificate are located in
29 # the same file, then private_key_file &
30 # certificate_file must contain the same file
33 # If ca_file (below) is not used, then the
34 # certificate_file below MUST include not
35 # only the server certificate, but ALSO all
36 # of the CA certificates used to sign the
38 certificate_file = ${certdir}/server.pem
40 # Trusted Root CA list
42 # ALL of the CAs in this list will be trusted
43 # to issue client certificates for authentication.
45 # In general, you should use self-signed
46 # certificates for 802.1x (EAP) authentication.
47 # In that case, this CA file should contain
48 # *one* CA certificate.
50 # This parameter is used only for EAP-TLS,
51 # when you issue client certificates. If you do
52 # not use client certificates, and you do not want
53 # to permit EAP-TLS authentication, then delete
54 # this configuration item.
55 ca_file = ${cadir}/ca.pem
58 # For DH cipher suites to work, you have to
59 # run OpenSSL to create the DH file first:
61 # openssl dhparam -out certs/dh 1024
63 dh_file = ${certdir}/dh
66 # If your system doesn't have /dev/urandom,
67 # you will need to create this file, and
68 # periodically change its contents.
70 # For security reasons, FreeRADIUS doesn't
71 # write to files in its configuration
74 # random_file = ${certdir}/random
77 # The default fragment size is 1K.
78 # However, it's possible to send much more data than
79 # that over a TCP connection. The upper limit is 64K.
80 # Setting the fragment size to more than 1K means that
81 # there are fewer round trips when setting up a TLS
82 # connection. But only if the certificates are large.
86 # include_length is a flag which is
87 # by default set to yes. If set to
88 # yes, Total Length of the message is
89 # included in EVERY packet we send.
90 # If set to no, Total Length of the
91 # message is included ONLY in the
92 # First packet of a fragment series.
94 # include_length = yes
96 # Check the Certificate Revocation List
98 # 1) Copy CA certificates and CRLs to same directory.
99 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
100 # 'c_rehash' is an OpenSSL command.
101 # 3) uncomment the line below.
107 # If check_cert_issuer is set, the value will
108 # be checked against the DN of the issuer in
109 # the client certificate. If the values do not
110 # match, the certificate verification will fail,
111 # rejecting the user.
113 # In 2.1.10 and later, this check can be done
114 # more generally by checking the value of the
115 # TLS-Client-Cert-Issuer attribute. This check
116 # can be done via any mechanism you choose.
118 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
121 # If check_cert_cn is set, the value will
122 # be xlat'ed and checked against the CN
123 # in the client certificate. If the values
124 # do not match, the certificate verification
125 # will fail, rejecting the user.
127 # This check is done only if the previous
128 # "check_cert_issuer" is not set, or if
129 # the check succeeds.
131 # In 2.1.10 and later, this check can be done
132 # more generally by checking the value of the
133 # TLS-Client-Cert-CN attribute. This check
134 # can be done via any mechanism you choose.
136 # check_cert_cn = %{User-Name}
138 # Set this option to specify the allowed
139 # TLS cipher suites. The format is listed
140 # in "man 1 ciphers".
141 cipher_list = "DEFAULT"
145 # This configuration entry should be deleted
146 # once the server is running in a normal
147 # configuration. It is here ONLY to make
148 # initial deployments easier.
151 # This is enabled in eap.conf, so we don't need it here.
153 # make_cert_command = "${certdir}/bootstrap"
156 # Session resumption / fast reauthentication
159 # The cache contains the following information:
161 # session Id - unique identifier, managed by SSL
162 # User-Name - from the Access-Accept
163 # Stripped-User-Name - from the Access-Request
164 # Cached-Session-Policy - from the Access-Accept
166 # The "Cached-Session-Policy" is the name of a
167 # policy which should be applied to the cached
168 # session. This policy can be used to assign
169 # VLANs, IP addresses, etc. It serves as a useful
170 # way to re-apply the policy from the original
171 # Access-Accept to the subsequent Access-Accept
172 # for the cached session.
174 # On session resumption, these attributes are
175 # copied from the cache, and placed into the
178 # You probably also want "use_tunneled_reply = yes"
179 # when using fast session resumption.
183 # Enable it. The default is "no".
184 # Deleting the entire "cache" subsection
185 # also disables caching.
187 # You can disallow resumption for a
188 # particular user by adding the following
189 # attribute to the control item list:
191 # Allow-Session-Resumption = No
193 # If "enable = no" below, you CANNOT
194 # enable resumption for just one user
195 # by setting the above attribute to "yes".
200 # Lifetime of the cached entries, in hours.
201 # The sessions will be deleted after this
204 lifetime = 24 # hours
207 # The maximum number of entries in the
208 # cache. Set to "0" for "infinite".
210 # This could be set to the number of users
211 # who are logged in... which can be a LOT.
216 # Internal "name" of the session cache.
217 # Used to distinguish which TLS context
218 # sessions belong to.
220 # The server will generate a random value
221 # if unset. This will change across server
222 # restarts, so you MUST set the "name" if you
223 # want to persist sessions (see below).
225 # If you use IPv6, change the "ipaddr" below
228 #name = "TLS ${..ipaddr} ${..port} ${..proto}"
231 # Simple directory-based storage of sessions.
232 # Two files per session will be written, the SSL
233 # state and the cached VPs. This will persist sessions
234 # across server restarts.
236 # The server will need write perms, and the directory
237 # should be secured from anyone else. You might want
238 # a script to remove old files from here periodically:
240 # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
242 # This feature REQUIRES the "name" option to be set above.
244 #persist_dir = "${logdir}/tlscache"
248 # Require a client certificate.
250 require_client_cert = yes
253 # As of version 2.1.10, client certificates can be
254 # validated via an external command. This allows
255 # dynamic CRLs or OCSP to be used.
257 # This configuration is commented out in the
258 # default configuration. Uncomment it, and configure
259 # the correct paths below to enable it.
262 # A temporary directory where the client
263 # certificates are stored. This directory
264 # MUST be owned by the UID of the server,
265 # and MUST not be accessible by any other
266 # users. When the server starts, it will do
267 # "chmod go-rwx" on the directory, for
268 # security reasons. The directory MUST
269 # exist when the server starts.
271 # You should also delete all of the files
272 # in the directory when the server starts.
273 # tmpdir = /tmp/radiusd
275 # The command used to verify the client cert.
276 # We recommend using the OpenSSL command-line
279 # The ${..ca_path} text is a reference to
280 # the ca_path variable defined above.
282 # The %{TLS-Client-Cert-Filename} is the name
283 # of the temporary file containing the cert
284 # in PEM format. This file is automatically
285 # deleted by the server when the command
287 # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
298 # TCP clients can have any shared secret.
300 # TLS clients MUST have the shared secret
322 private_key_password = whatever
323 private_key_file = ${certdir}/client.pem
325 # If Private key & Certificate are located in
326 # the same file, then private_key_file &
327 # certificate_file must contain the same file
330 # If ca_file (below) is not used, then the
331 # certificate_file below MUST include not
332 # only the server certificate, but ALSO all
333 # of the CA certificates used to sign the
334 # server certificate.
335 certificate_file = ${certdir}/client.pem
337 # Trusted Root CA list
339 # ALL of the CAs in this list will be trusted
340 # to issue client certificates for authentication.
342 # In general, you should use self-signed
343 # certificates for 802.1x (EAP) authentication.
344 # In that case, this CA file should contain
345 # *one* CA certificate.
347 # This parameter is used only for EAP-TLS,
348 # when you issue client certificates. If you do
349 # not use client certificates, and you do not want
350 # to permit EAP-TLS authentication, then delete
351 # this configuration item.
352 ca_file = ${cadir}/ca.pem
355 # For DH cipher suites to work, you have to
356 # run OpenSSL to create the DH file first:
358 # openssl dhparam -out certs/dh 1024
360 dh_file = ${certdir}/dh
361 random_file = ${certdir}/random
364 # The default fragment size is 1K.
365 # However, TLS can send 64K of data at once.
366 # It can be useful to set it higher.
370 # include_length is a flag which is
371 # by default set to yes. If set to
372 # yes, Total Length of the message is
373 # included in EVERY packet we send.
374 # If set to no, Total Length of the
375 # message is included ONLY in the
376 # First packet of a fragment series.
378 # include_length = yes
380 # Check the Certificate Revocation List
382 # 1) Copy CA certificates and CRLs to same directory.
383 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
384 # 'c_rehash' is an OpenSSL command.
385 # 3) uncomment the line below.
391 # If check_cert_issuer is set, the value will
392 # be checked against the DN of the issuer in
393 # the client certificate. If the values do not
394 # match, the certificate verification will fail,
395 # rejecting the user.
397 # In 2.1.10 and later, this check can be done
398 # more generally by checking the value of the
399 # TLS-Client-Cert-Issuer attribute. This check
400 # can be done via any mechanism you choose.
402 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
405 # If check_cert_cn is set, the value will
406 # be xlat'ed and checked against the CN
407 # in the client certificate. If the values
408 # do not match, the certificate verification
409 # will fail, rejecting the user.
411 # This check is done only if the previous
412 # "check_cert_issuer" is not set, or if
413 # the check succeeds.
415 # In 2.1.10 and later, this check can be done
416 # more generally by checking the value of the
417 # TLS-Client-Cert-CN attribute. This check
418 # can be done via any mechanism you choose.
420 # check_cert_cn = %{User-Name}
422 # Set this option to specify the allowed
423 # TLS cipher suites. The format is listed
424 # in "man 1 ciphers".
425 cipher_list = "DEFAULT"
430 home_server_pool tls {