1 ######################################################################
3 # Initial implementation of RADIUS over TLS (radsec)
5 ######################################################################
12 # For now, only TCP transport is allowed.
15 # Send packets to the default virtual server
16 virtual_server = default
21 # Connection limiting for sockets with "proto = tcp".
25 # Limit the number of simultaneous TCP connections to the socket
28 # Setting this to 0 means "no limit"
31 # The per-socket "max_requests" option does not exist.
34 # The lifetime, in seconds, of a TCP connection. After
35 # this lifetime, the connection will be closed.
37 # Setting this to 0 means "forever".
41 # The idle timeout, in seconds, of a TCP connection.
42 # If no packets have been received over the connection for
43 # this time, the connection will be closed.
45 # Setting this to 0 means "no timeout".
47 # We STRONGLY RECOMMEND that you set an idle timeout.
52 # This is *exactly* the same configuration as used by the EAP-TLS
53 # module. It's OK for testing, but for production use it's a good
54 # idea to use different server certificates for EAP and for RADIUS
57 private_key_password = whatever
58 private_key_file = ${certdir}/server.pem
60 # If Private key & Certificate are located in
61 # the same file, then private_key_file &
62 # certificate_file must contain the same file
65 # If ca_file (below) is not used, then the
66 # certificate_file below MUST include not
67 # only the server certificate, but ALSO all
68 # of the CA certificates used to sign the
70 certificate_file = ${certdir}/server.pem
72 # Trusted Root CA list
74 # ALL of the CA's in this list will be trusted
75 # to issue client certificates for authentication.
77 # In general, you should use self-signed
78 # certificates for 802.1x (EAP) authentication.
79 # In that case, this CA file should contain
80 # *one* CA certificate.
82 # This parameter is used only for EAP-TLS,
83 # when you issue client certificates. If you do
84 # not use client certificates, and you do not want
85 # to permit EAP-TLS authentication, then delete
86 # this configuration item. Note that "require_client_cert = yes" below relies on this CA list to validate client certificates.
87 ca_file = ${cadir}/ca.pem
90 # For DH cipher suites to work, you have to
91 # run OpenSSL to create the DH file first:
93 # openssl dhparam -out certs/dh 1024
95 dh_file = ${certdir}/dh
98 # If your system doesn't have /dev/urandom,
99 # you will need to create this file, and
100 # periodically change its contents.
102 # For security reasons, FreeRADIUS doesn't
103 # write to files in its configuration
106 # random_file = ${certdir}/random
109 # The default fragment size is 1K.
110 # However, it's possible to send much more data than
111 # that over a TCP connection. The upper limit is 64K.
112 # Setting the fragment size to more than 1K means that
113 # there are fewer round trips when setting up a TLS
114 # connection. But only if the certificates are large.
118 # include_length is a flag which is
119 # by default set to yes. If set to
120 # yes, Total Length of the message is
121 # included in EVERY packet we send.
122 # If set to no, Total Length of the
123 # message is included ONLY in the
124 # First packet of a fragment series.
126 # include_length = yes
128 # Check the Certificate Revocation List
130 # 1) Copy CA certificates and CRLs to same directory.
131 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
132 # 'c_rehash' is OpenSSL's command.
133 # 3) uncomment the line below.
139 # If check_cert_issuer is set, the value will
140 # be checked against the DN of the issuer in
141 # the client certificate. If the values do not
142 # match, the certificate verification will fail,
143 # rejecting the user.
145 # In 2.1.10 and later, this check can be done
146 # more generally by checking the value of the
147 # TLS-Client-Cert-Issuer attribute. This check
148 # can be done via any mechanism you choose.
150 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
153 # If check_cert_cn is set, the value will
154 # be xlat'ed and checked against the CN
155 # in the client certificate. If the values
156 # do not match, the certificate verification
157 # will fail, rejecting the user.
159 # This check is done only if the previous
160 # "check_cert_issuer" is not set, or if
161 # the check succeeds.
163 # In 2.1.10 and later, this check can be done
164 # more generally by checking the value of the
165 # TLS-Client-Cert-CN attribute. This check
166 # can be done via any mechanism you choose.
168 # check_cert_cn = %{User-Name}
170 # Set this option to specify the allowed
171 # TLS cipher suites. The format is listed
172 # in "man 1 ciphers".
173 cipher_list = "DEFAULT"
177 # This configuration entry should be deleted
178 # once the server is running in a normal
179 # configuration. It is here ONLY to make
180 # initial deployments easier.
183 # This is enabled in eap.conf, so we don't need it here.
185 # make_cert_command = "${certdir}/bootstrap"
188 # Session resumption / fast reauthentication
191 # The cache contains the following information:
193 # session Id - unique identifier, managed by SSL
194 # User-Name - from the Access-Accept
195 # Stripped-User-Name - from the Access-Request
196 # Cached-Session-Policy - from the Access-Accept
198 # The "Cached-Session-Policy" is the name of a
199 # policy which should be applied to the cached
200 # session. This policy can be used to assign
201 # VLANs, IP addresses, etc. It serves as a useful
202 # way to re-apply the policy from the original
203 # Access-Accept to the subsequent Access-Accept
204 # for the cached session.
206 # On session resumption, these attributes are
207 # copied from the cache, and placed into the
210 # You probably also want "use_tunneled_reply = yes"
211 # when using fast session resumption.
215 # Enable it. The default is "no".
216 # Deleting the entire "cache" subsection
217 # also disables caching.
219 # You can disallow resumption for a
220 # particular user by adding the following
221 # attribute to the control item list:
223 # Allow-Session-Resumption = No
225 # If "enable = no" below, you CANNOT
226 # enable resumption for just one user
227 # by setting the above attribute to "yes".
232 # Lifetime of the cached entries, in hours.
233 # The sessions will be deleted after this
236 lifetime = 24 # hours
239 # The maximum number of entries in the
240 # cache. Set to "0" for "infinite".
242 # This could be set to the number of users
243 # who are logged in... which can be a LOT.
248 # Internal "name" of the session cache.
249 # Used to distinguish which TLS context
250 # sessions belong to.
252 # The server will generate a random value
253 # if unset. This will change across server
254 # restart so you MUST set the "name" if you
255 # want to persist sessions (see below).
257 # If you use IPv6, change the "ipaddr" below
260 #name = "TLS ${..ipaddr} ${..port} ${..proto}"
263 # Simple directory-based storage of sessions.
264 # Two files per session will be written, the SSL
265 # state and the cached VPs. This will persist session
266 # across server restarts.
268 # The server will need write perms, and the directory
269 # should be secured from anyone else. You might want
270 # a script to remove old files from here periodically:
272 # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
274 # This feature REQUIRES the "name" option to be set above.
276 #persist_dir = "${logdir}/tlscache"
280 # Require a client certificate.
282 require_client_cert = yes
285 # As of version 2.1.10, client certificates can be
286 # validated via an external command. This allows
287 # dynamic CRLs or OCSP to be used.
289 # This configuration is commented out in the
290 # default configuration. Uncomment it, and configure
291 # the correct paths below to enable it.
294 # A temporary directory where the client
295 # certificates are stored. This directory
296 # MUST be owned by the UID of the server,
297 # and MUST not be accessible by any other
298 # users. When the server starts, it will do
299 # "chmod go-rwx" on the directory, for
300 # security reasons. The directory MUST
301 # exist when the server starts.
303 # You should also delete all of the files
304 # in the directory when the server starts.
305 # tmpdir = /tmp/radiusd
307 # The command used to verify the client cert.
308 # We recommend using the OpenSSL command-line
311 # The ${..ca_path} text is a reference to
312 # the ca_path variable defined above.
314 # The %{TLS-Client-Cert-Filename} is the name
315 # of the temporary file containing the cert
316 # in PEM format. This file is automatically
317 # deleted by the server when the command
319 # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
329 # Ensure that this client is TLS *only*.
334 # TCP clients can have any shared secret.
336 # TLS clients MUST have the shared secret
337 # set to "radsec". Or, for "proto = tls",
338 # you can omit the secret, and it will
339 # automatically be set to "radsec".
344 # You can also use a "limit" section here.
345 # See raddb/clients.conf for examples.
347 # Note that BOTH limits are applied. You
348 # should therefore set the "listen" limits
349 # higher than the ones for each individual
370 private_key_password = whatever
371 private_key_file = ${certdir}/client.pem
373 # If Private key & Certificate are located in
374 # the same file, then private_key_file &
375 # certificate_file must contain the same file
378 # If ca_file (below) is not used, then the
379 # certificate_file below MUST include not
380 # only the server certificate, but ALSO all
381 # of the CA certificates used to sign the
382 # server certificate.
383 certificate_file = ${certdir}/client.pem
385 # Trusted Root CA list
387 # ALL of the CA's in this list will be trusted
388 # to issue client certificates for authentication.
390 # In general, you should use self-signed
391 # certificates for 802.1x (EAP) authentication.
392 # In that case, this CA file should contain
393 # *one* CA certificate.
395 # This parameter is used only for EAP-TLS,
396 # when you issue client certificates. If you do
397 # not use client certificates, and you do not want
398 # to permit EAP-TLS authentication, then delete
399 # this configuration item.
400 ca_file = ${cadir}/ca.pem
403 # For DH cipher suites to work, you have to
404 # run OpenSSL to create the DH file first:
406 # openssl dhparam -out certs/dh 1024
408 dh_file = ${certdir}/dh
409 random_file = ${certdir}/random
412 # The default fragment size is 1K.
413 # However, TLS can send 64K of data at once.
414 # It can be useful to set it higher.
418 # include_length is a flag which is
419 # by default set to yes. If set to
420 # yes, Total Length of the message is
421 # included in EVERY packet we send.
422 # If set to no, Total Length of the
423 # message is included ONLY in the
424 # First packet of a fragment series.
426 # include_length = yes
428 # Check the Certificate Revocation List
430 # 1) Copy CA certificates and CRLs to same directory.
431 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
432 # 'c_rehash' is OpenSSL's command.
433 # 3) uncomment the line below.
439 # If check_cert_issuer is set, the value will
440 # be checked against the DN of the issuer in
441 # the client certificate. If the values do not
442 # match, the certificate verification will fail,
443 # rejecting the user.
445 # In 2.1.10 and later, this check can be done
446 # more generally by checking the value of the
447 # TLS-Client-Cert-Issuer attribute. This check
448 # can be done via any mechanism you choose.
450 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
453 # If check_cert_cn is set, the value will
454 # be xlat'ed and checked against the CN
455 # in the client certificate. If the values
456 # do not match, the certificate verification
457 # will fail, rejecting the user.
459 # This check is done only if the previous
460 # "check_cert_issuer" is not set, or if
461 # the check succeeds.
463 # In 2.1.10 and later, this check can be done
464 # more generally by checking the value of the
465 # TLS-Client-Cert-CN attribute. This check
466 # can be done via any mechanism you choose.
468 # check_cert_cn = %{User-Name}
470 # Set this option to specify the allowed
471 # TLS cipher suites. The format is listed
472 # in "man 1 ciphers".
473 cipher_list = "DEFAULT"
478 home_server_pool tls {