1 ######################################################################
3 # Initial implementation of RADIUS over TLS (radsec)
5 ######################################################################
12 # For now, only TCP transport is allowed.
17 # This is *exactly* the same configuration as used by the EAP-TLS
18 # module. It's OK for testing, but for production use it's a good
19 # idea to use different server certificates for EAP and for RADIUS
22 private_key_password = whatever
23 private_key_file = ${certdir}/server.pem
25 # If Private key & Certificate are located in
26 # the same file, then private_key_file &
27 # certificate_file must contain the same file
30 # If CA_file (below) is not used, then the
31 # certificate_file below MUST include not
32 # only the server certificate, but ALSO all
33 # of the CA certificates used to sign the
35 certificate_file = ${certdir}/server.pem
37 # Trusted Root CA list
39 # ALL of the CAs in this list will be trusted
40 # to issue client certificates for authentication.
42 # In general, you should use self-signed
43 # certificates for 802.1x (EAP) authentication.
44 # In that case, this CA file should contain
45 # *one* CA certificate.
47 # This parameter is used only for EAP-TLS,
48 # when you issue client certificates. If you do
49 # not use client certificates, and you do not want
50 # to permit EAP-TLS authentication, then delete
51 # this configuration item.
52 CA_file = ${cadir}/ca.pem
55 # For DH cipher suites to work, you have to
56 # run OpenSSL to create the DH file first:
58 # openssl dhparam -out certs/dh 1024
60 dh_file = ${certdir}/dh
61 random_file = ${certdir}/random
64 # This can never exceed the size of a RADIUS
65 # packet (4096 bytes), and is preferably half
66 # that, to accommodate other attributes in
67 # RADIUS packet. On most APs the MAX packet
68 # length is configured between 1500 - 1600
69 # In these cases, fragment size should be
72 # fragment_size = 1024
74 # include_length is a flag which is
75 # by default set to yes. If set to
76 # yes, Total Length of the message is
77 # included in EVERY packet we send.
78 # If set to no, Total Length of the
79 # message is included ONLY in the
80 # First packet of a fragment series.
82 # include_length = yes
84 # Check the Certificate Revocation List
86 # 1) Copy CA certificates and CRLs to same directory.
87 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
88 # 'c_rehash' is an OpenSSL command.
89 # 3) uncomment the line below.
95 # If check_cert_issuer is set, the value will
96 # be checked against the DN of the issuer in
97 # the client certificate. If the values do not
98 # match, the certificate verification will fail,
101 # In 2.1.10 and later, this check can be done
102 # more generally by checking the value of the
103 # TLS-Client-Cert-Issuer attribute. This check
104 # can be done via any mechanism you choose.
106 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
109 # If check_cert_cn is set, the value will
110 # be xlat'ed and checked against the CN
111 # in the client certificate. If the values
112 # do not match, the certificate verification
113 # will fail rejecting the user.
115 # This check is done only if the previous
116 # "check_cert_issuer" is not set, or if
117 # the check succeeds.
119 # In 2.1.10 and later, this check can be done
120 # more generally by checking the value of the
121 # TLS-Client-Cert-CN attribute. This check
122 # can be done via any mechanism you choose.
124 # check_cert_cn = %{User-Name}
126 # Set this option to specify the allowed
127 # TLS cipher suites. The format is listed
128 # in "man 1 ciphers".
129 cipher_list = "DEFAULT"
133 # This configuration entry should be deleted
134 # once the server is running in a normal
135 # configuration. It is here ONLY to make
136 # initial deployments easier.
139 # This is enabled in eap.conf, so we don't need it here.
141 # make_cert_command = "${certdir}/bootstrap"
144 # Session resumption / fast reauthentication
147 # The cache contains the following information:
149 # session Id - unique identifier, managed by SSL
150 # User-Name - from the Access-Accept
151 # Stripped-User-Name - from the Access-Request
152 # Cached-Session-Policy - from the Access-Accept
154 # The "Cached-Session-Policy" is the name of a
155 # policy which should be applied to the cached
156 # session. This policy can be used to assign
157 # VLANs, IP addresses, etc. It serves as a useful
158 # way to re-apply the policy from the original
159 # Access-Accept to the subsequent Access-Accept
160 # for the cached session.
162 # On session resumption, these attributes are
163 # copied from the cache, and placed into the
166 # You probably also want "use_tunneled_reply = yes"
167 # when using fast session resumption.
171 # Enable it. The default is "no".
172 # Deleting the entire "cache" subsection
173 # also disables caching.
175 # You can disallow resumption for a
176 # particular user by adding the following
177 # attribute to the control item list:
179 # Allow-Session-Resumption = No
181 # If "enable = no" below, you CANNOT
182 # enable resumption for just one user
183 # by setting the above attribute to "yes".
188 # Lifetime of the cached entries, in hours.
189 # The sessions will be deleted after this
192 lifetime = 24 # hours
195 # The maximum number of entries in the
196 # cache. Set to "0" for "infinite".
198 # This could be set to the number of users
199 # who are logged in... which can be a LOT.
205 # Require a client certificate.
207 require_client_cert = yes
210 # As of version 2.1.10, client certificates can be
211 # validated via an external command. This allows
212 # dynamic CRLs or OCSP to be used.
214 # This configuration is commented out in the
215 # default configuration. Uncomment it, and configure
216 # the correct paths below to enable it.
219 # A temporary directory where the client
220 # certificates are stored. This directory
221 # MUST be owned by the UID of the server,
222 # and MUST not be accessible by any other
223 # users. When the server starts, it will do
224 # "chmod go-rwx" on the directory, for
225 # security reasons. The directory MUST
226 # exist when the server starts.
228 # You should also delete all of the files
229 # in the directory when the server starts.
230 # tmpdir = /tmp/radiusd
232 # The command used to verify the client cert.
233 # We recommend using the OpenSSL command-line
236 # The ${..CA_path} text is a reference to
237 # the CA_path variable defined above.
239 # The %{TLS-Client-Cert-Filename} is the name
240 # of the temporary file containing the cert
241 # in PEM format. This file is automatically
242 # deleted by the server when the command
244 # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
269 status_check = status-server
272 private_key_password = whatever
273 private_key_file = ${certdir}/client.pem
275 # If Private key & Certificate are located in
276 # the same file, then private_key_file &
277 # certificate_file must contain the same file
280 # If CA_file (below) is not used, then the
281 # certificate_file below MUST include not
282 # only the server certificate, but ALSO all
283 # of the CA certificates used to sign the
284 # server certificate.
285 certificate_file = ${certdir}/client.pem
287 # Trusted Root CA list
289 # ALL of the CAs in this list will be trusted
290 # to issue client certificates for authentication.
292 # In general, you should use self-signed
293 # certificates for 802.1x (EAP) authentication.
294 # In that case, this CA file should contain
295 # *one* CA certificate.
297 # This parameter is used only for EAP-TLS,
298 # when you issue client certificates. If you do
299 # not use client certificates, and you do not want
300 # to permit EAP-TLS authentication, then delete
301 # this configuration item.
302 CA_file = ${cadir}/ca.pem
305 # For DH cipher suites to work, you have to
306 # run OpenSSL to create the DH file first:
308 # openssl dhparam -out certs/dh 1024
310 dh_file = ${certdir}/dh
311 random_file = ${certdir}/random
314 # This can never exceed the size of a RADIUS
315 # packet (4096 bytes), and is preferably half
316 # that, to accommodate other attributes in
317 # RADIUS packet. On most APs the MAX packet
318 # length is configured between 1500 - 1600
319 # In these cases, fragment size should be
322 # fragment_size = 1024
324 # include_length is a flag which is
325 # by default set to yes. If set to
326 # yes, Total Length of the message is
327 # included in EVERY packet we send.
328 # If set to no, Total Length of the
329 # message is included ONLY in the
330 # First packet of a fragment series.
332 # include_length = yes
334 # Check the Certificate Revocation List
336 # 1) Copy CA certificates and CRLs to same directory.
337 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
338 # 'c_rehash' is an OpenSSL command.
339 # 3) uncomment the line below.
345 # If check_cert_issuer is set, the value will
346 # be checked against the DN of the issuer in
347 # the client certificate. If the values do not
348 # match, the certificate verification will fail,
349 # rejecting the user.
351 # In 2.1.10 and later, this check can be done
352 # more generally by checking the value of the
353 # TLS-Client-Cert-Issuer attribute. This check
354 # can be done via any mechanism you choose.
356 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
359 # If check_cert_cn is set, the value will
360 # be xlat'ed and checked against the CN
361 # in the client certificate. If the values
362 # do not match, the certificate verification
363 # will fail rejecting the user.
365 # This check is done only if the previous
366 # "check_cert_issuer" is not set, or if
367 # the check succeeds.
369 # In 2.1.10 and later, this check can be done
370 # more generally by checking the value of the
371 # TLS-Client-Cert-CN attribute. This check
372 # can be done via any mechanism you choose.
374 # check_cert_cn = %{User-Name}
376 # Set this option to specify the allowed
377 # TLS cipher suites. The format is listed
378 # in "man 1 ciphers".
379 cipher_list = "DEFAULT"
384 home_server_pool tls {