+# -*- text -*-
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
}
# Generic Token Card.
- #
+ #
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# include_length = yes
# Check the Certificate Revocation List
- #
+ #
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 5) Restart radiusd
# check_crl = yes
- #
- # If check_cert_cn is set, the value will
- # be xlat'ed and checked against the CN
- # in the client certificate. If the values
- # do not match, the certificate verification
- # will fail rejecting the user.
- #
- # check_cert_cn = %{User-Name}
+ #
+ # If check_cert_cn is set, the value will
+ # be xlat'ed and checked against the CN
+ # in the client certificate. If the values
+ # do not match, the certificate verification
+ # will fail rejecting the user.
+ #
+ # check_cert_cn = %{User-Name}
#}
# The TTLS module implements the EAP-TTLS protocol,
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
- # inside of the EAP packet. You will still need to
+ # inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# copy_request_to_tunnel = no
# The reply attributes sent to the NAS are
- # usually based on the name of the user
+ # usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# the tunneled request.
#
# allowed values: {no, yes}
- # use_tunneled_reply = no
-
+ # use_tunneled_reply = no
#}
#
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
- # inside of the EAP packet. You will still need to
+ # inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# as that is the default type supported by
# Windows clients.
# default_eap_type = mschapv2
+
+ # the PEAP module also has these configuration
+ # items, which are the same as for TTLS.
+ # copy_request_to_tunnel = no
+ # use_tunneled_reply = no
+
+ # When the tunneled session is proxied, the
+ # home server may not understand EAP-MSCHAP-V2.
+ # Set this entry to "no" to proxy the tunneled
+ # EAP-MSCHAP-V2 as normal MSCHAPv2.
+ # proxy_tunneled_request_as_eap = yes
#}
#
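Review bot: The added comment for `proxy_tunneled_request_as_eap` (last added block of the PEAP section) gives the interoperability reason for setting it to "no" but not the security trade-off. With "no", the inner EAP-MSCHAP-V2 is forwarded to the home server as normal MSCHAPv2, so the exchange presumably leaves the TLS tunnel at this server and is protected only by whatever secures the proxy link. I would add `# Note: with "no", the MSCHAPv2 challenge/response is no longer tunnelled on the proxy leg;` followed by `# use it only when the link to the home server is trusted or otherwise protected.` The same block refers to TTLS for `copy_request_to_tunnel` and `use_tunneled_reply` without restating the values; repeating `# allowed values: {no, yes}` here would save readers from scrolling back. The enclosing peap section starts outside this hunk.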