# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
-# EAP types NOT listed here may be supported via the "eap2" module.
-# See experimental.conf for documentation.
-#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
ca_file = ${cadir}/ca.pem
+ # OpenSSL will automatically create certificate chains,
+ # unless we tell it to not do that. The problem is that
+ # it sometimes gets the chains right from a certificate
+ # signature view, but wrong from the clients view.
+ #
+ # When setting "auto_chain = no", the server certificate
+ # file MUST include the full certificate chain.
+ # auto_chain = yes
+
#
# If OpenSSL supports TLS-PSK, then we can use
# a PSK identity and (hex) password. When the
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
- # openssl dhparam -out certs/dh 1024
+ # openssl dhparam -out certs/dh 2048
#
dh_file = ${certdir}/dh
# write to files in its configuration
# directory.
#
-# random_file = ${certdir}/random
+ # random_file = /dev/urandom
#
# This can never exceed the size of a RADIUS
#
# include_length = yes
+
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
- # 3) uncomment the line below.
+ # 3) uncomment the lines below.
# 5) Restart radiusd
# check_crl = yes
+
+ # Check if intermediate CAs have been revoked.
+ # check_all_crl = yes
+
ca_path = ${cadir}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
+ #
+ # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ #
cipher_list = "DEFAULT"
+ # If enabled, OpenSSL will use server cipher list
+ # (possibly defined by cipher_list option above)
+ # for choosing right cipher suite rather than
+ # using client-specified list which is OpenSSl default
+ # behavior. Having it set to yes is a current best practice
+ # for TLS
+ cipher_server_preference = no
+
+ # Work-arounds for OpenSSL nonsense
+ # OpenSSL 1.0.1f and 1.0.1g do not calculate
+ # the EAP keys correctly. The fix is to upgrade
+ # OpenSSL, or disable TLS 1.2 here.
+ #
+ # For EAP-FAST, this MUST be set to "yes".
+ #
+# disable_tlsv1_2 = no
+
#
#
#
cache {
#
- # Enable it. The default is "no".
- # Deleting the entire "cache" subsection
- # also disables caching.
+ # Enable it. The default is "no". Deleting the entire "cache"
+ # subsection also disables caching.
#
- # You can disallow resumption for a
- # particular user by adding the following
- # attribute to the control item list:
+ # As of version 3.0.14, the session cache requires the use
+ # of the "name" and "persist_dir" configuration items, below.
#
- # Allow-Session-Resumption = No
+ # The internal OpenSSL session cache has been permanently
+ # disabled.
#
- # If "enable = no" below, you CANNOT
- # enable resumption for just one user
- # by setting the above attribute to "yes".
+ # You can disallow resumption for a particular user by adding the
+ # following attribute to the control item list:
#
- enable = yes
-
+ # Allow-Session-Resumption = No
#
- # Lifetime of the cached entries, in hours.
- # The sessions will be deleted after this
- # time.
+ # If "enable = no" below, you CANNOT enable resumption for just one
+ # user by setting the above attribute to "yes".
#
- lifetime = 24 # hours
+ enable = no
#
- # The maximum number of entries in the
- # cache. Set to "0" for "infinite".
- #
- # This could be set to the number of users
- # who are logged in... which can be a LOT.
+ # Lifetime of the cached entries, in hours. The sessions will be
+ # deleted/invalidated after this time.
#
- max_entries = 255
+ lifetime = 24 # hours
#
- # Internal "name" of the session cache.
- # Used to distinguish which TLS context
- # sessions belong to.
+ # Internal "name" of the session cache. Used to
+ # distinguish which TLS context sessions belong to.
#
- # The server will generate a random value
- # if unset. This will change across server
- # restart so you MUST set the "name" if you
- # want to persist sessions (see below).
+ # The server will generate a random value if unset.
+ # This will change across server restart so you MUST
+ # set the "name" if you want to persist sessions (see
+ # below).
#
#name = "EAP module"
# state and the cached VPs. This will persist session
# across server restarts.
#
+ # The default directory is ${logdir}, for historical
+ # reasons. You should ${db_dir} instead. And check
+ # the value of db_dir in the main radiusd.conf file.
+ # It should not point to ${raddb}
+ #
# The server will need write perms, and the directory
# should be secured from anyone else. You might want
# a script to remove old files from here periodically:
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
+ # If OCSP checking is enabled, and the OCSP checks fail,
+ # the verify section is not run.
+ #
+ # If OCSP checking is disabled, the verify section is
+ # run on successful certificate validation.
+ #
verify {
+ # If the OCSP checks succeed, the verify section
+ # is run to allow additional checks.
+ #
+ # If you want to skip verify on OCSP success,
+ # uncomment this configuration item, and set it
+ # to "yes".
+ # skip_if_ocsp_ok = no
+
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
override_cert_url = yes
#
- # If the OCSP Responder address is not
- # extracted from the certificate, the
- # URL can be defined here.
-
- #
- # Limitation: Currently the HTTP
- # Request is not sending the "Host: "
- # information to the web-server. This
- # can be a problem if the OCSP
- # Responder is running as a vhost.
+ # If the OCSP Responder address is not extracted from
+ # the certificate, the URL can be defined here.
#
url = "http://127.0.0.1/ocsp/"
# working.
#
# send_error = no
+
+ # Server identifier to send back in the challenge.
+ # This should generally be the host name of the
+ # RADIUS server. Or, some information to uniquely
+ # identify it.
+# identity = "FreeRADIUS"
}
+
+ ## EAP-FAST
+ #
+ # The FAST module implements the EAP-FAST protocol
+ #
+# fast {
+ # Point to the common TLS configuration
+ #
+ # cipher_list though must include "ADH" for anonymous provisioning.
+ # This is not as straight forward as appending "ADH" alongside
+ # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+ # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+ #
+# tls = tls-common
+
+ # PAC lifetime in seconds (default: seven days)
+ #
+# pac_lifetime = 604800
+
+ # Authority ID of the server
+ #
+ # if you are running a cluster of RADIUS servers, you should make
+ # the value chosen here (and for "pac_opaque_key") the same on all
+ # your RADIUS servers. This value should be unique to your
+ # installation. We suggest using a domain name.
+ #
+# authority_identity = "1234"
+
+ # PAC Opaque encryption key (must be exactly 32 bytes in size)
+ #
+ # This value MUST be secret, and MUST be generated using
+ # a secure method, such as via 'openssl rand -hex 32'
+ #
+# pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
+
+ # Same as for TTLS, PEAP, etc.
+ #
+# virtual_server = inner-tunnel
+# }
}