# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
-# EAP types NOT listed here may be supported via the "eap2" module.
-# See experimental.conf for documentation.
-#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# Help prevent DoS attacks by limiting the number of
- # sessions that the server is tracking. Most systems
- # can handle ~30 EAP sessions/s, so the default limit
- # of 4096 should be OK.
- max_sessions = 4096
+ # sessions that the server is tracking. For simplicity,
+ # this is taken from the "max_requests" directive in
+ # radiusd.conf.
+ max_sessions = ${max_requests}
# Supported EAP-types
md5 {
}
- #
+ #
# EAP-pwd -- secure password-based authentication
#
- pwd {
- group = 19
+# pwd {
+# group = 19
#
- server_id = theserver@example.com
+# server_id = theserver@example.com
# This has the same meaning as for TLS.
- fragment_size = 1020
+# fragment_size = 1020
- # The virtual server which determines the
+ # The virtual server which determines the
# "known good" password for the user.
# Note that unlike TLS, only the "authorize"
# section is processed. EAP-PWD requests can be
# distinguished by having a User-Name, but
# no User-Password, CHAP-Password, EAP-Message, etc.
- virtual_server = "inner-tunnel"
- }
+# virtual_server = "inner-tunnel"
+# }
# Cisco LEAP
#
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
- # Otherwise, when the server first starts in debugging
- # mode, test certificates will be created. See the
- # "make_cert_command" below for details, and the README
- # file in raddb/certs
+ # If you do not currently have certificates signed by
+ # a trusted CA you may use the 'snakeoil' certificates.
+ # Included with the server in raddb/certs.
+ #
+ # If these certificates have not been auto-generated:
+ # cd raddb/certs
+ # make
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# certificate_file must contain the same file
# name.
#
- # If CA_file (below) is not used, then the
+ # If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# In that case, this CA file should contain
# *one* CA certificate.
#
- # This parameter is used only for EAP-TLS,
- # when you issue client certificates. If you do
- # not use client certificates, and you do not want
- # to permit EAP-TLS authentication, then delete
- # this configuration item.
- CA_file = ${cadir}/ca.pem
+ ca_file = ${cadir}/ca.pem
+
+ # OpenSSL will automatically create certificate chains,
+ # unless we tell it to not do that. The problem is that
+ # it sometimes gets the chains right from a certificate
+ # signature view, but wrong from the clients view.
+ #
+ # When setting "auto_chain = no", the server certificate
+ # file MUST include the full certificate chain.
+ # auto_chain = yes
#
# If OpenSSL supports TLS-PSK, then we can use
# private_key_password
# private_key_file
# certificate_file
- # CA_file
- # CA_path
+ # ca_file
+ # ca_path
#
# For now, the identity is fixed, and must be the
# same on the client. The passphrase must be a hex
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
- # openssl dhparam -out certs/dh 1024
+ # openssl dhparam -out certs/dh 2048
#
dh_file = ${certdir}/dh
- random_file = ${certdir}/random
+
+ #
+ # If your system doesn't have /dev/urandom,
+ # you will need to create this file, and
+ # periodically change its contents.
+ #
+ # For security reasons, FreeRADIUS doesn't
+ # write to files in its configuration
+ # directory.
+ #
+ # random_file = /dev/urandom
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
- # that, to accomodate other attributes in
+ # that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
#
# include_length = yes
+
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
- # 3) uncomment the line below.
+ # 3) uncomment the lines below.
# 5) Restart radiusd
# check_crl = yes
- CA_path = ${cadir}
-
- #
- # If check_cert_issuer is set, the value will
- # be checked against the DN of the issuer in
- # the client certificate. If the values do not
- # match, the cerficate verification will fail,
- # rejecting the user.
- #
- # In 2.1.10 and later, this check can be done
- # more generally by checking the value of the
- # TLS-Client-Cert-Issuer attribute. This check
- # can be done via any mechanism you choose.
- #
- # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
-
- #
- # If check_cert_cn is set, the value will
- # be xlat'ed and checked against the CN
- # in the client certificate. If the values
- # do not match, the certificate verification
- # will fail rejecting the user.
- #
- # This check is done only if the previous
- # "check_cert_issuer" is not set, or if
- # the check succeeds.
- #
- # In 2.1.10 and later, this check can be done
- # more generally by checking the value of the
- # TLS-Client-Cert-CN attribute. This check
- # can be done via any mechanism you choose.
- #
+
+ # Check if intermediate CAs have been revoked.
+ # check_all_crl = yes
+
+ ca_path = ${cadir}
+
+ #
+ # If check_cert_issuer is set, the value will
+ # be checked against the DN of the issuer in
+ # the client certificate. If the values do not
+ # match, the certificate verification will fail,
+ # rejecting the user.
+ #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-Issuer attribute. This check
+ # can be done via any mechanism you choose.
+ #
+ # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+
+ #
+ # If check_cert_cn is set, the value will
+ # be xlat'ed and checked against the CN
+ # in the client certificate. If the values
+ # do not match, the certificate verification
+ # will fail rejecting the user.
+ #
+ # This check is done only if the previous
+ # "check_cert_issuer" is not set, or if
+ # the check succeeds.
+ #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-CN attribute. This check
+ # can be done via any mechanism you choose.
+ #
# check_cert_cn = %{User-Name}
- #
+ #
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
+ #
+ # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ #
cipher_list = "DEFAULT"
- #
+ # If enabled, OpenSSL will use server cipher list
+ # (possibly defined by cipher_list option above)
+ # for choosing right cipher suite rather than
+ # using client-specified list which is OpenSSl default
+ # behavior. Having it set to yes is a current best practice
+ # for TLS
+ cipher_server_preference = no
- # This command creates the initial "snake oil"
- # certificates when the server is run as root,
- # and via "radiusd -X".
+ # Work-arounds for OpenSSL nonsense
+ # OpenSSL 1.0.1f and 1.0.1g do not calculate
+ # the EAP keys correctly. The fix is to upgrade
+ # OpenSSL, or disable TLS 1.2 here.
#
- # As of 2.1.11, it *also* checks the server
- # certificate for validity, including expiration.
- # This means that radiusd will refuse to start
- # when the certificate has expired. The alternative
- # is to have the 802.1X clients refuse to connect
- # when they discover the certificate has expired.
+ # For EAP-FAST, this MUST be set to "yes".
#
- # Debugging client issues is hard, so it's better
- # for the server to print out an error message,
- # and refuse to start.
+# disable_tlsv1_2 = no
+
#
- make_cert_command = "${certdir}/bootstrap"
#
# Elliptical cryptography configuration
# when using fast session resumption.
#
cache {
- #
- # Enable it. The default is "no".
- # Deleting the entire "cache" subsection
- # Also disables caching.
- #
- # You can disallow resumption for a
- # particular user by adding the following
- # attribute to the control item list:
- #
- # Allow-Session-Resumption = No
- #
- # If "enable = no" below, you CANNOT
- # enable resumption for just one user
- # by setting the above attribute to "yes".
- #
- enable = yes
-
- #
- # Lifetime of the cached entries, in hours.
- # The sessions will be deleted after this
- # time.
- #
- lifetime = 24 # hours
-
- #
- # The maximum number of entries in the
- # cache. Set to "0" for "infinite".
- #
- # This could be set to the number of users
- # who are logged in... which can be a LOT.
- #
- max_entries = 255
+ #
+ # Enable it. The default is "no". Deleting the entire "cache"
+ # subsection also disables caching.
+ #
+ # You can disallow resumption for a particular user by adding the
+ # following attribute to the control item list:
+ #
+ # Allow-Session-Resumption = No
+ #
+ # If "enable = no" below, you CANNOT enable resumption for just one
+ # user by setting the above attribute to "yes".
+ #
+ enable = no
+
+ #
+ # Lifetime of the cached entries, in hours. The sessions will be
+ # deleted/invalidated after this time.
+ #
+ lifetime = 24 # hours
+
+ #
+ # The maximum number of entries in the
+ # cache. Set to "0" for "infinite".
+ #
+ # This could be set to the number of users
+ # who are logged in... which can be a LOT.
+ #
+ max_entries = 255
+
+ #
+ # Internal "name" of the session cache. Used to
+ # distinguish which TLS context sessions belong to.
+ #
+ # The server will generate a random value if unset.
+ # This will change across server restart so you MUST
+ # set the "name" if you want to persist sessions (see
+ # below).
+ #
+ #name = "EAP module"
+
+ #
+ # Simple directory-based storage of sessions.
+ # Two files per session will be written, the SSL
+ # state and the cached VPs. This will persist session
+ # across server restarts.
+ #
+ # The server will need write perms, and the directory
+ # should be secured from anyone else. You might want
+ # a script to remove old files from here periodically:
+ #
+ # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
+ #
+ # This feature REQUIRES "name" option be set above.
+ #
+ #persist_dir = "${logdir}/tlscache"
}
#
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
+ # If OCSP checking is enabled, and the OCSP checks fail,
+ # the verify section is not run.
+ #
+ # If OCSP checking is disabled, the verify section is
+ # run on successful certificate validation.
+ #
verify {
+ # If the OCSP checks succeed, the verify section
+ # is run to allow additional checks.
+ #
+ # If you want to skip verify on OCSP success,
+ # uncomment this configuration item, and set it
+ # to "yes".
+ # skip_if_ocsp_ok = no
+
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
#
# You should also delete all of the files
# in the directory when the server starts.
- # tmpdir = /tmp/radiusd
+ # tmpdir = /tmp/radiusd
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
#
- # The ${..CA_path} text is a reference to
- # the CA_path variable defined above.
+ # The ${..ca_path} text is a reference to
+ # the ca_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
- # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
+ # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
#
# Certificates can be verified against an OCSP
# Responder. This makes it possible to immediately
# revoke certificates without the distribution of
- # new Certificate Revokation Lists (CRLs).
+ # new Certificate Revocation Lists (CRLs).
#
ocsp {
- #
- # Enable it. The default is "no".
- # Deleting the entire "ocsp" subsection
- # Also disables ocsp checking
- #
- enable = no
-
- #
- # The OCSP Responder URL can be automatically
- # extracted from the certificate in question.
- # To override the OCSP Responder URL set
- # "override_cert_url = yes".
- #
- override_cert_url = yes
-
- #
- # If the OCSP Responder address is not
- # extracted from the certificate, the
- # URL can be defined here.
-
- #
- # Limitation: Currently the HTTP
- # Request is not sending the "Host: "
- # information to the web-server. This
- # can be a problem if the OCSP
- # Responder is running as a vhost.
- #
- url = "http://127.0.0.1/ocsp/"
-
- #
- # If the OCSP Responder can not cope with nonce
- # in the request, then it can be disabled here.
- #
- # For security reasons, disabling this option
- # is not recommended as nonce protects against
- # replay attacks.
- #
- # Note that Microsoft AD Certificate Services OCSP
- # Responder does not enable nonce by default. It is
- # more secure to enable nonce on the responder than
- # to disable it in the query here.
- # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
- #
- # use_nonce = yes
-
- #
- # Number of seconds before giving up waiting
- # for OCSP response. 0 uses system default.
- #
- # timeout = 0
-
- #
- # Normally an error in querying the OCSP
- # responder (no response from server, server did
- # not understand the request, etc) will result in
- # a validation failure.
- #
- # To treat these errors as 'soft' failures and
- # still accept the certificate, enable this
- # option.
- #
- # Warning: this may enable clients with revoked
- # certificates to connect if the OCSP responder
- # is not available. Use with caution.
- #
- # softfail = no
+ #
+ # Enable it. The default is "no".
+ # Deleting the entire "ocsp" subsection
+ # also disables ocsp checking
+ #
+ enable = no
+
+ #
+ # The OCSP Responder URL can be automatically
+ # extracted from the certificate in question.
+ # To override the OCSP Responder URL set
+ # "override_cert_url = yes".
+ #
+ override_cert_url = yes
+
+ #
+ # If the OCSP Responder address is not extracted from
+ # the certificate, the URL can be defined here.
+ #
+ url = "http://127.0.0.1/ocsp/"
+
+ #
+ # If the OCSP Responder can not cope with nonce
+ # in the request, then it can be disabled here.
+ #
+ # For security reasons, disabling this option
+ # is not recommended as nonce protects against
+ # replay attacks.
+ #
+ # Note that Microsoft AD Certificate Services OCSP
+ # Responder does not enable nonce by default. It is
+ # more secure to enable nonce on the responder than
+ # to disable it in the query here.
+ # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+ #
+ # use_nonce = yes
+
+ #
+ # Number of seconds before giving up waiting
+ # for OCSP response. 0 uses system default.
+ #
+ # timeout = 0
+
+ #
+ # Normally an error in querying the OCSP
+ # responder (no response from server, server did
+ # not understand the request, etc) will result in
+ # a validation failure.
+ #
+ # To treat these errors as 'soft' failures and
+ # still accept the certificate, enable this
+ # option.
+ #
+ # Warning: this may enable clients with revoked
+ # certificates to connect if the OCSP responder
+ # is not available. Use with caution.
+ #
+ # softfail = no
}
}
# section may also appear instead in the 'tls' section
# above. If that is done, the tls= option here (and in
# tls above) MUST be commented out.
- #
+ #
tls = tls-common
# The tunneled EAP session needs a default EAP type
#
copy_request_to_tunnel = no
+ #
+ # As of version 3.0.5, this configuration item
+ # is deprecated. Instead, you should use
+ #
+ # update outer.session-state {
+ # ...
+ #
+ # }
+ #
+ # This will cache attributes for the final Access-Accept.
+ #
# The reply attributes sent to the NAS are usually
# based on the name of the user 'outside' of the
# tunnel (usually 'anonymous'). If you want to send
# section may also appear instead in the 'tls' section
# above. If that is done, the tls= option here (and in
# tls above) MUST be commented out.
- #
+ #
tls = tls-common
# The tunneled EAP session needs a default
# items, which are the same as for TTLS.
#
copy_request_to_tunnel = no
+
+ #
+ # As of version 3.0.5, this configuration item
+ # is deprecated. Instead, you should use
+ #
+ # update outer.session-state {
+ # ...
+ #
+ # }
+ #
+ # This will cache attributes for the final Access-Accept.
+ #
use_tunneled_reply = no
# When the tunneled session is proxied, the
# working.
#
# send_error = no
+
+ # Server identifier to send back in the challenge.
+ # This should generally be the host name of the
+ # RADIUS server. Or, some information to uniquely
+ # identify it.
+# identity = "FreeRADIUS"
}
+
+ ## EAP-FAST
+ #
+ # The FAST module implements the EAP-FAST protocol
+ #
+# fast {
+ # Point to the common TLS configuration
+ #
+ # cipher_list though must include "ADH" for anonymous provisioning.
+ # This is not as straight forward as appending "ADH" alongside
+ # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+ # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+ #
+# tls = tls-common
+
+ # PAC lifetime in seconds (default: seven days)
+ #
+# pac_lifetime = 604800
+
+ # Authority ID of the server
+ #
+ # if you are running a cluster of RADIUS servers, you should make
+ # the value chosen here (and for "pac_opaque_key") the same on all
+ # your RADIUS servers. This value should be unique to your
+ # installation. We suggest using a domain name.
+ #
+# authority_identity = "1234"
+
+ # PAC Opaque encryption key (must be exactly 32 bytes in size)
+ #
+ # This value MUST be secret, and MUST be generated using
+ # a secure method, such as via 'openssl rand -hex 32'
+ #
+# pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
+
+ # Same as for TTLS, PEAP, etc.
+ #
+# virtual_server = inner-tunnel
+# }
}