X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Feap.conf;h=4e769ee420a193fa992da2dde540a3abee0636d4;hb=c895d8f36a10ea79862f2b29e33a7abd9626bc54;hp=0de4884b63017e5a597942dbcb6c65f01bd01eac;hpb=4db89d7abc8f94dbbe37d8218b63a48b29e971fd;p=freeradius.git diff --git a/raddb/eap.conf b/raddb/eap.conf index 0de4884..4e769ee 100644 --- a/raddb/eap.conf +++ b/raddb/eap.conf @@ -225,7 +225,7 @@ # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes - # CA_path = /path/to/directory/with/ca_certs/and/crls/ + CA_path = ${cadir} # # If check_cert_issuer is set, the value will @@ -320,6 +320,44 @@ # max_entries = 255 } + + # + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + verify { + # A temporary directory where the client + # certificates are stored. This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # tmpdir = /tmp/radiusd + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. + # + # The ${..CA_path} text is a reference to + # the CA_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}" + } } # The TTLS module implements the EAP-TTLS protocol,
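Review bot: In the first hunk `CA_path = ${cadir}` becomes live while `check_crl = yes` just above it stays commented, so the trust store for client certificates is now built from whatever certificates are in that directory with no revocation checking, and the numbered steps above still read as if CA_path were a line the administrator uncomments together with check_crl. I would reword that comment to say that CA_path is already set and that only `check_crl = yes` needs uncommenting once the CRL files have been copied in and the directory rehashed (OpenSSL looks CA certificates up by hashed filename, so an un-hashed directory silently trusts nothing). It is also worth stating next to the new line that `${cadir}` — defined outside this hunk, presumably in the same tls section — must contain only the CAs meant to issue client certificates, since every certificate placed there becomes a trust anchor. Whether the module hands CA_path to OpenSSL independently of check_crl is not visible in this diff and should be confirmed before the comment asserts either way.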