X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Feap.conf;h=941ebe9b89744e9095799cea54e207ae61151fa2;hb=0cb868b4a840307218f86a4ebff0c9b9c20d837b;hp=a3c191b4cc2ba3d229fe743712808a5e0032f1e7;hpb=312a0835d68508697a65a5dd1889f9a93b4c58d4;p=freeradius.git diff --git a/raddb/eap.conf b/raddb/eap.conf index a3c191b..941ebe9 100644 --- a/raddb/eap.conf +++ b/raddb/eap.conf @@ -1,11 +1,18 @@ # -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id$ + +####################################################################### # # Whatever you do, do NOT set 'Auth-Type := EAP'. The server # is smart enough to figure this out on its own. The most # common side effect of setting 'Auth-Type := EAP' is that the # users then cannot use ANY other authentication method. # -# $Id$ +# EAP types NOT listed here may be supported via the "eap2" module. +# See experimental.conf for documentation. # eap { # Invoke the default supported EAP type when @@ -51,6 +58,13 @@ # zero byte. cisco_accounting_username_bug = no + # + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. Most systems + # can handle ~30 EAP sessions/s, so the default limit + # of 4096 should be OK. + max_sessions = 4096 + # Supported EAP-types # @@ -109,32 +123,78 @@ ## EAP-TLS # - # To generate ctest certificates, run the script + # See raddb/certs/README for additional comments + # on certificates. # - # ../scripts/certs.sh + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. # - # The documents on http://www.freeradius.org/doc - # are old, but may be helpful. + # Otherwise, when the server first starts in debugging + # mode, test certificates will be created. See the + # "make_cert_command" below for details, and the README + # file in raddb/certs + # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. # # See also: # # http://www.dslreports.com/forum/remark,9286052~mode=flat # - #tls { - # private_key_password = whatever - # private_key_file = ${raddbdir}/certs/cert-srv.pem + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likey not what you want. + tls { + # + # These is used to simplify later configurations. + # + certdir = ${confdir}/certs + cadir = ${confdir}/certs + + private_key_password = whatever + private_key_file = ${certdir}/server.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. - # certificate_file = ${raddbdir}/certs/cert-srv.pem + # + # If CA_file (below) is not used, then the + # certificate_file below MUST include not + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. + certificate_file = ${certdir}/server.pem # Trusted Root CA list - # CA_file = ${raddbdir}/certs/demoCA/cacert.pem + # + # ALL of the CA's in this list will be trusted + # to issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + # This parameter is used only for EAP-TLS, + # when you issue client certificates. If you do + # not use client certificates, and you do not want + # to permit EAP-TLS authentication, then delete + # this configuration item. + CA_file = ${cadir}/ca.pem - # dh_file = ${raddbdir}/certs/dh - # random_file = ${raddbdir}/certs/random + # + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 1024 + # + dh_file = ${certdir}/dh + random_file = ${certdir}/random # # This can never exceed the size of a RADIUS @@ -162,11 +222,10 @@ # 1) Copy CA certificates and CRLs to same directory. # 2) Execute 'c_rehash '. # 'c_rehash' is OpenSSL's command. - # 3) Add 'CA_path=' - # to radiusd.conf's tls section. - # 4) uncomment the line below. + # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes + CA_path = ${cadir} # # If check_cert_issuer is set, the value will @@ -175,6 +234,11 @@ # match, the cerficate verification will fail, # rejecting the user. # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-Issuer attribute. This check + # can be done via any mechanism you choose. + # # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # @@ -188,13 +252,136 @@ # "check_cert_issuer" is not set, or if # the check succeeds. # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-CN attribute. This check + # can be done via any mechanism you choose. + # # check_cert_cn = %{User-Name} # # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". - # cipher_list = "DEFAULT" - #} + cipher_list = "DEFAULT" + + # + + # This command creates the initial "snake oil" + # certificates when the server is run as root, + # and via "radiusd -X". + # + # As of 2.1.11, it *also* checks the server + # certificate for validity, including expiration. + # This means that radiusd will refuse to start + # when the certificate has expired. The alternative + # is to have the 802.1X clients refuse to connect + # when they discover the certificate has expired. + # + # Debugging client issues is hard, so it's better + # for the server to print out an error message, + # and refuse to start. + # + make_cert_command = "${certdir}/bootstrap" + + # + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + cache { + # + # Enable it. The default is "no". + # Deleting the entire "cache" subsection + # Also disables caching. + # + # You can disallow resumption for a + # particular user by adding the following + # attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT + # enable resumption for just one user + # by setting the above attribute to "yes". + # + enable = no + + # + # Lifetime of the cached entries, in hours. + # The sessions will be deleted after this + # time. + # + lifetime = 24 # hours + + # + # The maximum number of entries in the + # cache. Set to "0" for "infinite". + # + # This could be set to the number of users + # who are logged in... which can be a LOT. + # + max_entries = 255 + } + + # + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + verify { + # A temporary directory where the client + # certificates are stored. This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # tmpdir = /tmp/radiusd + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. + # + # The ${..CA_path} text is a reference to + # the CA_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}" + } + } # The TTLS module implements the EAP-TTLS protocol, # which can be described as EAP inside of Diameter, @@ -211,7 +398,13 @@ # have a client certificate. EAP-TTLS does not # require a client certificate. # - #ttls { + # You can make TTLS require a client cert by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + ttls { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the @@ -219,7 +412,7 @@ # If the request does not contain an EAP # conversation, then this configuration entry # is ignored. - # default_eap_type = md5 + default_eap_type = md5 # The tunneled authentication request does # not usually contain useful attributes @@ -235,7 +428,7 @@ # is copied to the tunneled request. # # allowed values: {no, yes} - # copy_request_to_tunnel = no + copy_request_to_tunnel = no # The reply attributes sent to the NAS are # usually based on the name of the user @@ -248,8 +441,25 @@ # the tunneled request. # # allowed values: {no, yes} - # use_tunneled_reply = no - #} + use_tunneled_reply = no + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This has the same meaning as the + # same field in the "tls" module, above. + # The default value here is "yes". + # include_length = yes + } ################################################## # @@ -274,6 +484,12 @@ # # http://support.microsoft.com/kb/885453/en-us # + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # # Note that we do not necessarily agree with their # explanation... but the fix does appear to work. # @@ -294,26 +510,57 @@ # have a client certificate. EAP-PEAP does not # require a client certificate. # - # peap { + # + # You can make PEAP require a client cert by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + peap { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. - # default_eap_type = mschapv2 + default_eap_type = mschapv2 # the PEAP module also has these configuration # items, which are the same as for TTLS. - # copy_request_to_tunnel = no - # use_tunneled_reply = no + copy_request_to_tunnel = no + use_tunneled_reply = no # When the tunneled session is proxied, the # home server may not understand EAP-MSCHAP-V2. # Set this entry to "no" to proxy the tunneled # EAP-MSCHAP-V2 as normal MSCHAPv2. # proxy_tunneled_request_as_eap = yes - #} + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # +# soh = yes + + # + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # +# soh_virtual_server = "soh-server" + } # # This takes no configuration. @@ -332,4 +579,3 @@ mschapv2 { } } -