X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Feap.conf;h=941ebe9b89744e9095799cea54e207ae61151fa2;hb=0cb868b4a840307218f86a4ebff0c9b9c20d837b;hp=faaf8d8580e9ee4dc3d055d1aeda243fa1328e50;hpb=c72d8c2137a47386336d504287d225a7ecbe9a9e;p=freeradius.git
diff --git a/raddb/eap.conf b/raddb/eap.conf
index faaf8d8..941ebe9 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -225,7 +225,7 @@
 # 3) uncomment the line below.
 # 5) Restart radiusd
 # check_crl = yes
- # CA_path = /path/to/directory/with/ca_certs/and/crls/
+ CA_path = ${cadir}
 #
 # If check_cert_issuer is set, the value will
@@ -234,6 +234,11 @@
 # match, the cerficate verification will fail,
 # rejecting the user.
 #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-Issuer attribute. This check
+ # can be done via any mechanism you choose.
+ #
 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 #
@@ -247,6 +252,11 @@
 # "check_cert_issuer" is not set, or if
 # the check succeeds.
 #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-CN attribute. This check
+ # can be done via any mechanism you choose.
+ #
 # check_cert_cn = %{User-Name}
 #
 # Set this option to specify the allowed
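Review bot: `CA_path = ${cadir}` is now live while `check_crl = yes` on the line above it stays commented out, so CRLs dropped into that directory are still never consulted; the step list in the context ("3) uncomment the line below", "5) Restart radiusd") reads as if setting the path were enough, and the comment should say it is not. OpenSSL finds CRLs in a CApath-style directory only by hashed filename, so the comment should also state that the directory must be re-hashed (`c_rehash` or equivalent) whenever a CRL is added or replaced, otherwise a refreshed CRL is silently ignored. Suggested line above the setting: `#  CRLs in CA_path are used only when check_crl = yes, and must be hashed (c_rehash) to be found.` Note that the `verify` block added later in this diff references `${..CA_path}`, so this line being uncommented is what makes that example resolvable; `${cadir}` itself is presumably defined in the enclosing tls section or radiusd.conf — worth confirming, since an unresolved reference would now presumably fail at startup instead of sitting inert in a comment.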
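Review bot: The new paragraph on `check_cert_cn` says the check "can be done via any mechanism you choose" but never states the failure mode when neither the built-in check nor a replacement is configured: as the surrounding text reads, the CN comparison is then simply skipped, and any client certificate chaining to `CA_path` is accepted regardless of the identity it carries. Suggest adding after the new paragraph: `#  If neither check_cert_cn nor a check on TLS-Client-Cert-CN is configured, no binding between the certificate and the user identity is enforced.` It would also help to say in which list and which virtual-server section `TLS-Client-Cert-CN` is populated, because a policy placed in the wrong section sees an empty value and may fail open depending on how it is written; I cannot tell that from this hunk and it should be checked against the 2.1.10 documentation.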
@@ -256,10 +266,20 @@
 #
- # This configuration entry should be deleted
- # once the server is running in a normal
- # configuration. It is here ONLY to make
- # initial deployments easier.
+ # This command creates the initial "snake oil"
+ # certificates when the server is run as root,
+ # and via "radiusd -X".
+ #
+ # As of 2.1.11, it *also* checks the server
+ # certificate for validity, including expiration.
+ # This means that radiusd will refuse to start
+ # when the certificate has expired. The alternative
+ # is to have the 802.1X clients refuse to connect
+ # when they discover the certificate has expired.
+ #
+ # Debugging client issues is hard, so it's better
+ # for the server to print out an error message,
+ # and refuse to start.
 #
 make_cert_command = "${certdir}/bootstrap"
@@ -267,6 +287,28 @@
 # Session resumption / fast reauthentication
 # cache.
 #
+ # The cache contains the following information:
+ #
+ # session Id - unique identifier, managed by SSL
+ # User-Name - from the Access-Accept
+ # Stripped-User-Name - from the Access-Request
+ # Cached-Session-Policy - from the Access-Accept
+ #
+ # The "Cached-Session-Policy" is the name of a
+ # policy which should be applied to the cached
+ # session. This policy can be used to assign
+ # VLANs, IP addresses, etc. It serves as a useful
+ # way to re-apply the policy from the original
+ # Access-Accept to the subsequent Access-Accept
+ # for the cached session.
+ #
+ # On session resumption, these attributes are
+ # copied from the cache, and placed into the
+ # reply list.
+ #
+ # You probably also want "use_tunneled_reply = yes"
+ # when using fast session resumption.
+ #
 cache {
 #
 # Enable it. The default is "no".
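Review bot: The rewritten `make_cert_command` comment drops the only warning the old text carried — the removed lines said the entry "should be deleted once the server is running in a normal configuration" — and nothing in the new text tells the admin that the auto-generated "snake oil" CA and server certificate are for bring-up only and must be replaced before production. Suggest keeping one line such as `#  The generated CA and certificates are for initial testing only; replace them before production use.` The expiry check described "as of 2.1.11" is presumably implemented in the bootstrap script rather than anywhere this file controls, so a pointer to `${certdir}/bootstrap` as the place to verify that behaviour would make the claim checkable rather than something the reader has to take on trust.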
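Review bot: The new cache description explains that `User-Name`, `Stripped-User-Name` and `Cached-Session-Policy` are copied from the cache into the reply on resumption, but does not spell out the consequence a practitioner needs: as far as this comment shows, the inner tunnel method is not run again for a resumed session, so an account disabled or a password changed in the inner-tunnel backend keeps working until the cached entry expires or the cache is cleared. Suggest adding after "reply list.": `#  The inner tunnel method is NOT re-run for a resumed session, so changes to the user's account only take effect once the cached entry expires.` The lifetime that bounds this presumably lives in the `cache { }` block, which starts at the end of this hunk and continues outside it. Also, `use_tunneled_reply = yes` is recommended without a reason; presumably it is needed so the inner reply attributes reach the outer Access-Accept and hence the cache — confirm and state it.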
@@ -301,6 +343,44 @@
 # max_entries = 255
 }
+
+ #
+ # As of version 2.1.10, client certificates can be
+ # validated via an external command. This allows
+ # dynamic CRLs or OCSP to be used.
+ #
+ # This configuration is commented out in the
+ # default configuration. Uncomment it, and configure
+ # the correct paths below to enable it.
+ #
+ verify {
+ # A temporary directory where the client
+ # certificates are stored. This directory
+ # MUST be owned by the UID of the server,
+ # and MUST not be accessible by any other
+ # users. When the server starts, it will do
+ # "chmod go-rwx" on the directory, for
+ # security reasons. The directory MUST
+ # exist when the server starts.
+ #
+ # You should also delete all of the files
+ # in the directory when the server starts.
+ # tmpdir = /tmp/radiusd
+
+ # The command used to verify the client cert.
+ # We recommend using the OpenSSL command-line
+ # tool.
+ #
+ # The ${..CA_path} text is a reference to
+ # the CA_path variable defined above.
+ #
+ # The %{TLS-Client-Cert-Filename} is the name
+ # of the temporary file containing the cert
+ # in PEM format. This file is automatically
+ # deleted by the server when the command
+ # returns.
+ # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
+ }
 }
 # The TTLS module implements the EAP-TTLS protocol,
@@ -404,6 +484,12 @@
 #
 # http://support.microsoft.com/kb/885453/en-us
 #
+ #
+ # If is still doesn't work, and you're using Samba,
+ # you may be encountering a Samba bug. See:
+ #
+ # https://bugzilla.samba.org/show_bug.cgi?id=6563
+ #
 # Note that we do not necessarily agree with their
 # explanation... but the fix does appear to work.
 #
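Review bot: The example `client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"` does not deliver what the block's introduction promises: the intro says this "allows dynamic CRLs or OCSP to be used", but `openssl verify` without `-crl_check` (or `-crl_check_all`) validates the chain only and ignores any CRL in `CA_path`, so an admin who uncomments the line as written gets no revocation checking at all. Suggest `client = "/path/to/openssl verify -crl_check -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"` together with a comment that the CRL must be present and hashed in that directory. The commented `tmpdir = /tmp/radiusd` example is also at odds with the stated requirement that the directory pre-exist and be owned by the server UID: any local user can create `/tmp/radiusd` before radiusd starts, and the comment does not say whether the server refuses to run when the ownership check fails, so the example should point at a directory under the server's own run or state directory and the comment should state the behaviour on mismatch. Both the `verify` block and the enclosing tls section close inside this hunk, so the change is self-contained.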
@@ -462,6 +548,18 @@
 # outer requests.
 #
 virtual_server = "inner-tunnel"
+
+ # This option enables support for MS-SoH
+ # see doc/SoH.txt for more info.
+ # It is disabled by default.
+ #
+# soh = yes
+ #
+ # The SoH reply will be turned into a request which
+ # can be sent to a specific virtual server:
+ #
+# soh_virtual_server = "soh-server"
 }
 #
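Review bot: The two commented-out settings `# soh = yes` and `# soh_virtual_server = "soh-server"` start at column 0 while the explanatory lines around them are indented with the rest of the block, which makes them look like file-level directives rather than options of the peap section they belong to; indent them to match the surrounding lines, as the other commented examples in this file do. The comment also says nothing about what the server does when `soh = yes` is set but `soh_virtual_server` is unset or names a virtual server that does not exist, and whoever enables this will want to know whether that fails closed. Finally, an MS Statement of Health is, as far as I know, supplied by the client itself and not authenticated, so one line such as `#  The SoH is self-reported by the client; treat it as policy input, not as proof the host is healthy.` would be worth adding unless doc/SoH.txt already says so. The peap block these options belong to starts before this hunk.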