X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Feap.conf;h=998b1b50b7216c813d047229532677546cc73f94;hb=2023c9f3d4df8c7160485b36dcfd23faf7cfca80;hp=8af54d5938df834944a38119547351b8974eda40;hpb=fbcfbf4d4ce2e54269a171940f9296effff7d879;p=freeradius.git diff --git a/raddb/eap.conf b/raddb/eap.conf index 8af54d5..998b1b5 100644 --- a/raddb/eap.conf +++ b/raddb/eap.conf @@ -1,10 +1,18 @@ +# -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id$ + +####################################################################### # # Whatever you do, do NOT set 'Auth-Type := EAP'. The server # is smart enough to figure this out on its own. The most # common side effect of setting 'Auth-Type := EAP' is that the # users then cannot use ANY other authentication method. # -# $Id$ +# EAP types NOT listed here may be supported via the "eap2" module. +# See experimental.conf for documentation. # eap { # Invoke the default supported EAP type when @@ -50,6 +58,13 @@ # zero byte. cisco_accounting_username_bug = no + # + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. Most systems + # can handle ~30 EAP sessions/s, so the default limit + # of 4096 should be OK. + max_sessions = 4096 + # Supported EAP-types # @@ -76,7 +91,7 @@ } # Generic Token Card. - # + # # Currently, this is only permitted inside of EAP-TTLS, # or EAP-PEAP. The module "challenges" the user with # text, and the response from the user is taken to be @@ -108,32 +123,78 @@ ## EAP-TLS # - # To generate ctest certificates, run the script + # See raddb/certs/README for additional comments + # on certificates. + # + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. # - # ../scripts/certs.sh + # Otherwise, when the server first starts in debugging + # mode, test certificates will be created. See the + # "make_cert_command" below for details, and the README + # file in raddb/certs # - # The documents on http://www.freeradius.org/doc - # are old, but may be helpful. + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. # # See also: # # http://www.dslreports.com/forum/remark,9286052~mode=flat # - #tls { - # private_key_password = whatever - # private_key_file = ${raddbdir}/certs/cert-srv.pem + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likey not what you want. + tls { + # + # These is used to simplify later configurations. + # + certdir = ${confdir}/certs + cadir = ${confdir}/certs + + private_key_password = whatever + private_key_file = ${certdir}/server.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. - # certificate_file = ${raddbdir}/certs/cert-srv.pem + # + # If CA_file (below) is not used, then the + # certificate_file below MUST include not + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. + certificate_file = ${certdir}/server.pem # Trusted Root CA list - # CA_file = ${raddbdir}/certs/demoCA/cacert.pem + # + # ALL of the CA's in this list will be trusted + # to issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + # This parameter is used only for EAP-TLS, + # when you issue client certificates. If you do + # not use client certificates, and you do not want + # to permit EAP-TLS authentication, then delete + # this configuration item. + CA_file = ${cadir}/ca.pem - # dh_file = ${raddbdir}/certs/dh - # random_file = ${raddbdir}/certs/random + # + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 1024 + # + dh_file = ${certdir}/dh + random_file = ${certdir}/random # # This can never exceed the size of a RADIUS @@ -157,25 +218,160 @@ # include_length = yes # Check the Certificate Revocation List - # + # # 1) Copy CA certificates and CRLs to same directory. # 2) Execute 'c_rehash '. # 'c_rehash' is OpenSSL's command. - # 3) Add 'CA_path=' - # to radiusd.conf's tls section. - # 4) uncomment the line below. + # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes + CA_path = ${cadir} + + # + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the cerficate verification will fail, + # rejecting the user. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-Issuer attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" - # - # If check_cert_cn is set, the value will - # be xlat'ed and checked against the CN - # in the client certificate. If the values - # do not match, the certificate verification - # will fail rejecting the user. - # - # check_cert_cn = %{User-Name} - #} + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-CN attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_cn = %{User-Name} + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + cipher_list = "DEFAULT" + + # + + # This configuration entry should be deleted + # once the server is running in a normal + # configuration. It is here ONLY to make + # initial deployments easier. + # + make_cert_command = "${certdir}/bootstrap" + + # + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + cache { + # + # Enable it. The default is "no". + # Deleting the entire "cache" subsection + # Also disables caching. + # + # You can disallow resumption for a + # particular user by adding the following + # attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT + # enable resumption for just one user + # by setting the above attribute to "yes". + # + enable = no + + # + # Lifetime of the cached entries, in hours. + # The sessions will be deleted after this + # time. + # + lifetime = 24 # hours + + # + # The maximum number of entries in the + # cache. Set to "0" for "infinite". + # + # This could be set to the number of users + # who are logged in... which can be a LOT. + # + max_entries = 255 + } + + # + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + verify { + # A temporary directory where the client + # certificates are stored. This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # tmpdir = /tmp/radiusd + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. + # + # The ${..CA_path} text is a reference to + # the CA_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}" + } + } # The TTLS module implements the EAP-TTLS protocol, # which can be described as EAP inside of Diameter, @@ -185,14 +381,20 @@ # # The TTLS module needs the TLS module to be installed # and configured, in order to use the TLS tunnel - # inside of the EAP packet. You will still need to + # inside of the EAP packet. You will still need to # configure the TLS module, even if you do not want # to deploy EAP-TLS in your network. Users will not # be able to request EAP-TLS, as it requires them to # have a client certificate. EAP-TTLS does not # require a client certificate. # - #ttls { + # You can make TTLS require a client cert by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + ttls { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the @@ -200,7 +402,7 @@ # If the request does not contain an EAP # conversation, then this configuration entry # is ignored. - # default_eap_type = md5 + default_eap_type = md5 # The tunneled authentication request does # not usually contain useful attributes @@ -216,10 +418,10 @@ # is copied to the tunneled request. # # allowed values: {no, yes} - # copy_request_to_tunnel = no + copy_request_to_tunnel = no # The reply attributes sent to the NAS are - # usually based on the name of the user + # usually based on the name of the user # 'outside' of the tunnel (usually # 'anonymous'). If you want to send the # reply attributes based on the user name @@ -229,9 +431,59 @@ # the tunneled request. # # allowed values: {no, yes} - # use_tunneled_reply = no - - #} + use_tunneled_reply = no + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This has the same meaning as the + # same field in the "tls" module, above. + # The default value here is "yes". + # include_length = yes + } + + ################################################## + # + # !!!!! WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # http://support.microsoft.com/kb/814394/en-us + # + # For additional Windows XP SP2 issues, see: + # + # http://support.microsoft.com/kb/885453/en-us + # + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## # # The tunneled EAP session needs a default EAP type @@ -241,22 +493,64 @@ # # The PEAP module needs the TLS module to be installed # and configured, in order to use the TLS tunnel - # inside of the EAP packet. You will still need to + # inside of the EAP packet. You will still need to # configure the TLS module, even if you do not want # to deploy EAP-TLS in your network. Users will not # be able to request EAP-TLS, as it requires them to # have a client certificate. EAP-PEAP does not # require a client certificate. # - # peap { + # + # You can make PEAP require a client cert by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + peap { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. - # default_eap_type = mschapv2 - #} + default_eap_type = mschapv2 + + # the PEAP module also has these configuration + # items, which are the same as for TTLS. + copy_request_to_tunnel = no + use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # proxy_tunneled_request_as_eap = yes + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # + # soh = yes + + # + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # + # soh_virtual_server = "soh-server" + } # # This takes no configuration. @@ -275,4 +569,3 @@ mschapv2 { } } -