X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Feap.conf;h=998b1b50b7216c813d047229532677546cc73f94;hb=2023c9f3d4df8c7160485b36dcfd23faf7cfca80;hp=dda069795d7087b7c5baa46279e56aaed12daf67;hpb=234b5becf33cc6da40f63067cb724ffcd22588f0;p=freeradius.git

diff --git a/raddb/eap.conf b/raddb/eap.conf
index dda0697..998b1b5 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -1,11 +1,18 @@
 # -*- text -*-
+##
+##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
+##
+##	$Id$
+
+#######################################################################
 #
 #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
 #  is smart enough to figure this out on its own.  The most
 #  common side effect of setting 'Auth-Type := EAP' is that the
 #  users then cannot use ANY other authentication method.
 #
-#	$Id$
+#  EAP types NOT listed here may be supported via the "eap2" module.
+#  See experimental.conf for documentation.
 #
 	eap {
 		#  Invoke the default supported EAP type when
@@ -51,6 +58,13 @@
 		# zero byte.
 		cisco_accounting_username_bug = no
 
+		#
+		#  Help prevent DoS attacks by limiting the number of
+		#  sessions that the server is tracking.  Most systems
+		#  can handle ~30 EAP sessions/s, so the default limit
+		#  of 4096 should be OK.
+		max_sessions = 4096
+
 		# Supported EAP-types
 
 		#
@@ -109,6 +123,9 @@
 
 		## EAP-TLS
 		#
+		#  See raddb/certs/README for additional comments
+		#  on certificates.
+		#
 		#  If OpenSSL was not found at the time the server was
 		#  built, the "tls", "ttls", and "peap" sections will
 		#  be ignored.
@@ -127,12 +144,16 @@
 		#
 		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
 		#
+		#  Note that you should NOT use a globally known CA here!
+		#  e.g. using a Verisign cert as a "known CA" means that
+		#  ANYONE who has a certificate signed by them can
+		#  authenticate via EAP-TLS!  This is likey not what you want.
 		tls {
 			#
 			#  These is used to simplify later configurations.
 			#
-			certdir = ${raddbdir}/certs
-			cadir = ${raddbdir}/certs
+			certdir = ${confdir}/certs
+			cadir = ${confdir}/certs
 
 			private_key_password = whatever
 			private_key_file = ${certdir}/server.pem
@@ -141,9 +162,29 @@
 			#  the same file, then private_key_file &
 			#  certificate_file must contain the same file
 			#  name.
+			#
+			#  If CA_file (below) is not used, then the
+			#  certificate_file below MUST include not
+			#  only the server certificate, but ALSO all
+			#  of the CA certificates used to sign the
+			#  server certificate.
 			certificate_file = ${certdir}/server.pem
 
 			#  Trusted Root CA list
+			#
+			#  ALL of the CA's in this list will be trusted
+			#  to issue client certificates for authentication.
+			#
+			#  In general, you should use self-signed
+			#  certificates for 802.1x (EAP) authentication.
+			#  In that case, this CA file should contain
+			#  *one* CA certificate.
+			#
+			#  This parameter is used only for EAP-TLS,
+			#  when you issue client certificates.  If you do
+			#  not use client certificates, and you do not want
+			#  to permit EAP-TLS authentication, then delete
+			#  this configuration item.
 			CA_file = ${cadir}/ca.pem
 
 			#
@@ -181,11 +222,10 @@
 			#  1) Copy CA certificates and CRLs to same directory.
 			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
 			#    'c_rehash' is OpenSSL's command.
-			#  3) Add 'CA_path=<CA certs&CRLs directory>'
-			#      to radiusd.conf's tls section.
-			#  4) uncomment the line below.
+			#  3) uncomment the line below.
 			#  5) Restart radiusd
 		#	check_crl = yes
+			CA_path = ${cadir}
 
 		       #
 		       #  If check_cert_issuer is set, the value will
@@ -194,6 +234,11 @@
 		       #  match, the cerficate verification will fail,
 		       #  rejecting the user.
 		       #
+		       #  In 2.1.10 and later, this check can be done
+		       #  more generally by checking the value of the
+		       #  TLS-Client-Cert-Issuer attribute.  This check
+		       #  can be done via any mechanism you choose.
+		       #
 		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 
 		       #
@@ -207,6 +252,11 @@
 		       #  "check_cert_issuer" is not set, or if
 		       #  the check succeeds.
 		       #
+		       #  In 2.1.10 and later, this check can be done
+		       #  more generally by checking the value of the
+		       #  TLS-Client-Cert-CN attribute.  This check
+		       #  can be done via any mechanism you choose.
+		       #
 		#	check_cert_cn = %{User-Name}
 		#
 			# Set this option to specify the allowed
@@ -222,6 +272,105 @@
 			#  initial deployments easier.
 			#
 			make_cert_command = "${certdir}/bootstrap"
+
+			#
+			#  Session resumption / fast reauthentication
+			#  cache.
+			#
+			#  The cache contains the following information:
+			#
+			#  session Id - unique identifier, managed by SSL
+			#  User-Name  - from the Access-Accept
+			#  Stripped-User-Name - from the Access-Request
+			#  Cached-Session-Policy - from the Access-Accept
+			#
+			#  The "Cached-Session-Policy" is the name of a
+			#  policy which should be applied to the cached
+			#  session.  This policy can be used to assign
+			#  VLANs, IP addresses, etc.  It serves as a useful
+			#  way to re-apply the policy from the original
+			#  Access-Accept to the subsequent Access-Accept
+			#  for the cached session.
+			#
+			#  On session resumption, these attributes are
+			#  copied from the cache, and placed into the
+			#  reply list.
+			#
+			#  You probably also want "use_tunneled_reply = yes"
+			#  when using fast session resumption.
+			#
+			cache {
+			      #
+			      #  Enable it.  The default is "no".
+			      #  Deleting the entire "cache" subsection
+			      #  Also disables caching.
+			      #
+			      #  You can disallow resumption for a
+			      #  particular user by adding the following
+			      #  attribute to the control item list:
+			      #
+			      #		Allow-Session-Resumption = No
+			      #
+			      #  If "enable = no" below, you CANNOT
+			      #  enable resumption for just one user
+			      #  by setting the above attribute to "yes".
+			      #
+			      enable = no
+
+			      #
+			      #  Lifetime of the cached entries, in hours.
+			      #  The sessions will be deleted after this
+			      #  time.
+			      #
+			      lifetime = 24 # hours
+
+			      #
+			      #  The maximum number of entries in the
+			      #  cache.  Set to "0" for "infinite".
+			      #
+			      #  This could be set to the number of users
+			      #  who are logged in... which can be a LOT.
+			      #
+			      max_entries = 255
+			}
+
+			#
+			#  As of version 2.1.10, client certificates can be
+			#  validated via an external command.  This allows
+			#  dynamic CRLs or OCSP to be used.
+			#
+			#  This configuration is commented out in the
+			#  default configuration.  Uncomment it, and configure
+			#  the correct paths below to enable it.
+			#
+			verify {
+				#  A temporary directory where the client
+				#  certificates are stored.  This directory
+				#  MUST be owned by the UID of the server,
+				#  and MUST not be accessible by any other
+				#  users.  When the server starts, it will do
+				#  "chmod go-rwx" on the directory, for
+				#  security reasons.  The directory MUST
+				#  exist when the server starts.
+				#
+				#  You should also delete all of the files
+				#  in the directory when the server starts.
+		#     		tmpdir = /tmp/radiusd
+
+				#  The command used to verify the client cert.
+				#  We recommend using the OpenSSL command-line
+				#  tool.
+				#
+				#  The ${..CA_path} text is a reference to
+				#  the CA_path variable defined above.
+				#
+				#  The %{TLS-Client-Cert-Filename} is the name
+				#  of the temporary file containing the cert
+				#  in PEM format.  This file is automatically
+				#  deleted by the server when the command
+				#  returns.
+		#    		client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
+			}
 		}
 
 		#  The TTLS module implements the EAP-TTLS protocol,
@@ -294,7 +443,12 @@
 			#  the virtual server that processed the
 			#  outer requests.
 			#
-			#virtual_server = "inner-tunnel"
+			virtual_server = "inner-tunnel"
+
+			#  This has the same meaning as the
+			#  same field in the "tls" module, above.
+			#  The default value here is "yes".
+		#	include_length = yes
 		}
 
 		##################################################
@@ -320,6 +474,12 @@
 		#
 		#	http://support.microsoft.com/kb/885453/en-us
 		#
+		#
+		#  If is still doesn't work, and you're using Samba,
+		#  you may be encountering a Samba bug.  See:
+		#
+		#	https://bugzilla.samba.org/show_bug.cgi?id=6563
+		#
 		#  Note that we do not necessarily agree with their
 		#  explanation... but the fix does appear to work.
 		#
@@ -341,7 +501,7 @@
 		#  require a client certificate.
 		#
 		#
-		#  You can make TTLS require a client cert by setting
+		#  You can make PEAP require a client cert by setting
 		#
 		#	EAP-TLS-Require-Client-Cert = Yes
 		#
@@ -377,7 +537,19 @@
 			#  the virtual server that processed the
 			#  outer requests.
 			#
-			#virtual_server = "inner-tunnel"
+			virtual_server = "inner-tunnel"
+
+			# This option enables support for MS-SoH
+			# see doc/SoH.txt for more info.
+			# It is disabled by default.
+			#
+		#	soh = yes
+
+			#
+			# The SoH reply will be turned into a request which
+			# can be sent to a specific virtual server:
+			#
+		#	soh_virtual_server = "soh-server"
 		}
 
 		#
@@ -397,4 +569,3 @@
 		mschapv2 {
 		}
 	}
-