X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Feap.conf;h=b34acbe7b6157bc984950bb4559699876e326dbf;hb=1950077e6802158e211fa894e26727ff4a57fb6c;hp=e0be2154d2621dac2743fe5a756f1acced953781;hpb=a20963fdc84a9cce7ce2d8498324cc7cb4ffa055;p=freeradius.git

diff --git a/raddb/eap.conf b/raddb/eap.conf
index e0be215..b34acbe 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -62,8 +62,8 @@
 		#  Help prevent DoS attacks by limiting the number of
 		#  sessions that the server is tracking.  Most systems
 		#  can handle ~30 EAP sessions/s, so the default limit
-		#  of 2048 is more than enough.
-		max_sessions = 2048
+		#  of 4096 should be OK.
+		max_sessions = 4096
 
 		# Supported EAP-types
 
@@ -144,6 +144,10 @@
 		#
 		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
 		#
+		#  Note that you should NOT use a globally known CA here!
+		#  e.g. using a Verisign cert as a "known CA" means that
+		#  ANYONE who has a certificate signed by them can
+		#  authenticate via EAP-TLS!  This is likey not what you want.
 		tls {
 			#
 			#  These is used to simplify later configurations.
@@ -221,7 +225,7 @@
 			#  3) uncomment the line below.
 			#  5) Restart radiusd
 		#	check_crl = yes
-		#	CA_path = /path/to/directory/with/ca_certs/and/crls/
+			CA_path = ${cadir}
 
 		       #
 		       #  If check_cert_issuer is set, the value will
@@ -230,6 +234,11 @@
 		       #  match, the cerficate verification will fail,
 		       #  rejecting the user.
 		       #
+		       #  In 2.1.10 and later, this check can be done
+		       #  more generally by checking the value of the
+		       #  TLS-Client-Cert-Issuer attribute.  This check
+		       #  can be done via any mechanism you choose.
+		       #
 		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 
 		       #
@@ -243,6 +252,11 @@
 		       #  "check_cert_issuer" is not set, or if
 		       #  the check succeeds.
 		       #
+		       #  In 2.1.10 and later, this check can be done
+		       #  more generally by checking the value of the
+		       #  TLS-Client-Cert-CN attribute.  This check
+		       #  can be done via any mechanism you choose.
+		       #
 		#	check_cert_cn = %{User-Name}
 		#
 			# Set this option to specify the allowed
@@ -263,13 +277,45 @@
 			#  Session resumption / fast reauthentication
 			#  cache.
 			#
+			#  The cache contains the following information:
+			#
+			#  session Id - unique identifier, managed by SSL
+			#  User-Name  - from the Access-Accept
+			#  Stripped-User-Name - from the Access-Request
+			#  Cached-Session-Policy - from the Access-Accept
+			#
+			#  The "Cached-Session-Policy" is the name of a
+			#  policy which should be applied to the cached
+			#  session.  This policy can be used to assign
+			#  VLANs, IP addresses, etc.  It serves as a useful
+			#  way to re-apply the policy from the original
+			#  Access-Accept to the subsequent Access-Accept
+			#  for the cached session.
+			#
+			#  On session resumption, these attributes are
+			#  copied from the cache, and placed into the
+			#  reply list.
+			#
+			#  You probably also want "use_tunneled_reply = yes"
+			#  when using fast session resumption.
+			#
 			cache {
 			      #
 			      #  Enable it.  The default is "no".
 			      #  Deleting the entire "cache" subsection
 			      #  Also disables caching.
 			      #
-			      enable = yes
+			      #  You can disallow resumption for a
+			      #  particular user by adding the following
+			      #  attribute to the control item list:
+			      #
+			      #		Allow-Session-Resumption = No
+			      #
+			      #  If "enable = no" below, you CANNOT
+			      #  enable resumption for just one user
+			      #  by setting the above attribute to "yes".
+			      #
+			      enable = no
 
 			      #
 			      #  Lifetime of the cached entries, in hours.
@@ -287,6 +333,44 @@
 			      #
 			      max_entries = 255
 			}
+
+			#
+			#  As of version 2.1.10, client certificates can be
+			#  validated via an external command.  This allows
+			#  dynamic CRLs or OCSP to be used.
+			#
+			#  This configuration is commented out in the
+			#  default configuration.  Uncomment it, and configure
+			#  the correct paths below to enable it.
+			#
+			verify {
+				#  A temporary directory where the client
+				#  certificates are stored.  This directory
+				#  MUST be owned by the UID of the server,
+				#  and MUST not be accessible by any other
+				#  users.  When the server starts, it will do
+				#  "chmod go-rwx" on the directory, for
+				#  security reasons.  The directory MUST
+				#  exist when the server starts.
+				#
+				#  You should also delete all of the files
+				#  in the directory when the server starts.
+		#     		tmpdir = /tmp/radiusd
+
+				#  The command used to verify the client cert.
+				#  We recommend using the OpenSSL command-line
+				#  tool.
+				#
+				#  The ${..CA_path} text is a reference to
+				#  the CA_path variable defined above.
+				#
+				#  The %{TLS-Client-Cert-Filename} is the name
+				#  of the temporary file containing the cert
+				#  in PEM format.  This file is automatically
+				#  deleted by the server when the command
+				#  returns.
+		#    		client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
+			}
 		}
 
 		#  The TTLS module implements the EAP-TTLS protocol,
@@ -360,6 +444,11 @@
 			#  outer requests.
 			#
 			virtual_server = "inner-tunnel"
+
+			#  This has the same meaning as the
+			#  same field in the "tls" module, above.
+			#  The default value here is "yes".
+		#	include_length = yes
 		}
 
 		##################################################
@@ -385,6 +474,12 @@
 		#
 		#	http://support.microsoft.com/kb/885453/en-us
 		#
+		#
+		#  If is still doesn't work, and you're using Samba,
+		#  you may be encountering a Samba bug.  See:
+		#
+		#	https://bugzilla.samba.org/show_bug.cgi?id=6563
+		#
 		#  Note that we do not necessarily agree with their
 		#  explanation... but the fix does appear to work.
 		#