attribute. The latest release of Windows Phone needs this to be present
for the handset to validate the RADIUS server certificate. The RADIUS
server must have the URI defined but the CA need not have...however it
-is best practice for a CA to have a recovation URI. Note that whilst
+is best practice for a CA to have a revocation URI. Note that whilst
the Windows Mobile client cannot actually use the CRL when doing 802.1X
it is recommended that the URI be an actual working URL and contain a
-recovation format file as there may be other OS behaviour at play and
+revocation format file as there may be other OS behaviour at play and
future OSes that may do something with that URI.
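Review bot: Both 'recovation' corrections are right, but the same paragraph calls the client 'Windows Phone' on its first line and 'Windows Mobile' a few lines later; since the wording is being touched anyway, use one name so readers do not wonder whether two different clients are meant.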
In general, you should use self-signed certificates for 802.1x (EAP)
-authentication. When you list root CAs from other organizations in
+authentication. When you list root CAs from other organisations in
the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
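Review bot: 'organizations' to 'organisations' is an American-to-British spelling change, not a typo fix, and mixing it into a typo patch is a problem because the patch leaves 'authorization' untouched elsewhere, so the tree ends up with both conventions. Either drop the locale respellings from this patch or move them to a separate one that converts every occurrence.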
to test 2048 bit keys.
- A 1GHz system will likely do 30 calculations/s. A 2Ghz system may
+ A 1GHz system will likely do 30 calculations/s. A 2GHz system may
do 50 calculations/s, or more. That number is also the number of
authentications/s that can be done for EAP-TLS (or TTLS, or PEAP).
The certificates created using this method are known to be compatible
with ALL operating systems. Some common issues are:
- - Windows requires certain OID's in the certificates. If it doesn't
- see them, it will stop doing EAP. The most visibile effect is
+ - Windows requires certain OIDs in the certificates. If it doesn't
+ see them, it will stop doing EAP. The most visible effect is
that the client starts EAP, gets a few Access-Challenge packets,
and then a little while later re-starts EAP. If this happens, see
the FAQ, and the comments in raddb/eap.conf for how to fix it.
digests, to maintain compatibility with network equipment that
supports only this algorithm.
-MD5 has known weaknesses and is discouraged in favor of SHA1 (see
+MD5 has known weaknesses and is discouraged in favour of SHA1 (see
http://www.kb.cert.org/vuls/id/836068 for details). If your network
equipment supports the SHA1 signature algorithm, we recommend that you
change the "ca.cnf", "server.cnf", and "client.cnf" files to specify
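Review bot: 'favor' to 'favour' is a locale change rather than a correction and should be separated from the genuine typo fixes. Since this sentence is being edited anyway, the advice itself is dated: moving from MD5 to SHA1 is no longer a safe recommendation, as SHA-1 certificate signatures are now rejected by mainstream TLS clients, so the suggested target for the .cnf files would better be a SHA-2 digest such as sha256.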
#
-# File containing the OID's required for Windows.
+# File containing the OIDs required for Windows.
#
# http://support.microsoft.com/kb/814394/en-us
#
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
- # phrase, or anything else that is recognizable.
+ # phrase, or anything else that is recognisable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
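Review bot: 'recognizable' to 'recognisable' is a British-spelling conversion with no typo involved; the guidance on the line (a random secret, at least 8 and preferably 16 characters) is unchanged and fine. Keep locale conversions out of a typo patch unless they are applied tree-wide.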
# Configuration for the example module. Uncommenting it will cause it
- # to get loaded and initialized, but should have no real effect as long
+ # to get loaded and initialised, but should have no real effect as long
# it is not referenced in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
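Review bot: 'initialized' to 'initialised' is a spelling-locale change, not a fix; drop it here or handle the spelling convention in a dedicated patch.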
#
-# Cache EAP responses for resiliency on intermediary proxy failover
+# Cache EAP responses for resiliency on intermediary proxy fail-over
#
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
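Review bot: 'failover' is the established single-word term in networking and clustering documentation; hyphenating it to 'fail-over' is a style preference, not a correction, and makes the comment harder to find by searching for the usual term. Suggest leaving the original.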
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
-# If the letter is ommited days will be assumed. In example:
+# If the letter is omitted days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
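Review bot: 'ommited' to 'omitted' is correct, but the rest of that comment line still reads 'In example:' where 'For example:' is meant, and a comma after 'omitted' is needed; fix both while the line is being touched, e.g. '# If the letter is omitted, days will be assumed. For example:'.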
# database the logged queries are going to be executed against.
dialect = "sqlite"
- # The submodule to use to execute queries. This should match
+ # The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# There are CUI queries available for:
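Review bot: 'submodule' is the usual single word in software documentation; 'sub-module' is a stylistic hyphenation rather than a correction, and the identical comment in the mysql variant of this module further down is changed the same way, so this is churn on two files for no fix. Leave the original wording.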
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
- # The header can be customized by editing this
+ # The header can be customised by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
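Review bot: 'customized' to 'customised' is a British-spelling change, not a typo fix, and the comment is otherwise unchanged; drop it from this patch or treat spelling convention separately.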
# $Id$
#
-# Internationalized domain names.
+# Internationalised domain names.
#
# The expansion string: %{idn: example.com} results in an ASCII
#
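Review bot: 'Internationalized Domain Names' is the name of the IDNA standard that the %{idn: ...} expansion documented on the line below implements, so the comment should keep the spelling the specification uses; respelling it 'Internationalised' breaks searches for the standard term. Revert this one even if other locale changes are kept.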
# Sample configuration for an EAP module that occurs *inside*
-# of a tunneled method. It is used to limit the EAP types that
+# of a tunnelled method. It is used to limit the EAP types that
# can occur inside of the inner tunnel.
#
# See also raddb/sites-available/inner-tunnel
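Review bot: 'tunneled' to 'tunnelled' is a locale spelling change rather than a correction; both forms are accepted, so this is not worth churning a comment line for unless the whole tree is converted.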
# ca_path = /path/to/directory/with/ca_certs/and/crls/
#
- # The session resumption / fast reauthentication
+ # The session resumption / fast re-authentication
# cache CANNOT be used for inner sessions.
#
}
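Review bot: 'reauthentication' to 're-authentication' is a hyphenation preference; both forms are in common use for EAP session resumption, and the substantive point of the comment (the resumption cache cannot be used for inner sessions) is unchanged. Not a correction, so it can be dropped.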
# "access_attribute" not existing means "allow access"
# positive_access = yes
- # If this is undefined, anyone is authorized.
+ # If this is undefined, anyone is authorised.
# If it is defined, the contents of this attribute
- # determine whether or not the user is authorized
+ # determine whether or not the user is authorised
# access_attribute = "dialupAccess"
}
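Review bot: 'authorized' to 'authorised' on two lines here conflicts with the unchanged 'available after authorization' comment in the yubikey module later in this same patch, so the patch introduces a mixed convention rather than fixing one; either convert every occurrence (including 'authorization') or leave these lines as they were. The option names access_attribute and positive_access are correctly left alone.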
# the same mapping scheme applied to user objects.
#
profile {
- # Filter for RAIDUS profile objects
+ # Filter for RADIUS profile objects
# filter = "(objectclass=radiusprofile)"
# The default profile applied to all users.
# Note: '=' is *not* supported.
# <value>: The value to add modify or delete.
#
- # WARNING: If using the ':=' operator with a multivalued LDAP
+ # WARNING: If using the ':=' operator with a multi-valued LDAP
# attribute, all instances of the attribute will be removed and
# replaced with a single attribute.
#
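Review bot: 'multivalued' to 'multi-valued' is a hyphenation preference, not a fix; the part of this comment that matters, that ':=' removes all instances of a multi-valued LDAP attribute and replaces them with a single one, reads correctly either way. Leave it.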
# LDAP connection-specific options.
#
- # These options set timeouts, keepalives, etc. for the connections.
+ # These options set timeouts, keep-alives, etc. for the connections.
#
options {
#
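Review bot: 'keepalives' should stay as one word; 'keepalive' is the standard name of the TCP mechanism and of the corresponding socket option, so 'keep-alives' diverges from how the feature is named everywhere else. Revert this change.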
logintime {
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
- # allow the logon. Some NASes do not handle values
+ # allow the login. Some NAS do not handle values
# lower than 60 seconds well.
minimum_timeout = 60
}
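Review bot: This is a wording change, not a typo fix, and it reads worse afterwards: 'Some NAS do not handle' uses NAS as a plural, which is ambiguous because NAS is also the singular, whereas the original 'NASes' (or 'NAS devices') was clear. 'logon' to 'login' is harmless but is also not a correction. Suggest reverting the line.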
# Whether or not to allow asynchronous ("pure" challenge/
# response) mode authentication. Since sync mode is much more
# usable, and all reasonable tokens support it, the typical
- # use of async mode is to allow resync of event based tokens.
+ # use of async mode is to allow re-sync of event based tokens.
# But because of the vulnerability of async mode with some tokens,
# you probably want to disable this and require that out-of-sync
- # users resync from specifically secured terminals.
+ # users re-sync from specifically secured terminals.
# See the otpd docs for more info.
# (default: no)
#allow_async = no
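Review bot: 'resync' to 're-sync' in both places is hyphenation style rather than a correction; 'resync' is the common form for token resynchronisation, and the security warning on these lines (async mode is vulnerable with some tokens, so out-of-sync users should resync only from secured terminals) is unaffected. Not worth the churn.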
# on all your RADIUS servers would allow replay attacks!
# Also, for event based tokens, the user will be out of sync
# on the "other" servers. In order to use "yes" on all your
- # servers, you must either use gsmd, which synchronizes state
- # globally, or implement your own state synchronization method.
+ # servers, you must either use gsmd, which synchronises state
+ # globally, or implement your own state synchronisation method.
# (default: yes)
#allow_sync = yes
# If both allow_async and allow_sync are "yes", a challenge is
- # always presented to the user. This is incompatible with NAS's
+ # always presented to the user. This is incompatible with NAS
# that can't present or don't handle Access-Challenge's, e.g.
# PPTP servers. Even though a challenge is presented, the user
# can still enter their synchronous passcode.
#
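Review bot: 'synchronizes'/'synchronization' to the -ise forms is a locale change, not a fix, and should be separated from the typo corrections. Removing the apostrophe from 'NAS's' is a genuine correction, but the next line still has the same error in 'Access-Challenge's'; fix that to 'Access-Challenges' in the same hunk. Also prefer 'NASes' or 'NAS devices' over bare 'NAS' for the plural, since 'incompatible with NAS that can't present' reads as singular.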
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
-# by some NASes, and converts the attributes into a form which
+# by some NAS, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${moddir}/huntgroups
hints = ${moddir}/hints
- # This hack changes Ascend's weird port numberings
+ # This hack changes Ascend's weird port numbering
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
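Review bot: 'by some NAS' reads as singular where a plural is meant; keep 'NASes' or write 'some NAS devices'. 'numberings' to 'numbering' is fine.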
# start deleting them
cleanup_delay = 300
- # connections last no more than "lifeime" seconds.
+ # connections last no more than "lifetime" seconds.
lifetime = 86400
# close idle connections are "idle_timeout" seconds
#
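Review bot: 'lifeime' to 'lifetime' is correct. The comment two lines below, '# close idle connections are "idle_timeout" seconds', has a similar slip ('are' where 'after' is meant) that should be fixed in the same hunk.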
sql {
- # The submodule to use to execute queries. This should match
+ # The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# * rlm_sql_mysql
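Review bot: 'submodule' to 'sub-module' here is a style preference rather than a correction; 'submodule' is the single-word form readers will search for, and the same comment in the sqlite variant of this module above gets the identical change, so reverting both keeps the two files in step with the original wording.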
# the driver you selected above.
#
# If you're using rlm_sql_null, then it should be the type of
- # database the logged queries are going to be exected against.
+ # database the logged queries are going to be executed against.
dialect = "mysql"
# Connection info:
#
yubikey {
#
- # The length (number of ascii bytes) of the Public-ID portion
+ # The length (number of ASCII bytes) of the Public-ID portion
# of the OTP string.
#
# Yubikey defaults to a 6 byte ID (2 * 6 = 12)
# These attributes are available after authorization:
# * Yubikey-Public-ID - The public portion of the OTP string
#
- # These attributes are available after authentication (if successfull):
+ # These attributes are available after authentication (if successful):
# * Yubikey-Private-ID - The encrypted ID included in OTP data,
# must be verified if tokens share keys.
# * Yubikey-Counter - The last counter value (should be recorded).
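Review bot: 'successfull' to 'successful' is right, but 'authorization' on the first context line of this hunk keeps its American spelling while other hunks in this patch switch 'authorized' to 'authorised', so the patch leaves the tree with both spellings. Pick one convention for the whole patch.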
# $Id$
#
# This configuration file is used to remove almost all of the
-# attributes From an Access-Challenge message. The RFC's say
+# attributes From an Access-Challenge message. The RFCs say
# that an Access-Challenge packet can contain only a few
# attributes. We enforce that here.
#
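Review bot: 'RFC's' to 'RFCs' is correct; the capitalised 'From' in 'attributes From an Access-Challenge message' on the line above is the other slip in that sentence and should be lowercased at the same time.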
# $Id$
#
# This configuration file is used to remove almost all of the attributes
-# From an Access-Reject message. The RFC's say that an Access-Reject
+# From an Access-Reject message. The RFCs say that an Access-Reject
# packet can contain only a few attributes. We enforce that here.
#
DEFAULT
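Review bot: 'RFC's' to 'RFCs' is correct; 'attributes From an Access-Reject message' two lines earlier still has a stray capital 'From' that should be lowercased in the same hunk.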