2 # Whatever you do, do NOT set 'Auth-Type := EAP'. The server
3 # is smart enough to figure this out on its own. The most
4 # common side effect of setting 'Auth-Type := EAP' is that the
5 # users then cannot use ANY other authentication method.
10 # Invoke the default supported EAP type when
11 # EAP-Identity response is received.
13 # The incoming EAP messages DO NOT specify which EAP
14 # type they will be using, so it MUST be set here.
16 # For now, only one default EAP type may be used at a time.
18 # If the EAP-Type attribute is set by another module,
19 # then that EAP type takes precedence over the
20 # default type configured here.
22 default_eap_type = md5
24 # A list is maintained to correlate EAP-Response
25 # packets with EAP-Request packets. After a
26 # configurable length of time, entries in the list
27 # expire, and are deleted.
31 # There are many EAP types, but the server has support
32 # for only a limited subset. If the server receives
33 # a request for an EAP type it does not support, then
34 # it normally rejects the request. By setting this
35 # configuration to "yes", you can tell the server to
36 # instead keep processing the request. Another module
37 # MUST then be configured to proxy the request to
38 # another RADIUS server which supports that EAP type.
40 # If another module is NOT configured to handle the
41 # request, then the request will still end up being
43 ignore_unknown_eap_types = no
45 # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
46 # a User-Name attribute in an Access-Accept, it copies one
47 # more byte than it should.
49 # We can work around it by configurably adding an extra
51 cisco_accounting_username_bug = no
56 # We do NOT recommend using EAP-MD5 authentication
57 # for wireless connections. It is insecure (it does not
58 # authenticate the server to the client), and does not provide for dynamic WEP keys.
65 # Cisco LEAP uses the MS-CHAP algorithm (but not
66 # the MS-CHAP attributes) to perform its authentication.
68 # As a result, LEAP *requires* access to the plain-text
69 # User-Password, or the NT-Password attributes.
70 # 'System' authentication is impossible with LEAP.
77 # Currently, this is only permitted inside of EAP-TTLS,
78 # or EAP-PEAP. The module "challenges" the user with
79 # text, and the response from the user is taken to be
82 # Proxying the tunneled EAP-GTC session is a bad idea:
83 # the user's password will go over the wire in plain-text,
87 # The default challenge, which many clients
89 #challenge = "Password: "
91 # The plain-text response which comes back
92 # is put into a User-Password attribute,
93 # and passed to another module for
94 # authentication. This allows the EAP-GTC
95 # response to be checked against plain-text,
96 # or crypt'd passwords.
98 # If you say "Local" instead of "PAP", then
99 # the module will look for a User-Password
100 # configured for the request, and do the
101 # authentication itself.
108 # To generate test certificates, run the script
110 # ../scripts/certs.sh
112 # The documents on http://www.freeradius.org/doc
113 # are old, but may be helpful.
117 # http://www.dslreports.com/forum/remark,9286052~mode=flat
120 # private_key_password = whatever
121 # private_key_file = ${raddbdir}/certs/cert-srv.pem
123 # If Private key & Certificate are located in
124 # the same file, then private_key_file &
125 # certificate_file must contain the same file
127 # certificate_file = ${raddbdir}/certs/cert-srv.pem
129 # Trusted Root CA list
130 # CA_file = ${raddbdir}/certs/demoCA/cacert.pem
132 # dh_file = ${raddbdir}/certs/dh
133 # random_file = ${raddbdir}/certs/random
136 # This can never exceed the size of a RADIUS
137 # packet (4096 bytes), and is preferably half
138 # that, to accommodate other attributes in the
139 # RADIUS packet. On most APs the MAX packet
140 # length is configured between 1500 - 1600
141 # In these cases, fragment size should be
144 # fragment_size = 1024
146 # include_length is a flag which is
147 # by default set to yes. If set to
148 # yes, the Total Length of the message is
149 # included in EVERY packet we send.
150 # If set to no, Total Length of the
151 # message is included ONLY in the
152 # First packet of a fragment series.
154 # include_length = yes
156 # Check the Certificate Revocation List
158 # 1) Copy CA certificates and CRLs to same directory.
159 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
160 # 'c_rehash' is an OpenSSL command.
161 # 3) Add 'CA_path=<CA certs&CRLs directory>'
162 # to radiusd.conf's tls section.
163 # 4) uncomment the line below.
168 # The TTLS module implements the EAP-TTLS protocol,
169 # which can be described as EAP inside of Diameter,
170 # inside of TLS, inside of EAP, inside of RADIUS...
172 # Surprisingly, it works quite well.
174 # The TTLS module needs the TLS module to be installed
175 # and configured, in order to use the TLS tunnel
176 # inside of the EAP packet. You will still need to
177 # configure the TLS module, even if you do not want
178 # to deploy EAP-TLS in your network. Users will not
179 # be able to request EAP-TLS, as it requires them to
180 # have a client certificate. EAP-TTLS does not
181 # require a client certificate.
184 # The tunneled EAP session needs a default
185 # EAP type which is separate from the one for
186 # the non-tunneled EAP module. Inside of the
187 # TTLS tunnel, we recommend using EAP-MD5.
188 # If the request does not contain an EAP
189 # conversation, then this configuration entry
191 # default_eap_type = md5
193 # The tunneled authentication request does
194 # not usually contain useful attributes
195 # like 'Calling-Station-Id', etc. These
196 # attributes are outside of the tunnel,
197 # and normally unavailable to the tunneled
198 # authentication request.
200 # By setting this configuration entry to
201 # 'yes', any attribute which is NOT in the
202 # tunneled authentication request, but
203 # which IS available outside of the tunnel,
204 # is copied to the tunneled request.
206 # allowed values: {no, yes}
207 # copy_request_to_tunnel = no
209 # The reply attributes sent to the NAS are
210 # usually based on the name of the user
211 # 'outside' of the tunnel (usually
212 # 'anonymous'). If you want to send the
213 # reply attributes based on the user name
214 # inside of the tunnel, then set this
215 # configuration entry to 'yes', and the reply
216 # to the NAS will be taken from the reply to
217 # the tunneled request.
219 # allowed values: {no, yes}
220 # use_tunneled_reply = no
225 # The tunneled EAP session needs a default EAP type
226 # which is separate from the one for the non-tunneled
227 # EAP module. Inside of the TLS/PEAP tunnel, we
228 # recommend using EAP-MS-CHAPv2.
230 # The PEAP module needs the TLS module to be installed
231 # and configured, in order to use the TLS tunnel
232 # inside of the EAP packet. You will still need to
233 # configure the TLS module, even if you do not want
234 # to deploy EAP-TLS in your network. Users will not
235 # be able to request EAP-TLS, as it requires them to
236 # have a client certificate. EAP-PEAP does not
237 # require a client certificate.
240 # The tunneled EAP session needs a default
241 # EAP type which is separate from the one for
242 # the non-tunneled EAP module. Inside of the
243 # PEAP tunnel, we recommend using MS-CHAPv2,
244 # as that is the default type supported by
246 # default_eap_type = mschapv2
250 # This takes no configuration.
252 # Note that it is the EAP MS-CHAPv2 sub-module, not
253 # the main 'mschap' module.
255 # Note also that in order for this sub-module to work,
256 # the main 'mschap' module MUST ALSO be configured.
258 # This module is the *Microsoft* implementation of MS-CHAPv2
259 # in EAP. There is another (incompatible) implementation
260 # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not