1 ######################################################################
3 # Initial implementation of RADIUS over TLS (radsec)
5 ######################################################################
12 # TCP and TLS sockets can accept Access-Request and
13 # Accounting-Request on the same socket.
15 # auth = only Access-Request
16 # acct = only Accounting-Request
21 # For now, only TCP transport is allowed.
24 # Send packets to the default virtual server
25 virtual_server = default
30 # Connection limiting for sockets with "proto = tcp".
34 # Limit the number of simultaneous TCP connections to the socket
37 # Setting this to 0 means "no limit"
40 # The per-socket "max_requests" option does not exist.
43 # The lifetime, in seconds, of a TCP connection. After
44 # this lifetime, the connection will be closed.
46 # Setting this to 0 means "forever".
50 # The idle timeout, in seconds, of a TCP connection.
51 # If no packets have been received over the connection for
52 # this time, the connection will be closed.
54 # Setting this to 0 means "no timeout".
56 # We STRONGLY RECOMMEND that you set an idle timeout. Without one, a connection that has gone quiet stays open (until its lifetime expires, if one is set) while still counting against the connection limit above.
61 # This is *exactly* the same configuration as used by the EAP-TLS
62 # module. It's OK for testing, but for production use it's a good
63 # idea to use different server certificates for EAP and for RADIUS
66 # If you want only one TLS configuration for multiple sockets,
67 # then we suggest putting "tls { ...}" into radiusd.conf.
68 # The subsection below can then be changed into a reference:
72 # Which means "the tls sub-section is not here, but instead is in
73 # the top-level section called 'tls'".
75 # If you have multiple tls configurations, you can put them into
76 # sub-sections of a top-level "tls" section. There's no need to
77 # call them all "tls". You can then use:
81 # to refer to the "site1" sub-section of the "tls" section.
84 private_key_password = whatever
85 private_key_file = ${certdir}/server.pem
87 # If Private key & Certificate are located in
88 # the same file, then private_key_file &
89 # certificate_file must contain the same file
92 # If ca_file (below) is not used, then the
93 # certificate_file below MUST include not
94 # only the server certificate, but ALSO all
95 # of the CA certificates used to sign the
97 certificate_file = ${certdir}/server.pem
99 # Trusted Root CA list
101 # ALL of the CAs in this list will be trusted
102 # to issue client certificates for authentication.
104 # In general, you should use self-signed
105 # certificates for 802.1x (EAP) authentication.
106 # In that case, this CA file should contain
107 # *one* CA certificate.
109 # This parameter is used only for EAP-TLS,
110 # when you issue client certificates. If you do
111 # not use client certificates, and you do not want
112 # to permit EAP-TLS authentication, then delete
113 # this configuration item. Note, however, that this listener sets require_client_cert = yes below, so the certificates presented by connecting RADIUS clients are also verified against this list; keep it in that case.
114 ca_file = ${cadir}/ca.pem
117 # For DH cipher suites to work, you have to
118 # run OpenSSL to create the DH file first (1024 below is only an example size; use a larger one where your OpenSSL build and peers support it):
120 # openssl dhparam -out certs/dh 1024
122 dh_file = ${certdir}/dh
125 # If your system doesn't have /dev/urandom,
126 # you will need to create this file, and
127 # periodically change its contents.
129 # For security reasons, FreeRADIUS doesn't
130 # write to files in its configuration
133 # random_file = ${certdir}/random
136 # The default fragment size is 1K.
137 # However, it's possible to send much more data than
138 # that over a TCP connection. The upper limit is 64K.
139 # Setting the fragment size to more than 1K means that
140 # there are fewer round trips when setting up a TLS
141 # connection. But only if the certificates are large.
145 # include_length is a flag which is
146 # by default set to yes. If set to
147 # yes, Total Length of the message is
148 # included in EVERY packet we send.
149 # If set to no, Total Length of the
150 # message is included ONLY in the
151 # First packet of a fragment series.
153 # include_length = yes
155 # Check the Certificate Revocation List
157 # 1) Copy CA certificates and CRLs to the same directory.
158 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
159 # 'c_rehash' is an OpenSSL command.
160 # 3) Uncomment the line below.
166 # If check_cert_issuer is set, the value will
167 # be checked against the DN of the issuer in
168 # the client certificate. If the values do not
169 # match, the certificate verification will fail,
170 # rejecting the user.
172 # In 2.1.10 and later, this check can be done
173 # more generally by checking the value of the
174 # TLS-Client-Cert-Issuer attribute. This check
175 # can be done via any mechanism you choose.
177 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
180 # If check_cert_cn is set, the value will
181 # be xlat'ed and checked against the CN
182 # in the client certificate. If the values
183 # do not match, the certificate verification
184 # will fail, rejecting the user.
186 # This check is done only if the previous
187 # "check_cert_issuer" is not set, or if
188 # the check succeeds.
190 # In 2.1.10 and later, this check can be done
191 # more generally by checking the value of the
192 # TLS-Client-Cert-CN attribute. This check
193 # can be done via any mechanism you choose.
195 # check_cert_cn = %{User-Name}
197 # Set this option to specify the allowed
198 # TLS cipher suites. The format is listed
199 # in "man 1 ciphers".
200 cipher_list = "DEFAULT"
204 # This configuration entry should be deleted
205 # once the server is running in a normal
206 # configuration. It is here ONLY to make
207 # initial deployments easier.
210 # This is enabled in eap.conf, so we don't need it here.
212 # make_cert_command = "${certdir}/bootstrap"
215 # Session resumption / fast reauthentication
218 # The cache contains the following information:
220 # session Id - unique identifier, managed by SSL
221 # User-Name - from the Access-Accept
222 # Stripped-User-Name - from the Access-Request
223 # Cached-Session-Policy - from the Access-Accept
225 # The "Cached-Session-Policy" is the name of a
226 # policy which should be applied to the cached
227 # session. This policy can be used to assign
228 # VLANs, IP addresses, etc. It serves as a useful
229 # way to re-apply the policy from the original
230 # Access-Accept to the subsequent Access-Accept
231 # for the cached session.
233 # On session resumption, these attributes are
234 # copied from the cache, and placed into the
237 # You probably also want "use_tunneled_reply = yes"
238 # when using fast session resumption.
242 # Enable it. The default is "no".
243 # Deleting the entire "cache" subsection
244 # also disables caching.
246 # You can disallow resumption for a
247 # particular user by adding the following
248 # attribute to the control item list:
250 # Allow-Session-Resumption = No
252 # If "enable = no" below, you CANNOT
253 # enable resumption for just one user
254 # by setting the above attribute to "yes".
259 # Lifetime of the cached entries, in hours.
260 # The sessions will be deleted after this
263 lifetime = 24 # hours
266 # The maximum number of entries in the
267 # cache. Set to "0" for "infinite".
269 # This could be set to the number of users
270 # who are logged in... which can be a LOT.
275 # Internal "name" of the session cache.
276 # Used to distinguish which TLS context
277 # sessions belong to.
279 # The server will generate a random value
280 # if unset. This will change across server
281 # restart so you MUST set the "name" if you
282 # want to persist sessions (see below).
284 # If you use IPv6, change the "ipaddr" below
287 #name = "TLS ${..ipaddr} ${..port} ${..proto}"
290 # Simple directory-based storage of sessions.
291 # Two files per session will be written, the SSL
292 # state and the cached VPs. This will persist session
293 # across server restarts.
295 # The server will need write perms, and the directory
296 # must not be readable or writable by anyone else. You might want
297 # a script to remove old files from here periodically:
299 # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
301 # This feature REQUIRES "name" option be set above.
303 #persist_dir = "${logdir}/tlscache"
307 # Require a client certificate.
309 require_client_cert = yes
312 # As of version 2.1.10, client certificates can be
313 # validated via an external command. This allows
314 # dynamic CRLs or OCSP to be used.
316 # This configuration is commented out in the
317 # default configuration. Uncomment it, and configure
318 # the correct paths below to enable it.
321 # A temporary directory where the client
322 # certificates are stored. This directory
323 # MUST be owned by the UID of the server,
324 # and MUST not be accessible by any other
325 # users. When the server starts, it will do
326 # "chmod go-rwx" on the directory, for
327 # security reasons. The directory MUST
328 # exist when the server starts.
330 # You should also delete all of the files
331 # in the directory when the server starts.
332 # tmpdir = /tmp/radiusd
334 # The command used to verify the client cert.
335 # We recommend using the OpenSSL command-line
338 # The ${..ca_path} text is a reference to
339 # the ca_path variable defined above.
341 # The %{TLS-Client-Cert-Filename} is the name
342 # of the temporary file containing the cert
343 # in PEM format. This file is automatically
344 # deleted by the server when the command
346 # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
356 # Ensure that this client is TLS *only*.
361 # TCP clients can have any shared secret.
363 # TLS clients MUST have the shared secret
364 # set to "radsec". Or, for "proto = tls",
365 # you can omit the secret, and it will
366 # automatically be set to "radsec".
371 # You can also use a "limit" section here.
372 # See raddb/clients.conf for examples.
374 # Note that BOTH limits are applied. You
375 # should therefore set the "listen" limits
376 # higher than the ones for each individual
391 private_key_password = whatever
392 private_key_file = ${certdir}/client.pem
394 # If Private key & Certificate are located in
395 # the same file, then private_key_file &
396 # certificate_file must contain the same file
399 # If ca_file (below) is not used, then the
400 # certificate_file below MUST include not
401 # only the server certificate, but ALSO all
402 # of the CA certificates used to sign the
403 # server certificate.
404 certificate_file = ${certdir}/client.pem
406 # Trusted Root CA list
408 # ALL of the CAs in this list will be trusted
409 # to issue client certificates for authentication.
411 # In general, you should use self-signed
412 # certificates for 802.1x (EAP) authentication.
413 # In that case, this CA file should contain
414 # *one* CA certificate.
416 # This parameter is used only for EAP-TLS,
417 # when you issue client certificates. If you do
418 # not use client certificates, and you do not want
419 # to permit EAP-TLS authentication, then delete
420 # this configuration item.
421 ca_file = ${cadir}/ca.pem
424 # For DH cipher suites to work, you have to
425 # run OpenSSL to create the DH file first (1024 below is only an example size; use a larger one where your OpenSSL build and peers support it):
427 # openssl dhparam -out certs/dh 1024
429 dh_file = ${certdir}/dh
430 random_file = ${certdir}/random
433 # The default fragment size is 1K.
434 # However, TLS can send 64K of data at once.
435 # It can be useful to set it higher.
439 # include_length is a flag which is
440 # by default set to yes. If set to
441 # yes, Total Length of the message is
442 # included in EVERY packet we send.
443 # If set to no, Total Length of the
444 # message is included ONLY in the
445 # First packet of a fragment series.
447 # include_length = yes
449 # Check the Certificate Revocation List
451 # 1) Copy CA certificates and CRLs to the same directory.
452 # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
453 # 'c_rehash' is an OpenSSL command.
454 # 3) Uncomment the line below.
460 # If check_cert_issuer is set, the value will
461 # be checked against the DN of the issuer in
462 # the client certificate. If the values do not
463 # match, the certificate verification will fail,
464 # rejecting the user.
466 # In 2.1.10 and later, this check can be done
467 # more generally by checking the value of the
468 # TLS-Client-Cert-Issuer attribute. This check
469 # can be done via any mechanism you choose.
471 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
474 # If check_cert_cn is set, the value will
475 # be xlat'ed and checked against the CN
476 # in the client certificate. If the values
477 # do not match, the certificate verification
478 # will fail, rejecting the user.
480 # This check is done only if the previous
481 # "check_cert_issuer" is not set, or if
482 # the check succeeds.
484 # In 2.1.10 and later, this check can be done
485 # more generally by checking the value of the
486 # TLS-Client-Cert-CN attribute. This check
487 # can be done via any mechanism you choose.
489 # check_cert_cn = %{User-Name}
491 # Set this option to specify the allowed
492 # TLS cipher suites. The format is listed
493 # in "man 1 ciphers".
494 cipher_list = "DEFAULT"
499 home_server_pool tls {