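## EAP-TLS
#
# To generate test certificates, run the script
#
#	../scripts/certs.sh
#
# The documents on http://www.freeradius.org/doc
# are old, but may be helpful.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
#
tls-config tls-common {
	#
	# Password protecting private_key_file. "whatever" looks like
	# the placeholder that goes with the test certificates from
	# ../scripts/certs.sh; replace it when installing real
	# certificates. Because the password sits here in clear text,
	# this file should be readable only by the user radiusd runs as.
	#
	private_key_password = whatever
	private_key_file = ${raddbdir}/certs/radiusd.pem
	certificate_file = ${raddbdir}/certs/radiusd.pem

	#
	# NOTE(review): key, server certificate and CA bundle are all
	# read from the same radiusd.pem here. Confirm that this file
	# really contains the CA certificate that signs your client
	# certificates; if the CA lives in its own file, point ca_file
	# at that file rather than at the server certificate.
	#
	ca_file = ${raddbdir}/certs/radiusd.pem
	dh_file = ${raddbdir}/certs/dh
	random_file = ${raddbdir}/certs/random

	#
	# This can never exceed the size of a RADIUS
	# packet (4096 bytes), and is preferably half
	# that, to accommodate other attributes in the
	# RADIUS packet. On most APs the MAX packet
	# length is configured between 1500 - 1600.
	# In these cases, fragment size should be
	# 1024 or less.
	#
	#fragment_size = 1024

	#
	# include_length is a flag which is
	# by default set to yes. If set to
	# yes, Total Length of the message is
	# included in EVERY packet we send.
	# If set to no, Total Length of the
	# message is included ONLY in the
	# first packet of a fragment series.
	#
	#include_length = yes

	#
	# Check the Certificate Revocation List.
	# While this stays commented out, a revoked client
	# certificate is still accepted as long as it chains
	# to ca_file and has not expired.
	#
	# 1) Copy CA certificates and CRLs to the same directory.
	# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
	#    'c_rehash' is OpenSSL's command.
	# 3) Add 'CA_path=<CA certs&CRLs directory>'
	#    to radiusd.conf's tls section.
	# 4) Uncomment the line below.
	# 5) Restart radiusd.
	#
	#check_crl = yes

	#
	# If check_cert_cn is set, the value will
	# be xlat'ed and checked against the CN
	# in the client certificate. If the values
	# do not match, the certificate verification
	# will fail, rejecting the user.
	#
	#check_cert_cn = %{User-Name}

	#
	# Set this option to specify the allowed
	# TLS cipher suites. The format is listed
	# in "man 1 ciphers".
	#
	# "DEFAULT" is whatever OpenSSL's default cipher
	# list is on the build in use, so what it permits
	# varies by OpenSSL version; check it with
	# 'openssl ciphers -v DEFAULT' before relying on it.
	#
	cipher_list = "DEFAULT"

	#
	# Elliptic curve cryptography configuration
	#
	# Only for OpenSSL >= 0.9.8.f
	#
	ecdh_curve = "prime256v1"

	#
	# Session resumption / fast reauthentication
	# cache.
	#
	# The cache contains the following information:
	#
	# session Id - unique identifier, managed by SSL
	# User-Name - from the Access-Accept
	# Stripped-User-Name - from the Access-Request
	# Cached-Session-Policy - from the Access-Accept
	#
	# The "Cached-Session-Policy" is the name of a
	# policy which should be applied to the cached
	# session. This policy can be used to assign
	# VLANs, IP addresses, etc. It serves as a useful
	# way to re-apply the policy from the original
	# Access-Accept to the subsequent Access-Accept
	# for the cached session.
	#
	# On session resumption, these attributes are
	# copied from the cache, and placed into the
	# reply list.
	#
	# You probably also want "use_tunneled_reply = yes"
	# when using fast session resumption.
	#
	# NOTE(review): a resumed session re-uses the cached
	# outcome rather than re-running the full certificate
	# checks, so a client certificate that is revoked later
	# is only re-examined once its entry has expired. Keep
	# lifetime in line with how quickly revocation must take
	# effect.
	#
	cache {
		enable = yes
		# hours
		lifetime = 24
		max_entries = 255
	}

	#
	# As of version 2.1.10, client certificates can be
	# validated via an external command. This allows
	# dynamic CRLs or OCSP to be used.
	#
	# This configuration is commented out in the
	# default configuration. Uncomment it, and configure
	# the correct paths below to enable it.
	#
}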
|