smeserver-radiusd/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon


{
## EAP-TLS
#
# e-smith template fragment producing the "tls-common" block of
# mods-available/eap.  Everything inside { ... } is template code and is
# dropped from the generated file; \{ and \} are written out as literal
# braces, and $\{raddbdir\} is written as ${raddbdir} for radiusd to
# expand at start-up.
#
# To generate test certificates, run the script
#
# ../scripts/certs.sh
#
# The documents on http://www.freeradius.org/doc
# are old, but may be helpful.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
#
# NOTE(review): private_key_password below is the literal string
# "whatever", which appears to be the stock FreeRADIUS example
# passphrase for the bootstrap certificates.  If the key inside
# radiusd.pem is ever replaced by one protected with a real
# passphrase, this value has to come from configuration rather
# than stay hard-coded in the template.
#
# NOTE(review): private_key_file, certificate_file and ca_file all
# point at the same radiusd.pem.  With a self-signed server
# certificate that makes the server certificate the only trusted
# issuer for client certificates; confirm that is intended before
# relying on it, and point ca_file at a separate CA bundle if an
# actual client-certificate PKI is in use.
}
tls-config tls-common \{
private_key_password = whatever
private_key_file = $\{raddbdir\}/certs/radiusd.pem
certificate_file = $\{raddbdir\}/certs/radiusd.pem
ca_file = $\{raddbdir\}/certs/radiusd.pem
dh_file = $\{raddbdir\}/certs/dh
random_file = $\{raddbdir\}/certs/random
{
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# The "#fragment_size" text after the closing brace is emitted
# into the generated file as a commented-out directive, so the
# server default applies unless it is uncommented here.
#
} #fragment_size = 1024
{
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
} #include_length = yes
{
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) Add 'CA_path=<CA certs&CRLs directory>'
# to radiusd.conf's tls section.
# 4) uncomment the line below.
# 5) Restart radiusd
#
# NOTE(review): as generated, check_crl stays commented out, so a
# revoked client certificate is still accepted as long as it
# chains to ca_file.  Enabling it only helps once a real CA with a
# published CRL is configured (see the ca_file note above).
} #check_crl = yes
{
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# The %\{User-Name\} escape below is emitted as %{User-Name}
# in the generated file.
#
} #check_cert_cn = %\{User-Name\}
{
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
#
# NOTE(review): "DEFAULT" leaves the suite selection, and the
# minimum TLS version, entirely to the linked OpenSSL.  If the
# installed FreeRADIUS supports tls_min_version, consider setting
# it explicitly here; confirm the server version before adding it.
} cipher_list = "DEFAULT"
{
#
#
# Elliptical cryptography configuration
#
# Only for OpenSSL >= 0.9.8.f
#
} ecdh_curve = "prime256v1"
{
#
# Session resumption / fast reauthentication
# cache.
#
# The cache contains the following information:
#
# session Id - unique identifier, managed by SSL
# User-Name - from the Access-Accept
# Stripped-User-Name - from the Access-Request
# Cached-Session-Policy - from the Access-Accept
#
# The "Cached-Session-Policy" is the name of a
# policy which should be applied to the cached
# session. This policy can be used to assign
# VLANs, IP addresses, etc. It serves as a useful
# way to re-apply the policy from the original
# Access-Accept to the subsequent Access-Accept
# for the cached session.
#
# On session resumption, these attributes are
# copied from the cache, and placed into the
# reply list.
#
# You probably also want "use_tunneled_reply = yes"
# when using fast session resumption.
#
# lifetime is in hours (see the inline comment on that line).
# NOTE(review): a resumed session presumably skips the full
# certificate exchange, so a client whose certificate is revoked
# or replaced may keep authenticating until its cache entry
# expires; keep lifetime in line with how quickly revocations
# must take effect.
#
} cache \{
enable = yes
lifetime = 24 # hours
max_entries = 255
\}
{
#
# As of version 2.1.10, client certificates can be
# validated via an external command. This allows
# dynamic CRLs or OCSP to be used.
#
# This configuration is commented out in the
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
# NOTE(review): no external-verification sub-section follows this
# comment in the template, so "the correct paths below" refers to
# settings that are not present here.  Anyone enabling external
# validation must add the sub-section itself, not just uncomment
# lines.
#
}
\}