
mods enabled eap

  1. # -*- text -*-
  2. ##
  3. ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
  4. ##
  5. ##      $Id: f67cbdbff9b6560cec9f68da1adb82b59723d2ef $
  6.  
  7. #######################################################################
  8. #
  9. #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
  10. #  is smart enough to figure this out on its own.  The most
  11. #  common side effect of setting 'Auth-Type := EAP' is that the
  12. #  users then cannot use ANY other authentication method.
  13. #
  14. eap {
  15.         #  Invoke the default supported EAP type when
  16.         #  EAP-Identity response is received.
  17.         #
  18.         #  The incoming EAP messages DO NOT specify which EAP
  19.         #  type they will be using, so it MUST be set here.
  20.         #
  21.         #  For now, only one default EAP type may be used at a time.
  22.         #
  23.         #  If the EAP-Type attribute is set by another module,
  24.         #  then that EAP type takes precedence over the
  25.         #  default type configured here.
  26.         #
              #  NOTE(review): "md5" selects EAP-MD5, which the md5 section
              #  below describes as insecure for wireless use (no dynamic
              #  keys).  It is offered to every client whose request does
              #  not get an EAP-Type from another module.
  27.         default_eap_type = md5
  28.  
  29.         #  A list is maintained to correlate EAP-Response
  30.         #  packets with EAP-Request packets.  After a
  31.         #  configurable length of time, entries in the list
  32.         #  expire, and are deleted.
  33.         #
              #  The unit is not stated here -- presumably seconds; confirm
              #  against the rlm_eap documentation before changing it.
  34.         timer_expire     = 60
  35.  
  36.         #  There are many EAP types, but the server has support
  37.         #  for only a limited subset.  If the server receives
  38.         #  a request for an EAP type it does not support, then
  39.         #  it normally rejects the request.  By setting this
  40.         #  configuration to "yes", you can tell the server to
  41.         #  instead keep processing the request.  Another module
  42.         #  MUST then be configured to proxy the request to
  43.         #  another RADIUS server which supports that EAP type.
  44.         #
  45.         #  If another module is NOT configured to handle the
  46.         #  request, then the request will still end up being
  47.         #  rejected.
              #
              #  "no" keeps the normal behaviour described above: a request
              #  for an unsupported EAP type is rejected here.
  48.         ignore_unknown_eap_types = no
  49.  
  50.         # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
  51.         # a User-Name attribute in an Access-Accept, it copies one
  52.         # more byte than it should.
  53.         #
  54.         # We can work around it by configurably adding an extra
  55.         # zero byte.
  56.         cisco_accounting_username_bug = no
  57.  
  58.         #
  59.         #  Help prevent DoS attacks by limiting the number of
  60.         #  sessions that the server is tracking.  For simplicity,
  61.         #  this is taken from the "max_requests" directive in
  62.         #  radiusd.conf.
  63.         max_sessions = ${max_requests}
  64.  
  65.         # Supported EAP-types
  66.  
  67.         #
  68.         #  We do NOT recommend using EAP-MD5 authentication
  69.         #  for wireless connections.  It is insecure, and does
  70.         #  not provide for dynamic WEP keys.
  71.         #
  72.         md5 {
                      #  Empty on purpose: EAP-MD5 takes no options here.
                      #  Listing the section is what offers the type; see
                      #  the warning above before keeping it enabled.
  73.         }
  74.  
  75.         #
  76.         # EAP-pwd -- secure password-based authentication
  77.         #
  78. #       pwd {
  79. #               group = 19
  80.  
  81.                 #
  82. #               server_id = theserver@example.com
  83.  
  84.                 #  This has the same meaning as for TLS.
  85. #               fragment_size = 1020
  86.  
  87.                 # The virtual server which determines the
  88.                 # "known good" password for the user.
  89.                 # Note that unlike TLS, only the "authorize"
  90.                 # section is processed.  EAP-PWD requests can be
  91.                 # distinguished by having a User-Name, but
  92.                 # no User-Password, CHAP-Password, EAP-Message, etc.
  93. #               virtual_server = "inner-tunnel"
  94. #       }
  95.  
  96.         # Cisco LEAP
  97.         #
  98.         #  We do not recommend using LEAP in new deployments.  See:
  99.         #  http://www.securiteam.com/tools/5TP012ACKE.html
  100.         #
  101.         #  Cisco LEAP uses the MS-CHAP algorithm (but not
  102.         #  the MS-CHAP attributes) to perform its authentication.
  103.         #
  104.         #  As a result, LEAP *requires* access to the plain-text
  105.         #  User-Password, or the NT-Password attributes.
  106.         #  'System' authentication is impossible with LEAP.
  107.         #
  108.         leap {
                       #  Empty on purpose: LEAP takes no options here.
                       #  Its presence offers LEAP to clients, with the
                       #  cleartext/NT-Password requirement noted above.
  109.         }
  110.  
  111.         #  Generic Token Card.
  112.         #
  113.         #  Currently, this is only permitted inside of EAP-TTLS,
  114.         #  or EAP-PEAP.  The module "challenges" the user with
  115.         #  text, and the response from the user is taken to be
  116.         #  the User-Password.
  117.         #
  118.         #  Proxying the tunneled EAP-GTC session is a bad idea,
  119.         #  the user's password will go over the wire in plain-text,
  120.         #  for anyone to see.
  121.         #
  122.         gtc {
  123.                 #  The default challenge, which many clients
  124.                 #  ignore..
  125.                 #challenge = "Password: "
  126.  
  127.                 #  The plain-text response which comes back
  128.                 #  is put into a User-Password attribute,
  129.                 #  and passed to another module for
  130.                 #  authentication.  This allows the EAP-GTC
  131.                 #  response to be checked against plain-text,
  132.                 #  or crypt'd passwords.
  133.                 #
  134.                 #  If you say "Local" instead of "PAP", then
  135.                 #  the module will look for a User-Password
  136.                 #  configured for the request, and do the
  137.                 #  authentication itself.
  138.                 #
                       #  "PAP": the recovered User-Password is handed to
                       #  the server's PAP authentication rather than
                       #  being compared by this module ("Local").
  139.                 auth_type = PAP
  140.         }
  141.  
  142.         ## Common TLS configuration for TLS-based EAP types
  143.         #
  144.         #  See raddb/certs/README for additional comments
  145.         #  on certificates.
  146.         #
  147.         #  If OpenSSL was not found at the time the server was
  148.         #  built, the "tls", "ttls", and "peap" sections will
  149.         #  be ignored.
  150.         #
  151.         #  If you do not currently have certificates signed by
  152.         #  a trusted CA you may use the 'snakeoil' certificates.
  153.         #  Included with the server in raddb/certs.
  154.         #
  155.         #  If these certificates have not been auto-generated:
  156.         #    cd raddb/certs
  157.         #    make
  158.         #
  159.         #  These test certificates SHOULD NOT be used in a normal
  160.         #  deployment.  They are created only to make it easier
  161.         #  to install the server, and to perform some simple
  162.         #  tests with EAP-TLS, TTLS, or PEAP.
  163.         #
  164.         #  See also:
  165.         #
  166.         #  http://www.dslreports.com/forum/remark,9286052~mode=flat
  167.         #
  168.         #  Note that you should NOT use a globally known CA here!
  169.         #  e.g. using a Verisign cert as a "known CA" means that
  170.         #  ANYONE who has a certificate signed by them can
  171.         #  authenticate via EAP-TLS!  This is likely not what you want.
  172.         tls-config tls-common {
                       #  tls-common: the TLS parameters shared by the
                       #  "tls" and "ttls" sections below, which refer to
                       #  it with "tls = tls-common".
                       #
                       #  Passphrase for private_key_file.  "whatever" is the
                       #  stock placeholder; a real passphrase placed here
                       #  sits in cleartext in this file, so the file's
                       #  permissions matter as much as the key file's.
  173.                 private_key_password = whatever
                       #  NOTE(review): still the Debian "snakeoil" test key
                       #  (and certificate below); the header above says
                       #  these SHOULD NOT be used in a normal deployment.
  174.                 private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
  175.  
  176.                 #  If Private key & Certificate are located in
  177.                 #  the same file, then private_key_file &
  178.                 #  certificate_file must contain the same file
  179.                 #  name.
  180.                 #
  181.                 #  If ca_file (below) is not used, then the
  182.                 #  certificate_file below MUST include not
  183.                 #  only the server certificate, but ALSO all
  184.                 #  of the CA certificates used to sign the
  185.                 #  server certificate.
  186.                 certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
  187.  
  188.                 #  Trusted Root CA list
  189.                 #
  190.                 #  ALL of the CA's in this list will be trusted
  191.                 #  to issue client certificates for authentication.
  192.                 #
  193.                 #  In general, you should use self-signed
  194.                 #  certificates for 802.1x (EAP) authentication.
  195.                 #  In that case, this CA file should contain
  196.                 #  *one* CA certificate.
  197.                 #
  198.                 ca_file = /etc/freeradius/3.0/certs/ca.pem
                       #  Changed by TKLASSEN from the system bundle named
                       #  below.  That bundle would have made every public
                       #  CA a valid issuer of EAP-TLS client certificates
                       #  (the "globally known CA" warning above).
  199.                 # previous value: /etc/ssl/certs/ca-certificates.crt
  200.  
  201.                 #  OpenSSL will automatically create certificate chains,
  202.                 #  unless we tell it to not do that.  The problem is that
  203.                 #  it sometimes gets the chains right from a certificate
  204.                 #  signature view, but wrong from the clients view.
  205.                 #
  206.                 #  When setting "auto_chain = no", the server certificate
  207.                 #  file MUST include the full certificate chain.
  208.                 auto_chain = yes
  209.  
  210.                 #
  211.                 #  If OpenSSL supports TLS-PSK, then we can use
  212.                 #  a PSK identity and (hex) password.  When the
  213.                 #  following two configuration items are specified,
  214.                 #  then certificate-based configuration items are
  215.                 #  not allowed.  e.g.:
  216.                 #
  217.                 #       private_key_password
  218.                 #       private_key_file
  219.                 #       certificate_file
  220.                 #       ca_file
  221.                 #       ca_path
  222.                 #
  223.                 #  For now, the identity is fixed, and must be the
  224.                 #  same on the client.  The passphrase must be a hex
  225.                 #  value, and can be up to 256 hex digits.
  226.                 #
  227.                 #  Future versions of the server may be able to
  228.                 #  look up the shared key (hexphrase) based on the
  229.                 #  identity.
  230.                 #
  231.         #       psk_identity = "test"
  232.         #       psk_hexphrase = "036363823"
  233.  
  234.                 #
  235.                 #  For DH cipher suites to work, you have to
  236.                 #  run OpenSSL to create the DH file first:
  237.                 #
  238.                 #       openssl dhparam -out certs/dh 2048
  239.                 #
  240.                 dh_file = ${certdir}/dh
  241.  
  242.                 #
  243.                 #  If your system doesn't have /dev/urandom,
  244.                 #  you will need to create this file, and
  245.                 #  periodically change its contents.
  246.                 #
  247.                 #  For security reasons, FreeRADIUS doesn't
  248.                 #  write to files in its configuration
  249.                 #  directory.
  250.                 #
  251.         #       random_file = /dev/urandom
  252.  
  253.                 #
  254.                 #  This can never exceed the size of a RADIUS
  255.                 #  packet (4096 bytes), and is preferably half
  256.                 #  that, to accommodate other attributes in
  257.                 #  RADIUS packet.  On most APs the MAX packet
  258.                 #  length is configured between 1500 - 1600
  259.                 #  In these cases, fragment size should be
  260.                 #  1024 or less.
  261.                 #
  262.         #       fragment_size = 1024
  263.  
  264.                 #  include_length is a flag which is
  265.                 #  by default set to yes.  If set to
  266.                 #  yes, Total Length of the message is
  267.                 #  included in EVERY packet we send.
  268.                 #  If set to no, Total Length of the
  269.                 #  message is included ONLY in the
  270.                 #  First packet of a fragment series.
  271.                 #
  272.         #       include_length = yes
  273.  
  274.  
  275.                 #  Check the Certificate Revocation List
  276.                 #
  277.                 #  1) Copy CA certificates and CRLs to same directory.
  278.                 #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
  279.                 #    'c_rehash' is OpenSSL's command.
  280.                 #  3) uncomment the lines below.
  281.                 #  4) Restart radiusd
                       #
                       #  NOTE(review): check_crl is commented out and the
                       #  ocsp section below has "enable = no", so no
                       #  revocation check of any kind is applied to client
                       #  certificates in this configuration.
  282.         #       check_crl = yes
  283.  
  284.                 # Check if intermediate CAs have been revoked.
  285.         #       check_all_crl = yes
  286.  
  287.                 ca_path = ${cadir}
  288.  
  289.                 # Accept an expired Certificate Revocation List
  290.                 #
  291. #               allow_expired_crl = no
  292.  
  293.                 #
  294.                 #  If check_cert_issuer is set, the value will
  295.                 #  be checked against the DN of the issuer in
  296.                 #  the client certificate.  If the values do not
  297.                 #  match, the certificate verification will fail,
  298.                 #  rejecting the user.
  299.                 #
  300.                 #  This check can be done more generally by checking
  301.                 #  the value of the TLS-Client-Cert-Issuer attribute.
  302.                 #  This check can be done via any mechanism you
  303.                 #  choose.
  304.                 #
  305.         #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
  306.  
  307.                 #
  308.                 #  If check_cert_cn is set, the value will
  309.                 #  be xlat'ed and checked against the CN
  310.                 #  in the client certificate.  If the values
  311.                 #  do not match, the certificate verification
  312.                 #  will fail rejecting the user.
  313.                 #
  314.                 #  This check is done only if the previous
  315.                 #  "check_cert_issuer" is not set, or if
  316.                 #  the check succeeds.
  317.                 #
  318.                 #  In 2.1.10 and later, this check can be done
  319.                 #  more generally by checking the value of the
  320.                 #  TLS-Client-Cert-CN attribute.  This check
  321.                 #  can be done via any mechanism you choose.
  322.                 #
  323.         #       check_cert_cn = %{User-Name}
  324.                 #
  325.                 # Set this option to specify the allowed
  326.                 # TLS cipher suites.  The format is listed
  327.                 # in "man 1 ciphers".
  328.                 #
  329.                 # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
  330.                 #
  331.                 cipher_list = "DEFAULT"
  332.  
  333.                 # If enabled, OpenSSL will use server cipher list
  334.                 # (possibly defined by cipher_list option above)
  335.                 # for choosing right cipher suite rather than
  336.                 # using client-specified list which is OpenSSL default
  337.                 # behavior. Having it set to yes is a current best practice
  338.                 # for TLS
                       #
                       # NOTE(review): left at "no" although the note above
                       # calls "yes" the current best practice; as configured
                       # the client's preference order decides the suite.
  339.                 cipher_server_preference = no
  340.  
  341.                 #
  342.                 #  You can selectively disable TLS versions for
  343.                 #  compatibility with old client devices.
  344.                 #
  345.                 #  If your system has OpenSSL 1.1.0 or greater, do NOT
  346.                 #  use these.  Instead, set tls_min_version and
  347.                 #  tls_max_version.
  348.                 #
  349. #               disable_tlsv1_2 = no
  350. #               disable_tlsv1_1 = no
  351. #               disable_tlsv1 = no
  352.  
  353.                 #
  354.                 #  Set min / max TLS version.  Mainly for Debian
  355.                 #  "trusty", which disables older versions of TLS, and
  356.                 #  requires the application to manually enable them.
  357.                 #
  358.                 #  If you are running Debian trusty, you should set
  359.                 #  these options, otherwise older clients will not be
  360.                 #  able to connect.
  361.                 #
  362.                 #  Allowed values are "1.0", "1.1", and "1.2".
  363.                 #
  364.                 #  The values must be in quotes.
                       #
                       #  NOTE(review): neither the disable_* items nor
                       #  tls_min/max_version are set, so the negotiable
                       #  protocol range is whatever this OpenSSL build
                       #  allows by default -- confirm that matches policy
                       #  (e.g. whether 1.0/1.1 are meant to be accepted).
  365.                 #
  366. #               tls_min_version = "1.0"
  367. #               tls_max_version = "1.2"
  368.  
  369.  
  370.                 #
  371.                 #  Elliptic curve cryptography configuration
  372.                 #
  373.                 #  Only for OpenSSL >= 0.9.8.f
  374.                 #
  375.                 ecdh_curve = "prime256v1"
  376.  
  377.                 #
  378.                 #  Session resumption / fast reauthentication
  379.                 #  cache.
  380.                 #
  381.                 #  The cache contains the following information:
  382.                 #
  383.                 #  session Id - unique identifier, managed by SSL
  384.                 #  User-Name  - from the Access-Accept
  385.                 #  Stripped-User-Name - from the Access-Request
  386.                 #  Cached-Session-Policy - from the Access-Accept
  387.                 #
  388.                 #  The "Cached-Session-Policy" is the name of a
  389.                 #  policy which should be applied to the cached
  390.                 #  session.  This policy can be used to assign
  391.                 #  VLANs, IP addresses, etc.  It serves as a useful
  392.                 #  way to re-apply the policy from the original
  393.                 #  Access-Accept to the subsequent Access-Accept
  394.                 #  for the cached session.
  395.                 #
  396.                 #  On session resumption, these attributes are
  397.                 #  copied from the cache, and placed into the
  398.                 #  reply list.
  399.                 #
  400.                 #  You probably also want "use_tunneled_reply = yes"
  401.                 #  when using fast session resumption.
  402.                 #
  403.                 cache {
  404.                         #
  405.                         #  Enable it.  The default is "no". Deleting the entire "cache"
  406.                         #  subsection also disables caching.
  407.                         #
  408.                         #  As of version 3.0.14, the session cache requires the use
  409.                         #  of the "name" and "persist_dir" configuration items, below.
  410.                         #
  411.                         #  The internal OpenSSL session cache has been permanently
  412.                         #  disabled.
  413.                         #
  414.                         #  You can disallow resumption for a particular user by adding the
  415.                         #  following attribute to the control item list:
  416.                         #
  417.                         #    Allow-Session-Resumption = No
  418.                         #
  419.                         #  If "enable = no" below, you CANNOT enable resumption for just one
  420.                         #  user by setting the above attribute to "yes".
  421.                         #
                               #  Disabled: every EAP-TLS/TTLS session does a
                               #  full handshake, and nothing is written to
                               #  persist_dir.
  422.                         enable = no
  423.  
  424.                         #
  425.                         #  Lifetime of the cached entries, in hours. The sessions will be
  426.                         #  deleted/invalidated after this time.
  427.                         #
  428.                         lifetime = 24 # hours
  429.  
  430.                         #
  431.                         #  Internal "name" of the session cache. Used to
  432.                         #  distinguish which TLS context sessions belong to.
  433.                         #
  434.                         #  The server will generate a random value if unset.
  435.                         #  This will change across server restart so you MUST
  436.                         #  set the "name" if you want to persist sessions (see
  437.                         #  below).
  438.                         #
  439.                         #name = "EAP module"
  440.  
  441.                         #
  442.                         #  Simple directory-based storage of sessions.
  443.                         #  Two files per session will be written, the SSL
  444.                         #  state and the cached VPs. This will persist session
  445.                         #  across server restarts.
  446.                         #
  447.                         #  The default directory is ${logdir}, for historical
  448.                         #  reasons.  You should use ${db_dir} instead.  And check
  449.                         #  the value of db_dir in the main radiusd.conf file.
  450.                         #  It should not point to ${raddb}
  451.                         #
  452.                         #  The server will need write perms, and the directory
  453.                         #  should be secured from anyone else. You might want
  454.                         #  a script to remove old files from here periodically:
  455.                         #
  456.                         #    find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
  457.                         #
  458.                         #  This feature REQUIRES "name" option be set above.
  459.                         #
  460.                         #persist_dir = "${logdir}/tlscache"
  461.                 }
  462.  
  463.                 #
  464.                 #  As of version 2.1.10, client certificates can be
  465.                 #  validated via an external command.  This allows
  466.                 #  dynamic CRLs or OCSP to be used.
  467.                 #
  468.                 #  This configuration is commented out in the
  469.                 #  default configuration.  Uncomment it, and configure
  470.                 #  the correct paths below to enable it.
  471.                 #
  472.                 #  If OCSP checking is enabled, and the OCSP checks fail,
  473.                 #  the verify section is not run.
  474.                 #
  475.                 #  If OCSP checking is disabled, the verify section is
  476.                 #  run on successful certificate validation.
  477.                 #
                       #  Every item inside is commented out, so the section
                       #  currently performs no external verification.
  478.                 verify {
  479.                         #  If the OCSP checks succeed, the verify section
  480.                         #  is run to allow additional checks.
  481.                         #
  482.                         #  If you want to skip verify on OCSP success,
  483.                         #  uncomment this configuration item, and set it
  484.                         #  to "yes".
  485.         #               skip_if_ocsp_ok = no
  486.  
  487.                         #  A temporary directory where the client
  488.                         #  certificates are stored.  This directory
  489.                         #  MUST be owned by the UID of the server,
  490.                         #  and MUST not be accessible by any other
  491.                         #  users.  When the server starts, it will do
  492.                         #  "chmod go-rwx" on the directory, for
  493.                         #  security reasons.  The directory MUST
  494.                         #  exist when the server starts.
  495.                         #
  496.                         #  You should also delete all of the files
  497.                         #  in the directory when the server starts.
  498.         #               tmpdir = /tmp/radiusd
  499.  
  500.                         #  The command used to verify the client cert.
  501.                         #  We recommend using the OpenSSL command-line
  502.                         #  tool.
  503.                         #
  504.                         #  The ${..ca_path} text is a reference to
  505.                         #  the ca_path variable defined above.
  506.                         #
  507.                         #  The %{TLS-Client-Cert-Filename} is the name
  508.                         #  of the temporary file containing the cert
  509.                         #  in PEM format.  This file is automatically
  510.                         #  deleted by the server when the command
  511.                         #  returns.
  512.         #               client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
  513.                 }
  514.  
  515.                 #
  516.                 #  OCSP Configuration
  517.                 #  Certificates can be verified against an OCSP
  518.                 #  Responder. This makes it possible to immediately
  519.                 #  revoke certificates without the distribution of
  520.                 #  new Certificate Revocation Lists (CRLs).
  521.                 #
  522.                 ocsp {
  523.                         #
  524.                         #  Enable it.  The default is "no".
  525.                         #  Deleting the entire "ocsp" subsection
  526.                         #  also disables ocsp checking
  527.                         #
                               #  Disabled: override_cert_url and url below
                               #  have no effect until this is "yes".
  528.                         enable = no
  529.  
  530.                         #
  531.                         #  The OCSP Responder URL can be automatically
  532.                         #  extracted from the certificate in question.
  533.                         #  To override the OCSP Responder URL set
  534.                         #  "override_cert_url = yes".
  535.                         #
                               #  NOTE(review): "yes" sends every OCSP query to
                               #  the url below (127.0.0.1) instead of the
                               #  responder named in the certificate; only
                               #  correct if a responder for this CA really
                               #  runs there.  Confirm before enabling OCSP.
  536.                         override_cert_url = yes
  537.  
  538.                         #
  539.                         #  If the OCSP Responder address is not extracted from
  540.                         #  the certificate, the URL can be defined here.
  541.                         #
  542.                         url = "http://127.0.0.1/ocsp/"
  543.  
  544.                         #
  545.                         # If the OCSP Responder can not cope with nonce
  546.                         # in the request, then it can be disabled here.
  547.                         #
  548.                         # For security reasons, disabling this option
  549.                         # is not recommended as nonce protects against
  550.                         # replay attacks.
  551.                         #
  552.                         # Note that Microsoft AD Certificate Services OCSP
  553.                         # Responder does not enable nonce by default. It is
  554.                         # more secure to enable nonce on the responder than
  555.                         # to disable it in the query here.
  556.                         # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
  557.                         #
  558.                         # use_nonce = yes
  559.  
  560.                         #
  561.                         # Number of seconds before giving up waiting
  562.                         # for OCSP response. 0 uses system default.
  563.                         #
  564.                         # timeout = 0
  565.  
  566.                         #
  567.                         # Normally an error in querying the OCSP
  568.                         # responder (no response from server, server did
  569.                         # not understand the request, etc) will result in
  570.                         # a validation failure.
  571.                         #
  572.                         # To treat these errors as 'soft' failures and
  573.                         # still accept the certificate, enable this
  574.                         # option.
  575.                         #
  576.                         # Warning: this may enable clients with revoked
  577.                         # certificates to connect if the OCSP responder
  578.                         # is not available. Use with caution.
  579.                         #
  580.                         # softfail = no
  581.                 }
  582.         }
  583.  
  584.         ## EAP-TLS
  585.         #
  586.         #  As of Version 3.0, the TLS configuration for TLS-based
  587.         #  EAP types is above in the "tls-config" section.
  588.         #
  589.         tls {
  590.                 # Point to the common TLS configuration
  591.                 tls = tls-common
  592.  
  593.                 #
  594.                 # As part of checking a client certificate, the EAP-TLS
  595.                 # sets some attributes such as TLS-Client-Cert-CN. This
  596.                 # virtual server has access to these attributes, and can
  597.                 # be used to accept or reject the request.
  598.                 #
                       # NOTE(review): with this commented out, accepting an
                       # EAP-TLS client rests only on the tls-common checks
                       # (ca_file chain, any check_cert_* items); no policy
                       # on the TLS-Client-Cert-* attributes is applied.
  599.         #       virtual_server = check-eap-tls
  600.         }
  601.  
  602.  
  603.         ## EAP-TTLS
  604.         #
  605.         #  The TTLS module implements the EAP-TTLS protocol,
  606.         #  which can be described as EAP inside of Diameter,
  607.         #  inside of TLS, inside of EAP, inside of RADIUS...
  608.         #
  609.         #  Surprisingly, it works quite well.
  610.         #
  611.         ttls {
  612.                 #  Which tls-config section the TLS negotiation parameters
  613.                 #  are in - see EAP-TLS above for an explanation.
  614.                 #
  615.                 #  In the case that an old configuration from FreeRADIUS
  616.                 #  v2.x is being used, all the options of the tls-config
  617.                 #  section may also appear instead in the 'tls' section
  618.                 #  above. If that is done, the tls= option here (and in
  619.                 #  tls above) MUST be commented out.
  620.                 #
  621.                 tls = tls-common
  622.  
  623.                 #  The tunneled EAP session needs a default EAP type
  624.                 #  which is separate from the one for the non-tunneled
  625.                 #  EAP module.  Inside of the TTLS tunnel, we recommend
  626.                 #  using EAP-MD5.  If the request does not contain an
  627.                 #  EAP conversation, then this configuration entry is
  628.                 #  ignored.
  629.                 #
  630.                 default_eap_type = md5
  631.  
  632.                 #  The tunneled authentication request does not usually
  633.                 #  contain useful attributes like 'Calling-Station-Id',
  634.                 #  etc.  These attributes are outside of the tunnel,
  635.                 #  and normally unavailable to the tunneled
  636.                 #  authentication request.
  637.                 #
  638.                 #  By setting this configuration entry to 'yes',
  639.                 #  any attribute which is NOT in the tunneled
  640.                 #  authentication request, but which IS available
  641.                 #  outside of the tunnel, is copied to the tunneled
  642.                 #  request.
                       #
                       #  Attributes copied this way were supplied by the NAS
                       #  and travelled outside the TLS tunnel.  Policy in the
                       #  inner virtual server should treat them as NAS-asserted
                       #  values, not as something the client has proven.
  643.                 #
  644.                 #  allowed values: {no, yes}
  645.                 #
  646.                 copy_request_to_tunnel = no
  647.  
  648.                 #
  649.                 #  As of version 3.0.5, the 'use_tunneled_reply' item
  650.                 #  below is deprecated.  Instead, you should use
  651.                 #
  652.                 #       update outer.session-state {
  653.                 #               ...
  654.                 #
  655.                 #       }
  656.                 #
  657.                 #  This will cache attributes for the final Access-Accept.
  658.                 #
  659.                 #  The reply attributes sent to the NAS are usually
  660.                 #  based on the name of the user 'outside' of the
  661.                 #  tunnel (usually 'anonymous').  If you want to send
  662.                 #  the reply attributes based on the user name inside
  663.                 #  of the tunnel, then set this configuration entry to
  664.                 #  'yes', and the reply to the NAS will be taken from
  665.                 #  the reply to the tunneled request.
  666.                 #
  667.                 #  allowed values: {no, yes}
  668.                 #
  669.                 use_tunneled_reply = no
  670.  
  671.                 #
  672.                 #  The inner tunneled request can be sent
  673.                 #  through a virtual server constructed
  674.                 #  specifically for this purpose.
  675.                 #
  676.                 #  If this entry is commented out, the inner
  677.                 #  tunneled request will be sent through
  678.                 #  the virtual server that processed the
  679.                 #  outer requests.
  680.                 #
  681.                 virtual_server = "inner-tunnel"
  682.  
  683.                 #  This has the same meaning as, and overrides, the
  684.                 #  same field in the "tls" configuration above.
  685.                 #  The default value here is "yes".
  686.                 #
  687.         #       include_length = yes
  688.  
  689.                 #
  690.                 # Unlike EAP-TLS, EAP-TTLS does not require a client
  691.                 # certificate. However, you can require one by setting the
  692.                 # following option. You can also override this option by
  693.                 # setting
  694.                 #
  695.                 #       EAP-TLS-Require-Client-Cert = Yes
  696.                 #
  697.                 # in the control items for a request.
  698.                 #
  699.                 # Note that the majority of supplicants do not support using a
  700.                 # client certificate with EAP-TTLS, so this option is unlikely
  701.                 # to be usable for most people.
  702.                 #
  703.         #       require_client_cert = yes
  704.         }
  705.  
  706.  
  707.         ## EAP-PEAP
  708.         #
  709.  
  710.         ##################################################
  711.         #
  712.         #  !!!!! WARNINGS for Windows compatibility  !!!!!
  713.         #
  714.         ##################################################
  715.         #
  716.         #  If you see the server send an Access-Challenge,
  717.         #  and the client never sends another Access-Request,
  718.         #  then
  719.         #
  720.         #               STOP!
  721.         #
  722.         #  The server certificate has to have special OID's
  723.         #  in it, or else the Microsoft clients will silently
  724.         #  fail.  See the "scripts/xpextensions" file for
  725.         #  details, and the following page:
  726.         #
  727.         #       http://support.microsoft.com/kb/814394/en-us
  728.         #
  729.         #  For additional Windows XP SP2 issues, see:
  730.         #
  731.         #       http://support.microsoft.com/kb/885453/en-us
  732.         #
  733.         #
  734.         #  If it still doesn't work, and you're using Samba,
  735.         #  you may be encountering a Samba bug.  See:
  736.         #
  737.         #       https://bugzilla.samba.org/show_bug.cgi?id=6563
  738.         #
  739.         #  Note that we do not necessarily agree with their
  740.         #  explanation... but the fix does appear to work.
  741.         #
  742.         ##################################################
  743.  
  744.         #
  745.         #  The tunneled EAP session needs a default EAP type
  746.         #  which is separate from the one for the non-tunneled
  747.         #  EAP module.  Inside of the TLS/PEAP tunnel, we
  748.         #  recommend using EAP-MS-CHAPv2.
  749.         #
  750.         peap {
  751.                 #  Which tls-config section the TLS negotiation parameters
  752.                 #  are in - see EAP-TLS above for an explanation.
  753.                 #
  754.                 #  In the case that an old configuration from FreeRADIUS
  755.                 #  v2.x is being used, all the options of the tls-config
  756.                 #  section may also appear instead in the 'tls' section
  757.                 #  above. If that is done, the tls= option here (and in
  758.                 #  tls above) MUST be commented out.
  759.                 #
  760.                 tls = tls-common
  761.  
  762.                 #  The tunneled EAP session needs a default
  763.                 #  EAP type which is separate from the one for
  764.                 #  the non-tunneled EAP module.  Inside of the
  765.                 #  PEAP tunnel, we recommend using MS-CHAPv2,
  766.                 #  as that is the default type supported by
  767.                 #  Windows clients.
                       #
                       #  MS-CHAPv2 is run only inside the PEAP TLS tunnel
                       #  and relies on it for protection.  Clients must
                       #  validate the server certificate (see the Windows
                       #  warnings above) rather than accept any certificate,
                       #  or the inner exchange is exposed to whoever
                       #  terminates the tunnel.
  768.                 #
  769.                 default_eap_type = mschapv2
  770.  
  771.                 #  The PEAP module also has these configuration
  772.                 #  items, which are the same as for TTLS.
  773.                 #
  774.                 copy_request_to_tunnel = no
  775.  
  776.                 #
  777.                 #  As of version 3.0.5, the 'use_tunneled_reply' item
  778.                 #  below is deprecated.  Instead, you should use
  779.                 #
  780.                 #       update outer.session-state {
  781.                 #               ...
  782.                 #
  783.                 #       }
  784.                 #
  785.                 #  This will cache attributes for the final Access-Accept.
  786.                 #
  787.                 use_tunneled_reply = no
  788.  
  789.                 #  When the tunneled session is proxied, the
  790.                 #  home server may not understand EAP-MSCHAP-V2.
  791.                 #  Set this entry to "no" to proxy the tunneled
  792.                 #  EAP-MSCHAP-V2 as normal MSCHAPv2.
                       #
                       #  In either case the inner authentication leaves the
                       #  TLS tunnel at this server and is forwarded to the
                       #  home server as ordinary RADIUS, so that proxy path
                       #  must be trusted as much as the tunnel itself.
  793.                 #
  794.         #       proxy_tunneled_request_as_eap = yes
  795.  
  796.                 #
  797.                 #  The inner tunneled request can be sent
  798.                 #  through a virtual server constructed
  799.                 #  specifically for this purpose.
  800.                 #
  801.                 #  If this entry is commented out, the inner
  802.                 #  tunneled request will be sent through
  803.                 #  the virtual server that processed the
  804.                 #  outer requests.
  805.                 #
  806.                 virtual_server = "inner-tunnel"
  807.  
  808.                 # This option enables support for MS-SoH
  809.                 # see doc/SoH.txt for more info.
  810.                 # It is disabled by default.
  811.                 #
  812.         #       soh = yes
  813.  
  814.                 #
  815.                 # The SoH reply will be turned into a request which
  816.                 # can be sent to a specific virtual server:
  817.                 #
  818.         #       soh_virtual_server = "soh-server"
  819.  
  820.                 #
  821.                 # Unlike EAP-TLS, PEAP does not require a client certificate.
  822.                 # However, you can require one by setting the following
  823.                 # option. You can also override this option by setting
  824.                 #
  825.                 #       EAP-TLS-Require-Client-Cert = Yes
  826.                 #
  827.                 # in the control items for a request.
  828.                 #
  829.                 # Note that the majority of supplicants do not support using a
  830.                 # client certificate with PEAP, so this option is unlikely to
  831.                 # be usable for most people.
  832.                 #
  833.         #       require_client_cert = yes
  834.         }
  835.  
  836.         #
  837.         #  This takes no configuration.
  838.         #
  839.         #  Note that it is the EAP MS-CHAPv2 sub-module, not
  840.         #  the main 'mschap' module.
  841.         #
  842.         #  Note also that in order for this sub-module to work,
  843.         #  the main 'mschap' module MUST ALSO be configured.
  844.         #
  845.         #  This module is the *Microsoft* implementation of MS-CHAPv2
  846.         #  in EAP.  There is another (incompatible) implementation
  847.         #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
  848.         #  currently support.
  849.         #
  850.         mschapv2 {
  851.                 #  Prior to version 2.1.11, the module never
  852.                 #  sent the MS-CHAP-Error message to the
  853.                 #  client.  This worked, but it had issues
  854.                 #  when the cached password was wrong.  The
  855.                 #  server *should* send "E=691 R=0" to the
  856.                 #  client, which tells it to prompt the user
  857.                 #  for a new password.
  858.                 #
  859.                 #  The default is to behave as in 2.1.10 and
  860.                 #  earlier, which is known to work.  If you
  861.                 #  set "send_error = yes", then the error
  862.                 #  message will be sent back to the client.
  863.                 #  This *may* help some clients work better,
  864.                 #  but *may* also cause other clients to stop
  865.                 #  working.
  866.                 #
  867. #               send_error = no
  868.  
  869.                 #  Server identifier to send back in the challenge.
  870.                 #  This should generally be the host name of the
  871.                 #  RADIUS server, or some other value that uniquely
  872.                 #  identifies it.
  873. #               identity = "FreeRADIUS"
  874.         }
  875.  
  876.         ## EAP-FAST
  877.         #
  878.         #  The FAST module implements the EAP-FAST protocol
  879.         #
  880. #       fast {
  881.                 # Point to the common TLS configuration
  882.                 #
  883. #               tls = tls-common
  884.  
  885.                 #
  886.                 #  If 'cipher_list' is set here, it will override the
  887.                 #  'cipher_list' configuration from the 'tls-common'
  888.                 #  configuration.  The EAP-FAST module has its own
  889.                 #  override for 'cipher_list' because the
  890.                 #  specifications mandate a different set of ciphers
  891.                 #  than are used by the other EAP methods.
  892.                 #
  893.                 #  cipher_list must include "ADH" for anonymous provisioning.
  894.                 #  This is not as straightforward as appending "ADH" alongside
  895.                 #  "DEFAULT", because "DEFAULT" contains "!aNULL"; instead it is
  896.                 #  recommended that "ALL:!EXPORT:!eNULL:!SSLv2" is used.
  897.                 #
  898.                 #  Note - for OpenSSL 1.1.0 and above you may need
  899.                 #  to add ":@SECLEVEL=0"
                       #
                       #  Be aware of what this permits: "ADH" admits anonymous
                       #  (unauthenticated) Diffie-Hellman suites, and
                       #  "@SECLEVEL=0" lowers OpenSSL's security level to 0,
                       #  i.e. removes its minimum-strength checks for this
                       #  list.  Widen the list this far only if anonymous
                       #  provisioning is actually required, and keep the
                       #  setting confined to the EAP-FAST module rather than
                       #  putting it in 'tls-common'.
  900.                 #
  901. #               cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
  902.  
  903.                 # PAC lifetime in seconds (default: seven days)
  904.                 #
  905. #               pac_lifetime = 604800
  906.  
  907.                 # Authority ID of the server
  908.                 #
  909.                 # If you are running a cluster of RADIUS servers, you should make
  910.                 # the value chosen here (and for "pac_opaque_key") the same on all
  911.                 # your RADIUS servers.  This value should be unique to your
  912.                 # installation.  We suggest using a domain name.  The example
                       # value below is a placeholder, not a usable identity.
  913.                 #
  914. #               authority_identity = "1234"
  915.  
  916.                 # PAC Opaque encryption key (must be exactly 32 bytes in size)
  917.                 #
  918.                 # This value MUST be secret, and MUST be generated using
  919.                 # a secure method, such as via 'openssl rand -hex 32'
                       #
                       # The example value below is a well-known placeholder and
                       # MUST be replaced before EAP-FAST is enabled.  Note also
                       # that 'openssl rand -hex 32' prints 64 hex characters,
                       # while the example is a 32-character string; check which
                       # length the installed module accepts before generating
                       # the key.
  920.                 #
  921. #               pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
  922.  
  923.                 # Same as for TTLS, PEAP, etc.
  924.                 #
  925. #               virtual_server = inner-tunnel
  926. #       }
  927. }
