File: inner-eap

# -*- text -*-
#
#  $Id: 2b4df6267d26dc58bbb273656480d55a0e60e8bf $

#
#  Sample configuration for an EAP module that occurs *inside*
#  of a tunneled method.  It is used to limit the EAP types that
#  can occur inside of the inner tunnel.
#
#  See also raddb/sites-available/inner-tunnel
#
#  See raddb/mods-available/eap for full documentation on the meaning of these
#  configuration entries.
#
eap inner-eap {
	#  Inner EAP instance: the types enabled below are the only ones
	#  offered inside the tunnel (see the header comment).  Everything
	#  in this instance is protected only by the OUTER TLS tunnel, so
	#  the outer "eap" configuration's certificate and verification
	#  settings are what actually protect the inner credentials.

	# This is the best choice for PEAP.
	default_eap_type = mschapv2

	#  Session timeout; see mods-available/eap for the exact meaning
	#  (presumably seconds -- confirm there).
	timer_expire     = 60

	#  This should be the same as the outer eap "max sessions"
	#  Bounds the number of in-progress inner EAP sessions kept in
	#  memory, so unfinished handshakes cannot grow without limit.
	max_sessions = 2048

	# Supported EAP-types
	#  EAP-MD5 offers no mutual authentication; inside the tunnel it
	#  relies entirely on the outer TLS for protection.  Remove this
	#  section if no client actually needs it.
	md5 {
	}

	gtc {
		#  The default challenge, which many clients
		#  ignore..
		#challenge = "Password: "

		#  With auth_type = PAP the inner password is handed to the
		#  PAP module as-is; it is protected only by the outer tunnel.
		auth_type = PAP
	}

	mschapv2 {
		# See eap for documentation
#		send_error = no
	}

	# No TTLS or PEAP configuration should be listed here.

	## EAP-TLS
	#
	#  You SHOULD use different certificates than are used
	#  for the outer EAP configuration!
	#
	#  Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
	#  It might work, or it might not.
	#
	#  NOTE(review): RFC 5176 is "Dynamic Authorization Extensions
	#  to RADIUS" (CoA/Disconnect); the inner-TLS reference above is
	#  probably EAP-TTLS (RFC 5281) -- confirm against the upstream
	#  eap documentation.
	#
	tls {
		#  "whatever" is a placeholder.  Either set the real
		#  passphrase here (and keep this file unreadable to
		#  other users, since it then holds a secret) or remove
		#  the line if the key is stored unencrypted.
		private_key_password = whatever
		#  Debian's auto-generated self-signed "snakeoil" pair is
		#  a placeholder identity, not a deployment certificate;
		#  replace both files before use.
		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

		#  If Private key & Certificate are located in
		#  the same file, then private_key_file &
		#  certificate_file must contain the same file
		#  name.
		#
		#  If ca_file (below) is not used, then the
		#  certificate_file below MUST include not
		#  only the server certificate, but ALSO all
		#  of the CA certificates used to sign the
		#  server certificate.
		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

		#  You may want different CAs for inner and outer
		#  certificates.  If so, edit this file.
		#
		#  NOTE(review): this points at the system-wide public CA
		#  bundle.  If the ca_file is also used to validate client
		#  certificates (see the main "eap" file), that trusts every
		#  public CA, which is usually far broader than intended;
		#  a private CA file is the safer choice -- confirm.
		ca_file = /etc/ssl/certs/ca-certificates.crt

		#  Passed through to OpenSSL.  "DEFAULT" means whatever the
		#  linked OpenSSL build enables, so the effective cipher set
		#  varies with the library version; set an explicit list if
		#  local policy requires a known set.
		cipher_list = "DEFAULT"

		#  You may want to set a very small fragment size.
		#  The TLS data here needs to go inside of the
		#  outer EAP-TLS protocol.
		#
		#  Try values and see if they work...
	#	fragment_size = 1024

		#  Other needful things
		#  ${certdir} is defined elsewhere in the radiusd
		#  configuration, not in this file.
		dh_file = ${certdir}/dh
		random_file = /dev/urandom

		#  CRL and OCSP things go here.  See the main "eap"
		#  file for details.
		#  Revocation checking is disabled as shipped; the
		#  commented lines show where to enable it.
	#	check_crl = yes
	#	ca_path = /path/to/directory/with/ca_certs/and/crls/

		#
		#  The session resumption / fast re-authentication
		#  cache CANNOT be used for inner sessions.
		#
	}
}