|
|
|
@ -2,7 +2,7 @@ |
|
|
|
## |
|
|
|
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) |
|
|
|
## |
|
|
|
## $Id: 0e8d5caef5ad09dfa6acb14c5d475bae55cf4b27 $ |
|
|
|
## $Id: f67cbdbff9b6560cec9f68da1adb82b59723d2ef $ |
|
|
|
|
|
|
|
####################################################################### |
|
|
|
# |
|
|
|
@ -285,6 +285,10 @@ eap { |
|
|
|
|
|
|
|
ca_path = ${cadir} |
|
|
|
|
|
|
|
# Accept an expired Certificate Revocation List |
|
|
|
# |
|
|
|
# allow_expired_crl = no |
|
|
|
|
|
|
|
# |
|
|
|
# If check_cert_issuer is set, the value will |
|
|
|
# be checked against the DN of the issuer in |
|
|
|
@ -292,10 +296,10 @@ eap { |
|
|
|
# match, the certificate verification will fail, |
|
|
|
# rejecting the user. |
|
|
|
# |
|
|
|
# In 2.1.10 and later, this check can be done |
|
|
|
# more generally by checking the value of the |
|
|
|
# TLS-Client-Cert-Issuer attribute. This check |
|
|
|
# can be done via any mechanism you choose. |
|
|
|
# This check can be done more generally by checking |
|
|
|
# the value of the TLS-Client-Cert-Issuer attribute. |
|
|
|
# This check can be done via any mechanism you |
|
|
|
# choose. |
|
|
|
# |
|
|
|
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" |
|
|
|
|
|
|
|
@ -325,16 +329,42 @@ eap { |
|
|
|
# |
|
|
|
cipher_list = "DEFAULT" |
|
|
|
|
|
|
|
# Work-arounds for OpenSSL nonsense |
|
|
|
# OpenSSL 1.0.1f and 1.0.1g do not calculate |
|
|
|
# the EAP keys correctly. The fix is to upgrade |
|
|
|
# OpenSSL, or disable TLS 1.2 here. |
|
|
|
# If enabled, OpenSSL will use server cipher list |
|
|
|
# (possibly defined by cipher_list option above) |
|
|
|
# for choosing right cipher suite rather than |
|
|
|
# using client-specified list which is OpenSSl default |
|
|
|
# behavior. Having it set to yes is a current best practice |
|
|
|
# for TLS |
|
|
|
cipher_server_preference = no |
|
|
|
|
|
|
|
# |
|
|
|
# You can selectively disable TLS versions for |
|
|
|
# compatability with old client devices. |
|
|
|
# |
|
|
|
# For EAP-FAST, this MUST be set to "yes". |
|
|
|
# If your system has OpenSSL 1.1.0 or greater, do NOT |
|
|
|
# use these. Instead, set tls_min_version and |
|
|
|
# tls_max_version. |
|
|
|
# |
|
|
|
# disable_tlsv1_2 = no |
|
|
|
# disable_tlsv1_1 = no |
|
|
|
# disable_tlsv1 = no |
|
|
|
|
|
|
|
# |
|
|
|
# Set min / max TLS version. Mainly for Debian |
|
|
|
# "trusty", which disables older versions of TLS, and |
|
|
|
# requires the application to manually enable them. |
|
|
|
# |
|
|
|
# If you are running Debian trusty, you should set |
|
|
|
# these options, otherwise older clients will not be |
|
|
|
# able to connect. |
|
|
|
# |
|
|
|
# Allowed values are "1.0", "1.1", and "1.2". |
|
|
|
# |
|
|
|
# The values must be in quotes. |
|
|
|
# |
|
|
|
tls_min_version = "1.0" |
|
|
|
tls_max_version = "1.2" |
|
|
|
|
|
|
|
|
|
|
|
# |
|
|
|
# Elliptical cryptography configuration |
|
|
|
@ -374,6 +404,12 @@ eap { |
|
|
|
# Enable it. The default is "no". Deleting the entire "cache" |
|
|
|
# subsection also disables caching. |
|
|
|
# |
|
|
|
# As of version 3.0.14, the session cache requires the use |
|
|
|
# of the "name" and "persist_dir" configuration items, below. |
|
|
|
# |
|
|
|
# The internal OpenSSL session cache has been permanently |
|
|
|
# disabled. |
|
|
|
# |
|
|
|
# You can disallow resumption for a particular user by adding the |
|
|
|
# following attribute to the control item list: |
|
|
|
# |
|
|
|
@ -388,16 +424,7 @@ eap { |
|
|
|
# Lifetime of the cached entries, in hours. The sessions will be |
|
|
|
# deleted/invalidated after this time. |
|
|
|
# |
|
|
|
lifetime = 24 # hours |
|
|
|
|
|
|
|
# |
|
|
|
# The maximum number of entries in the |
|
|
|
# cache. Set to "0" for "infinite". |
|
|
|
# |
|
|
|
# This could be set to the number of users |
|
|
|
# who are logged in... which can be a LOT. |
|
|
|
# |
|
|
|
max_entries = 255 |
|
|
|
lifetime = 1 # hours |
|
|
|
|
|
|
|
# |
|
|
|
# Internal "name" of the session cache. Used to |
|
|
|
@ -416,6 +443,11 @@ eap { |
|
|
|
# state and the cached VPs. This will persist session |
|
|
|
# across server restarts. |
|
|
|
# |
|
|
|
# The default directory is ${logdir}, for historical |
|
|
|
# reasons. You should ${db_dir} instead. And check |
|
|
|
# the value of db_dir in the main radiusd.conf file. |
|
|
|
# It should not point to ${raddb} |
|
|
|
# |
|
|
|
# The server will need write perms, and the directory |
|
|
|
# should be secured from anyone else. You might want |
|
|
|
# a script to remove old files from here periodically: |
|
|
|
@ -663,6 +695,10 @@ eap { |
|
|
|
# |
|
|
|
# in the control items for a request. |
|
|
|
# |
|
|
|
# Note that the majority of supplicants do not support using a |
|
|
|
# client certificate with EAP-TTLS, so this option is unlikely |
|
|
|
# to be usable for most people. |
|
|
|
# |
|
|
|
# require_client_cert = yes |
|
|
|
} |
|
|
|
|
|
|
|
@ -789,6 +825,10 @@ eap { |
|
|
|
# |
|
|
|
# in the control items for a request. |
|
|
|
# |
|
|
|
# Note that the majority of supplicants do not support using a |
|
|
|
# client certificate with PEAP, so this option is unlikely to |
|
|
|
# be usable for most people. |
|
|
|
# |
|
|
|
# require_client_cert = yes |
|
|
|
} |
|
|
|
|
|
|
|
@ -839,13 +879,26 @@ eap { |
|
|
|
# fast { |
|
|
|
# Point to the common TLS configuration |
|
|
|
# |
|
|
|
# cipher_list though must include "ADH" for anonymous provisioning. |
|
|
|
# This is not as straight forward as appending "ADH" alongside |
|
|
|
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is |
|
|
|
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used |
|
|
|
# |
|
|
|
# tls = tls-common |
|
|
|
|
|
|
|
# |
|
|
|
# If 'cipher_list' is set here, it will over-ride the |
|
|
|
# 'cipher_list' configuration from the 'tls-common' |
|
|
|
# configuration. The EAP-FAST module has it's own |
|
|
|
# over-ride for 'cipher_list' because the |
|
|
|
# specifications mandata a different set of ciphers |
|
|
|
# than are used by the other EAP methods. |
|
|
|
# |
|
|
|
# cipher_list though must include "ADH" for anonymous provisioning. |
|
|
|
# This is not as straight forward as appending "ADH" alongside |
|
|
|
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is |
|
|
|
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used |
|
|
|
# |
|
|
|
# Note - for OpenSSL 1.1.0 and above you may need |
|
|
|
# to add ":@SECLEVEL=0" |
|
|
|
# |
|
|
|
# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" |
|
|
|
|
|
|
|
# PAC lifetime in seconds (default: seven days) |
|
|
|
# |
|
|
|
# pac_lifetime = 604800 |
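Review bot: In the `@ -325,16 +329,42` hunk the new default `cipher_server_preference = no` contradicts the added comment directly above it, which states that `yes` is current best practice; either ship `cipher_server_preference = yes` or say in the comment why the shipped default stays `no`. The same hunk sets `tls_min_version = "1.0"` with a comment that frames it purely as a Debian trusty compatibility measure, so an administrator on a current system gets no cue to tighten it; a line such as `# TLS 1.0 and 1.1 are deprecated; raise tls_min_version to "1.2" unless old clients must be supported` would give that cue. The `@ -839,13 +879,26` hunk appears to have the same gap: the new note suggesting `:@SECLEVEL=0` for the EAP-FAST cipher_list does not say that this lowers OpenSSL's minimum security level for that TLS context, and a one-line comment stating that consequence belongs next to it. Minor: `compatability`, `OpenSSl`, `mandata` and `it's own` are misspelled in the added comments.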
|
|
|
|