# -*- text -*- ## ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) ## ## $Id: a89a783663588017b12bcc076362e728261ba8f2 $ ####################################################################### # # Whatever you do, do NOT set 'Auth-Type := EAP'. The server # is smart enough to figure this out on its own. The most # common side effect of setting 'Auth-Type := EAP' is that the # users then cannot use ANY other authentication method. # eap { # Invoke the default supported EAP type when # EAP-Identity response is received. # # The incoming EAP messages DO NOT specify which EAP # type they will be using, so it MUST be set here. # # For now, only one default EAP type may be used at a time. # # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. # default_eap_type = ttls # A list is maintained to correlate EAP-Response # packets with EAP-Request packets. After a # configurable length of time, entries in the list # expire, and are deleted. # timer_expire = 60 # There are many EAP types, but the server has support # for only a limited subset. If the server receives # a request for an EAP type it does not support, then # it normally rejects the request. By setting this # configuration to "yes", you can tell the server to # instead keep processing the request. Another module # MUST then be configured to proxy the request to # another RADIUS server which supports that EAP type. # # If another module is NOT configured to handle the # request, then the request will still end up being # rejected. # ignore_unknown_eap_types = no # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given # a User-Name attribute in an Access-Accept, it copies one # more byte than it should. # # We can work around it by configurably adding an extra # zero byte. # cisco_accounting_username_bug = no # Help prevent DoS attacks by limiting the number of # sessions that the server is tracking. For simplicity, # this is taken from the "max_requests" directive in # radiusd.conf. # max_sessions = ${max_requests} ############################################################ # # Supported EAP-types # # EAP-MD5 # # We do NOT recommend using EAP-MD5 authentication # for wireless connections. It is insecure, and does # not provide for dynamic WEP keys. # #md5 { #} # EAP-pwd -- secure password-based authentication # #pwd { # group = 19 # server_id = theserver@example.com # This has the same meaning as for TLS. # # fragment_size = 1020 # The virtual server which determines the # "known good" password for the user. # Note that unlike TLS, only the "authorize" # section is processed. EAP-PWD requests can be # distinguished by having a User-Name, but # no User-Password, CHAP-Password, EAP-Message, etc. # # virtual_server = "inner-tunnel" #} # Cisco LEAP # # We do not recommend using LEAP in new deployments. See: # http://www.securiteam.com/tools/5TP012ACKE.html # # Cisco LEAP uses the MS-CHAP algorithm (but not # the MS-CHAP attributes) to perform it's authentication. # # As a result, LEAP *requires* access to the plain-text # User-Password, or the NT-Password attributes. # 'System' authentication is impossible with LEAP. # #leap { #} # EAP-GTC -- Generic Token Card # # Currently, this is only permitted inside of EAP-TTLS, # or EAP-PEAP. The module "challenges" the user with # text, and the response from the user is taken to be # the User-Password. # # Proxying the tunneled EAP-GTC session is a bad idea, # the users password will go over the wire in plain-text, # for anyone to see. # #gtc { # The default challenge, which many clients # ignore.. # # challenge = "Password: " # The plain-text response which comes back # is put into a User-Password attribute, # and passed to another module for # authentication. This allows the EAP-GTC # response to be checked against plain-text, # or crypt'd passwords. # # If you say "Local" instead of "PAP", then # the module will look for a User-Password # configured for the request, and do the # authentication itself. # # auth_type = PAP #} # Common TLS configuration for TLS-based EAP types # ------------------------------------------------ # # See raddb/certs/README for additional comments # on certificates. # # If OpenSSL was not found at the time the server was # built, the "tls", "ttls", and "peap" sections will # be ignored. # # If you do not currently have certificates signed by # a trusted CA you may use the 'snakeoil' certificates. # Included with the server in raddb/certs. # # If these certificates have not been auto-generated: # cd raddb/certs # make # # These test certificates SHOULD NOT be used in a normal # deployment. They are created only to make it easier # to install the server, and to perform some simple # tests with EAP-TLS, TTLS, or PEAP. # # Note that you should NOT use a globally known CA here! # e.g. using a Verisign cert as a "known CA" means that # ANYONE who has a certificate signed by them can # authenticate via EAP-TLS! This is likely not what you want. # tls-config tls-common { private_key_password = whatever private_key_file = ${certdir}/server.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If ca_file (below) is not used, then the # certificate_file below SHOULD also include all of # the intermediate CA certificates used to sign the # server certificate, but NOT the root CA. # # Including the ROOT CA certificate is not useful and # merely inflates the exchanged data volume during # the TLS negotiation. # # This file should contain the server certificate, # followed by intermediate certificates, in order. # i.e. If we have a server certificate signed by CA1, # which is signed by CA2, which is signed by a root # CA, then the "certificate_file" should contain # server.pem, followed by CA1.pem, followed by # CA2.pem. # # When using "ca_file" or "ca_dir", the # "certificate_file" should contain only # "server.pem". And then you may (or may not) need # to set "auto_chain", depending on your version of # OpenSSL. # # In short, SSL / TLS certificates are complex. # There are many versions of software, each of which # behave slightly differently. It is impossible to # give advice which will work everywhere. Instead, # we give general guidelines. # certificate_file = ${certdir}/server.pem # Trusted Root CA list # # This file can contain multiple CA certificates. # ALL of the CA's in this list will be trusted to # issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # ca_file = ${cadir}/ca.pem # OpenSSL will automatically create certificate chains, # unless we tell it to not do that. The problem is that # it sometimes gets the chains right from a certificate # signature view, but wrong from the clients view. # # When setting "auto_chain = no", the server certificate # file MUST include the full certificate chain. # # auto_chain = yes # If OpenSSL supports TLS-PSK, then we can use a # fixed PSK identity and (hex) password. As of # 3.0.18, these can be used at the same time as the # certificate configuration, but only for TLS 1.0 # through 1.2. # # If PSK and certificates are configured at the same # time for TLS 1.3, then the server will warn you, # and will disable TLS 1.3, as it will not work. # # The work around is to have two modules (or for # RadSec, two listen sections). One will have PSK # configured, and the other will have certificates # configured. # # psk_identity = "test" # psk_hexphrase = "036363823" # Dynamic queries for the PSK. If TLS-PSK is used, # and psk_query is set, then you MUST NOT use # psk_identity or psk_hexphrase. # # Instead, use a dynamic expansion similar to the one # below. It keys off of TLS-PSK-Identity. It should # return a of string no more than 512 hex characters. # That string will be converted to binary, and will # be used as the dynamic PSK hexphrase. # # Note that this query is just an example. You will # need to customize it for your installation. # # psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" # For DH cipher suites to work, you have to # run OpenSSL to create the DH file first: # # openssl dhparam -out certs/dh 2048 # dh_file = ${certdir}/dh # If your system doesn't have /dev/urandom, # you will need to create this file, and # periodically change its contents. # # For security reasons, FreeRADIUS doesn't # write to files in its configuration # directory. # # random_file = /dev/urandom # This can never exceed the size of a RADIUS # packet (4096 bytes), and is preferably half # that, to accommodate other attributes in # RADIUS packet. On most APs the MAX packet # length is configured between 1500 - 1600 # In these cases, fragment size should be # 1024 or less. # # fragment_size = 1024 # include_length is a flag which is # by default set to yes If set to # yes, Total Length of the message is # included in EVERY packet we send. # If set to no, Total Length of the # message is included ONLY in the # First packet of a fragment series. # # include_length = yes # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. # 2) Execute 'c_rehash '. # 'c_rehash' is OpenSSL's command. # 3) uncomment the lines below. # 5) Restart radiusd # check_crl = yes # Check if intermediate CAs have been revoked. # check_all_crl = yes ca_path = ${cadir} # Accept an expired Certificate Revocation List # # allow_expired_crl = no # If check_cert_issuer is set, the value will # be checked against the DN of the issuer in # the client certificate. If the values do not # match, the certificate verification will fail, # rejecting the user. # # This check can be done more generally by checking # the value of the TLS-Client-Cert-Issuer attribute. # This check can be done via any mechanism you # choose. # # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # If check_cert_cn is set, the value will # be xlat'ed and checked against the CN # in the client certificate. If the values # do not match, the certificate verification # will fail rejecting the user. # # This check is done only if the previous # "check_cert_issuer" is not set, or if # the check succeeds. # # In 2.1.10 and later, this check can be done # more generally by checking the value of the # TLS-Client-Cert-Common-Name attribute. This check # can be done via any mechanism you choose. # # check_cert_cn = %{User-Name} # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". # # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" # cipher_list = "PROFILE=SYSTEM" # If enabled, OpenSSL will use server cipher list # (possibly defined by cipher_list option above) # for choosing right cipher suite rather than # using client-specified list which is OpenSSl default # behavior. Setting this to "yes" means that OpenSSL # will choose the servers ciphers, even if they do not # best match what the client sends. # # TLS negotiation is usually good, but can be imperfect. # This setting allows administrators to "fine tune" it # if necessary. # cipher_server_preference = no # You can selectively disable TLS versions for # compatability with old client devices. # # If your system has OpenSSL 1.1.0 or greater, do NOT # use these. Instead, set tls_min_version and # tls_max_version. # # disable_tlsv1_2 = no disable_tlsv1_1 = yes disable_tlsv1 = yes # Set min / max TLS version. Mainly for Debian # "trusty", which disables older versions of TLS, and # requires the application to manually enable them. # # If you are running Debian trusty, you should set # these options, otherwise older clients will not be # able to connect. # # Allowed values are "1.0", "1.1", "1.2", and "1.3". # # Note that the server WILL NOT permit negotiation of # TLS 1.3. The EAP-TLS standards for TLS 1.3 are NOT # finished. It is therefore impossible for the server # to negotiate EAP-TLS correctly with TLS 1.3. # # The values must be in quotes. # tls_min_version = "1.2" tls_max_version = "1.2" # Elliptical cryptography configuration # # Only for OpenSSL >= 0.9.8.f # ecdh_curve = "prime256v1" # Session resumption / fast reauthentication # cache. # # The cache contains the following information: # # session Id - unique identifier, managed by SSL # User-Name - from the Access-Accept # Stripped-User-Name - from the Access-Request # Cached-Session-Policy - from the Access-Accept # # See also the "store" subsection below for # additional attributes which can be cached. # # The "Cached-Session-Policy" is the name of a # policy which should be applied to the cached # session. This policy can be used to assign # VLANs, IP addresses, etc. It serves as a useful # way to re-apply the policy from the original # Access-Accept to the subsequent Access-Accept # for the cached session. # # On session resumption, these attributes are # copied from the cache, and placed into the # reply list. # # You probably also want "use_tunneled_reply = yes" # when using fast session resumption. # # You can check if a session has been resumed by # looking for the existence of the EAP-Session-Resumed # attribute. Note that this attribute will *only* # exist in the "post-auth" section. # # CAVEATS: The cache is stored and reloaded BEFORE # the "post-auth" section is run. This limitation # makes caching more difficult than it should be. In # practice, it means that the first authentication # session must set the reply attributes before the # post-auth section is run. # # When the session is resumed, the attributes are # restored and placed into the session-state list. # cache { # Enable it. The default is "no". Deleting the entire "cache" # subsection also disables caching. # # As of version 3.0.14, the session cache requires the use # of the "name" and "persist_dir" configuration items, below. # # The internal OpenSSL session cache has been permanently # disabled. # # You can disallow resumption for a particular user by adding the # following attribute to the control item list: # # Allow-Session-Resumption = No # # If "enable = no" below, you CANNOT enable resumption for just one # user by setting the above attribute to "yes". # enable = no # Lifetime of the cached entries, in hours. The sessions will be # deleted/invalidated after this time. # lifetime = 24 # hours # Internal "name" of the session cache. Used to # distinguish which TLS context sessions belong to. # # The server will generate a random value if unset. # This will change across server restart so you MUST # set the "name" if you want to persist sessions (see # below). # # name = "EAP module" # Simple directory-based storage of sessions. # Two files per session will be written, the SSL # state and the cached VPs. This will persist session # across server restarts. # # The default directory is ${logdir}, for historical # reasons. You should ${db_dir} instead. And check # the value of db_dir in the main radiusd.conf file. # It should not point to ${raddb} # # The server will need write perms, and the directory # should be secured from anyone else. You might want # a script to remove old files from here periodically: # # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; # # This feature REQUIRES "name" option be set above. # # persist_dir = "${logdir}/tlscache" # # As of 3.0.20, it is possible to partially # control which attributes exist in the # session cache. This subsection lists # attributes which are taken from the reply, # and saved to the on-disk cache. When the # session is resumed, these attributes are # added to the "session-state" list. The # default configuration will then take care # of copying them to the reply. # store { Tunnel-Private-Group-Id } } # As of version 2.1.10, client certificates can be # validated via an external command. This allows # dynamic CRLs or OCSP to be used. # # This configuration is commented out in the # default configuration. Uncomment it, and configure # the correct paths below to enable it. # # If OCSP checking is enabled, and the OCSP checks fail, # the verify section is not run. # # If OCSP checking is disabled, the verify section is # run on successful certificate validation. # verify { # If the OCSP checks succeed, the verify section # is run to allow additional checks. # # If you want to skip verify on OCSP success, # uncomment this configuration item, and set it # to "yes". # # skip_if_ocsp_ok = no # A temporary directory where the client # certificates are stored. This directory # MUST be owned by the UID of the server, # and MUST not be accessible by any other # users. When the server starts, it will do # "chmod go-rwx" on the directory, for # security reasons. The directory MUST # exist when the server starts. # # You should also delete all of the files # in the directory when the server starts. # # tmpdir = /var/run/radiusd/tmp # The command used to verify the client cert. # We recommend using the OpenSSL command-line # tool. # # The ${..ca_path} text is a reference to # the ca_path variable defined above. # # The %{TLS-Client-Cert-Filename} is the name # of the temporary file containing the cert # in PEM format. This file is automatically # deleted by the server when the command # returns. # # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } # OCSP Configuration # # Certificates can be verified against an OCSP # Responder. This makes it possible to immediately # revoke certificates without the distribution of # new Certificate Revocation Lists (CRLs). # ocsp { # Enable it. The default is "no". # Deleting the entire "ocsp" subsection # also disables ocsp checking # enable = no # The OCSP Responder URL can be automatically # extracted from the certificate in question. # To override the OCSP Responder URL set # "override_cert_url = yes". # override_cert_url = yes # If the OCSP Responder address is not extracted from # the certificate, the URL can be defined here. # url = "http://127.0.0.1/ocsp/" # If the OCSP Responder can not cope with nonce # in the request, then it can be disabled here. # # For security reasons, disabling this option # is not recommended as nonce protects against # replay attacks. # # Note that Microsoft AD Certificate Services OCSP # Responder does not enable nonce by default. It is # more secure to enable nonce on the responder than # to disable it in the query here. # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx # # use_nonce = yes # Number of seconds before giving up waiting # for OCSP response. 0 uses system default. # # timeout = 0 # Normally an error in querying the OCSP # responder (no response from server, server did # not understand the request, etc) will result in # a validation failure. # # To treat these errors as 'soft' failures and # still accept the certificate, enable this # option. # # Warning: this may enable clients with revoked # certificates to connect if the OCSP responder # is not available. Use with caution. # # softfail = no } } # EAP-TLS # # As of Version 3.0, the TLS configuration for TLS-based # EAP types is above in the "tls-config" section. # #tls { # Point to the common TLS configuration # # tls = tls-common # As part of checking a client certificate, the EAP-TLS # sets some attributes such as TLS-Client-Cert-Common-Name. This # virtual server has access to these attributes, and can # be used to accept or reject the request. # # virtual_server = check-eap-tls #} # EAP-TTLS -- Tunneled TLS # # The TTLS module implements the EAP-TTLS protocol, # which can be described as EAP inside of Diameter, # inside of TLS, inside of EAP, inside of RADIUS... # # Surprisingly, it works quite well. # ttls { # Which tls-config section the TLS negotiation parameters # are in - see EAP-TLS above for an explanation. # # In the case that an old configuration from FreeRADIUS # v2.x is being used, all the options of the tls-config # section may also appear instead in the 'tls' section # above. If that is done, the tls= option here (and in # tls above) MUST be commented out. # tls = tls-common # The tunneled EAP session needs a default EAP type # which is separate from the one for the non-tunneled # EAP module. Inside of the TTLS tunnel, we recommend # using EAP-MD5. If the request does not contain an # EAP conversation, then this configuration entry is # ignored. # default_eap_type = pap # The tunneled authentication request does not usually # contain useful attributes like 'Calling-Station-Id', # etc. These attributes are outside of the tunnel, # and normally unavailable to the tunneled # authentication request. # # By setting this configuration entry to 'yes', # any attribute which is NOT in the tunneled # authentication request, but which IS available # outside of the tunnel, is copied to the tunneled # request. # # allowed values: {no, yes} # copy_request_to_tunnel = no # As of version 3.0.5, this configuration item # is deprecated. Instead, you should use # # update outer.session-state { # ... # } # # This will cache attributes for the final Access-Accept. # # The reply attributes sent to the NAS are usually # based on the name of the user 'outside' of the # tunnel (usually 'anonymous'). If you want to send # the reply attributes based on the user name inside # of the tunnel, then set this configuration entry to # 'yes', and the reply to the NAS will be taken from # the reply to the tunneled request. # # allowed values: {no, yes} # use_tunneled_reply = no # The inner tunneled request can be sent # through a virtual server constructed # specifically for this purpose. # # A virtual server MUST be specified. # virtual_server = "labitat-inner" # This has the same meaning, and overwrites, the # same field in the "tls" configuration, above. # The default value here is "yes". # # include_length = yes # Unlike EAP-TLS, EAP-TTLS does not require a client # certificate. However, you can require one by setting the # following option. You can also override this option by # setting # # EAP-TLS-Require-Client-Cert = Yes # # in the control items for a request. # # Note that the majority of supplicants do not support using a # client certificate with EAP-TTLS, so this option is unlikely # to be usable for most people. # # require_client_cert = yes } # EAP-PEAP # ################################################## # # !!!!! WARNINGS for Windows compatibility !!!!! # ################################################## # # If you see the server send an Access-Challenge, # and the client never sends another Access-Request, # then # # STOP! # # The server certificate has to have special OID's # in it, or else the Microsoft clients will silently # fail. See the "scripts/xpextensions" file for # details, and the following page: # # https://support.microsoft.com/en-us/help/814394/ # # If is still doesn't work, and you're using Samba, # you may be encountering a Samba bug. See: # # https://bugzilla.samba.org/show_bug.cgi?id=6563 # # Note that we do not necessarily agree with their # explanation... but the fix does appear to work. # ################################################## # The tunneled EAP session needs a default EAP type # which is separate from the one for the non-tunneled # EAP module. Inside of the TLS/PEAP tunnel, we # recommend using EAP-MS-CHAPv2. # #peap { # Which tls-config section the TLS negotiation parameters # are in - see EAP-TLS above for an explanation. # # In the case that an old configuration from FreeRADIUS # v2.x is being used, all the options of the tls-config # section may also appear instead in the 'tls' section # above. If that is done, the tls= option here (and in # tls above) MUST be commented out. # # tls = tls-common # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. # # default_eap_type = mschapv2 # The PEAP module also has these configuration # items, which are the same as for TTLS. # # copy_request_to_tunnel = no # As of version 3.0.5, this configuration item # is deprecated. Instead, you should use # # update outer.session-state { # ... # } # # This will cache attributes for the final Access-Accept. # # use_tunneled_reply = no # When the tunneled session is proxied, the # home server may not understand EAP-MSCHAP-V2. # Set this entry to "no" to proxy the tunneled # EAP-MSCHAP-V2 as normal MSCHAPv2. # # proxy_tunneled_request_as_eap = yes # The inner tunneled request can be sent # through a virtual server constructed # specifically for this purpose. # # A virtual server MUST be specified. # # virtual_server = "inner-tunnel" # This option enables support for MS-SoH # see doc/SoH.txt for more info. # It is disabled by default. # # soh = yes # The SoH reply will be turned into a request which # can be sent to a specific virtual server: # # soh_virtual_server = "soh-server" # Unlike EAP-TLS, PEAP does not require a client certificate. # However, you can require one by setting the following # option. You can also override this option by setting # # EAP-TLS-Require-Client-Cert = Yes # # in the control items for a request. # # Note that the majority of supplicants do not support using a # client certificate with PEAP, so this option is unlikely to # be usable for most people. # # require_client_cert = yes #} # EAP-MSCHAPv2 # # Note that it is the EAP MS-CHAPv2 sub-module, not # the main 'mschap' module. # # Note also that in order for this sub-module to work, # the main 'mschap' module MUST ALSO be configured. # # This module is the *Microsoft* implementation of MS-CHAPv2 # in EAP. There is another (incompatible) implementation # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not # currently support. # #mschapv2 { # Prior to version 2.1.11, the module never # sent the MS-CHAP-Error message to the # client. This worked, but it had issues # when the cached password was wrong. The # server *should* send "E=691 R=0" to the # client, which tells it to prompt the user # for a new password. # # The default is to behave as in 2.1.10 and # earlier, which is known to work. If you # set "send_error = yes", then the error # message will be sent back to the client. # This *may* help some clients work better, # but *may* also cause other clients to stop # working. # # send_error = no # Server identifier to send back in the challenge. # This should generally be the host name of the # RADIUS server. Or, some information to uniquely # identify it. # # identity = "FreeRADIUS" #} # EAP-FAST # # The FAST module implements the EAP-FAST protocol # #fast { # Point to the common TLS configuration # # tls = tls-common # If 'cipher_list' is set here, it will over-ride the # 'cipher_list' configuration from the 'tls-common' # configuration. The EAP-FAST module has it's own # over-ride for 'cipher_list' because the # specifications mandata a different set of ciphers # than are used by the other EAP methods. # # cipher_list though must include "ADH" for anonymous provisioning. # This is not as straight forward as appending "ADH" alongside # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used # # Note - for OpenSSL 1.1.0 and above you may need # to add ":@SECLEVEL=0" # # cipher_list = "PROFILE=SYSTEM" # PAC lifetime in seconds (default: seven days) # # pac_lifetime = 604800 # Authority ID of the server # # If you are running a cluster of RADIUS servers, you should make # the value chosen here (and for "pac_opaque_key") the same on all # your RADIUS servers. This value should be unique to your # installation. We suggest using a domain name. # # authority_identity = "1234" # PAC Opaque encryption key (must be exactly 32 bytes in size) # # This value MUST be secret, and MUST be generated using # a secure method, such as via 'openssl rand -hex 32' # # pac_opaque_key = "0123456789abcdef0123456789ABCDEF" # Same as for TTLS, PEAP, etc. # # virtual_server = inner-tunnel #} }