aboutsummaryrefslogtreecommitdiffstats
path: root/roles/space_server/files/radius/mods-available/eap
blob: 938370cfc767a178736891e507db704d9a99e0f5 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##	$Id: a89a783663588017b12bcc076362e728261ba8f2 $

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
eap {
	#  Invoke the default supported EAP type when
	#  EAP-Identity response is received.
	#
	#  The incoming EAP messages DO NOT specify which EAP
	#  type they will be using, so it MUST be set here.
	#
	#  For now, only one default EAP type may be used at a time.
	#
	#  If the EAP-Type attribute is set by another module,
	#  then that EAP type takes precedence over the
	#  default type configured here.
	#
	default_eap_type = ttls

	#  A list is maintained to correlate EAP-Response
	#  packets with EAP-Request packets.  After a
	#  configurable length of time, entries in the list
	#  expire, and are deleted.
	#
	timer_expire = 60

	#  There are many EAP types, but the server has support
	#  for only a limited subset.  If the server receives
	#  a request for an EAP type it does not support, then
	#  it normally rejects the request.  By setting this
	#  configuration to "yes", you can tell the server to
	#  instead keep processing the request.  Another module
	#  MUST then be configured to proxy the request to
	#  another RADIUS server which supports that EAP type.
	#
	#  If another module is NOT configured to handle the
	#  request, then the request will still end up being
	#  rejected.
	#
	ignore_unknown_eap_types = no

	# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
	# a User-Name attribute in an Access-Accept, it copies one
	# more byte than it should.
	#
	# We can work around it by configurably adding an extra
	# zero byte.
	#
	cisco_accounting_username_bug = no

	#  Help prevent DoS attacks by limiting the number of
	#  sessions that the server is tracking.  For simplicity,
	#  this is taken from the "max_requests" directive in
	#  radiusd.conf.
	#
	max_sessions = ${max_requests}


	############################################################
	#
	#  Supported EAP-types
	#


	#  EAP-MD5
	#
	#  We do NOT recommend using EAP-MD5 authentication
	#  for wireless connections.  It is insecure, and does
	#  not provide for dynamic WEP keys.
	#
	#md5 {
	#}


	#  EAP-pwd -- secure password-based authentication
	#
	#pwd {
	#	group = 19

	#	server_id = theserver@example.com

		#  This has the same meaning as for TLS.
		#
	#	fragment_size = 1020

		# The virtual server which determines the
		# "known good" password for the user.
		# Note that unlike TLS, only the "authorize"
		# section is processed.  EAP-PWD requests can be
		# distinguished by having a User-Name, but
		# no User-Password, CHAP-Password, EAP-Message, etc.
		#
	#	virtual_server = "inner-tunnel"
	#}


	#  Cisco LEAP
	#
	#  We do not recommend using LEAP in new deployments.  See:
	#  http://www.securiteam.com/tools/5TP012ACKE.html
	#
	#  Cisco LEAP uses the MS-CHAP algorithm (but not
	#  the MS-CHAP attributes) to perform it's authentication.
	#
	#  As a result, LEAP *requires* access to the plain-text
	#  User-Password, or the NT-Password attributes.
	#  'System' authentication is impossible with LEAP.
	#
	#leap {
	#}


	#  EAP-GTC -- Generic Token Card
	#
	#  Currently, this is only permitted inside of EAP-TTLS,
	#  or EAP-PEAP.  The module "challenges" the user with
	#  text, and the response from the user is taken to be
	#  the User-Password.
	#
	#  Proxying the tunneled EAP-GTC session is a bad idea,
	#  the users password will go over the wire in plain-text,
	#  for anyone to see.
	#
	#gtc {
		#  The default challenge, which many clients
		#  ignore..
		#
	#	challenge = "Password: "

		#  The plain-text response which comes back
		#  is put into a User-Password attribute,
		#  and passed to another module for
		#  authentication.  This allows the EAP-GTC
		#  response to be checked against plain-text,
		#  or crypt'd passwords.
		#
		#  If you say "Local" instead of "PAP", then
		#  the module will look for a User-Password
		#  configured for the request, and do the
		#  authentication itself.
		#
	#	auth_type = PAP
	#}


	#  Common TLS configuration for TLS-based EAP types
	#  ------------------------------------------------
	#
	#  See raddb/certs/README for additional comments
	#  on certificates.
	#
	#  If OpenSSL was not found at the time the server was
	#  built, the "tls", "ttls", and "peap" sections will
	#  be ignored.
	#
	#  If you do not currently have certificates signed by
	#  a trusted CA you may use the 'snakeoil' certificates.
	#  Included with the server in raddb/certs.
	#
	#  If these certificates have not been auto-generated:
	#    cd raddb/certs
	#    make
	#
	#  These test certificates SHOULD NOT be used in a normal
	#  deployment.  They are created only to make it easier
	#  to install the server, and to perform some simple
	#  tests with EAP-TLS, TTLS, or PEAP.
	#
	#  Note that you should NOT use a globally known CA here!
	#  e.g. using a Verisign cert as a "known CA" means that
	#  ANYONE who has a certificate signed by them can
	#  authenticate via EAP-TLS!  This is likely not what you want.
	#
	tls-config tls-common {
	#	private_key_password = whatever
		private_key_file = ${certdir}/privkey.pem

		#  If Private key & Certificate are located in
		#  the same file, then private_key_file &
		#  certificate_file must contain the same file
		#  name.
		#
		#  If ca_file (below) is not used, then the
		#  certificate_file below SHOULD also include all of
		#  the intermediate CA certificates used to sign the
		#  server certificate, but NOT the root CA.
		#
		#  Including the ROOT CA certificate is not useful and
		#  merely inflates the exchanged data volume during
		#  the TLS negotiation.
		#
		#  This file should contain the server certificate,
		#  followed by intermediate certificates, in order.
		#  i.e. If we have a server certificate signed by CA1,
		#  which is signed by CA2, which is signed by a root
		#  CA, then the "certificate_file" should contain
		#  server.pem, followed by CA1.pem, followed by
		#  CA2.pem.
		#
		#  When using "ca_file" or "ca_dir", the
		#  "certificate_file" should contain only
		#  "server.pem".  And then you may (or may not) need
		#  to set "auto_chain", depending on your version of
		#  OpenSSL.
		#
		#  In short, SSL / TLS certificates are complex.
		#  There are many versions of software, each of which
		#  behave slightly differently.  It is impossible to
		#  give advice which will work everywhere.  Instead,
		#  we give general guidelines.
		#
		certificate_file = ${certdir}/fullchain.pem

		#  Trusted Root CA list
		#
		#  This file can contain multiple CA certificates.
		#  ALL of the CA's in this list will be trusted to
		#  issue client certificates for authentication.
		#
		#  In general, you should use self-signed
		#  certificates for 802.1x (EAP) authentication.
		#  In that case, this CA file should contain
		#  *one* CA certificate.
		#
	#	ca_file = ${cadir}/ca.pem

	 	#  OpenSSL will automatically create certificate chains,
	 	#  unless we tell it to not do that.  The problem is that
	 	#  it sometimes gets the chains right from a certificate
	 	#  signature view, but wrong from the clients view.
		#
		#  When setting "auto_chain = no", the server certificate
		#  file MUST include the full certificate chain.
		#
	#	auto_chain = yes

		#  If OpenSSL supports TLS-PSK, then we can use a
		#  fixed PSK identity and (hex) password.  As of
		#  3.0.18, these can be used at the same time as the
		#  certificate configuration, but only for TLS 1.0
		#  through 1.2.
		#
		#  If PSK and certificates are configured at the same
		#  time for TLS 1.3, then the server will warn you,
		#  and will disable TLS 1.3, as it will not work.
		#
		#  The work around is to have two modules (or for
		#  RadSec, two listen sections).  One will have PSK
		#  configured, and the other will have certificates
		#  configured.
		#
	#	psk_identity = "test"
	#	psk_hexphrase = "036363823"

		#  Dynamic queries for the PSK.  If TLS-PSK is used,
		#  and psk_query is set, then you MUST NOT use
		#  psk_identity or psk_hexphrase.
		#
		#  Instead, use a dynamic expansion similar to the one
		#  below.  It keys off of TLS-PSK-Identity.  It should
		#  return a of string no more than 512 hex characters.
		#  That string will be converted to binary, and will
		#  be used as the dynamic PSK hexphrase.
		#
		#  Note that this query is just an example.  You will
		#  need to customize it for your installation.
		#
	#	psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"

		#  For DH cipher suites to work, you have to
		#  run OpenSSL to create the DH file first:
		#
		#    openssl dhparam -out certs/dh 2048
		#
		dh_file = ${certdir}/dh

		#  If your system doesn't have /dev/urandom,
		#  you will need to create this file, and
		#  periodically change its contents.
		#
		#  For security reasons, FreeRADIUS doesn't
		#  write to files in its configuration
		#  directory.
		#
	#	random_file = /dev/urandom

		#  This can never exceed the size of a RADIUS
		#  packet (4096 bytes), and is preferably half
		#  that, to accommodate other attributes in
		#  RADIUS packet.  On most APs the MAX packet
		#  length is configured between 1500 - 1600
		#  In these cases, fragment size should be
		#  1024 or less.
		#
	#	fragment_size = 1024

		#  include_length is a flag which is
		#  by default set to yes If set to
		#  yes, Total Length of the message is
		#  included in EVERY packet we send.
		#  If set to no, Total Length of the
		#  message is included ONLY in the
		#  First packet of a fragment series.
		#
	#	include_length = yes


		#  Check the Certificate Revocation List
		#
		#  1) Copy CA certificates and CRLs to same directory.
		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#     'c_rehash' is OpenSSL's command.
		#  3) uncomment the lines below.
		#  5) Restart radiusd
	#	check_crl = yes

		# Check if intermediate CAs have been revoked.
	#	check_all_crl = yes

		ca_path = ${cadir}

		# Accept an expired Certificate Revocation List
		#
	#	allow_expired_crl = no

		#  If check_cert_issuer is set, the value will
		#  be checked against the DN of the issuer in
		#  the client certificate.  If the values do not
		#  match, the certificate verification will fail,
		#  rejecting the user.
		#
		#  This check can be done more generally by checking
		#  the value of the TLS-Client-Cert-Issuer attribute.
		#  This check can be done via any mechanism you
		#  choose.
		#
	#	check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

		#  If check_cert_cn is set, the value will
		#  be xlat'ed and checked against the CN
		#  in the client certificate.  If the values
		#  do not match, the certificate verification
		#  will fail rejecting the user.
		#
		#  This check is done only if the previous
		#  "check_cert_issuer" is not set, or if
		#  the check succeeds.
		#
		#  In 2.1.10 and later, this check can be done
		#  more generally by checking the value of the
		#  TLS-Client-Cert-Common-Name attribute.  This check
		#  can be done via any mechanism you choose.
		#
	#	check_cert_cn = %{User-Name}

		#  Set this option to specify the allowed
		#  TLS cipher suites.  The format is listed
		#  in "man 1 ciphers".
		#
		#  For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
		#
		cipher_list = "PROFILE=SYSTEM"

		#  If enabled, OpenSSL will use server cipher list
		#  (possibly defined by cipher_list option above)
		#  for choosing right cipher suite rather than
		#  using client-specified list which is OpenSSl default
		#  behavior.  Setting this to "yes" means that OpenSSL
		#  will choose the servers ciphers, even if they do not
		#  best match what the client sends.
		#
		#  TLS negotiation is usually good, but can be imperfect.
		#  This setting allows administrators to "fine tune" it
		#  if necessary.
		#
		cipher_server_preference = no

		#  You can selectively disable TLS versions for
		#  compatability with old client devices.
		#
		#  If your system has OpenSSL 1.1.0 or greater, do NOT
		#  use these.  Instead, set tls_min_version and
		#  tls_max_version.
		#
	#	disable_tlsv1_2 = no
	#	disable_tlsv1_1 = yes
	#	disable_tlsv1 = yes

		#  Set min / max TLS version.  Mainly for Debian
		#  "trusty", which disables older versions of TLS, and
		#  requires the application to manually enable them.
		#
		#  If you are running Debian trusty, you should set
		#  these options, otherwise older clients will not be
		#  able to connect.
		#
		#  Allowed values are "1.0", "1.1", "1.2", and "1.3".
		#
		#  Note that the server WILL NOT permit negotiation of
		#  TLS 1.3.  The EAP-TLS standards for TLS 1.3 are NOT
		#  finished.  It is therefore impossible for the server
		#  to negotiate EAP-TLS correctly with TLS 1.3.
		#
		#  The values must be in quotes.
		#
		tls_min_version = "1.2"
		tls_max_version = "1.2"

		#  Elliptical cryptography configuration
		#
		#  Only for OpenSSL >= 0.9.8.f
		#
		ecdh_curve = "prime256v1"

		#  Session resumption / fast reauthentication
		#  cache.
		#
		#  The cache contains the following information:
		#
		#   session Id - unique identifier, managed by SSL
		#   User-Name  - from the Access-Accept
		#   Stripped-User-Name - from the Access-Request
		#   Cached-Session-Policy - from the Access-Accept
		#
		#  See also the "store" subsection below for
		#  additional attributes which can be cached.
		#
		#  The "Cached-Session-Policy" is the name of a
		#  policy which should be applied to the cached
		#  session.  This policy can be used to assign
		#  VLANs, IP addresses, etc.  It serves as a useful
		#  way to re-apply the policy from the original
		#  Access-Accept to the subsequent Access-Accept
		#  for the cached session.
		#
		#  On session resumption, these attributes are
		#  copied from the cache, and placed into the
		#  reply list.
		#
		#  You probably also want "use_tunneled_reply = yes"
		#  when using fast session resumption.
		#
		#  You can check if a session has been resumed by
		#  looking for the existence of the EAP-Session-Resumed
		#  attribute.  Note that this attribute will *only*
		#  exist in the "post-auth" section.
		#
		#  CAVEATS: The cache is stored and reloaded BEFORE
		#  the "post-auth" section is run.  This limitation
		#  makes caching more difficult than it should be.  In
		#  practice, it means that the first authentication
		#  session must set the reply attributes before the
		#  post-auth section is run.
		#
		#  When the session is resumed, the attributes are
		#  restored and placed into the session-state list.
		#
		cache {
			#  Enable it.  The default is "no". Deleting the entire "cache"
			#  subsection also disables caching.
			#
			#  As of version 3.0.14, the session cache requires the use
			#  of the "name" and "persist_dir" configuration items, below.
			#
			#  The internal OpenSSL session cache has been permanently
			#  disabled.
			#
			#  You can disallow resumption for a particular user by adding the
			#  following attribute to the control item list:
			#
			#    Allow-Session-Resumption = No
			#
			#  If "enable = no" below, you CANNOT enable resumption for just one
			#  user by setting the above attribute to "yes".
			#
			enable = no

			#  Lifetime of the cached entries, in hours. The sessions will be
			#  deleted/invalidated after this time.
			#
			lifetime = 24 # hours

			#  Internal "name" of the session cache. Used to
			#  distinguish which TLS context sessions belong to.
			#
			#  The server will generate a random value if unset.
			#  This will change across server restart so you MUST
			#  set the "name" if you want to persist sessions (see
			#  below).
			#
		#	name = "EAP module"

			#  Simple directory-based storage of sessions.
			#  Two files per session will be written, the SSL
			#  state and the cached VPs. This will persist session
			#  across server restarts.
			#
			#  The default directory is ${logdir}, for historical
			#  reasons.  You should ${db_dir} instead.  And check
			#  the value of db_dir in the main radiusd.conf file.
			#  It should not point to ${raddb}
			#
			#  The server will need write perms, and the directory
			#  should be secured from anyone else. You might want
			#  a script to remove old files from here periodically:
			#
			#    find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
			#
			#  This feature REQUIRES "name" option be set above.
			#
		#	persist_dir = "${logdir}/tlscache"

			#
			#  As of 3.0.20, it is possible to partially
			#  control which attributes exist in the
			#  session cache.  This subsection lists
			#  attributes which are taken from the reply,
			#  and saved to the on-disk cache.  When the
			#  session is resumed, these attributes are
			#  added to the "session-state" list.  The
			#  default configuration will then take care
			#  of copying them to the reply.
			#
			store {
				Tunnel-Private-Group-Id
			}
		}

		#  As of version 2.1.10, client certificates can be
		#  validated via an external command.  This allows
		#  dynamic CRLs or OCSP to be used.
		#
		#  This configuration is commented out in the
		#  default configuration.  Uncomment it, and configure
		#  the correct paths below to enable it.
		#
		#  If OCSP checking is enabled, and the OCSP checks fail,
		#  the verify section is not run.
		#
		#  If OCSP checking is disabled, the verify section is
		#  run on successful certificate validation.
		#
		verify {
			#  If the OCSP checks succeed, the verify section
			#  is run to allow additional checks.
			#
			#  If you want to skip verify on OCSP success,
			#  uncomment this configuration item, and set it
			#  to "yes".
			#
		#	skip_if_ocsp_ok = no

			#  A temporary directory where the client
			#  certificates are stored.  This directory
			#  MUST be owned by the UID of the server,
			#  and MUST not be accessible by any other
			#  users.  When the server starts, it will do
			#  "chmod go-rwx" on the directory, for
			#  security reasons.  The directory MUST
			#  exist when the server starts.
			#
			#  You should also delete all of the files
			#  in the directory when the server starts.
			#
		#	tmpdir = /var/run/radiusd/tmp

			#  The command used to verify the client cert.
			#  We recommend using the OpenSSL command-line
			#  tool.
			#
			#  The ${..ca_path} text is a reference to
			#  the ca_path variable defined above.
			#
			#  The %{TLS-Client-Cert-Filename} is the name
			#  of the temporary file containing the cert
			#  in PEM format.  This file is automatically
			#  deleted by the server when the command
			#  returns.
			#
		#	client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
		}

		#  OCSP Configuration
		#
		#  Certificates can be verified against an OCSP
		#  Responder. This makes it possible to immediately
		#  revoke certificates without the distribution of
		#  new Certificate Revocation Lists (CRLs).
		#
		ocsp {
			#  Enable it.  The default is "no".
			#  Deleting the entire "ocsp" subsection
			#  also disables ocsp checking
			#
			enable = no

			#  The OCSP Responder URL can be automatically
			#  extracted from the certificate in question.
			#  To override the OCSP Responder URL set
			#  "override_cert_url = yes".
			#
			override_cert_url = yes

			#  If the OCSP Responder address is not extracted from
			#  the certificate, the URL can be defined here.
			#
			url = "http://127.0.0.1/ocsp/"

			# If the OCSP Responder can not cope with nonce
			# in the request, then it can be disabled here.
			#
			# For security reasons, disabling this option
			# is not recommended as nonce protects against
			# replay attacks.
			#
			# Note that Microsoft AD Certificate Services OCSP
			# Responder does not enable nonce by default. It is
			# more secure to enable nonce on the responder than
			# to disable it in the query here.
			# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
			#
		#	use_nonce = yes

			# Number of seconds before giving up waiting
			# for OCSP response. 0 uses system default.
			#
		#	timeout = 0

			# Normally an error in querying the OCSP
			# responder (no response from server, server did
			# not understand the request, etc) will result in
			# a validation failure.
			#
			# To treat these errors as 'soft' failures and
			# still accept the certificate, enable this
			# option.
			#
			# Warning: this may enable clients with revoked
			# certificates to connect if the OCSP responder
			# is not available. Use with caution.
			#
		#	softfail = no
		}
	}


	#  EAP-TLS
	#
	#  As of Version 3.0, the TLS configuration for TLS-based
	#  EAP types is above in the "tls-config" section.
	#
	#tls {
		#  Point to the common TLS configuration
		#
	#	tls = tls-common

		#  As part of checking a client certificate, the EAP-TLS
		#  sets some attributes such as TLS-Client-Cert-Common-Name. This
		#  virtual server has access to these attributes, and can
		#  be used to accept or reject the request.
		#
	#	virtual_server = check-eap-tls
	#}


	#  EAP-TTLS -- Tunneled TLS
	#
	#  The TTLS module implements the EAP-TTLS protocol,
	#  which can be described as EAP inside of Diameter,
	#  inside of TLS, inside of EAP, inside of RADIUS...
	#
	#  Surprisingly, it works quite well.
	#
	ttls {
		#  Which tls-config section the TLS negotiation parameters
		#  are in - see EAP-TLS above for an explanation.
		#
		#  In the case that an old configuration from FreeRADIUS
		#  v2.x is being used, all the options of the tls-config
		#  section may also appear instead in the 'tls' section
		#  above. If that is done, the tls= option here (and in
		#  tls above) MUST be commented out.
		#
		tls = tls-common

		#  The tunneled EAP session needs a default EAP type
		#  which is separate from the one for the non-tunneled
		#  EAP module.  Inside of the TTLS tunnel, we recommend
		#  using EAP-MD5.  If the request does not contain an
		#  EAP conversation, then this configuration entry is
		#  ignored.
		#
		default_eap_type = pap

		#  The tunneled authentication request does not usually
		#  contain useful attributes like 'Calling-Station-Id',
		#  etc.  These attributes are outside of the tunnel,
		#  and normally unavailable to the tunneled
		#  authentication request.
		#
		#  By setting this configuration entry to 'yes',
		#  any attribute which is NOT in the tunneled
		#  authentication request, but which IS available
		#  outside of the tunnel, is copied to the tunneled
		#  request.
		#
		#  allowed values: {no, yes}
		#
		copy_request_to_tunnel = no

		#  As of version 3.0.5, this configuration item
		#  is deprecated.  Instead, you should use
		#
		#    update outer.session-state {
		#      ...
		#    }
		#
		#  This will cache attributes for the final Access-Accept.
		#
		#  The reply attributes sent to the NAS are usually
		#  based on the name of the user 'outside' of the
		#  tunnel (usually 'anonymous').  If you want to send
		#  the reply attributes based on the user name inside
		#  of the tunnel, then set this configuration entry to
		#  'yes', and the reply to the NAS will be taken from
		#  the reply to the tunneled request.
		#
		#  allowed values: {no, yes}
		#
		use_tunneled_reply = no

		#  The inner tunneled request can be sent
		#  through a virtual server constructed
		#  specifically for this purpose.
		#
		#  A virtual server MUST be specified.
		#
		virtual_server = "labitat-inner"

		#  This has the same meaning, and overwrites, the
		#  same field in the "tls" configuration, above.
		#  The default value here is "yes".
		#
	#	include_length = yes

		#  Unlike EAP-TLS, EAP-TTLS does not require a client
		#  certificate. However, you can require one by setting the
		#  following option. You can also override this option by
		#  setting
		#
		#    EAP-TLS-Require-Client-Cert = Yes
		#
		#  in the control items for a request.
		#
		#  Note that the majority of supplicants do not support using a
		#  client certificate with EAP-TTLS, so this option is unlikely
		#  to be usable for most people.
		#
	#	require_client_cert = yes
	}


	#  EAP-PEAP
	#

	##################################################
	#
	#  !!!!! WARNINGS for Windows compatibility  !!!!!
	#
	##################################################
	#
	#  If you see the server send an Access-Challenge,
	#  and the client never sends another Access-Request,
	#  then
	#
	#		STOP!
	#
	#  The server certificate has to have special OID's
	#  in it, or else the Microsoft clients will silently
	#  fail.  See the "scripts/xpextensions" file for
	#  details, and the following page:
	#
	#	https://support.microsoft.com/en-us/help/814394/
	#
	#  If is still doesn't work, and you're using Samba,
	#  you may be encountering a Samba bug.  See:
	#
	#	https://bugzilla.samba.org/show_bug.cgi?id=6563
	#
	#  Note that we do not necessarily agree with their
	#  explanation... but the fix does appear to work.
	#
	##################################################

	#  The tunneled EAP session needs a default EAP type
	#  which is separate from the one for the non-tunneled
	#  EAP module.  Inside of the TLS/PEAP tunnel, we
	#  recommend using EAP-MS-CHAPv2.
	#
	#peap {
		#  Which tls-config section the TLS negotiation parameters
		#  are in - see EAP-TLS above for an explanation.
		#
		#  In the case that an old configuration from FreeRADIUS
		#  v2.x is being used, all the options of the tls-config
		#  section may also appear instead in the 'tls' section
		#  above. If that is done, the tls= option here (and in
		#  tls above) MUST be commented out.
		#
	#	tls = tls-common

		#  The tunneled EAP session needs a default
		#  EAP type which is separate from the one for
		#  the non-tunneled EAP module.  Inside of the
		#  PEAP tunnel, we recommend using MS-CHAPv2,
		#  as that is the default type supported by
		#  Windows clients.
		#
	#	default_eap_type = mschapv2

		#  The PEAP module also has these configuration
		#  items, which are the same as for TTLS.
		#
	#	copy_request_to_tunnel = no

		#  As of version 3.0.5, this configuration item
		#  is deprecated.  Instead, you should use
		#
		#    update outer.session-state {
		#      ...
		#    }
		#
		#  This will cache attributes for the final Access-Accept.
		#
	#	use_tunneled_reply = no

		#  When the tunneled session is proxied, the
		#  home server may not understand EAP-MSCHAP-V2.
		#  Set this entry to "no" to proxy the tunneled
		#  EAP-MSCHAP-V2 as normal MSCHAPv2.
		#
	#	proxy_tunneled_request_as_eap = yes

		#  The inner tunneled request can be sent
		#  through a virtual server constructed
		#  specifically for this purpose.
		#
		#  A virtual server MUST be specified.
		#
	#	virtual_server = "inner-tunnel"

		#  This option enables support for MS-SoH
		#  see doc/SoH.txt for more info.
		#  It is disabled by default.
		#
	#	soh = yes

		#  The SoH reply will be turned into a request which
		#  can be sent to a specific virtual server:
		#
	#	soh_virtual_server = "soh-server"

		#  Unlike EAP-TLS, PEAP does not require a client certificate.
		#  However, you can require one by setting the following
		#  option. You can also override this option by setting
		#
		#    EAP-TLS-Require-Client-Cert = Yes
		#
		#  in the control items for a request.
		#
		#  Note that the majority of supplicants do not support using a
		#  client certificate with PEAP, so this option is unlikely to
		#  be usable for most people.
		#
	#	require_client_cert = yes
	#}


	#  EAP-MSCHAPv2
	#
	#  Note that it is the EAP MS-CHAPv2 sub-module, not
	#  the main 'mschap' module.
	#
	#  Note also that in order for this sub-module to work,
	#  the main 'mschap' module MUST ALSO be configured.
	#
	#  This module is the *Microsoft* implementation of MS-CHAPv2
	#  in EAP.  There is another (incompatible) implementation
	#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
	#  currently support.
	#
	#mschapv2 {
		#  Prior to version 2.1.11, the module never
		#  sent the MS-CHAP-Error message to the
		#  client.  This worked, but it had issues
		#  when the cached password was wrong.  The
		#  server *should* send "E=691 R=0" to the
		#  client, which tells it to prompt the user
		#  for a new password.
		#
		#  The default is to behave as in 2.1.10 and
		#  earlier, which is known to work.  If you
		#  set "send_error = yes", then the error
		#  message will be sent back to the client.
		#  This *may* help some clients work better,
		#  but *may* also cause other clients to stop
		#  working.
		#
	#	send_error = no

		#  Server identifier to send back in the challenge.
		#  This should generally be the host name of the
		#  RADIUS server.  Or, some information to uniquely
		#  identify it.
		#
	#	identity = "FreeRADIUS"
	#}


	#  EAP-FAST
	#
	#  The FAST module implements the EAP-FAST protocol
	#
	#fast {
		#  Point to the common TLS configuration
		#
	#	tls = tls-common

		#  If 'cipher_list' is set here, it will over-ride the
		#  'cipher_list' configuration from the 'tls-common'
		#  configuration.  The EAP-FAST module has it's own
		#  over-ride for 'cipher_list' because the
		#  specifications mandata a different set of ciphers
		#  than are used by the other EAP methods.
		#
		#  cipher_list though must include "ADH" for anonymous provisioning.
		#  This is not as straight forward as appending "ADH" alongside
		#  "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
		#  recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
		#
		#  Note - for OpenSSL 1.1.0 and above you may need
		#  to add ":@SECLEVEL=0"
		#
	#	cipher_list = "PROFILE=SYSTEM"

		#  PAC lifetime in seconds (default: seven days)
		#
	#	pac_lifetime = 604800

		#  Authority ID of the server
		#
		#  If you are running a cluster of RADIUS servers, you should make
		#  the value chosen here (and for "pac_opaque_key") the same on all
		#  your RADIUS servers.  This value should be unique to your
		#  installation.  We suggest using a domain name.
		#
	#	authority_identity = "1234"

		#  PAC Opaque encryption key (must be exactly 32 bytes in size)
		#
		#  This value MUST be secret, and MUST be generated using
		#  a secure method, such as via 'openssl rand -hex 32'
		#
	#	pac_opaque_key = "0123456789abcdef0123456789ABCDEF"

		#  Same as for TTLS, PEAP, etc.
		#
	#	virtual_server = inner-tunnel
	#}
}