#################################################################
# Change the four values below to make this config file support #
# the authPort and acctPort you need.                           #
#################################################################
DefineGlobalVar auPort 1812
DefineGlobalVar acPort 1813
AuthPort 1812
AcctPort 1813

################################################
# You Should Not Need To Edit Below This Line  #
################################################
Foreground
LogStdout
SnmpgetProg /usr/bin/snmpget
LogDir /var/log/radius
PidFile /var/run/radiusd_au%{GlobalVar:auPort}-ac%{GlobalVar:acPort}-radiusd.pid
DbDir /usr/local/raddb
LogFile %L/%Y%m%d_au%{GlobalVar:auPort}-ac%{GlobalVar:acPort}.logfile

include %D/conf/clients.cfg

# Use a lower trace level in production systems: Trace 4 and above log
# the attributes of every request (including inner EAP identities), and
# Trace 5 and above also trace the TLS handshake.
Trace 6

# This is where we authenticate an EAP-TTLS inner request, which may
# also be an EAP request.
<Handler TunnelledByTTLS=1>
    # Some Funk Odyssey clients always calculate TTLS-MSCHAPV2
    # passwords based on the username _without_ the realm. Therefore
    # you may need to strip the realm here in order to get
    # TTLS-MSCHAPV2 working with Funk Odyssey clients.
    #RewriteUsername s/^(.*?)\@.*$/$1/
    <AuthBy FILE>
        Filename %D/users

        # This tells the TTLS client what types of inner EAP requests
        # we will honour
        EAPType MSCHAP-V2
    </AuthBy>

    # This hook may be used with EAP-TTLS where the accounting
    # requests can have anything for User-Name, instead of the
    # real user name. After authenticating the inner EAP-TTLS
    # request, the PostAuthHook caches the _real_ user name in an
    # SQL table. The PreProcessingHook replaces the 'anonymous'
    # user name in accounting requests with the real user name
    # that was previously cached for the NAS and NAS-Port. You
    # can see the correct real User-Name logged in the
    # AcctLogFileName. Must be used in conjunction with the
    # PreProcessingHook below.
    # PostAuthHook file:"goodies/eap_anon_hook.pl"
</Handler>

# The original TTLS request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the
# inner authentication extracted.
#
# The inner authentication request will be sent again to a matching Realm
# or Handler. The special check item TunnelledByTTLS=1 can be used to
# select a specific handler. This allows you to select an inner
# authentication method based on realm, or on the fact that it was
# tunnelled. You can therefore act just as an EAP-TTLS server, or also
# act as the AAA/H home server, and authenticate EAP-TTLS requests
# locally or proxy them to another remote server based on the realm of
# the inner authentication request.
#
# In this basic example the inner authentication is authenticated from
# a file by AuthBy FILE.
<Handler>
    <AuthBy FILE>
        # The users file will not be used for tunnelled EAP outer
        # authentication. EAP-TTLS inner authentication is
        # handled by its own Handler above.
        Filename %D/users

        # EAPType sets the EAP type(s) that Radiator will honour.
        # Options are: MD5-Challenge, One-Time-Password,
        # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2.
        # Multiple types can be comma separated, with the default (most
        # preferred) type given first.
        EAPType TTLS

        # EAPTLS_CAFile is the name of a file of CA certificates
        # in PEM format. The file can contain several CA certificates.
        # Radiator will first look in EAPTLS_CAFile, then in
        # EAPTLS_CAPath, so there is usually no need to set both.
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

        # EAPTLS_CAPath is the name of a directory containing CA
        # certificates in PEM format. The files each contain one
        # CA certificate. The files are looked up by the CA
        # subject name hash value.
        # EAPTLS_CAPath

        # EAPTLS_CertificateFile is the name of a file containing
        # the server's certificate. EAPTLS_CertificateType
        # specifies the type of the file. Can be PEM or ASN1;
        # defaults to ASN1.
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM

        # EAPTLS_PrivateKeyFile is the name of the file containing
        # the server's private key. It is sometimes in the same file
        # as the server certificate (EAPTLS_CertificateFile).
        # If the private key is encrypted (usually the case)
        # then EAPTLS_PrivateKeyPassword is the key to decrypt it.
        # The password is stored in cleartext here, so replace the demo
        # certificates and this password before production use and keep
        # this file readable only by the user radiusd runs as.
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever

        # EAPTLS_RandomFile is an optional file containing
        # randomness.
        # EAPTLS_RandomFile %D/certificates/random

        # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
        # size that will be replied by Radiator. It must be small
        # enough to fit in a single RADIUS request (i.e. less than 4096)
        # and still leave enough space for other attributes.
        # Aironet APs seem to need a smaller MaxFragmentSize
        # (e.g. 1024) than the default of 2048. Others need even smaller sizes.
        EAPTLS_MaxFragmentSize 1000

        # EAPTLS_Protocols is a comma separated list of TLS
        # protocols that are permissible for EAP
        # authentication. Currently supported protocols are:
        # TLSv1, TLSv1.1 and TLSv1.2. There is no default, and
        # with it unset all TLS protocols are allowed. In production,
        # restrict this: TLSv1 and TLSv1.1 are deprecated (RFC 8996).
        #EAPTLS_Protocols TLSv1.1, TLSv1.2

        # EAPTLS_Ciphers specifies which subset of cipher
        # suites is permissible for EAP authentication, using
        # the standard OpenSSL string format. The default is
        # DEFAULT:!EXPORT:!LOW
        #EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW:!RC4

        # Ephemeral key exchange is supported with Diffie-Hellman key
        # exchange (DHE) and Elliptic Curve Diffie-Hellman key
        # exchange (ECDHE). See the reference manual for details.
        #EAPTLS_DHFile %D/certificates/dh2048.pem
        #EAPTLS_ECDH_Curve prime256v1

        # If EAPTLS_CRLCheck is set and the client presents a certificate
        # then Radiator will look for a certificate revocation list (CRL)
        # for the certificate issuer when authenticating each client.
        # If a CRL file is not found, or if the CRL says the certificate
        # has been revoked, the authentication will fail with an error:
        # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
        # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
        # Alternatively, CRLs may follow a file naming convention:
        # the hash of the issuer subject name
        # and a suffix that depends on the serial number,
        # e.g. ab1331b2.r0, ab1331b2.r1 etc.
        # You can find out the hash of the issuer name in a CRL with
        # openssl crl -in crl.pem -hash -noout
        # CRLs with this naming convention
        # will be searched for in EAPTLS_CAPath, else in the OpenSSL
        # certificates directory, typically /usr/local/openssl/certs/
        # CRLs are expected to be in PEM format.
        # A CRL file can be generated with openssl like this (revoke first,
        # then regenerate the CRL from the CA index):
        # openssl ca -revoke cert-clt.pem
        # openssl ca -gencrl -out crl.pem
        # To place it in EAPTLS_CAPath under the hashed name:
        # ln -s crl.pem $(openssl crl -in crl.pem -hash -noout).r0
        # Note that a CRL has a nextUpdate time; regenerate it before that
        # expires, or every client-certificate authentication will fail.
        # Use of these flags requires Net-SSLeay 1.21 or later.
        # EAPTLS_CRLFile can include operating system wildcards to refer to multiple CRLs.
        #EAPTLS_CRLCheck
        #EAPTLS_CRLFile %D/certificates/crl.pem
        #EAPTLS_CRLFile %D/certificates/revocations.pem
        #EAPTLS_CRLFile %D/crls/*.r0
        #
        # Set EAPTLS_CRLCheckAll with EAPTLS_CRLCheck to
        # enable CRL checks for the entire certificate
        # chain. The above notes about CRL files apply to
        # intermediate CRLs too.
        #EAPTLS_CRLCheckAll

        # EAPTLS_PolicyOID enables certificate policy checking and specifies one or more policy OIDs
        # that must be present in the certificate path. It sets the 'require explicit policy'
        # flag as defined in RFC 3280. Requires Net-SSLeay 1.37 or later.
        #EAPTLS_PolicyOID 2.5.29.32.0

        # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
        # in the final Access-Accept
        #AutoMPPEKeys

        # You can configure the User-Name that will be used
        # for the inner authentication if the inner
        # authentication does not already have a
        # User-Name. Defaults to 'anonymous'. This can be
        # useful when proxying the inner authentication. If
        # there is a realm, it can be used to choose a Handler
        # to handle the inner authentication.
        # %0 is replaced with the EAP identity.
        #EAPAnonymous anonymous@some.other.realm

        # You can enable or disable support for TTLS Session Resumption and
        # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
        # Default is enabled.
        #EAPTLS_SessionResumption 0

        # You can limit how long after the initial session a session can be resumed
        # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
        # (12 hours).
        #EAPTLS_SessionResumptionLimit 10

        # Some supplicants (notably PBG4 on Mac OS X) do not conform to the TTLS
        # protocol specification, and do not understand the ACK sent
        # by the server at the end of TLS negotiation and session
        # resumption, resulting in session resumption not
        # completing. This flag enables a workaround for such
        # supplicants. Many other supplicants are happy with this too.
        #EAPTTLS_NoAckRequired

        # You can force the supplicant to present a valid client
        # certificate with EAPTLS_RequireClientCert. Combine it with
        # EAPTLS_CRLCheck, otherwise a revoked client certificate is
        # still accepted.
        #EAPTLS_RequireClientCert

        # OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC 5746.
        # This counters the prefix attack described in CVE-2009-3555 and elsewhere.
        # However this can cause problems when authenticating unpatched supplicants.
        # You can work around this issue by setting EAPTLS_AllowUnsafeLegacyRenegotiation,
        # but doing so re-exposes the server to that attack; prefer patching the supplicants.
        #EAPTLS_AllowUnsafeLegacyRenegotiation

        # You can enable TLS state tracing. Useful mostly for
        # tracing the TLS handshake process. Tracing is also
        # enabled when global Trace is set to 5 or PacketTrace
        # is set for the request that initiates the TLS
        # handshake. Defaults to off.
        #EAPTLS_TraceState
    </AuthBy>

    # This hook may be used with TTLS where the accounting
    # requests can have anything for User-Name, instead of the
    # real user name. After authenticating the inner TTLS request,
    # the PostAuthHook caches the _real_ user name in an SQL
    # table. The PreProcessingHook replaces the 'anonymous' user
    # name in accounting requests with the real user name that was
    # previously cached for the NAS and NAS-Port. You can see the
    # correct real User-Name logged in the AcctLogFileName. Must
    # be used in conjunction with the PreProcessingHook below.
    # PostAuthHook file:"goodies/eap_anon_hook.pl"
    # PreProcessingHook file:"goodies/eap_anon_hook.pl"
    # AcctLogFileName %D/detail
</Handler>
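The comments above name several settings that decide how strong the EAP-TTLS server actually is (the Trace level, EAPTLS_Protocols, the !RC4 cipher exclusion, EAPTLS_AllowUnsafeLegacyRenegotiation, EAPTLS_RequireClientCert without EAPTLS_CRLCheck, EAPTLS_MaxFragmentSize, and the cleartext EAPTLS_PrivateKeyPassword). The Python below is an added example, not part of Radiator or of this configuration file: it implements a minimal parser for the syntax used above (keyword lines, <Clause args> blocks, '#' comments, %D and %{GlobalVar:name}) and audits every clause whose EAPType runs a TLS handshake. The helper names parse, expand and audit, the finding names, and the two embedded sample configs WEAK_CFG and HARDENED_CFG are this example's own constructed assumptions, not Radiator identifiers.

```python
"""Lint the EAP-TLS/TTLS settings of a Radiator-style config (added example)."""
import re

OPEN = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$")  # e.g. <Handler TunnelledByTTLS=1>
CLOSE = re.compile(r"^</(\w+)>$")
GLOBALVAR = re.compile(r"%\{GlobalVar:(\w+)\}")
TLS_EAP_TYPES = {"TLS", "TTLS", "PEAP"}  # EAP types that run a TLS handshake
LEGACY_TLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

def parse(text):
    """Return (top, gvars, clauses): top-level keywords, DefineGlobalVar values,
    and (path, args, settings) per clause in closing order, e.g.
    ("Handler/AuthBy", "FILE", {...}). A flag with no value is stored as ""."""
    top, gvars, clauses, stack = {}, {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            stack.append((m.group(1), m.group(2) or "", {}))
        elif m := CLOSE.match(line):
            name, args, settings = stack.pop()
            if name != m.group(1):
                raise ValueError(f"</{m.group(1)}> closes <{name}>")
            clauses.append(("/".join([n for n, _, _ in stack] + [name]), args, settings))
        else:
            key, *rest = line.split(None, 1)
            value = rest[0] if rest else ""
            if key == "DefineGlobalVar":
                name, val = value.split(None, 1)
                gvars[name] = val
            else:
                (stack[-1][2] if stack else top)[key] = value
    if stack:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return top, gvars, clauses

def expand(value, top, gvars):
    """Expand %{GlobalVar:x} and %D (DbDir) the way the config above uses them."""
    value = GLOBALVAR.sub(lambda m: gvars.get(m.group(1), m.group(0)), value)
    return value.replace("%D", top.get("DbDir", "%D"))

def audit(text):
    """Return (where, finding) pairs for the weak settings the comments warn about."""
    top, _, clauses = parse(text)
    findings = []
    if int(top.get("Trace", "0")) >= 5:  # Trace 5+ logs packets and TLS state
        findings.append(("global", "trace-level"))
    for path, args, s in clauses:
        types = {t.strip() for t in s.get("EAPType", "").split(",")}
        if not types & TLS_EAP_TYPES:
            continue  # no TLS handshake here, EAPTLS_* settings are unused
        where = f"{path} {args}".strip()
        if "EAPTLS_Protocols" not in s:  # documented: no default, every version allowed
            findings.append((where, "tls-versions-unrestricted"))
        elif {p.strip() for p in s["EAPTLS_Protocols"].split(",")} & LEGACY_TLS:
            findings.append((where, "legacy-tls-version"))
        ciphers = s.get("EAPTLS_Ciphers", "DEFAULT:!EXPORT:!LOW")  # documented default
        if "!RC4" not in ciphers.split(":"):
            findings.append((where, "rc4-allowed"))
        if "EAPTLS_AllowUnsafeLegacyRenegotiation" in s:  # reopens CVE-2009-3555
            findings.append((where, "unsafe-renegotiation"))
        if "EAPTLS_RequireClientCert" in s and "EAPTLS_CRLCheck" not in s:
            findings.append((where, "client-cert-without-crl"))
        if int(s.get("EAPTLS_MaxFragmentSize", "2048")) >= 4096:  # must fit one RADIUS packet
            findings.append((where, "fragment-too-large"))
        if s.get("EAPTLS_PrivateKeyPassword"):  # key password sits in the config file
            findings.append((where, "cleartext-key-password"))
    return findings

# Constructed sample that mirrors the settings of the config above
WEAK_CFG = """\
DefineGlobalVar auPort 1812
DbDir /usr/local/raddb
Trace 6
<Handler TunnelledByTTLS=1>
    <AuthBy FILE>
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        EAPType TTLS
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
    </AuthBy>
</Handler>
"""

# The same config with the production settings the comments above recommend
HARDENED_CFG = WEAK_CFG.replace("Trace 6", "Trace 3").replace(
    "EAPTLS_MaxFragmentSize 1000",
    "EAPTLS_MaxFragmentSize 1000\n"
    "        EAPTLS_Protocols TLSv1.2\n"
    "        EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW:!RC4\n"
    "        EAPTLS_RequireClientCert\n"
    "        EAPTLS_CRLCheck")
```

Running audit(WEAK_CFG) reports the trace level, the unrestricted TLS versions, RC4 and the cleartext key password; audit(HARDENED_CFG) leaves only the key password, which Radiator needs in the file and which therefore has to be protected by file permissions rather than removed. The inner `<Handler TunnelledByTTLS=1>` produces no TLS findings because its EAPType is MSCHAP-V2, which runs inside the outer tunnel rather than its own handshake.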