#################################################################
# Change the four values below to make this config file support #
# the authPort and acctPort you need. #
#################################################################
DefineGlobalVar auPort 1812
DefineGlobalVar acPort 1813
AuthPort 1812
AcctPort 1813
################################################
# Your Should Not Need To Edit Below This Line #
################################################
Foreground
LogStdout
SnmpgetProg /usr/bin/snmpget
LogDir /var/log/radius
PidFile /var/run/radiusd_au%{GlobalVar:auPort}-ac%{GlobalVar:acPort}-radiusd.pid
DbDir /usr/local/raddb
LogFile %L/%Y%m%d_au%{GlobalVar:auPort}-ac%{GlobalVar:acPort}.logfile
include %D/conf/clients.cfg
# User a lower trace level in production systems,
Trace 6
# This is where we authenticate a EAP-TTLS inner request, which may
# also be an EAP request.
# Some Funk Odyssey clients always calculate TTLS-MSCHAPV2
# passwords based on the username _without_ the
# realm. Therefore
# you may need to strip the realm here in order to get
# TTLS-MSCHAPV2 working with Funk Odyssey client
#RewriteUsername s/^(.*?)\@.*$/$1/
Filename %D/users
# This tells the TTLS client what types of inner EAP requests
# we will honour
EAPType MSCHAP-V2
# This hook may be used with EAP-TTLS where the accounting
# requests can have anything for User-Name, instead of the
# real user name. After authenticating the inner EAP-TTLS
# request, the PostAuthHook caches the _real_ user name in an
# SQL table, The PreProcessingHook replaces the 'anonymous'
# user name in accounting requests with the real user name
# that was previously cached for the NAS and NAS-Port. You
# can see the correct real User-Name logged in the
# AcctLogFileName. Must be used in conjunction with
# PreProcessingHook below
# PostAuthHook file:"goodies/eap_anon_hook.pl"
# The original TTLS request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the
# inner authentication extracted.
#
# The inner authentication request will sent again to a matching Realm
# or Handler. The special check item TunnelledByTTLS=1 can be used to
# select a specific handler. This allows you to select an inner
# authentication method based on realm, or the fact that they were
# tunnelled. You can therfore act just as a EAP-TTLS server, or also
# act as the AAA/H home server, and authenticate EAP-TTLS requests
# locally or proxy them to another remote server based on the realm of
# the inner authentication request.
#
# In this basic example the inner authentication is authenticated from
# a file by AuthBy FILE
# users file will not be used for tunnelled EAP outer
# authentication. EAP-TTLS inner authentication is
# handled by its own Handler above.
Filename %D/users
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType TTLS
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to descrypt it
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile is an optional file containing
# randomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048. Others need even smaller sizes.
EAPTLS_MaxFragmentSize 1000
# EAPTLS_Protocols is a comma separated list of TLS
# protocols that are permissible for EAP
# authentication. Currently supported protocols are:
# TLSv1, TLSv1.1 and TLSv1.2. There is no default and
# all TLS protocols are allowed.
#EAPTLS_Protocols TLSv1.1, TLSv1.2
# EAPTLS_Ciphers specifies which subset of cipher
# suites is permissible for EAP authentication, using
# the standard OpenSSL string format. The default is
# DEFAULT:!EXPORT:!LOW
#EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW:!RC4
# Ephemeral key exchange is supported with Diffie-Hellman key
# exchange (DHE) and Elliptic Curve Diffie-Hellman key
# exchange (ECDHE). See the reference manual for details.
#EAPTLS_DHFile %D/certificates/dh2048.pem
#EAPTLS_ECDH_Curve prime256v1
# If EAPTLS_CRLCheck is set and the client presents a certificate
# then Radiator will look for a certificate revocation list (CRL)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found, or
# if the CRL says the certificate has neen revoked, the authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with tis name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# A CRL files can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
# TLS_CRLFile can include operating system wildcards to refer to multiple CRLS
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
#EAPTLS_CRLFile %D/crls/*.r0
#
# Set EAPTLS_CRLCheckAll with EAPTLS_CRLCheck to
# enable CRL checks for the entire certificate
# chain. The above notes about CRL files apply to
# intermediate CRLs too.
#EAPTLS_CRLCheckAll
# EAPTLS_PolicyOID enables certificate policy checking and specifies one or more policy OIDs
# that must be present in the certificate path. It sets the \'require explicit policy\'
# flag as defined in RFC3280. Requires Net-SSLeay 1.37 or later
#EAPTLS_PolicyOID 2.5.29.32.0
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
#AutoMPPEKeys
# You can configure the User-Name that will be used
# for the inner authentication if the inner
# authentication does not already have
# User-Name. Defaults to 'anonymous'. This can be
# useful when proxying the inner authentication. If
# there is a realm, it can be used to choose a Handler
# to handle the inner authentication.
# %0 is replaced with the EAP identity.
#EAPAnonymous anonymous@some.other.realm
# You can enable or disable support for TTLS Session Resumption and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
# Some supplicants (notably PBG4 on MAC OSX) do not conform to the TTLS
# protocol specification, and do not understand the ACK sent
# by the server at the end of TLS negotiation and session
# resumption, resulting in session resumption not
# completing. This flag enables a workaround for such
# supplicants. Many other supplicants are happy with this too.
#EAPTTLS_NoAckRequired
# You can force the supplicant to present a valid client
# certificate with EAPTLS_RequireClientCert
#EAPTLS_RequireClientCert
# OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746.
# This counters the prefix attack described in CVE-2009-3555 and elsewhere.
# However this can cause problems when authenticating unpatched supplicants.
# You can work around this issue by setting EAPTLS_AllowUnsafeLegacyRenegotiation
#EAPTLS_AllowUnsafeLegacyRenegotiation
# You can enable TLS state tracing. Useful mostly for
# tracing TLS handshake process. Tracing is also
# enabled when global Trace is set to 5 or PacketTrace
# is set for the request that initiates the TLS
# handshake. Defaults to off.
#EAPTLS_TraceState
# This hook may be used with TTLS where the accounting
# requests can have anything for User-Name, instead of the
# real user name. After authenticating the inner TTLS request,
# the PostAuthHook caches the _real_ user name in an SQL
# table, The PreProcessingHook replaces the 'anonymous' user
# name in accounting requests with the real user name that was
# previously cached for the NAS and NAS-Port. You can see the
# correct real User-Name logged in the AcctLogFileName. Must
# be used in conjunction with PreProcessingHook below
# PostAuthHook file:"goodies/eap_anon_hook.pl"
# PreProcessingHook file:"goodies/eap_anon_hook.pl"
# AcctLogFileName %D/detail