# eap_peap.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# PEAP authentication as used by Windows XP (starting with SP1)
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory.
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what it is doing in great detail.
#
# In order to authenticate, the client's user name must be in ./users,
# with the password that the inner MSCHAP-V2 authentication is checked
# against (the password is only irrelevant for EAP TLS, where a client
# certificate is used instead).
#
# In order to test this, you can use the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires Net_SSLeay.pm-1.21 or later from CPAN.
# Requires openssl 0.9.7beta3 or later from www.openssl.org
# Requires Digest-HMAC from CPAN
# Requires Digest-SHA1 from CPAN
#
# You should consider this file to be a starting point only
# $Id: eap_peap.cfg,v 1.12 2006/11/09 04:54:31 mikem Exp $

LogDir		/var/log/radius
DbDir		/etc/radiator
# Use a lower trace level in production systems:
Trace		4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	Secret Stuff
	DupInterval 0
</Client>

# This Handler authenticates the inner request that Radiator extracts
# from the PEAP tunnel (see the notes on the outer Handler below)
<Handler TunnelledByPEAP=1>
	<AuthBy FILE>
		Filename %D/users
		# This tells the PEAP client what types of inner EAP requests
		# we will honour
		EAPType MSCHAP-V2
	</AuthBy>

	# This hook fixes the problem with some implementations of PEAP, where the
	# accounting requests have the User-Name of anonymous, instead of the real
	# user's name. After authenticating the inner request, the
	# PostAuthHook caches the _real_ user name in an SQL table.
	# The PreProcessingHook replaces the 'anonymous' user name in
	# accounting requests with the
	# real user name that was previously cached for the NAS and NAS-Port.
	# You can see the correct real User-Name logged in the AcctLogFileName
	# Must be used in conjunction with PreProcessingHook below
	# PostAuthHook file:"goodies/eap_anon_hook.pl"
</Handler>

# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
<Handler>
	<AuthBy FILE>
		# The username of the outer authentication
		# must be in this file to get anywhere. In this example,
		# it requires an entry for 'anonymous' which is the standard username
		# in the outer requests, and it also requires an entry for the
		# actual user name who is trying to connect (ie the 'Login name' entered
		# in the Funk Odyssey 'Edit Profile Properties' page)
		Filename %D/users

		# EAPType sets the EAP type(s) that Radiator will honour.
		# Options are: MD5-Challenge, One-Time-Password,
		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
		# Multiple types can be comma separated, with the default (most
		# preferred) type given first
		EAPType TTLS, PEAP

		# EAPTLS_CAFile is the name of a file of CA certificates
		# in PEM format. The file can contain several CA certificates.
		# Radiator will first look in EAPTLS_CAFile then in
		# EAPTLS_CAPath, so there usually is no need to set both
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

		# EAPTLS_CAPath is the name of a directory containing CA
		# certificates in PEM format. The files each contain one
		# CA certificate. The files are looked up by the CA
		# subject name hash value
		# EAPTLS_CAPath

		# EAPTLS_CertificateFile is the name of a file containing
		# the server's certificate. EAPTLS_CertificateType
		# specifies the type of the file. Can be PEM or ASN1,
		# defaults to ASN1
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM

		# EAPTLS_PrivateKeyFile is the name of the file containing
		# the server's private key. It is sometimes in the same file
		# as the server certificate (EAPTLS_CertificateFile).
		# If the private key is encrypted (usually the case)
		# then EAPTLS_PrivateKeyPassword is the key to decrypt it
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever

		# EAPTLS_RandomFile is an optional file containing
		# randomness
		# EAPTLS_RandomFile %D/certificates/random

		# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
		# size that will be replied by Radiator. It must be small
		# enough to fit in a single Radius request (ie less than 4096)
		# and still leave enough space for other attributes.
		# Aironet APs seem to need a smaller MaxFragmentSize
		# (eg 1024) than the default of 2048. Others need even smaller sizes.
		EAPTLS_MaxFragmentSize 1024

		# EAPTLS_DHFile if set specifies the DH group file. It
		# may be required if you need to use ephemeral DH keys.
		# EAPTLS_DHFile %D/certificates/cert/dh

		# If EAPTLS_CRLCheck is set and the client presents a certificate
		# then Radiator will look for a certificate revocation list (CRL)
		# for the certificate issuer
		# when authenticating each client. If a CRL file is not found, or
		# if the CRL says the certificate has been revoked, the authentication will
		# fail with an error:
		# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
		# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
		# Alternatively, CRLs may follow a file naming convention:
		# the hash of the issuer subject name
		# and a suffix that depends on the serial number,
		# eg ab1331b2.r0, ab1331b2.r1 etc.
		# You can find out the hash of the issuer name in a CRL with
		# openssl crl -in crl.pem -hash -noout
		# CRLs with this name convention
		# will be searched in EAPTLS_CAPath, else in the openssl
		# certificates directory, typically /usr/local/openssl/certs/
		# CRLs are expected to be in PEM format.
		# A CRL file can be generated with openssl like this:
		# openssl ca -gencrl -revoke cert-clt.pem
		# openssl ca -gencrl -out crl.pem
		# Use of these flags requires Net_SSLeay-1.21 or later
		#EAPTLS_CRLCheck
		#EAPTLS_CRLFile %D/certificates/crl.pem
		#EAPTLS_CRLFile %D/certificates/revocations.pem

		# Some clients, depending on their configuration, may require you to specify
		# MPPE send and receive keys. This _will_ be required if you select
		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
		# client Network Properties dialog.
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		AutoMPPEKeys

		# You can enable some warning messages from the Net::SSLeay
		# module by setting SSLeayTrace to an integer from 1 to 4
		# 1=ciphers, 2=trace, 3=dump data
		SSLeayTrace 4

		# You can configure the User-Name that will be used for the inner
		# authentication. Defaults to 'anonymous'. This can be useful
		# when proxying the inner authentication. If there is a realm, it can
		# be used to choose a local Realm to handle the inner authentication.
		# %0 is replaced with the EAP identity
		# EAPAnonymous anonymous@some.other.realm

		# You can enable or disable support for TTLS Session Resumption and
		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
		# Default is enabled
		#EAPTLS_SessionResumption 0

		# You can limit how long after the initial session that a session can be resumed
		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
		# (12 hours)
		#EAPTLS_SessionResumptionLimit 10

		# You can control which version of the draft PEAP protocol to honour
		# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
		# such as Funk Odyssey Client 2.22 or later. For Funk Odyssey
		# version 4, use EAPTLS_PEAPVersion 1,
		# but set EAPTLS_PEAPBrokenV1Label below
		EAPTLS_PEAPVersion 0

		# You can make PEAP Version 1 support compatible with
		# nonstandard PEAP V1 clients that use the old broken TLS encryption labels that
		# appear to be used frequently, due to Microsoft's use of the incorrect
		# label in its V0 client. You should use this with Funk Odyssey
		# Client version 4 when EAPTLS_PEAPVersion is set to 1
		#EAPTLS_PEAPBrokenV1Label
	</AuthBy>

	# This hook fixes the problem with some implementations of PEAP, where the
	# accounting requests have the User-Name of anonymous, instead of the real
	# user's name. After authenticating the inner request, the
	# PostAuthHook caches the _real_ user name in an SQL table.
	# The PreProcessingHook replaces the 'anonymous' user name in
	# accounting requests with the
	# real user name that was previously cached for the NAS and NAS-Port.
	# You can see the correct real User-Name logged in the AcctLogFileName
	# Must be used in conjunction with PostAuthHook above
	# PreProcessingHook file:"goodies/eap_anon_hook.pl"
</Handler>
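The EAPTLS_MaxFragmentSize comments above give the rule (under 4096 octets, with room for other attributes) but not the arithmetic. The following is an added example, not part of Radiator or this config file: it works out how large the Access-Challenge carrying one TLS fragment is, using the fixed sizes from RFC 2865 (RADIUS), RFC 3748 (EAP) and RFC 5216 (EAP-TLS), and finds the largest fragment that fits a given limit. The 18 octet State size and the 1472 octet Ethernet figure used in the demonstration are assumptions.

```python
# Added example: size check for Radiator's EAPTLS_MaxFragmentSize.
# Constants come from the RADIUS, EAP and EAP-TLS RFCs; the State
# attribute size and the MTU-derived limit below are assumptions.
import math

RADIUS_HEADER = 20          # Code, Identifier, Length, Authenticator
RADIUS_MAX_LEN = 4096       # maximum RADIUS packet length (RFC 2865)
ATTR_OVERHEAD = 2           # Type + Length octets per attribute
EAP_MESSAGE_CHUNK = 253     # largest EAP-Message value: 255 - ATTR_OVERHEAD
EAP_HEADER = 4              # Code, Identifier, Length
EAP_TLS_HEADER = 2          # Type, Flags
EAP_TLS_LENGTH_FIELD = 4    # TLS Message Length, sent on the first fragment
MESSAGE_AUTHENTICATOR = 18  # 2 octet header + 16 octet HMAC-MD5, mandatory with EAP

def eap_tls_len(fragment_size, first_fragment=True):
    """Length of the EAP-Request/TLS packet carrying one TLS fragment."""
    length = EAP_HEADER + EAP_TLS_HEADER + fragment_size
    return length + (EAP_TLS_LENGTH_FIELD if first_fragment else 0)

def eap_message_chunks(eap_len):
    """Number of EAP-Message attributes needed to carry the EAP packet."""
    return math.ceil(eap_len / EAP_MESSAGE_CHUNK)

def access_challenge_len(fragment_size, other_attr_bytes=0):
    """Octets in the Access-Challenge that delivers one fragment.
    other_attr_bytes covers State, Proxy-State and similar attributes."""
    eap_len = eap_tls_len(fragment_size)
    eap_attrs = eap_len + eap_message_chunks(eap_len) * ATTR_OVERHEAD
    return RADIUS_HEADER + eap_attrs + MESSAGE_AUTHENTICATOR + other_attr_bytes

def fragment_fits(fragment_size, other_attr_bytes=0, limit=RADIUS_MAX_LEN):
    """True when the whole Access-Challenge stays within limit octets."""
    return access_challenge_len(fragment_size, other_attr_bytes) <= limit

def max_fragment_size(other_attr_bytes=0, limit=RADIUS_MAX_LEN):
    """Largest EAPTLS_MaxFragmentSize whose Access-Challenge fits in limit."""
    for size in range(limit, 0, -1):
        if fragment_fits(size, other_attr_bytes, limit):
            return size
    return 0

if __name__ == "__main__":
    # Radiator's default of 2048 and the 1024 used in the config above,
    # against the RADIUS maximum and against an assumed 1500 byte Ethernet
    # MTU (1500 - 20 IP - 8 UDP = 1472 octets left for the RADIUS packet).
    for size in (2048, 1024):
        print(size, access_challenge_len(size), fragment_fits(size, limit=1472))
    print("largest for 1472 octets with an 18 octet State:",
          max_fragment_size(18, 1472))
```

The packet size only grows by two octets per extra EAP-Message attribute, so the 4096 ceiling is rarely the binding limit; the path MTU between NAS and server, which the config comments attribute to particular APs, is what usually forces a smaller value.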