# eap_peap.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# PEAP authentication as used by Windows XP (starting with SP1)
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory.
# It will accept requests from any client and try to handle request
# for any realm.
# And it will print out what it is doing in great detail.
#
# In order to authenticate, the client's user name must be in ./users
# (the password is irrelevant for EAP TLS).
#
# In order to test this, you can use the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires Net_SSLeay.pm-1.21 or later from CPAN.
# Requires openssl 0.9.7beta3 or later from www.openssl.org
# Requires Digest-HMAC from CPAN
# Requires Digest-SHA1 from CPAN
#
# You should consider this file to be a starting point only
# $Id: eap_peap.cfg,v 1.12 2006/11/09 04:54:31 mikem Exp $
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
Secret Secret Stuff
DupInterval 0
Filename %D/users
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType MSCHAP-V2
UsernameMatchesWithoutRealm
Filename %D/users
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType MSCHAP-V2
# This hook fixes the problem with some implementations of PEAP, where the
# accounting requests have the User-Name of anonymous, instead of the real
# user's name. After authenticating the inner TTLS request, the
# PostAuthHook caches the _real_ user name in an SQL table.
# The PreProcessingHook replaces the 'anonymous' user name in
# accounting requests with the
# real user name that was previously cached for the NAS and NAS-Port.
# You can see the correct real User-Name logged in the AcctLogFileName
# Must be used in conjunction with PreProcessingHook below
# PostAuthHook file:"goodies/eap_anon_hook.pl"
# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
# The username of the outer authentication
# must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page).
Filename %D/users
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType TTLS, PEAP
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile is an optional file containing
# randomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048. Others need even smaller sizes.
EAPTLS_MaxFragmentSize 1024
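# As an added illustration (not part of this file or of Radiator), the Python
# below estimates how large the Access-Challenge carrying one TLS fragment of a
# given EAPTLS_MaxFragmentSize becomes, using the header sizes from RFC 2865
# (RADIUS) and RFC 5216 (EAP-TLS); the size allowed for other attributes such
# as State is a constructed figure you pass in.

```python
# Added example, not Radiator code: size of a RADIUS Access-Challenge that
# carries one EAP-TLS/PEAP fragment, to check it stays under the 4096 limit.
RADIUS_MAX_PACKET = 4096        # RFC 2865 maximum packet length
RADIUS_HEADER = 20              # code, identifier, length, authenticator
ATTR_HEADER = 2                 # type + length octets per attribute
ATTR_MAX_VALUE = 253            # 255 - 2 octet attribute header
EAP_HEADER = 4                  # code, identifier, length
EAP_TLS_TYPE_FLAGS = 2          # EAP type octet + EAP-TLS flags octet
EAP_TLS_LENGTH_FIELD = 4        # present when the L flag is set (first fragment)
MESSAGE_AUTHENTICATOR = 18      # type, length, 16-octet HMAC-MD5


def eap_packet_len(fragment_size, first_fragment=True):
    """Length of the EAP packet wrapping one TLS fragment."""
    length = EAP_HEADER + EAP_TLS_TYPE_FLAGS + fragment_size
    if first_fragment:
        length += EAP_TLS_LENGTH_FIELD
    return length


def eap_message_attrs(fragment_size, first_fragment=True):
    """Number of 253-octet EAP-Message attributes needed for that EAP packet."""
    return -(-eap_packet_len(fragment_size, first_fragment) // ATTR_MAX_VALUE)


def challenge_size(fragment_size, other_attr_bytes=0, first_fragment=True):
    """Total RADIUS packet size; other_attr_bytes is a constructed allowance
    for State and any other attributes the server adds."""
    return (RADIUS_HEADER
            + eap_packet_len(fragment_size, first_fragment)
            + eap_message_attrs(fragment_size, first_fragment) * ATTR_HEADER
            + MESSAGE_AUTHENTICATOR
            + other_attr_bytes)


def fits_in_radius(fragment_size, other_attr_bytes=0):
    return challenge_size(fragment_size, other_attr_bytes) <= RADIUS_MAX_PACKET


def largest_safe_fragment(other_attr_bytes=0):
    """Largest fragment whose first-fragment challenge still fits in 4096."""
    size = RADIUS_MAX_PACKET
    while size > 0 and not fits_in_radius(size, other_attr_bytes):
        size -= 1
    return size


if __name__ == "__main__":
    for frag in (1024, 2048, 4000):
        print(frag, challenge_size(frag, 40), fits_in_radius(frag, 40))
    print("largest safe fragment with 40 octets of other attributes:",
          largest_safe_fragment(40))
```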
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/cert/dh
# If EAPTLS_CRLCheck is set and the client presents a certificate
# then Radiator will look for a certificate revocation list (CRL)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found, or
# if the CRL says the certificate has been revoked, the authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with this naming convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# A CRL file can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# Some clients, depending on their configuration, may require you to specify
# MPPE send and receive keys. This _will_ be required if you select
# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys
# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
SSLeayTrace 4
# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If there is a realm, it can
# be used to choose a local Realm to handle the inner authentication.
# %0 is replaced with the EAP identity
# EAPAnonymous anonymous@some.other.realm
# You can enable or disable support for TTLS Session Resumption and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
# You can control which version of the draft PEAP protocol to honour
# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
# such as Funk Odyssey Client 2.22 or later. For Funk Odyssey
# version 4, use EAPTLS_PEAPVersion 1,
# but set EAPTLS_PEAPBrokenV1Label below
EAPTLS_PEAPVersion 0
# You can make PEAP Version 1 support compatible with
# nonstandard PEAP V1 clients that use the old broken TLS encryption labels that
# appear to be used frequently, due to Microsoft's use of the incorrect
# label in its V0 client. You should use this with Funk Odyssey
# Client version 4 when EAPTLS_PEAPVersion is set to 1
#EAPTLS_PEAPBrokenV1Label
# This hook fixes the problem with some implementations of PEAP, where the
# accounting requests have the User-Name of anonymous, instead of the real
# user's name. After authenticating the inner TTLS request, the
# PostAuthHook caches the _real_ user name in an SQL table.
# The PreProcessingHook replaces the 'anonymous' user name in
# accounting requests with the
# real user name that was previously cached for the NAS and NAS-Port.
# You can see the correct real User-Name logged in the AcctLogFileName
# Must be used in conjunction with PostAuthHook above
# PreProcessingHook file:"goodies/eap_anon_hook.pl"