# eap_peap.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# PEAP authentication as used by Windows XP (starting with SP1)
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory.
# It will accept requests from any client and try to handle request
# for any realm.
# And it will print out what its doing in great detail.
#
# In order to authenticate, the clients user name must be in ./users 
# (the password is irrelevant for EAP TLS).
#
# In order to test this, you can user the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and 
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires Net_SSLeay.pm-1.21 or later from CPAN. 
# Requires openssl 0.9.7beta3 or later from www.openssl.org
# Requires Digest-HMAC from CPAN
# Requires Digest-SHA1 from CPAN
#
# You should consider this file to be a starting point only
# $Id: eap_peap.cfg,v 1.12 2006/11/09 04:54:31 mikem Exp $

LogDir		/var/log/radius
DbDir		/etc/radiator
# User a lower trace level in production systems:
Trace 		4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	Secret Stuff
	DupInterval 0
</Client>

<Handler TunnelledByTTLS=1>
	<AuthBy FILE>
		Filename %D/users

		# This tells the PEAP client what types of inner EAP requests
		# we will honour
		EAPType MSCHAP-V2
	</AuthBy>
</Handler>

<Handler TunnelledByPEAP=1>
	<AuthBy FILE>
		UsernameMatchesWithoutRealm
		Filename %D/users

		# This tells the PEAP client what types of inner EAP requests
		# we will honour
		EAPType MSCHAP-V2
	</AuthBy>
	# This hook fixes the problem with some implementations of PEAP, where the
	# accounting requests have the User-Name of anonymous, instead of the real
	# users name. After authenticating the inner TTLS request, the
	# PostAuthHook caches the _real_ user name in an SQL table,
	# The PreProcessingHook replaces the 'anonymous' user name in 
	# accounting requests with the 
	# real user name that was previously cached for the NAS and NAS-Port.
	# You can see the correct real User-Name logged in the AcctLogFileName
	# Must be used in conjunction with PreProcessingHook below
#	PostAuthHook file:"goodies/eap_anon_hook.pl"
</Handler>


# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therfore act just as a PEAP server, or also 
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authenticaiton request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
<Handler>
	<AuthBy FILE>
		# The username of the outer authentication
		#  must be in this file to get anywhere. In this example,
		# it requires an entry for 'anonymous' which is the standard username 
		# in the outer requests, and it also requires an entry for the
		# actual user name who is trying to connect (ie the 'Login name' entered
		# in the Funk Odyssey 'Edit Profile Properties' page
		Filename %D/users

		# EAPType sets the EAP type(s) that Radiator will honour.
		# Options are: MD5-Challenge, One-Time-Password
		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
		# Multiple types can be comma separated. With the default (most
		# preferred) type given first
		EAPType TTLS, PEAP 

		# EAPTLS_CAFile is the name of a file of CA certificates 
		# in PEM format. The file can contain several CA certificates
		# Radiator will first look in EAPTLS_CAFile then in
		# EAPTLS_CAPath, so there usually is no need to set both
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

		# EAPTLS_CAPath is the name of a directory containing CA
    		# certificates in PEM format. The files each contain one 
		# CA certificate. The files are looked up by the CA 
		# subject name hash value
#		EAPTLS_CAPath

		# EAPTLS_CertificateFile is the name of a file containing
		# the servers certificate. EAPTLS_CertificateType
		# specifies the type of the file. Can be PEM or ASN1
		# defaults to ASN1
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM

		# EAPTLS_PrivateKeyFile is the name of the file containing
		# the servers private key. It is sometimes in the same file
		# as the server certificate (EAPTLS_CertificateFile)
		# If the private key is encrypted (usually the case)
		# then EAPTLS_PrivateKeyPassword is the key to descrypt it
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever

		# EAPTLS_RandomFile is an optional file containing
		# randdomness
#		EAPTLS_RandomFile %D/certificates/random

		# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
		# size that will be replied by Radiator. It must be small
		# enough to fit in a single Radius request (ie less than 4096)
		# and still leave enough space for other attributes
		# Aironet APs seem to need a smaller MaxFragmentSize
		# (eg 1024) than the default of 2048. Others need even smaller sizes.
		EAPTLS_MaxFragmentSize 1024

		# EAPTLS_DHFile if set specifies the DH group file. It
		# may be required if you need to use ephemeral DH keys.
#		EAPTLS_DHFile %D/certificates/cert/dh
		

		# If EAPTLS_CRLCheck is set  and the client presents a certificate
		# then Radiator will look for a certificate revocation list (CRL) 
		# for the certificate issuer
		# when authenticating each client. If a CRL file is not found, or
		# if the CRL says the certificate has neen revoked, the authentication will 
		# fail with an error:
		#   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
		# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
		# Alternatively, CRLs may follow a file naming convention: 
		#  the hash of the issuer subject name 
		# and a suffix that depends on the serial number.
		# eg ab1331b2.r0, ab1331b2.r1 etc.
		# You can find out the hash of the issuer name in a CRL with
		#  openssl crl -in crl.pem -hash -noout
		# CRLs with tis name convention
		# will be searched in EAPTLS_CAPath, else in the openssl 
		# certificates directory typically /usr/local/openssl/certs/
		# CRLs are expected to be in PEM format.
		# A CRL files can be generated with openssl like this:
		#  openssl ca -gencrl -revoke cert-clt.pem
		#  openssl ca -gencrl -out crl.pem
		# Use of these flags requires Net_SSLeay-1.21 or later
		#EAPTLS_CRLCheck
		#EAPTLS_CRLFile %D/certificates/crl.pem
		#EAPTLS_CRLFile %D/certificates/revocations.pem
		
		# Some clients, depending on their configuration, may require you to specify
		# MPPE send and receive keys. This _will_ be required if you select
		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
		# client Network Properties dialog.
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		AutoMPPEKeys

		# You can enable some warning messages from the Net::SSLeay
		# module by setting SSLeayTrace to an integer from 1 to 4
		# 1=ciphers, 2=trace, 3=dump data
		SSLeayTrace 4

		# You can configure the User-Name that will be used for the inner
		# authentication. Defaults to 'anonymous'. This can be useful
		# when proxying the inner authentication. If tehre is a realm, it can 
		# be used to choose a local Realm to handle the inner authentication.
		# %0 is replaced with the EAP identitiy
		# EAPAnonymous anonymous@some.other.realm

		# You can enable or disable support for TTLS Session Resumption and
		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
		# Default is enabled
		#EAPTLS_SessionResumption 0

		# You can limit how long after the initial session that a session can be resumed
		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
		# (12 hours)
		#EAPTLS_SessionResumptionLimit 10

		# You can control which version of the draft PEAP protocol to honour
		# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
		# such as Funk Odyssey Client 2.22 or later. For Funk Odyssey
		# version 4, use EAPTLS_PEAPVersion 1, 
		# but set EAPTLS_PEAPBrokenV1Label below
		EAPTLS_PEAPVersion 0

		# You can make PEAP Version 1 support compatible with
		# nonstandard PEAP V1 clients that use the old broken TLS encryption labels that
		# appear to be used frequently, due to Microsofts use of the incorrect
		# label in its V0 client. You should use this with Funk Odyssey
		# Client version 4 when EAPTLS_PEAPVersion is set to 1
		#EAPTLS_PEAPBrokenV1Label
	</AuthBy>

	# This hook fixes the problem with some implementations of PEAP, where the
	# accounting requests have the User-Name of anonymous, instead of the real
	# users name. After authenticating the inner TTLS request, the
	# PostAuthHook caches the _real_ user name in an SQL table,
	# The PreProcessingHook replaces the 'anonymous' user name in 
	# accounting requests with the 
	# real user name that was previously cached for the NAS and NAS-Port.
	# You can see the correct real User-Name logged in the AcctLogFileName
	# Must be used in conjunction with PostAuthHook above
#	PreProcessingHook file:"goodies/eap_anon_hook.pl"
</Handler>