ansible/roles/radius/files/raddb/modules/inner-eap

# -*- text -*-
#
#  $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $

#
#  Sample configuration for an EAP module that occurs *inside*
#  of a tunneled method.  It is used to limit the EAP types that
#  can occur inside of the inner tunnel.
#
#  See also raddb/sites-available/inner-tunnel
#
#  To use this module, edit raddb/sites-available/inner-tunnel, and
#  replace the references to "eap" with "inner-eap".
#
#  See raddb/eap.conf for full documentation on the meaning of the
#  configuration entries here.
#
eap inner-eap {
	# This is the best choice for PEAP.
	default_eap_type = mschapv2
	timer_expire     = 60

	#  This should be the same as the outer eap "max sessions"
	max_sessions = 2048

	# Supported EAP-types
	md5 {
	}

	gtc {
		#  The default challenge, which many clients
		#  ignore..
		#challenge = "Password: "

		auth_type = PAP
	}

	mschapv2 {
	}

	# No TTLS or PEAP configuration should be listed here.

	## EAP-TLS
	#
	#  You SHOULD use different certificates than are used
	#  for the outer EAP configuration!
	#
	#  Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
	#
	tls {
		#
		#  These is used to simplify later configurations.
		#
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs

		private_key_password = whatever
		private_key_file = ${certdir}/server.pem

		#  If Private key & Certificate are located in
		#  the same file, then private_key_file &
		#  certificate_file must contain the same file
		#  name.
		#
		#  If CA_file (below) is not used, then the
		#  certificate_file below MUST include not
		#  only the server certificate, but ALSO all
		#  of the CA certificates used to sign the
		#  server certificate.
		certificate_file = ${certdir}/server.pem

		#  Trusted Root CA list
		#
		#  ALL of the CA's in this list will be trusted
		#  to issue client certificates for authentication.
		#
		#  In general, you should use self-signed
		#  certificates for 802.1x (EAP) authentication.
		#  In that case, this CA file should contain
		#  *one* CA certificate.
		#
		#  This parameter is used only for EAP-TLS,
		#  when you issue client certificates.  If you do
		#  not use client certificates, and you do not want
		#  to permit EAP-TLS authentication, then delete
		#  this configuration item.
		CA_file = ${cadir}/ca.pem

		#
		#  For DH cipher suites to work, you have to
		#  run OpenSSL to create the DH file first:
		#
		#  	openssl dhparam -out certs/dh 1024
		#
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random

		#
		#  This can never exceed the size of a RADIUS
		#  packet (4096 bytes), and is preferably half
		#  that, to accomodate other attributes in
		#  RADIUS packet.  On most APs the MAX packet
		#  length is configured between 1500 - 1600
		#  In these cases, fragment size should be
		#  1024 or less.
		#
	#	fragment_size = 1024

		#  include_length is a flag which is
		#  by default set to yes If set to
		#  yes, Total Length of the message is
		#  included in EVERY packet we send.
		#  If set to no, Total Length of the
		#  message is included ONLY in the
		#  First packet of a fragment series.
		#
	#	include_length = yes

		#  Check the Certificate Revocation List
		#
		#  1) Copy CA certificates and CRLs to same directory.
		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#    'c_rehash' is OpenSSL's command.
		#  3) uncomment the line below.
		#  5) Restart radiusd
	#	check_crl = yes
	#	CA_path = /path/to/directory/with/ca_certs/and/crls/

	       #
	       #  If check_cert_issuer is set, the value will
	       #  be checked against the DN of the issuer in
	       #  the client certificate.  If the values do not
	       #  match, the cerficate verification will fail,
	       #  rejecting the user.
	       #
	#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

	       #
	       #  If check_cert_cn is set, the value will
	       #  be xlat'ed and checked against the CN
	       #  in the client certificate.  If the values
	       #  do not match, the certificate verification
	       #  will fail rejecting the user.
	       #
	       #  This check is done only if the previous
	       #  "check_cert_issuer" is not set, or if
	       #  the check succeeds.
	       #
	#	check_cert_cn = %{User-Name}
	#
		# Set this option to specify the allowed
		# TLS cipher suites.  The format is listed
		# in "man 1 ciphers".
		cipher_list = "DEFAULT"

		#
		#  The session resumption / fast reauthentication
		#  cache CANNOT be used for inner sessions.
		#
	}
}
Add (free)radius role. 2017-02-21 20:20:04 +01:00			`# -- text --`
			`#`
			`# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $`

			`#`
			`# Sample configuration for an EAP module that occurs inside`
			`# of a tunneled method. It is used to limit the EAP types that`
			`# can occur inside of the inner tunnel.`
			`#`
			`# See also raddb/sites-available/inner-tunnel`
			`#`
			`# To use this module, edit raddb/sites-available/inner-tunnel, and`
			`# replace the references to "eap" with "inner-eap".`
			`#`
			`# See raddb/eap.conf for full documentation on the meaning of the`
			`# configuration entries here.`
			`#`
			`eap inner-eap {`
			`# This is the best choice for PEAP.`
			`default_eap_type = mschapv2`
			`timer_expire = 60`

			`# This should be the same as the outer eap "max sessions"`
			`max_sessions = 2048`

			`# Supported EAP-types`
			`md5 {`
			`}`

			`gtc {`
			`# The default challenge, which many clients`
			`# ignore..`
			`#challenge = "Password: "`

			`auth_type = PAP`
			`}`

			`mschapv2 {`
			`}`

			`# No TTLS or PEAP configuration should be listed here.`

			`## EAP-TLS`
			`#`
			`# You SHOULD use different certificates than are used`
			`# for the outer EAP configuration!`
			`#`
			`# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.`
			`#`
			`tls {`
			`#`
			`# These is used to simplify later configurations.`
			`#`
			`certdir = ${confdir}/certs`
			`cadir = ${confdir}/certs`

			`private_key_password = whatever`
			`private_key_file = ${certdir}/server.pem`

			`# If Private key & Certificate are located in`
			`# the same file, then private_key_file &`
			`# certificate_file must contain the same file`
			`# name.`
			`#`
			`# If CA_file (below) is not used, then the`
			`# certificate_file below MUST include not`
			`# only the server certificate, but ALSO all`
			`# of the CA certificates used to sign the`
			`# server certificate.`
			`certificate_file = ${certdir}/server.pem`

			`# Trusted Root CA list`
			`#`
			`# ALL of the CA's in this list will be trusted`
			`# to issue client certificates for authentication.`
			`#`
			`# In general, you should use self-signed`
			`# certificates for 802.1x (EAP) authentication.`
			`# In that case, this CA file should contain`
			`# one CA certificate.`
			`#`
			`# This parameter is used only for EAP-TLS,`
			`# when you issue client certificates. If you do`
			`# not use client certificates, and you do not want`
			`# to permit EAP-TLS authentication, then delete`
			`# this configuration item.`
			`CA_file = ${cadir}/ca.pem`

			`#`
			`# For DH cipher suites to work, you have to`
			`# run OpenSSL to create the DH file first:`
			`#`
			`# openssl dhparam -out certs/dh 1024`
			`#`
			`dh_file = ${certdir}/dh`
			`random_file = ${certdir}/random`

			`#`
			`# This can never exceed the size of a RADIUS`
			`# packet (4096 bytes), and is preferably half`
			`# that, to accomodate other attributes in`
			`# RADIUS packet. On most APs the MAX packet`
			`# length is configured between 1500 - 1600`
			`# In these cases, fragment size should be`
			`# 1024 or less.`
			`#`
			`# fragment_size = 1024`

			`# include_length is a flag which is`
			`# by default set to yes If set to`
			`# yes, Total Length of the message is`
			`# included in EVERY packet we send.`
			`# If set to no, Total Length of the`
			`# message is included ONLY in the`
			`# First packet of a fragment series.`
			`#`
			`# include_length = yes`

			`# Check the Certificate Revocation List`
			`#`
			`# 1) Copy CA certificates and CRLs to same directory.`
			`# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.`
			`# 'c_rehash' is OpenSSL's command.`
			`# 3) uncomment the line below.`
			`# 5) Restart radiusd`
			`# check_crl = yes`
			`# CA_path = /path/to/directory/with/ca_certs/and/crls/`

			`#`
			`# If check_cert_issuer is set, the value will`
			`# be checked against the DN of the issuer in`
			`# the client certificate. If the values do not`
			`# match, the cerficate verification will fail,`
			`# rejecting the user.`
			`#`
			`# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"`

			`#`
			`# If check_cert_cn is set, the value will`
			`# be xlat'ed and checked against the CN`
			`# in the client certificate. If the values`
			`# do not match, the certificate verification`
			`# will fail rejecting the user.`
			`#`
			`# This check is done only if the previous`
			`# "check_cert_issuer" is not set, or if`
			`# the check succeeds.`
			`#`
			`# check_cert_cn = %{User-Name}`
			`#`
			`# Set this option to specify the allowed`
			`# TLS cipher suites. The format is listed`
			`# in "man 1 ciphers".`
			`cipher_list = "DEFAULT"`

			`#`
			`# The session resumption / fast reauthentication`
			`# cache CANNOT be used for inner sessions.`
			`#`
			`}`
			`}`