# -*- text -*- # # $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $ # # Sample configuration for an EAP module that occurs *inside* # of a tunneled method. It is used to limit the EAP types that # can occur inside of the inner tunnel. # # See also raddb/sites-available/inner-tunnel # # See raddb/mods-available/eap for full documentation on the meaning of these # configuration entries. # eap inner-eap { # This is the best choice for PEAP. default_eap_type = mschapv2 timer_expire = 60 # This should be the same as the outer eap "max sessions" max_sessions = 2048 # Supported EAP-types md5 { } gtc { # The default challenge, which many clients # ignore.. #challenge = "Password: " auth_type = PAP } mschapv2 { # See eap for documentation # send_error = no } # No TTLS or PEAP configuration should be listed here. ## EAP-TLS # # You SHOULD use different certificates than are used # for the outer EAP configuration! # # You can create the "inner-server.pem" file by doing: # # cd raddb/certs # vi inner-server.cnf # make inner-server # # The certificate MUST be different from the "server.cnf" # file. # # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. # It might work, or it might not. # tls { private_key_password = whatever private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If ca_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem # You may want different CAs for inner and outer # certificates. If so, edit this file. ca_file = /etc/ssl/certs/ca-certificates.crt cipher_list = "DEFAULT" # You may want to set a very small fragment size. # The TLS data here needs to go inside of the # outer EAP-TLS protocol. # # Try values and see if they work... # fragment_size = 1024 # Other needful things dh_file = ${certdir}/dh random_file = /dev/urandom # CRL and OCSP things go here. See the main "eap" # file for details. # check_crl = yes # ca_path = /path/to/directory/with/ca_certs/and/crls/ # Accept an expired Certificate Revocation List # # allow_expired_crl = no # # The session resumption / fast re-authentication # cache CANNOT be used for inner sessions. # } }