users
Friday, April 13th, 2007 at 4:58:50am UTC 

  1. # -*- text -*-
  2. #
  3. #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
  4. #  is smart enough to figure this out on its own.  The most
  5. #  common side effect of setting 'Auth-Type := EAP' is that the
  6. #  users then cannot use ANY other authentication method.
  7. #
  8. #       $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
  9. #
  10.         eap {
  11.                 #  Invoke the default supported EAP type when
  12.                 #  EAP-Identity response is received.
  13.                 #
  14.                 #  The incoming EAP messages DO NOT specify which EAP
  15.                 #  type they will be using, so it MUST be set here.
  16.                 #
  17.                 #  For now, only one default EAP type may be used at a time.
  18.                 #
  19.                 #  If the EAP-Type attribute is set by another module,
  20.                 #  then that EAP type takes precedence over the
  21.                 #  default type configured here.
  22.                 #
  23.                 default_eap_type = peap
  24. 
  25.                 #  A list is maintained to correlate EAP-Response
  26.                 #  packets with EAP-Request packets.  After a
  27.                 #  configurable length of time, entries in the list
  28.                 #  expire, and are deleted.
  29.                 #
  30.                 timer_expire     = 60
  31. 
  32.                 #  There are many EAP types, but the server has support
  33.                 #  for only a limited subset.  If the server receives
  34.                 #  a request for an EAP type it does not support, then
  35.                 #  it normally rejects the request.  By setting this
  36.                 #  configuration to "yes", you can tell the server to
  37.                 #  instead keep processing the request.  Another module
  38.                 #  MUST then be configured to proxy the request to
  39.                 #  another RADIUS server which supports that EAP type.
  40.                 #
  41.                 #  If another module is NOT configured to handle the
  42.                 #  request, then the request will still end up being
  43.                 #  rejected.
  44.                 ignore_unknown_eap_types = no
  45. 
  46.                 # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
  47.                 # a User-Name attribute in an Access-Accept, it copies one
  48.                 # more byte than it should.
  49.                 #
  50.                 # We can work around it by configurably adding an extra
  51.                 # zero byte.
  52.                 cisco_accounting_username_bug = no
  53. 
  54.                 # Supported EAP-types.  A type whose section is present below appears to be enabled; to disable one, comment its section out as is done for "ttls" further down.
  55. 
  56.                 #  EAP-MD5 (enabled by the section below).
  57.                 #  We do NOT recommend using EAP-MD5 authentication
  58.                 #  for wireless connections.  It is insecure, and does
  59.                 #  not provide for dynamic WEP keys.
  60.                 #  NOTE(review): comment out "md5 { }" if no client needs it.
  61.                 md5 {
  62.                 }
  63. 
  64.                 # Cisco LEAP (enabled by the section below; comment it out if no client needs it).
  65.                 #
  66.                 #  We do not recommend using LEAP in new deployments.  See:
  67.                 #  http://www.securiteam.com/tools/5TP012ACKE.html
  68.                 #
  69.                 #  Cisco LEAP uses the MS-CHAP algorithm (but not
  70.                 #  the MS-CHAP attributes) to perform its authentication.
  71.                 #
  72.                 #  As a result, LEAP *requires* access to the plain-text
  73.                 #  User-Password, or the NT-Password attributes.
  74.                 #  'System' authentication is impossible with LEAP.
  75.                 #
  76.                 leap {
  77.                 }
  78. 
  79.                 #  Generic Token Card.
  80.                 #
  81.                 #  Currently, this is only permitted inside of EAP-TTLS,
  82.                 #  or EAP-PEAP.  The module "challenges" the user with
  83.                 #  text, and the response from the user is taken to be
  84.                 #  the User-Password.
  85.                 #
  86.                 #  Proxying the tunneled EAP-GTC session is a bad idea,
  87.                 #  the user's password will go over the wire in plain-text,
  88.                 #  for anyone to see.
  89.                 #
  90.                 gtc {
  91.                         #  The default challenge, which many clients
  92.                         #  ignore.
  93.                         #challenge = "Password: "
  94. 
  95.                         #  The plain-text response which comes back
  96.                         #  is put into a User-Password attribute,
  97.                         #  and passed to another module for
  98.                         #  authentication.  This allows the EAP-GTC
  99.                         #  response to be checked against plain-text,
  100.                         #  or crypt'd passwords.
  101.                         #
  102.                         #  If you say "Local" instead of "PAP", then
  103.                         #  the module will look for a User-Password
  104.                         #  configured for the request, and do the
  105.                         #  authentication itself.
  106.                         #
  107.                         auth_type = PAP
  108.                 }
  109. 
  110.                 ## EAP-TLS
  111.                 #
  112.                 #  To generate test certificates, run the script
  113.                 #
  114.                 #       ../scripts/certs.sh
  115.                 #
  116.                 #  The documents on http://www.freeradius.org/doc
  117.                 #  are old, but may be helpful.
  118.                 #  NOTE(review): the key, certificate and CA below all reference the sample files under ${raddbdir}/certs; replace them with deployment-specific material before use.
  119.                 #  See also:
  120.                 #
  121.                 #  http://www.dslreports.com/forum/remark,9286052~mode=flat
  122.                 #  NOTE(review): private_key_password is still the sample value; it must be the real passphrase of the key in private_key_file and must be changed when that key is replaced.
  123.                 tls {
  124.                         private_key_password = whatever
  125.                         private_key_file = ${raddbdir}/certs/cert-srv.pem
  126. 
  127.                         #  If Private key & Certificate are located in
  128.                         #  the same file, then private_key_file &
  129.                         #  certificate_file must contain the same file
  130.                         #  name.
  131.                         certificate_file = ${raddbdir}/certs/cert-srv.pem
  132. 
  133.                         #  Trusted Root CA list.  "demoCA" looks like the demo CA produced by certs.sh; with check_cert_issuer and check_cert_cn unset below, no further restriction on client certificates under this CA is configured here.
  134.                         CA_file = ${raddbdir}/certs/demoCA/cacert.pem
  135. 
  136.                         dh_file = ${raddbdir}/certs/dh
  137.                         random_file = /dev/urandom
  138. 
  139.                         #
  140.                         #  This can never exceed the size of a RADIUS
  141.                         #  packet (4096 bytes), and is preferably half
  142.                         #  that, to accommodate other attributes in
  143.                         #  RADIUS packet.  On most APs the MAX packet
  144.                         #  length is configured between 1500 - 1600
  145.                         #  In these cases, fragment size should be
  146.                         #  1024 or less.
  147.                         #
  148.                 #       fragment_size = 1024
  149. 
  150.                         #  include_length is a flag which is
  151.                         #  by default set to yes.  If set to
  152.                         #  yes, Total Length of the message is
  153.                         #  included in EVERY packet we send.
  154.                         #  If set to no, Total Length of the
  155.                         #  message is included ONLY in the
  156.                         #  First packet of a fragment series.
  157.                         #
  158.                 #       include_length = yes
  159. 
  160.                         #  Check the Certificate Revocation List.  NOTE(review): check_crl is commented out below, so no revocation checking is configured here.
  161.                         #
  162.                         #  1) Copy CA certificates and CRLs to same directory.
  163.                         #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
  164.                         #    'c_rehash' is OpenSSL's command.
  165.                         #  3) Add 'CA_path=<CA certs&CRLs directory>'
  166.                         #      to radiusd.conf's tls section.
  167.                         #  4) uncomment the line below.
  168.                         #  5) Restart radiusd
  169.                 #       check_crl = yes
  170. 
  171.                        #
  172.                        #  If check_cert_issuer is set, the value will
  173.                        #  be checked against the DN of the issuer in
  174.                        #  the client certificate.  If the values do not
  175.                        #  match, the certificate verification will fail,
  176.                        #  rejecting the user.
  177.                        #
  178.                 #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
  179. 
  180.                        #
  181.                        #  If check_cert_cn is set, the value will
  182.                        #  be xlat'ed and checked against the CN
  183.                        #  in the client certificate.  If the values
  184.                        #  do not match, the certificate verification
  185.                        #  will fail rejecting the user.
  186.                        #
  187.                        #  This check is done only if the previous
  188.                        #  "check_cert_issuer" is not set, or if
  189.                        #  the check succeeds.
  190.                        #
  191.                 #       check_cert_cn = %{User-Name}
  192.                 #
  193.                         # Set this option to specify the allowed
  194.                         # TLS cipher suites.  The format is listed
  195.                         # in "man 1 ciphers".  Unset here, so the library default list presumably applies -- verify against the OpenSSL build in use.
  196.                 #       cipher_list = "DEFAULT"
  197.                 }
  198. 
  199.                 #  The TTLS module implements the EAP-TTLS protocol,
  200.                 #  which can be described as EAP inside of Diameter,
  201.                 #  inside of TLS, inside of EAP, inside of RADIUS...
  202.                 #
  203.                 #  Surprisingly, it works quite well.
  204.                 #
  205.                 #  The TTLS module needs the TLS module to be installed
  206.                 #  and configured, in order to use the TLS tunnel
  207.                 #  inside of the EAP packet.  You will still need to
  208.                 #  configure the TLS module, even if you do not want
  209.                 #  to deploy EAP-TLS in your network.  Users will not
  210.                 #  be able to request EAP-TLS, as it requires them to
  211.                 #  have a client certificate.  EAP-TTLS does not
  212.                 #  require a client certificate.
  213.                 #
  214.                 #ttls {
  215.                         #  The tunneled EAP session needs a default
  216.                         #  EAP type which is separate from the one for
  217.                         #  the non-tunneled EAP module.  Inside of the
  218.                         #  TTLS tunnel, we recommend using EAP-MD5.
  219.                         #  If the request does not contain an EAP
  220.                         #  conversation, then this configuration entry
  221.                         #  is ignored.
  222.                 #       default_eap_type = md5
  223. 
  224.                         #  The tunneled authentication request does
  225.                         #  not usually contain useful attributes
  226.                         #  like 'Calling-Station-Id', etc.  These
  227.                         #  attributes are outside of the tunnel,
  228.                         #  and normally unavailable to the tunneled
  229.                         #  authentication request.
  230.                         #
  231.                         #  By setting this configuration entry to
  232.                         #  'yes', any attribute which is NOT in the
  233.                         #  tunneled authentication request, but
  234.                         #  which IS available outside of the tunnel,
  235.                         #  is copied to the tunneled request.
  236.                         #
  237.                         # allowed values: {no, yes}
  238.                 #       copy_request_to_tunnel = no
  239. 
  240.                         #  The reply attributes sent to the NAS are
  241.                         #  usually based on the name of the user
  242.                         #  'outside' of the tunnel (usually
  243.                         #  'anonymous').  If you want to send the
  244.                         #  reply attributes based on the user name
  245.                         #  inside of the tunnel, then set this
  246.                         #  configuration entry to 'yes', and the reply
  247.                         #  to the NAS will be taken from the reply to
  248.                         #  the tunneled request.
  249.                         #
  250.                         # allowed values: {no, yes}
  251.                 #       use_tunneled_reply = no
  252.                 #}
  253. 
  254.                 #
  255.                 #  The tunneled EAP session needs a default EAP type
  256.                 #  which is separate from the one for the non-tunneled
  257.                 #  EAP module.  Inside of the TLS/PEAP tunnel, we
  258.                 #  recommend using EAP-MS-CHAPv2.
  259.                 #
  260.                 #  The PEAP module needs the TLS module to be installed
  261.                 #  and configured, in order to use the TLS tunnel
  262.                 #  inside of the EAP packet.  You will still need to
  263.                 #  configure the TLS module, even if you do not want
  264.                 #  to deploy EAP-TLS in your network.  Users will not
  265.                 #  be able to request EAP-TLS, as it requires them to
  266.                 #  have a client certificate.  EAP-PEAP does not
  267.                 #  require a client certificate.
  268.                 #
  269.                  peap {
  270.                         #  The tunneled EAP session needs a default
  271.                         #  EAP type which is separate from the one for
  272.                         #  the non-tunneled EAP module.  Inside of the
  273.                         #  PEAP tunnel, we recommend using MS-CHAPv2,
  274.                         #  as that is the default type supported by
  275.                         #  Windows clients.
  276.                         default_eap_type = mschapv2
  277. 
  278.                         #  the PEAP module also has these configuration
  279.                         #  items, which are the same as for TTLS.
  280.                 #       copy_request_to_tunnel = no
  281.                 #       use_tunneled_reply = no
  282. 
  283.                         #  When the tunneled session is proxied, the
  284.                         #  home server may not understand EAP-MSCHAP-V2.
  285.                         #  Set this entry to "no" to proxy the tunneled
  286.                         #  EAP-MSCHAP-V2 as normal MSCHAPv2.
  287.                 #       proxy_tunneled_request_as_eap = yes
  288.                 }
  289. 
  290.                 #
  291.                 #  This takes no configuration.
  292.                 #
  293.                 #  Note that it is the EAP MS-CHAPv2 sub-module, not
  294.                 #  the main 'mschap' module.
  295.                 #
  296.                 #  Note also that in order for this sub-module to work,
  297.                 #  the main 'mschap' module MUST ALSO be configured.
  298.                 #
  299.                 #  This module is the *Microsoft* implementation of MS-CHAPv2
  300.                 #  in EAP.  There is another (incompatible) implementation
  301.                 #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
  302.                 #  currently support.
  303.                 #
  304.                 mschapv2 {
  305.                 }
  306.         }
