# lsa_eap_multi.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# PAP, EAP-TTLS and EAP-PEAP authentication as used by Windows XP
# (starting with SP1) using AuthBy LSA and Microsoft Active Directory.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate Wireless PEAP users from a Windows LSA, which
# permits authentication against any Windows Active Directory Domain
# or NT Domain.
# It will accept requests from any client and try to handle request
# for any realm.
# To use this LSA, Radiator must be run on Windows as Administrator,
# or as a user that has the 'Act as part of the operating system' security policy
# enabled.
# Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not Home edition).
#
# To use this example, Radiator must be run on Windows as Administrator,
# or as a user that has the 'Act as part of the operating system' security policy
# enabled. This is not possible with Windows XP Home edition.
# 
# Requires the Win32-Lsa perl module from Open System Consultants.
# Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like this:
#   ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
#
# Users will only be authenticated if they have the 'Access this computer from the network'
# security policy enabled. Their other account restrictions will also be checked
# CHAP passwords can only be authenticated if the user has their 
# 'Store password using reversible encryption' option enabled in their Account
#
# In order to test this, you can user the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and 
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires openssl and Net_SSLeay.
#
# You should consider this file to be a starting point only
# $Id: lsa_eap_multi.cfg,v 1.3 2007/12/18 21:23:50 mikem Exp $

Foreground
LogStdout
LogDir		c:/program files/radiator
DbDir		c:/program files/radiator
# User a lower trace level in production systems:
Trace 		4

AuthPort 1812,1645
AcctPort 1813,1646

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client 10.24.70.26>
	IdenticalClients 127.0.0.1
	Secret	#####
	DupInterval 0
</Client>

# This clause handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also
# handles the outer and inner requests for TTSL and PEAP. You can use
# it to authenticate almost anything against Microsoft Active Directory
<Handler>
	<AuthBy LSA>
		# Specifies which Windows Domain is ALWAYS to be used to authenticate
		# users (even if they specify a different domain in their username). 
		# Empty string means the local machine only
		# Special characters are supported. Can be an Active
		# directory domain or a Windows NT domain controller 
		# domain name
		# Empty string (the default) means the local machine
		Domain clinlan

		# Specifies the Windows Domain to use if the user does not
		# specify a doain domain in their username.
		# Special characters are supported. Can be an Active
		# directory domain or a Windows NT domain controller 
		# domain name
		# Empty string (the default) means the local machine
		DefaultDomain clinlan

		# You can check whether each user is the member of a windows group
		# with the Group parameter. If more than one Group is specified, then the
		# user must be a member of at least one of them. Requires Win32::NetAdmin
		# (which is installed by default with ActivePerl). If no Group
		# parameters are specified, then Group checks will not be performed.
		#Group Administrators
		#Group Domain Users

		# You can specify which domain controller will be used to check group
		# membership with the DomainController parameter. If no Group parameters
		# are specified, DomainController wil not be used. Defaults to
		# empty string, meaning the default controller of the host where this
		# instance of Radaitor is running.
		#DomainController zulu


		# EAPType sets the EAP type(s) that Radiator will honour.
		# Options are: MD5-Challenge, One-Time-Password
		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
		# Multiple types can be comma separated. With the default (most
		# preferred) type given first
		EAPType PEAP, TTLS, MSCHAP-V2

		# EAPTLS_CAFile is the name of a file of CA certificates 
		# in PEM format. The file can contain several CA certificates
		# Radiator will first look in EAPTLS_CAFile then in
		# EAPTLS_CAPath, so there usually is no need to set both
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

		# EAPTLS_CAPath is the name of a directory containing CA
    		# certificates in PEM format. The files each contain one 
		# CA certificate. The files are looked up by the CA 
		# subject name hash value
#		EAPTLS_CAPath

		# EAPTLS_CertificateFile is the name of a file containing
		# the servers certificate. EAPTLS_CertificateType
		# specifies the type of the file. Can be PEM or ASN1
		# defaults to ASN1
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM

		# EAPTLS_PrivateKeyFile is the name of the file containing
		# the servers private key. It is sometimes in the same file
		# as the server certificate (EAPTLS_CertificateFile)
		# If the private key is encrypted (usually the case)
		# then EAPTLS_PrivateKeyPassword is the key to descrypt it
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever

		# EAPTLS_RandomFile is an optional file containing
		# randdomness
#		EAPTLS_RandomFile %D/certificates/random

		# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
		# size that will be replied by Radiator. It must be small
		# enough to fit in a single Radius request (ie less than 4096)
		# and still leave enough space for other attributes
		# Aironet APs seem to need a smaller MaxFragmentSize
		# (eg 1024) than the default of 2048. Others need even smaller sizes.
		EAPTLS_MaxFragmentSize 1000

		# EAPTLS_DHFile if set specifies the DH group file. It
		# may be required if you need to use ephemeral DH keys.
#		EAPTLS_DHFile %D/certificates/cert/dh
		

		# If EAPTLS_CRLCheck is set  and the client presents a certificate
		# then Radiator will look for a certificate revocation list (CRL) 
		# for the certificate issuer
		# when authenticating each client. If a CRL file is not found, or
		# if the CRL says the certificate has neen revoked, the authentication will 
		# fail with an error:
		#   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
		# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
		# Alternatively, CRLs may follow a file naming convention: 
		#  the hash of the issuer subject name 
		# and a suffix that depends on the serial number.
		# eg ab1331b2.r0, ab1331b2.r1 etc.
		# You can find out the hash of the issuer name in a CRL with
		#  openssl crl -in crl.pem -hash -noout
		# CRLs with tis name convention
		# will be searched in EAPTLS_CAPath, else in the openssl 
		# certificates directory typically /usr/local/openssl/certs/
		# CRLs are expected to be in PEM format.
		# A CRL files can be generated with openssl like this:
		#  openssl ca -gencrl -revoke cert-clt.pem
		#  openssl ca -gencrl -out crl.pem
		# Use of these flags requires Net_SSLeay-1.21 or later
		#EAPTLS_CRLCheck
		#EAPTLS_CRLFile %D/certificates/crl.pem
		#EAPTLS_CRLFile %D/certificates/revocations.pem
		
		# Some clients, depending on their configuration, may require you to specify
		# MPPE send and receive keys. This _will_ be required if you select
		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
		# client Network Properties dialog.
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		AutoMPPEKeys

		# You can configure the User-Name that will be used for the inner
		# authentication. Defaults to 'anonymous'. This can be useful
		# when proxying the inner authentication. If tehre is a realm, it can 
		# be used to choose a local Realm to handle the inner authentication.
		# %0 is replaced with the EAP identitiy
	 	#EAPAnonymous %0@clinlan.local

		# You can enable or disable support for TTLS Session Resumption and
		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
		# Default is enabled
		#EAPTLS_SessionResumption 0

		# You can limit how long after the initial session that a session can be resumed
		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
		# (12 hours)
		#EAPTLS_SessionResumptionLimit 10
	</AuthBy>
</Handler>