# lsa_eap_peap.cfg Foreground LogStdout LogDir c:\Program Files\Radiator DbDir c:\Program Files\Radiator LogFile %L/%m%d%y.log DictionaryFile %D/dictionary PidFile %D/radiusd.pid AuthPort 1645, 1812 AcctPort 1646, 1813 # User a lower trace level in production systems: Trace 4 # You will probably want to add other Clients to suit your site, # one for each NAS you want to work with IdenticalClients 127.0.0.1 Secret *********** DupInterval 0 IgnoreAcctSignature 1 # This is where we autneticate a PEAP inner request, which will be an EAP # request. The username of the inner request will be anonymous, although # the identity of the EAP request will be the real username we are # trying to authenticate. # Authenticate with Windows LSA # Specifies which Windows Domain is ALWAYS to be used to authenticate # users (even if they specify a different domain in their username). # Empty string means the local machine only # Special characters are supported. Can be an Active # directory domain or a Windows NT domain controller # domain name # Empty string (the default) means the local machine Domain clinlan # Specifies the Windows Domain to use if the user does not # specify a doain domain in their username. # Special characters are supported. Can be an Active # directory domain or a Windows NT domain controller # domain name # Empty string (the default) means the local machine DefaultDomain clinlan # You can check whether each user is the member of a windows group # with the Group parameter. If more than one Group is specified, then the # user must be a member of at least one of them. Requires Win32::NetAdmin # (which is installed by default with ActivePerl). If no Group # parameters are specified, then Group checks will not be performed. #Group Administrators #Group Domain Users # You can specify which domain controller will be used to check group # membership with the DomainController parameter. If no Group parameters # are specified, DomainController wil not be used. Defaults to # empty string, meaning the default controller of the host where this # instance of Radaitor is running. #DomainController zulu # This tells the PEAP client what types of inner EAP requests # we will honour EAPType MSCHAP-V2 # The original PEAP request from a NAS will be sent to a matching # Realm or Handler in the usual way, where it will be unpacked and the inner authentication # extracted. # The inner authentication request will be sent again to a matching # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select # a specific handler, or else you can use EAPAnonymous to set a username and realm # which can be used to select a Realm clause for the inner request. # This allows you to select an inner authentication method based on Realm, and/or the # fact that they were tunnelled. You can therfore act just as a PEAP server, or also # act as the AAA/H home server, and authenticate PEAP requests locally or proxy # them to another remote server based on the realm of the inner authenticaiton request. # In this basic example, both the inner and outer authentication are authenticated # from a file by AuthBy FILE # The username of the outer authentication # must be in this file to get anywhere. In this example, # it requires an entry for 'anonymous' which is the standard username # in the outer requests, and it also requires an entry for the # actual user name who is trying to connect (ie the 'Login name' entered # in the Funk Odyssey 'Edit Profile Properties' page Filename %D/users # EAPType sets the EAP type(s) that Radiator will honour. # Options are: MD5-Challenge, One-Time-Password # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2 # Multiple types can be comma separated. With the default (most # preferred) type given first EAPType PEAP # EAPTLS_CAFile is the name of a file of CA certificates # in PEM format. The file can contain several CA certificates # Radiator will first look in EAPTLS_CAFile then in # EAPTLS_CAPath, so there usually is no need to set both EAPTLS_CAFile %D/certificates/demoCA/cacert.pem # EAPTLS_CAPath is the name of a directory containing CA # certificates in PEM format. The files each contain one # CA certificate. The files are looked up by the CA # subject name hash value # EAPTLS_CAPath # EAPTLS_CertificateFile is the name of a file containing # the servers certificate. EAPTLS_CertificateType # specifies the type of the file. Can be PEM or ASN1 # defaults to ASN1 EAPTLS_CertificateFile %D/certificates/cert-srv.pem EAPTLS_CertificateType PEM # EAPTLS_PrivateKeyFile is the name of the file containing # the servers private key. It is sometimes in the same file # as the server certificate (EAPTLS_CertificateFile) # If the private key is encrypted (usually the case) # then EAPTLS_PrivateKeyPassword is the key to descrypt it EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem EAPTLS_PrivateKeyPassword whatever # EAPTLS_RandomFile is an optional file containing # randdomness # EAPTLS_RandomFile %D/certificates/random # EAPTLS_MaxFragmentSize sets the maximum TLS fragemt # size that will be replied by Radiator. It must be small # enough to fit in a single Radius request (ie less than 4096) # and still leave enough space for other attributes # Aironet APs seem to need a smaller MaxFragmentSize # (eg 1024) than the default of 2048. Others need even smaller sizes. EAPTLS_MaxFragmentSize 1000 # EAPTLS_DHFile if set specifies the DH group file. It # may be required if you need to use ephemeral DH keys. # EAPTLS_DHFile %D/certificates/cert/dh # If EAPTLS_CRLCheck is set and the client presents a certificate # then Radiator will look for a certificate revocation list (CRL) # for the certificate issuer # when authenticating each client. If a CRL file is not found, or # if the CRL says the certificate has neen revoked, the authentication will # fail with an error: # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned # One or more CRLs can be named with the EAPTLS_CRLFile parameter. # Alternatively, CRLs may follow a file naming convention: # the hash of the issuer subject name # and a suffix that depends on the serial number. # eg ab1331b2.r0, ab1331b2.r1 etc. # You can find out the hash of the issuer name in a CRL with # openssl crl -in crl.pem -hash -noout # CRLs with tis name convention # will be searched in EAPTLS_CAPath, else in the openssl # certificates directory typically /usr/local/openssl/certs/ # CRLs are expected to be in PEM format. # A CRL files can be generated with openssl like this: # openssl ca -gencrl -revoke cert-clt.pem # openssl ca -gencrl -out crl.pem # Use of these flags requires Net_SSLeay-1.21 or later #EAPTLS_CRLCheck #EAPTLS_CRLFile %D/certificates/crl.pem #EAPTLS_CRLFile %D/certificates/revocations.pem # Some clients, depending on their configuration, may require you to specify # MPPE send and receive keys. This _will_ be required if you select # 'Keys will be generated automatically for data privacy' in the Funk Odyssey # client Network Properties dialog. # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key # in the final Access-Accept AutoMPPEKeys # You can configure the User-Name that will be used for the inner # authentication. Defaults to 'anonymous'. This can be useful # when proxying the inner authentication. If tehre is a realm, it can # be used to choose a local Realm to handle the inner authentication. # %0 is replaced with the EAP identitiy # EAPAnonymous anonymous@some.other.realm # You can enable or disable support for TTLS Session Resumption and # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag. # Default is enabled #EAPTLS_SessionResumption 0 # You can limit how long after the initial session that a session can be resumed # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200 # (12 hours) #EAPTLS_SessionResumptionLimit 10 # You can control which version of the draft PEAP protocol to honour # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients, # such as Funk Odyssey Client 2.22 or later. EAPTLS_PEAPVersion 0