# eap_tls_proxy.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with proxying of
# EAP TTLS authentication as used by Funk Odyssey.
# With this example, you can proxy handle TTLS requests and send the inner authenbticaiton 
# requests to a remote Radius server, which does not need to be TTLS enabled.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will received EAP TTLS requests, unpack the inner authenticaiton requests
# and proxy the inner authenitation to a remote server, based on the realm and 
# username of the inner authentication.
#
# Alternatively, you can service the inner requests locally within this server. See
# goodies/eap_ttls.cfg for an example.
#
# In order to test this, you can user the sample test certificates
# supplied with Radiator. For production, you
# WILL need to install a real valid server certificate and 
# key for Radiator to use. Runs with openssl on Unix and Windows.
#
# There is a helpful tutorial for testing EAP TLS with Aironet wireless cards
# on Linux at http://www.missl.cs.umd.edu/wireless/eaptls/
# other references for other OSs at http://www.denobula.com/EAPTLS.pdf and
# You can debug EAP on an Aironet AP by telnetting and then :eap_diag1_on or :eap_diag2_on
#
# The example below is configured to work with the example test certificates
# mentioned in http://www.missl.cs.umd.edu/wireless/eaptls/, which were
# installed in /home/mikem/os/linux/cert. The configuration
# may be different for your system.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires Net_SSLeay.pm-1.21
# Requires openssl 0.9.7beta or later from www.openssl.org
# Requires Digest-HMAC from CPAN
# Requires Digest-SHA1 from CPAN
#
# You should consider this file to be a starting point only
# $Id: eap_ttls_proxy.cfg,v 1.7 2005/03/16 21:58:47 mikem Exp $

Foreground
#LogStdout

# User a lower trace level in production systems:
Trace 		3


PidFile /var/run/radius.pid
DictionaryFile /etc/radiator/dictionary
LogDir /var/log/radius
DbDir /var/db

<SessionDatabase SQL>
	Identifier SessionDB
	DBSource DBI:mysql:database=radiator;host=mysql.example.org
	DBUsername radiator
	DBAuth mySqlPassword
	AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('%u', '%1', %2, %3, %{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Service-Type}')
</SessionDatabase>

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client 192.168.1.1>
	Identifier Meru
	Secret	donttell
	DupInterval 0
	# if we don't add this and remove it later, we keep going back to the same handler every time
	AddToRequest MeruOuterAuth = 1
</Client>

<Client 192.168.1.2>
	Identifier CiscoVPN
	Secret donttell
	DupInterval 2
</Client>


<AuthBy LDAP_APS>
	Identifier CheckPass

	#StripFromRequest ConvertedFromEAPMSCHAPV2

	# Tell Radiator how to talk to the LDAP server
	Host            127.0.0.1
	Version		3
	BaseDN          dc=example,dc=org
	UsernameAttr    uid
	FailureBackoffTime 30

	# don't try uid=DEFAULT
	NoDefault

	PasswordAttr	authAuthority
	
	# log to syslog
	<Log SYSLOG>
	    LogHost syslog.example.org
	    Facility local2
	    Trace 3
	</Log>

	# You can enable debugging of the Net::LDAP
	# module with this:

	#Debug 255
</AuthBy>


<AuthBy LDAP_APS>
	Identifier CheckGroupMembership

	#StripFromRequest ConvertedFromEAPMSCHAPV2

	# Tell Radiator how to talk to the LDAP server
	Host            127.0.0.1
	Version		3
	BaseDN          dc=example,dc=org
	UsernameAttr    uid
	FailureBackoffTime 30

	# don't try uid=DEFAULT
	NoDefault

	# we're not checking passwords here, but if this isn't here we get a 
	# warmning in the logs
	PasswordAttr
	
	# Check in LDAP to make sure this user is allowed to use the network.
	# This filter returns the DN of the wireless.users group if the user
	# is a member of that group.  If the results are empty, the 
	# user is denied.
	SearchFilter (&(memberuid=%1)(cn=wireless.users))

	# log to syslog
	<Log SYSLOG>
	    LogHost syslog.example.org
	    Facility local2
	    Trace 3
	</Log>

	# You can enable debugging of the Net::LDAP
	# module with this:

	# Debug 255
</AuthBy>


# keep this one around for VPN server.  Folks with a Crypt password will fail an
# LDAP_APS authentication attempt.

<AuthBy LDAP2>
	Identifier CheckBind

	# Tell Radiator how to talk to the LDAP server
	Host            127.0.0.1
	Version		3
	BaseDN          dc=example,dc=org
	UsernameAttr    uid
	FailureBackoffTime 30

	# don't try uid=DEFAULT
	NoDefault

	# do a bind as the user instead of trying to compare passwords
	ServerChecksPassword

	# log to syslog
	<Log SYSLOG>
		LogHost syslog.example.org
		Facility local2
		Trace 3
	</Log>

	# You can enable debugging of the Net::LDAP
	# module with this:

	# Debug 255
</AuthBy>




# This handler intercepts the inner authentication requests and sends them to another
# server. The remote Radius server does not need to know anything about TTLS.
<Handler TunnelledByTTLS=1>

	# try each of the following methods, until something rejects us
	AuthByPolicy ContinueUntilReject

	AuthBy CheckPass
	
	AuthBy CheckGroupMembership
	
</Handler>


# This is where the inner EAP-MSCHAPV2 request appears, after being converted to 
# a conventional Radius-MSCHAPV2 request. You can proxy or handle locally.
# Since its an odinary Radius request, it can be proxied to non-EAP capable Radius
# servers.
<Handler ConvertedFromEAPMSCHAPV2=1>

	# try each of the following methods, until something rejects us
	AuthByPolicy ContinueUntilReject

	AuthBy CheckPass
	
	AuthBy CheckGroupMembership
	
</Handler>


# handle web-based captive-portal wireless requests
# this must be above the 802.1x authentication section in the config file
<Handler Client-Identifier = Meru, Service-Type = Login-User>
 
	# enable accounting
	AcctLogFileName /var/log/radius/vpn-acct.log

	# try each of the following methods, until something rejects us
	AuthByPolicy ContinueUntilReject

	AuthBy CheckPass
		
	AuthBy CheckGroupMembership
 
</Handler>



# This is where the PEAP inner request appears
# The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
# With the EAP_PEAP_MSCHAP_Convert flag set, the EAP-MSCHAPV2 request is converted
# into conventional Radius-MSCHAPV2 and redespatched to the <Handler ConvertedFromEAPMSCHAPV2=1>
# above.
<Handler TunnelledByPEAP=1>
	<AuthBy FILE>

		# This tells the PEAP client what types of inner EAP requests
		# we will honour
		EAPType MSCHAP-V2

		# This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
		# an ordinary Radius-MSCHAPV2 request and redespatch to to a Handler
		# that matches ConvertedFromEAPMSCHAPV2=1 (see above)
		EAP_PEAP_MSCHAP_Convert 1
	</AuthBy>
</Handler>


# This is where the inner EAP-MSCHAPV2 request appears, after being converted to 
# a conventional Radius-MSCHAPV2 request. You can proxy or handle locally.
# Since its now an ordinary Radius MSCHAP request, it can be proxied to non-EAP capable Radius
# servers.
<Handler ConvertedFromLEAP=1>
	# Proxy to a non-EAP capable server
	# try each of the following methods, until something rejects us
	AuthByPolicy ContinueUntilReject

	AuthBy CheckPass
	
	AuthBy CheckGroupMembership
	
</Handler>



# The original TTLS request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked inm the inner authentication
# extracted.
# The inner authentication request will sent again to a matching
# Realm or Handler. The special check item TunnelledByTTLS=1 can be used to select
# a specific handler
# This allows you to select an inner authentication method based on Realm, or the
# fact that they were tunnelled. You can therfore act just as a TTLS server, or also 
# act as the AAA/H home server, and authenticate TTLS requests locally or proxy
# them to another remote server based on the realm of the inner authenticaiton request.
# The following handler gets the outer authentication request, authenticates it against the user
# anonymous in a FILE. The inner authentication is then redespatched where it will
# be handled by the <Handler TunnelledByTTLS=1> clause above
<Handler Client-Identifier = Meru, MeruOuterAuth = 1>
#<Handler default> 
# if we don't remove this, we keep going back to the same handler every time
	StripFromRequest MeruOuterAuth

	<AuthBy FILE>
		# Users must be in this file to get anywhere. IN this example,
		# it reques an entry for 'anonymous' which is the username 
		# in the outer requests
		Filename /etc/radiator/users

		# EAPType sets the EAP type(s) that Radiator will honour.
		# Options are: MD5-Challenge, One-Time-Password
		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
		# Multiple types can be comma separated. With the default (most
		# preferred) type given first
		EAPType TTLS,PEAP,LEAP
		
		EAP_LEAP_MSCHAP_Convert
		
		# EAPTLS_CAFile is the name of a file of CA certificates 
		# in PEM format. The file can contain several CA certificates
		# Radiator will first look in EAPTLS_CAFile then in
		# EAPTLS_CAPath, so there usually is no need to set both
		#EAPTLS_CAFile /etc/radiator/certificates/demoCA/cacert.pem

		# EAPTLS_CAPath is the name of a directory containing CA
    		# certificates in PEM format. The files each contain one 
		# CA certificate. The files are looked up by the CA 
		# subject name hash value
		# EAPTLS_CAPath

		# EAPTLS_CertificateFile is the name of a file containing
		# the servers certificate. EAPTLS_CertificateType
		# specifies the type of the file. Can be PEM or ASN1
		# defaults to ASN1
		#EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
		#EAPTLS_CertificateType PEM

		EAPTLS_CertificateFile /private/etc/certificates/cert.example.org.crt
		EAPTLS_CertificateType PEM

		# EAPTLS_PrivateKeyFile is the name of the file containing
		# the servers private key. It is sometimes in the same file
		# as the server certificate (EAPTLS_CertificateFile)
		# If the private key is encrypted (usually the case)
		# then EAPTLS_PrivateKeyPassword is the key to descrypt it
		#EAPTLS_PrivateKeyFile /etc/radiator/certificates/cert-srv.pem
		#EAPTLS_PrivateKeyPassword whatever

		EAPTLS_PrivateKeyFile /private/etc/certificates/cert.example.org.key
		EAPTLS_PrivateKeyPassword myCertSecret

		# EAPTLS_RandomFile is an optional file containing
		# randdomness
		# EAPTLS_RandomFile /etc/radiator/certificates/random

		# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
		# size that will be replied by Radiator. It must be small
		# enough to fit in a single Radius request (ie less than 4096)
		# and still leave enough space for other attributes
		# Aironet APs seem to need a smaller MaxFragmentSize
		# (eg 1024) than the default of 2048. Others need even smaller sizes.
		EAPTLS_MaxFragmentSize 1000

		# EAPTLS_DHFile if set specifies the DH group file. It
		# may be required if you need to use ephemeral DH keys.
		# EAPTLS_DHFile /etc/radiator/certificates/dh
		
		# Some clients, depending on their configuration, may require you to specify
		# MPPE send and receive keys. This _will_ be required if you select
		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
		# client Network Properties dialog.
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		AutoMPPEKeys

		# You can enable some warning messages from the Net::SSLeay
		# module by setting SSLeayTrace to an integer from 1 to 4
		# 1=ciphers, 2=trace, 3=dump data
		SSLeayTrace 4

		# You can configure the User-Name that will be used for the inner
		# authentication. Defaults to 'anonymous'. This can be useful
		# when proxying the inner authentication. If tehre is a realm, it can 
		# be used to choose a local Realm to handle the inner authentication.
		# EAPAnonymous anonymous@some.other.realm
	</AuthBy>
</Handler>







# Handle requests from the Cisco VPN3000 server

<Handler Client-Identifier = CiscoVPN>
 
        # enable accounting
        AcctLogFileName /var/log/radius/vpn-acct.log

        # try each of the following methods, until something rejects us
        AuthByPolicy ContinueUntilReject

		AuthBy CheckBind
		
		AuthBy CheckGroupMembership
 
</Handler>