LogDir		/var/log/radius
DbDir		/etc/radiator
# User a lower trace level in production systems:
Trace 		4

AuthPort	1812
AcctPort	1813

include %D/client.cfg

include %D/ldap.cfg

<Handler Aruba-Location-Id="N/A", Client-Identifier=/aruba-controller/>
	AuthBy LDAP-AUTH-MSCHAPV2
	AddToReply Service-Type=Authenticate-Only
        AcctLogFileName %L/detail
</Handler>

<Handler TunnelledByPEAP=1>
	AuthBy LDAP-AUTH-MSCHAPV2
	AddToReply Service-Type=Framed-User
	AcctLogFileName %L/detail
</Handler>

<Handler TunnelledByTTLS=1>
	AuthBy LDAP-AUTH-TTLS
	AddToReply Service-Type=Framed-User
	AcctLogFileName %L/detail
</Handler>

<Handler>
	<AuthBy FILE>
		Filename %D/users.anon

		EAPType PEAP,TTLS

		# EAPTLS_CAFile is the name of a file of CA certificates 
		# in PEM format. The file can contain several CA certificates
		# Radiator will first look in EAPTLS_CAFile then in
		# EAPTLS_CAPath, so there usually is no need to set both
		#
		# Note: need to verify that RedHat actually updates this periodically
		#       or set up a script to do it ourselves. - bshafer
		EAPTLS_CAFile /etc/pki/tls/cert.pem

		# EAPTLS_CertificateFile is the name of a file containing
		# the servers certificate. EAPTLS_CertificateType
		# specifies the type of the file. Can be PEM or ASN1
		# defaults to ASN1
		EAPTLS_CertificateFile %D/certificates/radius.du.edu.pem
		EAPTLS_CertificateType PEM

		# EAPTLS_PrivateKeyFile is the name of the file containing
		# the servers private key. It is sometimes in the same file
		# as the server certificate (EAPTLS_CertificateFile)
		# If the private key is encrypted (usually the case)
		# then EAPTLS_PrivateKeyPassword is the key to descrypt it
		#
		# Note: The two files are combined into one - though they
		#       probably don't need to be.  - bshafer
		#
		EAPTLS_PrivateKeyFile %D/certificates/radius.du.edu.pem

		# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
		# size that will be replied by Radiator. It must be small
		# enough to fit in a single Radius request (ie less than 4096)
		# and still leave enough space for other attributes
		# Aironet APs seem to need a smaller MaxFragmentSize
		# (eg 1024) than the default of 2048. Others need even smaller sizes.
		EAPTLS_MaxFragmentSize 1000

		# Some clients, depending on their configuration, may require you to specify
		# MPPE send and receive keys. This _will_ be required if you select
		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
		# client Network Properties dialog.
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		AutoMPPEKeys

		# You can enable some warning messages from the Net::SSLeay
		# module by setting SSLeayTrace to an integer from 1 to 4
		# 1=ciphers, 2=trace, 3=dump data
		#SSLeayTrace 4

		# You can control which version of the draft PEAP protocol to honour
		# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
		# such as Funk Odyssey Client 2.22 or later. For Funk Odyssey
		# version 4, use EAPTLS_PEAPVersion 1, 
		# but set EAPTLS_PEAPBrokenV1Label below
		EAPTLS_PEAPVersion 0

		# You can make PEAP Version 1 support compatible with
		# nonstandard PEAP V1 clients that use the old broken TLS encryption labels that
		# appear to be used frequently, due to Microsofts use of the incorrect
		# label in its V0 client. You should use this with Funk Odyssey
		# Client version 4 when EAPTLS_PEAPVersion is set to 1
		#EAPTLS_PEAPBrokenV1Label
	</AuthBy>

	AcctLogFileName %L/detail
</Handler>