<div>My freeradius version is 2.1.1. When I config eap-tls with crl and one level root certificate,it's work normally. But when the ca is two level, the root ca is for signing the second level CA certificate , and the second level CA is for signing user certificates and crls.It's mean the root ca certificate is self-signed,but the second level ca certificate is not .How can I config ? I got the error message below:</div>
<div>[tls] eaptls_verify returned 11 <br>[tls] <<< TLS 1.0 Handshake [length 0477], Certificate <br>--> verify error:num=3:unable to get certificate CRL <br>[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca <br>
TLS Alert write:fatal:unknown CA <br> TLS_accept:error in SSLv3 read client certificate B <br>rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned</div>
<div> </div>
<div> </div>
<div>and all the message is :</div>
<div> </div>
<div> </div>
<div> </div>
<div>rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=0, length=119<br> User-Name = "test01"<br> EAP-Message = 0x0202000b01746573743031<br> Message-Authenticator = 0xb8ef974e2b69e44cba1654b844a2d51a<br>
NAS-IP-Address = 10.10.10.221<br> NAS-Identifier = "0023893a34b3"<br> NAS-Port = 16781313<br> NAS-Port-Type = Ethernet<br> Service-Type = Framed-User<br> Framed-Protocol = PPP<br>
Calling-Station-Id = "001a-6b67-1b8a"<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No <a href="mailto:'@'">'@'</a> in User-Name = "test01", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 2 length 11<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[unix] returns notfound<br>
[files] users: Matched entry DEFAULT at line 172<br>++[files] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type tls<br>[tls] Requiring client certificate<br>[tls] Initiate<br>[tls] Start returned 1<br>
++[eap] returns handled<br>Sending Access-Challenge of id 0 to 10.10.10.221 port 5001<br> Framed-Protocol = PPP<br> Framed-Compression = Van-Jacobson-TCP-IP<br> EAP-Message = 0x010300060d20<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xf27891bef27b9cb066ded7b428b0591f<br>Finished request 0.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=1, length=206<br>
User-Name = "test01"<br> EAP-Message = 0x020300500d800000004616030100410100003d03014a9770d26937eb2ffd4e3f2645f5e215a8982050c3496e12ac70d9cff2c877c900001600040005000a000900640062000300060013001200630100<br>
Message-Authenticator = 0x90519b61ec6ef30f291aae9592159baa<br> NAS-IP-Address = 10.10.10.221<br> NAS-Identifier = "0023893a34b3"<br> NAS-Port = 16781313<br> NAS-Port-Type = Ethernet<br>
Service-Type = Framed-User<br> Framed-Protocol = PPP<br> Calling-Station-Id = "001a-6b67-1b8a"<br> State = 0xf27891bef27b9cb066ded7b428b0591f<br>+- entering group authorize {...}<br>
++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No <a href="mailto:'@'">'@'</a> in User-Name = "test01", looking up realm NULL<br>[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>[eap] EAP packet type response id 3 length 80<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[unix] returns notfound<br>[files] users: Matched entry DEFAULT at line 172<br>
++[files] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>
[eap] EAP/tls<br>[eap] processing type tls<br>[tls] Authenticate<br>[tls] processing EAP-TLS<br> TLS Length 70<br>[tls] Length Included<br>[tls] eaptls_verify returned 11 <br>[tls] (other): before/accept initialization <br>
[tls] TLS_accept: before/accept initialization <br>[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello <br>[tls] TLS_accept: SSLv3 read client hello A <br>[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello <br>
[tls] TLS_accept: SSLv3 write server hello A <br>[tls] >>> TLS 1.0 Handshake [length 023e], Certificate <br>[tls] TLS_accept: SSLv3 write certificate A <br>[tls] >>> TLS 1.0 Handshake [length 000d], CertificateRequest <br>
[tls] TLS_accept: SSLv3 write certificate request A <br>[tls] TLS_accept: SSLv3 flush data <br>[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A<br>In SSL Handshake Phase <br>In SSL Accept mode <br>
[tls] eaptls_process returned 13 <br>++[eap] returns handled<br>Sending Access-Challenge of id 1 to 10.10.10.221 port 5001<br> Framed-Protocol = PPP<br> Framed-Compression = Van-Jacobson-TCP-IP<br> EAP-Message = 0x0104028e0d8000000284160301002a0200002603014a9656618b268bb7d6920d634c828a353ce0c1b85c6ca92dd46b21f39618a96100000400160301023e0b00023a0002370002343082023030820199a00302010202084e4f6234214476cb300d06092a864886f70d0101040500301d310b300906035504061302434e310e300c06035504030c0553756243413020170d3039303832363031333833385a180f32313038303832363031333833385a301e310b300906035504061302434e310f300d06035504030c0673657276657230819f300d06092a864886f70d010101050003818d0030818902818100ba29ddeec0dca45b50e2e98794b5579fbb<br>
EAP-Message = 0x0fcbf19aadc8c874b404ed6f246afeac3f2dcd0e44cae33929357ebaa97462077052e84608d0423d51c62ba31fe6a3bca32bc751241788fee774cc260617329d46e59f72f0043cd416f9ef131205b4835b784239d5a842464bcaab0811e8893373b1590965d003e5af8c72eff3e4710203010001a3763074303b0603551d2304343032801433a67c94686b7a0b5945e4eb04766a1246433580a110810e434e3d53756243412c20433d434e82082136f9fe58a4dee730090603551d1304023000300b0603551d0f040403020780301d0603551d0e04160414cb07f5f821338b457d04acd5c60e29dac2ed3ab4300d06092a864886f70d01010405000381<br>
EAP-Message = 0x810000c17048132d70cbcfd8e0734eeea2bd0a91d32b12a12188d1bda39562ab705aff1a3dd1484b019045c30662af4c3945d480ee87b9c7230b79794f886b2f55c1ab62dd19a366f5b6e5ec8010ce893f993b6b9ab5fe205300810aafd850fa34a1a0ff8eae2e38a207e514c5487598334592a76ae4e9e4f6c12865367365724c1d160301000d0d00000502010200000e000000<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xf27891bef37c9cb066ded7b428b0591f<br>Finished request 1.<br>Going to the next request<br>Waking up in 4.8 seconds.<br>rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=2, length=1605<br>
User-Name = "test01"<br> EAP-Message = 0x020405bd0d80000005b316030105830b0004730004700002343082023030820199a0030201020208282cc1177c2ee3cd300d06092a864886f70d0101040500301d310b300906035504061302434e310e300c06035504030c0553756243413020170d3039303832363031333833385a180f32313038303832363031333833385a301e310b300906035504061302434e310f300d06035504030c0674657374303130819f300d06092a864886f70d010101050003818d00308189028181008874a06d0fcb137eac82d9e92d3abc270f97d8f5ea0965f69c62c6e42fe075869ba8255e9b046581ca8356f796389b9ef43b6660586d526666244cf29ef782bf<br>
EAP-Message = 0x80e4419d577a1590f89ec59bd4cf348ab3cd2af042054c423c66cd29227a628eb7710b918608cbf59872e120962c1226baa5720f8330da03e61d93def9d911130203010001a3763074303b0603551d2304343032801433a67c94686b7a0b5945e4eb04766a1246433580a110810e434e3d53756243412c20433d434e82082136f9fe58a4dee730090603551d1304023000300b0603551d0f040403020780301d0603551d0e04160414a9267c897fdd0f74a9cfd1f318d1c16b89cbaad3300d06092a864886f70d01010405000381810044be805a98c8eb17cce4cbbbca5d841cf326d507eee0b3e59e88b28f22e472eb6ed52399c5566480da512ef893<br>
EAP-Message = 0x4203521cf8fa8d0dcff9d5ed96d7ffa3c7504400a920fdaf688dfed2502d6fac9f31d13720d40dd9f5784ddc1af78bd4efbf4f61b57ba1333384a07d3ab19903e61e38f4b075237b8d312ce96e1dd33e9913dc000236308202323082019ba00302010202082136f9fe58a4dee7300d06092a864886f70d0101040500301e310b300906035504061302434e310f300d06035504030c06526f6f744341301e170d3039303832363031333635325a170d3139303832363031333635325a301d310b300906035504061302434e310e300c06035504030c05537562434130819f300d06092a864886f70d010101050003818d0030818902818100849a9687d2<br>
EAP-Message = 0xfb63cd2407c98484c06f714766dbcbfdfdd3e52d003ebd049f1a91f68a4eaf12326bd82e6805fa90610e906c798ef0c574c502913958de79f4ec774ce89b625a738b6f395c30a2703d81d47785e4a47bdb49c96a9857645507cc8ad67bf1d1e2253ac8ea5884bb7fa8079da740922a9d18d421d159252dcb0250db0203010001a37a3078303c0603551d230435303380146d746f53b99052eda7f2ddc00aeaf4a7627376c8a111810f434e3d526f6f7443412c20433d434e82082a44f6b76f9b83fd300c0603551d13040530030101ff300b0603551d0f040403020106301d0603551d0e0416041433a67c94686b7a0b5945e4eb04766a124643358030<br>
EAP-Message = 0x0d06092a864886f70d01010405000381810082ce3a088d975173c71d7c9479349ce87191a8fcd70190782de1b2e927b682a95dabc305faf7e6e3424f224c2c992b0d95d1cd208d7f8a9b0dc29e622c72eeb4bf8189a0019e0d715a69824cae4d8726598a11933a29d6ffe0296a6187f1f5f56bebc0d9c74cedcf406aa12a348b85c0b7677fd7513ec7fa605d3b1c40441d00100000820080775b3bf40951517762ab09a29118cb469943c3394f79c1cf6af9b2c16f3cbfe0b46286a46502fec8db0a27375a47d3a80caeabc2a9d111e54d12dbb827a4ff0986c1bc216667b3664ef9c2eb0f8e2ad2ce9416ffbec8698958a25647a4c41e3b1d025bae7e<br>
EAP-Message = 0x314d333770c694a9e0b7c69c55d41cb5d39a6cd0a9104c321b16f10f000082008045ee5b3caa57d90cc677cef5613fd7ea7eface1fd270d8d79f30c9a5aa59955e1970bb46e9810e3b32d3b95aed2ed6851c3f1d472eb5cdcd66a36812a5cd504dabfcdb2480706f72609d6306256df7fe4643ce33251643d2b3a139523f06f089b82b3da272f94f93f2053f0853bc676e7f1c33ff2acda82ea33719447cec713514030100010116030100205d4a7ef850987e1a7050cda07ad2cde2259bb9bccb34e35d71074ebb54fbe2cc<br>
Message-Authenticator = 0x092ea59633356e2212f9d607f393ed3a<br> NAS-IP-Address = 10.10.10.221<br> NAS-Identifier = "0023893a34b3"<br> NAS-Port = 16781313<br> NAS-Port-Type = Ethernet<br>
Service-Type = Framed-User<br> Framed-Protocol = PPP<br> Calling-Station-Id = "001a-6b67-1b8a"<br> State = 0xf27891bef37c9cb066ded7b428b0591f<br>+- entering group authorize {...}<br>
++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No <a href="mailto:'@'">'@'</a> in User-Name = "test01", looking up realm NULL<br>[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>[eap] EAP packet type response id 4 length 253<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[unix] returns notfound<br>[files] users: Matched entry DEFAULT at line 172<br>
++[files] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>
[eap] EAP/tls<br>[eap] processing type tls<br>[tls] Authenticate<br>[tls] processing EAP-TLS<br> TLS Length 1459<br>[tls] Length Included<br>[tls] eaptls_verify returned 11 <br>[tls] <<< TLS 1.0 Handshake [length 0477], Certificate <br>
--> verify error:num=3:unable to get certificate CRL <br>[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca <br>TLS Alert write:fatal:unknown CA <br> TLS_accept:error in SSLv3 read client certificate B <br>
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned<br>SSL: SSL_read failed in a system call (-1), TLS session fails.<br>TLS receive handshake failed during operation<br>[tls] eaptls_process returned 4 <br>
[eap] Handler failed in EAP/tls<br>[eap] Failed in EAP select<br>++[eap] returns invalid<br>Failed to authenticate the user.<br>Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> test01<br>
attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 2 for 1 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 2<br>
Sending Access-Reject of id 2 to 10.10.10.221 port 5001<br> EAP-Message = 0x04040004<br> Message-Authenticator = 0x00000000000000000000000000000000<br>Waking up in 3.5 seconds.<br>Cleaning up request 0 ID 0 with timestamp +124<br>
Waking up in 0.1 seconds.<br>Cleaning up request 1 ID 1 with timestamp +124<br>Waking up in 1.2 seconds.<br>Cleaning up request 2 ID 2 with timestamp +125<br>Ready to process requests.</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>and the eap.conf is :</div>
<div> </div>
<div> </div>
<div> </div>
<div># -*- text -*-<br>##<br>## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)<br>##<br>## $Id$</div>
<div>#######################################################################<br>#<br># Whatever you do, do NOT set 'Auth-Type := EAP'. The server<br># is smart enough to figure this out on its own. The most<br>
# common side effect of setting 'Auth-Type := EAP' is that the<br># users then cannot use ANY other authentication method.<br>#<br># EAP types NOT listed here may be supported via the "eap2" module.<br>
# See experimental.conf for documentation.<br>#<br> eap {<br> # Invoke the default supported EAP type when<br> # EAP-Identity response is received.<br> #<br> # The incoming EAP messages DO NOT specify which EAP<br>
# type they will be using, so it MUST be set here.<br> #<br> # For now, only one default EAP type may be used at a time.<br> #<br> # If the EAP-Type attribute is set by another module,<br> # then that EAP type takes precedence over the<br>
# default type configured here.<br> #<br> default_eap_type = tls</div>
<div> # A list is maintained to correlate EAP-Response<br> # packets with EAP-Request packets. After a<br> # configurable length of time, entries in the list<br> # expire, and are deleted.<br> #<br> timer_expire = 60</div>
<div> # There are many EAP types, but the server has support<br> # for only a limited subset. If the server receives<br> # a request for an EAP type it does not support, then<br> # it normally rejects the request. By setting this<br>
# configuration to "yes", you can tell the server to<br> # instead keep processing the request. Another module<br> # MUST then be configured to proxy the request to<br> # another RADIUS server which supports that EAP type.<br>
#<br> # If another module is NOT configured to handle the<br> # request, then the request will still end up being<br> # rejected.<br> ignore_unknown_eap_types = no</div>
<div> # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given<br> # a User-Name attribute in an Access-Accept, it copies one<br> # more byte than it should.<br> #<br> # We can work around it by configurably adding an extra<br>
# zero byte.<br> cisco_accounting_username_bug = no</div>
<div> #<br> # Help prevent DoS attacks by limiting the number of<br> # sessions that the server is tracking. Most systems<br> # can handle ~30 EAP sessions/s, so the default limit<br> # of 2048 is more than enough.<br>
max_sessions = 2048</div>
<div> # Supported EAP-types</div>
<div> #<br> # We do NOT recommend using EAP-MD5 authentication<br> # for wireless connections. It is insecure, and does<br> # not provide for dynamic WEP keys.<br> #<br> md5 {<br> }</div>
<div> # Cisco LEAP<br> #<br> # We do not recommend using LEAP in new deployments. See:<br> #<br> # Cisco LEAP uses the MS-CHAP algorithm (but not<br> # the MS-CHAP attributes) to perform it's authentication.<br>
#<br> # As a result, LEAP *requires* access to the plain-text<br> # User-Password, or the NT-Password attributes.<br> # 'System' authentication is impossible with LEAP.<br> #<br> leap {<br> }</div>
<div> # Generic Token Card.<br> #<br> # Currently, this is only permitted inside of EAP-TTLS,<br> # or EAP-PEAP. The module "challenges" the user with<br> # text, and the response from the user is taken to be<br>
# the User-Password.<br> #<br> # Proxying the tunneled EAP-GTC session is a bad idea,<br> # the users password will go over the wire in plain-text,<br> # for anyone to see.<br> #<br> gtc {<br> # The default challenge, which many clients<br>
# ignore..<br> #challenge = "Password: "</div>
<div> # The plain-text response which comes back<br> # is put into a User-Password attribute,<br> # and passed to another module for<br> # authentication. This allows the EAP-GTC<br> # response to be checked against plain-text,<br>
# or crypt'd passwords.<br> #<br> # If you say "Local" instead of "PAP", then<br> # the module will look for a User-Password<br> # configured for the request, and do the<br> # authentication itself.<br>
#<br> auth_type = PAP<br> }</div>
<div> ## EAP-TLS<br> #<br> # See raddb/certs/README for additional comments<br> # on certificates.<br> #<br> # If OpenSSL was not found at the time the server was<br> # built, the "tls", "ttls", and "peap" sections will<br>
# be ignored.<br> #<br> # Otherwise, when the server first starts in debugging<br> # mode, test certificates will be created. See the<br> # "make_cert_command" below for details, and the README<br> # file in raddb/certs<br>
#<br> # These test certificates SHOULD NOT be used in a normal<br> # deployment. They are created only to make it easier<br> # to install the server, and to perform some simple<br> # tests with EAP-TLS, TTLS, or PEAP.<br>
#<br> # See also:<br> #<br> #<br> tls {<br> #<br> # These is used to simplify later configurations.<br> #<br> certdir = ${confdir}/certs<br> cadir = ${confdir}/certs</div>
<div> private_key_password = 111111<br> private_key_file = ${certdir}/server.pem</div>
<div> # If Private key & Certificate are located in<br> # the same file, then private_key_file &<br> # certificate_file must contain the same file<br> # name.<br> #<br> # If CA_file (below) is not used, then the<br>
# certificate_file below MUST include not<br> # only the server certificate, but ALSO all<br> # of the CA certificates used to sign the<br> # server certificate.<br> certificate_file = ${certdir}/server.pem</div>
<div> # Trusted Root CA list<br> #<br> # ALL of the CA's in this list will be trusted<br> # to issue client certificates for authentication.<br> #<br> # In general, you should use self-signed<br> # certificates for 802.1x (EAP) authentication.<br>
# In that case, this CA file should contain<br> # *one* CA certificate.<br> #<br> # This parameter is used only for EAP-TLS,<br> # when you issue client certificates. If you do<br> # not use client certificates, and you do not want<br>
# to permit EAP-TLS authentication, then delete<br> # this configuration item.<br> CA_file = ${cadir}/ca.pem</div>
<div> #<br> # For DH cipher suites to work, you have to<br> # run OpenSSL to create the DH file first:<br> #<br> # openssl dhparam -out certs/dh 1024<br> #<br> dh_file = ${certdir}/dh<br> random_file = ${certdir}/random</div>
<div> #<br> # This can never exceed the size of a RADIUS<br> # packet (4096 bytes), and is preferably half<br> # that, to accomodate other attributes in<br> # RADIUS packet. On most APs the MAX packet<br> # length is configured between 1500 - 1600<br>
# In these cases, fragment size should be<br> # 1024 or less.<br> #<br> # fragment_size = 1024</div>
<div> # include_length is a flag which is<br> # by default set to yes If set to<br> # yes, Total Length of the message is<br> # included in EVERY packet we send.<br> # If set to no, Total Length of the<br>
# message is included ONLY in the<br> # First packet of a fragment series.<br> #<br> # include_length = yes</div>
<div> # Check the Certificate Revocation List<br> #<br> # 1) Copy CA certificates and CRLs to same directory.<br> # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.<br> # 'c_rehash' is OpenSSL's command.<br>
# 3) uncomment the line below.<br> # 5) Restart radiusd<br> check_crl = yes<br> CA_path = ${certdir}</div>
<div> #<br> # If check_cert_issuer is set, the value will<br> # be checked against the DN of the issuer in<br> # the client certificate. If the values do not<br> # match, the cerficate verification will fail,<br>
# rejecting the user.<br> #<br> # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"</div>
<div> #<br> # If check_cert_cn is set, the value will<br> # be xlat'ed and checked against the CN<br> # in the client certificate. If the values<br> # do not match, the certificate verification<br>
# will fail rejecting the user.<br> #<br> # This check is done only if the previous<br> # "check_cert_issuer" is not set, or if<br> # the check succeeds.<br> #<br>
# check_cert_cn = %{User-Name}<br> #<br> # Set this option to specify the allowed<br> # TLS cipher suites. The format is listed<br> # in "man 1 ciphers".<br> cipher_list = "DEFAULT"</div>
<div> #</div>
<div> # This configuration entry should be deleted<br> # once the server is running in a normal<br> # configuration. It is here ONLY to make<br> # initial deployments easier.<br> #<br> make_cert_command = "${certdir}/bootstrap"</div>
<div> #<br> # Session resumption / fast reauthentication<br> # cache.<br> #<br> cache {<br> #<br> # Enable it. The default is "no".<br> # Deleting the entire "cache" subsection<br>
# Also disables caching.<br> #<br> # You can disallow resumption for a<br> # particular user by adding the following<br> # attribute to the control item list:<br> #<br>
# Allow-Session-Resumption = No<br> #<br> # If "enable = no" below, you CANNOT<br> # enable resumption for just one user<br> # by setting the above attribute to "yes".<br>
#<br> enable = no</div>
<div> #<br> # Lifetime of the cached entries, in hours.<br> # The sessions will be deleted after this<br> # time.<br> #<br> lifetime = 24 # hours</div>
<div> #<br> # The maximum number of entries in the<br> # cache. Set to "0" for "infinite".<br> #<br> # This could be set to the number of users<br> # who are logged in... which can be a LOT.<br>
#<br> max_entries = 255<br> }<br> }</div>
<div> # The TTLS module implements the EAP-TTLS protocol,<br> # which can be described as EAP inside of Diameter,<br> # inside of TLS, inside of EAP, inside of RADIUS...<br> #<br> # Surprisingly, it works quite well.<br>
#<br> # The TTLS module needs the TLS module to be installed<br> # and configured, in order to use the TLS tunnel<br> # inside of the EAP packet. You will still need to<br> # configure the TLS module, even if you do not want<br>
# to deploy EAP-TLS in your network. Users will not<br> # be able to request EAP-TLS, as it requires them to<br> # have a client certificate. EAP-TTLS does not<br> # require a client certificate.<br> #<br> # You can make TTLS require a client cert by setting<br>
#<br> # EAP-TLS-Require-Client-Cert = Yes<br> #<br> # in the control items for a request.<br> #<br> ttls {<br> # The tunneled EAP session needs a default<br> # EAP type which is separate from the one for<br>
# the non-tunneled EAP module. Inside of the<br> # TTLS tunnel, we recommend using EAP-MD5.<br> # If the request does not contain an EAP<br> # conversation, then this configuration entry<br> # is ignored.<br>
default_eap_type = md5</div>
<div> # The tunneled authentication request does<br> # not usually contain useful attributes<br> # like 'Calling-Station-Id', etc. These<br> # attributes are outside of the tunnel,<br> # and normally unavailable to the tunneled<br>
# authentication request.<br> #<br> # By setting this configuration entry to<br> # 'yes', any attribute which NOT in the<br> # tunneled authentication request, but<br> # which IS available outside of the tunnel,<br>
# is copied to the tunneled request.<br> #<br> # allowed values: {no, yes}<br> copy_request_to_tunnel = no</div>
<div> # The reply attributes sent to the NAS are<br> # usually based on the name of the user<br> # 'outside' of the tunnel (usually<br> # 'anonymous'). If you want to send the<br> # reply attributes based on the user name<br>
# inside of the tunnel, then set this<br> # configuration entry to 'yes', and the reply<br> # to the NAS will be taken from the reply to<br> # the tunneled request.<br> #<br> # allowed values: {no, yes}<br>
use_tunneled_reply = no</div>
<div> #<br> # The inner tunneled request can be sent<br> # through a virtual server constructed<br> # specifically for this purpose.<br> #<br> # If this entry is commented out, the inner<br> # tunneled request will be sent through<br>
# the virtual server that processed the<br> # outer requests.<br> #<br> virtual_server = "inner-tunnel"<br> }</div>
<div> ##################################################<br> #<br> # !!!!! WARNINGS for Windows compatibility !!!!!<br> #<br> ##################################################<br> #<br> # If you see the server send an Access-Challenge,<br>
# and the client never sends another Access-Request,<br> # then<br> #<br> # STOP!<br> #<br> # The server certificate has to have special OID's<br> # in it, or else the Microsoft clients will silently<br> # fail. See the "scripts/xpextensions" file for<br>
# details, and the following page:<br> #<br> # <a href="http://support.microsoft.com/kb/814394/en-us">http://support.microsoft.com/kb/814394/en-us</a><br> #<br> # For additional Windows XP SP2 issues, see:<br> #<br>
# <a href="http://support.microsoft.com/kb/885453/en-us">http://support.microsoft.com/kb/885453/en-us</a><br> #<br> # Note that we do not necessarily agree with their<br> # explanation... but the fix does appear to work.<br>
#<br> ##################################################</div>
<div> #<br> # The tunneled EAP session needs a default EAP type<br> # which is separate from the one for the non-tunneled<br> # EAP module. Inside of the TLS/PEAP tunnel, we<br> # recommend using EAP-MS-CHAPv2.<br>
#<br> # The PEAP module needs the TLS module to be installed<br> # and configured, in order to use the TLS tunnel<br> # inside of the EAP packet. You will still need to<br> # configure the TLS module, even if you do not want<br>
# to deploy EAP-TLS in your network. Users will not<br> # be able to request EAP-TLS, as it requires them to<br> # have a client certificate. EAP-PEAP does not<br> # require a client certificate.<br> #<br> #<br>
# You can make PEAP require a client cert by setting<br> #<br> # EAP-TLS-Require-Client-Cert = Yes<br> #<br> # in the control items for a request.<br> #<br> peap {<br> # The tunneled EAP session needs a default<br>
# EAP type which is separate from the one for<br> # the non-tunneled EAP module. Inside of the<br> # PEAP tunnel, we recommend using MS-CHAPv2,<br> # as that is the default type supported by<br> # Windows clients.<br>
default_eap_type = mschapv2</div>
<div> # the PEAP module also has these configuration<br> # items, which are the same as for TTLS.<br> copy_request_to_tunnel = no<br> use_tunneled_reply = no</div>
<div> # When the tunneled session is proxied, the<br> # home server may not understand EAP-MSCHAP-V2.<br> # Set this entry to "no" to proxy the tunneled<br> # EAP-MSCHAP-V2 as normal MSCHAPv2.<br> # proxy_tunneled_request_as_eap = yes</div>
<div> #<br> # The inner tunneled request can be sent<br> # through a virtual server constructed<br> # specifically for this purpose.<br> #<br> # If this entry is commented out, the inner<br> # tunneled request will be sent through<br>
# the virtual server that processed the<br> # outer requests.<br> #<br> virtual_server = "inner-tunnel"<br> }</div>
<div> #<br> # This takes no configuration.<br> #<br> # Note that it is the EAP MS-CHAPv2 sub-module, not<br> # the main 'mschap' module.<br> #<br> # Note also that in order for this sub-module to work,<br>
# the main 'mschap' module MUST ALSO be configured.<br> #<br> # This module is the *Microsoft* implementation of MS-CHAPv2<br> # in EAP. There is another (incompatible) implementation<br> # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not<br>
# currently support.<br> #<br> mschapv2 {<br> }<br> }<br></div>