# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##	$Id$

#######################################################################
	eap {		
		default_eap_type = md5		
		timer_expire     = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		max_sessions = 4096

		md5 {
		}	
		leap {
		}	
		gtc {
			auth_type = PAP
		}

		## EAP-TLS
		
		tls {		
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs
			private_key_password = whatever
			private_key_file = ${certdir}/server.key
			certificate_file = ${certdir}/server.pem
			CA_file = ${cadir}/ca.pem
			dh_file = ${certdir}/dh
			random_file = /dev/urandom
			
		#	fragment_size = 1024
		#	include_length = yes
		#	check_crl = yes
			CA_path = ${cadir}
		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
		#	check_cert_cn = %{User-Name}
			cipher_list = "DEFAULT"
			make_cert_command = "${certdir}/bootstrap"
			ecdh_curve = "prime256v1"
		
			cache {			   
			      enable = no
			      lifetime = 24 # hours		     
			      max_entries = 255
			}

			verify {	
		#     		tmpdir = /tmp/radiusd
		#    		client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
			}
	
			ocsp {			     
			      enable = no
			      override_cert_url = yes
			      url = "http://127.0.0.1/ocsp/"
			}
		}

		
		ttls {
			
			default_eap_type = md5		
			copy_request_to_tunnel = no			
			use_tunneled_reply = no
			virtual_server = "inner-tunnel"
		#	include_length = yes
		}

		
		peap {			
			default_eap_type = mschapv2
			copy_request_to_tunnel = no
			use_tunneled_reply = no
		#	proxy_tunneled_request_as_eap = yes
			virtual_server = "inner-tunnel"
#			soh = yes
#			soh_virtual_server = "soh-server"
		}

		mschapv2 {
#			send_error = no
		}
	}