HowTo: eap-tls with crl and two level CA certificate
高志江
gaozhijiang at gmail.com
Fri Aug 28 08:44:55 CEST 2009
My freeradius version is 2.1.1. When I configure eap-tls with a CRL and a one-level
root certificate, it works normally. But when the CA is two-level, the
root CA is for signing the second-level CA certificate, and the second-level
CA is for signing user certificates and CRLs. This means the root CA
certificate is self-signed, but the second-level CA certificate is not. How
can I configure this? I got the error message below:
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0477], Certificate
--> verify error:num=3:unable to get certificate CRL
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
and the full debug output is:
rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=0, length=119
User-Name = "test01"
EAP-Message = 0x0202000b01746573743031
Message-Authenticator = 0xb8ef974e2b69e44cba1654b844a2d51a
NAS-IP-Address = 10.10.10.221
NAS-Identifier = "0023893a34b3"
NAS-Port = 16781313
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "001a-6b67-1b8a"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.221 port 5001
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf27891bef27b9cb066ded7b428b0591f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=1, length=206
User-Name = "test01"
EAP-Message =
0x020300500d800000004616030100410100003d03014a9770d26937eb2ffd4e3f2645f5e215a8982050c3496e12ac70d9cff2c877c900001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x90519b61ec6ef30f291aae9592159baa
NAS-IP-Address = 10.10.10.221
NAS-Identifier = "0023893a34b3"
NAS-Port = 16781313
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "001a-6b67-1b8a"
State = 0xf27891bef27b9cb066ded7b428b0591f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 023e], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 000d], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.10.10.221 port 5001
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message =
0x810000c17048132d70cbcfd8e0734eeea2bd0a91d32b12a12188d1bda39562ab705aff1a3dd1484b019045c30662af4c3945d480ee87b9c7230b79794f886b2f55c1ab62dd19a366f5b6e5ec8010ce893f993b6b9ab5fe205300810aafd850fa34a1a0ff8eae2e38a207e514c5487598334592a76ae4e9e4f6c12865367365724c1d160301000d0d00000502010200000e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf27891bef37c9cb066ded7b428b0591f
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.10.221 port 5001, id=2, length=1605
User-Name = "test01"
EAP-Message =
0x80e4419d577a1590f89ec59bd4cf348ab3cd2af042054c423c66cd29227a628eb7710b918608cbf59872e120962c1226baa5720f8330da03e61d93def9d911130203010001a3763074303b0603551d2304343032801433a67c94686b7a0b5945e4eb04766a1246433580a110810e434e3d53756243412c20433d434e82082136f9fe58a4dee730090603551d1304023000300b0603551d0f040403020780301d0603551d0e04160414a9267c897fdd0f74a9cfd1f318d1c16b89cbaad3300d06092a864886f70d01010405000381810044be805a98c8eb17cce4cbbbca5d841cf326d507eee0b3e59e88b28f22e472eb6ed52399c5566480da512ef893
EAP-Message =
0x0d06092a864886f70d01010405000381810082ce3a088d975173c71d7c9479349ce87191a8fcd70190782de1b2e927b682a95dabc305faf7e6e3424f224c2c992b0d95d1cd208d7f8a9b0dc29e622c72eeb4bf8189a0019e0d715a69824cae4d8726598a11933a29d6ffe0296a6187f1f5f56bebc0d9c74cedcf406aa12a348b85c0b7677fd7513ec7fa605d3b1c40441d00100000820080775b3bf40951517762ab09a29118cb469943c3394f79c1cf6af9b2c16f3cbfe0b46286a46502fec8db0a27375a47d3a80caeabc2a9d111e54d12dbb827a4ff0986c1bc216667b3664ef9c2eb0f8e2ad2ce9416ffbec8698958a25647a4c41e3b1d025bae7e
EAP-Message =
0x314d333770c694a9e0b7c69c55d41cb5d39a6cd0a9104c321b16f10f000082008045ee5b3caa57d90cc677cef5613fd7ea7eface1fd270d8d79f30c9a5aa59955e1970bb46e9810e3b32d3b95aed2ed6851c3f1d472eb5cdcd66a36812a5cd504dabfcdb2480706f72609d6306256df7fe4643ce33251643d2b3a139523f06f089b82b3da272f94f93f2053f0853bc676e7f1c33ff2acda82ea33719447cec713514030100010116030100205d4a7ef850987e1a7050cda07ad2cde2259bb9bccb34e35d71074ebb54fbe2cc
Message-Authenticator = 0x092ea59633356e2212f9d607f393ed3a
NAS-IP-Address = 10.10.10.221
NAS-Identifier = "0023893a34b3"
NAS-Port = 16781313
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "001a-6b67-1b8a"
State = 0xf27891bef37c9cb066ded7b428b0591f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 1459
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0477], Certificate
--> verify error:num=3:unable to get certificate CRL
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test01
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 2 to 10.10.10.221 port 5001
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 0 ID 0 with timestamp +124
Waking up in 0.1 seconds.
Cleaning up request 1 ID 1 with timestamp +124
Waking up in 1.2 seconds.
Cleaning up request 2 ID 2 with timestamp +125
Ready to process requests.
and the eap.conf is:
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id$
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# EAP types NOT listed here may be supported via the "eap2" module.
# See experimental.conf for documentation.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = tls
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
#
# Help prevent DoS attacks by limiting the number of
# sessions that the server is tracking. Most systems
# can handle ~30 EAP sessions/s, so the default limit
# of 2048 is more than enough.
max_sessions = 2048
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments. See:
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform its authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
leap {
}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the user's password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## EAP-TLS
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# Otherwise, when the server first starts in debugging
# mode, test certificates will be created. See the
# "make_cert_command" below for details, and the README
# file in raddb/certs
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# See also:
#
#
tls {
#
# These are used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = 111111
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in the
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes. If set to
# yes, the Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 4) Restart radiusd
check_crl = yes
CA_path = ${certdir}
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the certificate verification will fail,
# rejecting the user.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# This configuration entry should be deleted
# once the server is running in a normal
# configuration. It is here ONLY to make
# initial deployments easier.
#
make_cert_command = "${certdir}/bootstrap"
#
# Session resumption / fast reauthentication
# cache.
#
cache {
#
# Enable it. The default is "no".
# Deleting the entire "cache" subsection
# also disables caching.
#
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT
# enable resumption for just one user
# by setting the above attribute to "yes".
#
enable = no
#
# Lifetime of the cached entries, in hours.
# The sessions will be deleted after this
# time.
#
lifetime = 24 # hours
#
# The maximum number of entries in the
# cache. Set to "0" for "infinite".
#
# This could be set to the number of users
# who are logged in... which can be a LOT.
#
max_entries = 255
}
}
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-TTLS does not
# require a client certificate.
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = md5
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which is NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = no
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = no
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
}
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
#
# You can make PEAP require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
}
}
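The CA_path/check_crl steps in the eap.conf above hand a hashed directory to OpenSSL, and the "unable to get certificate CRL" verify error is OpenSSL reporting that no CRL was found for the certificate's issuer. The script below is an added example (not from the original post or from FreeRADIUS): it builds a throwaway two-level CA (root, sub CA, client "test01"), lays certs and CRLs out as <hash>.0 / <hash>.r0 exactly as c_rehash would, and runs the same CRL-checked verification with only the root CRL, with the sub CA's CRL, and after revoking the client. It assumes only an openssl CLI of 1.1.1 or newer; all names and subjects are constructed.

```shell
# Added example, not from the original post: reproduce the CA_path/check_crl
# lookup for a two-level CA. Assumes the openssl CLI (1.1.1 or newer).
set -e
cd "$(mktemp -d)"
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca
[ dn ]
[ ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ root_ca ]
database = root.idx
certificate = root.pem
private_key = root.key
default_md = sha256
default_crl_days = 30
[ sub_ca ]
database = sub.idx
certificate = sub.pem
private_key = sub.key
default_md = sha256
default_crl_days = 30
EOF

q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

# issue NAME SUBJECT EXTSECTION [SIGNER]; no SIGNER means a self-signed root
issue() {
  if [ -z "$4" ]; then
    q openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "$2" -keyout "$1.key" -out "$1.pem"
  else
    q openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -subj "$2" -keyout "$1.key" -out "$1.csr"
    q openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile pki.cnf -extensions "$3" -out "$1.pem"
  fi
}
# gencrl NAME: (re)issue NAME.crl from that CA's index database
gencrl() { : >> "$1.idx"; q openssl ca -config pki.cnf -name "$1_ca" -gencrl -out "$1.crl"; }
# What c_rehash produces: a CA cert is found as <subject hash>.0, its CRL as <hash>.r0
add_ca()  { cp "$2" "$1/$(openssl x509 -in "$2" -noout -subject_hash).0"; }
add_crl() { cp "$2" "$1/$(openssl crl  -in "$2" -noout -hash).r0"; }
# The check OpenSSL runs for check_crl = yes (X509_V_FLAG_CRL_CHECK): only the
# CRL of the client certificate's issuer, the sub CA, is looked up in the store.
verify_client() { openssl verify -crl_check -no-CAfile -CApath "$1" client.pem 2>&1; }

issue root   "/CN=Example Root CA" ca
issue sub    "/CN=Example Sub CA"  ca   root
issue client "/CN=test01"          leaf sub
gencrl root; gencrl sub
mkdir store; add_ca store root.pem; add_ca store sub.pem
add_crl store root.crl                        # the root's CRL alone is not enough
RC1=0; OUT1=$(verify_client store) || RC1=$?  # error 3: unable to get certificate CRL
add_crl store sub.crl                         # the issuing CA's CRL is the one needed
RC2=0; OUT2=$(verify_client store) || RC2=$?  # client.pem: OK
q openssl ca -config pki.cnf -name sub_ca -revoke client.pem
gencrl sub; add_crl store sub.crl             # every new CRL must be re-hashed into CA_path
RC3=0; OUT3=$(verify_client store) || RC3=$?  # error 23: certificate revoked
printf '%s\n---\n%s\n---\n%s\n' "$OUT1" "$OUT2" "$OUT3"
```

The middle case is the layout a server such as the one above needs in CA_path: both CA certificates plus the CRL issued by the CA that signs the user certificates, re-hashed every time a new CRL is published.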