2
3
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
3
4
# is smart enough to figure this out on its own. The most
4
5
# common side effect of setting 'Auth-Type := EAP' is that the
5
6
# users then cannot use ANY other authentication method.
7
# $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
8
# $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
10
11
# Invoke the default supported EAP type when
78
79
# Generic Token Card.
80
81
# Currently, this is only permitted inside of EAP-TTLS,
81
82
# or EAP-PEAP. The module "challenges" the user with
82
83
# text, and the response from the user is taken to be
167
168
# 5) Restart radiusd
168
169
# check_crl = yes
171
# If check_cert_cn is set, the value will
172
# be xlat'ed and checked against the CN
173
# in the client certificate. If the values
174
# do not match, the certificate verification
175
# will fail rejecting the user.
177
# check_cert_cn = %{User-Name}
172
# If check_cert_issuer is set, the value will
173
# be checked against the DN of the issuer in
174
# the client certificate. If the values do not
175
# match, the cerficate verification will fail,
176
# rejecting the user.
178
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
181
# If check_cert_cn is set, the value will
182
# be xlat'ed and checked against the CN
183
# in the client certificate. If the values
184
# do not match, the certificate verification
185
# will fail rejecting the user.
187
# This check is done only if the previous
188
# "check_cert_issuer" is not set, or if
189
# the check succeeds.
191
# check_cert_cn = %{User-Name}
193
# Set this option to specify the allowed
194
# TLS cipher suites. The format is listed
195
# in "man 1 ciphers".
196
# cipher_list = "DEFAULT"
180
199
# The TTLS module implements the EAP-TTLS protocol,
186
205
# The TTLS module needs the TLS module to be installed
187
206
# and configured, in order to use the TLS tunnel
188
# inside of the EAP packet. You will still need to
207
# inside of the EAP packet. You will still need to
189
208
# configure the TLS module, even if you do not want
190
209
# to deploy EAP-TLS in your network. Users will not
191
210
# be able to request EAP-TLS, as it requires them to
219
238
# copy_request_to_tunnel = no
221
240
# The reply attributes sent to the NAS are
222
# usually based on the name of the user
241
# usually based on the name of the user
223
242
# 'outside' of the tunnel (usually
224
243
# 'anonymous'). If you want to send the
225
244
# reply attributes based on the user name
242
260
# The PEAP module needs the TLS module to be installed
243
261
# and configured, in order to use the TLS tunnel
244
# inside of the EAP packet. You will still need to
262
# inside of the EAP packet. You will still need to
245
263
# configure the TLS module, even if you do not want
246
264
# to deploy EAP-TLS in your network. Users will not
247
265
# be able to request EAP-TLS, as it requires them to
256
274
# as that is the default type supported by
257
275
# Windows clients.
258
276
# default_eap_type = mschapv2
278
# the PEAP module also has these configuration
279
# items, which are the same as for TTLS.
280
# copy_request_to_tunnel = no
281
# use_tunneled_reply = no
283
# When the tunneled session is proxied, the
284
# home server may not understand EAP-MSCHAP-V2.
285
# Set this entry to "no" to proxy the tunneled
286
# EAP-MSCHAP-V2 as normal MSCHAPv2.
287
# proxy_tunneled_request_as_eap = yes
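Review bot: The new certificate-check comments (new lines 172–196) document check_cert_issuer, check_cert_cn and cipher_list only as commented-out examples, like check_crl just above, and never say what the server does when they are unset. As far as the visible lines show, leaving them unset means no issuer, CN or revocation check is made on the client certificate. I would say so above check_cert_issuer, e.g. `# If neither check_cert_issuer nor check_cert_cn is set, no issuer or CN check is made.`, after confirming this against the module's behaviour. For cipher_list, the comment should add that `"DEFAULT"` is whatever list the linked OpenSSL build defines, so sites that must exclude weak suites need an explicit string. Also, "cerficate" in the check_cert_issuer text should read "certificate"; the enclosing tls block starts and ends outside the lines shown here.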