rlm_eap - inner_eap

Synopsis

Sample configuration for an EAP module instance that runs inside of a tunnelled method (PEAP or TTLS). It is used to limit the EAP types that can be negotiated inside of the inner tunnel: only the types configured here are available as the inner method. See also raddb/sites-available/inner-tunnel. See raddb/mods-available/eap for full documentation on the meaning of these configuration entries.

Processing Sections

Any.

Expansions

None.

Directives

default_eap_type
Syntax

default_eap_type = string

Default

mschapv2

Description

The EAP type proposed to the supplicant inside the tunnel when it does not request a specific one. MSCHAPv2 is the best choice for PEAP.

max_sessions
Syntax

max_sessions = integer

Default

2048

Description

The maximum number of inner EAP sessions tracked at once. Every inner session belongs to an outer session, so this should be the same as the outer eap module's max_sessions.

timer_expire
Syntax

timer_expire = integer

Default

60

Description

Time, in seconds, after which an inner EAP session that has received no response from the supplicant is discarded.

Supported EAP-types

Synopsis

Each EAP type that may be negotiated inside the tunnel is configured in its own sub-section below. A type with no sub-section here cannot be used as the inner method, which is how this module limits what the inner tunnel accepts.

Directives

None at this level; see the sub-sections for each type.

md5

Synopsis

EAP-MD5. The simplest EAP type; it requires a cleartext password to be available to the server and offers no mutual authentication of its own, so it should only be used inside the tunnel, as here.

Directives

None.

gtc

Synopsis

EAP-GTC. The supplicant answers a text challenge with the password itself, which travels unprotected inside the tunnel; GTC is therefore only safe as an inner method, where the outer TLS tunnel encrypts it.

Directives

auth_type
Syntax

auth_type = string

Default

PAP

Description

The Auth-Type used to verify the password received via EAP-GTC. With PAP, the password is handled like a PAP request and checked against the "known good" password found in the inner tunnel's authorize section.

challenge
Syntax

challenge = string

Default

Password:

Description

The text prompt sent in the EAP-GTC challenge. Many clients ignore it and simply send the password.

mschapv2

Synopsis

EAP-MSCHAPv2 inside the tunnel. No TTLS or PEAP configuration should be listed in this inner module: tunnelled methods are not nested.

Directives

send_error
Syntax

send_error = boolean

Default

no

Description

See the eap module documentation for the meaning of send_error.

EAP-TLS

Synopsis

You SHOULD use different certificates than those used for the outer EAP configuration! Support for PEAP/TLS and TLS/TLS (EAP-TLS as the inner method) is experimental. It might work, or it might not. The session resumption / fast reauthentication cache CANNOT be used for inner sessions.

Directives

ca_file
Syntax

ca_file = string

Default

${cadir}/ca.pem

Description

CA certificate(s) used for the inner TLS session. If different CAs are required for the inner and outer certificates, point this directive at a different file than the one used in the outer configuration.

ca_path
Syntax

ca_path = string

Default

/path/to/directory/with/ca_certs/and/crls/

Description

Directory of CA certificates and CRLs in OpenSSL hashed-filename layout (as produced by c_rehash). CRL and OCSP related settings go here. See the main eap file for details.

certificate_file
Syntax

certificate_file = string

Default

${certdir}/inner-server.pem

Description

If the Private key & Certificate are located in the same file, then private_key_file & certificate_file must contain the same file name. If ca_file is not used, then the certificate_file MUST include not only the server certificate, but ALSO all of the CA certificates used to sign the server certificate.
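
The three rules above are easy to get wrong when copying the outer tls section. As an added example (not part of FreeRADIUS or its configuration), the following Python applies them to constructed file contents: the inner certificate_file must not be the same file as the outer one, a file used as both certificate_file and private_key_file must actually contain the key, and without ca_file the certificate_file must carry the CA chain. The PEM bodies are placeholders, and the directive dictionaries stand in for already-expanded tls {} sections.

```python
import re

# One PEM block; the label is captured so that END must match BEGIN.
# Bodies are never decoded: only the block labels matter for these checks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(text: str) -> list:
    """Labels of the PEM blocks in a file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_inner_tls(inner: dict, outer: dict, files: dict) -> list:
    """Apply the certificate_file rules to an inner tls {} section.

    inner, outer: directive name -> value for the inner and outer tls sections
    (${...} already expanded). files: path -> file contents (constructed here).
    Returns a list of problems; an empty list means the section passes."""
    problems = []
    cert_path = inner["certificate_file"]
    key_path = inner.get("private_key_file", cert_path)
    cert_labels = pem_labels(files.get(cert_path, ""))
    n_certs = cert_labels.count("CERTIFICATE")

    if n_certs == 0:
        problems.append("certificate_file has no CERTIFICATE block")
    # The inner tunnel SHOULD use a different server certificate than the outer one.
    if cert_path == outer.get("certificate_file"):
        problems.append("inner certificate_file is the same file as the outer certificate_file")
    # Without ca_file, certificate_file must include the CA certificates as well.
    if not inner.get("ca_file") and n_certs < 2:
        problems.append("no ca_file and certificate_file does not include the CA chain")
    # Key and certificate in one file: both directives name it, and the key must be in it.
    key_labels = cert_labels if key_path == cert_path else pem_labels(files.get(key_path, ""))
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        problems.append("private_key_file %s contains no PRIVATE KEY block" % key_path)
    return problems


def _pem(label: str, body: str = "MIIB...placeholder...") -> str:
    """Constructed PEM block with a placeholder body; not a real key or certificate."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed file contents standing in for ${certdir}/... (hypothetical paths).
FILES = {
    "/etc/raddb/certs/server.pem": _pem("CERTIFICATE") + _pem("RSA PRIVATE KEY"),
    "/etc/raddb/certs/inner-server.pem": _pem("CERTIFICATE") + _pem("CERTIFICATE") + _pem("RSA PRIVATE KEY"),
    "/etc/raddb/certs/ca.pem": _pem("CERTIFICATE"),
}

OUTER = {"certificate_file": "/etc/raddb/certs/server.pem", "ca_file": "/etc/raddb/certs/ca.pem"}

# Good inner section: its own file, CA chain embedded, key in the same file.
INNER_OK = {"certificate_file": "/etc/raddb/certs/inner-server.pem",
            "private_key_file": "/etc/raddb/certs/inner-server.pem"}

# Bad inner section: reuses the outer file, which carries no chain, and sets no ca_file.
INNER_BAD = {"certificate_file": "/etc/raddb/certs/server.pem",
             "private_key_file": "/etc/raddb/certs/server.pem"}

if __name__ == "__main__":
    for name, section in (("ok", INNER_OK), ("bad", INNER_BAD)):
        print(name, check_inner_tls(section, OUTER, FILES) or "passes")
```

To run it against a real installation, replace FILES with the contents read from the paths named in the two tls sections; the checks themselves do not depend on the placeholder bodies.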

check_crl
Syntax

check_crl = boolean

Default

yes

Description

Check client certificates presented inside the tunnel against the CRLs in ca_path. This requires current CRLs to be present there; if the CRL for an issuer is missing, OpenSSL rejects every certificate from that issuer. See the main eap file for details.

cipher_list
Syntax

cipher_list = string

Default

DEFAULT

Description

OpenSSL cipher list string for the inner TLS session. DEFAULT selects the OpenSSL defaults.

dh_file
Syntax

dh_file = string

Default

${certdir}/dh

Description

File containing Diffie-Hellman parameters, needed for the DHE cipher suites.

fragment_size
Syntax

fragment_size = integer

Default

1024

Description

You may want to set a much smaller fragment size than in the outer configuration. The inner TLS data is carried inside the outer tunnel's TLS records, which are themselves fragmented by the outer EAP-TLS layer, so an inner fragment as large as the outer fragment_size will not fit in a single outer packet. Try values and see if they work.
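
To make that interaction concrete, the following Python is an added example (not FreeRADIUS code) that frames a TLS message into EAP-TLS packets as specified in RFC 5216 section 3.1, parses them back, and then estimates how many outer EAP-TLS packets each inner packet occupies once it has been wrapped in a TLS record of the outer tunnel. It assumes fragment_size counts TLS data bytes per packet, that the inner EAP packet is carried whole as outer application data (a simplification of how PEAP and TTLS frame inner EAP), and an assumed 29-byte record overhead (TLS 1.2 AES-GCM: 5-byte header, 8-byte explicit nonce, 16-byte tag). FreeRADIUS's exact accounting differs; the shape of the result is the point.

```python
import math
import struct

EAP_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start


def fragment_tls(tls_data: bytes, fragment_size: int, first_id: int = 1) -> list:
    """Split one TLS message into EAP-Request/EAP-TLS packets (RFC 5216, section 3.1).

    fragment_size is taken to be the maximum number of TLS data bytes per packet
    (an assumption made for this example). The first packet carries the L flag and
    the 4-byte TLS Message Length; every packet except the last carries the M flag."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    packets, offset, ident, first = [], 0, first_id, True
    while True:
        chunk = tls_data[offset:offset + fragment_size]
        offset += len(chunk)
        flags, extra = 0, b""
        if first:
            flags |= FLAG_L
            extra = struct.pack("!I", len(tls_data))
            first = False
        if offset < len(tls_data):
            flags |= FLAG_M
        body = bytes([EAP_TYPE_TLS, flags]) + extra + chunk
        # EAP header: Code, Identifier, Length (Length covers the whole packet).
        packets.append(struct.pack("!BBH", EAP_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
        if offset >= len(tls_data):
            return packets


def reassemble(packets: list) -> bytes:
    """Inverse of fragment_tls, checking the Length, L and M fields on the way."""
    out, declared = bytearray(), None
    for i, pkt in enumerate(packets):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet %d" % i)
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            (declared,) = struct.unpack("!I", pkt[6:10])
            pos = 10
        elif i == 0:
            raise ValueError("first fragment must carry the TLS Message Length")
        if bool(flags & FLAG_M) != (i < len(packets) - 1):
            raise ValueError("M flag does not match packet position %d" % i)
        out += pkt[pos:]
    if declared is not None and declared != len(out):
        raise ValueError("TLS Message Length %d != %d bytes received" % (declared, len(out)))
    return bytes(out)


TLS_RECORD_OVERHEAD = 5 + 8 + 16   # assumed TLS 1.2 AES-GCM framing around each inner packet


def outer_packets_per_inner(inner_packets: list, outer_fragment_size: int,
                            record_overhead: int = TLS_RECORD_OVERHEAD) -> list:
    """Outer EAP-TLS packets needed for each inner packet after it is wrapped in a TLS
    record of the outer tunnel and fragmented again with the outer fragment_size."""
    return [math.ceil((len(pkt) + record_overhead) / outer_fragment_size)
            for pkt in inner_packets]


if __name__ == "__main__":
    inner_msg = bytes(range(256)) * 10          # constructed 2560-byte inner TLS message
    for inner_fs in (1024, 512):
        pkts = fragment_tls(inner_msg, inner_fs)
        assert reassemble(pkts) == inner_msg
        print("inner fragment_size=%4d -> %d inner packets, outer packets each: %s"
              % (inner_fs, len(pkts), outer_packets_per_inner(pkts, 1024)))
```

With both layers at 1024, every full-size inner packet spills into two outer packets and costs an extra round trip; halving the inner fragment_size brings each inner packet back into one outer packet, which is the effect the directive above is tuning.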

private_key_file
Syntax

private_key_file = string

Default

${certdir}/inner-server.pem

Description

The private key for the inner server certificate. It may be the same file as certificate_file, in which case both directives must name that file.

private_key_password
Syntax

private_key_password = string

Default

whatever

Description

Password used to decrypt private_key_file if it is encrypted. "whatever" is the passphrase of the test certificates generated by the FreeRADIUS certs/ scripts; replace it, together with those certificates, before use in production.

random_file
Syntax

random_file = string

Default

${certdir}/random

Description

File used to seed the OpenSSL random number generator.