TLS - Config - common

Synopsis

Note
tls-config tls-common is not a module.

Common TLS configuration for TLS-based EAP types. See raddb/certs/README for additional comments on certificates. If OpenSSL was not found at the time the server was built, the tls, ttls, and peap sections will be ignored. Otherwise, when the server first starts in debugging mode, test certificates will be created. See the make_cert_command below for details and the README file in raddb/certs These test certificates SHOULD NOT be used in a normal deployment. They are created only to make it easier to install the server and to perform some simple tests with EAP-TLS, TTLS, or PEAP. See also: http://www.dslreports.com/forum/remark,9286052~mode=flat

Note
Globally known CA should not be used here! e.g. using a Verisign cert as a known CA means that ANYONE who has a certificate signed by them can authenticate via EAP-TLS! This is likely not what you want.

Processing Sections

Any.

Expansions

None.

Directives

CA_file
Syntax

CA_file = string

Default

${cadir}/ca.pem

Description

Trusted Root CA list: ALL of the CA’s in this list will be trusted to issue client certificates for authentication. In general, self-signed certificates should be used for 802.1x (EAP) authentication, and this CA file should contain ONLY one CA certificate. This parameter is used only for EAP-TLS, when you issue client certificates. If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration directive.

CA_path
Syntax

CA_path = string

Default

${cadir}

Description

Checks the Certificate Revocation List

  1. Copy CA certificates and CRLs to same directory.

  2. Execute 'c_rehash <CA certs&CRLs Directory>'. 'c_rehash' is OpenSSL’s command.

  3. uncomment the line below.

  4. Restart radiusd

certificate_file
Syntax

certificate_file = string

Default

${certdir}/server.pem

Description

If CA_file is not used, then the certificate_file MUST include not only the server certificate, but ALSO all of the CA certificates used to sign the server certificate.

check_cert_cn
Syntax

check_cert_cn = string

Default

%{User-Name}

Description

If check_cert_cn is set, the value will be xlat’ed and checked against the CN in the client certificate. If the values do not match, the certificate verification will fail, rejecting the user. This check is done only if the previous check_cert_issuer is not set or if the check succeeds. In versions 2.1.10 and later, this check can be done more generally by checking the value of the TLS-Client-Cert-CN attribute. This check can be done via any mechanism you choose.

check_cert_issuer
Syntax

check_cert_issuer = string

Default

/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd

Description

If check_cert_issuer is set, the value will be checked against the DN of the issuer in the client certificate. If the values do not match, the cerficate verification will fail, rejecting the user. In versions 2.1.10 and later, this check can be done more generally by checking the value of the TLS-Client-Cert-Issuer attribute. This check can be done via any mechanism you choose.

check_crl
Syntax

check_crl = boolean

Default

yes

Description

Checks the Certificate Revocation List

  1. Copy CA certificates and CRLs to same directory.

  2. Execute 'c_rehash <CA certs&CRLs Directory>'. 'c_rehash' is OpenSSL’s command.

  3. uncomment the line below.

  4. Restart radiusd

cipher_list
Syntax

cipher_list = string

Default

DEFAULT

Description

Set this option to specify the allowed TLS cipher suites. The format is listed in man 1 ciphers.

dh_file
Syntax

dh_file = string

Default

${certdir}/dh

Description

For DH cipher suites to work, you have to run OpenSSL to create the DH file first: openssl dhparam -out certs/dh 1024

ecdh_curve
Syntax

ecdh_curve = string

Default

prime256v1

Description

Elliptical cryptography configuration. Only for OpenSSL >= 0.9.8.f

fragment_size
Syntax

fragment_size = integer

Default

1024

Description

Fragment_size can never exceed the size of a RADIUS packet (4096 bytes), and is preferably half that, to accommodate other attributes in the RADIUS packet. On most APs the MAX packet length is configured between 1500-1600; in these cases, fragment size should be 1024 or less.

include_length
Syntax

include_length = boolean

Default

yes

Description

Include_length is a flag that is by default set to yes. If set to yes, the total length of the message is included in EVERY packet we send. If set to no, the total length of the message is included ONLY in the first packet of a fragment series.

make_cert_command
Syntax

make_cert_command = string

Default

${certdir}/bootstrap

Description

This command creates the initial snake oil certificates when the server is run as root and via radiusd-X. As of 2.1.11, this command ALSO checks the server certificate for validity, including expiration. This check means that radiusd will refuse to start when the certificate has expired. The alternative is to have the 802.1X clients refuse to connect when they discover the certificate has expired. Having the server print an error message and refuse to start is the preferred solution, as identifying and debugging client issues is too complex.

private_key_file
Syntax

private_key_file = string

Default

${certdir}/server.pem

Description

If CA_file is not used, then the certificate_file MUST include not only the server certificate, but ALSO all of the CA certificates used to sign the server certificate.

private_key_password
Syntax

private_key_password = string

Default

whatever

Description

If Private key & Certificate are located in the same file, then private_key_file & certificate_file must contain the same file name.

psk_hexphrase
Syntax

psk_hexphrase = integer

Default

036363823

Description

If OpenSSL supports TLS-PSK, then we can use a PSK identity and (hex) password. When the psk_identity and psk_hexphrase are specified, then the following certificate-based configuration directives are not allowed: private_key_password private_key_file certificate_file CA_file CA_path

Future versions of the server may be able to look up the shared key (hexphrase) based on the identity, but for now, the identity is fixed and must be the same as the client. The passphrase must be a hex value and can be up to 256 hex digits.

psk_identity
Syntax

psk_identity = string

Default

test

Description

If OpenSSL supports TLS-PSK, then we can use a PSK identity and (hex) password. When the psk_identity and psk_hexphrase are specified, then the following certificate-based configuration directives are not allowed: private_key_password private_key_file certificate_file CA_file CA_path

Future versions of the server may be able to look up the shared key (hexphrase) based on the identity, but for now, the identity is fixed and must be the same as the client. The passphrase must be a hex value and can be up to 256 hex digits.

random_file
Syntax

random_file = string

Default

${certdir}/random

Description

If your system doesn’t have /dev/urandom, you will need to create this file and periodically change its contents. For security reasons, FreeRADIUS doesn’t write to files in its configuration directory.