rlm_eap - inner_eap

Synopsis

Sample configuration for an EAP module that occurs inside of a tunnelled method. It is used to limit the EAP types that can occur inside of the inner tunnel. See also raddb/sites-available/inner-tunnel. See raddb/mods-available/eap for full documentation on the meaning of these configuration entries.

Default configuration

Processing Sections

Any.

Expansions

None.

Directives

default_eap_type

Syntax: default_eap_type = string
Default: mschapy2
Description: This is the best choice for PEAP.

max_sessions

Syntax: max_sessions = integer
Default: 2048
Description: This should be the same as the outer eap max sessions.

timer_expire

Syntax: timer_expire = integer
Default: 60
Description: FIXME

Supported EAP-types

Synopsis

FIXME

Directives

FIXME

md5

Synopsis

FIXME

Directives

FIXME

gtc

Synopsis

FIXME

Directives

auth_type

Syntax: auth_type = string
Default: PAP
Description: FIXME

challenge

Syntax: challenge = string
Default: Password:
Description: The default challenge, which many clients ignore.

mschapv2

Synopsis

No TTLS or PEAP configuration should be listed here.

Directives

send_error

Syntax: send_error = boolean
Default: no
Description: See eap for documentation.

EAP-TLS

Synopsis

You SHOULD use different certificates than are used for the outer EAP configuration! Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. It might work, or it might not. ( FIXME ) The session resumption / fast reauthentication cache CANNOT be used for inner sessions.

Directives

ca_file

Syntax: ca_file = string
Default: ${cadir}/ca.pem
Description: If different CAs for inner and outer certificates are required, then this file should be edited.

ca_path

Syntax: ca_path = string
Default: /path/to/directory/with/ca_certs/and/crls/
Description: CRL and OCSP things go here. See the main eap file for details.

certificate_file

Syntax: certificate_file = string
Default: ${certdir}/inner-server.pem
Description: If the Private key & Certificate are located in the same file, then private_key_file & certificate_file must contain the same file name. If ca_file is not used, then the certificate_file MUST include not only the server certificate, but ALSO all of the CA certificates used to sign the server certificate.

check_crl

Syntax: check_crl = boolean
Default: yes
Description: CRL and OCSP things go here. See the main eap file for details.

cipher_list

Syntax: cipher_list = string
Default: DEFAULT
Description: FIXME

dh_file

Syntax: dh_file = string
Default: ${certdir}/dh
Description: Other needful things.

fragment_size

Syntax: fragment_size = integer
Default: 1024
Description: You may want to set a very small fragment size. The TLS data here needs to go inside of the outer EAP-TLS protocol. Try values and see if they work…

private_key_file

Syntax: private_key_file = string
Default: ${certdir}/inner-server.pem
Description: FIXME

private_key_password

Syntax: private_key_password = string
Default: whatever
Description: FIXME

random_file

Syntax: random_file = string
Default: ${certdir}/random
Description: Other needful things.