listen {
ipaddr = *
port = 2083
type = auth+acct
proto = tcp
virtual_server = default
clients = radsec
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
tls
The following example is exactly the same configuration as used by the EAP-TLS module. It’s OK for testing, but for production use it’s a good idea to use different server certificates for EAP and for RADIUS transport.
If there is only one TLS configuration for multiple sockets, then putting "tls { …}" into radiusd.conf is suggested. The subsection below can then be changed into a reference:
# tls = ${tls}
The above means that "the tls sub-section is not here, but is, instead, in the top-level section called 'tls'".
For multiple tls configurations, they can be placed into sub-sections of a top-level "tls" section. There’s no need to call them all "tls". The following can then be used to refer to the "site1" sub-section of the "tls" section:
# tls = ${tls.site1}
tls {
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
# random_file = ${certdir}/random
fragment_size = 8192
# include_length = yes
# check_crl = yes
ca_path = ${cadir}
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
Session resumption / fast reauthentication cache.
The cache contains the following information:
session Id - unique identifier, managed by SSL
User-Name - from the Access-Accept
Stripped-User-Name - from the Access-Request
Cached-Session-Policy - from the Access-Accept
The "Cached-Session-Policy" is the name of a policy that is be applied to the cached session. This policy can be used to assign VLANs, IP addresses, etc. It serves as a useful way to reapply the policy from the original Access-Accept to the subsequent Access-Accept for the cached session.
On session resumption, these attributes are copied from the cache and placed into the reply list.
When using fast session resumption, set "use_tunneled_reply = yes".
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
#name = "TLS ${..ipaddr} ${..port} ${..proto}"
#persist_dir = "${logdir}/tlscache"
}
Client certificate.
require_client_cert = yes
As of version 2.1.10, client certificates can be validated via an external command. This allows dynamic CRLs or OCSP to be used.
This configuration is commented out in the default configuration. Uncomment and configure the correct paths below to enable it.
verify {
# tmpdir = /tmp/radiusd
# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
}
}
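To show how a `tls = ${tls.site1}` reference resolves to a named sub-section of a top-level "tls" section, and to review the settings discussed above (require_client_cert, check_crl or an external verify command, cipher_list), here is an added Python example; it is not FreeRADIUS code, its parser covers only the syntax subset seen in this file (sections, key = value, # comments, whole-value `${a.b}` references), and the sample configuration and its "site1" name are constructed.

```python
import re
SECTION_OPEN = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")   # "tls {" or "client 127.0.0.1 {"
REF = re.compile(r"^\$\{([\w.]+)\}$")                     # whole-value reference like ${tls.site1}

def parse_conf(text):
    """Parse FreeRADIUS-style text (sections, key = value, # comments) into nested dicts."""
    root = {}
    stack = [root]                                    # innermost open section is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif m := SECTION_OPEN.match(line):
            name = " ".join(p for p in m.groups() if p)  # keeps the "127.0.0.1" label
            stack[-1][name] = child = {}
            stack.append(child)
        elif "=" in line:
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip().strip('"')
    return root

def resolve_refs(node, root):
    """Replace `key = ${a.b}` with the section at root[a][b], as `tls = ${tls.site1}` does."""
    for key, val in list(node.items()):
        if isinstance(val, dict):
            resolve_refs(val, root)
        elif m := REF.match(val):
            target = root
            for part in m.group(1).split("."):
                target = target.get(part) if isinstance(target, dict) else None
            if isinstance(target, dict):              # only section references are expanded here
                node[key] = target

def lint_tls(tls):
    """Return the settings in a RadSec tls {} section that a reviewer would push back on."""
    findings = []
    if tls.get("require_client_cert") != "yes":
        findings.append("require_client_cert != yes: peers are not authenticated by certificate")
    if tls.get("check_crl") != "yes" and not tls.get("verify", {}).get("client"):
        findings.append("no revocation check: set check_crl = yes or a verify { client = ... } command")
    if tls.get("cipher_list", "DEFAULT") == "DEFAULT":
        findings.append("cipher_list = DEFAULT: pin an explicit cipher list instead")
    return findings

# Constructed sample: a named sub-section of a top-level tls section, referenced from a listener.
SAMPLE = ("tls {\n  site1 {\n    require_client_cert = no\n    cipher_list = \"DEFAULT\"\n  }\n}\n"
          "listen {\n  port = 2083\n  tls = ${tls.site1}\n}\n")
```

Running `lint_tls(conf["listen"]["tls"])` after `resolve_refs(conf, conf)` reports the three findings for the constructed "site1" section; a section with `require_client_cert = yes`, `check_crl = yes` and an explicit cipher_list produces none.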
clients radsec {
client 127.0.0.1 {
ipaddr = 127.0.0.1
proto = tls
secret = radsec
}
}
home_server tls {
ipaddr = 127.0.0.1
port = 2083
type = auth
secret = radsec
proto = tcp
status_check = none
tls {
private_key_password = whatever
private_key_file = ${certdir}/client.pem
certificate_file = ${certdir}/client.pem
ca_file = ${cadir}/ca.pem
# psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
dh_file = ${certdir}/dh
random_file = ${certdir}/random
fragment_size = 8192
# include_length = yes
# check_crl = yes
ca_path = ${cadir}
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
}
}
home_server_pool tls {
type = fail-over
home_server = tls
}
realm tls {
auth_pool = tls
}