TLS - Config - common

ca_file = string

${cadir}/ca.pem

Trusted Root CA list: ALL of the CA’s in this list will be trusted to issue client certificates for authentication. In general, self-signed certificates should be used for 802.1x (EAP) authentication, and this CA file should contain ONLY one CA certificate. This parameter is used only for EAP-TLS, when you issue client certificates. If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration directive.

ca_path = string

${cadir}

Checks the Certificate Revocation List

certificate_file = string

${certdir}/server.pem

If ca_file is not used, then the certificate_file MUST include not only the server certificate, but ALSO all of the CA certificates used to sign the server certificate.

check_cert_cn = string

%{User-Name}

If check_cert_cn is set, the value will be xlat’ed and checked against the CN in the client certificate. If the values do not match, the certificate verification will fail, rejecting the user. This check is done only if the previous check_cert_issuer is not set or if the check succeeds. In versions 2.1.10 and later, this check can be done more generally by checking the value of the TLS-Client-Cert-CN attribute. This check can be done via any mechanism you choose.

check_cert_issuer = string

/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd

If check_cert_issuer is set, the value will be checked against the DN of the issuer in the client certificate. If the values do not match, the cerficate verification will fail, rejecting the user. In versions 2.1.10 and later, this check can be done more generally by checking the value of the TLS-Client-Cert-Issuer attribute. This check can be done via any mechanism you choose.

check_crl = boolean

yes

Checks the Certificate Revocation List

cipher_list = string

DEFAULT

Set this option to specify the allowed TLS cipher suites. The format is listed in man 1 ciphers.

dh_file = string

${certdir}/dh

For DH cipher suites to work, you have to run OpenSSL to create the DH file first: openssl dhparam -out certs/dh 1024

ecdh_curve = string

prime256v1

Elliptical cryptography configuration. Only for OpenSSL >= 0.9.8.f

fragment_size = integer

1024

Fragment_size can never exceed the size of a RADIUS packet (4096 bytes), and is preferably half that, to accommodate other attributes in the RADIUS packet. On most APs the MAX packet length is configured between 1500-1600; in these cases, fragment size should be 1024 or less.

include_length = boolean

yes

Include_length is a flag that is by default set to yes. If set to yes, the total length of the message is included in EVERY packet we send. If set to no, the total length of the message is included ONLY in the first packet of a fragment series.

make_cert_command = string

${certdir}/bootstrap

This command creates the initial snake oil certificates when the server is run as root and via radiusd-X. As of 2.1.11, this command ALSO checks the server certificate for validity, including expiration. This check means that radiusd will refuse to start when the certificate has expired. The alternative is to have the 802.1X clients refuse to connect when they discover the certificate has expired. Having the server print an error message and refuse to start is the preferred solution, as identifying and debugging client issues is too complex.

private_key_file = string

${certdir}/server.pem

If ca_file is not used, then the certificate_file MUST include not only the server certificate, but ALSO all of the CA certificates used to sign the server certificate.

If Private key & Certificate are located in the same file, then private_key_file & certificate_file must contain the same file name.

private_key_password = string

whatever

The password for the private key.

psk_hexphrase = integer

036363823

If OpenSSL supports TLS-PSK, then we can use a PSK identity and (hex) password. When the psk_identity and psk_hexphrase are specified, then the following certificate-based configuration directives are not allowed: private_key_password private_key_file certificate_file ca_file ca_path

psk_identity = string

test

If OpenSSL supports TLS-PSK, then we can use a PSK identity and (hex) password. When the psk_identity and psk_hexphrase are specified, then the following certificate-based configuration directives are not allowed: private_key_password private_key_file certificate_file ca_file ca_path

random_file = string

${certdir}/random

If your system doesn’t have /dev/urandom, you will need to create this file and periodically change its contents. For security reasons, FreeRADIUS doesn’t write to files in its configuration directory.