#Foreground
#LogStdout
LogDir /var/log/radiator
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
AuthPort 1812
AcctPort 1813
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with, each with its own shared Secret.
# The sample Secret below is a demo value and is not suitable for production.
Secret nit44nac
DupInterval 0
# This handler intercepts the inner authentication requests and sends them to another
# server. The remote Radius server does not need to know anything about TTLS.
Filename %D/users
EAPType MD5
# TNCAllowReply Reply-Message=allow
TNCIsolateReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:13
TNCNoRecommendationReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:15
#RewriteUsername s/^(.*?)\@.*$/$1/
Filename %D/users
EAPType MSCHAP-V2
#PreAuthHook sub { print "here I am ${$_[0]} \n";\
# my $eap = ${$_[0]}->get_attr('EAP-Message');\
# my $x = unpack('H*', $eap);\
# print "eap is $x\n";\
# if ($eap eq "\02\03\00\06\03\00")\
# {\
# print "fixme\n";\
# ${$_[0]}->change_attr('EAP-Message', "\02\03\00\06\03\15");\
# }\
# }
# Users must be in this file to get anywhere
Filename %D/users
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password,
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2.
# Multiple types can be comma separated, with the default (most
# preferred) type given first.
EAPType TLS,TTLS, PEAP, MD5-Challenge
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates (and possible CRLs) in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath %D/certificates/demoCA
# EAPTLS_CertificateFile is the name of a file containing
# the server's certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1;
# defaults to ASN1.
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the server's private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile).
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it.
# The sample password below is a placeholder and must be replaced;
# since this file then holds the key password in plain text, restrict
# its permissions accordingly.
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile is an optional file containing
# randomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes.
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048. Others need even smaller sizes.
EAPTLS_MaxFragmentSize 1000
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/dh
# If EAPTLS_CRLCheck is set, Radiator will look for a
# certificate revocation list (CRL) for the certificate issuer
# when authenticating each client. If a CRL file is not found, or
# if the CRL says the certificate has been revoked, the authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with this naming convention
# will be searched for in EAPTLS_CAPath, else in the openssl
# certificates directory, typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# CRL files can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# You can rewrite the Common Name in the certificate before using it
# to find the username in the Radiator database:
#EAPTLSRewriteCertificateCommonName s/testUser/mikem/
# With EAPTLS_NoCheckId you can also prevent the comparison of the
# username with the certificate common name. The certificate will be
# accepted based only on the validity dates and the verification chain
# to the root certificate, so any certificate issued by a trusted CA is
# accepted regardless of the username presented. This allows Radiator to
# mimic the behaviour of some other Radius servers.
#EAPTLS_NoCheckId
# Some clients, depending on their configuration, may require you to specify
# MPPE send and receive keys for dynamic WEP encryption.
# This _will_ be required if you select
# 'Data encryption (WEP enabled)' and
# 'The key is provided for me automatically' in the Windows XP
# Wireless Network Properties window.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
# (Hint: to use Dynamic WEP keys with Cisco Aironet APs, you may need to
# set 'Use of Data Encryption by Stations' to 'Full Encryption' on the
# AP Radio Data Encryption page. Otherwise some clients will
# fail to associate)
AutoMPPEKeys
# This attribute enables processing of TNC messages in
# TTLS requests, which will be handled by the TTLS inner
# clause above
UseTNCIMV