# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##  Per https://wiki.geant.org/display/H2eduroam/freeradius-idp
##

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
eap {
	# EAP type offered to a client that does not request one itself.
	default_eap_type = peap
	# Seconds before an unfinished EAP conversation is discarded.
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	# ${max_requests} is defined elsewhere (radiusd.conf), not in this file.
	max_sessions = ${max_requests}

	#
	# See https://wiki.geant.org/display/H2eduroam/eap-types#eap-types-choices
	# for information about the various EAP options below.
	#

	## EAP-pwd -- secure password-based authentication
	#
	# This is useful for newer versions of Android
	pwd {
		# ECC group left at the module default; 19 is shown as the usual choice.
		# group = 19
		# Placeholder identity; set this to the realm this server serves.
		server_id = "radius@example.ac.za"
		fragment_size = 1020
		# Inner authentication is delegated to this virtual server.
		virtual_server = "eduroam-inner-tunnel"
	}

	## EAP-GTC -- Generic Token Card.
	#
	# Only used in an inner-tunnel. Really a User-Password for older devices that don't do PAP
	gtc {
		auth_type = PAP
	}

	## Common TLS configuration for TLS-based EAP types
	#
	#  Note that you should NOT use a globally known CA here!
	#  e.g. using a Verisign cert as a "known CA" means that
	#  ANYONE who has a certificate signed by them can
	#  authenticate via EAP-TLS!  This is likely not what you want.
	#
	#  Referenced below by "tls = tls-common" in the ttls and peap sections.
	tls-config tls-common {
		# Passphrase for private_key_file. "whatever" is the upstream
		# placeholder; whatever real value goes here is a clear-text secret,
		# so keep this file readable only by the radius user and never
		# commit a production value.
		private_key_password = whatever
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		# CA used to validate peer certificates -- see the warning above.
		ca_file = ${cadir}/ca.pem
		# auto_chain = yes
		#  For OpenSSL >= 1.1.0, just leave this commented
		#  out, and OpenSSL will do the right thing.
		# dh_file = ${certdir}/dh
		random_file = /dev/urandom
		fragment_size = 1024
		include_length = yes
		# CRL checking is on. NOTE(review): this presumably requires the
		# CRL files to be present (hashed) under ca_path, otherwise TLS
		# handshakes fail -- confirm against the deployed ${cadir}.
		check_crl = yes
		ca_path = ${cadir}
		# OpenSSL cipher string. "DEFAULT" is the library's built-in list;
		# a narrower explicit list is worth considering since only TLS 1.2
		# is offered below.
		cipher_list = "DEFAULT"
		# Server, not client, picks the cipher from the overlap.
		cipher_server_preference = yes
		# Only support newer crypto
		# Both bounds are 1.2: anything older is refused, and TLS 1.3 is not
		# offered even where OpenSSL supports it.
		tls_min_version = "1.2"
		tls_max_version = "1.2"
		ecdh_curve = "prime256v1"

		# TLS session resumption cache; disabled here, so every
		# authentication performs a full handshake.
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
			# Attributes kept with a cached session and replayed on resumption.
			store {
				Tunnel-Private-Group-Id
			}
		}
	}

	## EAP-TTLS
	ttls {
		tls = tls-common
		# Inner EAP type used inside the TTLS tunnel when the client
		# does not pick one.
		default_eap_type = md5
		copy_request_to_tunnel = yes
		# there's a newer way of doing use_tunneled_reply, see sites-available/eduroam-inner-tunnel
		use_tunneled_reply = no
		virtual_server = "eduroam-inner-tunnel"
	}

	##################################################
	#
	#  !!!!! WARNINGS for Windows compatibility  !!!!!
	#
	##################################################
	#
	#  If you see the server send an Access-Challenge,
	#  and the client never sends another Access-Request,
	#  then
	#
	#		STOP!
	#
	#  The server certificate has to have special OID's
	#  in it, or else the Microsoft clients will silently
	#  fail.  See the "scripts/xpextensions" file for
	#  details, and the following page:
	#
	#	https://support.microsoft.com/en-us/help/814394/
	#
	#  If it still doesn't work, and you're using Samba,
	#  you may be encountering a Samba bug.  See:
	#
	#	https://bugzilla.samba.org/show_bug.cgi?id=6563
	#
	#  Note that we do not necessarily agree with their
	#  explanation... but the fix does appear to work.
	#
	##################################################

	## EAP-PEAP
	peap {
		tls = tls-common
		# Inner EAP type for the PEAP tunnel; handled by the
		# mschapv2 section below via the inner-tunnel virtual server.
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = no
		virtual_server = "eduroam-inner-tunnel"
	}

	# ## EAP-TLS
	#
	# This would be used for device certificates. More configuration is needed.
	# tls {
	# 	tls = tls-common
	# }

	## EAP-MSCHAPv2
	#
	# Do not use directly; required for inner-tunnel authentication in some circumstances
	mschapv2 {
		# Keeps MS-CHAP failure detail out of the reply sent to the client
		# (presumably the MS-CHAPv2 error text) -- confirm against module docs.
		send_error = no
	}
}

