	## EAP-TLS
	#
	#  To generate test certificates, run the script
	#
	#   ../scripts/certs.sh
	#
	#  The documents on http://www.freeradius.org/doc
	#  are old, but may be helpful.
	#
	#  See also:
	#
	#  http://www.dslreports.com/forum/remark,9286052~mode=flat
	#
	#  Note that you should NOT use a globally known CA here!
	#  e.g. using a Verisign cert as a "known CA" means that
	#  ANYONE who has a certificate signed by them can
	#  authenticate via EAP-TLS!  This is likely not what you want.
	tls-config tls-common {
		private_key_password = whatever
		private_key_file = ${raddbdir}/certs/radiusd.pem
		certificate_file = ${raddbdir}/certs/radiusd.pem
		ca_file = ${raddbdir}/certs/radiusd.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
		#
		#  This can never exceed the size of a RADIUS
		#  packet (4096 bytes), and is preferably half
		#  that, to accommodate other attributes in the
		#  RADIUS packet.  On most APs the MAX packet
		#  length is configured between 1500 - 1600.
		#  In these cases, fragment size should be
		#  1024 or less.
		#
		#fragment_size = 1024
		#  include_length is a flag which is
		#  by default set to yes.  If set to
		#  yes, the Total Length of the message is
		#  included in EVERY packet we send.
		#  If set to no, the Total Length of the
		#  message is included ONLY in the
		#  first packet of a fragment series.
		#
		#include_length = yes
		#  Check the Certificate Revocation List.
		#  While this option is commented out, no CRL is consulted,
		#  so a revoked client certificate is still accepted.
		#
		#  1) Copy CA certificates and CRLs to the same directory.
		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#	'c_rehash' is OpenSSL's command.
		#  3) Add 'CA_path=<CA certs&CRLs directory>'
		#	  to radiusd.conf's tls section.
		#  4) Uncomment the line below.
		#  5) Restart radiusd.
		#check_crl = yes
		#
		#  If check_cert_cn is set, the value will
		#  be xlat'ed and checked against the CN
		#  in the client certificate.  If the values
		#  do not match, the certificate verification
		#  will fail, rejecting the user.
		#
		#check_cert_cn = %{User-Name}
                #
                #  Set this option to specify the allowed
                #  TLS cipher suites.  The format is listed
                #  in "man 1 ciphers".  "DEFAULT" selects
                #  OpenSSL's built-in default cipher list.
                cipher_list = "DEFAULT"
                #
                #  Elliptic curve cryptography configuration
                #
                #  Only for OpenSSL >= 0.9.8f
                #
                ecdh_curve = "prime256v1"

                #
                #  Session resumption / fast reauthentication
                #  cache.
                #
                #  The cache contains the following information:
                #
                #  session Id - unique identifier, managed by SSL
                #  User-Name  - from the Access-Accept
                #  Stripped-User-Name - from the Access-Request
                #  Cached-Session-Policy - from the Access-Accept
                #
                #  The "Cached-Session-Policy" is the name of a
                #  policy which should be applied to the cached
                #  session.  This policy can be used to assign
                #  VLANs, IP addresses, etc.  It serves as a useful
                #  way to re-apply the policy from the original
                #  Access-Accept to the subsequent Access-Accept
                #  for the cached session.
                #
                #  On session resumption, these attributes are
                #  copied from the cache and placed into the
                #  reply list.
                #
                #  You probably also want "use_tunneled_reply = yes"
                #  when using fast session resumption.
                #
                cache {
                        enable = yes
                        lifetime = 24 # hours
                        max_entries = 255
                }
                #
                #  As of version 2.1.10, client certificates can be
                #  validated via an external command.  This allows
                #  dynamic CRLs or OCSP to be used.
                #
                #  This configuration is commented out in the
                #  default configuration.  Uncomment it, and configure
                #  the correct paths below to enable it.
                #



	}
