######################################################################
#
#  RADIUS over TLS
#
######################################################################

server radsec {
	listen {
		transport = tls

		type = Access-Request
		type = Accounting-Request

		tls {

			ipaddr = *
			port = 2083

			#
			#  Connection limiting for sockets with "proto = tcp".
			#
			limit {
			      #
			      #  Limit the number of simultaneous TCP connections to the socket
			      #
			      #  The default is 16.
			      #  Setting this to 0 means "no limit"
			      max_connections = 16

			      #  The per-socket "max_requests" option does not exist.

			      #
			      #  The lifetime, in seconds, of a TCP connection.  After
			      #  this lifetime, the connection will be closed.
			      #
			      #  Setting this to 0 means "forever".
			      lifetime = 0

			      #
			      #  The idle timeout, in seconds, of a TCP connection.
			      #  If no packets have been received over the connection for
			      #  this time, the connection will be closed.
			      #
			      #  Setting this to 0 means "no timeout".
			      #
			      #  We STRONGLY RECOMMEND that you set an idle timeout.
			      #
			      idle_timeout = 30
			}

			private_key_password = whatever
			private_key_file = ${certdir}/server.pem

			#  If Private key & Certificate are located in
			#  the same file, then private_key_file &
			#  certificate_file must contain the same file
			#  name.
			#
			#  If ca_file (below) is not used, then the
			#  certificate_file below MUST include not
			#  only the server certificate, but ALSO all
			#  of the CA certificates used to sign the
			#  server certificate.
			certificate_file = ${certdir}/server.pem

			#  Trusted Root CA list
			#
			#  ALL of the CA's in this list will be trusted
			#  to issue client certificates for authentication.
			#
			#  In general, you should use self-signed
			#  certificates for 802.1x (EAP) authentication.
			#  In that case, this CA file should contain
			#  *one* CA certificate.
			#
			#  This parameter is used only for EAP-TLS,
			#  when you issue client certificates.  If you do
			#  not use client certificates, and you do not want
			#  to permit EAP-TLS authentication, then delete
			#  this configuration item.
			ca_file = ${cadir}/ca.pem

			#
			#  For DH cipher suites to work, you have to
			#  run OpenSSL to create the DH file first:
			#
			#  	openssl dhparam -out certs/dh 1024
			#
			dh_file = ${certdir}/dh

			#
			#  If your system doesn't have /dev/urandom,
			#  you will need to create this file, and
			#  periodically change its contents.
			#
			#  For security reasons, FreeRADIUS doesn't
			#  write to files in its configuration
			#  directory.
			#
	#		random_file = /dev/urandom

			#
			#  The default fragment size is 1K.
			#  However, it's possible to send much more data than
			#  that over a TCP connection.  The upper limit is 64K.
			#  Setting the fragment size to more than 1K means that
			#  there are fewer round trips when setting up a TLS
			#  connection.  But only if the certificates are large.
			#
			fragment_size = 8192

			#  include_length is a flag which is
			#  by default set to yes If set to
			#  yes, Total Length of the message is
			#  included in EVERY packet we send.
			#  If set to no, Total Length of the
			#  message is included ONLY in the
			#  First packet of a fragment series.
			#
		#	include_length = yes

			#  Check the Certificate Revocation List
			#
			#  1) Copy CA certificates and CRLs to same directory.
			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
			#    'c_rehash' is OpenSSL's command.
			#  3) uncomment the line below.
			#  5) Restart radiusd
		#	check_crl = yes
			ca_path = ${cadir}

			#  Accept an expired Certificate Revocation List
			#
		#	allow_expired_crl = no

			#  Accept a not-yet-valid Certificate Revocation List
			#
		#	allow_not_yet_valid_crl = no

			#
			#  If check_cert_issuer is set, the value will
			#  be checked against the DN of the issuer in
			#  the client certificate.  If the values do not
			#  match, the certificate verification will fail,
			#  rejecting the user.
			#
			#  This check can be done more generally by checking
			#  the value of the TLS-Client-Cert-Issuer attribute.
			#  This check can be done via any mechanism you choose.
			#
		#	check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

			#
			#  If check_cert_cn is set, the value will
			#  be xlat'ed and checked against the CN
			#  in the client certificate.  If the values
			#  do not match, the certificate verification
			#  will fail rejecting the user.
			#
			#  This check is done only if the previous
			#  "check_cert_issuer" is not set, or if
			#  the check succeeds.
			#
			#  This check can be done more generally by checking
			#  the value of the TLS-Client-Cert-Common-Name attribute.
			#  This check can be done via any mechanism you choose.
			#
		#	check_cert_cn = %{User-Name}
		#
			#  Set this option to specify the allowed
			#  TLS cipher suites.  The format is listed
			#  in "man 1 ciphers".
			cipher_list = "DEFAULT"

			#  If enabled, OpenSSL will use server cipher list
			#  (possibly defined by cipher_list option above)
			#  for choosing right cipher suite rather than
			#  using client-specified list which is OpenSSl default
			#  behavior. Having it set to 'yes' is best practice
			#  for TLS.
			cipher_server_preference = yes

			#
			#  Session resumption / fast reauthentication
			#  cache.
			#
			#  The cache contains the following information:
			#
			#  session Id - unique identifier, managed by SSL
			#  User-Name  - from the Access-Accept
			#  Stripped-User-Name - from the Access-Request
			#  Cached-Session-Policy - from the Access-Accept
			#
			#  The "Cached-Session-Policy" is the name of a
			#  policy which should be applied to the cached
			#  session.  This policy can be used to assign
			#  VLANs, IP addresses, etc.  It serves as a useful
			#  way to re-apply the policy from the original
			#  Access-Accept to the subsequent Access-Accept
			#  for the cached session.
			#
			#  On session resumption, these attributes are
			#  copied from the cache, and placed into the
			#  reply list.
			#
			#  You probably also want "use_tunneled_reply = yes"
			#  when using fast session resumption.
			#
			cache {
			      #
			      #  Lifetime of the cached entries, in hours.
			      #  The sessions will be deleted after this
			      #  time.
			      #
			      lifetime = 24 # hours

			      #
			      #  Internal "name" of the session cache.
			      #  Used to distinguish which TLS context
			      #  sessions belong to.
			      #
			      #  The server will generate a random value
			      #  if unset. This will change across server
			      #  restart so you MUST set the "name" if you
			      #  want to persist sessions (see below).
			      #
			      #  If you use IPv6, change the "ipaddr" below
			      #  to "ipv6addr"
			      #
			      #name = "TLS ${..ipaddr} ${..port} ${..proto}"

			      #
			      #  Simple directory-based storage of sessions.
			      #  Two files per session will be written, the SSL
			      #  state and the cached VPs. This will persist session
			      #  across server restarts.
			      #
			      #  The server will need write perms, and the directory
			      #  should be secured from anyone else. You might want
			      #  a script to remove old files from here periodically:
			      #
			      #    find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
			      #
			      #  This feature REQUIRES "name" option be set above.
			      #
			      #persist_dir = "${logdir}/tlscache"
			}

			#
			#  Require a client certificate.
			#
			require_client_cert = yes

			#
			#  As of version 2.1.10, client certificates can be
			#  validated via an external command.  This allows
			#  dynamic CRLs or OCSP to be used.
			#
			#  This configuration is commented out in the
			#  default configuration.  Uncomment it, and configure
			#  the correct paths below to enable it.
			#
			verify {
				#  The command used to verify the client cert.
				#  We recommend using the OpenSSL command-line
				#  tool.
				#
				#  The ${..ca_path} text is a reference to
				#  the ca_path variable defined above.
				#
				#  The %{TLS-Client-Cert-Filename} is the name
				#  of the temporary file containing the cert
				#  in PEM format.  This file is automatically
				#  deleted by the server when the command
				#  returns.
		#    		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
			}
		}
	}

	recv Access-Request {
		ok
	}

	recv Accounting-Request {
		ok
	}
}
