{% if helpers.exists('OPNsense.freeradius.general.enabled') and OPNsense.freeradius.general.enabled == '1' %}

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##        $Id: 239ac4c00c1240f38d21881eec5588a84d1ba0fe $

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
eap {
        #  Invoke the default supported EAP type when
        #  EAP-Identity response is received.
        #
        #  The incoming EAP messages DO NOT specify which EAP
        #  type they will be using, so it MUST be set here.
        #
        #  For now, only one default EAP type may be used at a time.
        #
        #  If the EAP-Type attribute is set by another module,
        #  then that EAP type takes precedence over the
        #  default type configured here.
        #
{% if helpers.exists('OPNsense.freeradius.eap.default_eap_type') and OPNsense.freeradius.eap.default_eap_type != '' %}
        default_eap_type = {{ OPNsense.freeradius.eap.default_eap_type }}
{% else %}
        default_eap_type = md5
{% endif %}

        #  A list is maintained to correlate EAP-Response
        #  packets with EAP-Request packets.  After a
        #  configurable length of time, entries in the list
        #  expire, and are deleted.
        #
        timer_expire = 60

        #  There are many EAP types, but the server has support
        #  for only a limited subset.  If the server receives
        #  a request for an EAP type it does not support, then
        #  it normally rejects the request.  By setting this
        #  configuration to "yes", you can tell the server to
        #  instead keep processing the request.  Another module
        #  MUST then be configured to proxy the request to
        #  another RADIUS server which supports that EAP type.
        #
        #  If another module is NOT configured to handle the
        #  request, then the request will still end up being
        #  rejected.
        #
        ignore_unknown_eap_types = no

        # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
        # a User-Name attribute in an Access-Accept, it copies one
        # more byte than it should.
        #
        # We can work around it by configurably adding an extra
        # zero byte.
        #
        cisco_accounting_username_bug = no

        #  Help prevent DoS attacks by limiting the number of
        #  sessions that the server is tracking.  For simplicity,
        #  this is taken from the "max_requests" directive in
        #  radiusd.conf.
        #
        max_sessions = ${max_requests}


        ############################################################
        #
        #  Supported EAP-types
        #


        #  EAP-MD5
        #
        #  We do NOT recommend using EAP-MD5 authentication
        #  for wireless connections.  It is insecure, and does
        #  not provide for dynamic WEP keys.
        #
        md5 {
        }


        #  EAP-pwd -- secure password-based authentication
        #
        #pwd {
        #        group = 19

        #        server_id = theserver@example.com

                #  This has the same meaning as for TLS.
                #
        #        fragment_size = 1020

                # The virtual server which determines the
                # "known good" password for the user.
                # Note that unlike TLS, only the "authorize"
                # section is processed.  EAP-PWD requests can be
                # distinguished by having a User-Name, but
                # no User-Password, CHAP-Password, EAP-Message, etc.
                #
        #        virtual_server = "inner-tunnel"
        #}


        #  Cisco LEAP
        #
        #  We do not recommend using LEAP in new deployments.  See:
        #  http://www.securiteam.com/tools/5TP012ACKE.html
        #
        #  As of 3.0.22, LEAP has been removed from the server.
        #  It is insecure, and no one should be using it.
        #


        #  EAP-GTC -- Generic Token Card
        #
        #  Currently, this is only permitted inside of EAP-TTLS,
        #  or EAP-PEAP.  The module "challenges" the user with
        #  text, and the response from the user is taken to be
        #  the User-Password.
        #
        #  Proxying the tunneled EAP-GTC session is a bad idea,
        #  the users password will go over the wire in plain-text,
        #  for anyone to see.
        #
        gtc {
                #  The default challenge, which many clients
                #  ignore..
                #
        #        challenge = "Password: "

                #  The plain-text response which comes back
                #  is put into a User-Password attribute,
                #  and passed to another module for
                #  authentication.  This allows the EAP-GTC
                #  response to be checked against plain-text,
                #  or crypt'd passwords.
                #
                #  If you say "Local" instead of "PAP", then
                #  the module will look for a User-Password
                #  configured for the request, and do the
                #  authentication itself.
                #
                auth_type = PAP
        }


        #  Common TLS configuration for TLS-based EAP types
        #  ------------------------------------------------
        #
        #  See raddb/certs/README.md for additional comments
        #  on certificates.
        #
        #  If OpenSSL was not found at the time the server was
        #  built, the "tls", "ttls", and "peap" sections will
        #  be ignored.
        #
        #  If you do not currently have certificates signed by
        #  a trusted CA you may use the 'snakeoil' certificates.
        #  Included with the server in raddb/certs.
        #
        #  If these certificates have not been auto-generated:
        #    cd raddb/certs
        #    make
        #
        #  These test certificates SHOULD NOT be used in a normal
        #  deployment.  They are created only to make it easier
        #  to install the server, and to perform some simple
        #  tests with EAP-TLS, TTLS, or PEAP.
        #
        #  Note that you should NOT use a globally known CA here!
        #  e.g. using a Verisign cert as a "known CA" means that
        #  ANYONE who has a certificate signed by them can
        #  authenticate via EAP-TLS!  This is likely not what you want.
        #
        tls-config tls-common {
{% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
{%   if helpers.exists('OPNsense.freeradius.eap.certificate') and OPNsense.freeradius.eap.certificate != '' %}
                private_key_password =
                private_key_file = ${certdir}/cert_opn.pem
                certificate_file = ${certdir}/cert_opn.pem
{%   endif %}
{% else %}
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem

                #  If Private key & Certificate are located in
                #  the same file, then private_key_file &
                #  certificate_file must contain the same file
                #  name.
                #
                #  If ca_file (below) is not used, then the
                #  certificate_file below SHOULD also include all of
                #  the intermediate CA certificates used to sign the
                #  server certificate, but NOT the root CA.
                #
                #  Including the ROOT CA certificate is not useful and
                #  merely inflates the exchanged data volume during
                #  the TLS negotiation.
                #
                #  This file should contain the server certificate,
                #  followed by intermediate certificates, in order.
                #  i.e. If we have a server certificate signed by CA1,
                #  which is signed by CA2, which is signed by a root
                #  CA, then the "certificate_file" should contain
                #  server.pem, followed by CA1.pem, followed by
                #  CA2.pem.
                #
                #  When using "ca_file" or "ca_dir", the
                #  "certificate_file" should contain only
                #  "server.pem".  And then you may (or may not) need
                #  to set "auto_chain", depending on your version of
                #  OpenSSL.
                #
                #  In short, SSL / TLS certificates are complex.
                #  There are many versions of software, each of which
                #  behave slightly differently.  It is impossible to
                #  give advice which will work everywhere.  Instead,
                #  we give general guidelines.
                #
                certificate_file = ${certdir}/server.pem
{% endif %}
                #  Trusted Root CA list
                #
                #  This file can contain multiple CA certificates.
                #  ALL of the CA's in this list will be trusted to
                #  issue client certificates for authentication.
                #
                #  In general, you should use self-signed
                #  certificates for 802.1x (EAP) authentication.
                #  In that case, this CA file should contain
                #  *one* CA certificate.
                #
{% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
{%   if helpers.exists('OPNsense.freeradius.eap.ca') and OPNsense.freeradius.eap.ca != '' %}
                ca_file = ${certdir}/ca_opn.pem
{%   endif %}
{% else %}
                ca_file = ${cadir}/ca.pem
{% endif %}
                #  OpenSSL will automatically create certificate chains,
                #  unless we tell it to not do that.  The problem is that
                #  it sometimes gets the chains right from a certificate
                #  signature view, but wrong from the clients view.
                #
                #  When setting "auto_chain = no", the server certificate
                #  file MUST include the full certificate chain.
                #
        #        auto_chain = yes

                #  If OpenSSL supports TLS-PSK, then we can use a
                #  fixed PSK identity and (hex) password.  As of
                #  3.0.18, these can be used at the same time as the
                #  certificate configuration, but only for TLS 1.0
                #  through 1.2.
                #
                #  If PSK and certificates are configured at the same
                #  time for TLS 1.3, then the server will warn you,
                #  and will disable TLS 1.3, as it will not work.
                #
                #  The work around is to have two modules (or for
                #  RadSec, two listen sections).  One will have PSK
                #  configured, and the other will have certificates
                #  configured.
                #
        #        psk_identity = "test"
        #        psk_hexphrase = "036363823"

                #  Dynamic queries for the PSK.  If TLS-PSK is used,
                #  and psk_query is set, then you MUST NOT use
                #  psk_identity or psk_hexphrase.
                #
                #  Instead, use a dynamic expansion similar to the one
                #  below.  It keys off of TLS-PSK-Identity.  It should
                #  return a of string no more than 512 hex characters.
                #  That string will be converted to binary, and will
                #  be used as the dynamic PSK hexphrase.
                #
                #  Note that this query is just an example.  You will
                #  need to customize it for your installation.
                #
        #        psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"

                #  For DH cipher suites to work, you have to
                #  run OpenSSL to create the DH file first:
                #
                #    openssl dhparam -out certs/dh 2048
                #
                dh_file = ${certdir}/dh

                #  If your system doesn't have /dev/urandom,
                #  you will need to create this file, and
                #  periodically change its contents.
                #
                #  For security reasons, FreeRADIUS doesn't
                #  write to files in its configuration
                #  directory.
                #
        #        random_file = /dev/urandom

                #  This can never exceed the size of a RADIUS
                #  packet (4096 bytes), and is preferably half
                #  that, to accommodate other attributes in
                #  RADIUS packet.  On most APs the MAX packet
                #  length is configured between 1500 - 1600
                #  In these cases, fragment size should be
                #  1024 or less.
                #
        #        fragment_size = 1024

                #  include_length is a flag which is
                #  by default set to yes If set to
                #  yes, Total Length of the message is
                #  included in EVERY packet we send.
                #  If set to no, Total Length of the
                #  message is included ONLY in the
                #  First packet of a fragment series.
                #
        #        include_length = yes


                #  Check the Certificate Revocation List
                #
                #  1) Copy CA certificates and CRLs to same directory.
                #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                #     'c_rehash' is OpenSSL's command.
                #  3) uncomment the lines below.
                #  5) Restart radiusd
{% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
{%   if helpers.exists('OPNsense.freeradius.eap.crl') and OPNsense.freeradius.eap.crl != '' %}
                check_crl = yes
{%   endif %}
{% else %}
        #       check_crl = yes
{% endif %}
                # Check if intermediate CAs have been revoked.
        #        check_all_crl = yes

                ca_path = ${cadir}

                # OpenSSL does not reload contents of ca_path dir over time.
                # That means that if check_crl is enabled and CRLs are loaded
                # from ca_path dir, at some point CRLs will expire and
                # RADIUSd will stop authenticating users.
                # If ca_path_reload_interval is non-zero, it will force OpenSSL
                # to reload all data from ca_path periodically
                #
                # Flush ca_path each hour
        #        ca_path_reload_interval = 3600


                # Accept an expired Certificate Revocation List
                #
        #        allow_expired_crl = no

                #  If check_cert_issuer is set, the value will
                #  be checked against the DN of the issuer in
                #  the client certificate.  If the values do not
                #  match, the certificate verification will fail,
                #  rejecting the user.
                #
                #  This check can be done more generally by checking
                #  the value of the TLS-Client-Cert-Issuer attribute.
                #  This check can be done via any mechanism you
                #  choose.
                #
        #        check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

                #  If check_cert_cn is set, the value will
                #  be xlat'ed and checked against the CN
                #  in the client certificate.  If the values
                #  do not match, the certificate verification
                #  will fail rejecting the user.
                #
                #  This check is done only if the previous
                #  "check_cert_issuer" is not set, or if
                #  the check succeeds.
                #
                #  This check can be done more generally by writing
                #  "unlang" statements to examine the value of the
                #  TLS-Client-Cert-Common-Name attribute.
                #
        #        check_cert_cn = %{User-Name}

                #  Set this option to specify the allowed
                #  TLS cipher suites.  The format is listed
                #  in "man 1 ciphers".
                #
                cipher_list = "DEFAULT"

                #  If enabled, OpenSSL will use server cipher list
                #  (possibly defined by cipher_list option above)
                #  for choosing right cipher suite rather than
                #  using client-specified list which is OpenSSl default
                #  behavior.  Setting this to "yes" means that OpenSSL
                #  will choose the servers ciphers, even if they do not
                #  best match what the client sends.
                #
                #  TLS negotiation is usually good, but can be imperfect.
                #  This setting allows administrators to "fine tune" it
                #  if necessary.
                #
                cipher_server_preference = no

                #  You can selectively disable TLS versions for
                #  compatability with old client devices.
                #
                #  If your system has OpenSSL 1.1.0 or greater, do NOT
                #  use these.  Instead, set tls_min_version and
                #  tls_max_version.
                #
#                disable_tlsv1_2 = yes
#                disable_tlsv1_1 = yes
#                disable_tlsv1 = yes


                #  Set min / max TLS version.
                #
                #  Generally speaking you should NOT use TLS 1.0 or
                #  TLS 1.1.  They are old, possibly insecure, and
                #  deprecated.  However, it is sometimes necessary to
                #  enable it for compatibility with legact systems.
                #  We recommend replacing those legacy systems, and
                #  using at least TLS 1.2.
                #
                #  Some Debian versions disable older versions of TLS,
                #  and requires the application to manually enable
                #  them.
                #
                #  If you are running such a distribution, you should
                #  set these options, otherwise older clients will not
                #  be able to connect.
                #
                #  Allowed values are "1.0", "1.1", "1.2", and "1.3".
                #
                #  As of 2021, it is STRONGLY RECOMMENDED to set
                #
                #        tls_min_version = "1.2"
                #
                #  Older TLS versions are insecure and deprecated.
                #
                #  In order to enable TLS 1.0 and TLS 1.1, you may
                #  also need to update cipher_list below to:
                #
                #        cipher_list = "DEFAULT@SECLEVEL=1"
                #
                #  The values must be in quotes.
                #
                tls_min_version = "1.0"
                tls_max_version = "1.2"

                #  Elliptical cryptography configuration
                #
                #  This configuration should be one of the following:
                #
                #  * a name of the curve to use, e.g. "prime256v1".
                #
                #  * a colon separated list of curve NIDs or names.
                #
                #  * an empty string, in which case OpenSSL will choose
                #    the "best" curve for the situation.
                #
                #  For supported curve names, please run
                #
                #        openssl ecparam -list_curves
                #
                ecdh_curve = "prime256v1"

                #  Session resumption / fast reauthentication
                #  cache.
                #
                #  The cache contains the following information:
                #
                #   session Id - unique identifier, managed by SSL
                #   User-Name  - from the Access-Accept
                #   Stripped-User-Name - from the Access-Request
                #   Cached-Session-Policy - from the Access-Accept
                #
                #  See also the "store" subsection below for
                #  additional attributes which can be cached.
                #
                #  The "Cached-Session-Policy" is the name of a
                #  policy which should be applied to the cached
                #  session.  This policy can be used to assign
                #  VLANs, IP addresses, etc.  It serves as a useful
                #  way to re-apply the policy from the original
                #  Access-Accept to the subsequent Access-Accept
                #  for the cached session.
                #
                #  On session resumption, these attributes are
                #  copied from the cache, and placed into the
                #  reply list.
                #
                #  You probably also want "use_tunneled_reply = yes"
                #  when using fast session resumption.
                #
                #  You can check if a session has been resumed by
                #  looking for the existence of the EAP-Session-Resumed
                #  attribute.  Note that this attribute will *only*
                #  exist in the "post-auth" section.
                #
                #  CAVEATS: The cache is stored and reloaded BEFORE
                #  the "post-auth" section is run.  This limitation
                #  makes caching more difficult than it should be.  In
                #  practice, it means that the first authentication
                #  session must set the reply attributes before the
                #  post-auth section is run.
                #
                #  When the session is resumed, the attributes are
                #  restored and placed into the session-state list.
                #
                cache {
                        #  Enable it.  The default is "no". Deleting the entire "cache"
                        #  subsection also disables caching.
                        #
                        #  The session cache requires the use of the
                        #  "name" and "persist_dir" configuration
                        #  items, below.
                        #
                        #  The internal OpenSSL session cache has been permanently
                        #  disabled.
                        #
                        #  You can disallow resumption for a particular user by adding the
                        #  following attribute to the control item list:
                        #
                        #    Allow-Session-Resumption = No
                        #
                        #  If "enable = no" below, you CANNOT enable resumption for just one
                        #  user by setting the above attribute to "yes".
                        #
                        enable = yes

                        #  Lifetime of the cached entries, in hours. The sessions will be
                        #  deleted/invalidated after this time.
                        #
                        lifetime = 24 # hours

                        #  Internal "name" of the session cache. Used to
                        #  distinguish which TLS context sessions belong to.
                        #
                        #  The server will generate a random value if unset.
                        #  This will change across server restart so you MUST
                        #  set the "name" if you want to persist sessions (see
                        #  below).
                        #
                #        name = "EAP module"

                        #  Simple directory-based storage of sessions.
                        #  Two files per session will be written, the SSL
                        #  state and the cached VPs. This will persist session
                        #  across server restarts.
                        #
                        #  The default directory is ${logdir}, for historical
                        #  reasons.  You should ${db_dir} instead.  And check
                        #  the value of db_dir in the main radiusd.conf file.
                        #  It should not point to ${raddb}
                        #
                        #  The server will need write perms, and the directory
                        #  should be secured from anyone else. You might want
                        #  a script to remove old files from here periodically:
                        #
                        #    find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
                        #
                        #  This feature REQUIRES "name" option be set above.
                        #
                #        persist_dir = "${logdir}/tlscache"

                        #
                        #  As of 3.0.20, it is possible to partially
                        #  control which attributes exist in the
                        #  session cache.  This subsection lists
                        #  attributes which are taken from the reply,
                        #  and saved to the on-disk cache.  When the
                        #  session is resumed, these attributes are
                        #  added to the "session-state" list.  The
                        #  default configuration will then take care
                        #  of copying them to the reply.
                        #
                        store {
                                Tunnel-Private-Group-Id
                        }
                }

                #  Client certificates can be validated via an
                #  external command.  This allows dynamic CRLs or OCSP
                #  to be used.
                #
                #  This configuration is commented out in the
                #  default configuration.  Uncomment it, and configure
                #  the correct paths below to enable it.
                #
                #  If OCSP checking is enabled, and the OCSP checks fail,
                #  the verify section is not run.
                #
                #  If OCSP checking is disabled, the verify section is
                #  run on successful certificate validation.
                #
                verify {
                        #  If the OCSP checks succeed, the verify section
                        #  is run to allow additional checks.
                        #
                        #  If you want to skip verify on OCSP success,
                        #  uncomment this configuration item, and set it
                        #  to "yes".
                        #
                #        skip_if_ocsp_ok = no

                        #  A temporary directory where the client
                        #  certificates are stored.  This directory
                        #  MUST be owned by the UID of the server,
                        #  and MUST not be accessible by any other
                        #  users.  When the server starts, it will do
                        #  "chmod go-rwx" on the directory, for
                        #  security reasons.  The directory MUST
                        #  exist when the server starts.
                        #
                        #  You should also delete all of the files
                        #  in the directory when the server starts.
                        #
                #        tmpdir = /tmp/radiusd

                        #  The command used to verify the client cert.
                        #  We recommend using the OpenSSL command-line
                        #  tool.
                        #
                        #  The ${..ca_path} text is a reference to
                        #  the ca_path variable defined above.
                        #
                        #  The %{TLS-Client-Cert-Filename} is the name
                        #  of the temporary file containing the cert
                        #  in PEM format.  This file is automatically
                        #  deleted by the server when the command
                        #  returns.
                        #
                #        client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
                }

                #  OCSP Configuration
                #
                #  Certificates can be verified against an OCSP
                #  Responder. This makes it possible to immediately
                #  revoke certificates without the distribution of
                #  new Certificate Revocation Lists (CRLs).
                #
                ocsp {
                        #  Enable it.  The default is "no".
                        #  Deleting the entire "ocsp" subsection
                        #  also disables ocsp checking
                        #
                        enable = no

                        #  The OCSP Responder URL can be automatically
                        #  extracted from the certificate in question.
                        #  To override the OCSP Responder URL set
                        #  "override_cert_url = yes".
                        #
                        override_cert_url = yes

                        #  If the OCSP Responder address is not extracted from
                        #  the certificate, the URL can be defined here.
                        #
                        url = "http://127.0.0.1/ocsp/"

                        # If the OCSP Responder can not cope with nonce
                        # in the request, then it can be disabled here.
                        #
                        # For security reasons, disabling this option
                        # is not recommended as nonce protects against
                        # replay attacks.
                        #
                        # Note that Microsoft AD Certificate Services OCSP
                        # Responder does not enable nonce by default. It is
                        # more secure to enable nonce on the responder than
                        # to disable it in the query here.
                        # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
                        #
                #        use_nonce = yes

                        # Number of seconds before giving up waiting
                        # for OCSP response. 0 uses system default.
                        #
                #        timeout = 0

                        # Normally an error in querying the OCSP
                        # responder (no response from server, server did
                        # not understand the request, etc) will result in
                        # a validation failure.
                        #
                        # To treat these errors as 'soft' failures and
                        # still accept the certificate, enable this
                        # option.
                        #
                        # Warning: this may enable clients with revoked
                        # certificates to connect if the OCSP responder
                        # is not available. Use with caution.
                        #
                #        softfail = no
                }
        }


        #  EAP-TLS
        #
        #  The TLS configuration for TLS-based EAP types is held in
        #  the "tls-config" section, above.
        #
        tls {
                #  Point to the common TLS configuration
                #
                tls = tls-common

                #  As part of checking a client certificate, the EAP-TLS
                #  sets some attributes such as TLS-Client-Cert-Common-Name. This
                #  virtual server has access to these attributes, and can
                #  be used to accept or reject the request.
                #
{% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
{%   if helpers.exists('OPNsense.freeradius.eap.check_tls_names') and OPNsense.freeradius.eap.check_tls_names == '1' %}
                virtual_server = check-eap-tls
{%   endif %}
{% endif %}
                #  You can control whether or not EAP-TLS requires a
                #  client certificate by setting
                #
                #        configurable_client_cert = yes
                #
                #  Once that setting has been changed, you can then set
                #
                #        EAP-TLS-Require-Client-Cert = No
                #
                #  in the control items for a request, and the EAP-TLS
                #  module will not require a client certificate from
                #  the supplicant.
                #
                #  WARNING: This configuration should only be used
                #  when the users are placed into a "captive portal"
                #  or "walled garden", where they have limited network
                #  access.  Otherwise the configuraton will allow
                #  anyone on the network, without authenticating them!
                #
#                configurable_client_cert = no
        }


        #  EAP-TTLS -- Tunneled TLS
        #
        #  The TTLS module implements the EAP-TTLS protocol,
        #  which can be described as EAP inside of Diameter,
        #  inside of TLS, inside of EAP, inside of RADIUS...
        #
        #  Surprisingly, it works quite well.
        #
        ttls {
                #  Which tls-config section the TLS negotiation parameters
                #  are in - see EAP-TLS above for an explanation.
                #
                #  In the case that an old configuration from FreeRADIUS
                #  v2.x is being used, all the options of the tls-config
                #  section may also appear instead in the 'tls' section
                #  above. If that is done, the tls= option here (and in
                #  tls above) MUST be commented out.
                #
                tls = tls-common

                #  The tunneled EAP session needs a default EAP type
                #  which is separate from the one for the non-tunneled
                #  EAP module.  Inside of the TTLS tunnel, we recommend
                #  using EAP-MD5.  If the request does not contain an
                #  EAP conversation, then this configuration entry is
                #  ignored.
                #
                {% if helpers.exists('OPNsense.freeradius.eap.default_eap_type') and OPNsense.freeradius.eap.default_eap_type == 'ttls-gtc' %}
                default_eap_type = gtc
                {% else %}
                default_eap_type = md5
                {% endif %}

                #  The tunneled authentication request does not usually
                #  contain useful attributes like 'Calling-Station-Id',
                #  etc.  These attributes are outside of the tunnel,
                #  and normally unavailable to the tunneled
                #  authentication request.
                #
                #  By setting this configuration entry to 'yes',
                #  any attribute which is NOT in the tunneled
                #  authentication request, but which IS available
                #  outside of the tunnel, is copied to the tunneled
                #  request.
                #
                #  allowed values: {no, yes}
                #
                copy_request_to_tunnel = no

                #  This configuration item is deprecated.  Instead,
                #  you should use:
                #
                #    update outer.session-state {
                #      ...
                #    }
                #
                #  This will cache attributes for the final Access-Accept.
                #
                #  See "update outer.session-state" in the "post-auth"
                #  sections of sites-available/default, and of
                #  sites-available/inner-tunnel
                #
                #  The reply attributes sent to the NAS are usually
                #  based on the name of the user 'outside' of the
                #  tunnel (usually 'anonymous').  If you want to send
                #  the reply attributes based on the user name inside
                #  of the tunnel, then set this configuration entry to
                #  'yes', and the reply to the NAS will be taken from
                #  the reply to the tunneled request.
                #
                #  allowed values: {no, yes}
                #
{%   if helpers.exists('OPNsense.freeradius.general.vlanassign') and OPNsense.freeradius.general.vlanassign == '1' %}
                use_tunneled_reply = yes
{%   else %}
                use_tunneled_reply = no
{%   endif %}
                #  The inner tunneled request can be sent
                #  through a virtual server constructed
                #  specifically for this purpose.
                #
                #  A virtual server MUST be specified.
                #
                virtual_server = "inner-tunnel"

                #  This has the same meaning, and overwrites, the
                #  same field in the "tls" configuration, above.
                #  The default value here is "yes".
                #
        #        include_length = yes

                #  Unlike EAP-TLS, EAP-TTLS does not require a client
                #  certificate. However, you can require one by setting the
                #  following option. You can also override this option by
                #  setting
                #
                #    EAP-TLS-Require-Client-Cert = Yes
                #
                #  in the control items for a request.
                #
                #  Note that the majority of supplicants do not support using a
                #  client certificate with EAP-TTLS, so this option is unlikely
                #  to be usable for most people.
                #
        #        require_client_cert = yes
        }


        #  EAP-PEAP
        #

        ##################################################
        #
        #  !!!!! WARNINGS for Windows compatibility  !!!!!
        #
        ##################################################
        #
        #  If you see the server send an Access-Challenge,
        #  and the client never sends another Access-Request,
        #  then
        #
        #                STOP!
        #
        #  The server certificate has to have special OID's
        #  in it, or else the Microsoft clients will silently
        #  fail.  See the "scripts/xpextensions" file for
        #  details, and the following page:
        #
        #        https://support.microsoft.com/en-us/help/814394/
        #
        #  If is still doesn't work, and you're using Samba,
        #  you may be encountering a Samba bug.  See:
        #
        #        https://bugzilla.samba.org/show_bug.cgi?id=6563
        #
        #  Note that we do not necessarily agree with their
        #  explanation... but the fix does appear to work.
        #
        ##################################################

        #  The tunneled EAP session needs a default EAP type
        #  which is separate from the one for the non-tunneled
        #  EAP module.  Inside of the TLS/PEAP tunnel, we
        #  recommend using EAP-MS-CHAPv2.
        #
        peap {
                #  Which tls-config section the TLS negotiation parameters
                #  are in - see EAP-TLS above for an explanation.
                #
                #  In the case that an old configuration from FreeRADIUS
                #  v2.x is being used, all the options of the tls-config
                #  section may also appear instead in the 'tls' section
                #  above. If that is done, the tls= option here (and in
                #  tls above) MUST be commented out.
                #
                tls = tls-common

                #  The tunneled EAP session needs a default
                #  EAP type which is separate from the one for
                #  the non-tunneled EAP module.  Inside of the
                #  PEAP tunnel, we recommend using MS-CHAPv2,
                #  as that is the default type supported by
                #  Windows clients.
                #
                default_eap_type = mschapv2

                #  The PEAP module also has these configuration
                #  items, which are the same as for TTLS.
                #
                copy_request_to_tunnel = no

                #  This configuration item is deprecated.  Instead,
                #  you should use:
                #
                #    update outer.session-state {
                #      ...
                #    }
                #
                #  This will cache attributes for the final Access-Accept.
                #
                #  See "update outer.session-state" in the "post-auth"
                #  sections of sites-available/default, and of
                #  sites-available/inner-tunnel
                #
{%   if helpers.exists('OPNsense.freeradius.general.vlanassign') and OPNsense.freeradius.general.vlanassign == '1' %}
                use_tunneled_reply = yes
{%   else %}
                use_tunneled_reply = no
{%   endif %}

                #  When the tunneled session is proxied, the
                #  home server may not understand EAP-MSCHAP-V2.
                #  Set this entry to "no" to proxy the tunneled
                #  EAP-MSCHAP-V2 as normal MSCHAPv2.
                #
                #  This setting can be over-ridden on a packet by
                #  packet basis by setting
                #
                #        &control:Proxy-Tunneled-Request-As-EAP = yes
                #
        #        proxy_tunneled_request_as_eap = yes

                #  The inner tunneled request can be sent
                #  through a virtual server constructed
                #  specifically for this purpose.
                #
                #  A virtual server MUST be specified.
                #
                virtual_server = "inner-tunnel"

                #  This option enables support for MS-SoH
                #  see doc/SoH.txt for more info.
                #  It is disabled by default.
                #
        #        soh = yes

                #  The SoH reply will be turned into a request which
                #  can be sent to a specific virtual server:
                #
        #        soh_virtual_server = "soh-server"

                #  Unlike EAP-TLS, PEAP does not require a client certificate.
                #  However, you can require one by setting the following
                #  option. You can also override this option by setting
                #
                #    EAP-TLS-Require-Client-Cert = Yes
                #
                #  in the control items for a request.
                #
                #  Note that the majority of supplicants do not support using a
                #  client certificate with PEAP, so this option is unlikely to
                #  be usable for most people.
                #
        #        require_client_cert = yes
        }


        #  EAP-MSCHAPv2
        #
        #  Note that it is the EAP MS-CHAPv2 sub-module, not
        #  the main 'mschap' module.
        #
        #  Note also that in order for this sub-module to work,
        #  the main 'mschap' module MUST ALSO be configured.
        #
        #  This module is the *Microsoft* implementation of MS-CHAPv2
        #  in EAP.  There is another (incompatible) implementation
        #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
        #  currently support.
        #
        mschapv2 {
                #  In earlier versions of the server, this module
                #  never sent the MS-CHAP-Error message to the client.
                #  This worked, but it had issues when the cached
                #  password was wrong.  The server *should* send
                #  "E=691 R=0" to the client, which tells it to prompt
                #  the user for a new password.
                #
                #  The default is to use that functionality.  which is
                #  known to work.  If you set "send_error = yes", then
                #  the error message will be sent back to the client.
                #  This *may* help some clients work better, but *may*
                #  also cause other clients to stop working.
                #
        #        send_error = no

                #  Server identifier to send back in the challenge.
                #  This should generally be the host name of the
                #  RADIUS server.  Or, some information to uniquely
                #  identify it.
                #
        #        identity = "FreeRADIUS"
        }


        #  EAP-FAST
        #
        #  The FAST module implements the EAP-FAST protocol
        #
        #fast {
                #  Point to the common TLS configuration
                #
        #        tls = tls-common

                #  If 'cipher_list' is set here, it will over-ride the
                #  'cipher_list' configuration from the 'tls-common'
                #  configuration.  The EAP-FAST module has it's own
                #  over-ride for 'cipher_list' because the
                #  specifications mandata a different set of ciphers
                #  than are used by the other EAP methods.
                #
                #  cipher_list though must include "ADH" for anonymous provisioning.
                #  This is not as straight forward as appending "ADH" alongside
                #  "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
                #  recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
                #
        #        cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"

                #  PAC lifetime in seconds (default: seven days)
                #
        #        pac_lifetime = 604800

                #  Authority ID of the server
                #
                #  If you are running a cluster of RADIUS servers, you should make
                #  the value chosen here (and for "pac_opaque_key") the same on all
                #  your RADIUS servers.  This value should be unique to your
                #  installation.  We suggest using a domain name.
                #
        #        authority_identity = "1234"

                #  PAC Opaque encryption key (must be exactly 32 bytes in size)
                #
                #  This value MUST be secret, and MUST be generated using
                #  a secure method, such as via 'openssl rand -hex 32'
                #
        #        pac_opaque_key = "0123456789abcdef0123456789ABCDEF"

                #  Same as for TTLS, PEAP, etc.
                #
        #        virtual_server = inner-tunnel
        #}
}
{% endif %}
