eap.conf
The eap.conf configuration file holds the settings your RADIUS server needs to perform its cryptographic operations. The default eap.conf that comes with your installation is well commented and usually provides enough information to configure your system properly; here we present some common options, what they mean, and how to configure them.
The tls section
This section holds configuration settings that affect your RADIUS server, so be careful when editing these settings.
private_key_password
The passphrase you used to encrypt your private key when generating your certificate request. Comment it out if no password was set.
private_key_file
Path to your private key file. It has to be in PEM format.
certificate_file
Path to your actual server certificate, also in PEM format.
If the private key and the certificate are located in the same file, then private_key_file and certificate_file must both contain that same file name.
CA_file
Trusted root CA list. To use a certificate chain, append to this file all the certificates of the CAs that take part in your certificate chain, starting with the one at the top of the chain and finishing with the one that signed your certificate. This file has to be in PEM format.
check_crl
Set it to yes if you are going to use certificate revocation lists (CRLs), or comment it out if you won't.
CA_path
Path to the directory holding the revocation list. If you are not using CRLs, comment this out.
Copy the CRL and your trusted root CA list into this directory. Once you've done that, run c_rehash on the directory (c_rehash is an OpenSSL command). Remember that CRLs have an expiry date, so make sure you always refresh your CRLs; otherwise your server will deny all requests.
check_cert_issuer
If check_cert_issuer is set, its value is checked against the DN of the issuer in the client certificate. If the values do not match, the certificate verification will fail, rejecting the user.
check_cert_cn
If check_cert_cn is set, its value is xlat'ed and checked against the CN in the client certificate. If the values do not match, the certificate verification will fail, rejecting the user.
This check is done only if the previous "check_cert_issuer" is not set, or if that check succeeds.
If you are using computer certificates, the username is sent as 'host//pc001' and the verification might fail because of the 'host//' part. In such a case, you might want to strip that part by setting:
check_cert_cn = %{Stripped-User-Name:-%{User-Name}}
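As an added illustration (not FreeRADIUS code), the following Python model follows the check order described above: a minimal expander for the %{Attr:-fallback} xlat form used in check_cert_cn, the issuer DN check, and the CN check that only runs when the issuer check is unset or succeeds. The certificate fields and attribute values are constructed samples, and strip_host_prefix is an assumed stand-in for whatever policy populates Stripped-User-Name.

```python
import re

def xlat(template, attrs):
    """Expand the xlat subset used above: %{Attr} and %{Attr:-fallback}, with
    nesting allowed inside the fallback. Unset attributes expand to "".
    Constructed for illustration; this is not the real xlat engine."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i]); i += 1; continue
        depth, j = 1, i + 2
        while j < len(template) and depth:          # find the matching '}'
            if template.startswith("%{", j):
                depth, j = depth + 1, j + 2
            elif template[j] == "}":
                depth, j = depth - 1, j + 1
            else:
                j += 1
        if depth:                                    # unterminated: keep literally
            out.append(template[i:]); break
        name, sep, fallback = template[i + 2:j - 1].partition(":-")
        value = attrs.get(name, "")
        out.append(value if value else (xlat(fallback, attrs) if sep else ""))
        i = j
    return "".join(out)

def strip_host_prefix(user_name):
    """Assumed policy step: derive Stripped-User-Name from a machine account
    name such as 'host//pc001' (the form quoted above) by removing 'host/'."""
    return re.sub(r"^host/+", "", user_name)

def verify_client_cert(cert, attrs, check_cert_issuer=None, check_cert_cn=None):
    """Return (accepted, reason) following the documented order: the issuer DN
    check first (if configured), then the xlat-expanded CN check, which is
    evaluated only when the issuer check is unset or succeeded."""
    if check_cert_issuer is not None and check_cert_issuer != cert["issuer"]:
        return False, "issuer DN mismatch"
    if check_cert_cn is not None:
        expected = xlat(check_cert_cn, attrs)
        if expected != cert["cn"]:
            return False, f"CN mismatch: expected {expected!r}, got {cert['cn']!r}"
    return True, "accepted"

if __name__ == "__main__":
    cert = {"issuer": "/C=ES/O=Example CA/CN=Example Issuing CA", "cn": "pc001"}  # constructed
    attrs = {"User-Name": "host//pc001"}
    attrs["Stripped-User-Name"] = strip_host_prefix(attrs["User-Name"])
    print(verify_client_cert(cert, attrs, check_cert_issuer=cert["issuer"],
                             check_cert_cn="%{Stripped-User-Name:-%{User-Name}}"))
```

Without the Stripped-User-Name attribute the fallback yields 'host//pc001' and the CN check fails, which is exactly the failure the setting above is meant to avoid.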