---
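# List of RADIUS clients (NAS devices, e.g. access points) known to the
# server. Empty by default: no client is declared until you add one.
rad_clients: []
# Example entry (illustrative values only):
# rad_clients:
#   - name: ap-wifi
#     ip: 192.168.7.0/24
#     secret: p@ssw0rd
#     nas_type: other
#
# NOTE(review): the secret shown above is a placeholder. Use a long, random
# shared secret, distinct for each client, and keep it in an encrypted
# variable (for example an Ansible Vault value) rather than in plain text.
# NOTE(review): when `ip` is a CIDR range, presumably every address in that
# range is accepted with the same secret; prefer the narrowest range that
# covers the real devices. Confirm against the client template of the role.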
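# Authentication port (1812 is the IANA-assigned RADIUS authentication port).
rad_auth_port: 1812
# Accounting port (1813 is the IANA-assigned RADIUS accounting port).
rad_acc_port: 1813
# Both ports as a list, rendered from the two variables above so that an
# override of either port is picked up here as well.
rad_ports:
  - "{{ rad_auth_port }}"
  - "{{ rad_acc_port }}"
# NOTE(review): presumably the source addresses allowed to reach rad_ports.
# Confirm in the role's tasks whether an empty list means "nobody" or
# "everybody", and restrict it to the networks of the declared clients.
rad_src_ip: []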
# An optional password, needed only if the private key is protected by one.
# Keep it in an encrypted variable, not in plain text.
# rad_tls_key_pass:
# The CA (full chain) used to verify clients' certificates
# rad_tls_ca: |
#   -----BEGIN CERTIFICATE-----
#   -----END CERTIFICATE-----
# The certificate of the RADIUS server
# rad_tls_cert: |
#   -----BEGIN CERTIFICATE-----
#   -----END CERTIFICATE-----
# The private key of the RADIUS server.
# Store it in an encrypted variable; do not commit it in plain text.
# rad_tls_key: |
#   -----BEGIN RSA PRIVATE KEY-----
#   -----END RSA PRIVATE KEY-----
# An optional CRL to check clients' certificates against.
# It can be either a raw CRL in PEM format, or an http or https URL
# from which to fetch it.
# If undefined, no revocation check is performed and revoked certificates
# will be accepted, so define it wherever certificates may need to be revoked.
# rad_tls_crl:
# An email address to notify in case of a CRL issue.
# If the CRL could not be fetched or is outdated, and rad_notify_crl is
# defined, the validation script will allow the authentication and notify
# this address instead of failing.
# This is a fail-open setting: revoked certificates are accepted for as long
# as the CRL stays unavailable or outdated.
# rad_notify_crl: admin@example.org
# The issuer of the clients' certificates.
# This can be useful if you have several intermediate CAs,
# all signed by the same root CA, but only want to trust clients from
# one of them.
# rad_tls_issuer: /C=FR/ST=Aquitaine/L=Bordeaux/O=Firewall Services/OU=Security/CN=wifi