|
|
@@ -690,6 +690,25 @@ fast_reauth=1
|
|
|
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
|
|
|
# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
|
|
|
# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
|
|
|
+#
|
|
|
+# TLS-based methods can use the following parameters to control TLS behavior
|
|
|
+# (these are normally in the phase1 parameter, but can be used also in the
|
|
|
+# phase2 parameter when EAP-TLS is used within the inner tunnel):
|
|
|
+# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
|
|
|
+# TLS library, these may be disabled by default to enforce stronger
|
|
|
+# security)
|
|
|
+# tls_disable_time_checks=1 - ignore certificate validity time (this requests
|
|
|
+# the TLS library to accept certificates even if they are not currently
|
|
|
+# valid, i.e., have expired or have not yet become valid; this should be
|
|
|
+# used only for testing purposes)
|
|
|
+# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
|
|
|
+# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
|
|
|
+# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
|
|
|
+# as a workaround for broken authentication server implementations unless
|
|
|
+# EAP workarounds are disabled with eap_workarounds=0.
|
|
|
+# For EAP-FAST, this must be set to 0 (or left unconfigured for the
|
|
|
+# default value to be used automatically).
|
|
|
+#
|
|
|
# Following certificate/private key fields are used in inner Phase2
|
|
|
# authentication when using EAP-TTLS or EAP-PEAP.
|
|
|
# ca_cert2: File path to CA certificate file. This file can have one or more
|
Jouni Malinen