Frage ist gelöst

RadiusServer mit PEAP und OpenLDAP Problem

FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Oct  9 2008 at 13:24:33 

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.  

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A  

PARTICULAR PURPOSE.  

You may redistribute copies of FreeRADIUS under the terms of the  

GNU General Public License v2.  

Starting - reading configuration files ... 

including configuration file /etc/freeradius//radiusd.conf 

including configuration file /etc/freeradius//proxy.conf 

including configuration file /etc/freeradius//clients.conf 

including files in directory /etc/freeradius//modules/ 

including configuration file /etc/freeradius//modules/etc_group 

including configuration file /etc/freeradius//modules/wimax 

including configuration file /etc/freeradius//modules/policy 

including configuration file /etc/freeradius//modules/unix 

including configuration file /etc/freeradius//modules/linelog 

including configuration file /etc/freeradius//modules/exec 

including configuration file /etc/freeradius//modules/sradutmp 

including configuration file /etc/freeradius//modules/mac2vlan 

including configuration file /etc/freeradius//modules/counter 

including configuration file /etc/freeradius//modules/mschap 

including configuration file /etc/freeradius//modules/digest 

including configuration file /etc/freeradius//modules/ippool 

including configuration file /etc/freeradius//modules/files 

including configuration file /etc/freeradius//modules/attr_rewrite 

including configuration file /etc/freeradius//modules/detail.example.com 

including configuration file /etc/freeradius//modules/mac2ip 

including configuration file /etc/freeradius//modules/pam 

including configuration file /etc/freeradius//modules/realm 

including configuration file /etc/freeradius//modules/inner-eap 

including configuration file /etc/freeradius//modules/preprocess 

including configuration file /etc/freeradius//modules/attr_filter 

including configuration file /etc/freeradius//modules/radutmp 

including configuration file /etc/freeradius//modules/passwd 

including configuration file /etc/freeradius//modules/acct_unique 

including configuration file /etc/freeradius//modules/chap 

including configuration file /etc/freeradius//modules/ldap 

including configuration file /etc/freeradius//modules/expr 

including configuration file /etc/freeradius//modules/echo 

including configuration file /etc/freeradius//modules/krb5 

including configuration file /etc/freeradius//modules/detail.log 

including configuration file /etc/freeradius//modules/pap 

including configuration file /etc/freeradius//modules/expiration 

including configuration file /etc/freeradius//modules/logintime 

including configuration file /etc/freeradius//modules/detail 

including configuration file /etc/freeradius//modules/sql_log 

including configuration file /etc/freeradius//modules/smbpasswd 

including configuration file /etc/freeradius//modules/checkval 

including configuration file /etc/freeradius//modules/always 

including configuration file /etc/freeradius//eap.conf 

including configuration file /etc/freeradius//policy.conf 

including files in directory /etc/freeradius//sites-enabled/ 

including configuration file /etc/freeradius//sites-enabled/inner-tunnel 

including configuration file /etc/freeradius//sites-enabled/default 

including dictionary file /etc/freeradius//dictionary 

main { 

	prefix = "/usr" 

	localstatedir = "/var" 

	logdir = "/var/log/freeradius" 

	libdir = "/usr/lib/freeradius" 

	radacctdir = "/var/log/freeradius/radacct" 

	hostname_lookups = no 

	max_request_time = 30 

	cleanup_delay = 5 

	max_requests = 1024 

	allow_core_dumps = no 

	pidfile = "/var/run/radiusd/radiusd.pid" 

	checkrad = "/usr/sbin/checkrad" 

	debug_level = 0 

	proxy_requests = yes 

 log { 

	stripped_names = no 

	auth = no 

	auth_badpass = no 

	auth_goodpass = no 

 } 

 security { 

	max_attributes = 200 

	reject_delay = 1 

	status_server = yes 

 } 

} 

 client localhost { 

	ipaddr = 127.0.0.1 

	require_message_authenticator = no 

	secret = "testing123" 

	nastype = "other" 

 } 

radiusd: #### Loading Realms and Home Servers #### 

 proxy server { 

	retry_delay = 5 

	retry_count = 3 

	default_fallback = no 

	dead_time = 120 

	wake_all_if_all_dead = no 

 } 

 home_server localhost { 

	ipaddr = 127.0.0.1 

	port = 1812 

	type = "auth" 

	secret = "testing123" 

	response_window = 20 

	max_outstanding = 65536 

	zombie_period = 40 

	status_check = "status-server" 

	ping_interval = 30 

	check_interval = 30 

	num_answers_to_alive = 3 

	num_pings_to_alive = 3 

	revive_interval = 120 

	status_check_timeout = 4 

 } 

 home_server_pool my_auth_failover { 

	type = fail-over 

	home_server = localhost 

 } 

 realm example.com { 

	auth_pool = my_auth_failover 

 } 

 realm LOCAL { 

 } 

radiusd: #### Instantiating modules #### 

 instantiate { 

 Module: Linked to module rlm_exec 

 Module: Instantiating exec 

  exec { 

	wait = no 

	input_pairs = "request" 

	shell_escape = yes 

  } 

 Module: Linked to module rlm_expr 

 Module: Instantiating expr 

 Module: Linked to module rlm_expiration 

 Module: Instantiating expiration 

  expiration { 

	reply-message = "Password Has Expired  " 

  } 

 Module: Linked to module rlm_logintime 

 Module: Instantiating logintime 

  logintime { 

	reply-message = "You are calling outside your allowed timespan  " 

	minimum-timeout = 60 

  } 

 } 

radiusd: #### Loading Virtual Servers #### 

server inner-tunnel { 

 modules { 

 Module: Checking authenticate {...} for more modules to load 

 Module: Linked to module rlm_pap 

 Module: Instantiating pap 

  pap { 

	encryption_scheme = "auto" 

	auto_header = no 

  } 

 Module: Linked to module rlm_chap 

 Module: Instantiating chap 

 Module: Linked to module rlm_mschap 

 Module: Instantiating mschap 

  mschap { 

	use_mppe = yes 

	require_encryption = no 

	require_strong = no 

	with_ntdomain_hack = no 

  } 

 Module: Linked to module rlm_unix 

 Module: Instantiating unix 

  unix { 

	radwtmp = "/var/log/freeradius/radwtmp" 

  } 

 Module: Linked to module rlm_eap 

 Module: Instantiating eap 

  eap { 

	default_eap_type = "md5" 

	timer_expire = 60 

	ignore_unknown_eap_types = no 

	cisco_accounting_username_bug = no 

	max_sessions = 2048 

  } 

 Module: Linked to sub-module rlm_eap_md5 

 Module: Instantiating eap-md5 

 Module: Linked to sub-module rlm_eap_leap 

 Module: Instantiating eap-leap 

 Module: Linked to sub-module rlm_eap_gtc 

 Module: Instantiating eap-gtc 

   gtc { 

	challenge = "Password: " 

	auth_type = "PAP" 

   } 

Ignoring EAP-Type/tls because we do not have OpenSSL support. 

Ignoring EAP-Type/ttls because we do not have OpenSSL support. 

Ignoring EAP-Type/peap because we do not have OpenSSL support. 

 Module: Linked to sub-module rlm_eap_mschapv2 

 Module: Instantiating eap-mschapv2 

   mschapv2 { 

	with_ntdomain_hack = no 

   } 

 Module: Checking authorize {...} for more modules to load 

 Module: Linked to module rlm_realm 

 Module: Instantiating suffix 

  realm suffix { 

	format = "suffix" 

	delimiter = "@" 

	ignore_default = no 

	ignore_null = no 

  } 

 Module: Linked to module rlm_files 

 Module: Instantiating files 

  files { 

	usersfile = "/etc/freeradius//users" 

	acctusersfile = "/etc/freeradius//acct_users" 

	preproxy_usersfile = "/etc/freeradius//preproxy_users" 

	compat = "no" 

  } 

 Module: Checking session {...} for more modules to load 

 Module: Linked to module rlm_radutmp 

 Module: Instantiating radutmp 

  radutmp { 

	filename = "/var/log/freeradius/radutmp" 

	username = "%{User-Name}" 

	case_sensitive = yes 

	check_with_nas = yes 

	perm = 384 

	callerid = yes 

  } 

 Module: Checking post-proxy {...} for more modules to load 

 Module: Checking post-auth {...} for more modules to load 

 Module: Linked to module rlm_attr_filter 

 Module: Instantiating attr_filter.access_reject 

  attr_filter attr_filter.access_reject { 

	attrsfile = "/etc/freeradius//attrs.access_reject" 

	key = "%{User-Name}" 

  } 

 } 

} 

 modules { 

 Module: Checking authenticate {...} for more modules to load 

 Module: Checking authorize {...} for more modules to load 

 Module: Linked to module rlm_preprocess 

 Module: Instantiating preprocess 

  preprocess { 

	huntgroups = "/etc/freeradius//huntgroups" 

	hints = "/etc/freeradius//hints" 

	with_ascend_hack = no 

	ascend_channels_per_line = 23 

	with_ntdomain_hack = no 

	with_specialix_jetstream_hack = no 

	with_cisco_vsa_hack = no 

	with_alvarion_vsa_hack = no 

  } 

 Module: Checking preacct {...} for more modules to load 

 Module: Linked to module rlm_acct_unique 

 Module: Instantiating acct_unique 

  acct_unique { 

	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" 

  } 

 Module: Checking accounting {...} for more modules to load 

 Module: Linked to module rlm_detail 

 Module: Instantiating detail 

  detail { 

	detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" 

	header = "%t" 

	detailperm = 384 

	dirperm = 493 

	locking = no 

	log_packet_header = no 

  } 

 Module: Instantiating attr_filter.accounting_response 

  attr_filter attr_filter.accounting_response { 

	attrsfile = "/etc/freeradius//attrs.accounting_response" 

	key = "%{User-Name}" 

  } 

 Module: Checking session {...} for more modules to load 

 Module: Checking post-proxy {...} for more modules to load 

 Module: Checking post-auth {...} for more modules to load 

 } 

radiusd: #### Opening IP addresses and Ports #### 

listen { 

	type = "auth" 

	ipaddr = * 

	port = 0 

Failed binding to socket: Address already in use  

/etc/freeradius//radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812

# -*- text -*- 

## 

## radiusd.conf	-- FreeRADIUS server configuration file. 

## 

##	http://www.freeradius.org/ 

##	$Id$ 

## 

###################################################################### 

# 

#	Read "man radiusd" before editing this file.  See the section 

#	titled DEBUGGING.  It outlines a method where you can quickly 

#	obtain the configuration you want, without running into 

#	trouble. 

# 

#	Run the server in debugging mode, and READ the output. 

# 

#		$ radiusd -X 

# 

#	We cannot emphasize this point strongly enough.  The vast 

#	majority of problems can be solved by carefully reading the 

#	debugging output, which includes warnings about common issues, 

#	and suggestions for how they may be fixed. 

# 

#	There may be a lot of output, but look carefully for words like: 

#	"warning", "error", "reject", or "failure".  The messages there 

#	will usually be enough to guide you to a solution. 

# 

#	If you are going to ask a question on the mailing list, then 

#	explain what you are trying to do, and include the output from 

#	debugging mode (radiusd -X).  Failure to do so means that all 

#	of the responses to your question will be people telling you 

#	to "post the output of radiusd -X". 

###################################################################### 

# 

#  	The location of other config files and logfiles are declared 

#  	in this file. 

# 

#  	Also general configuration for modules can be done in this 

#  	file, it is exported through the API to modules that ask for 

#  	it. 

# 

#	See "man radiusd.conf" for documentation on the format of this 

#	file.  Note that the individual configuration items are NOT 

#	documented in that "man" page.  They are only documented here, 

#	in the comments. 

# 

#	As of 2.0.0, FreeRADIUS supports a simple processing language 

#	in the "authorize", "authenticate", "accounting", etc. sections. 

#	See "man unlang" for details. 

# 

prefix = /usr 

exec_prefix = /usr 

sysconfdir = /etc 

localstatedir = /var 

sbindir = ${exec_prefix}/sbin 

logdir = /var/log/freeradius 

raddbdir = /etc/freeradius 

radacctdir = ${logdir}/radacct 

#  Location of config and logfiles. 

confdir = ${raddbdir} 

run_dir = ${localstatedir}/run/radiusd 

# Should likely be ${localstatedir}/lib/radiusd 

db_dir = ${raddbdir} 

# 

# libdir: Where to find the rlm_* modules. 

# 

#   This should be automatically set at configuration time. 

# 

#   If the server builds and installs, but fails at execution time 

#   with an 'undefined symbol' error, then you can use the libdir 

#   directive to work around the problem. 

# 

#   The cause is usually that a library has been installed on your 

#   system in a place where the dynamic linker CANNOT find it.  When 

#   executing as root (or another user), your personal environment MAY 

#   be set up to allow the dynamic linker to find the library.  When 

#   executing as a daemon, FreeRADIUS MAY NOT have the same 

#   personalized configuration. 

# 

#   To work around the problem, find out which library contains that symbol, 

#   and add the directory containing that library to the end of 'libdir', 

#   with a colon separating the directory names.  NO spaces are allowed. 

# 

#   e.g. libdir = /usr/local/lib:/opt/package/lib 

# 

#   You can also try setting the LD_LIBRARY_PATH environment variable 

#   in a script which starts the server. 

# 

#   If that does not work, then you can re-configure and re-build the 

#   server to NOT use shared libraries, via: 

# 

#	./configure --disable-shared 

#	make 

#	make install 

# 

libdir = /usr/lib/freeradius 

#  pidfile: Where to place the PID of the RADIUS server. 

# 

#  The server may be signalled while it's running by using this 

#  file. 

# 

#  This file is written when ONLY running in daemon mode. 

# 

#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid` 

# 

pidfile = ${run_dir}/radiusd.pid 

#  chroot: directory where the server does "chroot". 

# 

#  The chroot is done very early in the process of starting the server. 

#  After the chroot has been performed it switches to the "user" listed 

#  below (which MUST be specified).  If "group" is specified, it switchs 

#  to that group, too.  Any other groups listed for the specified "user" 

#  in "/etc/group" are also added as part of this process. 

# 

#  The current working directory (chdir / cd) is left *outside* of the 

#  chroot until all of the modules have been initialized.  This allows 

#  the "raddb" directory to be left outside of the chroot.  Once the 

#  modules have been initialized, it does a "chdir" to ${logdir}.  This 

#  means that it should be impossible to break out of the chroot. 

# 

#  If you are worried about security issues related to this use of chdir, 

#  then simply ensure that the "raddb" directory is inside of the chroot, 

#  end be sure to do "cd raddb" BEFORE starting the server. 

# 

#  If the server is statically linked, then the only files that have 

#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the 

#  "cd raddb" as discussed above, then the "raddb" directory has to be 

#  inside of the chroot directory, too. 

# 

#chroot = /path/to/chroot/directory 

# user/group: The name (or #number) of the user/group to run radiusd as. 

# 

#   If these are commented out, the server will run as the user/group 

#   that started it.  In order to change to a different user/group, you 

#   MUST be root ( or have root privleges ) to start the server. 

# 

#   We STRONGLY recommend that you run the server with as few permissions 

#   as possible.  That is, if you're not using shadow passwords, the 

#   user and group items below should be set to radius'. 

# 

#  NOTE that some kernels refuse to setgid(group) when the value of 

#  (unsigned)group is above 60000; don't use group nobody on these systems! 

# 

#  On systems with shadow passwords, you might have to set 'group = shadow' 

#  for the server to be able to read the shadow password file.  If you can 

#  authenticate users while in debug mode, but not in daemon mode, it may be 

#  that the debugging mode server is running as a user that can read the 

#  shadow info, and the user listed below can not. 

# 

#  The server will also try to use "initgroups" to read /etc/groups. 

#  It will join all groups where "user" is a member.  This can allow 

#  for some finer-grained access controls. 

# 

#user = radius 

#group = radius 

#  max_request_time: The maximum time (in seconds) to handle a request. 

# 

#  Requests which take more time than this to process may be killed, and 

#  a REJECT message is returned. 

# 

#  WARNING: If you notice that requests take a long time to be handled, 

#  then this MAY INDICATE a bug in the server, in one of the modules 

#  used to handle a request, OR in your local configuration. 

# 

#  This problem is most often seen when using an SQL database.  If it takes 

#  more than a second or two to receive an answer from the SQL database, 

#  then it probably means that you haven't indexed the database.  See your 

#  SQL server documentation for more information. 

# 

#  Useful range of values: 5 to 120 

# 

max_request_time = 30 

#  cleanup_delay: The time to wait (in seconds) before cleaning up 

#  a reply which was sent to the NAS. 

# 

#  The RADIUS request is normally cached internally for a short period 

#  of time, after the reply is sent to the NAS.  The reply packet may be 

#  lost in the network, and the NAS will not see it.  The NAS will then 

#  re-send the request, and the server will respond quickly with the 

#  cached reply. 

# 

#  If this value is set too low, then duplicate requests from the NAS 

#  MAY NOT be detected, and will instead be handled as seperate requests. 

# 

#  If this value is set too high, then the server will cache too many 

#  requests, and some new requests may get blocked.  (See 'max_requests'.) 

# 

#  Useful range of values: 2 to 10 

# 

cleanup_delay = 5 

#  max_requests: The maximum number of requests which the server keeps 

#  track of.  This should be 256 multiplied by the number of clients. 

#  e.g. With 4 clients, this number should be 1024. 

# 

#  If this number is too low, then when the server becomes busy, 

#  it will not respond to any new requests, until the 'cleanup_delay' 

#  time has passed, and it has removed the old requests. 

# 

#  If this number is set too high, then the server will use a bit more 

#  memory for no real benefit. 

# 

#  If you aren't sure what it should be set to, it's better to set it 

#  too high than too low.  Setting it to 1000 per client is probably 

#  the highest it should be. 

# 

#  Useful range of values: 256 to infinity 

# 

max_requests = 1024 

#  listen: Make the server listen on a particular IP address, and send 

#  replies out from that address. This directive is most useful for 

#  hosts with multiple IP addresses on one interface. 

# 

#  If you want the server to listen on additional addresses, or on 

#  additionnal ports, you can use multiple "listen" sections. 

# 

#  Each section make the server listen for only one type of packet, 

#  therefore authentication and accounting have to be configured in 

#  different sections. 

# 

#  The server ignore all "listen" section if you are using '-i' and '-p' 

#  on the command line. 

# 

listen { 

	#  Type of packets to listen for. 

	#  Allowed values are: 

	#	auth	listen for authentication packets 

	#	acct	listen for accounting packets 

	#	proxy   IP to use for sending proxied packets 

	#	detail  Read from the detail file.  For examples, see 

	#               raddb/sites-available/copy-acct-to-home-server 

	# 

	type = auth 

	#  Note: "type = proxy" lets you control the source IP used for 

	#        proxying packets, with some limitations: 

	# 

	#    * Only ONE proxy listener can be defined. 

	#    * A proxy listener CANNOT be used in a virtual server section. 

	#    * You should probably set "port = 0". 

	#    * Any "clients" configuration will be ignored. 

	#  IP address on which to listen. 

	#  Allowed values are: 

	#	dotted quad (1.2.3.4) 

	#       hostname    (radius.example.com) 

	#       wildcard    (*) 

	ipaddr = * 

	#  OR, you can use an IPv6 address, but not both 

	#  at the same time. 

#	ipv6addr = ::	# any.  ::1 == localhost 

	#  Port on which to listen. 

	#  Allowed values are: 

	#	integer port number (1812) 

	#	0 means "use /etc/services for the proper port" 

	port = 0 

	#  Some systems support binding to an interface, in addition 

	#  to the IP address.  This feature isn't strictly necessary, 

	#  but for sites with many IP addresses on one interface, 

	#  it's useful to say "listen on all addresses for eth0". 

	# 

	#  If your system does not support this feature, you will 

	#  get an error if you try to use it. 

	# 

#	interface = eth0 

	#  Per-socket lists of clients.  This is a very useful feature. 

	# 

	#  The name here is a reference to a section elsewhere in 

	#  radiusd.conf, or clients.conf.  Having the name as 

	#  a reference allows multiple sockets to use the same 

	#  set of clients. 

	# 

	#  If this configuration is used, then the global list of clients 

	#  is IGNORED for this "listen" section.  Take care configuring 

	#  this feature, to ensure you don't accidentally disable a 

	#  client you need. 

	# 

	#  See clients.conf for the configuration of "per_socket_clients". 

	# 

#	clients = per_socket_clients 

} 

#  This second "listen" section is for listening on the accounting 

#  port, too. 

# 

listen { 

	ipaddr = * 

#	ipv6addr = :: 

	port = 0 

	type = acct 

#	interface = eth0 

#	clients = per_socket_clients 

} 

#  hostname_lookups: Log the names of clients or just their IP addresses 

#  e.g., www.freeradius.org (on) or 206.47.27.232 (off). 

# 

#  The default is 'off' because it would be overall better for the net 

#  if people had to knowingly turn this feature on, since enabling it 

#  means that each client request will result in AT LEAST one lookup 

#  request to the nameserver.   Enabling hostname_lookups will also 

#  mean that your server may stop randomly for 30 seconds from time 

#  to time, if the DNS requests take too long. 

# 

#  Turning hostname lookups off also means that the server won't block 

#  for 30 seconds, if it sees an IP address which has no name associated 

#  with it. 

# 

#  allowed values: {no, yes} 

# 

hostname_lookups = no 

#  Core dumps are a bad thing.  This should only be set to 'yes' 

#  if you're debugging a problem with the server. 

# 

#  allowed values: {no, yes} 

# 

allow_core_dumps = no 

#  Regular expressions 

# 

#  These items are set at configure time.  If they're set to "yes", 

#  then setting them to "no" turns off regular expression support. 

# 

#  If they're set to "no" at configure time, then setting them to "yes" 

#  WILL NOT WORK.  It will give you an error. 

# 

regular_expressions	= yes 

extended_expressions	= yes 

# 

#  Logging section.  The various "log_*" configuration items 

#  will eventually be moved here. 

# 

log { 

	# 

	#  Destination for log messages.  This can be one of: 

	# 

	#	files - log to "file", as defined below. 

	#	syslog - to syslog (see also the "syslog_facility", below. 

	#	stdout - standard output 

	#	stderr - standard error. 

	# 

	#  The command-line option "-X" over-rides this option, and forces 

	#  logging to go to stdout. 

	# 

	destination = files 

	# 

	#  The logging messages for the server are appended to the 

	#  tail of this file if destination == "files" 

	# 

	#  If the server is running in debugging mode, this file is 

	#  NOT used. 

	# 

	file = ${logdir}/radius.log 

	# 

	#  If this configuration parameter is set, then log messages for 

	#  a *request* go to this file, rather than to radius.log. 

	# 

	#  i.e. This is a log file per request, once the server has accepted 

	#  the request as being from a valid client.  Messages that are 

	#  not associated with a request still go to radius.log. 

	# 

	#  Not all log messages in the server core have been updated to use 

	#  this new internal API.  As a result, some messages will still 

	#  go to radius.log.  Please submit patches to fix this behavior. 

	# 

	#  The file name is expanded dynamically.  You should ONLY user 

	#  server-side attributes for the filename (e.g. things you control). 

	#  Using this feature MAY also slow down the server substantially, 

	#  especially if you do thinks like SQL calls as part of the 

	#  expansion of the filename. 

	# 

	#  The name of the log file should use attributes that don't change 

	#  over the lifetime of a request, such as User-Name, 

	#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log 

	#  messages will be distributed over multiple files. 

	# 

	#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log 

	# 

	#  Which syslog facility to use, if ${destination} == "syslog" 

	# 

	#  The exact values permitted here are OS-dependent.  You probably 

	#  don't want to change this. 

	# 

	syslog_facility = daemon 

	#  Log the full User-Name attribute, as it was found in the request. 

	# 

	# allowed values: {no, yes} 

	# 

	stripped_names = no 

	#  Log authentication requests to the log file. 

	# 

	#  allowed values: {no, yes} 

	# 

	auth = no 

	#  Log passwords with the authentication requests. 

	#  auth_badpass  - logs password if it's rejected 

	#  auth_goodpass - logs password if it's correct 

	# 

	#  allowed values: {no, yes} 

	# 

	auth_badpass = no 

	auth_goodpass = no 

} 

#  The program to execute to do concurrency checks. 

checkrad = ${sbindir}/checkrad 

# SECURITY CONFIGURATION 

# 

#  There may be multiple methods of attacking on the server.  This 

#  section holds the configuration items which minimize the impact 

#  of those attacks 

# 

security { 

	# 

	#  max_attributes: The maximum number of attributes 

	#  permitted in a RADIUS packet.  Packets which have MORE 

	#  than this number of attributes in them will be dropped. 

	# 

	#  If this number is set too low, then no RADIUS packets 

	#  will be accepted. 

	# 

	#  If this number is set too high, then an attacker may be 

	#  able to send a small number of packets which will cause 

	#  the server to use all available memory on the machine. 

	# 

	#  Setting this number to 0 means "allow any number of attributes" 

	max_attributes = 200 

	# 

	#  reject_delay: When sending an Access-Reject, it can be 

	#  delayed for a few seconds.  This may help slow down a DoS 

	#  attack.  It also helps to slow down people trying to brute-force 

	#  crack a users password. 

	# 

	#  Setting this number to 0 means "send rejects immediately" 

	# 

	#  If this number is set higher than 'cleanup_delay', then the 

	#  rejects will be sent at 'cleanup_delay' time, when the request 

	#  is deleted from the internal cache of requests. 

	# 

	#  Useful ranges: 1 to 5 

	reject_delay = 1 

	# 

	#  status_server: Whether or not the server will respond 

	#  to Status-Server requests. 

	# 

	#  When sent a Status-Server message, the server responds with 

	#  an Access-Accept or Accounting-Response packet. 

	# 

	#  This is mainly useful for administrators who want to "ping" 

	#  the server, without adding test users, or creating fake 

	#  accounting packets. 

	# 

	#  It's also useful when a NAS marks a RADIUS server "dead". 

	#  The NAS can periodically "ping" the server with a Status-Server 

	#  packet.  If the server responds, it must be alive, and the 

	#  NAS can start using it for real requests. 

	# 

	status_server = yes 

} 

# PROXY CONFIGURATION 

# 

#  proxy_requests: Turns proxying of RADIUS requests on or off. 

# 

#  The server has proxying turned on by default.  If your system is NOT 

#  set up to proxy requests to another server, then you can turn proxying 

#  off here.  This will save a small amount of resources on the server. 

# 

#  If you have proxying turned off, and your configuration files say 

#  to proxy a request, then an error message will be logged. 

# 

#  To disable proxying, change the "yes" to "no", and comment the 

#  $INCLUDE line. 

# 

#  allowed values: {no, yes} 

# 

proxy_requests  = yes 

$INCLUDE proxy.conf 

# CLIENTS CONFIGURATION 

# 

#  Client configuration is defined in "clients.conf".   

# 

#  The 'clients.conf' file contains all of the information from the old 

#  'clients' and 'naslist' configuration files.  We recommend that you 

#  do NOT use 'client's or 'naslist', although they are still 

#  supported. 

# 

#  Anything listed in 'clients.conf' will take precedence over the 

#  information from the old-style configuration files. 

# 

$INCLUDE clients.conf 

# THREAD POOL CONFIGURATION 

# 

#  The thread pool is a long-lived group of threads which 

#  take turns (round-robin) handling any incoming requests. 

# 

#  You probably want to have a few spare threads around, 

#  so that high-load situations can be handled immediately.  If you 

#  don't have any spare threads, then the request handling will 

#  be delayed while a new thread is created, and added to the pool. 

# 

#  You probably don't want too many spare threads around, 

#  otherwise they'll be sitting there taking up resources, and 

#  not doing anything productive. 

# 

#  The numbers given below should be adequate for most situations. 

# 

thread pool { 

	#  Number of servers to start initially --- should be a reasonable 

	#  ballpark figure. 

	start_servers = 5 

	#  Limit on the total number of servers running. 

	# 

	#  If this limit is ever reached, clients will be LOCKED OUT, so it 

	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to 

	#  keep a runaway server from taking the system with it as it spirals 

	#  down... 

	# 

	#  You may find that the server is regularly reaching the 

	#  'max_servers' number of threads, and that increasing 

	#  'max_servers' doesn't seem to make much difference. 

	# 

	#  If this is the case, then the problem is MOST LIKELY that 

	#  your back-end databases are taking too long to respond, and 

	#  are preventing the server from responding in a timely manner. 

	# 

	#  The solution is NOT do keep increasing the 'max_servers' 

	#  value, but instead to fix the underlying cause of the 

	#  problem: slow database, or 'hostname_lookups=yes'. 

	# 

	#  For more information, see 'max_request_time', above. 

	# 

	max_servers = 32 

	#  Server-pool size regulation.  Rather than making you guess 

	#  how many servers you need, FreeRADIUS dynamically adapts to 

	#  the load it sees, that is, it tries to maintain enough 

	#  servers to handle the current load, plus a few spare 

	#  servers to handle transient load spikes. 

	# 

	#  It does this by periodically checking how many servers are 

	#  waiting for a request.  If there are fewer than 

	#  min_spare_servers, it creates a new spare.  If there are 

	#  more than max_spare_servers, some of the spares die off. 

	#  The default values are probably OK for most sites. 

	# 

	min_spare_servers = 3 

	max_spare_servers = 10 

	#  There may be memory leaks or resource allocation problems with 

	#  the server.  If so, set this value to 300 or so, so that the 

	#  resources will be cleaned up periodically. 

	# 

	#  This should only be necessary if there are serious bugs in the 

	#  server which have not yet been fixed. 

	# 

	#  '0' is a special value meaning 'infinity', or 'the servers never 

	#  exit' 

	max_requests_per_server = 0 

} 

# MODULE CONFIGURATION 

# 

#  The names and configuration of each module is located in this section. 

# 

#  After the modules are defined here, they may be referred to by name, 

#  in other sections of this configuration file. 

# 

modules { 

	# 

	#  Each module has a configuration as follows: 

	# 

	#	name [ instance ] { 

	#		config_item = value 

	#		... 

	#	} 

	# 

	#  The 'name' is used to load the 'rlm_name' library 

	#  which implements the functionality of the module. 

	# 

	#  The 'instance' is optional.  To have two different instances 

	#  of a module, it first must be referred to by 'name'. 

	#  The different copies of the module are then created by 

	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2' 

	# 

	#  The instance names can then be used in later configuration 

	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration 

	#  for an example. 

	# 

	# 

	#  As of 2.0.5, most of the module configurations are in a 

	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/ 

	#  are loaded.  The modules are initialized ONLY if they are 

	#  referenced in a processing section, such as authorize, 

	#  authenticate, accounting, pre/post-proxy, etc. 

	# 

	$INCLUDE ${confdir}/modules/ 

	#  Extensible Authentication Protocol 

	# 

	#  For all EAP related authentications. 

	#  Now in another file, because it is very large. 

	# 

	$INCLUDE eap.conf 

	#  Include another file that has the SQL-related configuration. 

	#  This is another file only because it tends to be big. 

	# 

	#$INCLUDE sql.conf 

	# 

	#  This module is an SQL enabled version of the counter module. 

	# 

	#  Rather than maintaining seperate (GDBM) databases of 

	#  accounting info for each counter, this module uses the data 

	#  stored in the raddacct table by the sql modules. This 

	#  module NEVER does any database INSERTs or UPDATEs.  It is 

	#  totally dependent on the SQL module to process Accounting 

	#  packets. 

	# 

	#$INCLUDE sql/mysql/counter.conf 

	#$INCLUDE sql/postgresql/counter.conf 

	# 

	#  IP addresses managed in an SQL table. 

	# 

	#$INCLUDE sqlippool.conf 

	# OTP token support.  Not included by default. 

	# $INCLUDE otp.conf 

ldap ldap_1x { 

                server = "srvgrp7" 

                identity = "uid=admin,cn=admin,dc=grp7,dc=local" 

                password = "1234qwer" 

                basedn = "dc=grp7,dc=local" 

                base_filter = "(objectclass=)" 

                start_tls = yes 

                # This is your Certificate Authority (CA) certificate 

                tls_cacertfile = /etc/ldap/certs/server.crt 

                tls_require_cert = "demand" 

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" 

                # profile_attribute = "radiusProfileDn" 

                access_attr = "uid" 

                dictionary_mapping = ${raddbdir}/ldap.attrmap 

                authtype = ldap 

                ldap_connections_number = 5 

                timeout = 4 

                timelimit = 3 

                net_timeout = 1 

	} 

# under MODULES, make sure mschap is uncommented! 

    mschap { 

      # authtype value, if present, will be used 

      # to overwrite (or add) Auth-Type during 

      # authorization. Normally, should be MS-CHAP 

      authtype = MS-CHAP 

      # if use_mppe is not set to no, mschap will 

      # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and 

      # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 

      # 

      use_mppe = yes 

      # if mppe is enabled, require_encryption makes 

      # encryption moderate 

      # 

      require_encryption = yes 

      # require_strong always requires 128 bit key 

      # encryption 

      # 

      require_strong = yes 

      authtype = MS-CHAP 

      # The module can perform authentication itself, OR 

      # use a Windows Domain Controller. See the radius.conf file 

      # for how to do this. 

    } 

} 

# Instantiation 

# 

#  This section orders the loading of the modules.  Modules 

#  listed here will get loaded BEFORE the later sections like 

#  authorize, authenticate, etc. get examined. 

# 

#  This section is not strictly needed.  When a section like 

#  authorize refers to a module, it's automatically loaded and 

#  initialized.  However, some modules may not be listed in any 

#  of the following sections, so they can be listed here. 

# 

#  Also, listing modules here ensures that you have control over 

#  the order in which they are initalized.  If one module needs 

#  something defined by another module, you can list them in order 

#  here, and ensure that the configuration will be OK. 

# 

instantiate { 

	# 

	#  Allows the execution of external scripts. 

	#  The entire command line (and output) must fit into 253 bytes. 

	# 

	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}` 

	exec 

	# 

	#  The expression module doesn't do authorization, 

	#  authentication, or accounting.  It only does dynamic 

	#  translation, of the form: 

	# 

	#	Session-Timeout = `%{expr:2 + 3}` 

	# 

	#  So the module needs to be instantiated, but CANNOT be 

	#  listed in any other section.  See 'doc/rlm_expr' for 

	#  more information. 

	# 

	expr 

	# 

	# We add the counter module here so that it registers 

	# the check-name attribute before any module which sets 

	# it 

#	daily 

	expiration 

	logintime 

	# subsections here can be thought of as "virtual" modules. 

	# 

	# e.g. If you have two redundant SQL servers, and you want to 

	# use them in the authorize and accounting sections, you could 

	# place a "redundant" block in each section, containing the 

	# exact same text.  Or, you could uncomment the following 

	# lines, and list "redundant_sql" in the authorize and 

	# accounting sections. 

	# 

	#redundant redundant_sql { 

	#	sql1 

	#	sql2 

	#} 

authorize { 

        preprocess 

        mschap 

	suffix 

	eap 

	files 

	chap 

	ldap_1x 

	openssl 

    } 

    authenticate { 

         # 

         #  MSCHAP authentication.     

         Auth-Type MS-CHAP { 

               mschap 

          } 

	 # 

         #  Allow EAP authentication. 

         eap 

     } 

} 

###################################################################### 

# 

#	Policies that can be applied in multiple places are listed 

#	globally.  That way, they can be defined once, and referred 

#	to multiple times. 

# 

###################################################################### 

$INCLUDE policy.conf 

###################################################################### 

# 

#	As of 2.0.0, the "authorize", "authenticate", etc. sections 

#	are in separate configuration files, per virtual host. 

# 

###################################################################### 

###################################################################### 

# 

#	Include all enabled virtual hosts. 

# 

#	The following directory is searched for files that match 

#	the regex: 

# 

#		/[a-zA-Z0-9_.]+/ 

# 

#	The files are then included here, just as if they were cut 

#	and pasted into this file. 

# 

#	See "sites-enabled/default" for some additional documentation. 

# 

$INCLUDE sites-enabled/

# -*- text -*- 

## 

##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) 

## 

##	$Id$ 

####################################################################### 

# 

#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server 

#  is smart enough to figure this out on its own.  The most 

#  common side effect of setting 'Auth-Type := EAP' is that the 

#  users then cannot use ANY other authentication method. 

# 

#  EAP types NOT listed here may be supported via the "eap2" module. 

#  See experimental.conf for documentation. 

# 

	eap { 

		#  Invoke the default supported EAP type when 

		#  EAP-Identity response is received. 

		# 

		#  The incoming EAP messages DO NOT specify which EAP 

		#  type they will be using, so it MUST be set here. 

		# 

		#  For now, only one default EAP type may be used at a time. 

		# 

		#  If the EAP-Type attribute is set by another module, 

		#  then that EAP type takes precedence over the 

		#  default type configured here. 

		# 

		default_eap_type = md5 

		#  A list is maintained to correlate EAP-Response 

		#  packets with EAP-Request packets.  After a 

		#  configurable length of time, entries in the list 

		#  expire, and are deleted. 

		# 

		timer_expire     = 60 

		#  There are many EAP types, but the server has support 

		#  for only a limited subset.  If the server receives 

		#  a request for an EAP type it does not support, then 

		#  it normally rejects the request.  By setting this 

		#  configuration to "yes", you can tell the server to 

		#  instead keep processing the request.  Another module 

		#  MUST then be configured to proxy the request to 

		#  another RADIUS server which supports that EAP type. 

		# 

		#  If another module is NOT configured to handle the 

		#  request, then the request will still end up being 

		#  rejected. 

		ignore_unknown_eap_types = no 

		# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given 

		# a User-Name attribute in an Access-Accept, it copies one 

		# more byte than it should. 

		# 

		# We can work around it by configurably adding an extra 

		# zero byte. 

		cisco_accounting_username_bug = no 

		# 

		#  Help prevent DoS attacks by limiting the number of 

		#  sessions that the server is tracking.  Most systems 

		#  can handle ~30 EAP sessions/s, so the default limit 

		#  of 2048 is more than enough. 

		max_sessions = 2048 

		# Supported EAP-types 

		# 

		#  We do NOT recommend using EAP-MD5 authentication 

		#  for wireless connections.  It is insecure, and does 

		#  not provide for dynamic WEP keys. 

		# 

		md5 { 

		} 

		# Cisco LEAP 

		# 

		#  We do not recommend using LEAP in new deployments.  See: 

		#  http://www.securiteam.com/tools/5TP012ACKE.html 

		# 

		#  Cisco LEAP uses the MS-CHAP algorithm (but not 

		#  the MS-CHAP attributes) to perform it's authentication. 

		# 

		#  As a result, LEAP *requires* access to the plain-text 

		#  User-Password, or the NT-Password attributes. 

		#  'System' authentication is impossible with LEAP. 

		# 

		leap { 

		} 

		#  Generic Token Card. 

		# 

		#  Currently, this is only permitted inside of EAP-TTLS, 

		#  or EAP-PEAP.  The module "challenges" the user with 

		#  text, and the response from the user is taken to be 

		#  the User-Password. 

		# 

		#  Proxying the tunneled EAP-GTC session is a bad idea, 

		#  the users password will go over the wire in plain-text, 

		#  for anyone to see. 

		# 

		gtc { 

			#  The default challenge, which many clients 

			#  ignore.. 

			#challenge = "Password: " 

			#  The plain-text response which comes back 

			#  is put into a User-Password attribute, 

			#  and passed to another module for 

			#  authentication.  This allows the EAP-GTC 

			#  response to be checked against plain-text, 

			#  or crypt'd passwords. 

			# 

			#  If you say "Local" instead of "PAP", then 

			#  the module will look for a User-Password 

			#  configured for the request, and do the 

			#  authentication itself. 

			# 

			auth_type = PAP 

		} 

		## EAP-TLS 

		# 

		#  See raddb/certs/README for additional comments 

		#  on certificates. 

		# 

		#  If OpenSSL was not found at the time the server was 

		#  built, the "tls", "ttls", and "peap" sections will 

		#  be ignored. 

		# 

		#  Otherwise, when the server first starts in debugging 

		#  mode, test certificates will be created.  See the 

		#  "make_cert_command" below for details, and the README 

		#  file in raddb/certs 

		# 

		#  These test certificates SHOULD NOT be used in a normal 

		#  deployment.  They are created only to make it easier 

		#  to install the server, and to perform some simple 

		#  tests with EAP-TLS, TTLS, or PEAP. 

		# 

		#  See also: 

		# 

		#  http://www.dslreports.com/forum/remark,9286052~mode=flat 

		# 

		tls { 

			# 

			#  These is used to simplify later configurations. 

			# 

			certdir = ${confdir}/certs 

			cadir = ${confdir}/certs 

			private_key_password = whatever 

			private_key_file = ${certdir}/server.pem 

			#  If Private key & Certificate are located in 

			#  the same file, then private_key_file & 

			#  certificate_file must contain the same file 

			#  name. 

			# 

			#  If CA_file (below) is not used, then the 

			#  certificate_file below MUST include not 

			#  only the server certificate, but ALSO all 

			#  of the CA certificates used to sign the 

			#  server certificate. 

			certificate_file = ${certdir}/server.pem 

			#  Trusted Root CA list 

			# 

			#  ALL of the CA's in this list will be trusted 

			#  to issue client certificates for authentication. 

			# 

			#  In general, you should use self-signed 

			#  certificates for 802.1x (EAP) authentication. 

			#  In that case, this CA file should contain 

			#  *one* CA certificate. 

			# 

			#  This parameter is used only for EAP-TLS, 

			#  when you issue client certificates.  If you do 

			#  not use client certificates, and you do not want 

			#  to permit EAP-TLS authentication, then delete 

			#  this configuration item. 

			CA_file = ${cadir}/ca.pem 

			# 

			#  For DH cipher suites to work, you have to 

			#  run OpenSSL to create the DH file first: 

			# 

			#  	openssl dhparam -out certs/dh 1024 

			# 

			dh_file = ${certdir}/dh 

			random_file = ${certdir}/random 

			# 

			#  This can never exceed the size of a RADIUS 

			#  packet (4096 bytes), and is preferably half 

			#  that, to accomodate other attributes in 

			#  RADIUS packet.  On most APs the MAX packet 

			#  length is configured between 1500 - 1600 

			#  In these cases, fragment size should be 

			#  1024 or less. 

			# 

		#	fragment_size = 1024 

			#  include_length is a flag which is 

			#  by default set to yes If set to 

			#  yes, Total Length of the message is 

			#  included in EVERY packet we send. 

			#  If set to no, Total Length of the 

			#  message is included ONLY in the 

			#  First packet of a fragment series. 

			# 

		#	include_length = yes 

			#  Check the Certificate Revocation List 

			# 

			#  1) Copy CA certificates and CRLs to same directory. 

			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'. 

			#    'c_rehash' is OpenSSL's command. 

			#  3) uncomment the line below. 

			#  5) Restart radiusd 

		#	check_crl = yes 

		#	CA_path = /path/to/directory/with/ca_certs/and/crls/ 

		       # 

		       #  If check_cert_issuer is set, the value will 

		       #  be checked against the DN of the issuer in 

		       #  the client certificate.  If the values do not 

		       #  match, the cerficate verification will fail, 

		       #  rejecting the user. 

		       # 

		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" 

		       # 

		       #  If check_cert_cn is set, the value will 

		       #  be xlat'ed and checked against the CN 

		       #  in the client certificate.  If the values 

		       #  do not match, the certificate verification 

		       #  will fail rejecting the user. 

		       # 

		       #  This check is done only if the previous 

		       #  "check_cert_issuer" is not set, or if 

		       #  the check succeeds. 

		       # 

		#	check_cert_cn = %{User-Name} 

		# 

			# Set this option to specify the allowed 

			# TLS cipher suites.  The format is listed 

			# in "man 1 ciphers". 

			cipher_list = "DEFAULT" 

			# 

			#  This configuration entry should be deleted 

			#  once the server is running in a normal 

			#  configuration.  It is here ONLY to make 

			#  initial deployments easier. 

			# 

			make_cert_command = "${certdir}/bootstrap" 

			# 

			#  Session resumption / fast reauthentication 

			#  cache. 

			# 

			cache { 

			      # 

			      #  Enable it.  The default is "no". 

			      #  Deleting the entire "cache" subsection 

			      #  Also disables caching. 

			      # 

			      #  You can disallow resumption for a 

			      #  particular user by adding the following 

			      #  attribute to the control item list: 

			      # 

			      #		Allow-Session-Resumption = No 

			      # 

			      #  If "enable = no" below, you CANNOT 

			      #  enable resumption for just one user 

			      #  by setting the above attribute to "yes". 

			      # 

			      enable = no 

			      # 

			      #  Lifetime of the cached entries, in hours. 

			      #  The sessions will be deleted after this 

			      #  time. 

			      # 

			      lifetime = 24 # hours 

			      # 

			      #  The maximum number of entries in the 

			      #  cache.  Set to "0" for "infinite". 

			      # 

			      #  This could be set to the number of users 

			      #  who are logged in... which can be a LOT. 

			      # 

			      max_entries = 255 

			} 

		} 

		#  The TTLS module implements the EAP-TTLS protocol, 

		#  which can be described as EAP inside of Diameter, 

		#  inside of TLS, inside of EAP, inside of RADIUS... 

		# 

		#  Surprisingly, it works quite well. 

		# 

		#  The TTLS module needs the TLS module to be installed 

		#  and configured, in order to use the TLS tunnel 

		#  inside of the EAP packet.  You will still need to 

		#  configure the TLS module, even if you do not want 

		#  to deploy EAP-TLS in your network.  Users will not 

		#  be able to request EAP-TLS, as it requires them to 

		#  have a client certificate.  EAP-TTLS does not 

		#  require a client certificate. 

		# 

		#  You can make TTLS require a client cert by setting 

		# 

		#	EAP-TLS-Require-Client-Cert = Yes 

		# 

		#  in the control items for a request. 

		# 

		ttls { 

			#  The tunneled EAP session needs a default 

			#  EAP type which is separate from the one for 

			#  the non-tunneled EAP module.  Inside of the 

			#  TTLS tunnel, we recommend using EAP-MD5. 

			#  If the request does not contain an EAP 

			#  conversation, then this configuration entry 

			#  is ignored. 

			default_eap_type = md5 

			#  The tunneled authentication request does 

			#  not usually contain useful attributes 

			#  like 'Calling-Station-Id', etc.  These 

			#  attributes are outside of the tunnel, 

			#  and normally unavailable to the tunneled 

			#  authentication request. 

			# 

			#  By setting this configuration entry to 

			#  'yes', any attribute which NOT in the 

			#  tunneled authentication request, but 

			#  which IS available outside of the tunnel, 

			#  is copied to the tunneled request. 

			# 

			# allowed values: {no, yes} 

			copy_request_to_tunnel = no 

			#  The reply attributes sent to the NAS are 

			#  usually based on the name of the user 

			#  'outside' of the tunnel (usually 

			#  'anonymous').  If you want to send the 

			#  reply attributes based on the user name 

			#  inside of the tunnel, then set this 

			#  configuration entry to 'yes', and the reply 

			#  to the NAS will be taken from the reply to 

			#  the tunneled request. 

			# 

			# allowed values: {no, yes} 

			use_tunneled_reply = no 

			# 

			#  The inner tunneled request can be sent 

			#  through a virtual server constructed 

			#  specifically for this purpose. 

			# 

			#  If this entry is commented out, the inner 

			#  tunneled request will be sent through 

			#  the virtual server that processed the 

			#  outer requests. 

			# 

			virtual_server = "inner-tunnel" 

		} 

		################################################## 

		# 

		#  !!!!! WARNINGS for Windows compatibility  !!!!! 

		# 

		################################################## 

		# 

		#  If you see the server send an Access-Challenge, 

		#  and the client never sends another Access-Request, 

		#  then 

		# 

		#		STOP! 

		# 

		#  The server certificate has to have special OID's 

		#  in it, or else the Microsoft clients will silently 

		#  fail.  See the "scripts/xpextensions" file for 

		#  details, and the following page: 

		# 

		#	http://support.microsoft.com/kb/814394/en-us 

		# 

		#  For additional Windows XP SP2 issues, see: 

		# 

		#	http://support.microsoft.com/kb/885453/en-us 

		# 

		#  Note that we do not necessarily agree with their 

		#  explanation... but the fix does appear to work. 

		# 

		##################################################