ansible/roles/freeradius/templates/mods-available/eap.j2

{{ ansible_managed | comment }}

eap {

    default_eap_type = peap

    type = peap
    type = ttls

    ignore_unknown_eap_types = no

    cisco_accounting_username_bug = no

    timer_expire = 60
    max_sessions = ${max_requests}

    tls-config tls-common {
        private_key_file = {{ radiusd__tls_private_key_file }}
        certificate_file = {{ radiusd__tls_certificate_file }}
        ca_file = {{ radiusd__tls_ca_file }}
        cipher_list = {{ radiusd__tls_cipher_list | enquote }}
        cipher_server_preferences = yes
        tls_min_version = "1.2"
        tls_max_version = "1.3"
        # TODO
        # cache {
        #    enable = yes
        #    lifetime = 24
        #    name = "eap"
        #    persistdir = "${logdir}/tlscache"
        #    store {
        #        Tunnel-Private-Group-Id
        #    }
        # }
        ocsp {
           enable = no
        }
    }

    peap {
        tls = tls-common
        default_eap_type = gtc
        require_client_cert = no
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = inner-aurore
    }

    ttls {
        tls = tls-common
        default_eap_type = pap
        require_client_cert = no
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = inner-aurore
    }

}