	## EAP-TLS
	#
	#  To generate test certificates, run the script
	#
	#   ../scripts/certs.sh
	#
	#  Certificates produced that way are for testing only; a
	#  production server should use a key and certificate issued
	#  by your own CA.
	#
	#  The documents on http://www.freeradius.org/doc
	#  are old, but may be helpful.
	#
	#  See also:
	#
	#  http://www.dslreports.com/forum/remark,9286052~mode=flat
	#
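	tls {
		#
		#  The passphrase that protects private_key_file is
		#  stored here in clear text, so this file must only be
		#  readable by the user radiusd runs as.  "whatever" is
		#  a placeholder; it has to match the passphrase on the
		#  key you actually install.
		#
		private_key_password = whatever
		private_key_file = ${raddbdir}/certs/radiusd.pem

		#  Certificate the server presents to EAP-TLS peers.
		certificate_file = ${raddbdir}/certs/radiusd.pem

		#
		#  Trust anchor(s) used to verify client certificates.
		#  Here it is the same file as the server key and
		#  certificate, which presumably only works because the
		#  test certificate script bundles the CA certificate
		#  into radiusd.pem.  In a real deployment point this at
		#  the CA that signs your client certificates, not at the
		#  server's own certificate.
		#
		CA_file = ${raddbdir}/certs/radiusd.pem

		#  Diffie-Hellman parameters and seed material handed to
		#  the TLS library.
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random

		#
		#  This can never exceed the size of a RADIUS
		#  packet (4096 bytes), and is preferably half
		#  that, to accommodate other attributes in the
		#  RADIUS packet.  On most APs the MAX packet
		#  length is configured between 1500 - 1600.
		#  In these cases, fragment size should be
		#  1024 or less.
		#
		#fragment_size = 1024

		#
		#  include_length is a flag which is set to yes
		#  by default.  If set to yes, the Total Length
		#  of the message is included in EVERY packet we
		#  send.  If set to no, the Total Length of the
		#  message is included ONLY in the first packet
		#  of a fragment series.
		#
		#include_length = yes

		#
		#  Check the Certificate Revocation List.
		#
		#  While this is left commented out, no CRL is
		#  consulted, so a client certificate that the CA
		#  has revoked is still accepted as long as it
		#  chains to CA_file.
		#
		#  1) Copy CA certificates and CRLs to the same directory.
		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#	'c_rehash' is OpenSSL's command.
		#  3) Add 'CA_path=<CA certs&CRLs directory>'
		#	  to radiusd.conf's tls section.
		#  4) Uncomment the line below.
		#  5) Restart radiusd.
		#
		#check_crl = yes

		#
		#  If check_cert_cn is set, the value will
		#  be xlat'ed and checked against the CN
		#  in the client certificate.  If the values
		#  do not match, the certificate verification
		#  will fail, rejecting the user.
		#
		#  While it is commented out, this option performs
		#  no check, so any certificate that verifies against
		#  CA_file is accepted regardless of the User-Name
		#  the peer sends; enable it (or an equivalent
		#  policy) if the identity must be bound to the
		#  certificate.
		#
		#check_cert_cn = %{User-Name}
	}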
