1 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"
2 "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
5 <date>2012-12-12</date>
9 <application>radsecproxy.conf</application>
11 <manvolnum>5</manvolnum>
12 <refmiscinfo>radsecproxy 1.6-dev</refmiscinfo>
16 <application>radsecproxy.conf</application>
18 <refpurpose>Radsec proxy configuration file</refpurpose>
21 <title>Description</title>
23 When the proxy server starts, it will first check the command
24 line arguments, and then read the configuration file. Normally
25 radsecproxy will read the configuration file
26 <filename>/etc/radsecproxy.conf</filename>. The command line
27 <option>-c</option> option can be used to instead read an
30 <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>
35 If the configuration file can not be found, the proxy will exit
36 with an error message. Note that there is also an include facility
37 so that any configuration file may include other configuration
38 files. The proxy will also exit on configuration errors.
42 <title>Configuration Syntax</title>
44 When the configuration file is processed, whitespace (spaces and
45 tabs) are generally ignored. For each line, leading and trailing
46 whitespace are ignored. A line is ignored if it is empty, only
47 consists of whitespace, or if the first non-whitespace character
48 is a <literal>#</literal>. The configuration is generally case
49 insensitive, but in some cases the option values (see below) are
53 There are two types of configuration structures than can be
54 used. The first and simplest are lines on the format
55 <emphasis>option value</emphasis>. That is, an option name, see
56 below for a list of valid options, followed by whitespace (at
57 least one space or tab character), followed by a value. Note
58 that if the value contains whitespace, then it must be quoted
59 using <literal>""</literal> or <literal>''</literal>. Any
60 whitespace in front of the option or after the value will be
64 The other type of structure is a block. A block spans at least
65 two lines, and has the format:
66 <blockquote><literallayout>
72 </literallayout></blockquote>
73 That is, some blocktype, see below for a list of the different
74 block types, and then enclosed in braces you have zero or more
75 lines that each have the previously described <emphasis>option
76 value</emphasis> format. Different block types have different
77 rules for which options can be specified, they are listed
78 below. The rules regarding white space, comments and quotes are
79 as above. Hence you may do things like:
80 <blockquote><literallayout>
83 option "value with space"
86 </literallayout></blockquote>
89 Option value characters can also be written in hex. This is done
90 by writing the character <literal>%</literal> followed by two
91 hexadecimal digits. If a <literal>%</literal> is used without
92 two following hexadecimal digits, the <literal>%</literal> and
93 the following characters are used as written. If you want to
94 write a <literal>%</literal> and not use this decoding, you may
95 of course write <literal>%</literal> in hex; i.e.,
96 <literal>%25</literal>.
99 There is one special option that can be used both as a basic
100 option and inside all blocks. That is the option
101 <literal>Include</literal> where the value specifies files to be
102 included. The value can be a single file, or it can use normal
103 shell globbing to specify multiple files, e.g.:
106 include /etc/radsecproxy.conf.d/*.conf
109 The files are sorted alphabetically. Included files are read in
110 the order they are specified, when reaching the end of a file,
111 the next file is read. When reaching the end of the last
112 included file, the proxy returns to read the next line following
113 the <literal>Include</literal> option. Included files may again
118 <title>Basic Options</title>
120 The following basic options may be specified in the
121 configuration file. Note that blocktypes and options inside
122 blocks are discussed later. Note that none of these options are
123 required, and indeed in many cases they are not needed. Note
124 that you should specify each at most once. The behaviour with
125 multiple occurences is undefined.
129 <term><literal>LogLevel</literal></term>
132 This option specifies the debug level. It must be set to
133 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5
134 logs everything. The default is 2 which logs errors,
135 warnings and a few informational messages. Note that the
136 command line option <option>-d</option> overrides this.
141 <term><literal>LogDestination</literal></term>
144 This specifies where the log messages should go. By
145 default the messages go to syslog with facility
146 <literal>LOG_DAEMON</literal>. Using this option you can
147 specify another syslog facility, or you may specify that
148 logging should be to a particular file, not using
149 syslog. The value must be either a file or syslog URL. The
150 file URL is the standard one, specifying a local file that
151 should be used. For syslog, you must use the syntax:
152 <literal>x-syslog:///FACILITY</literal> where
153 <literal>FACILITY</literal> must be one of
154 <literal>LOG_DAEMON</literal>,
155 <literal>LOG_MAIL</literal>, <literal>LOG_USER</literal>,
156 <literal>LOG_LOCAL0</literal>,
157 <literal>LOG_LOCAL1</literal>,
158 <literal>LOG_LOCAL2</literal>,
159 <literal>LOG_LOCAL3</literal>,
160 <literal>LOG_LOCAL4</literal>,
161 <literal>LOG_LOCAL5</literal>,
162 <literal>LOG_LOCAL6</literal> or
163 <literal>LOG_LOCAL7</literal>. You may omit the facility
164 from the URL to specify logging to the default facility,
165 but this is not very useful since this is the default log
166 destination. Note that this option is ignored if
167 <option>-f</option> is specified on the command line.
173 <term><literal>FTicksReporting</literal></term>
176 The FTicksReporting option is used to enable F-Ticks
177 logging and can be set to <literal>None</literal>,
178 <literal>Basic</literal> or <literal>Full</literal>. Its
179 default value is <literal>None</literal>. If
180 FTicksReporting is set to anything other than
181 <literal>None</literal>, note that the default value for
182 FTicksMAC is <literal>VendorKeyHashed</literal> which
183 needs FTicksKey to be set.
186 See <literal>radsecproxy.conf-example</literal> for
187 details. Note that radsecproxy has to be configured with
188 F-Ticks support (<literal>--enable-fticks</literal>) for
189 this option to have any effect.
195 <term><literal>FTicksMAC</literal></term>
198 The FTicksMAC option can be used to control if and how
199 Calling-Station-Id (the users Ethernet MAC address) is
200 being logged. It can be set to one of
201 <literal>Static</literal>, <literal>Original</literal>,
202 <literal>VendorHashed</literal>,
203 <literal>VendorKeyHashed</literal>,
204 <literal>FullyHashed</literal> or
205 <literal>FullyKeyHashed</literal>.
208 The default value for FTicksMAC is
209 <literal>VendorKeyHashed</literal>. This means that
210 FTicksKey has to be set.
212 Before chosing any of <literal>Original</literal>,
213 <literal>FullyHashed</literal> or
214 <literal>VendorHashed</literal>, consider the implications
215 for user privacy when MAC addresses are collected. How
216 will the logs be stored, transferred and accessed?
220 See <literal>radsecproxy.conf-example</literal> for
221 details. Note that radsecproxy has to be configured with
222 F-Ticks support (<literal>--enable-fticks</literal>) for
223 this option to have any effect.
229 <term><literal>FTicksKey</literal></term>
232 The FTicksKey option is used to specify the key to use
233 when producing HMAC's as an effect of specifying
234 VendorKeyHashed or FullyKeyHashed for the FTicksMAC
238 Note that radsecproxy has to be configured with F-Ticks
239 support (<literal>--enable-fticks</literal>) for this
240 option to have any effect.
246 <term><literal>ListenUDP</literal></term>
249 Normally the proxy will listen to the standard RADIUS UDP
250 port <literal>1812</literal> if configured to handle UDP
251 clients. On most systems it will do this for all of the
252 system's IP addresses (both IPv4 and IPv6). On some
253 systems however, it may respond to only IPv4 or only
254 IPv6. To specify an alternate port you may use a value on
255 the form <literal>*:port</literal> where port is any valid
256 port number. If you also want to specify a specific
258 e.g. <literal>192.168.1.1:1812</literal> or
259 <literal>[2001:db8::1]:1812</literal>. The port may be
260 omitted if you want the default one (like in these
261 examples). These examples are equivalent to
262 <literal>192.168.1.1</literal> and
263 <literal>2001:db8::1</literal>. Note that you must use
264 brackets around the IPv6 address. This option may be
265 specified multiple times to listen to multiple addresses
271 <term><literal>ListenTCP</literal></term>
274 This option is similar to the <literal>ListenUDP</literal>
275 option, except that it is used for receiving connections
276 from TCP clients. The default port number is
277 <literal>1812</literal>.
282 <term><literal>ListenTLS</literal></term>
285 This is similar to the <literal>ListenUDP</literal>
286 option, except that it is used for receiving connections
287 from TLS clients. The default port number is
288 <literal>2083</literal>. Note that this option was
289 previously called <literal>ListenTCP</literal>.
294 <term><literal>ListenDTLS</literal></term>
297 This is similar to the <literal>ListenUDP</literal>
298 option, except that it is used for receiving connections
299 from DTLS clients. The default port number is
300 <literal>2083</literal>.
305 <term><literal>SourceUDP</literal></term>
308 This can be used to specify source address and/or source
309 port that the proxy will use for sending UDP client
310 messages (e.g. Access Request).
315 <term><literal>SourceTCP</literal></term>
318 This can be used to specify source address and/or source
319 port that the proxy will use for TCP connections.
324 <term><literal>SourceTLS</literal></term>
327 This can be used to specify source address and/or source
328 port that the proxy will use for TLS connections.
333 <term><literal>SourceDTLS</literal></term>
336 This can be used to specify source address and/or source
337 port that the proxy will use for DTLS connections.
342 <term><literal>TTLAttribute</literal></term>
345 This can be used to change the default TTL attribute. Only
346 change this if you know what you are doing. The syntax is
347 either a numerical value denoting the TTL attribute, or
348 two numerical values separated by column specifying a
350 i.e. <literal>vendorid:attribute</literal>.
355 <term><literal>AddTTL</literal></term>
358 If a TTL attribute is present, the proxy will decrement
359 the value and discard the message if zero. Normally the
360 proxy does nothing if no TTL attribute is present. If you
361 use the AddTTL option with a value 1-255, the proxy will
362 when forwarding a message with no TTL attribute, add one
363 with the specified value. Note that this option can also
364 be specified for a client/server. It will then override
365 this setting when forwarding a message to that
371 <term><literal>LoopPrevention</literal></term>
374 This can be set to <literal>on</literal> or
375 <literal>off</literal> with <literal>off</literal> being
376 the default. When this is enabled, a request will never be
377 sent to a server named the same as the client it was
378 received from. I.e., the names of the client block and the
379 server block are compared. Note that this only gives
380 limited protection against loops. It can be used as a
381 basic option and inside server blocks where it overrides
387 <term><literal>Include</literal></term>
390 This is not a normal configuration option; it can be
391 specified multiple times. It can both be used as a basic
392 option and inside blocks. For the full description, see
393 the configuration syntax section above.
400 <title>Blocks</title>
402 There are five types of blocks, they are
403 <literal>client</literal>, <literal>server</literal>,
404 <literal>realm</literal>, <literal>tls</literal> and
405 <literal>rewrite</literal>. At least one instance of each of
406 <literal>client</literal> and <literal>realm</literal> is
407 required. This is necessary for the proxy to do anything useful,
408 and it will exit if not. The <literal>tls</literal> block is
409 required if at least one TLS/DTLS client or server is
410 configured. Note that there can be multiple blocks for each
411 type. For each type, the block names should be unique. The
412 behaviour with multiple occurences of the same name for the same
413 block type is undefined. Also note that some block option values
414 may reference a block by name, in which case the block name must
415 be previously defined. Hence the order of the blocks may be
420 <title>Client Block</title>
422 The client block is used to configure a client. That is, tell
423 the proxy about a client, and what parameters should be used for
424 that client. The name of the client block must (with one
425 exception, see below) be either the IP address (IPv4 or IPv6) of
426 the client, an IP prefix (IPv4 or IPv6) on the form
427 IpAddress/PrefixLength, or a domain name (FQDN). Note that
428 literal IPv6 addresses must be enclosed in brackets.
431 If a domain name is specified, then this will be resolved
432 immediately to all the addresses associated with the name, and
433 the proxy will not care about any possible DNS changes that
434 might occur later. Hence there is no dependency on DNS after
438 When some client later sends a request to the proxy, the proxy
439 will look at the IP address the request comes from, and then go
440 through all the addresses of each of the configured clients (in
441 the order they are defined), to determine which (if any) of the
445 In the case of TLS/DTLS, the name of the client must match the
446 FQDN or IP address in the client certificate. Note that this is
447 not required when the client name is an IP prefix.
450 Alternatively one may use the <literal>host</literal> option
451 inside a client block. In that case, the value of the
452 <literal>host</literal> option is used as above, while the name
453 of the block is only used as a descriptive name for the
454 administrator. The host option may be used multiple times, and
455 can be a mix of addresses, FQDNs and prefixes.
458 The allowed options in a client block are
459 <literal>host</literal>, <literal>type</literal>,
460 <literal>secret</literal>, <literal>tls</literal>,
461 <literal>certificateNameCheck</literal>,
462 <literal>matchCertificateAttribute</literal>,
463 <literal>duplicateInterval</literal>, <literal>AddTTL</literal>,
464 <literal>fticksVISCOUNTRY</literal>, <literal>rewrite</literal>,
465 <literal>rewriteIn</literal>, <literal>rewriteOut</literal>, and
466 <literal>rewriteAttribute</literal>.
468 We already discussed the <literal>host</literal> option. The
469 value of <literal>type</literal> must be one of
470 <literal>udp</literal>, <literal>tcp</literal>,
471 <literal>tls</literal> or <literal>dtls</literal>. The value of
472 <literal>secret</literal> is the shared RADIUS key used with
473 this client. If the secret contains whitespace, the value must
474 be quoted. This option is optional for TLS/DTLS and if omitted
475 will default to "mysecret". Note that the default value of
476 <literal>secret</literal> will change in an upcoming release.
479 For a TLS/DTLS client you may also specify the
480 <literal>tls</literal> option. The option value must be the
481 name of a previously defined TLS block. If this option is not
482 specified, the TLS block with the name
483 <literal>defaultClient</literal> will be used if defined. If not
484 defined, it will try to use the TLS block named
485 <literal>default</literal>. If the specified TLS block name does
486 not exist, or the option is not specified and none of the
487 defaults exist, the proxy will exit with an error.
490 For a TLS/DTLS client, the option
491 <literal>certificateNameCheck</literal> can be set to
492 <literal>off</literal>, to disable the default behaviour of
493 matching CN or SubjectAltName against the specified hostname or
497 Additional validation of certificate attributes can be done by
498 use of the <literal>matchCertificateAttribute</literal>
499 option. Currently one can only do some matching of CN and
500 SubjectAltName. For regexp matching on CN, one can use the value
501 <literal>CN:/regexp/</literal>. For SubjectAltName one can only
502 do regexp matching of the URI, this is specified as
503 <literal>SubjectAltName:URI:/regexp/</literal>. Note that
504 currently this option can only be specified once in a client
508 The <literal>duplicateInterval</literal> option can be used to
509 specify for how many seconds duplicate checking should be
510 done. If a proxy receives a new request within a few seconds of
511 a previous one, it may be treated the same if from the same
512 client, with the same authenticator etc. The proxy will then
513 ignore the new request (if it is still processing the previous
514 one), or returned a copy of the previous reply.
517 The <literal>AddTTL</literal> option is similar to the
518 <literal>AddTTL</literal> option used in the basic config. See
519 that for details. Any value configured here overrides the basic
520 one when sending messages to this client.
523 The <literal>fticksVISCOUNTRY</literal> option configures
524 clients eligible to F-Ticks logging as defined by the
525 <literal>FTicksReporting</literal> basic option.
528 The <literal>rewrite</literal> option is deprecated. Use
529 <literal>rewriteIn</literal> instead.
532 The <literal>rewriteIn</literal> option can be used to refer to
533 a rewrite block that specifies certain rewrite operations that
534 should be performed on incoming messages from the client. The
535 rewriting is done before other processing. For details, see the
536 rewrite block text below. Similarly to <literal>tls</literal>
537 discussed above, if this option is not used, there is a fallback
538 to using the <literal>rewrite</literal> block named
539 <literal>defaultClient</literal> if it exists; and if not, a
540 fallback to a block named <literal>default</literal>.
543 The <literal>rewriteOut</literal> option is used in the same way
544 as <literal>rewriteIn</literal>, except that it specifies
545 rewrite operations that should be performed on outgoing messages
546 to the client. The rewriting is done after other
547 processing. Also, there is no rewrite fallback if this option is
551 The <literal>rewriteAttribute</literal> option currently makes
552 it possible to specify that the User-Name attribute in a client
553 request shall be rewritten in the request sent by the proxy. The
554 User-Name attribute is written back to the original value if a
555 matching response is later sent back to the client. The value
556 must be on the form User-Name:/regexpmatch/replacement/. Example
560 rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
566 <title>Server Block</title>
568 The server block is used to configure a server. That is, tell
569 the proxy about a server, and what parameters should be used
570 when communicating with that server. The name of the server
571 block must (with one exception, see below) be either the IP
572 address (IPv4 or IPv6) of the server, or a domain name
573 (FQDN). If a domain name is specified, then this will be
574 resolved immediately to all the addresses associated with the
575 name, and the proxy will not care about any possible DNS changes
576 that might occur later. Hence there is no dependency on DNS
577 after startup. If the domain name resolves to multiple
578 addresses, then for UDP/DTLS the first address is used. For
579 TCP/TLS, the proxy will loop through the addresses until it can
580 connect to one of them. In the case of TLS/DTLS, the name of the
581 server must match the FQDN or IP address in the server
585 Alternatively one may use the <literal>host</literal> option
586 inside a server block. In that case, the value of the
587 <literal>host</literal> option is used as above, while the name
588 of the block is only used as a descriptive name for the
589 administrator. Note that multiple host options may be used. This
590 will then be treated as multiple names/addresses for the same
591 server. When initiating a TCP/TLS connection, all addresses of
592 all names may be attempted, but there is no failover between the
593 different host values. For failover one must use separate server
597 Note that the name of the block, or values of host options may
598 include a port number (separated with a column). This port
599 number will then override the default port or a port option in
600 the server block. Also note that literal IPv6 addresses must be
601 enclosed in brackets.
604 The allowed options in a server block are
605 <literal>host</literal>, <literal>port</literal>,
606 <literal>type</literal>, <literal>secret</literal>,
607 <literal>tls</literal>, <literal>certificateNameCheck</literal>,
608 <literal>matchCertificateAttribute</literal>,
609 <literal>AddTTL</literal>, <literal>rewrite</literal>,
610 <literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
611 <literal>statusServer</literal>, <literal>retryCount</literal>,
612 <literal>retryInterval</literal>,
613 <literal>dynamicLookupCommand</literal> and
614 <literal>LoopPrevention</literal>.
617 We already discussed the <literal>host</literal> option. The
618 <literal>port</literal> option allows you to specify which port
619 number the server uses. The usage of <literal>type</literal>,
620 <literal>secret</literal>, <literal>tls</literal>,
621 <literal>certificateNameCheck</literal>,
622 <literal>matchCertificateAttribute</literal>,
623 <literal>AddTTL</literal>, <literal>rewrite</literal>,
624 <literal>rewriteIn</literal> and <literal>rewriteOut</literal>
625 are just as specified for the <literal>client block</literal>
626 above, except that <literal>defaultServer</literal> (and not
627 <literal>defaultClient</literal>) is the fallback for the
628 <literal>tls</literal>, <literal>rewrite</literal> and
629 <literal>rewriteIn</literal> options.
632 <literal>statusServer</literal> can be specified to enable the
633 use of status-server messages for this server. The value must be
634 either <literal>on</literal> or <literal>off</literal>. The
635 default when not specified, is <literal>off</literal>. If
636 statusserver is enabled, the proxy will during idle periods send
637 regular status-server messages to the server to verify that it
638 is alive. This should only be enabled if the server supports it.
641 The options <literal>retryCount</literal> and
642 <literal>retryInterval</literal> can be used to specify how many
643 times the proxy should retry sending a request and how long it
644 should wait between each retry. The defaults are 2 retries and
648 The option <literal>dynamicLookupCommand</literal> can be used
649 to specify a command that should be executed to dynamically
650 configure and use a server. The use of this feature will be
651 documented separately/later.
654 Using the <literal>LoopPrevention</literal> option here
655 overrides any basic setting of this option. See section
656 <literal>BASIC OPTIONS</literal> for details on this option.
660 <title>Realm Block</title>
662 When the proxy receives an Access-Request it needs to figure out
663 to which server it should be forwarded. This is done by looking
664 at the Username attribute in the request, and matching that
665 against the names of the defined realm blocks. The proxy will
666 match against the blocks in the order they are specified, using
667 the first match if any. If no realm matches, the proxy will
668 simply ignore the request. Each realm block specifies what the
669 server should do when a match is found. A realm block may
670 contain none, one or multiple <literal>server</literal> options,
671 and similarly <literal>accountingServer</literal> options. There
672 are also <literal>replyMessage</literal> and
673 <literal>accountingResponse</literal> options. We will discuss
677 <title>Realm block names and matching</title>
679 In the general case the proxy will look for a
680 <literal>@</literal> in the username attribute, and try to do
681 an exact case insensitive match between what comes after the
682 <literal>@</literal> and the name of the realm block. So if
683 you get a request with the attribute value
684 <literal>anonymous@example.com</literal>, the proxy will go
685 through the realm names in the order they are specified,
686 looking for a realm block named
687 <literal>example.com</literal>.
690 There are two exceptions to this, one is the realm name
691 <literal>*</literal> which means match everything. Hence if
692 you have a realm block named <literal>*</literal>, then it
693 will always match. This should then be the last realm block
694 defined, since any blocks after this would never be
695 checked. This is useful for having a default.
698 The other exception is regular expression matching. If the
699 realm name starts with a <literal>/</literal>, the name is
700 treated as an regular expression. A case insensitive regexp
701 match will then be done using this regexp on the value of the
702 entire Username attribute. Optionally you may also have a
703 trailing <literal>/</literal> after the regexp. So as an
704 example, if you want to use regexp matching the domain
705 <literal>example.com</literal> you could have a realm block
706 named <literal>/@example\\.com$</literal>. Optinally this can
707 also be written <literal>/@example\\.com$/</literal>. If you
708 want to match all domains under the <literal>.com</literal>
709 top domain, you could do <literal>/@.*\\.com$</literal>. Note
710 that since the matching is done on the entire attribute value,
711 you can also use rules like
712 <literal>/^[a-k].*@example\\.com$/</literal> to get some of
713 the users in this domain to use one server, while other users
714 could be matched by another realm block and use another
719 <title>Realm block options</title>
721 A realm block may contain none, one or multiple
722 <literal>server</literal> options. If defined, the values of
723 the <literal>server</literal> options must be the names of
724 previously defined server blocks. Normally requests will be
725 forwarded to the first server option defined. If there are
726 multiple server options, the proxy will do fail-over and use
727 the second server if the first is down. If the two first are
728 down, it will try the third etc. If say the first server comes
729 back up, it will go back to using that one. Currently
730 detection of servers being up or down is based on the use of
731 StatusServer (if enabled), and that TCP/TLS/DTLS connections
735 A realm block may also contain none, one or multiple
736 <literal>accountingServer</literal> options. This is used
737 exactly like the <literal>server</literal> option, except that
738 it is used for specifying where to send matching accounting
739 requests. The values must be the names of previously defined
740 server blocks. When multiple accounting servers are defined,
741 there is a failover mechanism similar to the one for the
742 <literal>server</literal> option.
745 If there is no <literal>server</literal> option, the proxy
746 will if <literal>replyMessage</literal> is specified, reply
747 back to the client with an Access Reject message. The message
748 contains a replyMessage attribute with the value as specified
749 by the <literal>replyMessage</literal> option. Note that this
750 is different from having no match since then the request is
751 simply ignored. You may wonder why this is useful. One example
752 is if you handle say all domains under say
753 <literal>.bv</literal>. Then you may have several realm blocks
754 matching the domains that exists, while for other domains
755 under <literal>.bv</literal> you want to send a reject. At the
756 same time you might want to send all other requests to some
757 default server. After the realms for the subdomains, you would
758 then have two realm definitions. One with the name
759 <literal>/@.*\\.bv$</literal> with no servers, followed by one
760 with the name <literal>*</literal> with the default server
761 defined. This may also be useful for blocking particular
765 If there is no <literal>accountingServer</literal> option, the
766 proxy will normally do nothing, ignoring accounting
767 requests. There is however an option called
768 <literal>accountingResponse</literal>. If this is set to
769 <literal>on</literal>, the proxy will log some of the
770 accounting information and send an Accounting-Response
771 back. This is useful if you do not care much about accounting,
772 but want to stop clients from retransmitting accounting
773 requests. By default this option is set to
774 <literal>off</literal>.
779 <title>TLS Block</title>
781 The TLS block specifies TLS configuration options and you need
782 at least one of these if you have clients or servers using
783 TLS/DTLS. As discussed in the client and server block
784 descriptions, a client or server block may reference a
785 particular TLS block by name. There are also however the special
786 TLS block names <literal>default</literal>,
787 <literal>defaultClient</literal> and
788 <literal>defaultServer</literal> which are used as defaults if
789 the client or server block does not reference a TLS block. Also
790 note that a TLS block must be defined before the client or
791 server block that would use it. If you want the same TLS
792 configuration for all TLS/DTLS clients and servers, you need
793 just a single tls block named <literal>default</literal>, and
794 the client and servers need not refer to it. If you want all
795 TLS/DTLS clients to use one config, and all TLS/DTLS servers to
796 use another, then you would be fine only defining two TLS blocks
797 named <literal>defaultClient</literal> and
798 <literal>defaultServer</literal>. If you want different clients
799 (or different servers) to have different TLS parameters, then
800 you may need to create other TLS blocks with other names, and
801 reference those from the client or server definitions. Note that
802 you could also have say a client block refer to a default, even
803 <literal>defaultServer</literal> if you really want to.
806 The available TLS block options are
807 <literal>CACertificateFile</literal>,
808 <literal>CACertificatePath</literal>,
809 <literal>certificateFile</literal>,
810 <literal>certificateKeyFile</literal>,
811 <literal>certificateKeyPassword</literal>,
812 <literal>cacheExpiry</literal>, <literal>CRLCheck</literal> and
813 <literal>policyOID</literal>. When doing RADIUS over TLS/DTLS,
814 both the client and the server present certificates, and they
815 are both verified by the peer. Hence you must always specify
816 <literal>certificateFile</literal> and
817 <literal>certificateKeyFile</literal> options, as well as
818 <literal>certificateKeyPassword</literal> if a password is
819 needed to decrypt the private key. Note that
820 <literal>CACertificateFile</literal> may be a certificate
821 chain. In order to verify certificates, or send a chain of
822 certificates to a peer, you also always need to specify
823 <literal>CACertificateFile</literal> or
824 <literal>CACertificatePath</literal>. Note that you may specify
825 both, in which case the certificates in
826 <literal>CACertificateFile</literal> are checked first. By
827 default CRLs are not checked. This can be changed by setting
828 <literal>CRLCheck</literal> to <literal>on</literal>. One can
829 require peer certificates to adhere to certain policies by
830 specifying one or multiple policyOIDs using one or multiple
831 <literal>policyOID</literal> options.
834 CA certificates and CRLs are normally cached permanently. That
835 is, once a CA or CRL has been read, the proxy will never attempt
836 to re-read it. CRLs may change relatively often and the proxy
837 should ideally always use the latest CRLs. Rather than
838 restarting the proxy, there is an option
839 <literal>cacheExpiry</literal> that specifies how many seconds
840 the CA and CRL information should be cached. Reasonable values
841 might be say 3600 (1 hour) or 86400 (24 hours), depending on how
842 frequently CRLs are updated and how critical it is to be up to
843 date. This option may be set to zero to disable caching.
847 <title>Rewrite Block</title>
849 The rewrite block specifies rules that may rewrite RADIUS
850 messages. It can be used to add, remove and modify specific
851 attributes from messages received from and sent to clients and
852 servers. As discussed in the client and server block
853 descriptions, a client or server block may reference a
854 particular rewrite block by name. There are however also the
855 special rewrite block names <literal>default</literal>,
856 <literal>defaultClient</literal> and
857 <literal>defaultServer</literal> which are used as defaults if
858 the client or server block does not reference a block. Also note
859 that a rewrite block must be defined before the client or server
860 block that would use it. If you want the same rewrite rules for
861 input from all clients and servers, you need just a single
862 rewrite block named <literal>default</literal>, and the client
863 and servers need not refer to it. If you want all clients to use
864 one config, and all servers to use another, then you would be
865 fine only defining two rewrite blocks named
866 <literal>defaultClient</literal> and
867 <literal>defaultServer</literal>. Note that these defaults are
868 only used for rewrite on input. No rewriting is done on output
869 unless explicitly specifed using the
870 <literal>rewriteOut</literal> option.
873 The available rewrite block options are
874 <literal>addAttribute</literal>,
875 <literal>addVendorAttribute</literal>,
876 <literal>removeAttribute</literal>,
877 <literal>removeVendorAttribute</literal> and
878 <literal>modifyAttribute</literal>. They can all be specified
879 none, one or multiple times.
882 <literal>addAttribute</literal> is used to add attributes to a
883 message. The option value must be on the form
884 <literal>attribute:value</literal> where attribute is a
885 numerical value specifying the attribute. Simliarly, the
886 <literal>addVendorAttribute</literal> is used to specify a
887 vendor attribute to be added. The option value must be on the
888 form <literal>vendor:subattribute:value</literal>, where vendor
889 and subattribute are numerical values.
892 The <literal>removeAttribute</literal> option is used to specify
893 an attribute that should be removed from received messages. The
894 option value must be a numerical value specifying which
895 attribute is to be removed. Similarly,
896 <literal>removeVendorAttribute</literal> is used to specify a
897 vendor attribute that is to be removed. The value can be a
898 numerical value for removing all attributes from a given vendor,
899 or on the form <literal>vendor:subattribute</literal>, where
900 vendor and subattribute are numerical values, for removing a
901 specific subattribute for a specific vendor.
904 <literal>modifyAttribute</literal> is used to specify
905 modification of attributes. The value must be on the form
906 <literal>attribute:/regexpmatch/replacement/</literal> where
907 attribute is a numerical attribute type, regexpmatch is regexp
908 matching rule and replacement specifies how to replace the
909 matching regexp. Example usage:
912 modifyAttribute 1:/^(.*)@local$/\1@example.com/
918 <title>See Also</title>
921 <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>
923 <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">
924 <citetitle>RadSec internet draft</citetitle>