Update date in radsecproxy.conf.5.

[libradsec.git] / radsecproxy.conf.5.xml

diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index f91eed8..428f2de 100644 (file)
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -2,14 +2,14 @@
 "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
 <refentry>
   <refentryinfo>
 "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
 <refentry>
   <refentryinfo>

-    <date>2011-04-04</date>
+    <date>2012-04-11</date>

   </refentryinfo>
   <refmeta>
     <refentrytitle>
       <application>radsecproxy.conf</application>
     </refentrytitle>
     <manvolnum>5</manvolnum>
   </refentryinfo>
   <refmeta>
     <refentrytitle>
       <application>radsecproxy.conf</application>
     </refentrytitle>
     <manvolnum>5</manvolnum>

-    <refmiscinfo>radsecproxy 1.5-dev</refmiscinfo>
+    <refmiscinfo>radsecproxy 1.6-dev</refmiscinfo>

   </refmeta>
   <refnamediv>
     <refname>
   </refmeta>
   <refnamediv>
     <refname>


@@ -32,10 +32,10 @@
       for details).
     </para>
     <para>
       for details).
     </para>
     <para>

-    If the configuration file can not be found, the proxy will exit
-    with an error message. Note that there is also an include facility
-    so that any configuration file may include other configuration
-    files. The proxy will also exit on configuration errors.
+      If the configuration file can not be found, the proxy will exit
+      with an error message. Note that there is also an include facility
+      so that any configuration file may include other configuration
+      files. The proxy will also exit on configuration errors.

     </para>
   </refsect1>
   <refsect1>
     </para>
   </refsect1>
   <refsect1>


@@ -126,6 +126,17 @@ blocktype name {
     </para>
     <variablelist>
       <varlistentry>
     </para>
     <variablelist>
       <varlistentry>

+        <term><literal>PidFile</literal></term>
+        <listitem>
+         <para>
+            The PidFile option specifies the name of a file to which
+            the process id (PID) will be written.  This is overridden
+            by the <option>-i</option> command line option.  There is
+            no default value for the PidFile option.
+         </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>

         <term><literal>LogLevel</literal></term>
         <listitem>
          <para>
         <term><literal>LogLevel</literal></term>
         <listitem>
          <para>


@@ -168,6 +179,99 @@ blocktype name {
          </para>
         </listitem>
       </varlistentry>
          </para>
         </listitem>
       </varlistentry>

+
+      <varlistentry>
+        <term><literal>FTicksReporting</literal></term>
+        <listitem>
+         <para>
+           The FTicksReporting option is used to enable F-Ticks
+           logging and can be set to <literal>None</literal>,
+           <literal>Basic</literal> or <literal>Full</literal>.  Its
+           default value is <literal>None</literal>.  If
+           FTicksReporting is set to anything other than
+           <literal>None</literal>, note that the default value for
+           FTicksMAC is <literal>VendorKeyHashed</literal> which
+           needs FTicksKey to be set.
+         </para>
+         <para>
+           See <literal>radsecproxy.conf-example</literal> for
+           details.  Note that radsecproxy has to be configured with
+           F-Ticks support (<literal>--enable-fticks</literal>) for
+           this option to have any effect.
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>FTicksMAC</literal></term>
+        <listitem>
+         <para>
+           The FTicksMAC option can be used to control if and how
+           Calling-Station-Id (the users Ethernet MAC address) is
+           being logged.  It can be set to one of
+           <literal>Static</literal>, <literal>Original</literal>,
+           <literal>VendorHashed</literal>,
+           <literal>VendorKeyHashed</literal>,
+           <literal>FullyHashed</literal> or
+           <literal>FullyKeyHashed</literal>.
+         </para>
+         <para>
+           The default value for FTicksMAC is
+           <literal>VendorKeyHashed</literal>.  This means that
+           FTicksKey has to be set.
+         <para>
+           Before chosing any of <literal>Original</literal>,
+           <literal>FullyHashed</literal> or
+           <literal>VendorHashed</literal>, consider the implications
+           for user privacy when MAC addresses are collected.  How
+           will the logs be stored, transferred and accessed?
+         </para>
+         </para>
+         <para>
+           See <literal>radsecproxy.conf-example</literal> for
+           details.  Note that radsecproxy has to be configured with
+           F-Ticks support (<literal>--enable-fticks</literal>) for
+           this option to have any effect.
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>FTicksKey</literal></term>
+        <listitem>
+         <para>
+           The FTicksKey option is used to specify the key to use
+           when producing HMAC's as an effect of specifying
+           VendorKeyHashed or FullyKeyHashed for the FTicksMAC
+           option.
+         </para>
+         <para>
+           Note that radsecproxy has to be configured with F-Ticks
+           support (<literal>--enable-fticks</literal>) for this
+           option to have any effect.
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>FTicksSyslogFacility</literal></term>
+        <listitem>
+         <para>
+           The FTicksSyslogFacility option is used to specify a
+           dedicated syslog facility for F-Ticks messages.  This
+           allows for easier filtering of F-Ticks messages.  If no
+           FTicksSyslogFacility option is given, F-Ticks messages are
+           written to what the LogDestination option specifies.
+         </para>
+         <para>
+           F-Ticks messages are always logged using the log level
+           LOG_DEBUG.  Note that specifying a file in
+           FTicksSyslogFacility (using the file:/// prefix) is
+           not supported.
+         </para>
+       </listitem>
+      </varlistentry>
+

       <varlistentry>
         <term><literal>ListenUDP</literal></term>
         <listitem>
       <varlistentry>
         <term><literal>ListenUDP</literal></term>
         <listitem>


@@ -387,9 +491,9 @@ blocktype name {
       <literal>certificateNameCheck</literal>,
       <literal>matchCertificateAttribute</literal>,
       <literal>duplicateInterval</literal>, <literal>AddTTL</literal>,
       <literal>certificateNameCheck</literal>,
       <literal>matchCertificateAttribute</literal>,
       <literal>duplicateInterval</literal>, <literal>AddTTL</literal>,

-      <literal>fticksVISCOUNTRY</literal>, <literal>rewrite</literal>,
-      <literal>rewriteIn</literal>, <literal>rewriteOut</literal>, and
-      <literal>rewriteAttribute</literal>.
+      <literal>fticksVISCOUNTRY</literal>, <literal>fticksVISINST</literal>,
+      <literal>rewrite</literal>, <literal>rewriteIn</literal>, 
+      <literal>rewriteOut</literal>, and <literal>rewriteAttribute</literal>.

 
       We already discussed the <literal>host</literal> option. The
       value of <literal>type</literal> must be one of
 
       We already discussed the <literal>host</literal> option. The
       value of <literal>type</literal> must be one of


@@ -397,7 +501,9 @@ blocktype name {
       <literal>tls</literal> or <literal>dtls</literal>. The value of
       <literal>secret</literal> is the shared RADIUS key used with
       this client. If the secret contains whitespace, the value must
       <literal>tls</literal> or <literal>dtls</literal>. The value of
       <literal>secret</literal> is the shared RADIUS key used with
       this client. If the secret contains whitespace, the value must

-      be quoted. This option is optional for TLS/DTLS.
+      be quoted. This option is optional for TLS/DTLS and if omitted
+      will default to "mysecret".  Note that the default value of
+      <literal>secret</literal> will change in an upcoming release.

     </para>
     <para>
       For a TLS/DTLS client you may also specify the
     </para>
     <para>
       For a TLS/DTLS client you may also specify the


@@ -449,6 +555,11 @@ blocktype name {
       <literal>FTicksReporting</literal> basic option.
     </para>
     <para>
       <literal>FTicksReporting</literal> basic option.
     </para>
     <para>

+      The <literal>fticksVISINST</literal> option overwrites
+      the default <literal>VISINST</literal> value taken from the client
+      block name.
+    </para>
+    <para>

       The <literal>rewrite</literal> option is deprecated. Use
       <literal>rewriteIn</literal> instead.
     </para>
       The <literal>rewrite</literal> option is deprecated. Use
       <literal>rewriteIn</literal> instead.
     </para>


@@ -533,8 +644,7 @@ blocktype name {
       <literal>AddTTL</literal>, <literal>rewrite</literal>,
       <literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
       <literal>statusServer</literal>, <literal>retryCount</literal>,
       <literal>AddTTL</literal>, <literal>rewrite</literal>,
       <literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
       <literal>statusServer</literal>, <literal>retryCount</literal>,

-      <literal>retryInterval</literal>,
-      <literal>dynamicLookupCommand</literal> and
+      <literal>retryInterval</literal> and

       <literal>LoopPrevention</literal>.
     </para>
     <para>
       <literal>LoopPrevention</literal>.
     </para>
     <para>


@@ -569,12 +679,6 @@ blocktype name {
       an interval of 5s.
     </para>
     <para>
       an interval of 5s.
     </para>
     <para>

-      The option <literal>dynamicLookupCommand</literal> can be used
-      to specify a command that should be executed to dynamically
-      configure and use a server.  The use of this feature will be
-      documented separately/later.
-    </para>
-    <para>

       Using the <literal>LoopPrevention</literal> option here
       overrides any basic setting of this option.  See section
       <literal>BASIC OPTIONS</literal> for details on this option.
       Using the <literal>LoopPrevention</literal> option here
       overrides any basic setting of this option.  See section
       <literal>BASIC OPTIONS</literal> for details on this option.


@@ -637,7 +741,7 @@ blocktype name {
        the users in this domain to use one server, while other users
        could be matched by another realm block and use another
        server.
        the users in this domain to use one server, while other users
        could be matched by another realm block and use another
        server.

-    </para>
+      </para>

     </refsect2>
     <refsect2>
       <title>Realm block options</title>
     </refsect2>
     <refsect2>
       <title>Realm block options</title>


@@ -843,10 +947,10 @@ blocktype name {
     <para>
       <citerefentry>
         <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>
     <para>
       <citerefentry>
         <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>

-      </citerefentry>,
-      <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">
-        <citetitle>RadSec internet draft</citetitle>
-      </ulink>
+       </citerefentry>,
+       <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">
+         <citetitle>RadSec internet draft</citetitle>
+       </ulink>

     </para>
   </refsect1>
 </refentry>
     </para>
   </refsect1>
 </refentry>