-The client block is used to configure a client. That is, tell the proxy about a
-client, and what parameters should be used for that client. The name of the
-client block must (with one exception, see below) be either the IP address
-(IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) of the form
-IpAddress/PrefixLength, or a domain name (FQDN).
- </para>
- <para>
-If a domain name is specified, then this will be resolved immediately to all
-the addresses associated with the name, and the proxy will not care about any
-possible DNS changes that might occur later. Hence there is no dependency on
-DNS after startup.
- </para>
- <para>
-When some client later sends a request to the proxy, the proxy will look at the
-IP address the request comes from, and then go through all the addresses of
-each of the configured clients (in the order they are defined), to determine
-which (if any) of the clients this is.
- </para>
- <para>
-In the case of TLS/DTLS, the name of the client must match the FQDN or IP
-address in the client certificate. Note that this is not required when the
-client name is an IP prefix.
- </para>
- <para>
-Alternatively one may use the <literal>host</literal> option inside a client
-block. In that case, the value of the <literal>host</literal> option is used as
-above, while the name of the block is only used as a descriptive name for the
-administrator.
- </para>
- <para>
-The allowed options in a client block are <literal>host</literal>,
-<literal>type</literal>, <literal>secret</literal>, <literal>tls</literal>,
-<literal>certificateNameCheck</literal>,
-<literal>matchCertificateAttribute</literal>,
-<literal>duplicateInterval</literal>, <literal>addTTL</literal>,
-<literal>rewrite</literal>, <literal>rewriteIn</literal>,
-<literal>rewriteOut</literal> and <literal>rewriteAttribute</literal>.
-We already discussed the
-<literal>host</literal> option. The value of <literal>type</literal> must be
-one of <literal>udp</literal>, <literal>tcp</literal>, <literal>tls</literal>
-or <literal>dtls</literal>. The value of <literal>secret</literal> is the
-shared RADIUS key used with this client. If the secret contains whitespace,
-the value must be quoted. This option is optional for TLS/DTLS.
- </para>
- <para>
-For a TLS/DTLS client you may also specify the <literal>tls</literal> option.
-The option value must be the name of a previously defined TLS block. If this
-option is not specified, the TLS block with the name
-<literal>defaultClient</literal> will be used if defined. If not defined, it
-will try to use the TLS block named <literal>default</literal>. If the
-specified TLS block name does not exist, or the option is not specified and
-none of the defaults exist, the proxy will exit with an error.
- </para>
- <para>
-For a TLS/DTLS client, the option <literal>certificateNameCheck</literal>
-can be set
-to <literal>off</literal>, to disable the default behaviour of matching CN or
-SubjectAltName against the specified hostname or IP address.
- </para>
- <para>
-Additional validation of certificate attributes can be done by use of the
-<literal>matchCertificateAttribute</literal> option. Currently one can only do
-some matching of CN and SubjectAltName. For regexp matching on CN, one can use
-the value <literal>CN:/regexp/</literal>. For SubjectAltName one can only do
-regexp matching of the URI, this is specified as
-<literal>SubjectAltName:URI:/regexp/</literal>. Note that currently this option
-can only be specified once in a client block.
- </para>
- <para>
-The <literal>duplicateInterval</literal> option can be used to specify for how
-many seconds duplicate checking should be done. If a proxy receives a new
-request within a few seconds of a previous one, it may be treated the same if
-from the same client, with the same authenticator etc. The proxy will then
-ignore the new request (if it is still processing the previous one), or
-returned a copy of the previous reply.
- </para>
- <para>
-The <literal>addTTL</literal> option is similar to the
-<literal>addTTL</literal> option used in the basic config. See that for
-details. Any value configured here overrides the basic one when sending
-messages to this client.
- </para>
- <para>
-The <literal>rewrite</literal> option is deprecated. Use
-<literal>rewriteIn</literal> instead.
- </para>
- <para>
-The <literal>rewriteIn</literal> option can be used to refer to a rewrite block
-that specifies certain rewrite operations that should be performed on incoming
-messages from the client. The rewriting is done before other processing.
-For details, see the rewrite block text below. Similarly to
-<literal>tls</literal> discussed above, if this option is not used, there is a
-fallback to using the <literal>rewrite</literal> block named
-<literal>defaultClient</literal> if it exists; and if not, a fallback to a
-block named <literal>default</literal>.
- </para>
- <para>
-The <literal>rewriteOut</literal> option is used in the same way as
-<literal>rewriteIn</literal>, except that it specifies rewrite operations that
-should be performed on outgoing messages to the client. The rewriting is done
-after other processing. Also, there is no rewrite fallback if this option is
-not used.
- </para>
- <para>
-The <literal>rewriteAttribute</literal> option currently makes it possible to
-specify that the User-Name attribute in a client request shall be rewritten in
-the request sent by the proxy. The User-Name attribute is written back to the
-original value if a matching response is later sent back to the client. The
-value must be of the form User-Name:/regexpmatch/replacement/. Example usage:
+ The client block is used to configure a client. That is, tell
+ the proxy about a client, and what parameters should be used for
+ that client. The name of the client block must (with one
+ exception, see below) be either the IP address (IPv4 or IPv6) of
+ the client, an IP prefix (IPv4 or IPv6) on the form
+ IpAddress/PrefixLength, or a domain name (FQDN). The way an
+ FQDN is resolved into an IP address may be influenced by the use
+ of the <literal>IPv4Only</literal> and
+ <literal>IPv6Only</literal> options. Note that literal IPv6
+ addresses must be enclosed in brackets.
+ </para>
+ <para>
+ If a domain name is specified, then this will be resolved
+ immediately to all the addresses associated with the name, and
+ the proxy will not care about any possible DNS changes that
+ might occur later. Hence there is no dependency on DNS after
+ startup.
+ </para>
+ <para>
+ When some client later sends a request to the proxy, the proxy
+ will look at the IP address the request comes from, and then go
+ through all the addresses of each of the configured clients (in
+ the order they are defined), to determine which (if any) of the
+ clients this is.
+ </para>
+ <para>
+ In the case of TLS/DTLS, the name of the client must match the
+ FQDN or IP address in the client certificate. Note that this is
+ not required when the client name is an IP prefix.
+ </para>
+ <para>
+ Alternatively one may use the <literal>host</literal> option
+ inside a client block. In that case, the value of the
+ <literal>host</literal> option is used as above, while the name
+ of the block is only used as a descriptive name for the
+ administrator. The host option may be used multiple times, and
+ can be a mix of addresses, FQDNs and prefixes.
+ </para>
+ <para>
+ The allowed options in a client block are
+ <literal>host</literal>, <literal>IPv4Only</literal>,
+ <literal>IPv6Only</literal>, <literal>type</literal>,
+ <literal>secret</literal>, <literal>tls</literal>,
+ <literal>certificateNameCheck</literal>,
+ <literal>matchCertificateAttribute</literal>,
+ <literal>duplicateInterval</literal>, <literal>AddTTL</literal>,
+ <literal>fticksVISCOUNTRY</literal>,
+ <literal>fticksVISINST</literal>, <literal>rewrite</literal>,
+ <literal>rewriteIn</literal>, <literal>rewriteOut</literal>, and
+ <literal>rewriteAttribute</literal>.
+
+ We already discussed the <literal>host</literal> option. To
+ specify how radsecproxy should resolve a <literal>host</literal>
+ given as a DNS name, the <literal>IPv4Only</literal> or the
+ <literal>IPv6Only</literal> can be set to <literal>on</literal>.
+ At most one of these options can be enabled. Enabling
+ <literal>IPv4Only</literal> or <literal>IPv6Only</literal> here
+ overrides any basic settings set at the top level.
+
+ The value of <literal>type</literal> must be one of
+ <literal>udp</literal>, <literal>tcp</literal>,
+ <literal>tls</literal> or <literal>dtls</literal>. The value of
+ <literal>secret</literal> is the shared RADIUS key used with
+ this client. If the secret contains whitespace, the value must
+ be quoted. This option is optional for TLS/DTLS and if omitted
+ will default to "mysecret". Note that the default value of
+ <literal>secret</literal> will change in an upcoming release.
+ </para>
+ <para>
+ For a TLS/DTLS client you may also specify the
+ <literal>tls</literal> option. The option value must be the
+ name of a previously defined TLS block. If this option is not
+ specified, the TLS block with the name
+ <literal>defaultClient</literal> will be used if defined. If not
+ defined, it will try to use the TLS block named
+ <literal>default</literal>. If the specified TLS block name does
+ not exist, or the option is not specified and none of the
+ defaults exist, the proxy will exit with an error.
+ </para>
+ <para>
+ For a TLS/DTLS client, the option
+ <literal>certificateNameCheck</literal> can be set to
+ <literal>off</literal>, to disable the default behaviour of
+ matching CN or SubjectAltName against the specified hostname or
+ IP address.
+ </para>
+ <para>
+ Additional validation of certificate attributes can be done by
+ use of the <literal>matchCertificateAttribute</literal>
+ option. Currently one can only do some matching of CN and
+ SubjectAltName. For regexp matching on CN, one can use the value
+ <literal>CN:/regexp/</literal>. For SubjectAltName one can only
+ do regexp matching of the URI, this is specified as
+ <literal>SubjectAltName:URI:/regexp/</literal>. Note that
+ currently this option can only be specified once in a client
+ block.
+ </para>
+ <para>
+ The <literal>duplicateInterval</literal> option can be used to
+ specify for how many seconds duplicate checking should be
+ done. If a proxy receives a new request within a few seconds of
+ a previous one, it may be treated the same if from the same
+ client, with the same authenticator etc. The proxy will then
+ ignore the new request (if it is still processing the previous
+ one), or returned a copy of the previous reply.
+ </para>
+ <para>
+ The <literal>AddTTL</literal> option is similar to the
+ <literal>AddTTL</literal> option used in the basic config. See
+ that for details. Any value configured here overrides the basic
+ one when sending messages to this client.
+ </para>
+ <para>
+ The <literal>fticksVISCOUNTRY</literal> option configures
+ clients eligible to F-Ticks logging as defined by the
+ <literal>FTicksReporting</literal> basic option.
+ </para>
+ <para>
+ The <literal>fticksVISINST</literal> option overwrites
+ the default <literal>VISINST</literal> value taken from the client
+ block name.
+ </para>
+ <para>
+ The <literal>rewrite</literal> option is deprecated. Use
+ <literal>rewriteIn</literal> instead.
+ </para>
+ <para>
+ The <literal>rewriteIn</literal> option can be used to refer to
+ a rewrite block that specifies certain rewrite operations that
+ should be performed on incoming messages from the client. The
+ rewriting is done before other processing. For details, see the
+ rewrite block text below. Similarly to <literal>tls</literal>
+ discussed above, if this option is not used, there is a fallback
+ to using the <literal>rewrite</literal> block named
+ <literal>defaultClient</literal> if it exists; and if not, a
+ fallback to a block named <literal>default</literal>.
+ </para>
+ <para>
+ The <literal>rewriteOut</literal> option is used in the same way
+ as <literal>rewriteIn</literal>, except that it specifies
+ rewrite operations that should be performed on outgoing messages
+ to the client. The rewriting is done after other
+ processing. Also, there is no rewrite fallback if this option is
+ not used.
+ </para>
+ <para>
+ The <literal>rewriteAttribute</literal> option currently makes
+ it possible to specify that the User-Name attribute in a client
+ request shall be rewritten in the request sent by the proxy. The
+ User-Name attribute is written back to the original value if a
+ matching response is later sent back to the client. The value
+ must be on the form User-Name:/regexpmatch/replacement/. Example
+ usage:
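Review bot: The two blank lines left inside the first long `<para>` (after `<literal>rewriteAttribute</literal>.` and after `overrides any basic settings set at the top level.`) do not start new paragraphs in DocBook, so the option list, the host/IPv4Only/IPv6Only text and the type/secret text will render as one run-on paragraph; close the `<para>` after the option list and open a new `<para>` for each of the two following blocks, as the rest of the section does. Two wording regressions against the removed text: `an IP prefix (IPv4 or IPv6) on the form` and `must be on the form User-Name:/regexpmatch/replacement/` replaced the original "of the form"; restore "of the form". The option is now spelled `AddTTL` in the option list and in its own paragraph, while the removed text and every other option in the list use lowerCamelCase (`addTTL`, `duplicateInterval`, `rewriteIn`); pick one spelling. In `the <literal>IPv4Only</literal> or the <literal>IPv6Only</literal> can be set to <literal>on</literal>` the word "option" is missing after the second literal; `overwrites the default <literal>VISINST</literal> value` should read "overrides"; and the carried-over `or returned a copy of the previous reply` should be "or return a copy". On `will default to "mysecret"`: this documents a fixed, publicly known default secret for TLS/DTLS clients and in the same breath says the default is about to change; add a sentence recommending that `secret` be set explicitly in each TLS/DTLS client block so operators do not depend on a documented default that the paragraph itself marks as unstable.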