"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refentryinfo>
- <date>2011-04-04</date>
+ <date>2012-04-11</date>
</refentryinfo>
<refmeta>
<refentrytitle>
<application>radsecproxy.conf</application>
</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo>radsecproxy 1.5-dev</refmiscinfo>
+ <refmiscinfo>radsecproxy 1.6-dev</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
When the proxy server starts, it will first check the command
line arguments, and then read the configuration file. Normally
radsecproxy will read the configuration file
- <filename>/etc/radsecproxy.conf</filename>. The command line
+ <filename>/usr/local/etc/radsecproxy.conf</filename>. The command line
<option>-c</option> option can be used to instead read an
alternate file (see
<citerefentry>
for details).
</para>
<para>
- If the configuration file can not be found, the proxy will exit
- with an error message. Note that there is also an include facility
- so that any configuration file may include other configuration
- files. The proxy will also exit on configuration errors.
+ If the configuration file can not be found, the proxy will exit
+ with an error message. Note that there is also an include facility
+ so that any configuration file may include other configuration
+ files. The proxy will also exit on configuration errors.
</para>
</refsect1>
<refsect1>
shell globbing to specify multiple files, e.g.:
<blockquote>
<para>
- include /etc/radsecproxy.conf.d/*.conf
+ include /usr/local/etc/radsecproxy.conf.d/*.conf
</para>
</blockquote>
The files are sorted alphabetically. Included files are read in
</para>
<variablelist>
<varlistentry>
+ <term><literal>PidFile</literal></term>
+ <listitem>
+ <para>
+ The PidFile option specifies the name of a file to which
+ the process id (PID) will be written. This is overridden
+ by the <option>-i</option> command line option. There is
+ no default value for the PidFile option.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><literal>LogLevel</literal></term>
<listitem>
<para>
<term><literal>FTicksReporting</literal></term>
<listitem>
<para>
- TODO! (See <literal>radsecproxy.conf-example</literal>
- for now.)
+ The FTicksReporting option is used to enable F-Ticks
+ logging and can be set to <literal>None</literal>,
+ <literal>Basic</literal> or <literal>Full</literal>. Its
+ default value is <literal>None</literal>. If
+ FTicksReporting is set to anything other than
+ <literal>None</literal>, note that the default value for
+ FTicksMAC is <literal>VendorKeyHashed</literal> which
+ needs FTicksKey to be set.
+ </para>
+ <para>
+ See <literal>radsecproxy.conf-example</literal> for
+ details. Note that radsecproxy has to be configured with
+ F-Ticks support (<literal>--enable-fticks</literal>) for
+ this option to have any effect.
</para>
</listitem>
</varlistentry>
<term><literal>FTicksMAC</literal></term>
<listitem>
<para>
- TODO! (See <literal>radsecproxy.conf-example</literal>
- for now.)
+ The FTicksMAC option can be used to control if and how
+ Calling-Station-Id (the users Ethernet MAC address) is
+ being logged. It can be set to one of
+ <literal>Static</literal>, <literal>Original</literal>,
+ <literal>VendorHashed</literal>,
+ <literal>VendorKeyHashed</literal>,
+ <literal>FullyHashed</literal> or
+ <literal>FullyKeyHashed</literal>.
+ </para>
+ <para>
+ The default value for FTicksMAC is
+ <literal>VendorKeyHashed</literal>. This means that
+ FTicksKey has to be set.
+ <para>
+ Before chosing any of <literal>Original</literal>,
+ <literal>FullyHashed</literal> or
+ <literal>VendorHashed</literal>, consider the implications
+ for user privacy when MAC addresses are collected. How
+ will the logs be stored, transferred and accessed?
+ </para>
+ </para>
+ <para>
+ See <literal>radsecproxy.conf-example</literal> for
+ details. Note that radsecproxy has to be configured with
+ F-Ticks support (<literal>--enable-fticks</literal>) for
+ this option to have any effect.
</para>
</listitem>
</varlistentry>
<term><literal>FTicksKey</literal></term>
<listitem>
<para>
- TODO! (See <literal>radsecproxy.conf-example</literal>
- for now.)
+ The FTicksKey option is used to specify the key to use
+ when producing HMAC's as an effect of specifying
+ VendorKeyHashed or FullyKeyHashed for the FTicksMAC
+ option.
+ </para>
+ <para>
+ Note that radsecproxy has to be configured with F-Ticks
+ support (<literal>--enable-fticks</literal>) for this
+ option to have any effect.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>FTicksSyslogFacility</literal></term>
+ <listitem>
+ <para>
+ The FTicksSyslogFacility option is used to specify a
+ dedicated syslog facility for F-Ticks messages. This
+ allows for easier filtering of F-Ticks messages. If no
+ FTicksSyslogFacility option is given, F-Ticks messages are
+ written to what the LogDestination option specifies.
+ </para>
+ <para>
+ F-Ticks messages are always logged using the log level
+ LOG_DEBUG. Note that specifying a file in
+ FTicksSyslogFacility (using the file:/// prefix) is
+ not supported.
</para>
</listitem>
</varlistentry>
<literal>certificateNameCheck</literal>,
<literal>matchCertificateAttribute</literal>,
<literal>duplicateInterval</literal>, <literal>AddTTL</literal>,
- <literal>fticksVISCOUNTRY</literal>, <literal>rewrite</literal>,
- <literal>rewriteIn</literal>, <literal>rewriteOut</literal>, and
- <literal>rewriteAttribute</literal>.
+ <literal>fticksVISCOUNTRY</literal>, <literal>fticksVISINST</literal>,
+ <literal>rewrite</literal>, <literal>rewriteIn</literal>,
+ <literal>rewriteOut</literal>, and <literal>rewriteAttribute</literal>.
We already discussed the <literal>host</literal> option. The
value of <literal>type</literal> must be one of
<literal>tls</literal> or <literal>dtls</literal>. The value of
<literal>secret</literal> is the shared RADIUS key used with
this client. If the secret contains whitespace, the value must
- be quoted. This option is optional for TLS/DTLS.
+ be quoted. This option is optional for TLS/DTLS and if omitted
+ will default to "mysecret". Note that the default value of
+ <literal>secret</literal> will change in an upcoming release.
</para>
<para>
For a TLS/DTLS client you may also specify the
<literal>FTicksReporting</literal> basic option.
</para>
<para>
+ The <literal>fticksVISINST</literal> option overwrites
+ the default <literal>VISINST</literal> value taken from the client
+ block name.
+ </para>
+ <para>
The <literal>rewrite</literal> option is deprecated. Use
<literal>rewriteIn</literal> instead.
</para>
<literal>AddTTL</literal>, <literal>rewrite</literal>,
<literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
<literal>statusServer</literal>, <literal>retryCount</literal>,
- <literal>retryInterval</literal>,
<literal>dynamicLookupCommand</literal> and
+ <literal>retryInterval</literal> and
<literal>LoopPrevention</literal>.
</para>
<para>
<para>
The option <literal>dynamicLookupCommand</literal> can be used
to specify a command that should be executed to dynamically
- configure and use a server. The use of this feature will be
- documented separately/later.
+ configure a server. The executable file should be given with
+ full path and will be invoked with the name of the realm as its
+ first and only argument. It should either print a valid
+ <literal>server</literal> option on stdout and exit with a code
+ of 0 or print nothing and exit with a non-zero exit code. An
+ example of a shell script resolving the DNS NAPTR records for
+ the realm and then the SRV records for each NAPTR matching
+ 'x-eduroam:radius.tls' is provided in
+ <literal>tools/naptr-eduroam.sh</literal>. This option was
+ added in radsecproxy-1.3 but tends to crash radsecproxy versions
+ earlier than 1.6.
</para>
<para>
Using the <literal>LoopPrevention</literal> option here
the users in this domain to use one server, while other users
could be matched by another realm block and use another
server.
- </para>
+ </para>
</refsect2>
<refsect2>
<title>Realm block options</title>
<para>
<citerefentry>
<refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry>,
- <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">
- <citetitle>RadSec internet draft</citetitle>
- </ulink>
+ </citerefentry>,
+ <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">
+ <citetitle>RadSec internet draft</citetitle>
+ </ulink>
</para>
</refsect1>
</refentry>