X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf-example;h=411c47e52c98dabe71633cfbe879589ac8281c25;hb=271907e96102091be52bd8ae2ba32426e0658e04;hp=fdae1dd70b2007fe4230f8aa2c0a2004787f08e4;hpb=045e082e8c642cf3bbefe6777005b3481ca0fad9;p=libradsec.git diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example index fdae1dd..411c47e 100644 --- a/radsecproxy.conf-example +++ b/radsecproxy.conf-example @@ -1,27 +1,26 @@ -#Master config file, must be in /etc/radsecproxy or specified with -c option +# Master config file, must be in /etc/radsecproxy or specified with -c option # All possible config options are listed below # First you may define any global options, these are: # # You can optionally specify addresses and ports to listen on -# Max one of each, below are just multiple examples +# Multiple statements can be used for multiple ports/addresses #ListenUDP *:1814 -#listenUDP localhost +#ListenUDP localhost #ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812 -#listenTLS 10.10.10.10:2084 +#ListenTLS 10.10.10.10:2084 #ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 #ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 -# To listen to the default or other Accounting port for UDP you need e.g. -#ListenAccountingUDP *:1813 # To specify a certain address/port for UDP/TLS requests you can use e.g. #SourceUDP 127.0.0.1:33000 #SourceTCP *:33000 #SourceTLS *:33001 #SourceDTLS *:33001 -# Optional log level. 3 is default, 1 is less, 4 is more + +# Optional log level. 3 is default, 1 is less, 5 is more #LogLevel 3 -#Optional LogDestinatinon, else stderr used for logging +# Optional LogDestination, else stderr used for logging # Logging to file #LogDestination file:///tmp/rp.log # Or logging with Syslog. LOG_DAEMON used if facility not specified @@ -30,18 +29,58 @@ #LogDestination x-syslog:/// #LogDestination x-syslog:///log_local2 -#There is an option for doing some simple loop prevention +# For generating log entries conforming to the F-Ticks system, specify +# FTicksReporting with one of the following values. +# None -- Do not log in F-Ticks format. This is the default. +# Basic -- Do log in F-Ticks format but do not log VISINST. +# Full -- Do log in F-Ticks format and do log VISINST. +# Please note that in order to get F-Ticks logging for a given client, +# its matching client configuration block has to contain the +# fticksVISCOUNTRY option. + +# You can optionally specify FTicksMAC in order to determine if and +# how Calling-Station-Id (users Ethernet MAC address) is being logged. +# Static -- Use a static string as a placeholder for +# Calling-Station-Id. +# Original -- Log Calling-Station-Id as-is. +# VendorHashed -- Keep first three segments as-is, hash the rest. +# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This +# is the default. +# FullyHashed -- Hash the entire string. +# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key. + +# In order to use FTicksMAC with one of VendorKeyHashed or +# FullyKeyHashed, specify a key with FTicksKey. +# FTicksKey + +# Default F-Ticks configuration: +#FTicksReporting None +#FTicksMAC Static + +# You can optionally specify FTicksSyslogFacility to use a dedicated +# syslog facility for F-Ticks messages. This allows easy filtering +# of F-Ticks messages. +# For F-Ticks messages always LOG_DEBUG level is used. +# Please note that FTicksSyslogFacility cannot specify a file (file:///...) +#FTicksSyslogFacility log_local1 +#FTicksSyslogFacility x-syslog:///log_local1 + +# There is an option for doing some simple loop prevention. Note that +# the LoopPrevention directive can be used in server blocks too, +# overriding what's set here in the basic settings. #LoopPrevention on +# Add TTL attribute with value 20 if not present (prevents endless loops) +#AddTTL 20 -#If we have TLS clients or servers we must define at least one tls block. -#You can name them whatever you like and then reference them by name when -#specifying clients or servers later. There are however three special names -#"default", "defaultclient" and "defaultserver". If no name is defined for -#a client, the "defaultclient" block will be used if it exists, if not the -#"default" will be used. For a server, "defaultserver" followed by "default" -#will be checked. +# If we have TLS clients or servers we must define at least one tls block. +# You can name them whatever you like and then reference them by name when +# specifying clients or servers later. There are however three special names +# "default", "defaultclient" and "defaultserver". If no name is defined for +# a client, the "defaultclient" block will be used if it exists, if not the +# "default" will be used. For a server, "defaultserver" followed by "default" +# will be checked. # -#The simplest configuration you can do is: +# The simplest configuration you can do is: tls default { # You must specify at least one of CACertificateFile or CACertificatePath # for TLS to work. We always verify peer certificate (client and server) @@ -57,43 +96,52 @@ tls default { # CRLCheck on # Optionally specify how long CAs and CRLs are cached, default forever # CacheExpiry 3600 + # Optionally require that peer certs have one of the specified policyOIDs + # policyoid 1.2.3 # this option can be used multiple times + # policyoid 1.3.4 } -#If you want one cert for all clients and another for all servers, use -#defaultclient and defaultserver instead of default. If we wanted some -#particular server to use something else you could specify a block -#"tls myserver" and then reference that for that server. If you always -#name the tls block in the client/server config you don't need a default - -#Now we configure clients, servers and realms. Note that these and -#also the lines above may be in any order, except that a realm -#can only be configured to use a server that is previously configured. - -#A realm can be a literal domain name, * which matches all, or a -#regexp. A regexp is specified by the character prefix / -#For regexp we do case insensitive matching of the entire username string. -#The matching of realms is done in the order they are specified, using the -#first match found. Some examples are -#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". -#To treat local users separately you might try first specifying "@" -#and after that "*". +# If you want one cert for all clients and another for all servers, use +# defaultclient and defaultserver instead of default. If we wanted some +# particular server to use something else you could specify a block +# "tls myserver" and then reference that for that server. If you always +# name the tls block in the client/server config you don't need a default + +# Now we configure clients, servers and realms. Note that these and +# also the lines above may be in any order, except that a realm +# can only be configured to use a server that is previously configured. + +# A realm can be a literal domain name, * which matches all, or a +# regexp. A regexp is specified by the character prefix / +# For regexp we do case insensitive matching of the entire username string. +# The matching of realms is done in the order they are specified, using the +# first match found. Some examples are +# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". +# To treat local users separately you might try first specifying "@" +# and after that "*". # Configure a rewrite block if you want to add/remove/modify attributes # rewrite example { +# # Remove NAS-Port. # removeAttribute 5 +# # Remove vendor attribute 100. # removeVendorAttribute 99:100 -# addAttribute 4 attribute%20value -# modifyAttribute 1:/^(.*)@local$/$1@example.com/ +# # Called-Station-Id = "123456" +# addAttribute 30:123456 +# # Vendor-99-Attr-101 = 0x0f +# addVendorAttribute 99:101:%0f +# # Change users @local to @example.com. +# modifyAttribute 1:/^(.*)@local$/\1@example.com/ # } client 2001:db8::1 { type tls secret verysecret -#we could specify tls here, e.g. +# we could specify tls here, e.g. # tls myclient -#in order to use tls parameters named myclient. We don't, so we will -#use "tls defaultclient" if defined, or look for "tls default" as a -#last resort +# in order to use tls parameters named myclient. We don't, so we will +# use "tls defaultclient" if defined, or look for "tls default" as a +# last resort } client 127.0.0.1 { type udp @@ -123,6 +171,8 @@ server 127.0.0.1 { # rewriteIn example # Can also do rewriting of outgoing messages # rewriteOut example +# Might override loop prevention here too: +# LoopPrevention off } realm eduroam.cc { server 127.0.0.1 @@ -134,11 +184,11 @@ server 2001:db8::1 { type TLS port 2283 # secret is optional for TLS -#we could specify tls here, e.g. +# we could specify tls here, e.g. # tls myserver -#in order to use tls parameters named myserver. We don't, so we will -#use "tls defaultserver" if defined, or look for "tls default" as a -#last resort +# in order to use tls parameters named myserver. We don't, so we will +# use "tls defaultserver" if defined, or look for "tls default" as a +# last resort } server radius.example.com { type tls @@ -171,8 +221,8 @@ realm /^anonymous$ { realm * { server radius.example.com } -#If you don't have a default server you probably want to -#reject all unknowns. Optionally you can also include a message +# If you don't have a default server you probably want to +# reject all unknowns. Optionally you can also include a message #realm * { # replymessage "User unknown" #}