X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf-example;h=c97a7726abe1a635132fb391fcf0dce6a307dc26;hb=refs%2Fheads%2Fmaint-1.6;hp=854bb952cca08a72b466c04cc29b276f51e5a4b0;hpb=380b907aa703c3bbdb9a74255c4955afda028bb4;p=libradsec.git diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example index 854bb95..c97a772 100644 --- a/radsecproxy.conf-example +++ b/radsecproxy.conf-example @@ -1,34 +1,86 @@ -#Master config file, must be in /etc/radsecproxy or proxy's current directory +# Master config file, must be in /etc/radsecproxy or specified with -c option # All possible config options are listed below # First you may define any global options, these are: # # You can optionally specify addresses and ports to listen on -# Max one of each, below are just multiple examples +# Multiple statements can be used for multiple ports/addresses #ListenUDP *:1814 -#listenUDP localhost -#listenTCP 10.10.10.10:2084 -#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:2084 -# Optional log level. 3 is default, 1 is less, 4 is more +#ListenUDP localhost +#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812 +#ListenTLS 10.10.10.10:2084 +#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 +#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 + +# To specify a certain address/port for UDP/TLS requests you can use e.g. +#SourceUDP 127.0.0.1:33000 +#SourceTCP *:33000 +#SourceTLS *:33001 +#SourceDTLS *:33001 + +# Optional log level. 3 is default, 1 is less, 5 is more #LogLevel 3 -#Optional LogDestinatinon, else stderr used for logging +# Optional LogDestination, else stderr used for logging # Logging to file #LogDestination file:///tmp/rp.log # Or logging with Syslog. LOG_DAEMON used if facility not specified # The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and # LOG_LOCAL0, ..., LOG_LOCAL7 -#LogDestination x-syslog:// -#LogDestination x-syslog://log_local2 - -#If we have TLS clients or servers we must define at least one tls block. -#You can name them whatever you like and then reference them by name when -#specifying clients or servers later. There are however three special names -#"default", "defaultclient" and "defaultserver". If no name is defined for -#a client, the "defaultclient" block will be used if it exists, if not the -#"default" will be used. For a server, "defaultserver" followed by "default" -#will be checked. +#LogDestination x-syslog:/// +#LogDestination x-syslog:///log_local2 + +# For generating log entries conforming to the F-Ticks system, specify +# FTicksReporting with one of the following values. +# None -- Do not log in F-Ticks format. This is the default. +# Basic -- Do log in F-Ticks format but do not log VISINST. +# Full -- Do log in F-Ticks format and do log VISINST. +# Please note that in order to get F-Ticks logging for a given client, +# its matching client configuration block has to contain the +# fticksVISCOUNTRY option. + +# You can optionally specify FTicksMAC in order to determine if and +# how Calling-Station-Id (users Ethernet MAC address) is being logged. +# Static -- Use a static string as a placeholder for +# Calling-Station-Id. +# Original -- Log Calling-Station-Id as-is. +# VendorHashed -- Keep first three segments as-is, hash the rest. +# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This +# is the default. +# FullyHashed -- Hash the entire string. +# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key. + +# In order to use FTicksMAC with one of VendorKeyHashed or +# FullyKeyHashed, specify a key with FTicksKey. +# FTicksKey + +# Default F-Ticks configuration: +#FTicksReporting None +#FTicksMAC Static + +# You can optionally specify FTicksSyslogFacility to use a dedicated +# syslog facility for F-Ticks messages. This allows for easier filtering +# of F-Ticks messages. +# F-Ticks messages are always logged using the log level LOG_DEBUG. +# Note that specifying a file (using the file:/// prefix) is not supported. +#FTicksSyslogFacility log_local1 +#FTicksSyslogFacility x-syslog:///log_local1 + +# There is an option for doing some simple loop prevention. Note that +# the LoopPrevention directive can be used in server blocks too, +# overriding what's set here in the basic settings. +#LoopPrevention on +# Add TTL attribute with value 20 if not present (prevents endless loops) +#AddTTL 20 + +# If we have TLS clients or servers we must define at least one tls block. +# You can name them whatever you like and then reference them by name when +# specifying clients or servers later. There are however three special names +# "default", "defaultclient" and "defaultserver". If no name is defined for +# a client, the "defaultclient" block will be used if it exists, if not the +# "default" will be used. For a server, "defaultserver" followed by "default" +# will be checked. # -#The simplest configuration you can do is: +# The simplest configuration you can do is: tls default { # You must specify at least one of CACertificateFile or CACertificatePath # for TLS to work. We always verify peer certificate (client and server) @@ -40,62 +92,103 @@ tls default { CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem # Optionally specify password if key is encrypted (not very secure) CertificateKeyPassword "follow the white rabbit" + # Optionally enable CRL checking + # CRLCheck on + # Optionally specify how long CAs and CRLs are cached, default forever + # CacheExpiry 3600 + # Optionally require that peer certs have one of the specified policyOIDs + # policyoid 1.2.3 # this option can be used multiple times + # policyoid 1.3.4 } -#If you want one cert for all clients and another for all servers, use -#defaultclient and defaultserver instead of default. If we wanted some -#particular server to use something else you could specify a block -#"tls myserver" and then reference that for that server. If you always -#name the tls block in the client/server config you don't need a default - -#Now we configure clients, servers and realms. Note that these and -#also the lines above may be in any order, except that a realm -#can only be configured to use a server that is previously configured. - -#A realm can be a literal domain name, * which matches all, or a -#regexp. A regexp is specified by the character prefix / -#For regexp we do case insensitive matching of the entire username string. -#The matching of realms is done in the order they are specified, using the -#first match found. Some examples are -#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". -#To treat local users separately you might try first specifying "@" -#and after that "*". - -client 2001:db8::1 { +# If you want one cert for all clients and another for all servers, use +# defaultclient and defaultserver instead of default. If we wanted some +# particular server to use something else you could specify a block +# "tls myserver" and then reference that for that server. If you always +# name the tls block in the client/server config you don't need a default + +# Now we configure clients, servers and realms. Note that these and +# also the lines above may be in any order, except that a realm +# can only be configured to use a server that is previously configured. + +# A realm can be a literal domain name, * which matches all, or a +# regexp. A regexp is specified by the character prefix / +# For regexp we do case insensitive matching of the entire username string. +# The matching of realms is done in the order they are specified, using the +# first match found. Some examples are +# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". +# To treat local users separately you might try first specifying "@" +# and after that "*". + +# Configure a rewrite block if you want to add/remove/modify attributes +# rewrite example { +# # Remove NAS-Port. +# removeAttribute 5 +# # Remove vendor attribute 100. +# removeVendorAttribute 99:100 +# # Called-Station-Id = "123456" +# addAttribute 30:123456 +# # Vendor-99-Attr-101 = 0x0f +# addVendorAttribute 99:101:%0f +# # Change users @local to @example.com. +# modifyAttribute 1:/^(.*)@local$/\1@example.com/ +# } + +client [2001:db8::1] { type tls secret verysecret -#we could specify tls here, e.g. +# we could specify tls here, e.g. # tls myclient -#in order to use tls parameters named myclient. We don't, so we will -#use "tls defaultclient" if defined, or look for "tls default" as a -#last resort +# in order to use tls parameters named myclient. We don't, so we will +# use "tls defaultclient" if defined, or look for "tls default" as a +# last resort } client 127.0.0.1 { type udp secret secret +# Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# Can also do rewriting of outgoing messages +# rewriteOut example +} +client 127.0.0.1 { + type tcp + secret secret } client radius.example.com { - type TLS + type tls # secret is optional for TLS } +client radius.example.com { + type dtls +# secret is optional for DTLS +} server 127.0.0.1 { type UDP secret secret +# Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# Can also do rewriting of outgoing messages +# rewriteOut example +# Might override loop prevention here too: +# LoopPrevention off } realm eduroam.cc { server 127.0.0.1 +# If also want to use this server for accounting, specify +# accountingServer 127.0.0.1 } -server 2001:db8::1 { +server [2001:db8::1] { type TLS port 2283 # secret is optional for TLS -#we could specify tls here, e.g. +# we could specify tls here, e.g. # tls myserver -#in order to use tls parameters named myserver. We don't, so we will -#use "tls defaultserver" if defined, or look for "tls default" as a -#last resort +# in order to use tls parameters named myserver. We don't, so we will +# use "tls defaultserver" if defined, or look for "tls default" as a +# last resort } server radius.example.com { type tls @@ -103,6 +196,12 @@ server radius.example.com { StatusServer on # statusserver is optional, can be on or off. Off is default } +#server radius.example.com { +# type dtls +# secret verysecret +# StatusServer on +## statusserver is optional, can be on or off. Off is default +#} # Equivalent to example.com realm /@example\.com$ { @@ -110,19 +209,20 @@ realm /@example\.com$ { } # One can define a realm without servers, the proxy will then reject # and requests matching this. Optionally one can specify ReplyMessage -# attribute to be included in the reject message. -# +# attribute to be included in the reject message. One can also use +# AccountingResponse option to specify that the proxy should send such. realm /\.com$ { } realm /^anonymous$ { replymessage "No Access" +# AccountingResponse On } # The realm below is equivalent to /.* realm * { server radius.example.com } -#If you don't have a default server you probably want to -#reject all unknowns. Optionally you can also include a message +# If you don't have a default server you probably want to +# reject all unknowns. Optionally you can also include a message #realm * { # replymessage "User unknown" #}