X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf-example;h=c97a7726abe1a635132fb391fcf0dce6a307dc26;hb=refs%2Fheads%2Fmaint-1.6;hp=bde62e396344086cf57c9f900105221d0456a5a4;hpb=8ea898130c8d555071721d56bbb8e2f4e1fcabda;p=libradsec.git diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example index bde62e3..c97a772 100644 --- a/radsecproxy.conf-example +++ b/radsecproxy.conf-example @@ -1,14 +1,228 @@ -#Master config file, must be in /etc/radsecproxy or proxy's current directory +# Master config file, must be in /etc/radsecproxy or specified with -c option # All possible config options are listed below + +# First you may define any global options, these are: +# +# You can optionally specify addresses and ports to listen on +# Multiple statements can be used for multiple ports/addresses +#ListenUDP *:1814 +#ListenUDP localhost +#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812 +#ListenTLS 10.10.10.10:2084 +#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 +#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 + +# To specify a certain address/port for UDP/TLS requests you can use e.g. +#SourceUDP 127.0.0.1:33000 +#SourceTCP *:33000 +#SourceTLS *:33001 +#SourceDTLS *:33001 + +# Optional log level. 3 is default, 1 is less, 5 is more +#LogLevel 3 +# Optional LogDestination, else stderr used for logging +# Logging to file +#LogDestination file:///tmp/rp.log +# Or logging with Syslog. LOG_DAEMON used if facility not specified +# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and +# LOG_LOCAL0, ..., LOG_LOCAL7 +#LogDestination x-syslog:/// +#LogDestination x-syslog:///log_local2 + +# For generating log entries conforming to the F-Ticks system, specify +# FTicksReporting with one of the following values. +# None -- Do not log in F-Ticks format. This is the default. +# Basic -- Do log in F-Ticks format but do not log VISINST. +# Full -- Do log in F-Ticks format and do log VISINST. +# Please note that in order to get F-Ticks logging for a given client, +# its matching client configuration block has to contain the +# fticksVISCOUNTRY option. + +# You can optionally specify FTicksMAC in order to determine if and +# how Calling-Station-Id (users Ethernet MAC address) is being logged. +# Static -- Use a static string as a placeholder for +# Calling-Station-Id. +# Original -- Log Calling-Station-Id as-is. +# VendorHashed -- Keep first three segments as-is, hash the rest. +# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This +# is the default. +# FullyHashed -- Hash the entire string. +# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key. + +# In order to use FTicksMAC with one of VendorKeyHashed or +# FullyKeyHashed, specify a key with FTicksKey. +# FTicksKey + +# Default F-Ticks configuration: +#FTicksReporting None +#FTicksMAC Static + +# You can optionally specify FTicksSyslogFacility to use a dedicated +# syslog facility for F-Ticks messages. This allows for easier filtering +# of F-Ticks messages. +# F-Ticks messages are always logged using the log level LOG_DEBUG. +# Note that specifying a file (using the file:/// prefix) is not supported. +#FTicksSyslogFacility log_local1 +#FTicksSyslogFacility x-syslog:///log_local1 + +# There is an option for doing some simple loop prevention. Note that +# the LoopPrevention directive can be used in server blocks too, +# overriding what's set here in the basic settings. +#LoopPrevention on +# Add TTL attribute with value 20 if not present (prevents endless loops) +#AddTTL 20 + +# If we have TLS clients or servers we must define at least one tls block. +# You can name them whatever you like and then reference them by name when +# specifying clients or servers later. There are however three special names +# "default", "defaultclient" and "defaultserver". If no name is defined for +# a client, the "defaultclient" block will be used if it exists, if not the +# "default" will be used. For a server, "defaultserver" followed by "default" +# will be checked. # -# You must specify at least one of TLSCACertificateFile or TLSCACertificatePath -# for TLS to work. We always verify peer certificate (both client and server) -#TLSCACertificateFile /etc/cacerts/CA.pem -TLSCACertificatePath /etc/cacerts +# The simplest configuration you can do is: +tls default { + # You must specify at least one of CACertificateFile or CACertificatePath + # for TLS to work. We always verify peer certificate (client and server) + # CACertificateFile /etc/cacerts/CA.pem + CACertificatePath /etc/cacerts + + # You must specify the below for TLS, we always present our certificate + CertificateFile /etc/hostcertkey/host.example.com.pem + CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem + # Optionally specify password if key is encrypted (not very secure) + CertificateKeyPassword "follow the white rabbit" + # Optionally enable CRL checking + # CRLCheck on + # Optionally specify how long CAs and CRLs are cached, default forever + # CacheExpiry 3600 + # Optionally require that peer certs have one of the specified policyOIDs + # policyoid 1.2.3 # this option can be used multiple times + # policyoid 1.3.4 +} + +# If you want one cert for all clients and another for all servers, use +# defaultclient and defaultserver instead of default. If we wanted some +# particular server to use something else you could specify a block +# "tls myserver" and then reference that for that server. If you always +# name the tls block in the client/server config you don't need a default + +# Now we configure clients, servers and realms. Note that these and +# also the lines above may be in any order, except that a realm +# can only be configured to use a server that is previously configured. + +# A realm can be a literal domain name, * which matches all, or a +# regexp. A regexp is specified by the character prefix / +# For regexp we do case insensitive matching of the entire username string. +# The matching of realms is done in the order they are specified, using the +# first match found. Some examples are +# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". +# To treat local users separately you might try first specifying "@" +# and after that "*". + +# Configure a rewrite block if you want to add/remove/modify attributes +# rewrite example { +# # Remove NAS-Port. +# removeAttribute 5 +# # Remove vendor attribute 100. +# removeVendorAttribute 99:100 +# # Called-Station-Id = "123456" +# addAttribute 30:123456 +# # Vendor-99-Attr-101 = 0x0f +# addVendorAttribute 99:101:%0f +# # Change users @local to @example.com. +# modifyAttribute 1:/^(.*)@local$/\1@example.com/ +# } + +client [2001:db8::1] { + type tls + secret verysecret +# we could specify tls here, e.g. +# tls myclient +# in order to use tls parameters named myclient. We don't, so we will +# use "tls defaultclient" if defined, or look for "tls default" as a +# last resort +} +client 127.0.0.1 { + type udp + secret secret +# Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# Can also do rewriting of outgoing messages +# rewriteOut example +} +client 127.0.0.1 { + type tcp + secret secret +} +client radius.example.com { + type tls +# secret is optional for TLS +} +client radius.example.com { + type dtls +# secret is optional for DTLS +} + +server 127.0.0.1 { + type UDP + secret secret +# Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# Can also do rewriting of outgoing messages +# rewriteOut example +# Might override loop prevention here too: +# LoopPrevention off +} +realm eduroam.cc { + server 127.0.0.1 +# If also want to use this server for accounting, specify +# accountingServer 127.0.0.1 +} -# You must specify the below for TLS, we will always present our certificate -TLSCertificateFile /etc/hostcertkey/host.example.com.pem -TLSCertificateKeyFile /etc/hostcertkey/host.example.com.key.pem +server [2001:db8::1] { + type TLS + port 2283 +# secret is optional for TLS +# we could specify tls here, e.g. +# tls myserver +# in order to use tls parameters named myserver. We don't, so we will +# use "tls defaultserver" if defined, or look for "tls default" as a +# last resort +} +server radius.example.com { + type tls + secret verysecret + StatusServer on +# statusserver is optional, can be on or off. Off is default +} +#server radius.example.com { +# type dtls +# secret verysecret +# StatusServer on +## statusserver is optional, can be on or off. Off is default +#} -# You can optionally specify a non-standard UDP port to listen -#UDPServerPort 1814 +# Equivalent to example.com +realm /@example\.com$ { + server 2001:db8::1 +} +# One can define a realm without servers, the proxy will then reject +# and requests matching this. Optionally one can specify ReplyMessage +# attribute to be included in the reject message. One can also use +# AccountingResponse option to specify that the proxy should send such. +realm /\.com$ { +} +realm /^anonymous$ { + replymessage "No Access" +# AccountingResponse On +} +# The realm below is equivalent to /.* +realm * { + server radius.example.com +} +# If you don't have a default server you probably want to +# reject all unknowns. Optionally you can also include a message +#realm * { +# replymessage "User unknown" +#}