X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf.5.xml;h=2b6367c469b3c8d3809806d337e83ae0e9ed4cd4;hb=dbcc997716f5bec3316c74371eb8077884d6672d;hp=406f2bf4dec82a931385bf4b3b9569510a213c62;hpb=1080f966ba0fa083696b22f5d8095de49ce9730a;p=libradsec.git diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 406f2bf..2b6367c 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - 2011-04-04 + 2012-04-11 radsecproxy.conf 5 - radsecproxy 1.5-dev + radsecproxy 1.6-dev @@ -32,10 +32,10 @@ for details). - If the configuration file can not be found, the proxy will exit - with an error message. Note that there is also an include facility - so that any configuration file may include other configuration - files. The proxy will also exit on configuration errors. + If the configuration file can not be found, the proxy will exit + with an error message. Note that there is also an include facility + so that any configuration file may include other configuration + files. The proxy will also exit on configuration errors. @@ -98,7 +98,7 @@ blocktype name { There is one special option that can be used both as a basic option and inside all blocks. That is the option - include where the value specifies files to be + Include where the value specifies files to be included. The value can be a single file, or it can use normal shell globbing to specify multiple files, e.g.:
@@ -110,7 +110,7 @@ blocktype name { the order they are specified, when reaching the end of a file, the next file is read. When reaching the end of the last included file, the proxy returns to read the next line following - the include option. Included files may again + the Include option. Included files may again include other files. @@ -126,7 +126,18 @@ blocktype name { - logLevel + PidFile + + + The PidFile option specifies the name of a file to which + the process id (PID) will be written. This is overridden + by the command line option. There is + no default value for the PidFile option. + + + + + LogLevel This option specifies the debug level. It must be set to @@ -138,7 +149,7 @@ blocktype name { - logDestination + LogDestination This specifies where the log messages should go. By 
@@ -168,8 +179,101 @@ blocktype name { + + + FTicksReporting + + + The FTicksReporting option is used to enable F-Ticks + logging and can be set to None, + Basic or Full. Its + default value is None. If + FTicksReporting is set to anything other than + None, note that the default value for + FTicksMAC is VendorKeyHashed which + needs FTicksKey to be set. + + + See radsecproxy.conf-example for + details. Note that radsecproxy has to be configured with + F-Ticks support (--enable-fticks) for + this option to have any effect. + + + + - listenUDP + FTicksMAC + + + The FTicksMAC option can be used to control if and how + Calling-Station-Id (the users Ethernet MAC address) is + being logged. It can be set to one of + Static, Original, + VendorHashed, + VendorKeyHashed, + FullyHashed or + FullyKeyHashed. + + + The default value for FTicksMAC is + VendorKeyHashed. This means that + FTicksKey has to be set. + + Before chosing any of Original, + FullyHashed or + VendorHashed, consider the implications + for user privacy when MAC addresses are collected. How + will the logs be stored, transferred and accessed? + + + + See radsecproxy.conf-example for + details. Note that radsecproxy has to be configured with + F-Ticks support (--enable-fticks) for + this option to have any effect. + + + + + + FTicksKey + + + The FTicksKey option is used to specify the key to use + when producing HMAC's as an effect of specifying + VendorKeyHashed or FullyKeyHashed for the FTicksMAC + option. + + + Note that radsecproxy has to be configured with F-Ticks + support (--enable-fticks) for this + option to have any effect. + + + + + + FTicksSyslogFacility + + + The FTicksSyslogFacility option is used to specify a + dedicated syslog facility for F-Ticks messages. This + allows for easier filtering of F-Ticks messages. If no + FTicksSyslogFacility option is given, F-Ticks messages are + written to what the LogDestination option specifies. 
+ + + F-Ticks messages are always logged using the log level + LOG_DEBUG. Note that specifying a file in + FTicksSyslogFacility (using the file:/// prefix) is + not supported. + + + + + + ListenUDP Normally the proxy will listen to the standard RADIUS UDP @@ -194,10 +298,10 @@ blocktype name { - listenTCP + ListenTCP - This option is similar to the listenUDP + This option is similar to the ListenUDP option, except that it is used for receiving connections from TCP clients. The default port number is 1812. @@ -205,22 +309,22 @@ blocktype name { - listenTLS + ListenTLS - This is similar to the listenUDP + This is similar to the ListenUDP option, except that it is used for receiving connections from TLS clients. The default port number is 2083. Note that this option was - previously called listenTCP. + previously called ListenTCP. - listenDTLS + ListenDTLS - This is similar to the listenUDP + This is similar to the ListenUDP option, except that it is used for receiving connections from DTLS clients. The default port number is 2083. @@ -228,7 +332,7 @@ blocktype name { - sourceUDP + SourceUDP This can be used to specify source address and/or source @@ -238,7 +342,7 @@ blocktype name { - sourceTCP + SourceTCP This can be used to specify source address and/or source @@ -247,7 +351,7 @@ blocktype name { - sourceTLS + SourceTLS This can be used to specify source address and/or source @@ -256,7 +360,7 @@ blocktype name { - sourceDTLS + SourceDTLS This can be used to specify source address and/or source 
@@ -278,13 +382,13 @@ blocktype name { - addTTL + AddTTL If a TTL attribute is present, the proxy will decrement the value and discard the message if zero. Normally the proxy does nothing if no TTL attribute is present. If you - use the addTTL option with a value 1-255, the proxy will + use the AddTTL option with a value 1-255, the proxy will when forwarding a message with no TTL attribute, add one with the specified value. Note that this option can also be specified for a client/server. It will then override @@ -294,7 +398,7 @@ blocktype name { - loopPrevention + LoopPrevention This can be set to on or @@ -310,7 +414,7 @@ blocktype name { - include + Include This is not a normal configuration option; it can be @@ -386,10 +490,10 @@ blocktype name { secret, tls, certificateNameCheck, matchCertificateAttribute, - duplicateInterval, addTTL, - rewrite, rewriteIn, - rewriteOut and - rewriteAttribute. + duplicateInterval, AddTTL, + fticksVISCOUNTRY, fticksVISINST, + rewrite, rewriteIn, + rewriteOut, and rewriteAttribute. We already discussed the host option. The value of type must be one of @@ -397,7 +501,9 @@ blocktype name { tls or dtls. The value of secret is the shared RADIUS key used with this client. If the secret contains whitespace, the value must - be quoted. This option is optional for TLS/DTLS. + be quoted. This option is optional for TLS/DTLS and if omitted + will default to "mysecret". Note that the default value of + secret will change in an upcoming release. For a TLS/DTLS client you may also specify the 
@@ -438,12 +544,22 @@ blocktype name { one), or returned a copy of the previous reply. - The addTTL option is similar to the - addTTL option used in the basic config. See + The AddTTL option is similar to the + AddTTL option used in the basic config. See that for details. Any value configured here overrides the basic one when sending messages to this client. + The fticksVISCOUNTRY option configures + clients eligible to F-Ticks logging as defined by the + FTicksReporting basic option. + + + The fticksVISINST option overwrites + the default VISINST value taken from the client + block name. + + The rewrite option is deprecated. Use rewriteIn instead. @@ -525,12 +641,12 @@ blocktype name { type, secret, tls, certificateNameCheck, matchCertificateAttribute, - addTTL, rewrite, + AddTTL, rewrite, rewriteIn, rewriteOut, statusServer, retryCount, - retryInterval, dynamicLookupCommand and - loopPrevention. + retryInterval and + LoopPrevention. We already discussed the host option. The @@ -539,7 +655,7 @@ blocktype name { secret, tls, certificateNameCheck, matchCertificateAttribute, - addTTL, rewrite, + AddTTL, rewrite, rewriteIn and rewriteOut are just as specified for the client block above, except that defaultServer (and not 
@@ -566,11 +682,20 @@ blocktype name { The option dynamicLookupCommand can be used to specify a command that should be executed to dynamically - configure and use a server. The use of this feature will be - documented separately/later. - - - Using the loopPrevention option here + configure a server. The executable file should be given with + full path and will be invoked with the name of the realm as its + first and only argument. It should either print a valid + server option on stdout and exit with a code + of 0 or print nothing and exit with a non-zero exit code. An + example of a shell script resolving the DNS NAPTR records for + the realm and then the SRV records for each NAPTR matching + 'x-eduroam:radius.tls' is provided in + tools/naptr-eduroam.sh. This option was + added in radsecproxy-1.3 but tends to crash radsecproxy versions + earlier than 1.6. + + + Using the LoopPrevention option here overrides any basic setting of this option. See section BASIC OPTIONS for details on this option. @@ -632,7 +757,7 @@ blocktype name { the users in this domain to use one server, while other users could be matched by another realm block and use another server. - + Realm block options @@ -838,10 +963,10 @@ blocktype name { radsecproxy1 - , - - RadSec internet draft - + , + + RadSec internet draft +
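Review bot: the -32 hunk is a whitespace-only reindentation mixed into a patch that also changes option names, adds options and changes a default; keep such reformatting in a separate commit so the substantive changes (PidFile, the F-Ticks options, the secret default) can be reviewed on their own.

Review bot: renaming `include` to `Include` in the -98 and -110 hunks, and likewise logLevel, logDestination, listenUDP/TCP/TLS/DTLS, sourceUDP/TCP/TLS/DTLS, addTTL and loopPrevention in the hunks that follow, changes the documented spelling of options that existing configuration files spell in lowercase; the manual should state once that option names are matched case-insensitively, otherwise readers will take this as a breaking change. The client and server block lists in the same patch keep lowercase names (`secret`, `tls`, `rewriteIn`, `retryInterval`), so either use one convention throughout or state the case rule explicitly.

Review bot: the PidFile description in the -126 hunk reads "This is overridden by the command line option." without naming the option; give the flag. It should also say whether the file is removed on a clean exit and what happens if the file cannot be written (exit, as for other configuration errors, or continue without it), since operators rely on the file for service supervision.

Review bot: the -168 hunk documents that the default FTicksMAC value VendorKeyHashed "needs FTicksKey to be set" but never says what happens when FTicksReporting is enabled and FTicksKey is absent; state whether this is a configuration error on which the proxy exits, as the page describes for other configuration errors, or whether MAC logging silently falls back to another mode. FTicksKey gives no guidance on key material: say how long the key should be and note that anyone who can read the configuration file can recompute the keyed hashes, so the file's permissions matter as much as the key. The FTicksSyslogFacility paragraph says F-Ticks messages are always logged at LOG_DEBUG; clarify whether LogLevel filters them, as a reader would otherwise expect them to vanish at lower debug levels. Wording: "chosing" should be "choosing", "HMAC's" should be "HMACs", and "the users Ethernet MAC address" should be "the user's".

Review bot: the -397 hunk documents a hard-coded default shared secret, "mysecret", for TLS/DTLS clients and says the default will change in an upcoming release. A configuration that relies on the default will stop interoperating with peers running the newer release, so the manual should recommend setting secret explicitly even for TLS/DTLS, and should say what the secret is still used for on a TLS/DTLS connection so readers can judge whether relying on any default is acceptable for them.

Review bot: "configures clients eligible to F-Ticks logging" in the -438 hunk does not say what the value of fticksVISCOUNTRY is or what happens to a client without it; if a client block without this option is not reported even when FTicksReporting is enabled, say so, because that is the behaviour operators will need to verify. "overwrites the default VISINST value" should read "overrides". The names fticksVISCOUNTRY and fticksVISINST are lowercase while the basic options added in this patch are FTicksReporting, FTicksMAC and FTicksKey; pick one style.

Review bot: the -525 hunk drops dynamicLookupCommand from the list of server block options, yet the -566 hunk below expands its description and the -539 hunk still walks through the same option set; either the removal from the list is accidental or the description should move. Suggest restoring it: `retryInterval, dynamicLookupCommand and LoopPrevention.`

Review bot: the dynamicLookupCommand description in the -566 hunk says the executable "will be invoked with the name of the realm as its first and only argument" but not how it is invoked. The realm is taken from the incoming request, so the manual should state whether the command is executed directly or through a shell, and that the script must treat the argument as untrusted input (for instance by rejecting anything that is not a valid DNS name before handing it to a resolver). It should also say how much of stdout is read and whether the printed server option is validated like the configuration file, since unexpected script output otherwise changes where requests are proxied. "tends to crash radsecproxy versions earlier than 1.6" is vague; say plainly that the option is only usable from 1.6 on.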