X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf.5.xml;h=35182f0d61ef10fa95e7d609f80c7f98880b767b;hb=a0008e2f3e69c136fe21744a212cd58eb3a1c4a7;hp=f91eed82643a1422ac0ccb0a740b93c38d05a9c3;hpb=25587120eecfdc5a041bbc3bdd90c50df1c490ff;p=libradsec.git diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index f91eed8..35182f0 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - 2011-04-04 + 2012-12-12 radsecproxy.conf 5 - radsecproxy 1.5-dev + radsecproxy 1.6-dev @@ -32,10 +32,10 @@ for details). - If the configuration file can not be found, the proxy will exit - with an error message. Note that there is also an include facility - so that any configuration file may include other configuration - files. The proxy will also exit on configuration errors. + If the configuration file can not be found, the proxy will exit + with an error message. Note that there is also an include facility + so that any configuration file may include other configuration + files. The proxy will also exit on configuration errors. 
@@ -168,6 +168,99 @@ blocktype name { + + + FTicksReporting + + + The FTicksReporting option is used to enable F-Ticks + logging and can be set to None, + Basic or Full. Its + default value is None. If + FTicksReporting is set to anything other than + None, note that the default value for + FTicksMAC is VendorKeyHashed which + needs FTicksKey to be set. + + + See radsecproxy.conf-example for + details. Note that radsecproxy has to be configured with + F-Ticks support (--enable-fticks) for + this option to have any effect. + + + + + + FTicksMAC + + + The FTicksMAC option can be used to control if and how + Calling-Station-Id (the users Ethernet MAC address) is + being logged. It can be set to one of + Static, Original, + VendorHashed, + VendorKeyHashed, + FullyHashed or + FullyKeyHashed. + + + The default value for FTicksMAC is + VendorKeyHashed. This means that + FTicksKey has to be set. + + Before chosing any of Original, + FullyHashed or + VendorHashed, consider the implications + for user privacy when MAC addresses are collected. How + will the logs be stored, transferred and accessed? + + + + See radsecproxy.conf-example for + details. Note that radsecproxy has to be configured with + F-Ticks support (--enable-fticks) for + this option to have any effect. + + + + + + FTicksKey + + + The FTicksKey option is used to specify the key to use + when producing HMAC's as an effect of specifying + VendorKeyHashed or FullyKeyHashed for the FTicksMAC + option. + + + Note that radsecproxy has to be configured with F-Ticks + support (--enable-fticks) for this + option to have any effect. + + + + + + FTicksSyslogFacility + + + The FTicksSyslogFacility option is used to specify a + dedicated syslog facility for F-Ticks messages. This + allows for easier filtering of F-Ticks messages. If no + FTicksSyslogFacility option is given, F-Ticks messages are + written to what the LogDestination option specifies. + + + F-Ticks messages are always logged using the log level + LOG_DEBUG. 
Note that specifying a file in + FTicksSyslogFacility (using the file:/// prefix) is + not supported. + + + + ListenUDP @@ -387,9 +480,9 @@ blocktype name { certificateNameCheck, matchCertificateAttribute, duplicateInterval, AddTTL, - fticksVISCOUNTRY, rewrite, - rewriteIn, rewriteOut, and - rewriteAttribute. + fticksVISCOUNTRY, fticksVISINST, + rewrite, rewriteIn, + rewriteOut, and rewriteAttribute. We already discussed the host option. The value of type must be one of @@ -397,7 +490,9 @@ blocktype name { tls or dtls. The value of secret is the shared RADIUS key used with this client. If the secret contains whitespace, the value must - be quoted. This option is optional for TLS/DTLS. + be quoted. This option is optional for TLS/DTLS and if omitted + will default to "mysecret". Note that the default value of + secret will change in an upcoming release. For a TLS/DTLS client you may also specify the @@ -449,6 +544,11 @@ blocktype name { FTicksReporting basic option. + The fticksVISINST option overwrites + the default VISINST value taken from the client + block name. + + The rewrite option is deprecated. Use rewriteIn instead. @@ -533,8 +633,7 @@ blocktype name { AddTTL, rewrite, rewriteIn, rewriteOut, statusServer, retryCount, - retryInterval, - dynamicLookupCommand and + retryInterval and LoopPrevention. @@ -569,12 +668,6 @@ blocktype name { an interval of 5s. - The option dynamicLookupCommand can be used - to specify a command that should be executed to dynamically - configure and use a server. The use of this feature will be - documented separately/later. - - Using the LoopPrevention option here overrides any basic setting of this option. See section BASIC OPTIONS for details on this option. @@ -637,7 +730,7 @@ blocktype name { the users in this domain to use one server, while other users could be matched by another realm block and use another server. - + Realm block options 
@@ -843,10 +936,10 @@ blocktype name { radsecproxy1 - , - - RadSec internet draft - + , + + RadSec internet draft +
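Review bot: In the FTicksMAC entry of the @@ -168,6 +168,99 @@ hunk, the six values (Static, Original, VendorHashed, VendorKeyHashed, FullyHashed, FullyKeyHashed) are listed but never defined, so a reader cannot tell what each one writes to the log, or why the privacy paragraph groups FullyHashed and VendorHashed with Original. Add a one-line description per value here rather than deferring entirely to radsecproxy.conf-example. The hunk also says that the VendorKeyHashed default "needs FTicksKey to be set" without saying what the proxy does when FTicksReporting is enabled and no key is given, and the FTicksKey entry gives no format or length for the key; both should be stated. Typos: "chosing" should be "choosing", "the users Ethernet MAC address" should be "the user's Ethernet MAC address", and "HMAC's" should be "HMACs".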
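Review bot: In the @@ -397,7 +490,9 @@ hunk, the added text documents a fixed default of "mysecret" for TLS/DTLS clients and then says only that the default "will change in an upcoming release", naming neither the release nor the new value. A configuration that omits secret is therefore tied to whatever the installed release happens to use. Suggest adding a sentence recommending that secret be set explicitly even for TLS/DTLS, and stating the planned value and release once they are decided.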
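Review bot: In the @@ -449,6 +544,11 @@ hunk, "overwrites the default VISINST value" should read "overrides", matching the wording this page already uses for LoopPrevention ("overrides any basic setting of this option"). The preceding paragraph ties its option to an FTicksReporting setting; this new paragraph should say whether fticksVISINST is likewise only used when FTicksReporting is enabled.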
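Review bot: The @@ -569,12 +668,6 @@ hunk deletes the dynamicLookupCommand paragraph, and @@ -533,8 +633,7 @@ drops the option from the server block list, with no replacement text anywhere in this patch. If the option is still accepted somewhere in the configuration, an option that executes an external command should not be left undocumented: say where it is now described, or state in the commit message that it was removed from the server block.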