X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf.5.xml;h=4024bde0c4f912510a0cfbfd3676e19963c727d9;hb=c1f196080a7cb867afd3dee50e2910899cbf5f46;hp=56b9e19aa5d1ee12a519b77e9a84a220011b53f4;hpb=d528d69f0f9afb96f157693cafe4a8191fb9e9a5;p=libradsec.git diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 56b9e19..4024bde 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - 2008-10-06 + 2009-03-12 radsecproxy.conf 5 - radsecproxy devel 2008-10-06 + radsecproxy devel 2009-03-12 @@ -52,7 +52,7 @@ are not. There are two types of configuration structures than can be used. The first -and simplest are lines of the format option value. That +and simplest are lines on the format option value. That is, an option name, see below for a list of valid options, followed by whitespace (at least one space or tab character), followed by a value. Note that if the value contains whitespace, then it must be quoted using @@ -128,9 +128,9 @@ occurences is undefined. logLevel -This option specifies the debug level. It must be set to 1, 2, 3 or 4, where 1 -logs only serious errors, and 4 logs everything. The default is 3 which logs -errors, warnings and some informational messages. Note that the command line +This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where +1 logs only serious errors, and 5 logs everything. The default is 2 which logs +errors, warnings and a few informational messages. Note that the command line option overrides this. 
@@ -166,13 +166,13 @@ Normally the proxy will listen to the standard RADIUS UDP port 1812 if configured to handle UDP clients. On most systems it will do this for all of the system's IP addresses (both IPv4 and IPv6). On some systems however, it may respond to only IPv4 or only IPv6. To specify an -alternate port you may use a value of the form *:port where +alternate port you may use a value on the form *:port where port is any valid port number. If you also want to specify a specific address you can do e.g. 192.168.1.1:1812 or [2001:db8::1]:1812. The port may be omitted if you want the default one (like in these examples). These examples are equivalent to 192.168.1.1 and 2001:db8::1. Note that -you must use brackets around the IPv6 address if you specify port number. +you must use brackets around the IPv6 address. This option may be specified multiple times to listen to multiple addresses and/or ports. @@ -210,16 +210,6 @@ used for receiving connections from DTLS clients. The default port number is - listenAccountingUDP - - -This is similar to the listenUDP option, except that it is -used for specifying port and optionally the address to receive UDP Accounting -messages on. - - - - sourceUDP 
@@ -256,6 +246,31 @@ will use for DTLS connections. + TTLAttribute + + +This can be used to change the default TTL attribute. Only change this if +you know what you are doing. The syntax is either a numerical value +denoting the TTL attribute, or two numerical values separated by column +specifying a vendor attribute, i.e. vendorid:attribute. + + + + + addTTL + + +If a TTL attribute is present, the proxy will decrement the value and +discard the message if zero. Normally the proxy does nothing if no TTL +attribute is present. If you use the addTTL option with a value 1-255, +the proxy will when forwarding a message with no TTL attribute, add one +with the specified value. Note that this option can also be specified +for a client/server. It will then override this setting when forwarding +a message to that client/server. + + + + loopPrevention @@ -264,6 +279,8 @@ This can be set to on or off with will never be sent to a server named the same as the client it was received from. I.e., the names of the client block and the server block are compared. Note that this only gives limited protection against loops. +It can be used as a basic option and inside server blocks where it overrides +the basic setting. @@ -283,7 +300,7 @@ description, see the configuration syntax section above. Blocks There are five types of blocks, they are client, -server, realm, Btls +server, realm, tls and rewrite. At least one instance of each of client and realm is required. This is necessary for the proxy to do anything useful, and it will exit if not. The 
@@ -302,8 +319,9 @@ be significant. The client block is used to configure a client. That is, tell the proxy about a client, and what parameters should be used for that client. The name of the client block must (with one exception, see below) be either the IP address -(IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) of the form -IpAddress/PrefixLength, or a domain name (FQDN). +(IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form +IpAddress/PrefixLength, or a domain name (FQDN). Note that literal IPv6 +addresses must be enclosed in brackets. If a domain name is specified, then this will be resolved immediately to all @@ -326,16 +344,18 @@ client name is an IP prefix. Alternatively one may use the host option inside a client block. In that case, the value of the host option is used as above, while the name of the block is only used as a descriptive name for the -administrator. +administrator. The host option may be used multiple times, and can be a mix of +addresses, FQDNs and prefixes. The allowed options in a client block are host, type, secret, tls, certificateNameCheck, matchCertificateAttribute, -duplicateInterval, rewrite, -rewriteIn, rewriteOut and -rewriteAttribute. We already discussed the +duplicateInterval, addTTL, +rewrite, rewriteIn, +rewriteOut and rewriteAttribute. +We already discussed the host option. The value of type must be one of udp, tcp, tls or dtls. The value of secret is the @@ -375,6 +395,12 @@ ignore the new request (if it is still processing the previous one), or returned a copy of the previous reply. +The addTTL option is similar to the +addTTL option used in the basic config. See that for +details. Any value configured here overrides the basic one when sending +messages to this client. + + The rewrite option is deprecated. Use rewriteIn instead. 
@@ -400,10 +426,10 @@ The rewriteAttribute option currently makes it possible to specify that the User-Name attribute in a client request shall be rewritten in the request sent by the proxy. The User-Name attribute is written back to the original value if a matching response is later sent back to the client. The -value must be of the form User-Name:/regexpmatch/replacement/. Example usage: +value must be on the form User-Name:/regexpmatch/replacement/. Example usage:
-rewriteAttribute User-Name:/^(.*)@local$/$1@example.com/ +rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
@@ -427,23 +453,36 @@ name of the server must match the FQDN or IP address in the server certificate. Alternatively one may use the host option inside a server block. In that case, the value of the host option is used as above, while the name of the block is only used as a descriptive name for the -administrator. +administrator. Note that multiple host options may be used. This will then be +treated as multiple names/addresses for the same server. When initiating a TCP/TLS +connection, all addresses of all names may be attempted, but there is no failover +between the different host values. For failover one must use separate server +blocks. + + +Note that the name of the block, or values of host options may include a +port number (separated with a column). This port number will then override the +default port or a port option in the server block. Also note that literal IPv6 +addresses must be enclosed in brackets. The allowed options in a server block are host, port, type, secret, tls, certificateNameCheck, -matchCertificateAttribute, rewrite, +matchCertificateAttribute, addTTL, +rewrite, rewriteIn, rewriteOut, statusServer, retryCount, -retryInterval and dynamicLookupCommand. +retryInterval, dynamicLookupCommand +and loopPrevention. We already discussed the host option. The port option allows you to specify which port number the server uses. The usage of type, secret, tls, certificateNameCheck, -matchCertificateAttribute, rewrite, +matchCertificateAttribute, addTTL, +rewrite, rewriteIn and rewriteOut are just as specified for the client block above, except that defaultServer (and not defaultClient) @@ -470,6 +509,11 @@ The option dynamicLookupCommand can be used to specify a command that should be executed to dynamically configure and use a server. The use of this feature will be documented separately/later. + +Using the loopPrevention option here overrides any +basic setting of this option. See section BASIC +OPTIONS for details on this option. + Realm Block 
@@ -594,8 +638,9 @@ default, even defaultServer if you really want to. The available TLS block options are CACertificateFile, CACertificatePath, certificateFile, certificateKeyFile, -certificateKeyPassword, cacheExpiry -and CRLCheck. When doing RADIUS over TLS/DTLS, both the +certificateKeyPassword, cacheExpiry, +CRLCheck and policyOID. +When doing RADIUS over TLS/DTLS, both the client and the server present certificates, and they are both verified by the peer. Hence you must always specify certificateFile and certificateKeyFile options, as well as @@ -607,7 +652,9 @@ certificates to a peer, you also always need to specify Note that you may specify both, in which case the certificates in CACertificateFile are checked first. By default CRLs are not checked. This can be changed by setting CRLCheck to -on. +on. One can require peer certificates to adhere to certain +policies by specifying one or multiple policyOIDs using one or multiple +policyOID options. CA certificates and CRLs are normally cached permanently. That is, once a CA 
@@ -643,15 +690,21 @@ rewrite on input. No rewriting is done on output unless explicitly specifed using the rewriteOut option. -The available rewrite block options are addAttribute, +The available rewrite block options +are addAttribute, addVendorAttribute, removeAttribute, removeVendorAttribute and modifyAttribute. They can all be specified none, one or multiple times. -addAttribute is used to add attributes to a message. The -option value must be of the form attribute:value where -attribute is a numerical value specifying the attribute. +addAttribute is used to add attributes to a +message. The option value must be on the +form attribute:value where attribute is a numerical +value specifying the attribute. Simliarly, +the addVendorAttribute is used to specify a vendor +attribute to be added. The option value must be on the +form vendor:subattribute:value, where vendor and +subattribute are numerical values. The removeAttribute option is used to specify an @@ -659,20 +712,20 @@ attribute that should be removed from received messages. The option value must be a numerical value specifying which attribute is to be removed. Similarly, removeVendorAttribute is used to specify a vendor attribute that is to be removed. The value can be a numerical value -for removing all attributes from a given vendor, or of the form +for removing all attributes from a given vendor, or on the form vendor:subattribute, where vendor and subattribute are numerical values, for removing a specific subattribute for a specific vendor. modifyAttribute is used to specify modification of -attributes. The value must be of the form +attributes. The value must be on the form attribute:/regexpmatch/replacement/ where attribute is a numerical attribute type, regexpmatch is regexp matching rule and replacement specifies how to replace the matching regexp. Example usage:
-modifyAttribute 1:/^(.*)@local$/$1@example.com/ +modifyAttribute 1:/^(.*)@local$/\1@example.com/
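Review bot: the wording change from "lines of the format option value" to "lines on the format" in the @@ -52,7 hunk is a regression in English; "of the form" (or "of the format") is the idiomatic phrase. The same "of the form" to "on the form" substitution recurs in the listenUDP, client block, rewriteAttribute, addAttribute, removeVendorAttribute and modifyAttribute hunks; suggest reverting all of them to "of the form".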
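Review bot: the logLevel hunk changes two documented facts at once (the valid range becomes 1 to 5 and the default drops from 3 to 2, with "some informational messages" becoming "a few"); make sure the parser's range check and the compiled-in default agree with this text, and that the documentation of the command line option, which this paragraph says overrides logLevel, is updated to the same range, otherwise the two man pages contradict each other.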
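Review bot: dropping "if you specify port number" in the listenUDP hunk makes the bracket rule unconditional, but the unchanged context two lines earlier still gives `2001:db8::1` without brackets as an equivalent example; either that example should read `[2001:db8::1]` or the qualification should stay. If the rule really is unconditional now, say so for the address-only form as well, e.g. "These examples are equivalent to 192.168.1.1 and [2001:db8::1]".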
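Review bot: removing the listenAccountingUDP entry leaves an administrator who has that option in an existing configuration with no guidance. If the option is still parsed, mark it deprecated the way the page does for rewrite ("The rewrite option is deprecated. Use rewriteIn instead."); if it is now rejected, say so under listenUDP and state where accounting messages are received from now on.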
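Review bot: "separated by column" in the new TTLAttribute entry should be "separated by a colon", and the entry should state what the default TTL attribute is, since "change the default" is not actionable without it. In the addTTL entry, "the proxy will decrement the value and discard the message if zero" leaves the order ambiguous: is a message arriving with TTL 1 forwarded with TTL 0 or discarded? One sentence settling that, and stating what happens to a configured value outside the stated 1-255 range, would prevent misconfigured loop protection.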
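Review bot: the new sentence "literal IPv6 addresses must be enclosed in brackets" in the client block hunk needs an example, because the same paragraph also allows IP prefixes of the form IpAddress/PrefixLength and it is not obvious where the brackets go for an IPv6 prefix (`[2001:db8::]/32` or `[2001:db8::/32]`). One example of a bracketed IPv6 address and one of a bracketed IPv6 prefix would settle it.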
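Review bot: changing the example backreference from `$1` to `\1` in the rewriteAttribute hunk (and again in the modifyAttribute example at the end of the patch) alters what readers take the replacement syntax to be, while the surrounding prose still only says "replacement specifies how to replace the matching regexp". State explicitly which backreference syntax the proxy accepts (for example that `\1` refers to the first parenthesised group) and, if `$1` is not supported, say so, because a configuration written against the old man page otherwise gives no hint that it needs changing.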
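Review bot: with multiple host values now allowed in a server block, the unchanged context just above ("the name of the server must match the FQDN or IP address in the server certificate") no longer says which name is checked when certificateNameCheck is on: the block name, the host value actually connected to, or any of them. This decides what a TLS peer certificate is validated against, so state it. Also "separated with a column" should be "separated with a colon", and "all addresses of all names may be attempted" should say whether they are tried in order until one connection succeeds.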
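Review bot: the new policyOID text in the TLS block hunk should give the value syntax (a dotted-decimal OID string, presumably) and say whether a peer certificate must carry all of the configured policy OIDs or any one of them; "one or multiple policyOIDs using one or multiple policyOID options" reads as a single any-of list but does not say so. A one-line example with a clearly labelled placeholder OID would make the option usable.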
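Review bot: "Simliarly" in the addAttribute hunk is a typo for "Similarly". The new addVendorAttribute text gives the form vendor:subattribute:value but, like addAttribute, does not say how value is interpreted (string, integer, or raw bytes); one sentence or an example for each would remove the guesswork.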