X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf.5.xml;h=b4b66e75aff7a73e3813c16c93fbf79080e15071;hb=40e8d53c3878a24f78b2a7d5b359b7bfbefb6f59;hp=72facea9897457a8356689f766f151f0ddc6fb6b;hpb=7466a1c5e655f5e99445e24598423f0711ddc1b5;p=radsecproxy.git diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 72facea..b4b66e7 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - 2011-04-04 + 2012-04-27 radsecproxy.conf 5 - radsecproxy 1.5-dev + radsecproxy 1.6 @@ -23,7 +23,7 @@ When the proxy server starts, it will first check the command line arguments, and then read the configuration file. Normally radsecproxy will read the configuration file - /etc/radsecproxy.conf. The command line + /usr/local/etc/radsecproxy.conf. The command line option can be used to instead read an alternate file (see @@ -32,10 +32,10 @@ for details). - If the configuration file can not be found, the proxy will exit - with an error message. Note that there is also an include facility - so that any configuration file may include other configuration - files. The proxy will also exit on configuration errors. + If the configuration file can not be found, the proxy will exit + with an error message. Note that there is also an include facility + so that any configuration file may include other configuration + files. The proxy will also exit on configuration errors. @@ -98,19 +98,19 @@ blocktype name { There is one special option that can be used both as a basic option and inside all blocks. That is the option - include where the value specifies files to be + Include where the value specifies files to be included. The value can be a single file, or it can use normal shell globbing to specify multiple files, e.g.:
- include /etc/radsecproxy.conf.d/*.conf + include /usr/local/etc/radsecproxy.conf.d/*.conf
The files are sorted alphabetically. Included files are read in the order they are specified, when reaching the end of a file, the next file is read. When reaching the end of the last included file, the proxy returns to read the next line following - the include option. Included files may again + the Include option. Included files may again include other files.
@@ -126,6 +126,17 @@ blocktype name { + PidFile + + + The PidFile option specifies the name of a file to which + the process id (PID) will be written. This is overridden + by the command line option. There is + no default value for the PidFile option. + + + + LogLevel 
@@ -168,6 +179,99 @@ blocktype name { + + + FTicksReporting + + + The FTicksReporting option is used to enable F-Ticks + logging and can be set to None, + Basic or Full. Its + default value is None. If + FTicksReporting is set to anything other than + None, note that the default value for + FTicksMAC is VendorKeyHashed which + needs FTicksKey to be set. + + + See radsecproxy.conf-example for + details. Note that radsecproxy has to be configured with + F-Ticks support (--enable-fticks) for + this option to have any effect. + + + + + + FTicksMAC + + + The FTicksMAC option can be used to control if and how + Calling-Station-Id (the users Ethernet MAC address) is + being logged. It can be set to one of + Static, Original, + VendorHashed, + VendorKeyHashed, + FullyHashed or + FullyKeyHashed. + + + The default value for FTicksMAC is + VendorKeyHashed. This means that + FTicksKey has to be set. + + Before chosing any of Original, + FullyHashed or + VendorHashed, consider the implications + for user privacy when MAC addresses are collected. How + will the logs be stored, transferred and accessed? + + + + See radsecproxy.conf-example for + details. Note that radsecproxy has to be configured with + F-Ticks support (--enable-fticks) for + this option to have any effect. + + + + + + FTicksKey + + + The FTicksKey option is used to specify the key to use + when producing HMAC's as an effect of specifying + VendorKeyHashed or FullyKeyHashed for the FTicksMAC + option. + + + Note that radsecproxy has to be configured with F-Ticks + support (--enable-fticks) for this + option to have any effect. + + + + + + FTicksSyslogFacility + + + The FTicksSyslogFacility option is used to specify a + dedicated syslog facility for F-Ticks messages. This + allows for easier filtering of F-Ticks messages. If no + FTicksSyslogFacility option is given, F-Ticks messages are + written to what the LogDestination option specifies. + + + F-Ticks messages are always logged using the log level + LOG_DEBUG. 
Note that specifying a file in + FTicksSyslogFacility (using the file:/// prefix) is + not supported. + + + + ListenUDP @@ -197,7 +301,7 @@ blocktype name { ListenTCP - This option is similar to the listenUDP + This option is similar to the ListenUDP option, except that it is used for receiving connections from TCP clients. The default port number is 1812. @@ -208,11 +312,11 @@ blocktype name { ListenTLS - This is similar to the listenUDP + This is similar to the ListenUDP option, except that it is used for receiving connections from TLS clients. The default port number is 2083. Note that this option was - previously called listenTCP. + previously called ListenTCP. @@ -220,7 +324,7 @@ blocktype name { ListenDTLS - This is similar to the listenUDP + This is similar to the ListenUDP option, except that it is used for receiving connections from DTLS clients. The default port number is 2083. @@ -284,7 +388,7 @@ blocktype name { If a TTL attribute is present, the proxy will decrement the value and discard the message if zero. Normally the proxy does nothing if no TTL attribute is present. If you - use the addTTL option with a value 1-255, the proxy will + use the AddTTL option with a value 1-255, the proxy will when forwarding a message with no TTL attribute, add one with the specified value. Note that this option can also be specified for a client/server. It will then override @@ -310,6 +414,23 @@ blocktype name { + IPv4Only and IPv6Only + + + These can be set to on or + off with off being + the default. At most one of IPv4Only + and IPv6Only can be enabled. Enabling + IPv4Only or IPv6Only + makes radsecproxy resolve DNS names to the corresponding + address family only, and not the other. This is done for + both clients and servers. Note that this can be + overridden in client and + server blocks, see below. + + + + Include 
@@ -350,8 +471,11 @@ blocktype name { that client. The name of the client block must (with one exception, see below) be either the IP address (IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form - IpAddress/PrefixLength, or a domain name (FQDN). Note that - literal IPv6 addresses must be enclosed in brackets. + IpAddress/PrefixLength, or a domain name (FQDN). The way an + FQDN is resolved into an IP address may be influenced by the use + of the IPv4Only and + IPv6Only options. Note that literal IPv6 + addresses must be enclosed in brackets. If a domain name is specified, then this will be resolved @@ -382,22 +506,33 @@ blocktype name { The allowed options in a client block are - host, type, + host, IPv4Only, + IPv6Only, type, secret, tls, certificateNameCheck, matchCertificateAttribute, - duplicateInterval, addTTL, - rewrite, rewriteIn, - rewriteOut and + duplicateInterval, AddTTL, + fticksVISCOUNTRY, + fticksVISINST, rewrite, + rewriteIn, rewriteOut, and rewriteAttribute. - We already discussed the host option. The - value of type must be one of + We already discussed the host option. To + specify how radsecproxy should resolve a host + given as a DNS name, the IPv4Only or the + IPv6Only can be set to on. + At most one of these options can be enabled. Enabling + IPv4Only or IPv6Only here + overrides any basic settings set at the top level. + + The value of type must be one of udp, tcp, tls or dtls. The value of secret is the shared RADIUS key used with this client. If the secret contains whitespace, the value must - be quoted. This option is optional for TLS/DTLS. + be quoted. This option is optional for TLS/DTLS and if omitted + will default to "mysecret". Note that the default value of + secret will change in an upcoming release. For a TLS/DTLS client you may also specify the 
@@ -438,12 +573,22 @@ blocktype name { one), or returned a copy of the previous reply. - The addTTL option is similar to the - addTTL option used in the basic config. See + The AddTTL option is similar to the + AddTTL option used in the basic config. See that for details. Any value configured here overrides the basic one when sending messages to this client. + The fticksVISCOUNTRY option configures + clients eligible to F-Ticks logging as defined by the + FTicksReporting basic option. + + + The fticksVISINST option overwrites + the default VISINST value taken from the client + block name. + + The rewrite option is deprecated. Use rewriteIn instead. @@ -496,9 +641,11 @@ blocktype name { after startup. If the domain name resolves to multiple addresses, then for UDP/DTLS the first address is used. For TCP/TLS, the proxy will loop through the addresses until it can - connect to one of them. In the case of TLS/DTLS, the name of the - server must match the FQDN or IP address in the server - certificate. + connect to one of them. The way an FQDN is resolved into an IP + address may be influenced by the use of the + IPv4Only and IPv6Only + options. In the case of TLS/DTLS, the name of the server must + match the FQDN or IP address in the server certificate. Alternatively one may use the host option 
@@ -522,24 +669,33 @@ blocktype name { The allowed options in a server block are host, port, + IPv4Only, IPv6Only, type, secret, tls, certificateNameCheck, matchCertificateAttribute, - addTTL, rewrite, + AddTTL, rewrite, rewriteIn, rewriteOut, statusServer, retryCount, - retryInterval, dynamicLookupCommand and - loopPrevention. + retryInterval and + LoopPrevention. - We already discussed the host option. The - port option allows you to specify which port - number the server uses. The usage of type, - secret, tls, - certificateNameCheck, + + We already discussed the host option. To + specify how radsecproxy should resolve a host + given as a DNS name, the IPv4Only or the + IPv6Only can be set to on. + At most one of these options can be enabled. Enabling + IPv4Only or IPv6Only here + overrides any basic settings set at the top level. + + The port option allows you to specify which + port number the server uses. The usage of + type, secret, + tls, certificateNameCheck, matchCertificateAttribute, - addTTL, rewrite, + AddTTL, rewrite, rewriteIn and rewriteOut are just as specified for the client block above, except that defaultServer (and not 
@@ -566,11 +722,20 @@ blocktype name { The option dynamicLookupCommand can be used to specify a command that should be executed to dynamically - configure and use a server. The use of this feature will be - documented separately/later. - - - Using the loopPrevention option here + configure a server. The executable file should be given with + full path and will be invoked with the name of the realm as its + first and only argument. It should either print a valid + server option on stdout and exit with a code + of 0 or print nothing and exit with a non-zero exit code. An + example of a shell script resolving the DNS NAPTR records for + the realm and then the SRV records for each NAPTR matching + 'x-eduroam:radius.tls' is provided in + tools/naptr-eduroam.sh. This option was + added in radsecproxy-1.3 but tends to crash radsecproxy versions + earlier than 1.6. + + + Using the LoopPrevention option here overrides any basic setting of this option. See section BASIC OPTIONS for details on this option. @@ -632,7 +797,7 @@ blocktype name { the users in this domain to use one server, while other users could be matched by another realm block and use another server. - + Realm block options @@ -838,10 +1003,10 @@ blocktype name { radsecproxy1 - , - - RadSec internet draft - +
, + + RadSec internet draft +
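Review bot: in the hunk at @@ -23,7 +23,7 @@ the default configuration file becomes the fixed path /usr/local/etc/radsecproxy.conf (and the Include example at @@ -98,19 +98,19 @@ is changed the same way), but whether that path is really fixed or follows the install prefix chosen at build time is not said. If it follows the prefix, phrase it that way, e.g. "Normally radsecproxy will read radsecproxy.conf from the configuration directory chosen at build time (by default /usr/local/etc)", so that packaged installs that still use /etc are not contradicted by the man page.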
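Review bot: the hunk at @@ -32,10 +32,10 @@ is a whitespace-only re-indentation (the same holds for @@ -632,7 +797,7 @@ and @@ -838,10 +1003,10 @@); mixing these with the content changes makes the substantive edits harder to pick out, so consider committing the re-indentation separately.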
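Review bot: in the hunk at @@ -98,19 +98,19 @@ the prose now calls the option Include while the example directly below it still reads "include /usr/local/etc/radsecproxy.conf.d/*.conf". The patch capitalises most basic options the same way (ListenUDP, AddTTL, LoopPrevention) while client/server block options stay lowercase (host, secret, fticksVISCOUNTRY). Either state once, near the top of the page, that option names are matched case-insensitively, or make the example spell the option the way the prose does; as it stands a reader cannot tell whether the case matters.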
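Review bot: in the new PidFile entry at @@ -126,6 +126,17 @@ the sentence "This is overridden by the command line option" does not say which option; name it and cross-reference the radsecproxy(1) page. It would also help to state what happens when the file cannot be created or written at startup (whether the proxy exits, as it does on other configuration errors, or only logs the failure).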
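Review bot: in the F-Ticks hunk at @@ -168,6 +179,99 @@ the FTicksMAC privacy paragraph lists Original, FullyHashed and VendorHashed as the values to think twice about, but does not say why the two unkeyed hashes belong in that group: the MAC address space is small (48 bits, and far smaller once the vendor part is known), so an unkeyed hash can be reversed by enumeration by anyone who obtains the logs, and only the keyed variants actually hide the address. Saying this makes the choice of VendorKeyHashed as default understandable. Related points in the same hunk: FTicksKey should say that the key is a secret (keep the configuration file from being world-readable) and should be long and random; the FTicksReporting text says a non-None setting "needs FTicksKey to be set" but not what happens when it is missing; and FTicksSyslogFacility says messages are "always logged using the log level LOG_DEBUG", which leaves the reader wondering whether the LogLevel option can filter them out when no dedicated facility is configured. Typos: "chosing" should be "choosing", "the users Ethernet MAC address" should be "the user's", and "HMAC's" should be "HMACs".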
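Review bot: the new IPv4Only/IPv6Only entry at @@ -310,6 +414,23 @@ says "At most one of IPv4Only and IPv6Only can be enabled" without saying what the proxy does when both are set to on; state whether that is a configuration error that makes the proxy exit at startup or whether one setting silently wins. The same question applies to the per-block versions introduced at @@ -382,22 +506,33 @@ and @@ -522,24 +669,33 @@.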
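Review bot: in the hunk at @@ -382,22 +506,33 @@ the client secret is now documented as defaulting to "mysecret" for TLS/DTLS. Since this is a fixed, publicly known value, the text should say plainly that it adds no protection of its own and that the TLS/DTLS channel is what protects the traffic, and since it is a shared RADIUS key both peers must use the same value, so "will change in an upcoming release" should name the new value or point to where the change is tracked; otherwise operators cannot plan for the interoperability break. Also, in the new paragraph on name resolution, "the IPv4Only or the IPv6Only can be set to on" is missing a noun: "the IPv4Only or the IPv6Only option can be set to on". The same sentence is repeated in the server block hunk at @@ -522,24 +669,33 @@.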
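Review bot: in the hunk at @@ -438,12 +573,22 @@ the fticksVISCOUNTRY paragraph says the option "configures clients eligible to F-Ticks logging" but never says what value it expects or in what format, and the fticksVISINST paragraph does not say what form that value takes either; add the expected values. Wording: "eligible to" should be "eligible for", and "overwrites the default VISINST value" should be "overrides". The lowercase "fticks" prefix of these two client options also differs from the FTicks prefix of the basic options added at @@ -168,6 +179,99 @@; pick one spelling or document that case does not matter.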
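Review bot: in the hunk at @@ -522,24 +669,33 @@ dynamicLookupCommand is dropped from the list of allowed server block options (the list now ends "retryInterval and LoopPrevention"), yet the hunk at @@ -566,11 +722,20 @@ still documents dynamicLookupCommand, in more detail than before, as a server block option. One of the two is wrong; if the option is still supported the list should read "retryInterval, dynamicLookupCommand and LoopPrevention."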
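Review bot: in the dynamicLookupCommand text at @@ -566,11 +722,20 @@ the command is "invoked with the name of the realm as its first and only argument", and that realm name originates in the request being proxied, so the command receives untrusted input. The documentation should say that the command must treat its argument as such (quote it, and accept only the characters a realm may contain) and that it runs with the privileges of the radsecproxy process, all the more so because the referenced example in tools/naptr-eduroam.sh is a shell script. Two further points: "print a valid server option on stdout" is ambiguous between a complete server block and a single option line, and "tends to crash radsecproxy versions earlier than 1.6" should say outright whether the crash is fixed in 1.6 and that the option should not be used on earlier releases.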