Modify ChangeLog.

[libradsec.git] / radsecproxy.conf.5.xml

diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 16b0413..993eb44 100644 (file)
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -2,7 +2,7 @@
 "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
 <refentry>
   <refentryinfo>
-    <date>2011-04-04</date>
+    <date>2011-09-30</date>
   </refentryinfo>
   <refmeta>
     <refentrytitle>
@@ -32,10 +32,10 @@
       for details).
     </para>
     <para>
-    If the configuration file can not be found, the proxy will exit
-    with an error message. Note that there is also an include facility
-    so that any configuration file may include other configuration
-    files. The proxy will also exit on configuration errors.
+      If the configuration file can not be found, the proxy will exit
+      with an error message. Note that there is also an include facility
+      so that any configuration file may include other configuration
+      files. The proxy will also exit on configuration errors.
     </para>
   </refsect1>
   <refsect1>
@@ -173,8 +173,20 @@ blocktype name {
         <term><literal>FTicksReporting</literal></term>
         <listitem>
          <para>
-           TODO!  (See <literal>radsecproxy.conf-example</literal>
-           for now.)
+           The FTicksReporting option is used to enable F-Ticks
+           logging and can be set to <literal>None</literal>,
+           <literal>Basic</literal> or <literal>Full</literal>.  Its
+           default value is <literal>None</literal>.  If
+           FTicksReporting is set to anything other than
+           <literal>None</literal>, note that the default value for
+           FTicksMAC is <literal>VendorKeyHashed</literal> which
+           needs FTicksKey to be set.
+         </para>
+         <para>
+           See <literal>radsecproxy.conf-example</literal> for
+           details.  Note that radsecproxy has to be configured with
+           F-Ticks support (<literal>--enable-fticks</literal>) for
+           this option to have any effect.
          </para>
        </listitem>
       </varlistentry>
@@ -183,8 +195,32 @@ blocktype name {
         <term><literal>FTicksMAC</literal></term>
         <listitem>
          <para>
-           TODO!  (See <literal>radsecproxy.conf-example</literal>
-           for now.)
+           The FTicksMAC option can be used to control if and how
+           Calling-Station-Id (the users Ethernet MAC address) is
+           being logged.  It can be set to one of
+           <literal>Static</literal>, <literal>Original</literal>,
+           <literal>VendorHashed</literal>,
+           <literal>VendorKeyHashed</literal>,
+           <literal>FullyHashed</literal> or
+           <literal>FullyKeyHashed</literal>.
+         </para>
+         <para>
+           The default value for FTicksMAC is
+           <literal>VendorKeyHashed</literal>.  This means that
+           FTicksKey has to be set.
+         <para>
+           Before chosing any of <literal>Original</literal>,
+           <literal>FullyHashed</literal> or
+           <literal>VendorHashed</literal>, consider the implications
+           for user privacy when MAC addresses are collected.  How
+           will the logs be stored, transferred and accessed?
+         </para>
+         </para>
+         <para>
+           See <literal>radsecproxy.conf-example</literal> for
+           details.  Note that radsecproxy has to be configured with
+           F-Ticks support (<literal>--enable-fticks</literal>) for
+           this option to have any effect.
          </para>
        </listitem>
       </varlistentry>
@@ -193,8 +229,15 @@ blocktype name {
         <term><literal>FTicksKey</literal></term>
         <listitem>
          <para>
-           TODO!  (See <literal>radsecproxy.conf-example</literal>
-           for now.)
+           The FTicksKey option is used to specify the key to use
+           when producing HMAC's as an effect of specifying
+           VendorKeyHashed or FullyKeyHashed for the FTicksMAC
+           option.
+         </para>
+         <para>
+           Note that radsecproxy has to be configured with F-Ticks
+           support (<literal>--enable-fticks</literal>) for this
+           option to have any effect.
          </para>
        </listitem>
       </varlistentry>
@@ -428,7 +471,9 @@ blocktype name {
       <literal>tls</literal> or <literal>dtls</literal>. The value of
       <literal>secret</literal> is the shared RADIUS key used with
       this client. If the secret contains whitespace, the value must
-      be quoted. This option is optional for TLS/DTLS.
+      be quoted. This option is optional for TLS/DTLS and if omitted
+      will default to "mysecret".  Note that the default value of
+      <literal>secret</literal> will change in an upcoming release.
     </para>
     <para>
       For a TLS/DTLS client you may also specify the
@@ -668,7 +713,7 @@ blocktype name {
        the users in this domain to use one server, while other users
        could be matched by another realm block and use another
        server.
-    </para>
+      </para>
     </refsect2>
     <refsect2>
       <title>Realm block options</title>
@@ -874,10 +919,10 @@ blocktype name {
     <para>
       <citerefentry>
         <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">
-        <citetitle>RadSec internet draft</citetitle>
-      </ulink>
+       </citerefentry>,
+       <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">
+         <citetitle>RadSec internet draft</citetitle>
+       </ulink>
     </para>
   </refsect1>
 </refentry>