fticks_hashmac has moved.
[libradsec.git] / radsecproxy.conf.5.xml
index 406f2bf..bfc701e 100644 (file)
@@ -98,7 +98,7 @@ blocktype name {
     <para>
       There is one special option that can be used both as a basic
       option and inside all blocks. That is the option
-      <literal>include</literal> where the value specifies files to be
+      <literal>Include</literal> where the value specifies files to be
       included. The value can be a single file, or it can use normal
       shell globbing to specify multiple files, e.g.:
       <blockquote>
@@ -110,7 +110,7 @@ blocktype name {
       the order they are specified, when reaching the end of a file,
       the next file is read. When reaching the end of the last
       included file, the proxy returns to read the next line following
-      the <literal>include</literal> option. Included files may again
+      the <literal>Include</literal> option. Included files may again
       include other files.
     </para>
   </refsect1>
@@ -126,7 +126,7 @@ blocktype name {
     </para>
     <variablelist>
       <varlistentry>
-        <term><literal>logLevel</literal></term>
+        <term><literal>LogLevel</literal></term>
         <listitem>
          <para>
            This option specifies the debug level. It must be set to
@@ -138,7 +138,7 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>logDestination</literal></term>
+        <term><literal>LogDestination</literal></term>
         <listitem>
          <para>
            This specifies where the log messages should go. By
@@ -168,8 +168,64 @@ blocktype name {
          </para>
         </listitem>
       </varlistentry>
+
       <varlistentry>
-        <term><literal>listenUDP</literal></term>
+        <term><literal>FTicksReporting</literal></term>
+        <listitem>
+         <para>
+           The FTicksReporting option is used to enable F-Ticks
+           logging and can be set to <literal>None</literal>,
+           <literal>Basic</literal> or <literal>Full</literal>.  Its
+           default value is <literal>None</literal>.
+
+           See <literal>radsecproxy.conf-example</literal> for
+           details.  Note that radsecproxy has to be configured with
+           support for F-Ticks (<literal>--enable-fticks</literal>)
+           for this option to have any effect.
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>FTicksMAC</literal></term>
+        <listitem>
+         <para>
+           The FTicksMAC option can be used to control if and how
+           Calling-Station-Id is being logged.  It can be set to one
+           of <literal>Static</literal>, <literal>Original</literal>,
+           <literal>VendorHashed</literal>,
+           <literal>VendorKeyHashed</literal>,
+           <literal>FullyHashed</literal> or
+           <literal>FullyKeyHashed</literal>.
+
+           Its default value is <static>Static</static>.
+
+           See <literal>radsecproxy.conf-example</literal> for
+           details.  Note that radsecproxy has to be configured with
+           support for F-Ticks (<literal>--enable-fticks</literal>)
+           for this option to have any effect.
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>FTicksKey</literal></term>
+        <listitem>
+         <para>
+           The FTicksKey option is used to specify the key to use
+           when producing HMAC's as an effect of specifying
+           VendorKeyHashed or FullyKeyHashed for the FTicksMAC
+           option.
+
+           Note that radsecproxy has to be configured with support
+           for F-Ticks (<literal>--enable-fticks</literal>) for this
+           option to have any effect.
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>ListenUDP</literal></term>
         <listitem>
          <para>
            Normally the proxy will listen to the standard RADIUS UDP
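Review bot: In the new FTicksMAC entry, `<static>Static</static>` is not a DocBook element, while every other option value in this file uses `<literal>`. The line should read `Its default value is <literal>Static</literal>.`, otherwise the page may fail validation or render without the default. The same entry lists six modes but defers their meaning to `radsecproxy.conf-example`, so a reader of the man page cannot tell which ones protect the Calling-Station-Id. Judging by the names, `Original` writes the identifier to the log unchanged, and the unkeyed `VendorHashed` and `FullyHashed` modes hash a MAC-sized input that can be recovered by enumeration, so one sentence per mode and a recommendation for the keyed variants would help. The FTicksKey entry should also say that the key is a secret, so the configuration file holding it needs restricted read permissions.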
@@ -194,10 +250,10 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>listenTCP</literal></term>
+        <term><literal>ListenTCP</literal></term>
         <listitem>
          <para>
-           This option is similar to the <literal>listenUDP</literal>
+           This option is similar to the <literal>ListenUDP</literal>
            option, except that it is used for receiving connections
            from TCP clients. The default port number is
            <literal>1812</literal>.
@@ -205,22 +261,22 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>listenTLS</literal></term>
+        <term><literal>ListenTLS</literal></term>
         <listitem>
          <para>
-           This is similar to the <literal>listenUDP</literal>
+           This is similar to the <literal>ListenUDP</literal>
            option, except that it is used for receiving connections
            from TLS clients. The default port number is
            <literal>2083</literal>. Note that this option was
-           previously called <literal>listenTCP</literal>.
+           previously called <literal>ListenTCP</literal>.
          </para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>listenDTLS</literal></term>
+        <term><literal>ListenDTLS</literal></term>
         <listitem>
          <para>
-           This is similar to the <literal>listenUDP</literal>
+           This is similar to the <literal>ListenUDP</literal>
            option, except that it is used for receiving connections
            from DTLS clients. The default port number is
            <literal>2083</literal>.
@@ -228,7 +284,7 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>sourceUDP</literal></term>
+        <term><literal>SourceUDP</literal></term>
         <listitem>
          <para>
            This can be used to specify source address and/or source
@@ -238,7 +294,7 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>sourceTCP</literal></term>
+        <term><literal>SourceTCP</literal></term>
         <listitem>
          <para>
            This can be used to specify source address and/or source
@@ -247,7 +303,7 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>sourceTLS</literal></term>
+        <term><literal>SourceTLS</literal></term>
         <listitem>
          <para>
            This can be used to specify source address and/or source
@@ -256,7 +312,7 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>sourceDTLS</literal></term>
+        <term><literal>SourceDTLS</literal></term>
         <listitem>
          <para>
            This can be used to specify source address and/or source
@@ -278,13 +334,13 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>addTTL</literal></term>
+        <term><literal>AddTTL</literal></term>
         <listitem>
          <para>
            If a TTL attribute is present, the proxy will decrement
            the value and discard the message if zero. Normally the
            proxy does nothing if no TTL attribute is present. If you
-           use the addTTL option with a value 1-255, the proxy will
+           use the AddTTL option with a value 1-255, the proxy will
            when forwarding a message with no TTL attribute, add one
            with the specified value. Note that this option can also
            be specified for a client/server. It will then override
@@ -294,7 +350,7 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>loopPrevention</literal></term>
+        <term><literal>LoopPrevention</literal></term>
         <listitem>
          <para>
            This can be set to <literal>on</literal> or
@@ -310,7 +366,7 @@ blocktype name {
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><literal>include</literal></term>
+        <term><literal>Include</literal></term>
         <listitem>
          <para>
            This is not a normal configuration option; it can be
@@ -386,9 +442,9 @@ blocktype name {
       <literal>secret</literal>, <literal>tls</literal>,
       <literal>certificateNameCheck</literal>,
       <literal>matchCertificateAttribute</literal>,
-      <literal>duplicateInterval</literal>, <literal>addTTL</literal>,
-      <literal>rewrite</literal>, <literal>rewriteIn</literal>,
-      <literal>rewriteOut</literal> and
+      <literal>duplicateInterval</literal>, <literal>AddTTL</literal>,
+      <literal>fticksVISCOUNTRY</literal>, <literal>rewrite</literal>,
+      <literal>rewriteIn</literal>, <literal>rewriteOut</literal>, and
       <literal>rewriteAttribute</literal>.
 
       We already discussed the <literal>host</literal> option. The
@@ -438,12 +494,17 @@ blocktype name {
       one), or returned a copy of the previous reply.
     </para>
     <para>
-      The <literal>addTTL</literal> option is similar to the
-      <literal>addTTL</literal> option used in the basic config. See
+      The <literal>AddTTL</literal> option is similar to the
+      <literal>AddTTL</literal> option used in the basic config. See
       that for details. Any value configured here overrides the basic
       one when sending messages to this client.
     </para>
     <para>
+      The <literal>fticksVISCOUNTRY</literal> option configures
+      clients eligible to F-Ticks logging as defined by the
+      <literal>FTicksReporting</literal> basic option.
+    </para>
+    <para>
       The <literal>rewrite</literal> option is deprecated. Use
       <literal>rewriteIn</literal> instead.
     </para>
@@ -525,12 +586,12 @@ blocktype name {
       <literal>type</literal>, <literal>secret</literal>,
       <literal>tls</literal>, <literal>certificateNameCheck</literal>,
       <literal>matchCertificateAttribute</literal>,
-      <literal>addTTL</literal>, <literal>rewrite</literal>,
+      <literal>AddTTL</literal>, <literal>rewrite</literal>,
       <literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
       <literal>statusServer</literal>, <literal>retryCount</literal>,
       <literal>retryInterval</literal>,
       <literal>dynamicLookupCommand</literal> and
-      <literal>loopPrevention</literal>.
+      <literal>LoopPrevention</literal>.
     </para>
     <para>
       We already discussed the <literal>host</literal> option. The
@@ -539,7 +600,7 @@ blocktype name {
       <literal>secret</literal>, <literal>tls</literal>,
       <literal>certificateNameCheck</literal>,
       <literal>matchCertificateAttribute</literal>,
-      <literal>addTTL</literal>, <literal>rewrite</literal>,
+      <literal>AddTTL</literal>, <literal>rewrite</literal>,
       <literal>rewriteIn</literal> and <literal>rewriteOut</literal>
       are just as specified for the <literal>client block</literal>
       above, except that <literal>defaultServer</literal> (and not
@@ -570,7 +631,7 @@ blocktype name {
       documented separately/later.
     </para>
     <para>
-      Using the <literal>loopPrevention</literal> option here
+      Using the <literal>LoopPrevention</literal> option here
       overrides any basic setting of this option.  See section
       <literal>BASIC OPTIONS</literal> for details on this option.
     </para>