X-Git-Url: http://www.project-moonshot.org/gitweb/?p=libradsec.git;a=blobdiff_plain;f=radsecproxy.conf-example;h=6d24ba839570623d301f027fd0a4a8e0f56945e5;hp=8a6903c225d85fe973428a0b5f634a2aa2c2704b;hb=c1f196080a7cb867afd3dee50e2910899cbf5f46;hpb=dbb14fef5f262d0427bcd415b3c9ecfb47eea9d8
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 8a6903c..6d24ba8 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -1,72 +1,157 @@ -#Master config file, must be in /etc/radsecproxy or proxy's current directory +# Master config file, must be in /etc/radsecproxy or specified with -c option # All possible config options are listed below -# -# You must specify at least one of TLSCACertificateFile or TLSCACertificatePath -# for TLS to work. We always verify peer certificate (both client and server) -#TLSCACertificateFile /etc/cacerts/CA.pem -TLSCACertificatePath /etc/cacerts - -# You must specify the below for TLS, we will always present our certificate -TLSCertificateFile /etc/hostcertkey/host.example.com.pem -TLSCertificateKeyFile /etc/hostcertkey/host.example.com.key.pem -# Optionally specify password if key is encrypted (not very secure) -TLSCertificateKeyPassword "follow the white rabbit" +# First you may define any global options, these are: +# # You can optionally specify addresses and ports to listen on -# Max one of each, below are just multiple examples +# Multiple statements can be used for multiple ports/addresses #ListenUDP *:1814 #listenUDP localhost -#listenTCP 10.10.10.10:2084 -#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:2084 -# Optional log level. 3 is default, 1 is less, 4 is more +#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812 +#listenTLS 10.10.10.10:2084 +#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 +#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 + +# To specify a certain address/port for UDP/TLS requests you can use e.g. +#SourceUDP 127.0.0.1:33000 +#SourceTCP *:33000 +#SourceTLS *:33001 +#SourceDTLS *:33001 +# Optional log level. 3 is default, 1 is less, 5 is more #LogLevel 3 -#Optional LogDestinatinon, else stderr used for logging +# Optional LogDestination, else stderr used for logging # Logging to file #LogDestination file:///tmp/rp.log # Or logging with Syslog. 
LOG_DAEMON used if facility not specified # The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and # LOG_LOCAL0, ..., LOG_LOCAL7 -#LogDestination x-syslog:// -#LogDestination x-syslog://log_local2 +#LogDestination x-syslog:/// +#LogDestination x-syslog:///log_local2 + +# There is an option for doing some simple loop prevention. Note that +# the LoopPrevention directive can be used in server blocks too, +# overriding what's set here in the basic settings. +#LoopPrevention on +# Add TTL attribute with value 20 if not present (prevents endless loops) +#addTTL 20 + +# If we have TLS clients or servers we must define at least one tls block. +# You can name them whatever you like and then reference them by name when +# specifying clients or servers later. There are however three special names +# "default", "defaultclient" and "defaultserver". If no name is defined for +# a client, the "defaultclient" block will be used if it exists, if not the +# "default" will be used. For a server, "defaultserver" followed by "default" +# will be checked. +# +# The simplest configuration you can do is: +tls default { + # You must specify at least one of CACertificateFile or CACertificatePath + # for TLS to work. 
We always verify peer certificate (client and server) + # CACertificateFile /etc/cacerts/CA.pem + CACertificatePath /etc/cacerts + + # You must specify the below for TLS, we always present our certificate + CertificateFile /etc/hostcertkey/host.example.com.pem + CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem + # Optionally specify password if key is encrypted (not very secure) + CertificateKeyPassword "follow the white rabbit" + # Optionally enable CRL checking + # CRLCheck on + # Optionally specify how long CAs and CRLs are cached, default forever + # CacheExpiry 3600 + # Optionally require that peer certs have one of the specified policyOIDs + # policyoid 1.2.3 # this option can be used multiple times + # policyoid 1.3.4 +} + +# If you want one cert for all clients and another for all servers, use +# defaultclient and defaultserver instead of default. If we wanted some +# particular server to use something else you could specify a block +# "tls myserver" and then reference that for that server. If you always +# name the tls block in the client/server config you don't need a default -#Now we configure clients, servers and realms. Note that these and -#also the lines above may be in any order, except that a realm -#can only be configured to use a server that is previously configured. +# Now we configure clients, servers and realms. Note that these and +# also the lines above may be in any order, except that a realm +# can only be configured to use a server that is previously configured. -#A realm can be a literal domain name, * which matches all, or a -#regexp. A regexp is specified by the character prefix / -#For regexp we do case insensitive matching of the entire username string. -#The matching of realms is done in the order they are specified, using the -#first match found. Some examples are -#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". -#To treat local users separately you might try first specifying "@" -#and after that "*". 
+# A realm can be a literal domain name, * which matches all, or a +# regexp. A regexp is specified by the character prefix / +# For regexp we do case insensitive matching of the entire username string. +# The matching of realms is done in the order they are specified, using the +# first match found. Some examples are +# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". +# To treat local users separately you might try first specifying "@" +# and after that "*". + +# Configure a rewrite block if you want to add/remove/modify attributes +# rewrite example { +# # Remove NAS-Port. +# removeAttribute 5 +# # Remove vendor attribute 100. +# removeVendorAttribute 99:100 +# # Called-Station-Id = "123456" +# addAttribute 30:123456 +# # Vendor-99-Attr-101 = 0x0f +# addVendorAttribute 99:101:%0f +# # Change users @local to @example.com. +# modifyAttribute 1:/^(.*)@local$/\1@example.com/ +# } client 2001:db8::1 { type tls secret verysecret +# we could specify tls here, e.g. +# tls myclient +# in order to use tls parameters named myclient. 
We don't, so we will +# use "tls defaultclient" if defined, or look for "tls default" as a +# last resort } client 127.0.0.1 { type udp secret secret +# Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# Can also do rewriting of outgoing messages +# rewriteOut example +} +client 127.0.0.1 { + type tcp + secret secret } client radius.example.com { - type TLS + type tls # secret is optional for TLS } +client radius.example.com { + type dtls +# secret is optional for DTLS +} server 127.0.0.1 { type UDP secret secret +# Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# Can also do rewriting of outgoing messages +# rewriteOut example +# Might override loop prevention here too: +# LoopPrevention off } realm eduroam.cc { server 127.0.0.1 +# If also want to use this server for accounting, specify +# accountingServer 127.0.0.1 } server 2001:db8::1 { type TLS port 2283 # secret is optional for TLS +# we could specify tls here, e.g. +# tls myserver +# in order to use tls parameters named myserver. We don't, so we will +# use "tls defaultserver" if defined, or look for "tls default" as a +# last resort } server radius.example.com { type tls @@ -74,6 +159,12 @@ server radius.example.com { StatusServer on # statusserver is optional, can be on or off. Off is default } +#server radius.example.com { +# type dtls +# secret verysecret +# StatusServer on +## statusserver is optional, can be on or off. Off is default +#} # Equivalent to example.com realm /@example\.com$ { 
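Review bot: In the new `tls default` block the example shows `CRLCheck on` next to a `CacheExpiry` whose comment says the default caches CAs and CRLs forever, so a deployment that enables CRL checking but leaves CacheExpiry unset keeps the CRL loaded at startup and never sees later revocations. The `CacheExpiry` comment should state that dependency, e.g. `# If CRLCheck is on, also set CacheExpiry (seconds) so refreshed CRLs are reloaded; with the default they are never re-read`. The same block carries over the plaintext `CertificateKeyPassword "follow the white rabbit"` example with its "(not very secure)" remark; that comment could add that the config file must then be readable only by the account the proxy runs as. The `server radius.example.com` block opened at the end of this hunk continues past its last line.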
@@ -81,14 +172,20 @@ realm /@example\.com$ { } # One can define a realm without servers, the proxy will then reject # and requests matching this. Optionally one can specify ReplyMessage -# attribute to be included in the reject message. -# +# attribute to be included in the reject message. One can also use +# AccountingResponse option to specify that the proxy should send such. realm /\.com$ { } realm /^anonymous$ { replymessage "No Access" +# AccountingResponse On } # The realm below is equivalent to /.* realm * { server radius.example.com } +# If you don't have a default server you probably want to +# reject all unknowns. Optionally you can also include a message +#realm * { +# replymessage "User unknown" +#}
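Review bot: The added sentence `One can also use AccountingResponse option to specify that the proxy should send such.` leaves "such" without a referent, so the reader cannot tell what the option makes the proxy send; presumably the proxy itself answers accounting requests for a realm that has no server, but that should be confirmed against the option's handling in the proxy before the comment is reworded. A clearer form would be `# attribute to be included in the reject message. With AccountingResponse on` / `# the proxy itself answers accounting requests that match such a realm.`. The untouched line just above still reads "and requests matching this" where "any requests" is meant and could be fixed in the same hunk. The `realm /@example\.com$` block closed by this hunk's first line starts outside it.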