X-Git-Url: http://www.project-moonshot.org/gitweb/?p=radsecproxy.git;a=blobdiff_plain;f=radsecproxy.conf.5.xml;h=503e61d7254444828fec7e1c91e105c4ef4a7a32;hp=3871e069a2e72e3de22b7f55d3993ccdece86a18;hb=4bca131c62f2405a615f6ff280f299eb667f570d;hpb=68d851156019f743618b39d31f7674981ed18a71 diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 3871e06..503e61d 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - 2012-12-12 + 2012-10-25 radsecproxy.conf 5 - radsecproxy 1.6-dev + radsecproxy 1.6.3-rc0 @@ -23,7 +23,7 @@ When the proxy server starts, it will first check the command line arguments, and then read the configuration file. Normally radsecproxy will read the configuration file - /etc/radsecproxy.conf. The command line + /usr/local/etc/radsecproxy.conf. The command line option can be used to instead read an alternate file (see @@ -103,7 +103,7 @@ blocktype name { shell globbing to specify multiple files, e.g.:
- include /etc/radsecproxy.conf.d/*.conf + include /usr/local/etc/radsecproxy.conf.d/*.conf
The files are sorted alphabetically. Included files are read in @@ -126,6 +126,17 @@ blocktype name { + PidFile + + + The PidFile option specifies the name of a file to which + the process id (PID) will be written. This is overridden + by the command line option. There is + no default value for the PidFile option. + + + + LogLevel @@ -403,6 +414,23 @@ blocktype name { + IPv4Only and IPv6Only + + + These can be set to on or + off with off being + the default. At most one of IPv4Only + and IPv6Only can be enabled. Enabling + IPv4Only or IPv6Only + makes radsecproxy resolve DNS names to the corresponding + address family only, and not the other. This is done for + both clients and servers. Note that this can be + overridden in client and + server blocks, see below. + + + + Include @@ -443,8 +471,11 @@ blocktype name { that client. The name of the client block must (with one exception, see below) be either the IP address (IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form - IpAddress/PrefixLength, or a domain name (FQDN). Note that - literal IPv6 addresses must be enclosed in brackets. + IpAddress/PrefixLength, or a domain name (FQDN). The way an + FQDN is resolved into an IP address may be influenced by the use + of the IPv4Only and + IPv6Only options. Note that literal IPv6 + addresses must be enclosed in brackets. If a domain name is specified, then this will be resolved @@ -475,24 +506,35 @@ blocktype name { The allowed options in a client block are - host, type, + host, IPv4Only, + IPv6Only, type, secret, tls, certificateNameCheck, matchCertificateAttribute, duplicateInterval, AddTTL, - fticksVISCOUNTRY, fticksVISINST, - rewrite, rewriteIn, - rewriteOut, and rewriteAttribute. + fticksVISCOUNTRY, + fticksVISINST, rewrite, + rewriteIn, rewriteOut, and + rewriteAttribute. + + We already discussed the host option. To + specify how radsecproxy should resolve a host + given as a DNS name, the IPv4Only or the + IPv6Only can be set to on. + At most one of these options can be enabled. Enabling + IPv4Only or IPv6Only here + overrides any basic settings set at the top level. - We already discussed the host option. The - value of type must be one of + The value of type must be one of udp, tcp, tls or dtls. The value of secret is the shared RADIUS key used with this client. If the secret contains whitespace, the value must be quoted. This option is optional for TLS/DTLS and if omitted - will default to "mysecret". Note that the default value of - secret will change in an upcoming release. + will default to "radsec". (Note that using a secret other than + "radsec" for TLS is a violation of the standard (RFC 6614) and + that the proposed standard for DTLS stipulates that the secret + must be "radius/dtls".) For a TLS/DTLS client you may also specify the @@ -504,6 +546,15 @@ blocktype name { default. If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. + + NOTE: All versions of radsecproxy up to and including 1.6 + erroneously verify client certificate chains using the CA in the + very first matching client block regardless of which block is + used for the final decision. This was changed in version 1.6.1 + so that a client block with a different tls + option than the first matching client block is no longer + considered for verification of clients. + For a TLS/DTLS client, the option @@ -601,9 +652,11 @@ blocktype name { after startup. If the domain name resolves to multiple addresses, then for UDP/DTLS the first address is used. For TCP/TLS, the proxy will loop through the addresses until it can - connect to one of them. In the case of TLS/DTLS, the name of the - server must match the FQDN or IP address in the server - certificate. + connect to one of them. The way an FQDN is resolved into an IP + address may be influenced by the use of the + IPv4Only and IPv6Only + options. In the case of TLS/DTLS, the name of the server must + match the FQDN or IP address in the server certificate. Alternatively one may use the host option @@ -627,22 +680,31 @@ blocktype name { The allowed options in a server block are host, port, + IPv4Only, IPv6Only, type, secret, tls, certificateNameCheck, matchCertificateAttribute, AddTTL, rewrite, rewriteIn, rewriteOut, statusServer, retryCount, - retryInterval, dynamicLookupCommand and + retryInterval and LoopPrevention. - We already discussed the host option. The - port option allows you to specify which port - number the server uses. The usage of type, - secret, tls, - certificateNameCheck, + + We already discussed the host option. To + specify how radsecproxy should resolve a host + given as a DNS name, the IPv4Only or the + IPv6Only can be set to on. + At most one of these options can be enabled. Enabling + IPv4Only or IPv6Only here + overrides any basic settings set at the top level. + + The port option allows you to specify which + port number the server uses. The usage of + type, secret, + tls, certificateNameCheck, matchCertificateAttribute, AddTTL, rewrite, rewriteIn and rewriteOut @@ -671,8 +733,17 @@ blocktype name { The option dynamicLookupCommand can be used to specify a command that should be executed to dynamically - configure and use a server. The use of this feature will be - documented separately/later. + configure a server. The executable file should be given with + full path and will be invoked with the name of the realm as its + first and only argument. It should either print a valid + server option on stdout and exit with a code + of 0 or print nothing and exit with a non-zero exit code. An + example of a shell script resolving the DNS NAPTR records for + the realm and then the SRV records for each NAPTR matching + 'x-eduroam:radius.tls' is provided in + tools/naptr-eduroam.sh. This option was + added in radsecproxy-1.3 but tends to crash radsecproxy versions + earlier than 1.6. Using the LoopPrevention option here @@ -890,7 +961,7 @@ blocktype name { defaultClient and defaultServer. Note that these defaults are only used for rewrite on input. No rewriting is done on output - unless explicitly specifed using the + unless explicitly specified using the rewriteOut option.