From 355e140b8839fff12f6636b634402c72124a367e Mon Sep 17 00:00:00 2001 From: venaas Date: Tue, 6 Jan 2009 17:10:24 +0000 Subject: update config example git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@451 e88ac4ed-0b26-0410-9574-a7f39faa03bf --- radsecproxy.conf-example | 83 +++++++++++++++++++++++++----------------------- 1 file changed, 43 insertions(+), 40 deletions(-) (limited to 'radsecproxy.conf-example') diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example index fdae1dd..5fcc4a6 100644 --- a/radsecproxy.conf-example +++ b/radsecproxy.conf-example @@ -1,18 +1,16 @@ -#Master config file, must be in /etc/radsecproxy or specified with -c option +# Master config file, must be in /etc/radsecproxy or specified with -c option # All possible config options are listed below # First you may define any global options, these are: # # You can optionally specify addresses and ports to listen on -# Max one of each, below are just multiple examples +# Multiple statements can be used for multiple ports/addresses #ListenUDP *:1814 #listenUDP localhost #ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812 #listenTLS 10.10.10.10:2084 #ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 #ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 -# To listen to the default or other Accounting port for UDP you need e.g. -#ListenAccountingUDP *:1813 # To specify a certain address/port for UDP/TLS requests you can use e.g. #SourceUDP 127.0.0.1:33000 @@ -21,7 +19,7 @@ #SourceDTLS *:33001 # Optional log level. 3 is default, 1 is less, 4 is more #LogLevel 3 -#Optional LogDestinatinon, else stderr used for logging +# Optional LogDestinatinon, else stderr used for logging # Logging to file #LogDestination file:///tmp/rp.log # Or logging with Syslog. LOG_DAEMON used if facility not specified @@ -30,18 +28,20 @@ #LogDestination x-syslog:/// #LogDestination x-syslog:///log_local2 -#There is an option for doing some simple loop prevention +# There is an option for doing some simple loop prevention #LoopPrevention on +# Add TTL attribute with value 20 if not present (prevents endless loops) +#addTTL 20 -#If we have TLS clients or servers we must define at least one tls block. -#You can name them whatever you like and then reference them by name when -#specifying clients or servers later. There are however three special names -#"default", "defaultclient" and "defaultserver". If no name is defined for -#a client, the "defaultclient" block will be used if it exists, if not the -#"default" will be used. For a server, "defaultserver" followed by "default" -#will be checked. +# If we have TLS clients or servers we must define at least one tls block. +# You can name them whatever you like and then reference them by name when +# specifying clients or servers later. There are however three special names +# "default", "defaultclient" and "defaultserver". If no name is defined for +# a client, the "defaultclient" block will be used if it exists, if not the +# "default" will be used. For a server, "defaultserver" followed by "default" +# will be checked. # -#The simplest configuration you can do is: +# The simplest configuration you can do is: tls default { # You must specify at least one of CACertificateFile or CACertificatePath # for TLS to work. We always verify peer certificate (client and server) @@ -57,26 +57,29 @@ tls default { # CRLCheck on # Optionally specify how long CAs and CRLs are cached, default forever # CacheExpiry 3600 + # Optionally require that peer certs have one of the specified policyOIDs + # policyoid 1.2.3 # this option can be used multiple times + # policyoid 1.3.4 } -#If you want one cert for all clients and another for all servers, use -#defaultclient and defaultserver instead of default. If we wanted some -#particular server to use something else you could specify a block -#"tls myserver" and then reference that for that server. If you always -#name the tls block in the client/server config you don't need a default +# If you want one cert for all clients and another for all servers, use +# defaultclient and defaultserver instead of default. If we wanted some +# particular server to use something else you could specify a block +# "tls myserver" and then reference that for that server. If you always +# name the tls block in the client/server config you don't need a default -#Now we configure clients, servers and realms. Note that these and -#also the lines above may be in any order, except that a realm -#can only be configured to use a server that is previously configured. +# Now we configure clients, servers and realms. Note that these and +# also the lines above may be in any order, except that a realm +# can only be configured to use a server that is previously configured. -#A realm can be a literal domain name, * which matches all, or a -#regexp. A regexp is specified by the character prefix / -#For regexp we do case insensitive matching of the entire username string. -#The matching of realms is done in the order they are specified, using the -#first match found. Some examples are -#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". -#To treat local users separately you might try first specifying "@" -#and after that "*". +# A realm can be a literal domain name, * which matches all, or a +# regexp. A regexp is specified by the character prefix / +# For regexp we do case insensitive matching of the entire username string. +# The matching of realms is done in the order they are specified, using the +# first match found. Some examples are +# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". +# To treat local users separately you might try first specifying "@" +# and after that "*". # Configure a rewrite block if you want to add/remove/modify attributes # rewrite example { @@ -89,11 +92,11 @@ tls default { client 2001:db8::1 { type tls secret verysecret -#we could specify tls here, e.g. +# we could specify tls here, e.g. # tls myclient -#in order to use tls parameters named myclient. We don't, so we will -#use "tls defaultclient" if defined, or look for "tls default" as a -#last resort +# in order to use tls parameters named myclient. We don't, so we will +# use "tls defaultclient" if defined, or look for "tls default" as a +# last resort } client 127.0.0.1 { type udp @@ -134,11 +137,11 @@ server 2001:db8::1 { type TLS port 2283 # secret is optional for TLS -#we could specify tls here, e.g. +# we could specify tls here, e.g. # tls myserver -#in order to use tls parameters named myserver. We don't, so we will -#use "tls defaultserver" if defined, or look for "tls default" as a -#last resort +# in order to use tls parameters named myserver. We don't, so we will +# use "tls defaultserver" if defined, or look for "tls default" as a +# last resort } server radius.example.com { type tls @@ -171,8 +174,8 @@ realm /^anonymous$ { realm * { server radius.example.com } -#If you don't have a default server you probably want to -#reject all unknowns. Optionally you can also include a message +# If you don't have a default server you probably want to +# reject all unknowns. Optionally you can also include a message #realm * { # replymessage "User unknown" #} -- cgit v1.2.3