1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
#Master config file, must be in /etc/radsecproxy or proxy's current directory
# All possible config options are listed below
# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Max one of each, below are just multiple examples
#ListenUDP *:1814
#listenUDP localhost
#listenTCP 10.10.10.10:2084
#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:2084
# Optional log level. 3 is default, 1 is less, 4 is more
#LogLevel 3
#Optional LogDestinatinon, else stderr used for logging
# Logging to file
#LogDestination file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination x-syslog:///
#LogDestination x-syslog:///log_local2
#If we have TLS clients or servers we must define at least one tls block.
#You can name them whatever you like and then reference them by name when
#specifying clients or servers later. There are however three special names
#"default", "defaultclient" and "defaultserver". If no name is defined for
#a client, the "defaultclient" block will be used if it exists, if not the
#"default" will be used. For a server, "defaultserver" followed by "default"
#will be checked.
#
#The simplest configuration you can do is:
tls default {
# You must specify at least one of CACertificateFile or CACertificatePath
# for TLS to work. We always verify peer certificate (client and server)
# CACertificateFile /etc/cacerts/CA.pem
CACertificatePath /etc/cacerts
# You must specify the below for TLS, we always present our certificate
CertificateFile /etc/hostcertkey/host.example.com.pem
CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
CertificateKeyPassword "follow the white rabbit"
}
#If you want one cert for all clients and another for all servers, use
#defaultclient and defaultserver instead of default. If we wanted some
#particular server to use something else you could specify a block
#"tls myserver" and then reference that for that server. If you always
#name the tls block in the client/server config you don't need a default
#Now we configure clients, servers and realms. Note that these and
#also the lines above may be in any order, except that a realm
#can only be configured to use a server that is previously configured.
#A realm can be a literal domain name, * which matches all, or a
#regexp. A regexp is specified by the character prefix /
#For regexp we do case insensitive matching of the entire username string.
#The matching of realms is done in the order they are specified, using the
#first match found. Some examples are
#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
#To treat local users separately you might try first specifying "@"
#and after that "*".
client 2001:db8::1 {
type tls
secret verysecret
#we could specify tls here, e.g.
# tls myclient
#in order to use tls parameters named myclient. We don't, so we will
#use "tls defaultclient" if defined, or look for "tls default" as a
#last resort
}
client 127.0.0.1 {
type udp
secret secret
}
client radius.example.com {
type TLS
# secret is optional for TLS
}
server 127.0.0.1 {
type UDP
secret secret
}
realm eduroam.cc {
server 127.0.0.1
}
server 2001:db8::1 {
type TLS
port 2283
# secret is optional for TLS
#we could specify tls here, e.g.
# tls myserver
#in order to use tls parameters named myserver. We don't, so we will
#use "tls defaultserver" if defined, or look for "tls default" as a
#last resort
}
server radius.example.com {
type tls
secret verysecret
StatusServer on
# statusserver is optional, can be on or off. Off is default
}
# Equivalent to example.com
realm /@example\.com$ {
server 2001:db8::1
}
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message.
#
realm /\.com$ {
}
realm /^anonymous$ {
replymessage "No Access"
}
# The realm below is equivalent to /.*
realm * {
server radius.example.com
}
#If you don't have a default server you probably want to
#reject all unknowns. Optionally you can also include a message
#realm * {
# replymessage "User unknown"
#}
|
