1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
# Master config file, must be in /etc/radsecproxy or specified with -c option
# All possible config options are listed below
# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Multiple statements can be used for multiple ports/addresses
#ListenUDP *:1814
#listenUDP localhost
#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812
#listenTLS 10.10.10.10:2084
#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP 127.0.0.1:33000
#SourceTCP *:33000
#SourceTLS *:33001
#SourceDTLS *:33001
# Optional log level. 3 is default, 1 is less, 4 is more
#LogLevel 3
# Optional LogDestinatinon, else stderr used for logging
# Logging to file
#LogDestination file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination x-syslog:///
#LogDestination x-syslog:///log_local2
# There is an option for doing some simple loop prevention
#LoopPrevention on
# Add TTL attribute with value 20 if not present (prevents endless loops)
#addTTL 20
# If we have TLS clients or servers we must define at least one tls block.
# You can name them whatever you like and then reference them by name when
# specifying clients or servers later. There are however three special names
# "default", "defaultclient" and "defaultserver". If no name is defined for
# a client, the "defaultclient" block will be used if it exists, if not the
# "default" will be used. For a server, "defaultserver" followed by "default"
# will be checked.
#
# The simplest configuration you can do is:
tls default {
# You must specify at least one of CACertificateFile or CACertificatePath
# for TLS to work. We always verify peer certificate (client and server)
# CACertificateFile /etc/cacerts/CA.pem
CACertificatePath /etc/cacerts
# You must specify the below for TLS, we always present our certificate
CertificateFile /etc/hostcertkey/host.example.com.pem
CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
CertificateKeyPassword "follow the white rabbit"
# Optionally enable CRL checking
# CRLCheck on
# Optionally specify how long CAs and CRLs are cached, default forever
# CacheExpiry 3600
# Optionally require that peer certs have one of the specified policyOIDs
# policyoid 1.2.3 # this option can be used multiple times
# policyoid 1.3.4
}
# If you want one cert for all clients and another for all servers, use
# defaultclient and defaultserver instead of default. If we wanted some
# particular server to use something else you could specify a block
# "tls myserver" and then reference that for that server. If you always
# name the tls block in the client/server config you don't need a default
# Now we configure clients, servers and realms. Note that these and
# also the lines above may be in any order, except that a realm
# can only be configured to use a server that is previously configured.
# A realm can be a literal domain name, * which matches all, or a
# regexp. A regexp is specified by the character prefix /
# For regexp we do case insensitive matching of the entire username string.
# The matching of realms is done in the order they are specified, using the
# first match found. Some examples are
# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
# To treat local users separately you might try first specifying "@"
# and after that "*".
# Configure a rewrite block if you want to add/remove/modify attributes
# rewrite example {
# removeAttribute 5
# removeVendorAttribute 99:100
# addAttribute 4 attribute%20value
# modifyAttribute 1:/^(.*)@local$/\1@example.com/
# }
client 2001:db8::1 {
type tls
secret verysecret
# we could specify tls here, e.g.
# tls myclient
# in order to use tls parameters named myclient. We don't, so we will
# use "tls defaultclient" if defined, or look for "tls default" as a
# last resort
}
client 127.0.0.1 {
type udp
secret secret
# Might do rewriting of incoming messages using rewrite block example
# rewriteIn example
# Can also do rewriting of outgoing messages
# rewriteOut example
}
client 127.0.0.1 {
type tcp
secret secret
}
client radius.example.com {
type tls
# secret is optional for TLS
}
client radius.example.com {
type dtls
# secret is optional for DTLS
}
server 127.0.0.1 {
type UDP
secret secret
# Might do rewriting of incoming messages using rewrite block example
# rewriteIn example
# Can also do rewriting of outgoing messages
# rewriteOut example
}
realm eduroam.cc {
server 127.0.0.1
# If also want to use this server for accounting, specify
# accountingServer 127.0.0.1
}
server 2001:db8::1 {
type TLS
port 2283
# secret is optional for TLS
# we could specify tls here, e.g.
# tls myserver
# in order to use tls parameters named myserver. We don't, so we will
# use "tls defaultserver" if defined, or look for "tls default" as a
# last resort
}
server radius.example.com {
type tls
secret verysecret
StatusServer on
# statusserver is optional, can be on or off. Off is default
}
#server radius.example.com {
# type dtls
# secret verysecret
# StatusServer on
## statusserver is optional, can be on or off. Off is default
#}
# Equivalent to example.com
realm /@example\.com$ {
server 2001:db8::1
}
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message. One can also use
# AccountingResponse option to specify that the proxy should send such.
realm /\.com$ {
}
realm /^anonymous$ {
replymessage "No Access"
# AccountingResponse On
}
# The realm below is equivalent to /.*
realm * {
server radius.example.com
}
# If you don't have a default server you probably want to
# reject all unknowns. Optionally you can also include a message
#realm * {
# replymessage "User unknown"
#}
|
