File: abfab-tls

package info (click to toggle)
freeradius 3.0.12+dfsg-5+deb9u1
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 21,144 kB
  • ctags: 11,887
  • sloc: ansic: 109,067; sh: 5,176; perl: 2,648; sql: 1,397; python: 1,161; makefile: 374; xml: 62; tcl: 35; sed: 23; ruby: 22
file content (77 lines) | stat: -rw-r--r-- 2,128 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#
#	Example configuration for ABFAB listening on TLS.
#
#	$Id: 79d74e6fcbb12b1226f026383b8e1043092dd6fb $
#
listen {
	ipaddr = *
	port = 2083
	type = auth
	proto = tcp

	tls {
		private_key_password = whatever

		# Moonshot tends to distribute certs separate from keys
		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
		ca_file = /etc/ssl/certs/ca-certificates.crt
		dh_file = ${certdir}/dh
		fragment_size = 8192
		ca_path = ${cadir}
		cipher_list = "DEFAULT"

		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}

		require_client_cert = yes
		verify {
		}

		psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
	}

	virtual_server = abfab-idp

	clients = radsec-abfab
}

clients radsec-abfab {
	#
	#  Allow all clients, but require TLS.
	#  This client stanza will match other RP proxies from other
	#  realms  established via the trustrouter.  In general
	#  additional client stanzas are also required for local services.
	#
        client default {
	        ipaddr = 0.0.0.0/0
		proto = tls
	}

	#  An example local service
	#  client service_1 {
	#  	ipaddr = 192.0.2.20
	#  	#  You should either set gss_acceptor_host_name below
	#  	#  or set up policy to confirm that a client claims
	#  	#  the right acceptor hostname when using ABFAB.  If
	#  	#  set,  the RADIUS server will confirm that all
	#  	#  requests have this value for the acceptor host name
	#  	gss_acceptor_host_name = "server.example.com"
	#  	#  If set, this acceptor realm name will be included.
	#  Foreign realms will typically reject a request if this is not
	#  	#  properly set.
	#  	gss_acceptor_realm_name = "example.com"
	#  	#  Additionally, trust_router_coi can be set; if set
	#  	#  it will override the default_community in the realm
 	#  	#  module
	#  	# trust_router_coi =  "community1.example.net"
	#  	#  In production depployments it is important to set
	#  	#  	up certificate verification  so that even if
	#  	#  clients spoof IP addresses, one client cannot
	#  	#  impersonate another.
	#  }

}