1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
|
# Master config file, all possible config options are listed below
# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Multiple statements can be used for multiple ports/addresses
#ListenUDP *:1814
#ListenUDP localhost
#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812
#ListenTLS 10.10.10.10:2084
#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP 127.0.0.1:33000
#SourceTCP *:33000
#SourceTLS *:33001
#SourceDTLS *:33001
# Optional log level. 3 is default, 1 is less, 5 is more
#LogLevel 3
# Optional LogDestination, else stderr used for logging
# Logging to file
#LogDestination file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination x-syslog:///
#LogDestination x-syslog:///log_local2
# Optional log thread Id
#LogThreadId on
# For generating log entries conforming to the F-Ticks system, specify
# FTicksReporting with one of the following values.
# None -- Do not log in F-Ticks format. This is the default.
# Basic -- Do log in F-Ticks format but do not log VISINST.
# Full -- Do log in F-Ticks format and do log VISINST.
# Please note that in order to get F-Ticks logging for a given client,
# its matching client configuration block has to contain the
# fticksVISCOUNTRY option.
# You can optionally specify Log MAC and FTicksMAC in order to determine if and
# how Calling-Station-Id (users Ethernet MAC address) is being logged.
# Static -- Use a static string as a placeholder for
# Calling-Station-Id in F-Ticks, of omit it in normal log.
# Original -- Log Calling-Station-Id as-is. This is the default for log.
# VendorHashed -- Keep first three segments as-is, hash the rest.
# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key or Log-key
# respectively. This is the default for F-Ticks.
# FullyHashed -- Hash the entire string.
# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key.
# In order to use LogMAC or FTicksMAC with one of VendorKeyHashed or
# FullyKeyHashed, specify a key with LogKey or FTicksKey.
#LogKey <key>
#FTicksKey <key>
# Default Log andF-Ticks configuration:
#LogMAC Original
#FTicksReporting None
#FTicksMAC Static
# You can optionally specify FTicksSyslogFacility to use a dedicated
# syslog facility for F-Ticks messages. This allows for easier filtering
# of F-Ticks messages.
# F-Ticks messages are always logged using the log level LOG_DEBUG.
# Note that specifying a file (using the file:/// prefix) is not supported.
#FTicksSyslogFacility log_local1
#FTicksSyslogFacility x-syslog:///log_local1
# If you are using radsecproxy outside the eduroam context, and you want
# F-Ticks messages to have your own prefix instead of eduroam, you can set:
#FTicksPrefix <prefix>
# There is an option for doing some simple loop prevention. Note that
# the LoopPrevention directive can be used in server blocks too,
# overriding what's set here in the basic settings.
#LoopPrevention on
# Add TTL attribute with value 20 if not present (prevents endless loops)
#AddTTL 20
# If we have TLS clients or servers we must define at least one tls block.
# You can name them whatever you like and then reference them by name when
# specifying clients or servers later. There are however three special names
# "default", "defaultclient" and "defaultserver". If no name is defined for
# a client, the "defaultclient" block will be used if it exists, if not the
# "default" will be used. For a server, "defaultserver" followed by "default"
# will be checked.
#
# The simplest configuration you can do is:
tls default {
# You must specify at least one of CACertificateFile or CACertificatePath
# for TLS to work. We always verify peer certificate (client and server)
# CACertificateFile /etc/cacerts/CA.pem
CACertificatePath /etc/cacerts
# You must specify the below for TLS, we always present our certificate
CertificateFile /etc/hostcertkey/host.example.com.pem
CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
CertificateKeyPassword "follow the white rabbit"
# Optionally enable CRL checking
# CRLCheck on
# Optionally specify how long CAs and CRLs are cached, default forever
# CacheExpiry 3600
# Optionally require that peer certs have one of the specified policyOIDs
# policyoid 1.2.3 # this option can be used multiple times
# policyoid 1.3.4
# Require at least TLS1.2, overriding system defaults
# TLSVersion TLS1_2:
}
# If you want one cert for all clients and another for all servers, use
# defaultclient and defaultserver instead of default. If we wanted some
# particular server to use something else you could specify a block
# "tls myserver" and then reference that for that server. If you always
# name the tls block in the client/server config you don't need a default
# Now we configure clients, servers and realms. Note that these and
# also the lines above may be in any order, except that a realm
# can only be configured to use a server that is previously configured.
# A realm can be a literal domain name, * which matches all, or a
# regexp. A regexp is specified by the character prefix /
# For regexp we do case insensitive matching of the entire username string.
# The matching of realms is done in the order they are specified, using the
# first match found. Some examples are
# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
# To treat local users separately you might try first specifying "@"
# and after that "*".
# Configure a rewrite block if you want to add/remove/modify attributes
# rewrite example {
# # Remove NAS-Port.
# removeAttribute 5
# # Remove vendor attribute 100.
# removeVendorAttribute 99:100
# # Called-Station-Id = "123456"
# addAttribute 30:123456
# # Vendor-99-Attr-101 = 0x0f
# addVendorAttribute 99:101:%0f
# # Change users @local to @example.com.
# modifyAttribute 1:/^(.*)@local$/\1@example.com/
# }
client [2001:db8::1] {
type tls
secret verysecret
# we could specify tls here, e.g.
# tls myclient
# in order to use tls parameters named myclient. We don't, so we will
# use "tls defaultclient" if defined, or look for "tls default" as a
# last resort
}
client 127.0.0.1 {
type udp
secret secret
# Might do rewriting of incoming messages using rewrite block example
# rewriteIn example
# Can also do rewriting of outgoing messages
# rewriteOut example
}
client 127.0.0.1 {
type tcp
secret secret
}
client radius.example.com {
type tls
# secret is optional for TLS
}
client radius.example.com {
type dtls
# secret is optional for DTLS
}
client localhost {
type tls
pskkey mysecretpresharedkey
#a client using TLS-PSK with implicit default psk context and using client name as psk-identity
}
server 127.0.0.1 {
type UDP
secret secret
# Might do rewriting of incoming messages using rewrite block example
# rewriteIn example
# Can also do rewriting of outgoing messages
# rewriteOut example
# Might override loop prevention here too:
# LoopPrevention off
}
realm eduroam.cc {
server 127.0.0.1
# If also want to use this server for accounting, specify
# accountingServer 127.0.0.1
}
server [2001:db8::1] {
type TLS
port 2283
# secret is optional for TLS
# we could specify tls here, e.g.
# tls myserver
# in order to use tls parameters named myserver. We don't, so we will
# use "tls defaultserver" if defined, or look for "tls default" as a
# last resort
}
server radius.example.com {
type tls
secret radsec
StatusServer on
# statusserver is optional, can be on or off. Off is default
tcpKeepalive on
# tcp and tls connections also support TCP keepalives.
# Optionally specify the SNI for the outgoing connection
# sni www.example.com
}
#server radius.example.com {
# type dtls
# secret verysecret
# StatusServer on
## statusserver is optional, can be on or off. Off is default
#}
server radius.example.com {
type tls
pskidentity my.psk.identity
pskkey mysecretpresharedkey
#a minimal TLS-PSK server config using implicit default psk context
}
#server template for dynamic discovery, looking for NAPTR DNS records
server dyndisc {
type tls
tls default
dynamicLookupCommand naptr:x-eduroam:radius.tls
#alternatively call a script that poerforms the lookup
#dynamicLookupCommand /usr/local/bin/naptr-eduroam.sh
}
# Equivalent to example.com
realm /@example\.com$ {
server 2001:db8::1
}
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message. One can also use
# AccountingResponse option to specify that the proxy should send such.
realm /\.com$ {
}
realm /^anonymous$ {
replymessage "No Access"
# AccountingResponse On
}
# The realm below is equivalent to /.*
realm * {
server dyndisc
}
# If you don't have a default server you probably want to
# reject all unknowns. Optionally you can also include a message
#realm * {
# replymessage "User unknown"
#}
|
