Skip to content
Permalink
1.9.2-mpi
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
# Master config file, all possible config options are listed below
# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Multiple statements can be used for multiple ports/addresses
#ListenUDP *:1814
#ListenUDP localhost
#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812
#ListenTLS 10.10.10.10:2084
#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP 127.0.0.1:33000
#SourceTCP *:33000
#SourceTLS *:33001
#SourceDTLS *:33001
# Optional log level. 3 is default, 1 is less, 5 is more
#LogLevel 3
# Optional LogDestination, else stderr used for logging
# Logging to file
#LogDestination file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination x-syslog:///
#LogDestination x-syslog:///log_local2
# Optional log thread Id
#LogThreadId on
# For generating log entries conforming to the F-Ticks system, specify
# FTicksReporting with one of the following values.
# None -- Do not log in F-Ticks format. This is the default.
# Basic -- Do log in F-Ticks format but do not log VISINST.
# Full -- Do log in F-Ticks format and do log VISINST.
# Please note that in order to get F-Ticks logging for a given client,
# its matching client configuration block has to contain the
# fticksVISCOUNTRY option.
# You can optionally specify Log MAC and FTicksMAC in order to determine if and
# how Calling-Station-Id (users Ethernet MAC address) is being logged.
# Static -- Use a static string as a placeholder for
# Calling-Station-Id in F-Ticks, of omit it in normal log.
# Original -- Log Calling-Station-Id as-is. This is the default for log.
# VendorHashed -- Keep first three segments as-is, hash the rest.
# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key or Log-key
# respectively. This is the default for F-Ticks.
# FullyHashed -- Hash the entire string.
# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key.
# In order to use LogMAC or FTicksMAC with one of VendorKeyHashed or
# FullyKeyHashed, specify a key with LogKey or FTicksKey.
#LogKey <key>
#FTicksKey <key>
# Default Log andF-Ticks configuration:
#LogMAC Original
#FTicksReporting None
#FTicksMAC Static
# You can optionally specify FTicksSyslogFacility to use a dedicated
# syslog facility for F-Ticks messages. This allows for easier filtering
# of F-Ticks messages.
# F-Ticks messages are always logged using the log level LOG_DEBUG.
# Note that specifying a file (using the file:/// prefix) is not supported.
#FTicksSyslogFacility log_local1
#FTicksSyslogFacility x-syslog:///log_local1
# If you are using radsecproxy outside the eduroam context, and you want
# F-Ticks messages to have your own prefix instead of eduroam, you can set:
#FTicksPrefix <prefix>
# There is an option for doing some simple loop prevention. Note that
# the LoopPrevention directive can be used in server blocks too,
# overriding what's set here in the basic settings.
#LoopPrevention on
# Add TTL attribute with value 20 if not present (prevents endless loops)
#AddTTL 20
# If we have TLS clients or servers we must define at least one tls block.
# You can name them whatever you like and then reference them by name when
# specifying clients or servers later. There are however three special names
# "default", "defaultclient" and "defaultserver". If no name is defined for
# a client, the "defaultclient" block will be used if it exists, if not the
# "default" will be used. For a server, "defaultserver" followed by "default"
# will be checked.
#
# The simplest configuration you can do is:
tls default {
# You must specify at least one of CACertificateFile or CACertificatePath
# for TLS to work. We always verify peer certificate (client and server)
# CACertificateFile /etc/cacerts/CA.pem
CACertificatePath /etc/cacerts
# You must specify the below for TLS, we always present our certificate
CertificateFile /etc/hostcertkey/host.example.com.pem
CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
CertificateKeyPassword "follow the white rabbit"
# Optionally enable CRL checking
# CRLCheck on
# Optionally specify how long CAs and CRLs are cached, default forever
# CacheExpiry 3600
# Optionally require that peer certs have one of the specified policyOIDs
# policyoid 1.2.3 # this option can be used multiple times
# policyoid 1.3.4
# Require at least TLS1.2, overriding system defaults
# TLSVersion TLS1_2:
}
# If you want one cert for all clients and another for all servers, use
# defaultclient and defaultserver instead of default. If we wanted some
# particular server to use something else you could specify a block
# "tls myserver" and then reference that for that server. If you always
# name the tls block in the client/server config you don't need a default
# Now we configure clients, servers and realms. Note that these and
# also the lines above may be in any order, except that a realm
# can only be configured to use a server that is previously configured.
# A realm can be a literal domain name, * which matches all, or a
# regexp. A regexp is specified by the character prefix /
# For regexp we do case insensitive matching of the entire username string.
# The matching of realms is done in the order they are specified, using the
# first match found. Some examples are
# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
# To treat local users separately you might try first specifying "@"
# and after that "*".
# Configure a rewrite block if you want to add/remove/modify attributes
# rewrite example {
# # Remove NAS-Port.
# removeAttribute 5
# # Remove vendor attribute 100.
# removeVendorAttribute 99:100
# # Called-Station-Id = "123456"
# addAttribute 30:123456
# # Vendor-99-Attr-101 = 0x0f
# addVendorAttribute 99:101:%0f
# # Change users @local to @example.com.
# modifyAttribute 1:/^(.*)@local$/\1@example.com/
# }
client [2001:db8::1] {
type tls
secret verysecret
# we could specify tls here, e.g.
# tls myclient
# in order to use tls parameters named myclient. We don't, so we will
# use "tls defaultclient" if defined, or look for "tls default" as a
# last resort
}
client 127.0.0.1 {
type udp
secret secret
# Might do rewriting of incoming messages using rewrite block example
# rewriteIn example
# Can also do rewriting of outgoing messages
# rewriteOut example
}
client 127.0.0.1 {
type tcp
secret secret
}
client radius.example.com {
type tls
# secret is optional for TLS
}
client radius.example.com {
type dtls
# secret is optional for DTLS
}
server 127.0.0.1 {
type UDP
secret secret
# Might do rewriting of incoming messages using rewrite block example
# rewriteIn example
# Can also do rewriting of outgoing messages
# rewriteOut example
# Might override loop prevention here too:
# LoopPrevention off
}
realm eduroam.cc {
server 127.0.0.1
# If also want to use this server for accounting, specify
# accountingServer 127.0.0.1
}
server [2001:db8::1] {
type TLS
port 2283
# secret is optional for TLS
# we could specify tls here, e.g.
# tls myserver
# in order to use tls parameters named myserver. We don't, so we will
# use "tls defaultserver" if defined, or look for "tls default" as a
# last resort
}
server radius.example.com {
type tls
secret radsec
StatusServer on
# statusserver is optional, can be on or off. Off is default
tcpKeepalive on
# tcp and tls connections also support TCP keepalives.
}
#server radius.example.com {
# type dtls
# secret verysecret
# StatusServer on
## statusserver is optional, can be on or off. Off is default
#}
# Equivalent to example.com
realm /@example\.com$ {
server 2001:db8::1
}
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message. One can also use
# AccountingResponse option to specify that the proxy should send such.
realm /\.com$ {
}
realm /^anonymous$ {
replymessage "No Access"
# AccountingResponse On
}
# The realm below is equivalent to /.*
realm * {
server radius.example.com
}
# If you don't have a default server you probably want to
# reject all unknowns. Optionally you can also include a message
#realm * {
# replymessage "User unknown"
#}