diff --git a/fticks.c b/fticks.c
index f8b4c20..0918aa5 100644
--- a/fticks.c
+++ b/fticks.c
@@ -17,55 +17,61 @@ fticks_configure(struct options *options,
const char *reporting = (const char *) *reportingp;
const char *mac = (const char *) *macp;
- if (reporting == NULL)
- goto out;
- if (strcasecmp(reporting, "None") == 0)
- options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
- else if (strcasecmp(reporting, "Basic") == 0)
- options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
- else if (strcasecmp(reporting, "Full") == 0)
- options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
- else {
- debugx(1, DBG_ERR, "config error: invalid FTicksReporting value: %s",
- reporting);
- r = 1;
- goto out;
+ /* Set defaults. */
+ options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
+ options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
+
+ if (reporting != NULL) {
+ if (strcasecmp(reporting, "None") == 0)
+ options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
+ else if (strcasecmp(reporting, "Basic") == 0)
+ options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
+ else if (strcasecmp(reporting, "Full") == 0)
+ options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
+ else {
+ debugx(1, DBG_ERR,
+ "config error: invalid FTicksReporting value: %s",
+ reporting);
+ r = 1;
+ }
}
- if (mac == NULL)
- goto out;
- if (strcasecmp(mac, "Static") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_STATIC;
- else if (strcasecmp(mac, "Original") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
- else if (strcasecmp(mac, "VendorHashed") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
- else if (strcasecmp(mac, "VendorKeyHashed") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
- else if (strcasecmp(mac, "FullyHashed") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
- else if (strcasecmp(mac, "FullyKeyHashed") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
- else {
- debugx(1, DBG_ERR, "config error: invalid FTicksMAC value: %s", mac);
- r = 1;
- goto out;
+ if (mac != NULL) {
+ if (strcasecmp(mac, "Static") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_STATIC;
+ else if (strcasecmp(mac, "Original") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
+ else if (strcasecmp(mac, "VendorHashed") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
+ else if (strcasecmp(mac, "VendorKeyHashed") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
+ else if (strcasecmp(mac, "FullyHashed") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
+ else if (strcasecmp(mac, "FullyKeyHashed") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
+ else {
+ debugx(1, DBG_ERR,
+ "config error: invalid FTicksMAC value: %s", mac);
+ r = 1;
+ }
}
- if (*keyp == NULL
- && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
- || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
+ if (*keyp != NULL) {
+ options->fticks_key = *keyp;
+ if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED
+ && options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED)
+ debugx(1, DBG_WARN, "config warning: FTicksKey not used");
+ }
+ else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE
+ && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
+ || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
debugx(1, DBG_ERR,
- "config error: FTicksMAC %s requires an FTicksKey", mac);
- options->fticks_mac = RSP_FTICKS_MAC_STATIC;
+ "config error: FTicksMAC values VendorKeyHashed and "
+ "FullyKeyHashed require an FTicksKey");
+ options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
r = 1;
- goto out;
}
- if (*keyp != NULL)
- options->fticks_key = *keyp;
-
-out:
if (*reportingp != NULL) {
free(*reportingp);
*reportingp = NULL;
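Review bot: The new `if (*keyp != NULL)` branch accepts any non-NULL FTicksKey, including an empty string, so VendorKeyHashed or FullyKeyHashed could run with effectively no key and the "missing key" error below it would never fire. A MAC address has a small search space, so a keyed hash with an empty or trivially short key protects little more than the unkeyed variants. I would reject that case explicitly, for example `if (*keyp != NULL && (*keyp)[0] == '\0')` logging a config error and setting `r = 1`, while still letting the existing cleanup own the buffer. Whether the config parser can return an empty string at all is not visible here, and the body of fticks_configure starts and ends outside this hunk, so please confirm against the parser and the cleanup code.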
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 909356c..2c1b35b 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -39,12 +39,13 @@
# fticksVISCOUNTRY option.
# You can optionally specify FTicksMAC in order to determine if and
-# how Calling-Station-Id is logged.
+# how Calling-Station-Id (users Ethernet MAC address) is being logged.
# Static -- Use a static string as a placeholder for
-# Calling-Station-Id. This is the default.
+# Calling-Station-Id.
# Original -- Log Calling-Station-Id as-is.
# VendorHashed -- Keep first three segments as-is, hash the rest.
-# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key.
+# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This
+# is the default.
# FullyHashed -- Hash the entire string.
# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key.
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 7fef19c..993eb44 100644
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -176,13 +176,17 @@ blocktype name {
The FTicksReporting option is used to enable F-Ticks
logging and can be set to None,
Basic or Full. Its
- default value is None.
+ default value is None. If
+ FTicksReporting is set to anything other than
+ None, note that the default value for
+ FTicksMAC is VendorKeyHashed which
+ needs FTicksKey to be set.
See radsecproxy.conf-example for
details. Note that radsecproxy has to be configured with
- support for F-Ticks (--enable-fticks)
- for this option to have any effect.
+ F-Ticks support (--enable-fticks) for
+ this option to have any effect.
@@ -192,23 +196,31 @@ blocktype name {
The FTicksMAC option can be used to control if and how
- Calling-Station-Id is being logged. It can be set to one
- of Static,
- Original,
+ Calling-Station-Id (the users Ethernet MAC address) is
+ being logged. It can be set to one of
+ Static, Original,
VendorHashed,
VendorKeyHashed,
FullyHashed or
FullyKeyHashed.
- The default value for FTicksMAC is Static.
- Before chosing any of Original
+ The default value for FTicksMAC is
+ VendorKeyHashed. This means that
+ FTicksKey has to be set.
+
+ Before chosing any of Original,
+ FullyHashed or
+ VendorHashed, consider the implications
+ for user privacy when MAC addresses are collected. How
+ will the logs be stored, transferred and accessed?
+
See radsecproxy.conf-example for
details. Note that radsecproxy has to be configured with
- support for F-Ticks (--enable-fticks)
- for this option to have any effect.
+ F-Ticks support (--enable-fticks) for
+ this option to have any effect.
@@ -223,8 +235,8 @@ blocktype name {
option.
- Note that radsecproxy has to be configured with support
- for F-Ticks (--enable-fticks) for this
+ Note that radsecproxy has to be configured with F-Ticks
+ support (--enable-fticks) for this
option to have any effect.
diff --git a/radsecproxy.h b/radsecproxy.h
index f7cc570..08e98b2 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -45,10 +45,10 @@ enum rsp_fticks_reporting_type {
};
enum rsp_fticks_mac_type {
- RSP_FTICKS_MAC_STATIC = 0, /* Default. */
+ RSP_FTICKS_MAC_STATIC = 0,
RSP_FTICKS_MAC_ORIGINAL,
RSP_FTICKS_MAC_VENDOR_HASHED,
- RSP_FTICKS_MAC_VENDOR_KEY_HASHED,
+ RSP_FTICKS_MAC_VENDOR_KEY_HASHED, /* Default. */
RSP_FTICKS_MAC_FULLY_HASHED,
RSP_FTICKS_MAC_FULLY_KEY_HASHED
};
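Review bot: The `/* Default. */` marker now sits on a constant that is not the enum's zero value, so it holds only for an options struct that has passed through fticks_configure(); a zero-initialised struct still yields RSP_FTICKS_MAC_STATIC. I would make the comment say where the default comes from, e.g. `RSP_FTICKS_MAC_VENDOR_KEY_HASHED, /* Default, set in fticks_configure(). */`, and add `/* Zero value; placeholder string, no MAC logged. */` on RSP_FTICKS_MAC_STATIC. How the options struct is allocated is not visible in this diff, so this is a documentation point rather than a confirmed defect.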