summaryrefslogtreecommitdiff
path: root/radsecproxy.conf.5
diff options
context:
space:
mode:
Diffstat (limited to 'radsecproxy.conf.5')
-rw-r--r--radsecproxy.conf.521
1 files changed, 12 insertions, 9 deletions
diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5
index b19ebb3..8d7e246 100644
--- a/radsecproxy.conf.5
+++ b/radsecproxy.conf.5
@@ -130,11 +130,10 @@ dependency on DNS after startup. When some client later sends a request to the
proxy, the proxy will look at the IP address the request comes from, and then go
through all the addresses of each of the configured clients, to determine which
(if any) of the clients this is. In the case of TLS, the name of the client must
-match the FQDN or IP address in the client certificate. Note that at the time of
-writing it must match the certificate CN. This will be extended to check
-subjectAltName if present.
+match the FQDN or IP address in the client certificate.
.sp
-The allowed options in a client block are \fBtype\fR, \fBsecret\fR and \fBtls\fR.
+The allowed options in a client block are \fBtype\fR, \fBsecret\fR, \fBtls\fR
+and \fBmatchcertificateattribute\fR.
The value of \fBtype\fR must be either \fBudp\fR or \fBtls\fR. The value of
\fBsecret\fR is the shared RADIUS key used with this client. If the secret
contains whitespace, the value must be quoted. This option is optional for TLS.
@@ -143,7 +142,11 @@ be the name of a previously defined TLS block. If this option is not specified,
the TLS block with the name \fBdefaultclient\fR will be used if defined. If not
defined, it will try to use the TLS block named \fBdefault\fR. If the specified
TLS block name does not exist, or the option is not specified and none of the
-defaults exist, the proxy will exit with an error.
+defaults exist, the proxy will exit with an error. The matchcertificateattribute
+is optional and can be used to require that certain certificate attributes have
+certain values. Currently the allowed values are of the form
+SubjectAltName:URI:/regexp/ which can be used to specify that SubjectAltName
+URIs in the certificate match the specified regexp.
.sp
.SH "SERVER BLOCK"
@@ -157,12 +160,12 @@ Hence there is no dependency on DNS after startup. If the domain name resolves
to multiple addresses, then for UDP the first address is used. For TLS, the proxy
will loop through the addresses until it can connect to one of them. In the case
of TLS, the name of the server must match the FQDN or IP address in the server
-certificate. Note that at the time of writing it must match the certificate CN.
-This will be extended to check subjectAltName if present.
+certificate.
.sp
The allowed options in a server block are \fBtype\fR, \fBsecret\fR, \fBtls\fR,
-\fBport\fR and \fBstatusServer\fR. The values of \fBtype\fR, \fBsecret\fR and
-\fBtls\fR are just as specified for the \fIclient block\fR above, except that
+\fBport\fR, \fBstatusServer\fR and \fBmatchcertificateattribute\fR. The values
+of \fBtype\fR, \fBsecret\fR, \fBtls\fR and \fBmatchcertificateattribute\fR are
+just as specified for the \fIclient block\fR above, except that
\fBdefaultserve\fRr (and not \fBdefaultclient\fR) is used as a fallback if the
\fBtls\fR option is not used.
.sp