author venaas <venaas> 2008-07-17 17:43:41 +0000
committer venaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf> 2008-07-17 17:43:41 +0000
commit 162d7c3d0d18329f20a1bc326bd4e797fc6d411b (patch)
tree e48c4aba48d6a5b5dd4f39deab79dcaafb4fe1ea
parent 5586bb39b82cf61cfd81d23bd5c71b4a2a54ac9d (diff)
updated manpage with crlcheck and retry options
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/branches/release-1.1@308 e88ac4ed-0b26-0410-9574-a7f39faa03bf
-rw-r--r-- radsecproxy.conf.5 16
1 files changed, 12 insertions, 4 deletions
diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5
index 414f85a..01ebc5a 100644
--- a/radsecproxy.conf.5
+++ b/radsecproxy.conf.5
@@ -251,7 +251,9 @@ block is only used as a descriptive name for the administrator.
.sp
The allowed options in a server block are \fBhost\fR, \fBport\fR, \fBtype\fR,
\fBsecret\fR, \fBtls\fR, \fBcertificatenamecheck\fR,
-\fBmatchcertificateattribute\fR, \fBrewrite\fR and \fBstatusserver\fR.
+\fBmatchcertificateattribute\fR, \fBrewrite\fR, \fBstatusserver\fR,
+\fBretrycount\fR and \fBretrydelay\fR.
+
We already discussed the \fBhost\fR option.
The \fBport\fR option allows you to specify which port number the server uses.
The values of \fBtype\fR, \fBsecret\fR, \fBtls\fR, \fBcertificatenamecheck\fR,
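Review bot: the bare empty line added after the "\fBretrycount\fR and \fBretrydelay\fR." line is a raw blank line in roff source, while the paragraph break visible at the top of this hunk is written as .sp. Use .sp here too, or drop the line if no break before "We already discussed the \fBhost\fR option." is intended, so the rendered spacing matches the rest of the page and mandoc-style lint does not flag a blank line in fill mode.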
@@ -265,6 +267,10 @@ for this server. The value must be either \fBon\fR or \fBoff\fR. The default
when not specified, is \fBoff\fR. If statusserver is enabled, the proxy will
during idle periods send regular status-server messages to the server to verify
that it is alive. This should only be enabled if the server supports it.
+.sp
+The options \fBretrycount\fR and \fBretrydelay\fR can be used to specify how
+many times the proxy should retry sending a request and how long it should
+wait between each retry. The defaults are 2 retries and a delay of 5s.
.SH "REALM BLOCK"
When the proxy receives an \fBAccess Request\fR it needs to figure out to which
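Review bot: the new retrycount/retrydelay paragraph states the defaults as "2 retries and a delay of 5s" but never says in which unit or format \fBretrydelay\fR is written in the configuration, nor whether \fBretrycount\fR counts only the resends after the first attempt and whether 0 is accepted. An administrator tuning failover toward a slow or unreachable server needs those details; please add one sentence giving the unit and the accepted value range for both options.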
@@ -372,8 +378,9 @@ also have say a client block refer to a default, even \fBdefaultserver\fR
if you really want to.
.sp
The available TLS block options are \fBCACertificateFile\fR,
-\fBCACertificatePath\fR, \fBCertificateFile\fR, \fBCertificateKeyFile\fR
-and \fBCertificateKeyPassword\fR. When doing RADIUS over TLS, both the
+\fBCACertificatePath\fR, \fBCertificateFile\fR, \fBCertificateKeyFile\fR,
+\fBCertificateKeyPassword\fR and \fBCRLCheck\fR. When doing RADIUS over
+TLS, both the
client and the server present certificates, and they are both verified
by the peer. Hence you must always specify \fBCertificateFile\fR and
\fBCertificateKeyFile\fR options, as well as \fBCertificateKeyPassword\fR
@@ -382,7 +389,8 @@ if a password is needed to decrypt the private key. Note that
certificates, or send a chain of certificates to a peer, you also always
need to specify \fBCACertificateFile\fR or \fBCACertificatePath\fR. Note
that you may specify both, in which case the certificates in
-\fBCACertificateFile\fR are checked first.
+\fBCACertificateFile\fR are checked first. By default CRLs are not
+checked. This can be changed by setting \fBCRLCheck\fR to \fBon\fR.
.SH "REWRITE BLOCK"
The rewrite block specifies rules that may rewrite RADIUS messages. It
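Review bot: the CRLCheck text, "By default CRLs are not checked. This can be changed by setting \fBCRLCheck\fR to \fBon\fR.", is missing the operational details an administrator needs before enabling it. It does not say where the CRLs are read from (the sentence is appended to the CACertificateFile/CACertificatePath paragraph, but the relationship is not stated), whether the whole chain or only the peer certificate is checked, and what happens when no CRL is available for an issuer. Since the default leaves revoked peer certificates accepted, it is worth saying so explicitly, and giving the option its own .sp paragraph rather than tacking it onto the sentence about lookup order.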