-rw-r--r-- | ChangeLog | 35 | ||||
-rw-r--r-- | README | 4 | ||||
-rw-r--r-- | radsecproxy.conf-example | 44 |
3 files changed, 71 insertions, 12 deletions
@@ -15,12 +15,35 @@ matchCertificateAttribute now also supports CN matching Forwarding of accounting messages, accountingServer option for realms Supports multiple client blocks for same source address with different - certificate checks + certificate checks Removed weekday from log timestamps 2008-07-24 1.1 - Logging stationid attribute - Added LoopPrevention option - Failover also without status-server - Options for RetryCount and RetryInterval - Working accounting and AccountingResponse option + Logging stationid attribute + Added LoopPrevention option + Failover also without status-server + Options for RetryCount and RetryInterval + Working accounting and AccountingResponse option CRL checking and option for enabling it +2008-10-07 1.2 + listenTCP and sourceTCP options renamed to listenTLS and sourceTLS + Old options deprecated but available for backwards compatiblity + Logging reply-message attribute from Reject messages + Contribution from Arne Schwabe + Rewrite blocks have new options addAttribute and modifyAttribute + rewriteIn (replacing rewrite) and rewriteOut in client and server + blocks for specifying rewrite on input/output. rewrite deprecated + but available as an alias for rewriteIn for backwards compatibility. + rewritein rewriteout rewrite + regular expressions in realms etc can now be more advanced, including + use of "or". + cacheExpiry option in tls blocks for specifying expiry time for the + cache of CA certificates and CRLs. This is particularly useful for + regularly updating CRLs. + Some logging has been made more informative + +Additional features in devel-20081006 + Support for TCP and DTLS transports (type tcp, type dtls) + Listen... options can be specified multiple times + Dynamic server discovery + DuplicateInterval option in client block for specifying for how + long a request/reply shall be stored for duplicate detection 
@@ -1,4 +1,4 @@ -This is a revision from the radsecproxy 1.2 devel branch. +This is a revision from the radsecproxy 2.0 devel branch. radsecproxy is a generic RADIUS proxy that can support various RADIUS clients over UDP or TLS (RadSec). @@ -37,4 +37,4 @@ let me know if you feel left out. For more information, feedback etc. please see the information at http://software.uninett.no/radsecproxy/ -Stig Venaas <venaas@uninett.no> -- 2008.05.14 +Stig Venaas <venaas@uninett.no> -- 2008.10.07 diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example index f88bfad..fdae1dd 100644 --- a/radsecproxy.conf-example +++ b/radsecproxy.conf-example @@ -7,14 +7,18 @@ # Max one of each, below are just multiple examples #ListenUDP *:1814 #listenUDP localhost -#listenTCP 10.10.10.10:2084 -#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:2084 +#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812 +#listenTLS 10.10.10.10:2084 +#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 +#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 # To listen to the default or other Accounting port for UDP you need e.g. #ListenAccountingUDP *:1813 # To specify a certain address/port for UDP/TLS requests you can use e.g. #SourceUDP 127.0.0.1:33000 -#SourceTCP *:33001 +#SourceTCP *:33000 +#SourceTLS *:33001 +#SourceDTLS *:33001 # Optional log level. 3 is default, 1 is less, 4 is more #LogLevel 3 #Optional LogDestinatinon, else stderr used for logging @@ -51,6 +55,8 @@ tls default { CertificateKeyPassword "follow the white rabbit" # Optionally enable CRL checking # CRLCheck on + # Optionally specify how long CAs and CRLs are cached, default forever + # CacheExpiry 3600 } #If you want one cert for all clients and another for all servers, use 
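Review bot: The new ListenTCP/ListenTLS/ListenDTLS examples in the first radsecproxy.conf-example hunk are placed under the unchanged comment `# Max one of each, below are just multiple examples`, which this same diff's ChangeLog contradicts (`Listen... options can be specified multiple times`), so the comment should be reworded, e.g. `# Each Listen option may be given several times; below are just examples`. The comment above the Source lines likewise still says `UDP/TLS requests` although SourceTCP and SourceDTLS are now listed beneath it. Since ListenTCP is shown on 1812 while TLS and DTLS use 2084, it appears to be plain RADIUS over TCP protected only by the shared secret; if that is right, a one-line warning such as `# TCP carries RADIUS unencrypted, use TLS/DTLS across untrusted networks` would stop readers from confusing it with the old listenTCP, which this release renames to listenTLS.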
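Review bot: The new `CacheExpiry` comment in the `tls default` hunk documents the default as "forever", which together with the `CRLCheck on` option two lines above means a CRL loaded at startup is never refreshed, so certificates revoked later keep being accepted until the proxy is restarted. The example should state that consequence rather than leave it to the reader, e.g. `# With CRLCheck on, set CacheExpiry so updated CRLs are picked up; by default they are never reloaded`. It would also help to say what unit the value is in — the ChangeLog only calls it an expiry time, and `3600` reads as seconds but the example does not say so.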
@@ -72,6 +78,14 @@ tls default { #To treat local users separately you might try first specifying "@" #and after that "*". +# Configure a rewrite block if you want to add/remove/modify attributes +# rewrite example { +# removeAttribute 5 +# removeVendorAttribute 99:100 +# addAttribute 4 attribute%20value +# modifyAttribute 1:/^(.*)@local$/$1@example.com/ +# } + client 2001:db8::1 { type tls secret verysecret @@ -84,15 +98,31 @@ client 2001:db8::1 { client 127.0.0.1 { type udp secret secret +# Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# Can also do rewriting of outgoing messages +# rewriteOut example +} +client 127.0.0.1 { + type tcp + secret secret } client radius.example.com { - type TLS + type tls # secret is optional for TLS } +client radius.example.com { + type dtls +# secret is optional for DTLS +} server 127.0.0.1 { type UDP secret secret +# Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# Can also do rewriting of outgoing messages +# rewriteOut example } realm eduroam.cc { server 127.0.0.1 @@ -116,6 +146,12 @@ server radius.example.com { StatusServer on # statusserver is optional, can be on or off. Off is default } +#server radius.example.com { +# type dtls +# secret verysecret +# StatusServer on +## statusserver is optional, can be on or off. Off is default +#} # Equivalent to example.com realm /@example\.com$ { |
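Review bot: In the new rewrite example, `addAttribute 4 attribute%20value` attaches a text value to attribute 4, which RFC 2865 defines as NAS-IP-Address (an address-typed attribute), so anyone copying the example would inject a malformed NAS-IP-Address; a text-typed attribute such as 11 (Filter-Id) or 18 (Reply-Message) would make the example self-consistent. The `%20` in the value implies an escaping rule for spaces that nothing in the example explains, so a comment like `# values are escaped URL-style, e.g. %20 for a space` (or whatever the actual rule is) belongs next to it. Because `modifyAttribute 1:...` rewrites User-Name, which drives realm selection, a short warning that rewriting it changes where the request is routed would be a useful caveat — I cannot confirm the ordering relative to realm matching from this diff, so it should be stated by someone who can.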
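Review bot: The new `client 127.0.0.1 { type tcp secret secret }` block gives the TCP transport the same placeholder secret as the UDP block, and unlike the tls and dtls blocks nothing says that for tcp the shared secret is mandatory and is the only protection the traffic gets (the tcp listener is shown on 1812, not under the tls block, so it appears to be RADIUS without TLS). A comment such as `# tcp is RADIUS without TLS: the secret is required and is all that protects the messages` would make that explicit. The added `client radius.example.com { type dtls }` block reuses the tls client's name; since the ChangeLog in this diff says several client blocks for one source are told apart by certificate checks, the example should say how the tls and dtls blocks are chosen between — presumably by transport, but the file does not say.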