#Master config file, must be in /etc/radsecproxy or proxy's current directory
#	All possible config options are listed below
#
# You must specify at least one of TLSCACertificateFile or TLSCACertificatePath
# for TLS to work. We always verify peer certificate (both client and server)
#TLSCACertificateFile    /etc/cacerts/CA.pem
TLSCACertificatePath	/etc/cacerts

# You must specify the below for TLS, we will always present our certificate
TLSCertificateFile	/etc/hostcertkey/host.example.com.pem
TLSCertificateKeyFile	/etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
TLSCertificateKeyPassword	follow the white rabbit

# You can optionally specify addresses and ports to listen on
#	Max one of each, below are just multiple examples
#ListenUDP		*:1814
#listenUDP		localhost
#listenTCP		10.10.10.10:2084
#ListenTCP		[2001:700:1:7:215:f2ff:fe35:307d]:2084
# Optional log level. 3 is default, 1 is less, 4 is more
#LogLevel		3
#Optional LogDestinatinon, else stderr used for logging
# Logging to file
#LogDestination		file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination         x-syslog://
#LogDestination         x-syslog://log_local2

#Now we configure clients, servers and realms. Note that these and
#also the lines above may be in any order, except that a realm
#can only be configured to use a server that is previously configured.

#Also note that case insensitive regexp is used for realms, matching
#the entire username string. The matching is done in the order the
#realms are specified, using the first match found. Some examples are
#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
#To treat local users separately you might try first specifying "@"
#and after that ".*".

client 2001:db8::1 {
	type	tls
	secret	verysecret
}
client 127.0.0.1 {
	type	udp
	secret	secret
}
client radius.example.com {
	type TLS
# secret is optional for TLS
}

server 127.0.0.1 {
	type	UDP
	secret	secret
}
realm	@eduroam\.cc$ {
	server	127.0.0.1
}

server 2001:db8::1 {
	type	TLS
	port	2283
# secret is optional for TLS
}
server radius.example.com {
	type	tls
	secret	verysecret
	StatusServer on
# statusserver is optional, can be on or off. Off is default
}

realm @example\.com$ {
	server 2001:db8::1
}
realm \.com$ {
	server 2001:db8::1
}
realm .* {
	server radius.example.com
}