summaryrefslogtreecommitdiff
path: root/radsecproxy.conf-example
blob: 6dc133b49d889997e64166c0f123e9be0ce2e79c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
#Master config file, must be in /etc/radsecproxy or proxy's current directory
#	All possible config options are listed below
#
# You must specify at least one of TLSCACertificateFile or TLSCACertificatePath
# for TLS to work. We always verify peer certificate (both client and server)
#TLSCACertificateFile    /etc/cacerts/CA.pem
TLSCACertificatePath	/etc/cacerts

# You must specify the below for TLS, we will always present our certificate
TLSCertificateFile	/etc/hostcertkey/host.example.com.pem
TLSCertificateKeyFile	/etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
TLSCertificateKeyPassword	follow the white rabbit

# You can optionally specify addresses and ports to listen on
#	Max one of each, below are just multiple examples
#ListenUDP		*:1814
#listenUDP		localhost
#listenTCP		10.10.10.10:2084
#ListenTCP		[2001:700:1:7:215:f2ff:fe35:307d]:2084
# Optional log level. 3 is default, 1 is less, 4 is more
#LogLevel		3
#Optional LogDestinatinon, else stderr used for logging
# Logging to file
#LogDestination		file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination         x-syslog://
#LogDestination         x-syslog://log_local2

#Now we configure clients, servers and realms. Note that these and
#also the lines above may be in any order, except that a realm
#can only be configured to use a server that is previously configured.

#A realm can be a literal domain name, * which matches all, or a
#regexp. A regexp is specified by the character prefix /
#For regexp we do case insensitive matching of the entire username string.
#The matching of realms is done in the order they are specified, using the
#first match found. Some examples are
#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
#To treat local users separately you might try first specifying "@"
#and after that "*".

client 2001:db8::1 {
	type	tls
	secret	verysecret
}
client 127.0.0.1 {
	type	udp
	secret	secret
}
client radius.example.com {
	type TLS
# secret is optional for TLS
}

server 127.0.0.1 {
	type	UDP
	secret	secret
}
realm	eduroam.cc {
	server	127.0.0.1
}

server 2001:db8::1 {
	type	TLS
	port	2283
# secret is optional for TLS
}
server radius.example.com {
	type	tls
	secret	verysecret
	StatusServer on
# statusserver is optional, can be on or off. Off is default
}

# Equivalent to example.com
realm /@example\.com$ {
	server 2001:db8::1
}
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message.
# 
realm /\.com$ {
}
realm /^anonymous$ {
        replymessage "No Access"
}
# The realm below is equivalent to /.*
realm * {
	server radius.example.com
}