1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
#Master config file, must be in /etc/radsecproxy or proxy's current directory
# All possible config options are listed below
#
# You must specify at least one of TLSCACertificateFile or TLSCACertificatePath
# for TLS to work. We always verify peer certificate (both client and server)
#TLSCACertificateFile /etc/cacerts/CA.pem
TLSCACertificatePath /etc/cacerts
# You must specify the below for TLS, we will always present our certificate
TLSCertificateFile /etc/hostcertkey/host.example.com.pem
TLSCertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
TLSCertificateKeyPassword "follow the white rabbit"
# You can optionally specify addresses and ports to listen on
# Max one of each, below are just multiple examples
#ListenUDP *:1814
#listenUDP localhost
#listenTCP 10.10.10.10:2084
#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:2084
# Optional log level. 3 is default, 1 is less, 4 is more
#LogLevel 3
#Optional LogDestinatinon, else stderr used for logging
# Logging to file
#LogDestination file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination x-syslog://
#LogDestination x-syslog://log_local2
#Now we configure clients, servers and realms. Note that these and
#also the lines above may be in any order, except that a realm
#can only be configured to use a server that is previously configured.
#A realm can be a literal domain name, * which matches all, or a
#regexp. A regexp is specified by the character prefix /
#For regexp we do case insensitive matching of the entire username string.
#The matching of realms is done in the order they are specified, using the
#first match found. Some examples are
#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
#To treat local users separately you might try first specifying "@"
#and after that "*".
client 2001:db8::1 {
type tls
secret verysecret
}
client 127.0.0.1 {
type udp
secret secret
}
client radius.example.com {
type TLS
# secret is optional for TLS
}
server 127.0.0.1 {
type UDP
secret secret
}
realm eduroam.cc {
server 127.0.0.1
}
server 2001:db8::1 {
type TLS
port 2283
# secret is optional for TLS
}
server radius.example.com {
type tls
secret verysecret
StatusServer on
# statusserver is optional, can be on or off. Off is default
}
# Equivalent to example.com
realm /@example\.com$ {
server 2001:db8::1
}
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message.
#
realm /\.com$ {
}
realm /^anonymous$ {
replymessage "No Access"
}
# The realm below is equivalent to /.*
realm * {
server radius.example.com
}
|