summaryrefslogtreecommitdiff
path: root/radsecproxy.conf-example
blob: 029c7e1ea2346ca6ec47a587c368efd91515abf1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#Master config file, must be in /etc/radsecproxy or proxy's current directory
#	All possible config options are listed below

# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
#	Max one of each, below are just multiple examples
#ListenUDP		*:1814
#listenUDP		localhost
#listenTCP		10.10.10.10:2084
#ListenTCP		[2001:700:1:7:215:f2ff:fe35:307d]:2084
# Optional log level. 3 is default, 1 is less, 4 is more
#LogLevel		3
#Optional LogDestinatinon, else stderr used for logging
# Logging to file
#LogDestination		file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination         x-syslog://
#LogDestination         x-syslog://log_local2

#If we have TLS clients or servers we must define at least one tls block.
#You can name them whatever you like and then reference them by name when
#specifying clients or servers later. There are however three special names
#"default", "defaultclient" and "defaultserver". If no name is defined for
#a client, the "defaultclient" block will be used if it exists, if not the
#"default" will be used. For a server, "defaultserver" followed by "default"
#will be checked.
#
#The simplest configuration you can do is:
tls default {
    # You must specify at least one of CACertificateFile or CACertificatePath
    # for TLS to work. We always verify peer certificate (client and server)
    # CACertificateFile    /etc/cacerts/CA.pem
    CACertificatePath	/etc/cacerts

    # You must specify the below for TLS, we always present our certificate
    CertificateFile	/etc/hostcertkey/host.example.com.pem
    CertificateKeyFile	/etc/hostcertkey/host.example.com.key.pem
    # Optionally specify password if key is encrypted (not very secure)
    CertificateKeyPassword	"follow the white rabbit"
}

#If you want one cert for all clients and another for all servers, use
#defaultclient and defaultserver instead of default. If we wanted some
#particular server to use something else you could specify a block
#"tls myserver" and then reference that for that server. If you always
#name the tls block in the client/server config you don't need a default

#Now we configure clients, servers and realms. Note that these and
#also the lines above may be in any order, except that a realm
#can only be configured to use a server that is previously configured.

#A realm can be a literal domain name, * which matches all, or a
#regexp. A regexp is specified by the character prefix /
#For regexp we do case insensitive matching of the entire username string.
#The matching of realms is done in the order they are specified, using the
#first match found. Some examples are
#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
#To treat local users separately you might try first specifying "@"
#and after that "*".

client 2001:db8::1 {
	type	tls
	secret	verysecret
#we could specify tls here, e.g.
#	tls myclient
#in order to use tls parameters named myclient. We don't, so we will
#use "tls defaultclient" if defined, or look for "tls default" as a
#last resort
}
client 127.0.0.1 {
	type	udp
	secret	secret
}
client radius.example.com {
	type TLS
# secret is optional for TLS
}

server 127.0.0.1 {
	type	UDP
	secret	secret
}
realm	eduroam.cc {
	server	127.0.0.1
}

server 2001:db8::1 {
	type	TLS
	port	2283
# secret is optional for TLS
#we could specify tls here, e.g.
#	tls myserver
#in order to use tls parameters named myserver. We don't, so we will
#use "tls defaultserver" if defined, or look for "tls default" as a
#last resort
}
server radius.example.com {
	type	tls
	secret	verysecret
	StatusServer on
# statusserver is optional, can be on or off. Off is default
}

# Equivalent to example.com
realm /@example\.com$ {
	server 2001:db8::1
}
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message.
# 
realm /\.com$ {
}
realm /^anonymous$ {
        replymessage "No Access"
}
# The realm below is equivalent to /.*
realm * {
	server radius.example.com
}
#If you don't have a default server you probably want to
#reject all unknowns. Optionally you can also include a message
#realm * {
        replymessage "User unknown"
}