1radsecproxy.conf(5) radsecproxy.conf(5)
2
3
4
6 radsecproxy.conf - Radsec proxy configuration file
7
8
10 When the proxy server starts, it will first check the command line
11 arguments, and then read the configuration file. Normally radsecproxy
12 will read the configuration file /etc/radsecproxy.conf. The command
13 line -c option can be used to instead read an alternate file (see rad‐
14 secproxy(1) for details).
15
16 If the configuration file can not be found, the proxy will exit with an
17 error message. Note that there is also an include facility so that any
18 configuration file may include other configuration files. The proxy
19 will also exit on configuration errors.
20
21
23 When the configuration file is processed, whitespace (spaces and tabs)
24 are generally ignored. For each line, leading and trailing whitespace
25 are ignored. A line is ignored if it is empty, only consists of white‐
26 space, or if the first non-whitespace character is a #. The configura‐
27 tion is generally case insensitive, but in some cases the option values
28 (see below) are not.
29
30 There are two types of configuration structures than can be used. The
31 first and simplest are lines on the format option value. That is, an
32 option name, see below for a list of valid options, followed by white‐
33 space (at least one space or tab character), followed by a value. Note
34 that if the value contains whitespace, then it must be quoted using ""
35 or ''. Any whitespace in front of the option or after the value will be
36 ignored.
37
38 The other type of structure is a block. A block spans at least two
39 lines, and has the format:
40
41 blocktype name {
42 option value
43 option value
44 ...
45 }
46
47
48 That is, some blocktype, see below for a list of the different block
49 types, and then enclosed in braces you have zero or more lines that
50 each have the previously described option value format. Different block
51 types have different rules for which options can be specified, they are
52 listed below. The rules regarding white space, comments and quotes are
53 as above. Hence you may do things like:
54
55 blocktype name {
56 # option value
57 option "value with space"
58 ...
59 }
60
61
62 Option value characters can also be written in hex for options requir‐
63 ing a string type value. This is done by writing the character % fol‐
64 lowed by two hexadecimal digits. If a % is used without two following
65 hexadecimal digits, the % and the following characters are used as
66 written. If you want to write a % and not use this decoding, you may of
67 course write % in hex; i.e., %25. As %00 would terminate a string, this
68 value is not converted in most cases, except when used with rewrite
69 statements or secrets.
70
71 Some options allow or require the use of regular expressions, denoted
72 as regex. The POSIX extended RE system is used, see re_format(7).
73
74 There is one special option that can be used both as a basic option and
75 inside all blocks. That is the option Include where the value specifies
76 files to be included. The value can be a single file, or it can use
77 normal shell globbing to specify multiple files, e.g.:
78
79 include /etc/radsecproxy.conf.d/*.conf
80
81 The files are sorted alphabetically. Included files are read in the
82 order they are specified, when reaching the end of a file, the next
83 file is read. When reaching the end of the last included file, the
84 proxy returns to read the next line following the Include option.
85 Included files may again include other files.
86
87
89 The following basic options may be specified in the configuration file.
90 Note that blocktypes and options inside blocks are discussed later.
91 Note that none of these options are required, and indeed in many cases
92 they are not needed. Note that you should specify each at most once.
93 The behaviour with multiple occurrences is undefined.
94
95 PidFile file
96 The PidFile option specifies the name of a file to which the
97 process id (PID) will be written. This is overridden by the -i
98 command line option. There is no default value for the PidFile
99 option.
100
101 LogLevel 1-5
102 This option specifies the debug level. It must be set to 1, 2,
103 3, 4 or 5, where 1 logs only serious errors, and 5 logs every‐
104 thing. The default is 2 which logs errors, warnings and a few
105 informational messages. Note that the command line option -d
106 overrides this.
107
108 LogDestination (file|syslog)
109 This specifies where the log messages should go. By default the
110 messages go to syslog with facility LOG_DAEMON. Using this
111 option you can specify another syslog facility, or you may spec‐
112 ify that logging should be to a particular file, not using sys‐
113 log. The value must be either a file or syslog URL. The file URL
114 is the standard one file:///var/log/radsecproxy/radsecproxy.log,
115 specifying a local file that should be used. For syslog, you
116 must use the syntax: x-syslog:///FACILITY where FACILITY must be
117 one of LOG_DAEMON, LOG_MAIL, LOG_USER, LOG_LOCAL0, LOG_LOCAL1,
118 LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6or
119 LOG_LOCAL7. You may omit the facility from the URL to specify
120 logging to the default facility, but this is not very useful
121 since this is the default log destination. Note that this option
122 is ignored if -f is specified on the command line.
123
124 LogThreadId (on|off)
125 This can be set to on to include the thread-id in the log mes‐
126 sages (useful for debugging).
127
128
129 LogFullUsername (on|off)
130 This can be set to off to only log the realm in Access-
131 Accept/Reject log messages (for privacy).
132
133 LogMAC opt
134 The LogMAC option can be used to control if and how Calling-Sta‐
135 tion-Id (the users Ethernet MAC address) is being logged. It can
136 be set to one of Static, Original, VendorHashed, VendorKey‐
137 Hashed, FullyHashed or FullyKeyHashed. The default value for
138 LogMAC is Original.
139
140 See radsecproxy.conf-example for details.
141
142 LogKey key
143 The LogKey option is used to specify the key to use when produc‐
144 ing HMAC's as an effect of specifying VendorKeyHashed or Ful‐
145 lyKeyHashed for the LogMAC option.
146
147 FTicksReporting fticks
148 The FTicksReporting option is used to enable F-Ticks logging and
149 can be set to None, Basic or Full. Its default value is None.
150 If FTicksReporting is set to anything other than None, note that
151 the default value for FTicksMAC needs FTicksKey to be set.
152
153 See radsecproxy.conf-example for details.
154
155 FTicksMAC opt
156 The FTicksMAC option has the same function as LogMAC for FTicks.
157 The default for FTicksMAC is VendorKeyHashed which needs
158 FTicksKey to be set.
159
160 Before choosing any of Original, FullyHashed or VendorHashed,
161 consider the implications for user privacy when MAC addresses
162 are collected. How will the logs be stored, transferred and
163 accessed?
164
165 FTicksKey key
166 The FTicksKey option has the same function as LogKey for Fticks.
167
168 FTicksSyslogFacility syslog
169 The FTicksSyslogFacility option is used to specify a dedicated
170 syslog facility for F-Ticks messages. This allows for easier
171 filtering of F-Ticks messages. If no FTicksSyslogFacility option
172 is given, F-Ticks messages are written to what the LogDestina‐
173 tion option specifies.
174
175 F-Ticks messages are always logged using the log level
176 LOG_DEBUG. Note that specifying a file in FTicksSyslogFacility
177 (using the file:/// prefix) is not supported.
178
179 FTicksPrefix prefix
180 The FTicksPrefix option is used to set the prefix printed in F-
181 Ticks messages. This allows for use of F-Ticks messages in non-
182 eduroam environments. If no FTicksPrefix option is given, it
183 defaults to the prefix used for eduroam (F-TICKS/eduroam/1.0).
184
185
186 ListenUDP (address|*)[:port]
187 ListenTCP (address|*)[:port]
188 ListenTLS (address|*)[:port]
189 ListenDTLS (address|*)[:port]
190 Listen for the address and port for the respective protocol.
191 Normally the proxy will listen to the standard ports if config‐
192 ured to handle clients with the respective protocol. The default
193 ports are 1812 for UDP and TCP and 2083 for TLS and DTLS. On
194 most systems it will do this for all of the system's IP
195 addresses (both IPv4 and IPv6). On some systems however, it may
196 respond to only IPv4 or only IPv6. To specify an alternate port
197 you may use a value on the form *:port where port is any valid
198 port number. If you also want to specify a specific address you
199 can do e.g. 192.168.1.1:1812 or [2001:db8::1]:1812. The port
200 may be omitted if you want the default one. Note that you must
201 use brackets around the IPv6 address. These options may be spec‐
202 ified multiple times to listen to multiple addresses and/or
203 ports for each protocol.
204
205 SourceUDP (address|*)[:port]
206 SourceTCP (address|*)[:port]
207 SourceTLS (address|*)[:port]
208 SourceDTLS (address|*)[:port]
209 This can be used to specify source address and/or source port
210 that the proxy will use for connecting to clients to send mes‐
211 sages (e.g. Access Request). The same syntax as for Listen...
212 applies.
213
214 TTLAttribute (attr|vendor:attr)
215 This can be used to change the default TTL attribute. Only
216 change this if you know what you are doing. The syntax is either
217 a numerical value denoting the TTL attribute, or two numerical
218 values separated by column specifying a vendor attribute.
219
220 AddTTL 1-255
221 If a TTL attribute is present, the proxy will decrement the
222 value and discard the message if zero. Normally the proxy does
223 nothing if no TTL attribute is present. If you use the AddTTL
224 option with a value 1-255, the proxy will, when forwarding a
225 message with no TTL attribute, add one with the specified value.
226 Note that this option can also be specified for a client/server
227 which will override this setting when forwarding a message to
228 that client/server.
229
230 LoopPrevention (on|off)
231 When this is enabled (on), a request will never be sent to a
232 server named the same as the client it was received from. I.e.,
233 the names of the client block and the server block are compared.
234 Note that this only gives limited protection against loops. It
235 can be used as a basic option and inside server blocks where it
236 overrides the basic setting.
237
238 IPv4Only (on|off)
239 IPv6Only (on|off)
240 Enabling IPv4Only or IPv6Only (on) makes radsecproxy resolve DNS
241 names to the corresponding address family only, and not the
242 other. This is done for both clients and servers. At most one of
243 IPv4Only and IPv6Only can be enabled. Note that this can be
244 overridden in client and server blocks, see below.
245
246 Include file
247 This is not a normal configuration option; it can be specified
248 multiple times. It can both be used as a basic option and
249 inside blocks. For the full description, see the configuration
250 syntax section above.
251
252
254 There are five types of blocks, they are client, server, realm, tls and
255 rewrite. At least one instance of each of client and realm is required
256 for the proxy to do anything useful, and it will exit if none are con‐
257 figured. The tls block is required if at least one TLS/DTLS client or
258 server is configured. Note that there can be multiple blocks for each
259 type. For each type, the block names should be unique. The behaviour
260 with multiple occurrences of the same name for the same block type is
261 undefined. Also note that some block option values may reference a
262 block by name, in which case the block name must be previously defined.
263 Hence the order of the blocks may be significant.
264
265
267 client (name|fqdn|(address[/length])) {
268 ...
269 }
270
271 The client block is used to configure a client. That is, tell the proxy
272 about a client, and what parameters should be used for that client. The
273 name of the client block must (with one exception, see below) be either
274 the IP address (IPv4 or IPv6) of the client, an IP prefix (IPv4 or
275 IPv6) on the form IpAddress/PrefixLength, or a domain name (FQDN). The
276 way an FQDN is resolved into an IP address may be influenced by the use
277 of the IPv4Only and IPv6Only options. Note that literal IPv6 addresses
278 must be enclosed in brackets.
279
280 If a domain name is specified, then this will be resolved immediately
281 to all the addresses associated with the name, and the proxy will not
282 care about any possible DNS changes that might occur later. Hence there
283 is no dependency on DNS after startup. However, if the name can not be
284 resolved, startup will fail.
285
286 When some client later sends a request to the proxy, the proxy will
287 look at the IP address the request comes from, and then go through all
288 the addresses of each of the configured clients (in the order they are
289 defined), to determine which (if any) of the clients this is. When
290 using the IpAddress/PrefixLength form, this might mask clients defined
291 later, which then will never be matched.
292
293 In the case of TLS/DTLS, the name of the client must match the FQDN or
294 IP address in the client certificate (CN or SubectAltName:DNS or Sub‐
295 jectAltName:IP respectively). Note that this is not required when the
296 client name is an IP prefix. If overlapping clients are defined (see
297 section above), they will be searched for matching MatchCertificateAt‐
298 tribute, but they must reference the same tls block.
299
300 The allowed options in a client block are:
301
302 Host (fqdn|(address[/length]))
303 Alternatively of specifying the FQDN or address in the block
304 name, the host option may be used. In that case, the value of
305 the host option is used as described above, while the name of
306 the block is only used as a descriptive name for the administra‐
307 tor. The host option may be used multiple times, and can be a
308 mix of addresses, FQDNs and prefixes.
309
310 IPv4Only (on|off)
311 IPv6Only (on|off)
312 Enabling IPv4Only or IPv6Only (on) makes radsecproxy resolve DNS
313 names to the corresponding address family only, and not the
314 other. At most one of IPv4Only and IPv6Only can be enabled. Note
315 that this will override the global option for this client.
316
317 Type type
318 Specify the type (protocol) of the client. Available options are
319 UDP, TCP, TLS and DTLS.
320
321 Secret secret
322 Use secret as the shared RADIUS key with this client. If the
323 secret contains whitespace, the value must be quoted. This
324 option is optional for TLS/DTLS and if omitted will default to
325 "radsec". (Note that using a secret other than "radsec" for TLS
326 is a violation of the standard (RFC 6614) and that the proposed
327 standard for DTLS stipulates that the secret must be
328 "radius/dtls".)
329
330 TLS tls
331 For a TLS/DTLS client you may also specify the tls option. The
332 option value must be the name of a previously defined TLS block.
333 If this option is not specified, the TLS block with the name
334 defaultClient or default will be used if defined (in that
335 order). If the specified TLS block name does not exist, or the
336 option is not specified and none of the defaults exist, the
337 proxy will exit with an error.
338
339 CertificateNameCheck (on|off)
340 For a TLS/DTLS client, disable the default behaviour of matching
341 CN or SubjectAltName against the specified hostname or IP
342 address.
343
344 matchCertificateAttribute ( CN | SubjectAltName:URI | SubjectAlt‐
345 Name:DNS ) :/regexp/
346 MatchCertificateAttribute SubjectAltName:IP:address
347 Perform additional validation of certificate attributes. Cur‐
348 rently matching of CN and SubjectAltName types URI DNS and IP is
349 supported. Note that currently this option can only be specified
350 once in a client block.
351
352 DuplicateInterval seconds
353 Specify for how many seconds duplicate checking should be done.
354 If a proxy receives a new request within a few seconds of a pre‐
355 vious one, it may be treated the same if from the same client,
356 with the same authenticator etc. The proxy will then ignore the
357 new request (if it is still processing the previous one), or
358 returned a copy of the previous reply.
359
360 AddTTL 1-255
361 The AddTTL option has the same meaning as the option used in the
362 basic config. See the BASIC OPTIONS section for details. Any
363 value configured here overrides the basic one when sending mes‐
364 sages to this client.
365
366 TCPKeepalive (on|off)
367 Enable TCP keepalive (default is off). If keepalives are not
368 answered within 30s the connection is considered lost.
369
370 FticksVISCOUNTRY cc
371 Sets this client to be eligible to F-Ticks logging as defined by
372 the FTicksReporting basic option, and specifies the country to
373 be reported. The country should be specified by the two-letter
374 country code.
375
376 FticksVISINST institution
377 Set the institution to report in F-Ticks logging. If this option
378 is omitted, the name of the client block is used.
379
380 Rewrite rewrite
381 This option is deprecated. Use rewriteIn instead.
382
383 RewriteIn rewrite
384 RewriteOut rewrite
385 Apply the operations in the specified rewrite block on incoming
386 (request) or outgoing (response) messages from this client.
387 Rewriting incoming messages is done before, outgoing after other
388 processing. If the RewriteIn is not configured, the rewrite
389 blocks defaultClient or default will be applied if defined. No
390 default blocks are applied for RewriteOut.
391
392 RewriteAttribute User-Name:/regex/replace/
393 Rewrite the User-Name attribute in a client request for the
394 request forwarded by the proxy. The User-Name attribute is writ‐
395 ten back to the original value if a matching response is later
396 sent back to the client. Example usage:
397
398 RewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
399
400
401
403 server (name|((fqdn|address)[:port])) {
404 ...
405 }
406
407 The server block is used to configure a server. That is, tell the proxy
408 about a server, and what parameters should be used when communicating
409 with that server. The name of the server block must (with one excep‐
410 tion, see below) be either the IP address (IPv4 or IPv6) of the server,
411 or a domain name (FQDN). If a domain name is specified, then this will
412 be resolved immediately to all the addresses associated with the name,
413 and the proxy will not care about any possible DNS changes that might
414 occur later. Hence there is no dependency on DNS after startup. If the
415 domain name resolves to multiple addresses, then for UDP/DTLS the first
416 address is used. For TCP/TLS, the proxy will loop through the addresses
417 until it can connect to one of them. The way an FQDN is resolved into
418 an IP address may be influenced by the use of the IPv4Only and IPv6Only
419 options.
420
421 In the case of TLS/DTLS, the name of the server must match the FQDN or
422 IP address in the server certificate.
423
424 Note that the fqdn or address may include a port number (separated with
425 a column). This port number will then override the default port or a
426 port option in the server block. Also note that literal IPv6 addresses
427 must be enclosed in brackets.
428
429 The allowed options in a server block are:
430
431 Host (fqdn|address)[:port]
432 Alternatively of specifying the FQDN or address in the block
433 name the host option may be used. In that case, the value of the
434 host option is used as described above, while the name of the
435 block is only used as a descriptive name for the administrator.
436 Note that multiple host options may be used. This will then be
437 treated as multiple names/addresses for the same server. When
438 initiating a TCP/TLS connection, all addresses of all names may
439 be attempted, but there is no failover between the different
440 host values. For failover use separate server blocks.
441
442 Port port
443 Specify the port (UDP/TCP) to connect to. If omitted, UDP and
444 TCP will default to 1812 while TLS and DTLS will default to
445 2083.
446
447 DynamicLookupCommand command
448 Execude the command to dynamically configure a server. The exe‐
449 cutable file should be given with full path and will be invoked
450 with the name of the realm as its first and only argument. It
451 should either print a valid server {...} option on stdout and
452 exit with a code of 0 or print nothing and exit with a non-zero
453 exit code.
454
455 If the command exited with 0 an provided a valid server config,
456 it will be combined with the statements in this server block,
457 with the values returned by the command taking preference.
458
459 An example of a shell script resolving the DNS NAPTR records for
460 the realm and then the SRV records for each NAPTR matching 'x-
461 eduroam:radius.tls' is provided in tools/naptr-eduroam.sh.
462
463 StatusServer (on|off|minimal|auto)
464 Enable the use of status-server messages for this server
465 (default off). If statusserver is enabled (on), the proxy will
466 send regular status-server messages to the server to verify that
467 it is alive. Status tracking of the server will solely depend on
468 status-server message and ignore lost requests. This should only
469 be enabled if the server supports it. With the option minimal
470 status-server messages are only sent when regular requests have
471 been lost and no other replies have been received.
472
473 The option auto tries to detect whether the other server sup‐
474 ports status-server. If so, status-server messages are enabled
475 in minimal mode.
476
477 RetryCount count
478 Set how many times the proxy should retry sending a request to
479 the server. Default is 2 retries. Please note that Radius
480 retries are normally done by the NAS.
481
482 RetryInterfval interval
483 Set the interval between each retry. Default is 5s.
484
485 Rewrite rewrite
486 This option is deprecated. Use rewriteIn instead.
487
488 RewriteOut rewrite
489 RewriteIn rewrite
490 Apply the operations in the specified rewrite block on outgoing
491 (request) or incoming (response) messages to/from this server.
492 Rewriting outgoing messages is done after, incoming before other
493 processing. If the RewriteIn is not configured, the rewrite
494 blocks defaultServer or default will be applied if defined. No
495 default blocks are applied for RewriteOut.
496
497 LoopPrevention (on|off)
498 This overrides the global LoopPrevention option for this server.
499 See section BASIC OPTIONS for details on this option.
500
501 The meaning and syntax of the following options are exactly the same as
502 for the client block. The details are not repeated here. Please refer
503 to the definitions in the CLIENT BLOCK section.
504
505 IPv4Only (on|off)
506 IPv6Only (on|off)
507 Type type
508 Secret secret
509 TLS tls
510 CertificateNameCheck (on|off)
511 matchCertificateAttribute ( CN | SubjectAltName:URI | SubjectAlt‐
512 Name:DNS ) :/regexp/
513 MatchCertificateAttribute SubjectAltName:IP:address
514 AddTTL 1-255
515 TCPKeepalive (on|off)
516
517
518
520 realm (*|realm|/regex/) {
521 ...
522 }
523
524 When the proxy receives an Access-Request it needs to figure out to
525 which server it should be forwarded. This is done by looking at the
526 Username attribute in the request, and matching that against the names
527 of the defined realm blocks. The proxy will match against the blocks in
528 the order they are specified, using the first match if any. If no realm
529 matches, the proxy will simply ignore the request. Each realm block
530 specifies what the server should do when a match is found.
531
532 The allowed options in a realm block are:
533
534 Server server
535 AccountingServer server
536 Specify the server to which requests for this realm should be
537 forwarded. server references a previously defined server block
538 (see the SERVER BLOCK section). Each server and accountingServer
539 can be specified multiple times, or omitted completely. If no
540 server is configured, the proxy will deny all Access-Requests
541 for this realm. If no accountingServer is configured, the proxy
542 will silently ignore all Accounting-Requests for this realm. See
543 the SERVER SELECTION section below for details.
544
545 AccountingResponse (on|off)
546 Enable sending Accounting-Response instead of ignoring Account‐
547 ing-Requests when no accoutingServer are configured.
548
549 ReplyMessage message
550 Specify a message to be sent back to the client if a Access-
551 Request is denied because no server are configured.
552
553
554 REALM BLOCK NAMES AND MATCHING
555 In the general case the proxy will look for a @ in the username
556 attribute, and try to do an exact, case insensitive match between what
557 comes after the @ and the name of the realm block. So if you get a
558 request with the attribute value anonymous@example.com, the proxy will
559 go through the realm names in the order they are specified, looking for
560 a realm block named example.com.
561
562 There are two exceptions to this, one is the realm name * which means
563 match everything. Hence if you have a realm block named *, then it will
564 always match. This should then be the last realm block defined, since
565 any blocks after this would never be checked. This is useful for having
566 a default.
567
568 The other exception is regular expression matching. If the realm name
569 starts with a /, the name is treated as an regular expression. A case
570 insensitive regexp match will then be done using this regexp on the
571 value of the entire Username attribute. Optionally you may also have a
572 trailing / after the regexp. So as an example, if you want to use reg‐
573 exp matching the domain example.com you could have a realm block named
574 /@example\.com$/. If you want to match all domains under the .com top
575 domain, you could do /@.*\.com$/. Note that since the matching is done
576 on the entire attribute value, you can also use rules like
577 /^[a-k].*@example\.com$/ to get some of the users in this domain to use
578 one server, while other users could be matched by another realm block
579 and use another server.
580
581
582 SERVER SELECTION
583 Normally requests will be forwarded to the first server option defined.
584 If there are multiple server options, the proxy will do fail-over and
585 use the second server if the first is down. If the two first are down,
586 it will try the third etc. If the first server comes back up, it will
587 go back to using that one. Detection of servers being up or down is
588 based on the use of StatusServer (if enabled), and that TCP/TLS/DTLS
589 connections are up. Otherwise unanswered requests are used to detect
590 unresponsive servers. AccountingServers are treated the same, but inde‐
591 pendently of the other servers.
592
593 If there is no Server option, the proxy will if ReplyMessage is speci‐
594 fied, reply back to the client with an Access Reject message. The mes‐
595 sage contains a replyMessage attribute with the value as specified by
596 the ReplyMessage option. Note that this is different from having no
597 match since then the request is simply ignored. This can be used to
598 catch all undefined sub-domains or even all undefined realms by config‐
599 uring either a regex match like /@.*\.example\.com/ or the realm * with
600 no server option. Another use-case is to block a specific pattern in
601 the username or realm part using a regex.
602
603 If there is no AccountingServer option, the proxy will normally do
604 nothing, ignoring accounting requests. If instead AccountingResponse is
605 set to on, the proxy will log some of the accounting information and
606 send an Accounting-Response back. This stops clients from retransmit‐
607 ting Accounting-Request messages when a realm has no accountingServer
608 configured.
609
610
612 tls name {
613 ...
614 }
615
616 The TLS block specifies TLS configuration options and you need at least
617 one of these if you have clients or servers using TLS/DTLS. As dis‐
618 cussed in the client and server block descriptions, a client or server
619 block may reference a particular TLS block by name. There are also how‐
620 ever the special TLS block names default, defaultClient and default‐
621 Server which are used as defaults if the client or server block does
622 not reference a TLS block. Also note that a TLS block must be defined
623 before the client or server block that would use it. If you want the
624 same TLS configuration for all TLS/DTLS clients and servers, you need
625 just a single tls block named default, and the client and servers need
626 not refer to it. If you want all TLS/DTLS clients to use one config,
627 and all TLS/DTLS servers to use another, then you would be fine only
628 defining two TLS blocks named defaultClient and defaultServer. If you
629 want different clients (or different servers) to have different TLS
630 parameters, then you may need to create other TLS blocks with other
631 names, and reference those from the client or server definitions.
632
633 As both clients and servers need to present and verify a certificate,
634 both a certificate as well as a CA to verify the peers certificate
635 must be configured.
636
637 The allowed options in a tls block are:
638
639 CACertificateFile file
640 The CA certificate file used to verify the peers certificate.
641
642 CACertificatePath path
643 The path to search for CA or intermediate certificates.
644
645 CertificateFile file
646 The server certificate this proxy will use. The file may also
647 contain a certificate chain.
648
649 CertificateKeyFile file
650 The private-key file for the server certificate specified in
651 CACertificateFile.
652
653 CertificateKeyPassword password
654 The password to decrypt the private-key.
655
656 PolicyOID oid
657 Require the peers certificate to adhere to the policy specified
658 by oid. This can be specified multiple times.
659
660 CRLCheck (on|off)
661 Enable checking peer certificate against the CRL (default off).
662 Note that radsecproxy does not fetch the CRLs itslef. This has
663 to be done separately, e.g. with fetch-crl(8)
664
665 CacheExpiry seconds
666 Specify how many seconds the CA and CRL information should be
667 cached. By default, the CA and CRL are loaded at startup and
668 cached indefinetely. After the configured time, the CA CRL are
669 re-read. Alternatively, reloading the CA and CRL can be trig‐
670 gered by sending a SIGHUP to the radsecproxy process. This
671 option may be set to zero to disable caching.
672
673
674
676 rewrite name {
677 ...
678 }
679
680 The rewrite block specifies rules that may rewrite RADIUS messages. It
681 can be used to add, remove and modify specific attributes from messages
682 received from and sent to clients and servers. As discussed in the
683 client and server block descriptions, a client or server block may ref‐
684 erence a particular rewrite block by name. There are however also the
685 special rewrite block names default, defaultClient and defaultServer
686 which are used as defaults if the client or server block does not ref‐
687 erence a block. Also note that a rewrite block must be defined before
688 the client or server block that would use it. If you want the same re‐
689 write rules for input from all clients and servers, you need just a
690 single rewrite block named default, and the client and servers need not
691 refer to it. If you want all clients to use one config, and all servers
692 to use another, then you would be fine only defining two rewrite blocks
693 named defaultClient and defaultServer. Note that these defaults are
694 only used for rewrite on input. No rewriting is done on output unless
695 explicitly specified using the RewriteOut option.
696
697 The rewrite actions are performed in this sequence:
698 1. RemoveAttribute (or WhitelistAttribute)
699 2. ModifyAttribute
700 3. SupplementAttribute
701 4. AddAttribute
702
703 All options can be specified multiple times. The allowed options in a
704 rewrite block are:
705
706 AddAttribute attribute:value
707 Add an attribute to the radius message and set it to value. The
708 attribute must be specified using the numerical attribute id.
709 The value can either be numerical, a string, or a hex value. If
710 the value starts with a number, it is interpreted as a 32bit
711 unsigned integer. Use the ' character at the start of the value
712 to force string interpretation. When using hex value, it is rec‐
713 ommended to also lead with ' to avoid unintended numeric inter‐
714 pretation. See the CONFIGURATION SYNTAX section for further
715 details.
716
717 AddVendorAttribute vendor:subattribute:value
718 Add a vendor attribute to the radius message, specified by ven‐
719 dor and subattribute. Both vendor and subattribute must be spec‐
720 ified as numerical values. The format of value is the same as
721 for addAttribute above.
722
723 SupplementAttribute attribute:value
724 Add an attribute to the radius message and set it to value, only
725 if the attribute is not yet present on the message. The format
726 of value is the same as for addAttribute above.
727
728 SupplementVendorAttribute vendor:subattribute:value
729 Add a vendor attribute to the radius message only if the subat‐
730 tribute of this vendor is not yet present on the message. The
731 format of is the same as for addVendorAttribute above.
732
733 ModifyAttribute attribute:/regex/replace/
734 Modify the given attribute using the regex replace pattern. As
735 above, attribute must be specified by a numerical value. Example
736 usage:
737
738 modifyAttribute 1:/^(.*)@local$/\1@example.com/
739
740 ModifyVendorAttribute vendor:subattribute:/regex/replace/
741 Modify the given subattribute of given vendor using the regex
742 replace pattern. Other than the added vendor, the same syntax
743 as for ModifyAttribute applies.
744
745 RemoveAttribute attribute
746 Remove all attributes with the given id.
747
748 RemoveVendorAttribute vendor[:subattribute]
749 Remove all vendor attributes that match the given vendor and
750 subattribute. If the subattribute is omitted, all attributes
751 with the given vendor id are removed.
752
753 WhitelistMode (on|off)
754 Enable whitelist mode. All attributes except those configured
755 with WhitelistAttrbiute or WhitelistVendorAttribute will be
756 removed. While whitelist mode is active, RemoveAttribute and
757 RemoveVendorAttribute statements are ignored.
758
759 WhitelistAttribute attribute
760 Do not remove attributes with the given id when WhitelistMode is
761 on. Ignored otherwise.
762
763 WhitelistVendorAttribute vendor[:subattribute]
764 Do not remove vendor attributes that match the given vendor and
765 subattribute when WhitelistMode is on. Ignored otherwise.
766
767 If the subattribute is omitted, the complete vendor attribute is
768 whitelisted. Otherwise only the specified subattribute is kept
769 but all other subattributes are removed.
770
771
773 radsecproxy(1)
774
775
776
777radsecproxy 1.8.1 2019-10-01 radsecproxy.conf(5)