1radsecproxy.conf(5)                                        radsecproxy.conf(5)
2
3
4

NAME

6       radsecproxy.conf - Radsec proxy configuration file
7
8

DESCRIPTION

10       When  the  proxy  server  starts,  it will first check the command line
11       arguments, and then read the configuration file.  Normally  radsecproxy
12       will  read  the  configuration  file /etc/radsecproxy.conf. The command
13       line -c option can be used to instead read an alternate file (see  rad‐
14       secproxy(1) for details).
15
16       If the configuration file can not be found, the proxy will exit with an
17       error message. Note that there is also an include facility so that  any
18       configuration  file  may  include  other configuration files. The proxy
19       will also exit on configuration errors.
20
21

CONFIGURATION SYNTAX

23       When the configuration file is processed, whitespace (spaces and  tabs)
24       are  generally  ignored. For each line, leading and trailing whitespace
25       are ignored.  A line is ignored if it is empty, only consists of white‐
26       space,  or if the first non-whitespace character is a #. The configura‐
27       tion is generally case insensitive, but in some cases the option values
28       (see below) are not.
29
30       There  are  two types of configuration structures than can be used. The
31       first and simplest are lines on the format option value.  That  is,  an
32       option  name, see below for a list of valid options, followed by white‐
33       space (at least one space or tab character), followed by a value.  Note
34       that  if the value contains whitespace, then it must be quoted using ""
35       or ''. Any whitespace in front of the option or after the value will be
36       ignored.
37
38       The  other  type  of  structure  is a block. A block spans at least two
39       lines, and has the format:
40
41              blocktype name {
42                   option value
43                   option value
44                   ...
45              }
46
47
48       That is, some blocktype, see below for a list of  the  different  block
49       types,  and  then  enclosed  in braces you have zero or more lines that
50       each have the previously described option value format. Different block
51       types have different rules for which options can be specified, they are
52       listed below. The rules regarding white space, comments and quotes  are
53       as above. Hence you may do things like:
54
55              blocktype name {
56              #    option value
57                  option "value with space"
58                  ...
59              }
60
61
62       Option  value characters can also be written in hex for options requir‐
63       ing a string type value. This is done by writing the character  %  fol‐
64       lowed  by  two hexadecimal digits. If a % is used without two following
65       hexadecimal digits, the % and the  following  characters  are  used  as
66       written. If you want to write a % and not use this decoding, you may of
67       course write % in hex; i.e., %25. As %00 would terminate a string, this
68       value  is  not  converted  in most cases, except when used with rewrite
69       statements or secrets.
70
71       Some options allow or require the use of regular  expressions,  denoted
72       as regex. The POSIX extended RE system is used, see re_format(7).
73
74       There is one special option that can be used both as a basic option and
75       inside all blocks. That is the option Include where the value specifies
76       files  to  be  included.  The value can be a single file, or it can use
77       normal shell globbing to specify multiple files, e.g.:
78
79              include /etc/radsecproxy.conf.d/*.conf
80
81       The files are sorted alphabetically. Included files  are  read  in  the
82       order  they  are  specified,  when reaching the end of a file, the next
83       file is read. When reaching the end of  the  last  included  file,  the
84       proxy  returns  to  read  the  next  line following the Include option.
85       Included files may again include other files.
86
87

BASIC OPTIONS

89       The following basic options may be specified in the configuration file.
90       Note  that  blocktypes  and  options inside blocks are discussed later.
91       Note that none of these options are required, and indeed in many  cases
92       they  are  not  needed. Note that you should specify each at most once.
93       The behaviour with multiple occurrences is undefined.
94
95       PidFile file
96              The PidFile option specifies the name of a  file  to  which  the
97              process  id  (PID) will be written. This is overridden by the -i
98              command line option.  There is no default value for the  PidFile
99              option.
100
101       LogLevel 1-5
102              This  option  specifies the debug level. It must be set to 1, 2,
103              3, 4 or 5, where 1 logs only serious errors, and 5  logs  every‐
104              thing.  The  default  is 2 which logs errors, warnings and a few
105              informational messages. Note that the  command  line  option  -d
106              overrides this.
107
108       LogDestination (file|syslog)
109              This  specifies where the log messages should go. By default the
110              messages go to  syslog  with  facility  LOG_DAEMON.  Using  this
111              option you can specify another syslog facility, or you may spec‐
112              ify that logging should be to a particular file, not using  sys‐
113              log. The value must be either a file or syslog URL. The file URL
114              is the standard one file:///var/log/radsecproxy/radsecproxy.log,
115              specifying  a  local  file  that should be used. For syslog, you
116              must use the syntax: x-syslog:///FACILITY where FACILITY must be
117              one  of  LOG_DAEMON, LOG_MAIL, LOG_USER, LOG_LOCAL0, LOG_LOCAL1,
118              LOG_LOCAL2,  LOG_LOCAL3,  LOG_LOCAL4,  LOG_LOCAL5,  LOG_LOCAL6or
119              LOG_LOCAL7.   You  may omit the facility from the URL to specify
120              logging to the default facility, but this  is  not  very  useful
121              since this is the default log destination. Note that this option
122              is ignored if -f is specified on the command line.
123
124       LogThreadId (on|off)
125              This can be set to on to include the thread-id in the  log  mes‐
126              sages (useful for debugging).
127
128
129       LogFullUsername (on|off)
130              This  can  be  set  to  off  to  only  log  the realm in Access-
131              Accept/Reject log messages (for privacy).
132
133       LogMAC opt
134              The LogMAC option can be used to control if and how Calling-Sta‐
135              tion-Id (the users Ethernet MAC address) is being logged. It can
136              be set to one  of  Static,  Original,  VendorHashed,  VendorKey‐
137              Hashed,  FullyHashed  or  FullyKeyHashed.  The default value for
138              LogMAC is Original.
139
140              See radsecproxy.conf-example for details.
141
142       LogKey key
143              The LogKey option is used to specify the key to use when produc‐
144              ing  HMAC's  as  an effect of specifying VendorKeyHashed or Ful‐
145              lyKeyHashed for the LogMAC option.
146
147       FTicksReporting fticks
148              The FTicksReporting option is used to enable F-Ticks logging and
149              can  be  set to None, Basic or Full.  Its default value is None.
150              If FTicksReporting is set to anything other than None, note that
151              the default value for FTicksMAC needs FTicksKey to be set.
152
153              See radsecproxy.conf-example for details.
154
155       FTicksMAC opt
156              The FTicksMAC option has the same function as LogMAC for FTicks.
157              The  default  for  FTicksMAC  is  VendorKeyHashed  which   needs
158              FTicksKey to be set.
159
160              Before  choosing  any  of Original, FullyHashed or VendorHashed,
161              consider the implications for user privacy  when  MAC  addresses
162              are  collected.  How  will  the  logs be stored, transferred and
163              accessed?
164
165       FTicksKey key
166              The FTicksKey option has the same function as LogKey for Fticks.
167
168       FTicksSyslogFacility syslog
169              The FTicksSyslogFacility option is used to specify  a  dedicated
170              syslog  facility  for  F-Ticks  messages. This allows for easier
171              filtering of F-Ticks messages. If no FTicksSyslogFacility option
172              is  given,  F-Ticks messages are written to what the LogDestina‐
173              tion option specifies.
174
175              F-Ticks  messages  are  always  logged  using  the   log   level
176              LOG_DEBUG.  Note  that specifying a file in FTicksSyslogFacility
177              (using the file:/// prefix) is not supported.
178
179       FTicksPrefix prefix
180              The FTicksPrefix option is used to set the prefix printed in  F-
181              Ticks  messages. This allows for use of F-Ticks messages in non-
182              eduroam environments.  If no FTicksPrefix option  is  given,  it
183              defaults to the prefix used for eduroam (F-TICKS/eduroam/1.0).
184
185
186       ListenUDP (address|*)[:port]
187       ListenTCP (address|*)[:port]
188       ListenTLS (address|*)[:port]
189       ListenDTLS (address|*)[:port]
190              Listen  for  the  address  and port for the respective protocol.
191              Normally the proxy will listen to the standard ports if  config‐
192              ured to handle clients with the respective protocol. The default
193              ports are 1812 for UDP and TCP and 2083 for  TLS  and  DTLS.  On
194              most  systems  it  will  do  this  for  all  of  the system's IP
195              addresses (both IPv4 and IPv6). On some systems however, it  may
196              respond  to only IPv4 or only IPv6. To specify an alternate port
197              you may use a value on the form *:port where port is  any  valid
198              port  number. If you also want to specify a specific address you
199              can do e.g.  192.168.1.1:1812 or  [2001:db8::1]:1812.  The  port
200              may  be  omitted if you want the default one. Note that you must
201              use brackets around the IPv6 address. These options may be spec‐
202              ified  multiple  times  to  listen  to multiple addresses and/or
203              ports for each protocol.
204
205       SourceUDP (address|*)[:port]
206       SourceTCP (address|*)[:port]
207       SourceTLS (address|*)[:port]
208       SourceDTLS (address|*)[:port]
209              This can be used to specify source address  and/or  source  port
210              that  the  proxy will use for connecting to clients to send mes‐
211              sages (e.g. Access Request). The same syntax  as  for  Listen...
212              applies.
213
214       TTLAttribute (attr|vendor:attr)
215              This  can  be  used  to  change  the default TTL attribute. Only
216              change this if you know what you are doing. The syntax is either
217              a  numerical  value denoting the TTL attribute, or two numerical
218              values separated by column specifying a vendor attribute.
219
220       AddTTL 1-255
221              If a TTL attribute is present,  the  proxy  will  decrement  the
222              value  and  discard the message if zero. Normally the proxy does
223              nothing if no TTL attribute is present. If you  use  the  AddTTL
224              option  with  a  value  1-255, the proxy will, when forwarding a
225              message with no TTL attribute, add one with the specified value.
226              Note  that this option can also be specified for a client/server
227              which will override this setting when forwarding  a  message  to
228              that client/server.
229
230       LoopPrevention (on|off)
231              When  this  is  enabled  (on), a request will never be sent to a
232              server named the same as the client it was received from.  I.e.,
233              the names of the client block and the server block are compared.
234              Note that this only gives limited protection against  loops.  It
235              can  be used as a basic option and inside server blocks where it
236              overrides the basic setting.
237
238       IPv4Only (on|off)
239       IPv6Only (on|off)
240              Enabling IPv4Only or IPv6Only (on) makes radsecproxy resolve DNS
241              names  to  the  corresponding  address  family only, and not the
242              other. This is done for both clients and servers. At most one of
243              IPv4Only  and  IPv6Only  can  be enabled.  Note that this can be
244              overridden in client and server blocks, see below.
245
246       Include file
247              This is not a normal configuration option; it can  be  specified
248              multiple  times.   It  can  both  be  used as a basic option and
249              inside blocks. For the full description, see  the  configuration
250              syntax section above.
251
252

BLOCKS

254       There are five types of blocks, they are client, server, realm, tls and
255       rewrite.  At least one instance of each of client and realm is required
256       for  the proxy to do anything useful, and it will exit if none are con‐
257       figured. The tls block is required if at least one TLS/DTLS  client  or
258       server  is  configured. Note that there can be multiple blocks for each
259       type. For each type, the block names should be  unique.  The  behaviour
260       with  multiple  occurrences of the same name for the same block type is
261       undefined. Also note that some block  option  values  may  reference  a
262       block by name, in which case the block name must be previously defined.
263       Hence the order of the blocks may be significant.
264
265

CLIENT BLOCK

267       client (name|fqdn|(address[/length])) {
268            ...
269       }
270
271       The client block is used to configure a client. That is, tell the proxy
272       about a client, and what parameters should be used for that client. The
273       name of the client block must (with one exception, see below) be either
274       the  IP  address  (IPv4  or  IPv6) of the client, an IP prefix (IPv4 or
275       IPv6) on the form IpAddress/PrefixLength, or a domain name (FQDN).  The
276       way an FQDN is resolved into an IP address may be influenced by the use
277       of the IPv4Only and IPv6Only options. Note that literal IPv6  addresses
278       must be enclosed in brackets.
279
280       If  a  domain name is specified, then this will be resolved immediately
281       to all the addresses associated with the name, and the proxy  will  not
282       care about any possible DNS changes that might occur later. Hence there
283       is no dependency on DNS after startup. However, if the name can not  be
284       resolved, startup will fail.
285
286       When  some  client  later  sends a request to the proxy, the proxy will
287       look at the IP address the request comes from, and then go through  all
288       the  addresses of each of the configured clients (in the order they are
289       defined), to determine which (if any) of  the  clients  this  is.  When
290       using  the IpAddress/PrefixLength form, this might mask clients defined
291       later, which then will never be matched.
292
293       In the case of TLS/DTLS, the name of the client must match the FQDN  or
294       IP  address  in the client certificate (CN or SubectAltName:DNS or Sub‐
295       jectAltName:IP respectively). Note that this is not required  when  the
296       client  name  is  an IP prefix. If overlapping clients are defined (see
297       section above), they will be searched for matching  MatchCertificateAt‐
298       tribute, but they must reference the same tls block.
299
300       The allowed options in a client block are:
301
302       Host (fqdn|(address[/length]))
303              Alternatively  of  specifying  the  FQDN or address in the block
304              name,  the host option may be used. In that case, the  value  of
305              the  host  option  is used as described above, while the name of
306              the block is only used as a descriptive name for the administra‐
307              tor.  The  host  option may be used multiple times, and can be a
308              mix of addresses, FQDNs and prefixes.
309
310       IPv4Only (on|off)
311       IPv6Only (on|off)
312              Enabling IPv4Only or IPv6Only (on) makes radsecproxy resolve DNS
313              names  to  the  corresponding  address  family only, and not the
314              other. At most one of IPv4Only and IPv6Only can be enabled. Note
315              that this will override the global option for this client.
316
317       Type type
318              Specify the type (protocol) of the client. Available options are
319              UDP, TCP, TLS and DTLS.
320
321       Secret secret
322              Use secret as the shared RADIUS key with  this  client.  If  the
323              secret  contains  whitespace,  the  value  must  be quoted. This
324              option is optional for TLS/DTLS and if omitted will  default  to
325              "radsec".  (Note that using a secret other than "radsec" for TLS
326              is a violation of the standard (RFC 6614) and that the  proposed
327              standard   for   DTLS   stipulates   that  the  secret  must  be
328              "radius/dtls".)
329
330       TLS tls
331              For a TLS/DTLS client you may also specify the tls  option.  The
332              option value must be the name of a previously defined TLS block.
333              If this option is not specified, the TLS  block  with  the  name
334              defaultClient  or  default  will  be  used  if  defined (in that
335              order). If the specified TLS block name does not exist,  or  the
336              option  is  not  specified  and  none of the defaults exist, the
337              proxy will exit with an error.
338
339       CertificateNameCheck (on|off)
340              For a TLS/DTLS client, disable the default behaviour of matching
341              CN  or  SubjectAltName  against  the  specified  hostname  or IP
342              address.
343
344       matchCertificateAttribute  (  CN  |  SubjectAltName:URI  |  SubjectAlt‐
345       Name:DNS ) :/regexp/
346       MatchCertificateAttribute SubjectAltName:IP:address
347              Perform  additional  validation  of certificate attributes. Cur‐
348              rently matching of CN and SubjectAltName types URI DNS and IP is
349              supported. Note that currently this option can only be specified
350              once in a client block.
351
352       DuplicateInterval seconds
353              Specify for how many seconds duplicate checking should be  done.
354              If a proxy receives a new request within a few seconds of a pre‐
355              vious one, it may be treated the same if from the  same  client,
356              with  the same authenticator etc. The proxy will then ignore the
357              new request (if it is still processing  the  previous  one),  or
358              returned a copy of the previous reply.
359
360       AddTTL 1-255
361              The AddTTL option has the same meaning as the option used in the
362              basic config.  See the BASIC OPTIONS section  for  details.  Any
363              value  configured here overrides the basic one when sending mes‐
364              sages to this client.
365
366       TCPKeepalive (on|off)
367              Enable TCP keepalive (default is off).  If  keepalives  are  not
368              answered within 30s the connection is considered lost.
369
370       FticksVISCOUNTRY cc
371              Sets this client to be eligible to F-Ticks logging as defined by
372              the FTicksReporting basic option, and specifies the  country  to
373              be  reported.  The country should be specified by the two-letter
374              country code.
375
376       FticksVISINST institution
377              Set the institution to report in F-Ticks logging. If this option
378              is omitted, the name of the client block is used.
379
380       Rewrite rewrite
381              This option is deprecated. Use rewriteIn instead.
382
383       RewriteIn rewrite
384       RewriteOut rewrite
385              Apply  the operations in the specified rewrite block on incoming
386              (request) or outgoing  (response)  messages  from  this  client.
387              Rewriting incoming messages is done before, outgoing after other
388              processing. If the RewriteIn  is  not  configured,  the  rewrite
389              blocks  defaultClient  or default will be applied if defined. No
390              default blocks are applied for RewriteOut.
391
392       RewriteAttribute User-Name:/regex/replace/
393              Rewrite the User-Name attribute in  a  client  request  for  the
394              request forwarded by the proxy. The User-Name attribute is writ‐
395              ten back to the original value if a matching response  is  later
396              sent back to the client. Example usage:
397
398              RewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
399
400
401

SERVER BLOCK

403       server (name|((fqdn|address)[:port])) {
404            ...
405       }
406
407       The server block is used to configure a server. That is, tell the proxy
408       about a server, and what parameters should be used  when  communicating
409       with  that  server.  The name of the server block must (with one excep‐
410       tion, see below) be either the IP address (IPv4 or IPv6) of the server,
411       or  a domain name (FQDN). If a domain name is specified, then this will
412       be resolved immediately to all the addresses associated with the  name,
413       and  the  proxy will not care about any possible DNS changes that might
414       occur later. Hence there is no dependency on DNS after startup. If  the
415       domain name resolves to multiple addresses, then for UDP/DTLS the first
416       address is used. For TCP/TLS, the proxy will loop through the addresses
417       until  it  can connect to one of them. The way an FQDN is resolved into
418       an IP address may be influenced by the use of the IPv4Only and IPv6Only
419       options.
420
421       In  the case of TLS/DTLS, the name of the server must match the FQDN or
422       IP address in the server certificate.
423
424       Note that the fqdn or address may include a port number (separated with
425       a  column).  This  port number will then override the default port or a
426       port option in the server block. Also note that literal IPv6  addresses
427       must be enclosed in brackets.
428
429       The allowed options in a server block are:
430
431       Host (fqdn|address)[:port]
432              Alternatively  of  specifying  the  FQDN or address in the block
433              name the host option may be used. In that case, the value of the
434              host  option  is  used as described above, while the name of the
435              block is only used as a descriptive name for the  administrator.
436              Note  that  multiple host options may be used. This will then be
437              treated as multiple names/addresses for the  same  server.  When
438              initiating  a TCP/TLS connection, all addresses of all names may
439              be attempted, but there is no  failover  between  the  different
440              host values. For failover use separate server blocks.
441
442       Port port
443              Specify  the  port  (UDP/TCP) to connect to. If omitted, UDP and
444              TCP will default to 1812 while TLS  and  DTLS  will  default  to
445              2083.
446
447       DynamicLookupCommand command
448              Execute  the command to dynamically configure a server. The exe‐
449              cutable file should be given with full path and will be  invoked
450              with  the  name  of the realm as its first and only argument. It
451              should either print a valid server {...} option  on  stdout  and
452              exit  with a code of 0 or print nothing and exit with a non-zero
453              exit code.
454
455              If the command exited with 0 an provided a valid server  config,
456              it  will  be  combined with the statements in this server block,
457              with the values returned by the command taking preference.
458
459              An example of a shell script resolving the DNS NAPTR records for
460              the  realm  and then the SRV records for each NAPTR matching 'x-
461              eduroam:radius.tls' is provided in tools/naptr-eduroam.sh.
462
463       StatusServer (on|off|minimal|auto)
464              Enable  the  use  of  status-server  messages  for  this  server
465              (default  off).  If statusserver is enabled (on), the proxy will
466              send regular status-server messages to the server to verify that
467              it is alive. Status tracking of the server will solely depend on
468              status-server message and ignore lost requests. This should only
469              be  enabled  if  the server supports it. With the option minimal
470              status-server messages are only sent when regular requests  have
471              been lost and no other replies have been received.
472
473              The  option  auto  tries to detect whether the other server sup‐
474              ports status-server. If so, status-server messages  are  enabled
475              in minimal mode.
476
477       RetryCount count
478              Set  how  many times the proxy should retry sending a request to
479              the server. Default is  2  retries.   Please  note  that  Radius
480              retries are normally done by the NAS.
481
482       RetryInterfval interval
483              Set the interval between each retry. Default is 5s.
484
485       Rewrite rewrite
486              This option is deprecated. Use rewriteIn instead.
487
488       RewriteOut rewrite
489       RewriteIn rewrite
490              Apply  the operations in the specified rewrite block on outgoing
491              (request) or incoming (response) messages to/from  this  server.
492              Rewriting outgoing messages is done after, incoming before other
493              processing. If the RewriteIn  is  not  configured,  the  rewrite
494              blocks  defaultServer  or default will be applied if defined. No
495              default blocks are applied for RewriteOut.
496
497       LoopPrevention (on|off)
498              This overrides the global LoopPrevention option for this server.
499              See section BASIC OPTIONS for details on this option.
500
501       The meaning and syntax of the following options are exactly the same as
502       for the client block. The details are not repeated here.  Please  refer
503       to the definitions in the CLIENT BLOCK section.
504
505       IPv4Only (on|off)
506       IPv6Only (on|off)
507       Type type
508       Secret secret
509       TLS tls
510       CertificateNameCheck (on|off)
511       matchCertificateAttribute  (  CN  |  SubjectAltName:URI  |  SubjectAlt‐
512       Name:DNS ) :/regexp/
513       MatchCertificateAttribute SubjectAltName:IP:address
514       AddTTL 1-255
515       TCPKeepalive (on|off)
516
517
518

REALM BLOCK

520       realm (*|realm|/regex/) {
521            ...
522       }
523
524       When the proxy receives an Access-Request it needs  to  figure  out  to
525       which  server  it  should  be forwarded. This is done by looking at the
526       Username attribute in the request, and matching that against the  names
527       of the defined realm blocks. The proxy will match against the blocks in
528       the order they are specified, using the first match if any. If no realm
529       matches,  the  proxy  will  simply ignore the request. Each realm block
530       specifies what the server should do when a match is found.
531
532       The allowed options in a realm block are:
533
534       Server server
535       AccountingServer server
536              Specify the server to which requests for this  realm  should  be
537              forwarded.   server references a previously defined server block
538              (see the SERVER BLOCK section). Each server and accountingServer
539              can  be  specified  multiple times, or omitted completely. If no
540              server is configured, the proxy will  deny  all  Access-Requests
541              for  this realm. If no accountingServer is configured, the proxy
542              will silently ignore all Accounting-Requests for this realm. See
543              the SERVER SELECTION section below for details.
544
545       AccountingResponse (on|off)
546              Enable  sending Accounting-Response instead of ignoring Account‐
547              ing-Requests when no accoutingServer are configured.
548
549       ReplyMessage message
550              Specify a message to be sent back to the  client  if  a  Access-
551              Request is denied because no server are configured.
552
553
554   REALM BLOCK NAMES AND MATCHING
555       In  the  general  case  the  proxy  will  look  for a @ in the username
556       attribute, and try to do an exact, case insensitive match between  what
557       comes  after  the  @  and  the name of the realm block. So if you get a
558       request with the attribute value anonymous@example.com, the proxy  will
559       go through the realm names in the order they are specified, looking for
560       a realm block named example.com.
561
562       There are two exceptions to this, one is the realm name *  which  means
563       match everything. Hence if you have a realm block named *, then it will
564       always match. This should then be the last realm block  defined,  since
565       any blocks after this would never be checked. This is useful for having
566       a default.
567
568       The other exception is regular expression matching. If the  realm  name
569       starts  with  a /, the name is treated as an regular expression. A case
570       insensitive regexp match will then be done using  this  regexp  on  the
571       value  of the entire Username attribute. Optionally you may also have a
572       trailing / after the regexp.  So as an example, if you want to use reg‐
573       exp  matching the domain example.com you could have a realm block named
574       /@example\.com$/. If you want to match all domains under the  .com  top
575       domain,  you could do /@.*\.com$/. Note that since the matching is done
576       on  the  entire  attribute  value,  you  can  also   use   rules   like
577       /^[a-k].*@example\.com$/ to get some of the users in this domain to use
578       one server, while other users could be matched by another  realm  block
579       and use another server.
580
581
582   SERVER SELECTION
583       Normally requests will be forwarded to the first server option defined.
584       If there are multiple server options, the proxy will do  fail-over  and
585       use  the second server if the first is down. If the two first are down,
586       it will try the third etc. If the first server comes back up,  it  will
587       go  back  to  using that one.  Detection of servers being up or down is
588       based on the use of StatusServer (if enabled),  and  that  TCP/TLS/DTLS
589       connections  are  up.  Otherwise unanswered requests are used to detect
590       unresponsive servers. AccountingServers are treated the same, but inde‐
591       pendently of the other servers.
592
593       If  there is no Server option, the proxy will if ReplyMessage is speci‐
594       fied, reply back to the client with an Access Reject message. The  mes‐
595       sage  contains  a replyMessage attribute with the value as specified by
596       the ReplyMessage option. Note that this is  different  from  having  no
597       match  since  then  the request is simply ignored.  This can be used to
598       catch all undefined sub-domains or even all undefined realms by config‐
599       uring either a regex match like /@.*\.example\.com/ or the realm * with
600       no server option.  Another use-case is to block a specific  pattern  in
601       the username or realm part using  a regex.
602
603       If  there  is  no  AccountingServer  option, the proxy will normally do
604       nothing, ignoring accounting requests. If instead AccountingResponse is
605       set  to  on,  the proxy will log some of the accounting information and
606       send an Accounting-Response back. This stops clients  from  retransmit‐
607       ting  Accounting-Request  messages when a realm has no accountingServer
608       configured.
609
610

TLS BLOCK

612       tls name {
613            ...
614       }
615
616       The TLS block specifies TLS configuration options and you need at least
617       one  of  these  if  you have clients or servers using TLS/DTLS. As dis‐
618       cussed in the client and server block descriptions, a client or  server
619       block may reference a particular TLS block by name. There are also how‐
620       ever the special TLS block names default,  defaultClient  and  default‐
621       Server  which  are  used as defaults if the client or server block does
622       not reference a TLS block. Also note that a TLS block must  be  defined
623       before  the  client  or server block that would use it. If you want the
624       same TLS configuration for all TLS/DTLS clients and servers,  you  need
625       just  a single tls block named default, and the client and servers need
626       not refer to it. If you want all TLS/DTLS clients to  use  one  config,
627       and  all  TLS/DTLS  servers to use another, then you would be fine only
628       defining two TLS blocks named defaultClient and defaultServer.  If  you
629       want  different  clients  (or  different servers) to have different TLS
630       parameters, then you may need to create other  TLS  blocks  with  other
631       names, and reference those from the client or server definitions.
632
633       As  both  clients and servers need to present and verify a certificate,
634       both a certificate as well as a CA  to  verify  the  peers  certificate
635       must be configured.
636
637       The allowed options in a tls block are:
638
639       CACertificateFile file
640              The CA certificate file used to verify the peers certificate.
641
642       CACertificatePath path
643              The path to search for CA or intermediate certificates.
644
645       CertificateFile file
646              The  server  certificate  this proxy will use. The file may also
647              contain a certificate chain.
648
649       CertificateKeyFile file
650              The private-key file for the  server  certificate  specified  in
651              CACertificateFile.
652
653       CertificateKeyPassword password
654              The password to decrypt the private-key.
655
656       PolicyOID oid
657              Require  the peers certificate to adhere to the policy specified
658              by oid.  This can be specified multiple times.
659
660       CRLCheck (on|off)
661              Enable checking peer certificate against the CRL (default off).
662              Note that radsecproxy does not fetch the CRLs itslef.  This  has
663              to be done separately, e.g. with fetch-crl(8)
664
665       CacheExpiry seconds
666              Specify  how  many  seconds the CA and CRL information should be
667              cached. By default, the CA and CRL are  loaded  at  startup  and
668              cached  indefinetely.  After the configured time, the CA CRL are
669              re-read. Alternatively, reloading the CA and CRL  can  be  trig‐
670              gered  by  sending  a  SIGHUP  to  the radsecproxy process. This
671              option may be set to zero to disable caching.
672
673
674

REWRITE BLOCK

676       rewrite name {
677            ...
678       }
679
680       The rewrite block specifies rules that may rewrite RADIUS messages.  It
681       can be used to add, remove and modify specific attributes from messages
682       received from and sent to clients and  servers.  As  discussed  in  the
683       client and server block descriptions, a client or server block may ref‐
684       erence a particular rewrite block by name. There are however  also  the
685       special  rewrite  block  names default, defaultClient and defaultServer
686       which are used as defaults if the client or server block does not  ref‐
687       erence  a  block. Also note that a rewrite block must be defined before
688       the client or server block that would use it. If you want the same  re‐
689       write  rules  for  input  from all clients and servers, you need just a
690       single rewrite block named default, and the client and servers need not
691       refer to it. If you want all clients to use one config, and all servers
692       to use another, then you would be fine only defining two rewrite blocks
693       named  defaultClient  and  defaultServer.  Note that these defaults are
694       only used for rewrite on input. No rewriting is done on  output  unless
695       explicitly specified using the RewriteOut option.
696
697       The rewrite actions are performed in this sequence:
698              1. RemoveAttribute (or WhitelistAttribute)
699              2. ModifyAttribute
700              3. SupplementAttribute
701              4. AddAttribute
702
703       All  options  can be specified multiple times. The allowed options in a
704       rewrite block are:
705
706       AddAttribute attribute:value
707              Add an attribute to the radius message and set it to value.  The
708              attribute  must  be  specified using the numerical attribute id.
709              The value can either be numerical, a string, or a hex value.  If
710              the  value  starts  with  a number, it is interpreted as a 32bit
711              unsigned integer.  Use the ' character at the start of the value
712              to force string interpretation. When using hex value, it is rec‐
713              ommended to also lead with ' to avoid unintended numeric  inter‐
714              pretation.  See  the  CONFIGURATION  SYNTAX  section for further
715              details.
716
717       AddVendorAttribute vendor:subattribute:value
718              Add a vendor attribute to the radius message, specified by  ven‐
719              dor and subattribute. Both vendor and subattribute must be spec‐
720              ified as numerical values. The format of value is  the  same  as
721              for addAttribute above.
722
723       SupplementAttribute attribute:value
724              Add an attribute to the radius message and set it to value, only
725              if the  attribute is not yet present on the message.  The format
726              of value is the same as for addAttribute above.
727
728       SupplementVendorAttribute vendor:subattribute:value
729              Add  a vendor attribute to the radius message only if the subat‐
730              tribute of this vendor is not yet present on  the  message.  The
731              format of is the same as for addVendorAttribute above.
732
733       ModifyAttribute attribute:/regex/replace/
734              Modify  the  given attribute using the regex replace pattern. As
735              above, attribute must be specified by a numerical value. Example
736              usage:
737
738              modifyAttribute 1:/^(.*)@local$/\1@example.com/
739
740       ModifyVendorAttribute vendor:subattribute:/regex/replace/
741              Modify  the  given  subattribute of given vendor using the regex
742              replace pattern.  Other than the added vendor, the  same  syntax
743              as for ModifyAttribute applies.
744
745       RemoveAttribute attribute
746              Remove all attributes with the given id.
747
748       RemoveVendorAttribute vendor[:subattribute]
749              Remove  all  vendor  attributes  that match the given vendor and
750              subattribute. If the subattribute  is  omitted,  all  attributes
751              with the given vendor id are removed.
752
753       WhitelistMode (on|off)
754              Enable  whitelist  mode.  All attributes except those configured
755              with  WhitelistAttrbiute  or  WhitelistVendorAttribute  will  be
756              removed.   While  whitelist  mode is active, RemoveAttribute and
757              RemoveVendorAttribute statements are ignored.
758
759       WhitelistAttribute attribute
760              Do not remove attributes with the given id when WhitelistMode is
761              on.  Ignored otherwise.
762
763       WhitelistVendorAttribute vendor[:subattribute]
764              Do  not remove vendor attributes that match the given vendor and
765              subattribute when WhitelistMode is on. Ignored otherwise.
766
767              If the subattribute is omitted, the complete vendor attribute is
768              whitelisted.  Otherwise  only the specified subattribute is kept
769              but all other subattributes are removed.
770
771

SEE ALSO

773       radsecproxy(1)
774
775
776
777radsecproxy 1.8.2                 2020-08-06               radsecproxy.conf(5)
Impressum