1radsecproxy.conf(5) radsecproxy.conf(5)
2
3
4
6 radsecproxy.conf - Radsec proxy configuration file
7
8
10 When the proxy server starts, it will first check the command line ar‐
11 guments, and then read the configuration file. Normally radsecproxy
12 will read the configuration file /etc/radsecproxy.conf. The command
13 line -c option can be used to instead read an alternate file (see rad‐
14 secproxy(8) for details).
15
16 If the configuration file can not be found, the proxy will exit with an
17 error message. Note that there is also an include facility so that any
18 configuration file may include other configuration files. The proxy
19 will also exit on configuration errors.
20
21
23 When the configuration file is processed, whitespace (spaces and tabs)
24 are generally ignored. For each line, leading and trailing whitespace
25 are ignored. A line is ignored if it is empty, only consists of white‐
26 space, or if the first non-whitespace character is a #. The configura‐
27 tion is generally case insensitive, but in some cases the option values
28 (see below) are not.
29
30 There are two types of configuration structures than can be used. The
31 first and simplest are lines on the format option value. That is, an
32 option name, see below for a list of valid options, followed by white‐
33 space (at least one space or tab character), followed by a value. Note
34 that if the value contains whitespace, then it must be quoted using ""
35 or ''. Any whitespace in front of the option or after the value will be
36 ignored.
37
38 The other type of structure is a block. A block spans at least two
39 lines, and has the format:
40
41 blocktype name {
42 option value
43 option value
44 ...
45 }
46
47
48 That is, some blocktype, see below for a list of the different block
49 types, and then enclosed in braces you have zero or more lines that
50 each have the previously described option value format. Different block
51 types have different rules for which options can be specified, they are
52 listed below. The rules regarding white space, comments and quotes are
53 as above. Hence you may do things like:
54
55 blocktype name {
56 # option value
57 option "value with space"
58 ...
59 }
60
61
62 Option value characters can also be written in hex for options requir‐
63 ing a string type value. This is done by writing the character % fol‐
64 lowed by two hexadecimal digits. If a % is used without two following
65 hexadecimal digits, the % and the following characters are used as
66 written. If you want to write a % and not use this decoding, you may of
67 course write % in hex; i.e., %25. As %00 would terminate a string, this
68 value is not converted in most cases, except when used with rewrite
69 statements or secrets.
70
71 Some options allow or require the use of regular expressions, denoted
72 as regex. The POSIX extended RE system is used, see re_format(7).
73
74 There is one special option that can be used both as a basic option and
75 inside all blocks. That is the option Include where the value specifies
76 files to be included. The value can be a single file, or it can use
77 normal shell globbing to specify multiple files, e.g.:
78
79 include /etc/radsecproxy.conf.d/*.conf
80
81 The files are sorted alphabetically. Included files are read in the or‐
82 der they are specified, when reaching the end of a file, the next file
83 is read. When reaching the end of the last included file, the proxy re‐
84 turns to read the next line following the Include option. Included
85 files may again include other files.
86
87
89 The following basic options may be specified in the configuration file.
90 Note that blocktypes and options inside blocks are discussed later.
91 Note that none of these options are required, and indeed in many cases
92 they are not needed. Note that you should specify each at most once.
93 The behaviour with multiple occurrences is undefined.
94
95 PidFile file
96 The PidFile option specifies the name of a file to which the
97 process id (PID) will be written. This is overridden by the -i
98 command line option. There is no default value for the PidFile
99 option.
100
101 LogLevel 1-5
102 This option specifies the debug level. It must be set to 1, 2,
103 3, 4 or 5, where 1 logs only serious errors, and 5 logs every‐
104 thing. The default is 2 which logs errors, warnings and a few
105 informational messages. Note that the command line option -d
106 overrides this.
107
108 LogDestination (file|syslog)
109 This specifies where the log messages should go. By default the
110 messages go to syslog with facility LOG_DAEMON. Using this op‐
111 tion you can specify another syslog facility, or you may specify
112 that logging should be to a particular file, not using syslog.
113 The value must be either a file URL like
114 file:///path/to/your/logfile.log or a syslog URL using the syn‐
115 tax: x-syslog:///FACILITY where FACILITY must be one of LOG_DAE‐
116 MON, LOG_MAIL, LOG_USER, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2,
117 LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6or LOG_LOCAL7.
118 You may omit the facility from the URL to specify logging to the
119 default facility, but this is not very useful since this is the
120 default log destination. Note that this option is ignored if -f
121 is specified on the command line.
122
123 LogThreadId (on|off)
124 This can be set to on to include the thread-id in the log mes‐
125 sages (useful for debugging).
126
127
128 LogFullUsername (on|off)
129 This can be set to off to only log the realm in Access-Ac‐
130 cept/Reject log messages (for privacy).
131
132 LogMAC opt
133 The LogMAC option can be used to control if and how Calling-Sta‐
134 tion-Id (the users Ethernet MAC address) is being logged. It can
135 be set to one of Static, Original, VendorHashed, VendorKey‐
136 Hashed, FullyHashed or FullyKeyHashed. The default value for
137 LogMAC is Original.
138
139 See radsecproxy.conf-example for details.
140
141 LogKey key
142 The LogKey option is used to specify the key to use when produc‐
143 ing HMAC's as an effect of specifying VendorKeyHashed or Ful‐
144 lyKeyHashed for the LogMAC option.
145
146 FTicksReporting fticks
147 The FTicksReporting option is used to enable F-Ticks logging and
148 can be set to None, Basic or Full. Its default value is None.
149 If FTicksReporting is set to anything other than None, note that
150 the default value for FTicksMAC needs FTicksKey to be set.
151
152 See radsecproxy.conf-example for details.
153
154 FTicksMAC opt
155 The FTicksMAC option has the same function as LogMAC for FTicks.
156 The default for FTicksMAC is VendorKeyHashed which needs
157 FTicksKey to be set.
158
159 Before choosing any of Original, FullyHashed or VendorHashed,
160 consider the implications for user privacy when MAC addresses
161 are collected. How will the logs be stored, transferred and ac‐
162 cessed?
163
164 FTicksKey key
165 The FTicksKey option has the same function as LogKey for Fticks.
166
167 FTicksSyslogFacility syslog
168 The FTicksSyslogFacility option is used to specify a dedicated
169 syslog facility for F-Ticks messages. This allows for easier
170 filtering of F-Ticks messages. If no FTicksSyslogFacility option
171 is given, F-Ticks messages are written to what the LogDestina‐
172 tion option specifies.
173
174 F-Ticks messages are always logged using the log level LOG_DE‐
175 BUG. Note that specifying a file in FTicksSyslogFacility (using
176 the file:/// prefix) is not supported.
177
178 FTicksPrefix prefix
179 The FTicksPrefix option is used to set the prefix printed in F-
180 Ticks messages. This allows for use of F-Ticks messages in non-
181 eduroam environments. If no FTicksPrefix option is given, it
182 defaults to the prefix used for eduroam (F-TICKS/eduroam/1.0).
183
184
185 ListenUDP (address|*)[:port]
186 ListenTCP (address|*)[:port]
187 ListenTLS (address|*)[:port]
188 ListenDTLS (address|*)[:port]
189 Listen for the address and port for the respective protocol.
190 Normally the proxy will listen to the standard ports if config‐
191 ured to handle clients with the respective protocol. The default
192 ports are 1812 for UDP and TCP and 2083 for TLS and DTLS. On
193 most systems it will do this for all of the system's IP ad‐
194 dresses (both IPv4 and IPv6). On some systems however, it may
195 respond to only IPv4 or only IPv6. To specify an alternate port
196 you may use a value on the form *:port where port is any valid
197 port number. If you also want to specify a specific address you
198 can do e.g. 192.168.1.1:1812 or [2001:db8::1]:1812. The port
199 may be omitted if you want the default one. Note that you must
200 use brackets around the IPv6 address. These options may be spec‐
201 ified multiple times to listen to multiple addresses and/or
202 ports for each protocol.
203
204 SourceUDP (address|*)[:port]
205 SourceTCP (address|*)[:port]
206 SourceTLS (address|*)[:port]
207 SourceDTLS (address|*)[:port]
208 This can be used to specify source address and/or source port
209 that the proxy will use for connecting to clients to send mes‐
210 sages (e.g. Access Request). The same syntax as for Listen...
211 applies.
212
213 TTLAttribute (attr|vendor:attr)
214 This can be used to change the default TTL attribute. Only
215 change this if you know what you are doing. The syntax is either
216 a numerical value denoting the TTL attribute, or two numerical
217 values separated by column specifying a vendor attribute.
218
219 AddTTL 1-255
220 If a TTL attribute is present, the proxy will decrement the
221 value and discard the message if zero. Normally the proxy does
222 nothing if no TTL attribute is present. If you use the AddTTL
223 option with a value 1-255, the proxy will, when forwarding a
224 message with no TTL attribute, add one with the specified value.
225 Note that this option can also be specified for a client/server
226 which will override this setting when forwarding a message to
227 that client/server.
228
229 LoopPrevention (on|off)
230 When this is enabled (on), a request will never be sent to a
231 server named the same as the client it was received from. I.e.,
232 the names of the client block and the server block are compared.
233 Note that this only gives limited protection against loops. It
234 can be used as a basic option and inside server blocks where it
235 overrides the basic setting.
236
237 IPv4Only (on|off)
238 IPv6Only (on|off)
239 Enabling IPv4Only or IPv6Only (on) makes radsecproxy resolve DNS
240 names to the corresponding address family only, and not the
241 other. This is done for both clients and servers. At most one of
242 IPv4Only and IPv6Only can be enabled. Note that this can be
243 overridden in client and server blocks, see below.
244
245 SNI (on|off)
246 Server Name Indication (SNI) is an extension to the TLS proto‐
247 col. It allows a client to indicate which hostname it is trying
248 to connect to at the start of the TLS handshake. Enabling this
249 will use the extension for all TLS and DTLS servers which spec‐
250 ify a hostname (not IP address). This can be overridden in
251 server blocks, see below.
252
253 Include file
254 This is not a normal configuration option; it can be specified
255 multiple times. It can both be used as a basic option and in‐
256 side blocks. For the full description, see the configuration
257 syntax section above.
258
259
261 There are five types of blocks, they are client, server, realm, tls and
262 rewrite. At least one instance of each of client and realm is required
263 for the proxy to do anything useful, and it will exit if none are con‐
264 figured. The tls block is required if at least one TLS/DTLS client or
265 server is configured. Note that there can be multiple blocks for each
266 type. For each type, the block names should be unique. The behaviour
267 with multiple occurrences of the same name for the same block type is
268 undefined. Also note that some block option values may reference a
269 block by name, in which case the block name must be previously defined.
270 Hence the order of the blocks may be significant.
271
272
274 client (name|fqdn|(address[/length])) {
275 ...
276 }
277
278 The client block is used to configure a client. That is, tell the proxy
279 about a client, and what parameters should be used for that client. The
280 name of the client block must (with one exception, see below) be either
281 the IP address (IPv4 or IPv6) of the client, an IP prefix (IPv4 or
282 IPv6) on the form IpAddress/PrefixLength, or a domain name (FQDN). The
283 way an FQDN is resolved into an IP address may be influenced by the use
284 of the IPv4Only and IPv6Only options. Note that literal IPv6 addresses
285 must be enclosed in brackets.
286
287 If a domain name is specified, then this will be resolved immediately
288 to all the addresses associated with the name, and the proxy will not
289 care about any possible DNS changes that might occur later. Hence there
290 is no dependency on DNS after startup. However, if the name can not be
291 resolved, startup will fail.
292
293 When some client later sends a request to the proxy, the proxy will
294 look at the IP address the request comes from, and then go through all
295 the addresses of each of the configured clients (in the order they are
296 defined), to determine which (if any) of the clients this is. When us‐
297 ing the IpAddress/PrefixLength form, this might mask clients defined
298 later, which then will never be matched.
299
300 In the case of TLS/DTLS, the name of the client must match the FQDN or
301 IP address in the client certificate (CN or SubectAltName:DNS or Sub‐
302 jectAltName:IP respectively) and any MatchCertificateAttribute to be
303 positively identified. Note that no FQDN/IP is checked when using an
304 IP prefix. If overlapping clients are defined (see section above),
305 they will be searched for positive identification, but only among
306 clients referencing the same tls block (selected by the first matching
307 IP address or prefix).
308
309 The allowed options in a client block are:
310
311 Host (fqdn|(address[/length]))
312 Alternatively of specifying the FQDN or address in the block
313 name, the host option may be used. In that case, the value of
314 the host option is used as described above, while the name of
315 the block is only used as a descriptive name for the administra‐
316 tor. The host option may be used multiple times, and can be a
317 mix of addresses, FQDNs and prefixes.
318
319 IPv4Only (on|off)
320 IPv6Only (on|off)
321 Enabling IPv4Only or IPv6Only (on) makes radsecproxy resolve DNS
322 names to the corresponding address family only, and not the
323 other. At most one of IPv4Only and IPv6Only can be enabled. Note
324 that this will override the global option for this client.
325
326 Type type
327 Specify the type (protocol) of the client. Available options are
328 UDP, TCP, TLS and DTLS.
329
330 Secret secret
331 Use secret as the shared RADIUS key with this client. If the se‐
332 cret contains whitespace, the value must be quoted. This option
333 is optional for TLS/DTLS and if omitted will default to "rad‐
334 sec". (Note that using a secret other than "radsec" for TLS is a
335 violation of the standard (RFC 6614) and that the proposed stan‐
336 dard for DTLS stipulates that the secret must be "radius/dtls".)
337
338 TLS tls
339 For a TLS/DTLS client you may also specify the tls option. The
340 option value must be the name of a previously defined TLS block.
341 If this option is not specified, the TLS block with the name de‐
342 faultClient or default will be used if defined (in that order).
343 If the specified TLS block name does not exist, or the option is
344 not specified and none of the defaults exist, the proxy will
345 exit with an error.
346
347 ServerName servername
348 Use servername for the certificate name check instead of host or
349 the client block name (e.g. if host uses static IP address).
350
351 CertificateNameCheck (on|off)
352 For a TLS/DTLS client, disable the default behaviour of matching
353 CN or SubjectAltName against the specified hostname or IP ad‐
354 dress.
355
356 MatchCertificateAttribute CN:/regexp/
357 MatchCertificateAttribute SubjectAltName:DNS:/regexp/
358 MatchCertificateAttribute SubjectAltName:URI:/regexp/
359 MatchCertificateAttribute SubjectAltName:IP:address
360 MatchCertificateAttribute SubjectAltName:rID:oid
361 MatchCertificateAttribute SubjectAltName:otherName:oid:/regexp/
362 Perform additional validation of certificate attributes. Cur‐
363 rently matching of CN and SubjectAltName types URI, DNS, IP,
364 rID, and otherName is supported. If specified multiple times,
365 all terms must match for the certificate to be considered valid.
366
367 DuplicateInterval seconds
368 Specify for how many seconds duplicate checking should be done.
369 If a proxy receives a new request within a few seconds of a pre‐
370 vious one, it may be treated the same if from the same client,
371 with the same authenticator etc. The proxy will then ignore the
372 new request (if it is still processing the previous one), or re‐
373 turned a copy of the previous reply.
374
375 AddTTL 1-255
376 The AddTTL option has the same meaning as the option used in the
377 basic config. See the BASIC OPTIONS section for details. Any
378 value configured here overrides the basic one when sending mes‐
379 sages to this client.
380
381 TCPKeepalive (on|off)
382 Enable TCP keepalive (default is off). If keepalives are not an‐
383 swered within 30s the connection is considered lost.
384
385 FticksVISCOUNTRY cc
386 Sets this client to be eligible to F-Ticks logging as defined by
387 the FTicksReporting basic option, and specifies the country to
388 be reported. The country should be specified by the two-letter
389 country code.
390
391 FticksVISINST institution
392 Set the institution to report in F-Ticks logging. If this option
393 is omitted, the name of the client block is used.
394
395 Rewrite rewrite
396 This option is deprecated. Use rewriteIn instead.
397
398 RewriteIn rewrite
399 RewriteOut rewrite
400 Apply the operations in the specified rewrite block on incoming
401 (request) or outgoing (response) messages from this client.
402 Rewriting incoming messages is done before, outgoing after other
403 processing. If the RewriteIn is not configured, the rewrite
404 blocks defaultClient or default will be applied if defined. No
405 default blocks are applied for RewriteOut.
406
407 RewriteAttribute User-Name:/regex/replace/
408 Rewrite the User-Name attribute in a client request for the re‐
409 quest forwarded by the proxy. The User-Name attribute is written
410 back to the original value if a matching response is later sent
411 back to the client. Example usage:
412
413 RewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
414
415
416
418 server (name|((fqdn|address)[:port])) {
419 ...
420 }
421
422 The server block is used to configure a server. That is, tell the proxy
423 about a server, and what parameters should be used when communicating
424 with that server. The name of the server block must (with one excep‐
425 tion, see below) be either the IP address (IPv4 or IPv6) of the server,
426 or a domain name (FQDN). If a domain name is specified, then this will
427 be resolved immediately to all the addresses associated with the name,
428 and the proxy will not care about any possible DNS changes that might
429 occur later. Hence there is no dependency on DNS after startup. If the
430 domain name resolves to multiple addresses, then for UDP/DTLS the first
431 address is used. For TCP/TLS, the proxy will loop through the addresses
432 until it can connect to one of them. The way an FQDN is resolved into
433 an IP address may be influenced by the use of the IPv4Only and IPv6Only
434 options.
435
436 In the case of TLS/DTLS, the name of the server must match the FQDN or
437 IP address in the server certificate.
438
439 Note that the fqdn or address may include a port number (separated with
440 a column). This port number will then override the default port or a
441 port option in the server block. Also note that literal IPv6 addresses
442 must be enclosed in brackets.
443
444 The allowed options in a server block are:
445
446 Host (fqdn|address)[:port]
447 Alternatively of specifying the FQDN or address in the block
448 name the host option may be used. In that case, the value of the
449 host option is used as described above, while the name of the
450 block is only used as a descriptive name for the administrator.
451 Note that multiple host options may be used. This will then be
452 treated as multiple names/addresses for the same server. When
453 initiating a TCP/TLS connection, all addresses of all names may
454 be attempted, but there is no failover between the different
455 host values. For failover use separate server blocks.
456
457 Port port
458 Specify the port (UDP/TCP) to connect to. If omitted, UDP and
459 TCP will default to 1812 while TLS and DTLS will default to
460 2083.
461
462 Source (address|*)[:port]
463 Specify the source address and/or port to use for this server.
464 See Source... options above.
465
466 ServerName servername
467 Use servername for the certificate name check instead of host or
468 the server block name (e.g. if host uses static IP address). Ad‐
469 ditionally, this name is used for SNI (if enabled), unless SNIs‐
470 ervername is set.
471
472 DynamicLookupCommand command
473 Execute the command to dynamically configure a server for a
474 realm given by the username field in an Access-Request. The
475 command can take two special forms, naptr:service or srv:prefix,
476 or point to a script or executable.
477
478 The naptr: and srv: forms execute the corresponding DNS queries,
479 either searching for service in NAPTR records (followed by SRV
480 query), or querying for prefix.realm SRV records. Finally a
481 server block will be constructed for the dynamic realm taking
482 this server block as a template and overriding the host entries
483 with the content of the SRV records.
484
485 Otherwise, the command should be an executable file or script,
486 given with full path, that will be invoked with the name of the
487 realm as its first and only argument. It should either print a
488 valid server {...} block containing at least one host statement
489 on stdout and exit with a code of 0, or print nothing and exit
490 with a non-zero exit code. If the command exited with 0 and pro‐
491 vided a valid server config, it will be combined with the state‐
492 ments in this server block, with the values returned by the com‐
493 mand taking preference.
494
495 An example of a shell script resolving the DNS NAPTR records for
496 the realm and then the SRV records for each NAPTR matching 'x-
497 eduroam:radius.tls' is provided in tools/naptr-eduroam.sh. This
498 is equivalent to configuring 'naptr:x-eduroam:radius.tls' di‐
499 rectly.
500
501 StatusServer (on|off|minimal|auto)
502 Enable the use of status-server messages for this server (de‐
503 fault off). If statusserver is enabled (on), the proxy will
504 send regular status-server messages to the server to verify that
505 it is alive. Status tracking of the server will solely depend on
506 status-server message and ignore lost requests. This should only
507 be enabled if the server supports it. With the option minimal
508 status-server messages are only sent when regular requests have
509 been lost and no other replies have been received.
510
511 The option auto tries to detect whether the other server sup‐
512 ports status-server. If so, status-server messages are enabled
513 in minimal mode.
514
515 RetryCount count
516 Set how many times the proxy should retry sending a request to
517 the server. Default is 2 retries. Please note that Radius re‐
518 tries are normally done by the NAS.
519
520 RetryInterfval interval
521 Set the interval between each retry. Default is 5s.
522
523 Rewrite rewrite
524 This option is deprecated. Use rewriteIn instead.
525
526 RewriteOut rewrite
527 RewriteIn rewrite
528 Apply the operations in the specified rewrite block on outgoing
529 (request) or incoming (response) messages to/from this server.
530 Rewriting outgoing messages is done after, incoming before other
531 processing. If the RewriteIn is not configured, the rewrite
532 blocks defaultServer or default will be applied if defined. No
533 default blocks are applied for RewriteOut.
534
535 LoopPrevention (on|off)
536 This overrides the global LoopPrevention option for this server.
537 See section BASIC OPTIONS for details on this option.
538
539 BlockingStartup (on|off)
540 Start the dynamic server in blocking mode (default off), treat‐
541 ing it as if it was already connected and enqueue requests to
542 this server. Queued requests will be sent out when the connec‐
543 tion is established. If however the dynamic lookup or the con‐
544 nection fails, the queued requests will be lost. (This is only
545 considered for dynamic lookup servers. Ie when DynamicLookupCom‐
546 mand is specified) Warning: when the dynamic lookup and connec‐
547 tion process is slow, this wil block the respective realm for
548 that time.
549
550 SNI (on|off)
551
552 Override gobal SNI setting (see above). This is implicitly en‐
553 abled if SNIservername is set.
554
555 SNIservername sni
556 Explicitly set the sni to request from the server, in case the
557 server is specified by IP address or to override the hostname.
558 Implicitly enables SNI for this server.
559
560 DTLSForceMTU mtu
561 Some non-Linux platforms are unable to query the MTU of a con‐
562 nection, causing DTLS to limit itself to 256 bytes and thus
563 failing to connect. Manually set mtu to a large enough value so
564 the initial DTLS cleint-hello fits without fragmentation.
565
566 The meaning and syntax of the following options are exactly the same as
567 for the client block. The details are not repeated here. Please refer
568 to the definitions in the CLIENT BLOCK section.
569
570 IPv4Only (on|off)
571 IPv6Only (on|off)
572 Type type
573 Secret secret
574 TLS tls
575 CertificateNameCheck (on|off)
576 MatchCertificateAttribute ...
577 AddTTL 1-255
578 TCPKeepalive (on|off)
579
580
581
583 realm (*|realm|/regex/) {
584 ...
585 }
586
587 When the proxy receives an Access-Request it needs to figure out to
588 which server it should be forwarded. This is done by looking at the
589 Username attribute in the request, and matching that against the names
590 of the defined realm blocks. The proxy will match against the blocks in
591 the order they are specified, using the first match if any. If no realm
592 matches, the proxy will simply ignore the request. Each realm block
593 specifies what the server should do when a match is found.
594
595 The allowed options in a realm block are:
596
597 Server server
598 AccountingServer server
599 Specify the server to which requests for this realm should be
600 forwarded. server references a previously defined server block
601 (see the SERVER BLOCK section). Each server and accountingServer
602 can be specified multiple times, or omitted completely. If no
603 server is configured, the proxy will deny all Access-Requests
604 for this realm. If no accountingServer is configured, the proxy
605 will silently ignore all Accounting-Requests for this realm. See
606 the SERVER SELECTION section below for details.
607
608 AccountingResponse (on|off)
609 Enable sending Accounting-Response instead of ignoring Account‐
610 ing-Requests when no accoutingServer are configured.
611
612 AccountingLog (on|off)
613 When responding to Accounting-Requests (AccountingResponse on),
614 log the accounting data.
615
616 ReplyMessage message
617 Specify a message to be sent back to the client if a Access-Re‐
618 quest is denied because no server are configured.
619
620
621 REALM BLOCK NAMES AND MATCHING
622 In the general case the proxy will look for a @ in the username attri‐
623 bute, and try to do an exact, case insensitive match between what comes
624 after the @ and the name of the realm block. So if you get a request
625 with the attribute value anonymous@example.com, the proxy will go
626 through the realm names in the order they are specified, looking for a
627 realm block named example.com.
628
629 There are two exceptions to this, one is the realm name * which means
630 match everything. Hence if you have a realm block named *, then it will
631 always match. This should then be the last realm block defined, since
632 any blocks after this would never be checked. This is useful for having
633 a default.
634
635 The other exception is regular expression matching. If the realm name
636 starts with a /, the name is treated as an regular expression. A case
637 insensitive regexp match will then be done using this regexp on the
638 value of the entire Username attribute. Optionally you may also have a
639 trailing / after the regexp. So as an example, if you want to use reg‐
640 exp matching the domain example.com you could have a realm block named
641 /@example\.com$/. If you want to match all domains under the .com top
642 domain, you could do /@.*\.com$/. Note that since the matching is done
643 on the entire attribute value, you can also use rules like
644 /^[a-k].*@example\.com$/ to get some of the users in this domain to use
645 one server, while other users could be matched by another realm block
646 and use another server.
647
648
649 SERVER SELECTION
650 Normally requests will be forwarded to the first server option defined.
651 If there are multiple server options, the proxy will do fail-over and
652 use the second server if the first is down. If the two first are down,
653 it will try the third etc. If the first server comes back up, it will
654 go back to using that one. Detection of servers being up or down is
655 based on the use of StatusServer (if enabled), and that TCP/TLS/DTLS
656 connections are up. Otherwise unanswered requests are used to detect
657 unresponsive servers. AccountingServers are treated the same, but inde‐
658 pendently of the other servers.
659
660 If there is no Server option, the proxy will if ReplyMessage is speci‐
661 fied, reply back to the client with an Access Reject message. The mes‐
662 sage contains a replyMessage attribute with the value as specified by
663 the ReplyMessage option. Note that this is different from having no
664 match since then the request is simply ignored. This can be used to
665 catch all undefined sub-domains or even all undefined realms by config‐
666 uring either a regex match like /@.*\.example\.com/ or the realm * with
667 no server option. Another use-case is to block a specific pattern in
668 the username or realm part using a regex.
669
670 If there is no AccountingServer option, the proxy will normally do
671 nothing, ignoring accounting requests. If instead AccountingResponse is
672 set to on, the proxy will log some of the accounting information and
673 send an Accounting-Response back. This stops clients from retransmit‐
674 ting Accounting-Request messages when a realm has no accountingServer
675 configured.
676
677
679 tls name {
680 ...
681 }
682
683 The TLS block specifies TLS configuration options and you need at least
684 one of these if you have clients or servers using TLS/DTLS. As dis‐
685 cussed in the client and server block descriptions, a client or server
686 block may reference a particular TLS block by name. There are also how‐
687 ever the special TLS block names default, defaultClient and default‐
688 Server which are used as defaults if the client or server block does
689 not reference a TLS block. Also note that a TLS block must be defined
690 before the client or server block that would use it. If you want the
691 same TLS configuration for all TLS/DTLS clients and servers, you need
692 just a single tls block named default, and the client and servers need
693 not refer to it. If you want all TLS/DTLS clients to use one config,
694 and all TLS/DTLS servers to use another, then you would be fine only
695 defining two TLS blocks named defaultClient and defaultServer. If you
696 want different clients (or different servers) to have different TLS pa‐
697 rameters, then you may need to create other TLS blocks with other
698 names, and reference those from the client or server definitions.
699
700 As both clients and servers need to present and verify a certificate,
701 both a certificate as well as a CA to verify the peers certificate
702 must be configured.
703
704 The allowed options in a tls block are:
705
706 CACertificateFile file
707 The CA certificate file used to verify the peers certificate.
708
709 CACertificatePath path
710 The path to search for CA or intermediate certificates.
711
712 CertificateFile file
713 The server certificate this proxy will use. The file may also
714 contain a certificate chain.
715
716 CertificateKeyFile file
717 The private-key file for the server certificate specified in
718 CACertificateFile.
719
720 CertificateKeyPassword password
721 The password to decrypt the private-key.
722
723 PolicyOID oid
724 Require the peers certificate to adhere to the policy specified
725 by oid. When specified multiple times at least one policy must
726 be valid in the peer certificate.
727
728 CRLCheck (on|off)
729 Enable checking peer certificate against the CRL (default off).
730 Note that radsecproxy does not fetch the CRLs itself. This has
731 to be done separately, e.g. with fetch-crl(8)
732
733 CacheExpiry seconds
734 Specify how many seconds the CA and CRL information should be
735 cached. By default, the CA and CRL are loaded at startup and
736 cached indefinetely. After the configured time, the CA CRL are
737 re-read. Alternatively, reloading the CA and CRL can be trig‐
738 gered by sending a SIGHUP to the radsecproxy process. This op‐
739 tion may be set to zero to disable caching.
740
741 CipherList ciphers
742 Specify the list of accepted ciphers. See openssl-ciphers(1).
743
744 CipherSuites ciphersuites
745 Specify the ciphersuites to be used for TLS1.3. See openssl-ci‐
746 phers(1).
747 Note this requires OpenSSL 1.1.1
748
749 TlsVersion ( version | minversion:maxversion )
750 DtlsVersion ( version | minversion:maxversion )
751 Specify the TLS/DTLS protocol version to be used.
752 Specify the range of allowed protocol versions between minver‐
753 sion and maxversion (inclusive). If either is left out, any ver‐
754 sion up to, or starting from this version is allowed. E.g.
755 "TLS1_2:" will allow TLSv1.2 or later. If omitted, use the sys‐
756 tem defaults set in openssl.conf
757 Currently supported values are SSL3,TLS1,TLS1_1,TLS1_2,TLS1_3
758 for TLS and DTLS1,DTLS1_1,DTLS1_2 for DTLS.
759
760 DhFile file
761 DH parameter file to use. See openssl-dhparam(1)
762 Note: starting with OpenSSL 3.0, use of custom DH parameters is
763 discouraged.
764
765
767 rewrite name {
768 ...
769 }
770
771 The rewrite block specifies rules that may rewrite RADIUS messages. It
772 can be used to add, remove and modify specific attributes from messages
773 received from and sent to clients and servers. As discussed in the
774 client and server block descriptions, a client or server block may ref‐
775 erence a particular rewrite block by name. There are however also the
776 special rewrite block names default, defaultClient and defaultServer
777 which are used as defaults if the client or server block does not ref‐
778 erence a block. Also note that a rewrite block must be defined before
779 the client or server block that would use it. If you want the same re‐
780 write rules for input from all clients and servers, you need just a
781 single rewrite block named default, and the client and servers need not
782 refer to it. If you want all clients to use one config, and all servers
783 to use another, then you would be fine only defining two rewrite blocks
784 named defaultClient and defaultServer. Note that these defaults are
785 only used for rewrite on input. No rewriting is done on output unless
786 explicitly specified using the RewriteOut option.
787
788 The rewrite actions are performed in this sequence:
789 1. RemoveAttribute (or WhitelistAttribute)
790 2. ModifyAttribute
791 3. SupplementAttribute
792 4. AddAttribute
793
794 All options can be specified multiple times. The allowed options in a
795 rewrite block are:
796
797 AddAttribute attribute:value
798 Add an attribute to the radius message and set it to value. The
799 attribute must be specified using the numerical attribute id.
800 The value can either be numerical, a string, or a hex value. If
801 the value starts with a number, it is interpreted as a 32bit un‐
802 signed integer. Use the ' character at the start of the value
803 to force string interpretation. When using hex value, it is rec‐
804 ommended to also lead with ' to avoid unintended numeric inter‐
805 pretation. See the CONFIGURATION SYNTAX section for further de‐
806 tails.
807
808 AddVendorAttribute vendor:subattribute:value
809 Add a vendor attribute to the radius message, specified by ven‐
810 dor and subattribute. Both vendor and subattribute must be spec‐
811 ified as numerical values. The format of value is the same as
812 for addAttribute above.
813
814 SupplementAttribute attribute:value
815 Add an attribute to the radius message and set it to value, only
816 if the attribute is not yet present on the message. The format
817 of value is the same as for addAttribute above.
818
819 SupplementVendorAttribute vendor:subattribute:value
820 Add a vendor attribute to the radius message only if the subat‐
821 tribute of this vendor is not yet present on the message. The
822 format of is the same as for addVendorAttribute above.
823
824 ModifyAttribute attribute:/regex/replace/
825 Modify the given attribute using the regex replace pattern. As
826 above, attribute must be specified by a numerical value. Example
827 usage:
828
829 modifyAttribute 1:/^(.*)@local$/\1@example.com/
830
831 ModifyVendorAttribute vendor:subattribute:/regex/replace/
832 Modify the given subattribute of given vendor using the regex
833 replace pattern. Other than the added vendor, the same syntax
834 as for ModifyAttribute applies.
835
836 RemoveAttribute attribute
837 Remove all attributes with the given id.
838
839 RemoveVendorAttribute vendor[:subattribute]
840 Remove all vendor attributes that match the given vendor and
841 subattribute. If the subattribute is omitted, all attributes
842 with the given vendor id are removed.
843
844 WhitelistMode (on|off)
845 Enable whitelist mode. All attributes except those configured
846 with WhitelistAttribute or WhitelistVendorAttribute will be re‐
847 moved. While whitelist mode is active, RemoveAttribute and Re‐
848 moveVendorAttribute statements are ignored.
849
850 WhitelistAttribute attribute
851 Do not remove attributes with the given id when WhitelistMode is
852 on. Ignored otherwise.
853
854 WhitelistVendorAttribute vendor[:subattribute]
855 Do not remove vendor attributes that match the given vendor and
856 subattribute when WhitelistMode is on. Ignored otherwise.
857
858 If the subattribute is omitted, the complete vendor attribute is
859 whitelisted. Otherwise only the specified subattribute is kept
860 but all other subattributes are removed.
861
862
864 radsecproxy(8)
865
866
867
868radsecproxy 1.10.0 2023-05-26 radsecproxy.conf(5)