1radsecproxy.conf(5) radsecproxy.conf(5)
2
6 radsecproxy.conf - Radsec proxy configuration file
7
10 When the proxy server starts, it will first check the command line ar‐
11 guments, and then read the configuration file. Normally radsecproxy
12 will read the configuration file /etc/radsecproxy.conf. The command
13 line -c option can be used to instead read an alternate file (see rad‐
14 secproxy(8) for details).
15 If the configuration file can not be found, the proxy will exit with an
17 error message. Note that there is also an include facility so that any
18 configuration file may include other configuration files. The proxy
19 will also exit on configuration errors.
20
23 When the configuration file is processed, whitespace (spaces and tabs)
24 are generally ignored. For each line, leading and trailing whitespace
25 are ignored. A line is ignored if it is empty, only consists of white‐
26 space, or if the first non-whitespace character is a #. The configura‐
27 tion is generally case insensitive, but in some cases the option values
28 (see below) are not.
29 There are two types of configuration structures than can be used. The
31 first and simplest are lines on the format option value. That is, an
32 option name, see below for a list of valid options, followed by white‐
33 space (at least one space or tab character), followed by a value. Note
34 that if the value contains whitespace, then it must be quoted using ""
35 or ''. Any whitespace in front of the option or after the value will be
36 ignored.
37 The other type of structure is a block. A block spans at least two
39 lines, and has the format:
40 blocktype name {
42 option value
43 option value
44 ...
45 }
46 That is, some blocktype, see below for a list of the different block
49 types, and then enclosed in braces you have zero or more lines that
50 each have the previously described option value format. Different block
51 types have different rules for which options can be specified, they are
52 listed below. The rules regarding white space, comments and quotes are
53 as above. Hence you may do things like:
54 blocktype name {
56 # option value
57 option "value with space"
58 ...
59 }
60 Option value characters can also be written in hex for options requir‐
63 ing a string type value. This is done by writing the character % fol‐
64 lowed by two hexadecimal digits. If a % is used without two following
65 hexadecimal digits, the % and the following characters are used as
66 written. If you want to write a % and not use this decoding, you may of
67 course write % in hex; i.e., %25. As %00 would terminate a string, this
68 value is not converted in most cases, except when used with rewrite
69 statements or secrets.
70 Some options allow or require the use of regular expressions, denoted
72 as regex. The POSIX extended RE system is used, see re_format(7).
73 There is one special option that can be used both as a basic option and
75 inside all blocks. That is the option Include where the value specifies
76 files to be included. The value can be a single file, or it can use
77 normal shell globbing to specify multiple files, e.g.:
78 include /etc/radsecproxy.conf.d/*.conf
80 The files are sorted alphabetically. Included files are read in the or‐
82 der they are specified, when reaching the end of a file, the next file
83 is read. When reaching the end of the last included file, the proxy re‐
84 turns to read the next line following the Include option. Included
85 files may again include other files.
86
89 The following basic options may be specified in the configuration file.
90 Note that blocktypes and options inside blocks are discussed later.
91 Note that none of these options are required, and indeed in many cases
92 they are not needed. Note that you should specify each at most once.
93 The behaviour with multiple occurrences is undefined.
94 PidFile file
96 The PidFile option specifies the name of a file to which the
97 process id (PID) will be written. This is overridden by the -i
98 command line option. There is no default value for the PidFile
99 option.
100 LogLevel 1-5
102 This option specifies the debug level. It must be set to 1, 2,
103 3, 4 or 5, where 1 logs only serious errors, and 5 logs every‐
104 thing. The default is 2 which logs errors, warnings and a few
105 informational messages. Note that the command line option -d
106 overrides this.
107 LogDestination (file|syslog)
109 This specifies where the log messages should go. By default the
110 messages go to syslog with facility LOG_DAEMON. Using this op‐
111 tion you can specify another syslog facility, or you may specify
112 that logging should be to a particular file, not using syslog.
113 The value must be either a file URL like
114 file:///path/to/your/logfile.log or a syslog URL using the syn‐
115 tax: x-syslog:///FACILITY where FACILITY must be one of LOG_DAE‐
116 MON, LOG_MAIL, LOG_USER, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2,
117 LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6or LOG_LOCAL7.
118 You may omit the facility from the URL to specify logging to the
119 default facility, but this is not very useful since this is the
120 default log destination. Note that this option is ignored if -f
121 is specified on the command line.
122 LogThreadId (on|off)
124 This can be set to on to include the thread-id in the log mes‐
125 sages (useful for debugging).
126 LogFullUsername (on|off)
129 This can be set to off to only log the realm in Access-Ac‐
130 cept/Reject log messages (for privacy).
131 LogMAC opt
133 The LogMAC option can be used to control if and how Calling-Sta‐
134 tion-Id (the users Ethernet MAC address) is being logged. It can
135 be set to one of Static, Original, VendorHashed, VendorKey‐
136 Hashed, FullyHashed or FullyKeyHashed. The default value for
137 LogMAC is Original.
138 See radsecproxy.conf-example for details.
140 LogKey key
142 The LogKey option is used to specify the key to use when produc‐
143 ing HMAC's as an effect of specifying VendorKeyHashed or Ful‐
144 lyKeyHashed for the LogMAC option.
145 FTicksReporting fticks
147 The FTicksReporting option is used to enable F-Ticks logging and
148 can be set to None, Basic or Full. Its default value is None.
149 If FTicksReporting is set to anything other than None, note that
150 the default value for FTicksMAC needs FTicksKey to be set.
151 See radsecproxy.conf-example for details.
153 FTicksMAC opt
155 The FTicksMAC option has the same function as LogMAC for FTicks.
156 The default for FTicksMAC is VendorKeyHashed which needs
157 FTicksKey to be set.
158 Before choosing any of Original, FullyHashed or VendorHashed,
160 consider the implications for user privacy when MAC addresses
161 are collected. How will the logs be stored, transferred and ac‐
162 cessed?
163 FTicksKey key
165 The FTicksKey option has the same function as LogKey for Fticks.
166 FTicksSyslogFacility syslog
168 The FTicksSyslogFacility option is used to specify a dedicated
169 syslog facility for F-Ticks messages. This allows for easier
170 filtering of F-Ticks messages. If no FTicksSyslogFacility option
171 is given, F-Ticks messages are written to what the LogDestina‐
172 tion option specifies.
173 F-Ticks messages are always logged using the log level LOG_DE‐
175 BUG. Note that specifying a file in FTicksSyslogFacility (using
176 the file:/// prefix) is not supported.
177 FTicksPrefix prefix
179 The FTicksPrefix option is used to set the prefix printed in F-
180 Ticks messages. This allows for use of F-Ticks messages in non-
181 eduroam environments. If no FTicksPrefix option is given, it
182 defaults to the prefix used for eduroam (F-TICKS/eduroam/1.0).
183 ListenUDP (address|*)[:port]
186 ListenTCP (address|*)[:port]
187 ListenTLS (address|*)[:port]
188 ListenDTLS (address|*)[:port]
189 Listen for the address and port for the respective protocol.
190 Normally the proxy will listen to the standard ports if config‐
191 ured to handle clients with the respective protocol. The default
192 ports are 1812 for UDP and TCP and 2083 for TLS and DTLS. On
193 most systems it will do this for all of the system's IP ad‐
194 dresses (both IPv4 and IPv6). On some systems however, it may
195 respond to only IPv4 or only IPv6. To specify an alternate port
196 you may use a value on the form *:port where port is any valid
197 port number. If you also want to specify a specific address you
198 can do e.g. 192.168.1.1:1812 or [2001:db8::1]:1812. The port
199 may be omitted if you want the default one. Note that you must
200 use brackets around the IPv6 address. These options may be spec‐
201 ified multiple times to listen to multiple addresses and/or
202 ports for each protocol.
203 SourceUDP (address|*)[:port]
205 SourceTCP (address|*)[:port]
206 SourceTLS (address|*)[:port]
207 SourceDTLS (address|*)[:port]
208 This can be used to specify source address and/or source port
209 that the proxy will use for connecting to clients to send mes‐
210 sages (e.g. Access Request). The same syntax as for Listen...
211 applies.
212 TTLAttribute (attr|vendor:attr)
214 This can be used to change the default TTL attribute. Only
215 change this if you know what you are doing. The syntax is either
216 a numerical value denoting the TTL attribute, or two numerical
217 values separated by column specifying a vendor attribute.
218 AddTTL 1-255
220 If a TTL attribute is present, the proxy will decrement the
221 value and discard the message if zero. Normally the proxy does
222 nothing if no TTL attribute is present. If you use the AddTTL
223 option with a value 1-255, the proxy will, when forwarding a
224 message with no TTL attribute, add one with the specified value.
225 Note that this option can also be specified for a client/server
226 which will override this setting when forwarding a message to
227 that client/server.
228 LoopPrevention (on|off)
230 When this is enabled (on), a request will never be sent to a
231 server named the same as the client it was received from. I.e.,
232 the names of the client block and the server block are compared.
233 Note that this only gives limited protection against loops. It
234 can be used as a basic option and inside server blocks where it
235 overrides the basic setting.
236 IPv4Only (on|off)
238 IPv6Only (on|off)
239 Enabling IPv4Only or IPv6Only (on) makes radsecproxy resolve DNS
240 names to the corresponding address family only, and not the
241 other. This is done for both clients and servers. At most one of
242 IPv4Only and IPv6Only can be enabled. Note that this can be
243 overridden in client and server blocks, see below.
244 Include file
246 This is not a normal configuration option; it can be specified
247 multiple times. It can both be used as a basic option and in‐
248 side blocks. For the full description, see the configuration
249 syntax section above.
250
253 There are five types of blocks, they are client, server, realm, tls and
254 rewrite. At least one instance of each of client and realm is required
255 for the proxy to do anything useful, and it will exit if none are con‐
256 figured. The tls block is required if at least one TLS/DTLS client or
257 server is configured. Note that there can be multiple blocks for each
258 type. For each type, the block names should be unique. The behaviour
259 with multiple occurrences of the same name for the same block type is
260 undefined. Also note that some block option values may reference a
261 block by name, in which case the block name must be previously defined.
262 Hence the order of the blocks may be significant.
263
266 client (name|fqdn|(address[/length])) {
267 ...
268 }
269 The client block is used to configure a client. That is, tell the proxy
271 about a client, and what parameters should be used for that client. The
272 name of the client block must (with one exception, see below) be either
273 the IP address (IPv4 or IPv6) of the client, an IP prefix (IPv4 or
274 IPv6) on the form IpAddress/PrefixLength, or a domain name (FQDN). The
275 way an FQDN is resolved into an IP address may be influenced by the use
276 of the IPv4Only and IPv6Only options. Note that literal IPv6 addresses
277 must be enclosed in brackets.
278 If a domain name is specified, then this will be resolved immediately
280 to all the addresses associated with the name, and the proxy will not
281 care about any possible DNS changes that might occur later. Hence there
282 is no dependency on DNS after startup. However, if the name can not be
283 resolved, startup will fail.
284 When some client later sends a request to the proxy, the proxy will
286 look at the IP address the request comes from, and then go through all
287 the addresses of each of the configured clients (in the order they are
288 defined), to determine which (if any) of the clients this is. When us‐
289 ing the IpAddress/PrefixLength form, this might mask clients defined
290 later, which then will never be matched.
291 In the case of TLS/DTLS, the name of the client must match the FQDN or
293 IP address in the client certificate (CN or SubectAltName:DNS or Sub‐
294 jectAltName:IP respectively). Note that this is not required when the
295 client name is an IP prefix. If overlapping clients are defined (see
296 section above), they will be searched for matching MatchCertificateAt‐
297 tribute, but they must reference the same tls block.
298 The allowed options in a client block are:
300 Host (fqdn|(address[/length]))
302 Alternatively of specifying the FQDN or address in the block
303 name, the host option may be used. In that case, the value of
304 the host option is used as described above, while the name of
305 the block is only used as a descriptive name for the administra‐
306 tor. The host option may be used multiple times, and can be a
307 mix of addresses, FQDNs and prefixes.
308 IPv4Only (on|off)
310 IPv6Only (on|off)
311 Enabling IPv4Only or IPv6Only (on) makes radsecproxy resolve DNS
312 names to the corresponding address family only, and not the
313 other. At most one of IPv4Only and IPv6Only can be enabled. Note
314 that this will override the global option for this client.
315 Type type
317 Specify the type (protocol) of the client. Available options are
318 UDP, TCP, TLS and DTLS.
319 Secret secret
321 Use secret as the shared RADIUS key with this client. If the se‐
322 cret contains whitespace, the value must be quoted. This option
323 is optional for TLS/DTLS and if omitted will default to "rad‐
324 sec". (Note that using a secret other than "radsec" for TLS is a
325 violation of the standard (RFC 6614) and that the proposed stan‐
326 dard for DTLS stipulates that the secret must be "radius/dtls".)
327 TLS tls
329 For a TLS/DTLS client you may also specify the tls option. The
330 option value must be the name of a previously defined TLS block.
331 If this option is not specified, the TLS block with the name de‐
332 faultClient or default will be used if defined (in that order).
333 If the specified TLS block name does not exist, or the option is
334 not specified and none of the defaults exist, the proxy will
335 exit with an error.
336 CertificateNameCheck (on|off)
338 For a TLS/DTLS client, disable the default behaviour of matching
339 CN or SubjectAltName against the specified hostname or IP ad‐
340 dress.
341 MatchCertificateAttribute CN:/regexp/
343 MatchCertificateAttribute SubjectAltName:DNS:/regexp/
344 MatchCertificateAttribute SubjectAltName:URI:/regexp/
345 MatchCertificateAttribute SubjectAltName:IP:address
346 MatchCertificateAttribute SubjectAltName:rID:oid
347 MatchCertificateAttribute SubjectAltName:otherName:oid:/regexp/
348 Perform additional validation of certificate attributes. Cur‐
349 rently matching of CN and SubjectAltName types URI, DNS, IP,
350 rID, and otherName is supported. If specified multiple times,
351 all terms must match for the certificate to be considered valid.
352 DuplicateInterval seconds
354 Specify for how many seconds duplicate checking should be done.
355 If a proxy receives a new request within a few seconds of a pre‐
356 vious one, it may be treated the same if from the same client,
357 with the same authenticator etc. The proxy will then ignore the
358 new request (if it is still processing the previous one), or re‐
359 turned a copy of the previous reply.
360 AddTTL 1-255
362 The AddTTL option has the same meaning as the option used in the
363 basic config. See the BASIC OPTIONS section for details. Any
364 value configured here overrides the basic one when sending mes‐
365 sages to this client.
366 TCPKeepalive (on|off)
368 Enable TCP keepalive (default is off). If keepalives are not an‐
369 swered within 30s the connection is considered lost.
370 FticksVISCOUNTRY cc
372 Sets this client to be eligible to F-Ticks logging as defined by
373 the FTicksReporting basic option, and specifies the country to
374 be reported. The country should be specified by the two-letter
375 country code.
376 FticksVISINST institution
378 Set the institution to report in F-Ticks logging. If this option
379 is omitted, the name of the client block is used.
380 Rewrite rewrite
382 This option is deprecated. Use rewriteIn instead.
383 RewriteIn rewrite
385 RewriteOut rewrite
386 Apply the operations in the specified rewrite block on incoming
387 (request) or outgoing (response) messages from this client.
388 Rewriting incoming messages is done before, outgoing after other
389 processing. If the RewriteIn is not configured, the rewrite
390 blocks defaultClient or default will be applied if defined. No
391 default blocks are applied for RewriteOut.
392 RewriteAttribute User-Name:/regex/replace/
394 Rewrite the User-Name attribute in a client request for the re‐
395 quest forwarded by the proxy. The User-Name attribute is written
396 back to the original value if a matching response is later sent
397 back to the client. Example usage:
398 RewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
400
404 server (name|((fqdn|address)[:port])) {
405 ...
406 }
407 The server block is used to configure a server. That is, tell the proxy
409 about a server, and what parameters should be used when communicating
410 with that server. The name of the server block must (with one excep‐
411 tion, see below) be either the IP address (IPv4 or IPv6) of the server,
412 or a domain name (FQDN). If a domain name is specified, then this will
413 be resolved immediately to all the addresses associated with the name,
414 and the proxy will not care about any possible DNS changes that might
415 occur later. Hence there is no dependency on DNS after startup. If the
416 domain name resolves to multiple addresses, then for UDP/DTLS the first
417 address is used. For TCP/TLS, the proxy will loop through the addresses
418 until it can connect to one of them. The way an FQDN is resolved into
419 an IP address may be influenced by the use of the IPv4Only and IPv6Only
420 options.
421 In the case of TLS/DTLS, the name of the server must match the FQDN or
423 IP address in the server certificate.
424 Note that the fqdn or address may include a port number (separated with
426 a column). This port number will then override the default port or a
427 port option in the server block. Also note that literal IPv6 addresses
428 must be enclosed in brackets.
429 The allowed options in a server block are:
431 Host (fqdn|address)[:port]
433 Alternatively of specifying the FQDN or address in the block
434 name the host option may be used. In that case, the value of the
435 host option is used as described above, while the name of the
436 block is only used as a descriptive name for the administrator.
437 Note that multiple host options may be used. This will then be
438 treated as multiple names/addresses for the same server. When
439 initiating a TCP/TLS connection, all addresses of all names may
440 be attempted, but there is no failover between the different
441 host values. For failover use separate server blocks.
442 Port port
444 Specify the port (UDP/TCP) to connect to. If omitted, UDP and
445 TCP will default to 1812 while TLS and DTLS will default to
446 2083.
447 Source (address|*)[:port]
449 Specify the source address and/or port to use for this server.
450 See Source... options above.
451 DynamicLookupCommand command
453 Execute the command to dynamically configure a server. The exe‐
454 cutable file should be given with full path and will be invoked
455 with the name of the realm as its first and only argument. It
456 should either print a valid server {...} option on stdout and
457 exit with a code of 0 or print nothing and exit with a non-zero
458 exit code.
459 If the command exited with 0 an provided a valid server config,
461 it will be combined with the statements in this server block,
462 with the values returned by the command taking preference.
463 An example of a shell script resolving the DNS NAPTR records for
465 the realm and then the SRV records for each NAPTR matching 'x-
466 eduroam:radius.tls' is provided in tools/naptr-eduroam.sh.
467 StatusServer (on|off|minimal|auto)
469 Enable the use of status-server messages for this server (de‐
470 fault off). If statusserver is enabled (on), the proxy will
471 send regular status-server messages to the server to verify that
472 it is alive. Status tracking of the server will solely depend on
473 status-server message and ignore lost requests. This should only
474 be enabled if the server supports it. With the option minimal
475 status-server messages are only sent when regular requests have
476 been lost and no other replies have been received.
477 The option auto tries to detect whether the other server sup‐
479 ports status-server. If so, status-server messages are enabled
480 in minimal mode.
481 RetryCount count
483 Set how many times the proxy should retry sending a request to
484 the server. Default is 2 retries. Please note that Radius re‐
485 tries are normally done by the NAS.
486 RetryInterfval interval
488 Set the interval between each retry. Default is 5s.
489 Rewrite rewrite
491 This option is deprecated. Use rewriteIn instead.
492 RewriteOut rewrite
494 RewriteIn rewrite
495 Apply the operations in the specified rewrite block on outgoing
496 (request) or incoming (response) messages to/from this server.
497 Rewriting outgoing messages is done after, incoming before other
498 processing. If the RewriteIn is not configured, the rewrite
499 blocks defaultServer or default will be applied if defined. No
500 default blocks are applied for RewriteOut.
501 LoopPrevention (on|off)
503 This overrides the global LoopPrevention option for this server.
504 See section BASIC OPTIONS for details on this option.
505 BlockingStartup (on|off)
507 Start the dynamic server in blocking mode (default off), treat‐
508 ing it as if it was already connected and enqueue requests to
509 this server. Queued requests will be sent out when the connec‐
510 tion is established. If however the dynamic lookup or the con‐
511 nection fails, the queued requests will be lost. (This is only
512 considered for dynamic lookup servers. Ie when DynamicLookupCom‐
513 mand is specified) Warning: when the dynamic lookup and connec‐
514 tion process is slow, this wil block the respective realm for
515 that time.
516 The meaning and syntax of the following options are exactly the same as
518 for the client block. The details are not repeated here. Please refer
519 to the definitions in the CLIENT BLOCK section.
520 IPv4Only (on|off)
522 IPv6Only (on|off)
523 Type type
524 Secret secret
525 TLS tls
526 CertificateNameCheck (on|off)
527 MatchCertificateAttribute ...
528 AddTTL 1-255
529 TCPKeepalive (on|off)
530
534 realm (*|realm|/regex/) {
535 ...
536 }
537 When the proxy receives an Access-Request it needs to figure out to
539 which server it should be forwarded. This is done by looking at the
540 Username attribute in the request, and matching that against the names
541 of the defined realm blocks. The proxy will match against the blocks in
542 the order they are specified, using the first match if any. If no realm
543 matches, the proxy will simply ignore the request. Each realm block
544 specifies what the server should do when a match is found.
545 The allowed options in a realm block are:
547 Server server
549 AccountingServer server
550 Specify the server to which requests for this realm should be
551 forwarded. server references a previously defined server block
552 (see the SERVER BLOCK section). Each server and accountingServer
553 can be specified multiple times, or omitted completely. If no
554 server is configured, the proxy will deny all Access-Requests
555 for this realm. If no accountingServer is configured, the proxy
556 will silently ignore all Accounting-Requests for this realm. See
557 the SERVER SELECTION section below for details.
558 AccountingResponse (on|off)
560 Enable sending Accounting-Response instead of ignoring Account‐
561 ing-Requests when no accoutingServer are configured.
562 ReplyMessage message
564 Specify a message to be sent back to the client if a Access-Re‐
565 quest is denied because no server are configured.
566 REALM BLOCK NAMES AND MATCHING
569 In the general case the proxy will look for a @ in the username attri‐
570 bute, and try to do an exact, case insensitive match between what comes
571 after the @ and the name of the realm block. So if you get a request
572 with the attribute value anonymous@example.com, the proxy will go
573 through the realm names in the order they are specified, looking for a
574 realm block named example.com.
575 There are two exceptions to this, one is the realm name * which means
577 match everything. Hence if you have a realm block named *, then it will
578 always match. This should then be the last realm block defined, since
579 any blocks after this would never be checked. This is useful for having
580 a default.
581 The other exception is regular expression matching. If the realm name
583 starts with a /, the name is treated as an regular expression. A case
584 insensitive regexp match will then be done using this regexp on the
585 value of the entire Username attribute. Optionally you may also have a
586 trailing / after the regexp. So as an example, if you want to use reg‐
587 exp matching the domain example.com you could have a realm block named
588 /@example\.com$/. If you want to match all domains under the .com top
589 domain, you could do /@.*\.com$/. Note that since the matching is done
590 on the entire attribute value, you can also use rules like
591 /^[a-k].*@example\.com$/ to get some of the users in this domain to use
592 one server, while other users could be matched by another realm block
593 and use another server.
594 SERVER SELECTION
597 Normally requests will be forwarded to the first server option defined.
598 If there are multiple server options, the proxy will do fail-over and
599 use the second server if the first is down. If the two first are down,
600 it will try the third etc. If the first server comes back up, it will
601 go back to using that one. Detection of servers being up or down is
602 based on the use of StatusServer (if enabled), and that TCP/TLS/DTLS
603 connections are up. Otherwise unanswered requests are used to detect
604 unresponsive servers. AccountingServers are treated the same, but inde‐
605 pendently of the other servers.
606 If there is no Server option, the proxy will if ReplyMessage is speci‐
608 fied, reply back to the client with an Access Reject message. The mes‐
609 sage contains a replyMessage attribute with the value as specified by
610 the ReplyMessage option. Note that this is different from having no
611 match since then the request is simply ignored. This can be used to
612 catch all undefined sub-domains or even all undefined realms by config‐
613 uring either a regex match like /@.*\.example\.com/ or the realm * with
614 no server option. Another use-case is to block a specific pattern in
615 the username or realm part using a regex.
616 If there is no AccountingServer option, the proxy will normally do
618 nothing, ignoring accounting requests. If instead AccountingResponse is
619 set to on, the proxy will log some of the accounting information and
620 send an Accounting-Response back. This stops clients from retransmit‐
621 ting Accounting-Request messages when a realm has no accountingServer
622 configured.
623
626 tls name {
627 ...
628 }
629 The TLS block specifies TLS configuration options and you need at least
631 one of these if you have clients or servers using TLS/DTLS. As dis‐
632 cussed in the client and server block descriptions, a client or server
633 block may reference a particular TLS block by name. There are also how‐
634 ever the special TLS block names default, defaultClient and default‐
635 Server which are used as defaults if the client or server block does
636 not reference a TLS block. Also note that a TLS block must be defined
637 before the client or server block that would use it. If you want the
638 same TLS configuration for all TLS/DTLS clients and servers, you need
639 just a single tls block named default, and the client and servers need
640 not refer to it. If you want all TLS/DTLS clients to use one config,
641 and all TLS/DTLS servers to use another, then you would be fine only
642 defining two TLS blocks named defaultClient and defaultServer. If you
643 want different clients (or different servers) to have different TLS pa‐
644 rameters, then you may need to create other TLS blocks with other
645 names, and reference those from the client or server definitions.
646 As both clients and servers need to present and verify a certificate,
648 both a certificate as well as a CA to verify the peers certificate
649 must be configured.
650 The allowed options in a tls block are:
652 CACertificateFile file
654 The CA certificate file used to verify the peers certificate.
655 CACertificatePath path
657 The path to search for CA or intermediate certificates.
658 CertificateFile file
660 The server certificate this proxy will use. The file may also
661 contain a certificate chain.
662 CertificateKeyFile file
664 The private-key file for the server certificate specified in
665 CACertificateFile.
666 CertificateKeyPassword password
668 The password to decrypt the private-key.
669 PolicyOID oid
671 Require the peers certificate to adhere to the policy specified
672 by oid. When specified multiple times at least one policy must
673 be valid in the peer certificate.
674 CRLCheck (on|off)
676 Enable checking peer certificate against the CRL (default off).
677 Note that radsecproxy does not fetch the CRLs itself. This has
678 to be done separately, e.g. with fetch-crl(8)
679 CacheExpiry seconds
681 Specify how many seconds the CA and CRL information should be
682 cached. By default, the CA and CRL are loaded at startup and
683 cached indefinetely. After the configured time, the CA CRL are
684 re-read. Alternatively, reloading the CA and CRL can be trig‐
685 gered by sending a SIGHUP to the radsecproxy process. This op‐
686 tion may be set to zero to disable caching.
687 CipherList ciphers
689 Specify the list of accepted ciphers. See openssl-ciphers(1).
690 CipherSuites ciphersuites
692 Specify the ciphersuites to be used for TLS1.3. See openssl-ci‐
693 phers(1).
694 Note this requires openssl 1.1.1
695 TlsVersion ( version | minversion:maxversion )
697 DtlsVersion ( version | minversion:maxversion )
698 Specify the TLS/DTLS protocol version to be used.
699 Specify the range of allowed protocol versions between minver‐
700 sion and maxversion (inclusive). If either is left out, any ver‐
701 sion up to, or starting from this version is allowed. E.g.
702 "TLS1_2:" will allow TLSv1.2 or later.
703 Currently supported values are SSL3,TLS1,TLS1_1,TLS1_2,TLS1_3
704 for TLS and DTLS1,DTLS1_1 for DTLS.
705 DhFile file
707 DH parameter file to use. See openssl-dhparam(1)
708
712 rewrite name {
713 ...
714 }
715 The rewrite block specifies rules that may rewrite RADIUS messages. It
717 can be used to add, remove and modify specific attributes from messages
718 received from and sent to clients and servers. As discussed in the
719 client and server block descriptions, a client or server block may ref‐
720 erence a particular rewrite block by name. There are however also the
721 special rewrite block names default, defaultClient and defaultServer
722 which are used as defaults if the client or server block does not ref‐
723 erence a block. Also note that a rewrite block must be defined before
724 the client or server block that would use it. If you want the same re‐
725 write rules for input from all clients and servers, you need just a
726 single rewrite block named default, and the client and servers need not
727 refer to it. If you want all clients to use one config, and all servers
728 to use another, then you would be fine only defining two rewrite blocks
729 named defaultClient and defaultServer. Note that these defaults are
730 only used for rewrite on input. No rewriting is done on output unless
731 explicitly specified using the RewriteOut option.
732 The rewrite actions are performed in this sequence:
734 1. RemoveAttribute (or WhitelistAttribute)
735 2. ModifyAttribute
736 3. SupplementAttribute
737 4. AddAttribute
738 All options can be specified multiple times. The allowed options in a
740 rewrite block are:
741 AddAttribute attribute:value
743 Add an attribute to the radius message and set it to value. The
744 attribute must be specified using the numerical attribute id.
745 The value can either be numerical, a string, or a hex value. If
746 the value starts with a number, it is interpreted as a 32bit un‐
747 signed integer. Use the ' character at the start of the value
748 to force string interpretation. When using hex value, it is rec‐
749 ommended to also lead with ' to avoid unintended numeric inter‐
750 pretation. See the CONFIGURATION SYNTAX section for further de‐
751 tails.
752 AddVendorAttribute vendor:subattribute:value
754 Add a vendor attribute to the radius message, specified by ven‐
755 dor and subattribute. Both vendor and subattribute must be spec‐
756 ified as numerical values. The format of value is the same as
757 for addAttribute above.
758 SupplementAttribute attribute:value
760 Add an attribute to the radius message and set it to value, only
761 if the attribute is not yet present on the message. The format
762 of value is the same as for addAttribute above.
763 SupplementVendorAttribute vendor:subattribute:value
765 Add a vendor attribute to the radius message only if the subat‐
766 tribute of this vendor is not yet present on the message. The
767 format of is the same as for addVendorAttribute above.
768 ModifyAttribute attribute:/regex/replace/
770 Modify the given attribute using the regex replace pattern. As
771 above, attribute must be specified by a numerical value. Example
772 usage:
773 modifyAttribute 1:/^(.*)@local$/\1@example.com/
775 ModifyVendorAttribute vendor:subattribute:/regex/replace/
777 Modify the given subattribute of given vendor using the regex
778 replace pattern. Other than the added vendor, the same syntax
779 as for ModifyAttribute applies.
780 RemoveAttribute attribute
782 Remove all attributes with the given id.
783 RemoveVendorAttribute vendor[:subattribute]
785 Remove all vendor attributes that match the given vendor and
786 subattribute. If the subattribute is omitted, all attributes
787 with the given vendor id are removed.
788 WhitelistMode (on|off)
790 Enable whitelist mode. All attributes except those configured
791 with WhitelistAttribute or WhitelistVendorAttribute will be re‐
792 moved. While whitelist mode is active, RemoveAttribute and Re‐
793 moveVendorAttribute statements are ignored.
794 WhitelistAttribute attribute
796 Do not remove attributes with the given id when WhitelistMode is
797 on. Ignored otherwise.
798 WhitelistVendorAttribute vendor[:subattribute]
800 Do not remove vendor attributes that match the given vendor and
801 subattribute when WhitelistMode is on. Ignored otherwise.
802 If the subattribute is omitted, the complete vendor attribute is
804 whitelisted. Otherwise only the specified subattribute is kept
805 but all other subattributes are removed.
806
809 radsecproxy(8)
810radsecproxy 1.9.0 2021-05-28 radsecproxy.conf(5)