
/etc/freeradius/3.0/sites-available/abfab-tls is in freeradius-config 3.0.16+dfsg-1ubuntu3.

#
#	Example configuration for ABFAB listening on TLS.
#
#	$Id: 5dbe143da6f170505fa1b0e1c4282ebe60b139bb $
#
listen {
	#  RADIUS over TLS (RadSec) listener: all local addresses, port 2083,
	#  authentication packets carried over TCP.
	ipaddr = *
	port = 2083
	type = auth
	proto = tcp

	tls {
		#  Placeholder passphrase for private_key_file.  Replace it with
		#  the real passphrase (or drop it if the key is unencrypted).
		#  The packaged file is installed world-readable, so a real secret
		#  here is visible to every local user.
		private_key_password = whatever

		# Moonshot tends to distribute certs separate from keys
		#  The "snakeoil" key and certificate are the distribution's
		#  self-signed placeholders; install the server's real key and
		#  certificate before exposing this listener.
		private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
		certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
		#  Trust anchors used to validate the client certificates demanded
		#  by require_client_cert below.  NOTE(review): the system bundle
		#  trusts every public CA, so any holder of a publicly issued
		#  certificate presumably passes chain validation unless verify{}
		#  or policy narrows it further -- confirm this is intended.
		ca_file = /etc/ssl/certs/ca-certificates.crt
		dh_file = ${certdir}/dh
		fragment_size = 8192
		ca_path = ${cadir}
		#  OpenSSL cipher string; "DEFAULT" accepts whatever the linked
		#  OpenSSL build enables.  Tighten to the site's policy.
		cipher_list = "DEFAULT"

		#  TLS session cache is off; lifetime and name only take effect
		#  once enable is switched to yes.  persist_dir stays commented out.
		cache {
			enable = no
			lifetime = 24 # hours
			name = "abfab-tls"
#			persist_dir = ${logdir}/abfab-tls
		}

		#  Every peer must present a certificate.  The verify{} section is
		#  empty, so nothing beyond chain validation against ca_file /
		#  ca_path is checked here; the 0.0.0.0/0 client stanza in
		#  "clients radsec-abfab" therefore relies entirely on that CA trust.
		require_client_cert = yes
		verify {
		}

		#  TLS-PSK lookup: the identity offered by the client is expanded
		#  into an SQL query run through the psksql module instance.
		#  NOTE(review): the identity is client-supplied text interpolated
		#  into SQL; confirm the psksql instance's escaping of xlat
		#  expansions covers this query.
		psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
	}

	#  Requests accepted on this listener are handed to the abfab-idp
	#  virtual server.
	virtual_server = abfab-idp

	#  Client definitions for this listener come from the
	#  "clients radsec-abfab" section later in this file.
	clients = radsec-abfab
}

clients radsec-abfab {
	#
	#  Allow all clients, but require TLS.
	#  This client stanza will match other RP proxies from other
	#  realms  established via the trustrouter.  In general
	#  additional client stanzas are also required for local services.
	#
	#  Any IPv4 source matches, and proto = tls means no shared secret
	#  gates access: the TLS client-certificate validation configured on
	#  the listener is the only thing authenticating these peers.
	#  NOTE(review): 0.0.0.0/0 presumably covers IPv4 only; an IPv6
	#  listener would need its own client entry -- verify.
        client default {
	        ipaddr = 0.0.0.0/0
		proto = tls
	}

	#  An example local service
	#  client service_1 {
	#  	ipaddr = 192.0.2.20
	#  	#  You should either set gss_acceptor_host_name below
	#  	#  or set up policy to confirm that a client claims
	#  	#  the right acceptor hostname when using ABFAB.  If
	#  	#  set, the RADIUS server will confirm that all
	#  	#  requests have this value for the acceptor host name
	#  	gss_acceptor_host_name = "server.example.com"
	#  	#  If set, this acceptor realm name will be included.
	#  	#  Foreign realms will typically reject a request if this is not
	#  	#  properly set.
	#  	gss_acceptor_realm_name = "example.com"
	#  	#  Additionally, trust_router_coi can be set; if set
	#  	#  it will override the default_community in the realm
	#  	#  module
	#  	# trust_router_coi =  "community1.example.net"
	#  	#  In production deployments it is important to set
	#  	#  up certificate verification so that even if
	#  	#  clients spoof IP addresses, one client cannot
	#  	#  impersonate another.
	#  }

}