radsecproxy 1.6.2-1ubuntu1 / etc / radsecproxy.conf

This file is indexed.

/etc/radsecproxy.conf is in radsecproxy 1.6.2-1ubuntu1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
# Master config file for radsecproxy

# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Multiple statements can be used for multiple ports/addresses
#ListenUDP		*:1814
#ListenUDP		localhost
#ListenTCP		[2001:700:1:7:215:f2ff:fe35:307d]:1812
#ListenTLS		10.10.10.10:2084
#ListenTLS		[2001:700:1:7:215:f2ff:fe35:307d]:2084
#ListenDTLS		[2001:700:1:7:215:f2ff:fe35:307d]:2084

# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP		127.0.0.1:33000
#SourceTCP		*:33000
#SourceTLS		*:33001
#SourceDTLS		*:33001

# Optional log level. 3 is default, 1 is less, 5 is more
#LogLevel		3
# Optional LogDestination, else stderr used for logging
# Logging to file
#LogDestination		file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination         x-syslog:///
#LogDestination         x-syslog:///log_local2

# For generating log entries conforming to the F-Ticks system, specify
# FTicksReporting with one of the following values.
#   None  -- Do not log in F-Ticks format.  This is the default.
#   Basic -- Do log in F-Ticks format but do not log VISINST.
#   Full  -- Do log in F-Ticks format and do log VISINST.
# Please note that in order to get F-Ticks logging for a given client,
# its matching client configuration block has to contain the
# fticksVISCOUNTRY option.

# You can optionally specify FTicksMAC in order to determine if and
# how Calling-Station-Id (users Ethernet MAC address) is being logged.
#   Static          -- Use a static string as a placeholder for
#                      Calling-Station-Id.
#   Original        -- Log Calling-Station-Id as-is.
#   VendorHashed    -- Keep first three segments as-is, hash the rest.
#   VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key.    This
#   		       is the default.
#   FullyHashed     -- Hash the entire string.
#   FullyKeyHashed  -- Like FullyHashed but salt with F-Ticks-Key.

# In order to use FTicksMAC with one of VendorKeyHashed or
# FullyKeyHashed, specify a key with FTicksKey.
# FTicksKey <key>

# Default F-Ticks configuration:
#FTicksReporting None
#FTicksMAC Static

# You can optionally specify FTicksSyslogFacility to use a dedicated 
# syslog facility for F-Ticks messages. This allows for easier filtering
# of F-Ticks messages.
# F-Ticks messages are always logged using the log level LOG_DEBUG.
# Note that specifying a file (using the file:/// prefix) is not supported.
#FTicksSyslogFacility	log_local1
#FTicksSyslogFacility	x-syslog:///log_local1 

# There is an option for doing some simple loop prevention.  Note that
# the LoopPrevention directive can be used in server blocks too,
# overriding what's set here in the basic settings.
#LoopPrevention		on
# Add TTL attribute with value 20 if not present (prevents endless loops)
#AddTTL 20

# If we have TLS clients or servers we must define at least one tls block.
# You can name them whatever you like and then reference them by name when
# specifying clients or servers later. There are however three special names
# "default", "defaultclient" and "defaultserver". If no name is defined for
# a client, the "defaultclient" block will be used if it exists, if not the
# "default" will be used. For a server, "defaultserver" followed by "default"
# will be checked.
#
# The simplest configuration you can do is:
#tls default {
    # You must specify at least one of CACertificateFile or CACertificatePath
    # for TLS to work. We always verify peer certificate (client and server)
    # CACertificateFile /etc/ssl/certs/ca-certificates.crt
    # CACertificatePath	/etc/ssl/certs

    # You must specify the below for TLS, we always present our certificate
    # CertificateFile	 /etc/ssl/certs/ssl-cert-snakeoil.pem
    # CertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # Optionally specify password if key is encrypted (not very secure)
    # CertificateKeyPassword	"follow the white rabbit"
    #
    # Optionally enable CRL checking
    # CRLCheck on
    # Optionally specify how long CAs and CRLs are cached, default forever
    # CacheExpiry 3600
    #
    # Optionally require that peer certs have one of the specified policyOIDs
    # policyoid     1.2.3 # this option can be used multiple times
    # policyoid     1.3.4
#}

# If you want one cert for all clients and another for all servers, use
# defaultclient and defaultserver instead of default. If we wanted some
# particular server to use something else you could specify a block
# "tls myserver" and then reference that for that server. If you always
# name the tls block in the client/server config you don't need a default

# Now we configure clients, servers and realms. Note that these and
# also the lines above may be in any order, except that a realm
# can only be configured to use a server that is previously configured.

# A realm can be a literal domain name, * which matches all, or a
# regexp. A regexp is specified by the character prefix /
# For regexp we do case insensitive matching of the entire username string.
# The matching of realms is done in the order they are specified, using the
# first match found. Some examples are
# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
# To treat local users separately you might try first specifying "@"
# and after that "*".

# Configure a rewrite block if you want to add/remove/modify attributes
# rewrite example {
#       # Remove NAS-Port.
#	removeAttribute 5
#       # Remove vendor attribute 100.
#	removeVendorAttribute 99:100
#       # Called-Station-Id = "123456"
#	addAttribute 30:123456
#       # Vendor-99-Attr-101 = 0x0f
#       addVendorAttribute 99:101:%0f
#       # Change users @local to @example.com.
#	modifyAttribute 1:/^(.*)@local$/\1@example.com/
# }

# An example client
#client [2001:db8::1] {
#	# type can be one of tcp, udp, tls, dtls
#	type	udp
#	# secret is optional for TLS/DTLS
#	secret	secret
#	# Might do rewriting of incoming messages using rewrite block example
#	rewriteIn example
#	# Can also do rewriting of outgoing messages
#	rewriteOut example	
#	# if also want to use this server for accounting, specify
#	accountingServer 127.0.0.1
#	# statusserver is optional, can be on or off. Off is default
#	StatusServer on
#}

# Equivalent to example.com
#realm /@example\.com$ {
#	server 2001:db8::1
#}

# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message. One can also use
# AccountingResponse option to specify that the proxy should send such.
#realm /\.com$ {
#}
#
#realm /^anonymous$ {
#	replymessage "No Access"
#	AccountingResponse On
#}

# example config for localhost, rejecting all users
client 127.0.0.1 {
	type udp
	secret testing123
}

realm * {
        replymessage "User unknown"
}

APT Browse - Built by Thomas Orozco.