-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathradiator-radsec_outbound_openroaming.conf
307 lines (231 loc) · 8.37 KB
/
radiator-radsec_outbound_openroaming.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
# radiator-radsec_outbound_openroaming.conf
# for outbound RadSec connections for openroaming
#
# Copyright by Radiator Software 2020-2025
# Created: 2022-09-22 [email protected]
# Modified: 2025-01-23 [email protected]
# Radiator directories
DbDir /etc/radiator
LogDir /var/log/radiator
LogFile %L/radiator-%{GlobalVar:instance}.log
# more detailed logging
LogMicroseconds
LogTraceId
Trace 2
# minimal StatusServer messages
StatusServer minimal
# Proxy also unknown attributes
ProxyUnknownAttributes
# Needed only for Radiator <= v4.28, an example how to use custom dictionaries
#DictionaryFile /opt/radiator/radiator/dictionary,/etc/radiator/dictionary.wba
# Dictionary file
DictionaryFile /opt/radiator/radiator/dictionary
# No pidfile is needed when started as a systemd service
PidFile
# Make IPv6 and IPv4 listen sockets completely separate
# Bind only to IPv4 wildcard address
BindV6Only
BindAddress 0.0.0.0
# this instance listens only RADIUS authentication
AuthPort 16450
AcctPort 16460
# authentication log to file
<AuthLog FILE>
Identifier AUTHLOG-FILE
Filename %L/authentication-%{GlobalVar:instance}.log
Include %D/conf.d/authlog-formats.conf
LogSuccess
LogFailure
LogIgnore
</AuthLog>
# accounting log to file
<AcctLog FILE>
Identifier ACCTLOG-FILE
Filename %L/accounting-%{GlobalVar:instance}.log
Include %D/conf.d/acctlog-formats.conf
</AcctLog>
#
# Clients
#
# include loopback clients
Include %D/conf.d/clients-radius-loopback.conf
# Resolver configuration for DNS discovery
<Resolver>
# Local caching nameserver is recommended over
# public DNS server. This is to improve
# latency, reliability and performance as some
# public servers have been observed to sometimes
# to respond with negative response to NAPTR
# requests.
#
# On Ubuntu servers the local DNS resolver is
# usually bound to 127.0.0.53:53-
Nameservers 127.0.0.53
#Debug
# Only one NAPTR-Pattern currently supported (Radiator 4.27)
# for eduroam
# NAPTR-Pattern x-eduroam:(radius)\.(tls)
# for OpenRoaming
#NAPTR-Pattern aaa+auth:(radius)\.(tls)\.(tcp)
NAPTR-Pattern ^aaa\+auth:radius\.tls\.tcp\z
# Do not try the following if NAPTR is not found:
# _radsec._ sctp.<REALM>, _radsec._tcp.<REALM> and
# _radius._udp.<REALM>
DirectAddressLookup 0
# Disable Radiator's own negative DNS cache
NegativeCacheTtl 0
# Local DNS resolver should be usually always available
FailureBackoffTime 0
</Resolver>
<AuthBy DNSROAM>
Identifier AUTHBY-DNSROAM-OPENROAMING
Port 2083
Protocol radsec
Transport tcp
Secret radsec
ReconnectTimeout 1
NoreplyTimeout 5
ConnectOnDemand
TLS_CAPath %D/certificates/%{GlobalVar:instance}/ca/
TLS_CertificateChainFile %D/certificates/%{GlobalVar:instance}/client/CertificateChainFile.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile %D/certificates/%{GlobalVar:instance}/client/PrivateKeyFile.pem
# These TLS settings are left liberal for interoperability.
# They can be hardened, but functionality and interoperability with other
# implementations need to tested in practice.
TLS_SecurityLevel 1
TLS_Protocols TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
# 3gppnetwork.org => pub.3gppnetwork.org conversion
RewriteTargetRealm s/(.+[0-9])\.3gppnetwork\.org\z/$1.pub.3gppnetwork.org/
# If no target server found (or is not responsive?),
# redespatch the request with Identifier added as
# OSC-Environment-Identifier
RedespatchIfNoTarget
# Use this to check certificate CN
# You may need to enable this if there are OpenRoaming
# certificates, which do not have CN as a SubjectAltName
# in the certificate.
#TLS_ExpectedPeerName CN=.*
</AuthBy>
<AuthBy RADSEC>
Identifier AUTHBY-HASHBALANCE-RADSEC-WRIX
Port 2083
# Using HASHBALANCE with RadSec requires this
ProxyAlgorithm HashBalance
Secret radsec
#UseStatusServerForFailureDetect
#KeepaliveTimeout 30
NoreplyTimeout 5
MaxFailedRequests 2
FailureBackoffTime 60
# is this only if none of these respond?
NoReplyReject
#Host wrix1.example.com
#Host wrix2.example.com
# ensure IPv6 address retrieval for name
#Host ipv6:wrix1.example.com
#Host ipv6:wrix2.example.com
TLS_CAPath %D/certificates/%{GlobalVar:instance}/ca/
TLS_CertificateChainFile %D/certificates/%{GlobalVar:instance}/client/CertificateChainFile.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile %D/certificates/%{GlobalVar:instance}/client/PrivateKeyFile.pem
# Adjust and use this if you want to check the PolicyOID
#TLS_PolicyOID 1.3.6.1.4.1.25178.3.1.2
# These TLS settings are left liberal for interoperability.
# They can be hardened, but functionality and interoperability with other
# implementations need to tested in practice.
TLS_SecurityLevel 1
TLS_Protocols TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
# Use this to check certificate CN
# You may need to enable this if there are OpenRoaming
# certificates, which do not have CN as a SubjectAltName
# in the certificate.
#TLS_ExpectedPeerName CN=.*
</AuthBy>
# If DNS discovery fails, RedespatchIfNoTarget sends the request here
<Handler OSC-Environment-Identifier=AUTHBY-DNSROAM-OPENROAMING>
Identifier HANDLER-HASHBALANCE-RADSEC-WRIX
# Acknowledge accounting to client without waiting accounting response from IdP
#AccountingAccepted
# try some static servers such as WRIX service provider etc.
#AuthBy AUTHBY-HASHBALANCE-RADSEC-WRIX
# this rejects by default all those realms, for which DNSROAM
# has not been able to find responding RadSec servers
<AuthBy INTERNAL>
Identifier HANDLER-HASHBALANCE-RADSEC-WRIX-AUTHBY-INTERNAL
AuthResult REJECT
AcctResult ACCEPT
RejectReason HANDLER-HASHBALANCE-RADSEC-WRIX-INTERNAL: Realm is not reachable.
</AuthBy>
RejectHasReason
AuthLog AUTHLOG-FILE
AcctLog ACCTLOG-FILE
# Stripping and adding requests is not important as we reject these
# requests but if the requests are forwarded, you should consider
# enabling these both.
Include %D/conf.d/strip-attributes.conf
# Strip Operator-Name from the outbound request
#StripFromRequest Operator-Name
# Add Operator-Name to the outbound request unless it is already there.
# SUBID is not required but WBA ID is required for OpenRoaming.
#AddToRequestIfNotExist Operator-Name=4SUBID.WBAID
</Handler>
# an example handler to forward a realm to roaming partner without
# performing a DNS discovery, e.g. settled OpenRoaming
#<Handler Realm=wlan.mnc001.mcc001.3gppnetwork.org>
#
# Identifier HANDLER-MNC001.MCC001.3GPPNETWORK.ORG
#
# # Acknowledge accounting in any case
# #AccountingAccepted
#
# # Use specific RadSec AuthBy
# AuthBy AUTHBY-HASHBALANCE-RADSEC-WRIX
#
# AuthLog AUTHLOG-FILE
# AcctLog ACCTLOG-FILE
#
# # Strip listed attributes from the requests and replies
# Include %D/conf.d/strip-attributes.conf
#
# # Strip Operator-Name from the outbound request
# #StripFromRequest Operator-Name
#
# # Add Operator-Name to the outbound request unless it is already there.
# # SUBID is not required but WBA ID is required for OpenRoaming.
# #AddToRequestIfNotExist Operator-Name=4SUBID.WBAID
#
#</Handler>
# Try first to find target server via DNS
<Handler Realm=/.+/>
Identifier HANDLER-DNSROAM-OPENROAMING
AuthBy AUTHBY-DNSROAM-OPENROAMING
AuthLog AUTHLOG-FILE
AcctLog ACCTLOG-FILE
# Stripping and adding requests is not important as we reject these
# requests but if the requests are forwarded, you should consider
# enabling these both.
Include %D/conf.d/strip-attributes.conf
# Strip Operator-Name from the outbound request
#StripFromRequest Operator-Name
# Add Operator-Name to the outbound request unless it is already there.
# SUBID is not required but WBA ID is required for OpenRoaming.
#AddToRequestIfNotExist Operator-Name=4SUBID.WBAID
</Handler>
# Default handler rejects authentication, accepts accounting
<Handler>
Identifier HANDLER-DEFAULT
<AuthBy INTERNAL>
Identifier HANDLER-DEFAULT
AuthResult REJECT
AcctResult ACCEPT
RejectReason HANDLER-DEFAULT: No matching handler found.
</AuthBy>
RejectHasReason
AuthLog AUTHLOG-FILE
AcctLog ACCTLOG-FILE
</Handler>
# There is no need for session database
<SessionDatabase NULL>
Identifier SESSION-DATABASE-NULL
</SessionDatabase>