Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Property

Value

authentication.listenport

<Port number>

The port number that the radius server should use for listening to authentication requests. Example is 1812

Default value is 1812

authentication.listenaddress

<IP address>

The address that the radius server should use to listen for authentication requests. Example is 10.10.1.120

No default value

accounting.listenport

<Port number>

The port number that the radius server should use for listening to accounting requests. Example is 1813

Default value is 1813

accounting.listenaddress

<IP address>

The address that the radius server should use to listen for accounting requests. Example is 10.10.1.120

No default value

sockettimeout

<timeout in ms>

The socket timeout while listening for radius packages. This timeout value works on both accounting and authentication sockets

Default value is 3000

duplicatetimer

<time value in ms>

The number of milliseconds that received packages should be stored so they can be checked for duplicate packages

Default value is 30000

duplicatecount

<number of packages>

The number of received packages to store that are checked for duplicate packages.

Default value is 5000

authtype.pap

<authentication plugin ID>

The value of the authentication plugin used to verify pap authentication requests. Example value is 9 (typically user administration authentication plugin) or 43 (Ceptor user administration login providing SMS OTP codes as well)

9 - Ceptor user administration login

authtype.chap

<authentication plugin ID>

Note: CHAP login has not yet been verified with Ceptor.

The value of the authentication plugin used to verify chap authentication requests. Example value is 9 (typically user administration authentication plugin)

9 - Ceptor user administration login

authtype.challenge

<authentication plugin ID>

The value of the authentication plugin used to verify the challenge for two factor logins. An example value could be 43 (SMS OTP using Ceptor user administration server for password validation)

No default value

authentication.challenge

<String>

The challenge text to be shown to the user in the event of a two factor login. This challenge can also be set through the authentication plugin and if it is set from there this value will not be used.

Default value is: "Please enter a valid challenge: "

authentication.twofactor

true / false

Set this value to true if the authentication primary authentication plugin (PAP or CHAP) does not support validating the password but instead can issue a new token through the "newToken" method (for example the google authenticator plugin). The password will then be validated together with the challenge token.

Default value is false

sharedsecret.x

<shared secret for IP addresses>

X is a number between 1 and 512

This value defines a shared secret for a series of IP addresses (those sending the authentication packages). One or more IP addresses can be given per entry. Examples are:

10.1.32.100,10.2.64.100=super123secret
127.0.0.1=another22super33secret

An IP address with the value * can be given, this secret will be used if the sending IP address is not defined. If this is not defined, the package will be ignored!

Secrets can be encrypted using PortalProtect PasswordUtil (see documentation elsewhere). These are then stored here in encoded form, RSA, AES or 3DES form.

No default value

packet.debug

true / false

If set to true all received and send packages will be logged as info logging to the log file.

Default value is false

username.sessionid

<true | false>

Set this value to tell the Radius server to append the PP session ID in the USER field on reply packages of type ACCEPT. This is not supported by all radius clients but those that do support it will in turn either send the session ID back in upcoming accounting requests (allowing for better logging!) or just ignor the field altogether.

Default value is false

clientsessions.maxcount

<number of sessions>

Number of client sessions to store in the radius server. Since radius clients are allowed to present their own "session identifier" to the radius server, these are stored with their corresponding PP sessions ID in the radius server. This defines how many will be stored.

Default value is 100000

clientsessions.timetolive

<Time to live in seconds>

Defines the time to live for client sessions from radius clients. After this time they will be removed if there is not enough space for more client sessions

Default value is 5

clientsessions.forcetimeout

<Force timeout in seconds>

Defines the force timeout for client sessions from radius clients. After this time they will be removed if not heard from

Default value is 30

ppsessions.maxcount

<number of sessions>

Number of pp sessions to store in the radius server which are used for STATE packages send to clients when doing two factor logins. This defines how many will be stored awaiting the second part of the login message from the client

Default value is 100000

ppsessions.timetolive

<Time to live in seconds>

Defines the time to live for pp sessions for STATE packages. After this time they will be removed if there is not enough space for more pp sessions

Default value is 5

ppsessions.forcetimeout

<Force timeout in seconds>

Defines the force timeout for pp sessions for STATE packages. After this time they will be removed if not heard from

Default value is 30

threadpool.size

<number, between 1 and 4096>

Defines number of threads in the threadpool that can handle packages received from clients - this is also the maximum amount of concurrent authentications that can be done at a time.

Default value is 100.

accounting.script

<Script - javascript, python or groovy>

Script code that is run to process a received accounting request package.

authentication.script

<Script - javascript, python or groovy>

Authentication script that is run when an access request package is received from a client - see Ceptor RADIUS Server for more information.

If a script is specified, it overrides the other options for authtype.pap, authtype.challenge etc.

radsec.keystore.name

<Keystore Filename>

Filename for keystore containing SSL server certificate, used for RadSec support.

This can optionally be located in the classpath instead of in a file directly on disk.

radsec.keystore.password

<Keystore password>

Password for keystore - can be encrypted, see Encrypting or Obfuscating Passwords for details.

radsec.keystore.type

<Keystore type - default is JKS>

Type of keystore, e.g. JKS or PKCS12

radsec.listenurl

<Listen URL - should be in format nios://<optional network interface ip>:<port>?key=value&key2=value2&...>

Specifies which port and optional network interface IP to listen on, in addition a number of SSL specific properties can be specified:

  • tlsprotocol
    Name of TLS protocol to use, should normally be TLS which is the default.
  • enabledprotocols
    List of enabled TLS protocols, e.g. TLSv1.2,TLSv1.3
  • enabledciphersuites
    If specified, this lists which cipher suites are enabled - if not specified, the default in the JVM are used.
radsec.needtlsclientauth

<True or false - default is false>

Set to true to require client authentication - if this is set, to true, the value of radsec.wanttlsclientauth  is ignored.

radsec.wanttlsclientauth

<True or false - default is false>

Set to true to request, but not require client authentication.

If both need and want tlsclientauth are set to false, then TLS client certificates will not be requested, if want is set to true, it is up to the client if it wants to provide a certificate or not. Connections without a client certificate will then be accepted, and use the default shared secret for the underlying Radius protocol; "radsec" (without the quotes).

duplicatecheck.session

<True of false - default is false>

If true, access requests that arrive while another is already in progress for the session will be ignored. This allows bypassing the regular duplicate check if you have a setup where e.g. an UDP loadbalancer with NAT enabled does not keep the source port intact, and you have a client that retransmits authentication packages in e.g. seconds step of multifactor authentication which carries a session ID.

logsuppression

<Pattern>


If user IDs match this pattern, successful logs otherwise done are suppressed. This is useful for keeping the log noise down for e.g. successful healthchecks.


Note

In addition to these settings, for RadSec you can specify which CA certificate issuers are trusted as well, see X.509 Certificate Properties for details.

In addition to these regular certificate properties, you specify

ca.provider.<providername>.sharedsecret  and set it to a secret different from the default, which is "radsec" (without the quotes).

...