...
Property | Value |
---|---|
authentication.listenport | <Port number> |
authentication.listenaddress | <IP address> |
accounting.listenport | <Port number> |
accounting.listenaddress | <IP address> |
sockettimeout | <timeout in ms> |
duplicatetimer | <time value in ms> |
duplicatecount | <number of packages> |
authtype.pap | <authentication plugin ID> |
authtype.chap | <authentication plugin ID> Note: CHAP login has not yet been verified with Ceptor. The value of the authentication plugin used to verify chap authentication requests. Example value is 9 (typically user administration authentication plugin) |
authtype.challenge | <authentication plugin ID> |
authentication.challenge | <String> The challenge text to be shown to the user in the event of a two factor login. This challenge can also be set through the authentication plugin and if it is set from there this value will not be used. Default value is: "Please enter a valid challenge: " |
authentication.twofactor | true / false Set this value to true if the authentication primary authentication plugin (PAP or CHAP) does not support validating the password but instead can issue a new token through the "newToken" method (for example the google authenticator plugin). The password will then be validated together with the challenge token. Default value is false |
sharedsecret.x | <shared secret for IP addresses> |
packet.debug | true / false If set to true all received and send packages will be logged as info logging to the log file. Default value is false |
username.sessionid | <true | false> |
clientsessions.maxcount | <number of sessions> |
clientsessions.timetolive | <Time to live in seconds> |
clientsessions.forcetimeout | <Force timeout in seconds> |
ppsessions.maxcount | <number of sessions> |
ppsessions.timetolive | <Time to live in seconds> |
ppsessions.forcetimeout | <Force timeout in seconds> |
threadpool.size | <number, between 1 and 4096> Defines number of threads in the threadpool that can handle packages received from clients - this is also the maximum amount of concurrent authentications that can be done at a time. Default value is 100. |
accounting.script | <Script - javascript, python or groovy> Script code that is run to process a received accounting request package. |
authentication.script | <Script - javascript, python or groovy> Authentication script that is run when an access request package is received from a client - see Ceptor RADIUS Server for more information. If a script is specified, it overrides the other options for authtype.pap, authtype.challenge etc. |
radsec.keystore.name | <Keystore Filename> Filename for keystore containing SSL server certificate, used for RadSec support. This can optionally be located in the classpath instead of in a file directly on disk. |
radsec.keystore.password | <Keystore password> Password for keystore - can be encrypted, see Encrypting or Obfuscating Passwords for details. |
radsec.keystore.type | <Keystore type - default is JKS> Type of keystore, e.g. JKS or PKCS12 |
radsec.listenurl | <Listen URL - should be in format nios://<optional network interface ip>:<port>?key=value&key2=value2&...> Specifies which port and optional network interface IP to listen on, in addition a number of SSL specific properties can be specified:
|
radsec.needtlsclientauth | <True or false - default is false> Set to true to require client authentication - if this is set, to true, the value of |
radsec.wanttlsclientauth | <True or false - default is false> Set to true to request, but not require client authentication. If both need and want tlsclientauth are set to false, then TLS client certificates will not be requested, if want is set to true, it is up to the client if it wants to provide a certificate or not. Connections without a client certificate will then be accepted, and use the default shared secret for the underlying Radius protocol; "radsec" (without the quotes). |
duplicatecheck.session | <True of false - default is false> If true, access requests that arrive while another is already in progress for the session will be ignored. This allows bypassing the regular duplicate check if you have a setup where e.g. an UDP loadbalancer with NAT enabled does not keep the source port intact, and you have a client that retransmits authentication packages in e.g. seconds step of multifactor authentication which carries a session ID. |
logsuppression | <Pattern>
|
Note |
---|
In addition to these settings, for RadSec you can specify which CA certificate issuers are trusted as well, see X.509 Certificate Properties for details. In addition to these regular certificate properties, you specify
|
...