...

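<!-- RadSec (RADIUS over TLS) listener and client-certificate settings for the radius server.
     All values are sample values: the keystore path, "password", the CA file and the shared
     secret must be replaced for a real deployment. -->
<property name="radsec.keystore.name" value="/ptskeystore" description="Name of keystore containing SSL server cert"/>
<!-- Sample value only: protects the keystore that holds the RadSec server certificate. -->
<property name="radsec.keystore.password" value="password" description="Password to keystore"/>
<property name="radsec.keystore.type" value="JKS" description="Type of keystore containing SSL server cert"/>
<!-- '&' inside an attribute value must be written as '&amp;', otherwise the file is not well-formed XML.
     Only TLSv1.2 and TLSv1.3 are enabled on the listener. -->
<property name="radsec.listenurl" value="nios://0.0.0.0:2023?tlsprotocol=TLS&amp;enabledprotocols=TLSv1.2,TLSv1.3" description="Listen URL for RadSec protocol"/>
<!-- needtlsclientauth=true: a RadSec connection that presents no client certificate is rejected.
     wanttlsclientauth is the optional-certificate variant (per its description); presumably it has no
     effect while needtlsclientauth is true. Confirm. -->
<property name="radsec.needtlsclientauth" value="true" description="True if we should require TLS client certificate"/>
<property name="radsec.wanttlsclientauth" value="false" description="True if we should want TLS client certificate, but not require it"/>
<!-- Trust anchors for client certificates: a pkcs#7 file (per the description) under ${ceptor.home}/config/x509. -->
<property name="ca.certificates" value="${ceptor.home}/config/x509/radiustest.cer" description="pkcs#7 files containing CA certificates"/>
<!-- Both revocation checks are off in this sample, so a revoked client certificate from this issuer is
     still accepted. The description asks for one of CRL or OCSP to be turned on before relying on
     client certificates. -->
<property name="ca.provider.assecotestceptortest.check.crl" value="false" description="Set to true to do CRL checks - be careful to turn on either CRL or OCSP checks"/>
<!-- No description in the sample; OCSP counterpart of check.crl. -->
<property name="ca.provider.assecotestceptortest.check.ocsp" value="false" description=""/>
<property name="ca.provider.assecotestceptortest.class" value="dk.itp.security.authentication.x509.GenericCA" description="implementation class"/>
<!-- Presumably the issuer DN a presented client certificate is matched against. Confirm. -->
<property name="ca.provider.assecotestceptortest.issuerdn" value="C=DK, O=AssecoCeptor, CN=radiustest" description="Certificate DN"/>
<!-- Sample value; the description states the default is "radsec". -->
<property name="ca.provider.assecotestceptortest.sharedsecret" value="radsec" description="Shared secret, default is radsec"/>
<!-- Names the provider whose ca.provider.<name>.* keys appear above. -->
<property name="ca.providers" value="assecotestceptortest" description="list of certificate issuers (providers)"/>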

...


The minimum configuration for using a self-signed certificate is:

<!-- Minimal radsec_ssl settings for a self-signed client certificate: a single provider named
     "selfsigned", with the self-signed certificate file itself as the trust anchor.
     No check.crl / check.ocsp keys are set here, so revocation checking takes the provider's
     default; confirm what that default is before relying on it. -->
<property name="ca.certificates"
          value="${ceptor.home}/config/x509/selfsigned.cer"
          description="Add Certificate to list here"/>
<property name="ca.provider.selfsigned.issuerdn"
          value="C=DK, O=AssecoCeptor, CN=radiustest"
          description="Certificate DN"/>
<property name="ca.providers"
          value="selfsigned"
          description="Add provider name to selfsigned"/>


...

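	<!-- Sample RADIUS server definition. The credentials below ("password", secret1, secret2, radsec)
	     are placeholders and must be replaced for a real deployment. -->
	<server name="radiusserver1" type="radius" description="Radius server" extends="applications">
		<group name="listening" description="Radius server listening configuration">
			<!-- Accounting is bound to loopback only; authentication listens on all interfaces (0.0.0.0). -->
			<property name="accounting.listenaddress" value="127.0.0.1" description="Accounting listening address - empty is default adapter"/>
			<property name="accounting.listenport" value="1813" description="Accounting port"/>
			<property name="authentication.listenaddress" value="0.0.0.0" description="Authentication listening address - empty is default adapter"/>
			<property name="authentication.listenport" value="1812" description="Authentication port"/>
			<!-- Keystore holding the RadSec server certificate; the password is a sample value. -->
			<property name="radsec.keystore.name" value="/ptskeystore" description="Name of keystore containing SSL server cert"/>
			<property name="radsec.keystore.password" value="password" description="Password to keystore"/>
			<property name="radsec.keystore.type" value="JKS" description="Type of keystore containing SSL server cert"/>
			<!-- '&' inside an attribute value must be written as '&amp;', otherwise the file is not well-formed XML.
			     Only TLSv1.2 and TLSv1.3 are enabled on the RadSec listener. -->
			<property name="radsec.listenurl" value="nios://0.0.0.0:2023?tlsprotocol=TLS&amp;enabledprotocols=TLSv1.2,TLSv1.3" description="Listen URL for RadSec protocol"/>
			<!-- needtlsclientauth=true: a RadSec connection without a client certificate is rejected;
			     wanttlsclientauth is the optional-certificate variant (per its description). -->
			<property name="radsec.needtlsclientauth" value="true" description="True if we should require TLS client certificate"/>
			<property name="radsec.wanttlsclientauth" value="false" description="True if we should want TLS client certificate, but not require it"/>
			<!-- The description gives no unit; presumably milliseconds. Confirm. -->
			<property name="sockettimeout" value="3000" description="Listening timeout for authentication and accounting"/>
		</group>
		<group name="other" description="Radius server configuration">
			<!-- Numeric plugin ids, used when authentication.script is not set (see its description). -->
			<property name="authentication.challenge" value="43" description="Challenge authentication plugin if PAP authentication plugin supports two factor logins"/>
			<property name="authentication.pap" value="9" description="PAP authentication plugin (for example UAAuthenticationPlugin)"/>
			<!-- The value is a Groovy script (the %{script:groovy} prefix) that replaces the pap / twofactor / chap
			     plugins. Flow as written: with no session yet, a new session is created keyed on NAS-IP-Address
			     (Calling-Station-Id when that is absent) and logon is attempted with User-Name / User-Password;
			     if the agent throws PTException with ERROR_NEED_OTP the reply becomes an Access-Challenge carrying
			     the session id in STATE plus a Reply-Message prompt, any other PTException is rethrown. When
			     context.session is already set (the second round-trip, presumably restored from STATE) the
			     User-Password holds the OTP and a successful logon yields Access-Accept. The &quot; entities
			     are required because the script lives inside an attribute value. -->
			<property name="authentication.script" value="%{script:groovy}import dk.itp.security.passticket.*;
import dk.itp.security.passticket.server.AuthErrorCodes;
import dk.itp.pp.radius.packet.*;
import dk.itp.pp.radius.attribute.*;

// Change these to match required data
int authenticationType = AuthTypes.AUTHTYPE_GOOGLEAUTH;
String otpPrompt = &quot;Enter OTP displayed in Authenticator: &quot;;

if (context.session) {
    // We have a session, so it must be 2nd call with an OTP
	String userPassword = context.accessRequest.getUserPassword();
	
	def challenge = new Object[1];
	challenge[0] = userPassword;
	
    context.agent.logon(context.session, authenticationType, context.agent.getUser(context.session), challenge);
    context.reply.addAttribute( new StringAttribute( TypeConstants.STATE, context.session) );
    context.reply.setPacketType(TypeConstants.PACKAGE_TYPE_ACCESS_ACCEPT);
} else {
    // Starting from scratch, create a new session and authenticate into it
    
    def sourceIP = context.accessRequest.getAttributeValue(&quot;NAS-IP-Address&quot;);
    if (!sourceIP)
        sourceIP = context.accessRequest.getAttributeValue(&quot;Calling-Station-Id&quot;);
    context.session = context.agent.newSession(sourceIP);
    
	String userName = context.accessRequest.getUserName();
	String userPassword = context.accessRequest.getUserPassword();
    
    try {
        context.agent.logon(context.session, authenticationType, userName, userPassword);
    } catch(PTException e) {
        if( e.getErrorCode() == AuthErrorCodes.ERROR_NEED_OTP ) {
            context.reply.addAttribute( new StringAttribute( TypeConstants.STATE, context.session) );
			context.reply.addAttribute( &quot;Reply-Message&quot;, otpPrompt );
            context.reply.setPacketType(TypeConstants.ACCESS_CHALLENGE);
        } else {
            throw e;
        }
    }
}
" description="Script executed to perform authentication - when set, authentication.pap, authentication.twofactor and authentication.chap are ignored"/>
			<property name="authentication.twofactor" value="false" description="Allows the radius server to do a twofactor login. For two factor logins using the newToken method (google authenticator for example)"/>
			<!-- Client-session cache: forcetimeout is in minutes (per its description); timetolive states no
			     unit, presumably minutes too. maxcount bounds the number of sessions kept in memory. -->
			<property name="clientsessions.forcetimeout" value="30" description="Force timeout in minutes for client sessions"/>
			<property name="clientsessions.maxcount" value="100000" description="Number of client sessions to store in the server"/>
			<property name="clientsessions.timetolive" value="5" description="Time to live for client sessions if not seen"/>
			<!-- packet.debug=true writes full packet contents to the log at INFO (per the description). Whether
			     sensitive attributes such as User-Password appear in the clear is not visible here; check before
			     leaving this enabled in production. -->
			<property name="packet.debug" value="true" description="Set to true to log contents of radius packets (as INFO - will be logged as DEBUG by otherwise)"/>
			<!-- PP-session cache, same shape as the clientsessions.* keys above. -->
			<property name="ppsessions.forcetimeout" value="30" description="Force timeout in minutes for pp sessions"/>
			<property name="ppsessions.maxcount" value="100000" description="Number of pp sessions to store in the server"/>
			<property name="ppsessions.timetolive" value="5" description="Time to live for pp sessions if not seen"/>
			<property name="username.sessionid" value="true" description="Set the User-Name attribute on accept packages to PP session ID. Some clients might send it back. Some might not support it!"/>
		</group>
		<group name="security" description="Radius server security configuration">
			<!-- Entries have the form "<client ip list>=<secret>". The "*" entry applies to every client not
			     listed in another entry, so any host that can reach the listener can exchange RADIUS packets
			     using secret1; both secrets are sample values. -->
			<property name="sharedsecret.1" value="*=secret1" description="shared secret for all other clients than listed below"/>
			<property name="sharedsecret.2" value="127.0.0.1,10.0.0.1=secret2" description="shared secret for IP 127.0.0.1 and 10.0.0.1"/>
		</group>
		<group name="radsec_ssl" description="Radius security SSL client certificate configuration">
			<!-- Trust anchors (a pkcs#7 file per the description) and per-issuer settings for RadSec client certificates. -->
			<property name="ca.certificates" value="${ceptor.home}/config/x509/radiustest.cer" description="pkcs#7 files containing CA certificates"/>
			<!-- Both revocation checks are off in this sample, so a revoked client certificate from this issuer is
			     still accepted. The description asks for one of CRL or OCSP to be turned on before relying on
			     client certificates. -->
			<property name="ca.provider.assecotestceptortest.check.crl" value="false" description="Set to true to do CRL checks - be careful to turn on either CRL or OCSP checks"/>
			<!-- No description in the sample; OCSP counterpart of check.crl. -->
			<property name="ca.provider.assecotestceptortest.check.ocsp" value="false" description=""/>
			<property name="ca.provider.assecotestceptortest.class" value="dk.itp.security.authentication.x509.GenericCA" description="implementation class"/>
			<!-- Presumably the issuer DN a presented client certificate is matched against. Confirm. -->
			<property name="ca.provider.assecotestceptortest.issuerdn" value="C=DK, O=AssecoCeptor, CN=radiustest" description="Certificate DN"/>
			<!-- Sample value; the description states the default is "radsec". -->
			<property name="ca.provider.assecotestceptortest.sharedsecret" value="radsec" description="Shared secret, default is radsec"/>
			<!-- Names the provider whose ca.provider.<name>.* keys appear above. -->
			<property name="ca.providers" value="assecotestceptortest" description="list of certificate issuers (providers)"/>
			<!-- Outbound HTTP proxy, disabled here (proxy.enable=false); presumably used for CRL / OCSP
			     retrieval. Confirm. proxyUser / proxyPassword are left empty in the sample. -->
			<property name="http.proxyHost" value="localhost" description="proxy host"/>
			<property name="http.proxyPassword" value="" description="proxy password for proxy authentication"/>
			<property name="http.proxyPort" value="8888" description="proxy port"/>
			<property name="http.proxyUser" value="" description="proxy userid for proxy authentication"/>
			<property name="proxy.enable" value="false" description="use proxy server"/>
		</group>
	</server>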

...