...
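<!-- RadSec (RADIUS over TLS) server-side TLS settings. Values are the sample values from the documentation page; replace the secrets before use. -->
<property name="radsec.keystore.name" value="/ptskeystore" description="Name of keystore containing SSL server cert"/>
<!-- NOTE(review): the keystore password is stored in clear text in this file; "password" is a placeholder, and read access to the file should be restricted -->
<property name="radsec.keystore.password" value="password" description="Password to keystore"/>
<property name="radsec.keystore.type" value="JKS" description="Type of keystore containing SSL server cert"/>
<!-- the literal "&" in the query string must be written as "&amp;" for the document to be well-formed; only TLS 1.2 and 1.3 are enabled -->
<property name="radsec.listenurl" value="nios://0.0.0.0:2023?tlsprotocol=TLS&amp;enabledprotocols=TLSv1.2,TLSv1.3" description="Listen URL for RadSec protocol"/>
<!-- a client certificate is required (mutual TLS); wanttlsclientauth is the optional variant and presumably only matters when needtlsclientauth is false -->
<property name="radsec.needtlsclientauth" value="true" description="True if we should require TLS client certificate"/>
<property name="radsec.wanttlsclientauth" value="false" description="True if we should want TLS client certificate, but not require it"/>
<!-- CA used to validate RadSec client certificates -->
<property name="ca.certificates" value="${ceptor.home}/config/x509/radiustest.cer" description="pkcs#7 files containing CA certificates"/>
<!-- NOTE(review): with both check.crl and check.ocsp false, the revocation status of client certificates is not checked; the description recommends enabling one of them -->
<property name="ca.provider.assecotestceptortest.check.crl" value="false" description="Set to true to do CRL checks - be careful to turn on either CRL or OCSP checks"/>
<property name="ca.provider.assecotestceptortest.check.ocsp" value="false" description=""/>
<property name="ca.provider.assecotestceptortest.class" value="dk.itp.security.authentication.x509.GenericCA" description="implementation class"/>
<property name="ca.provider.assecotestceptortest.issuerdn" value="C=DK, O=AssecoCeptor, CN=radiustest" description="Certificate DN"/>
<!-- NOTE(review): "radsec" is the documented default shared secret; change it from the default -->
<property name="ca.provider.assecotestceptortest.sharedsecret" value="radsec" description="Shared secret, default is radsec"/>
<property name="ca.providers" value="assecotestceptortest" description="list of certificate issuers (providers)"/>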
...
The minimum configuration for using a self-signed certificate is:
...
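<!-- RADIUS / RadSec server definition. Values are the sample values from the documentation page; replace the secrets before use. -->
<server name="radiusserver1" type="radius" description="Radius server" extends="applications">
  <group name="listening" description="Radius server listening configuration">
    <!-- accounting is bound to loopback only, authentication to all interfaces -->
    <property name="accounting.listenaddress" value="127.0.0.1" description="Accounting listening address - empty is default adapter"/>
    <property name="accounting.listenport" value="1813" description="Accounting port"/>
    <property name="authentication.listenaddress" value="0.0.0.0" description="Authentication listening address - empty is default adapter"/>
    <property name="authentication.listenport" value="1812" description="Authentication port"/>
    <!-- RadSec (RADIUS over TLS) listener -->
    <property name="radsec.keystore.name" value="/ptskeystore" description="Name of keystore containing SSL server cert"/>
    <!-- NOTE(review): the keystore password is stored in clear text in this file; "password" is a placeholder, and read access to the file should be restricted -->
    <property name="radsec.keystore.password" value="password" description="Password to keystore"/>
    <property name="radsec.keystore.type" value="JKS" description="Type of keystore containing SSL server cert"/>
    <!-- the literal "&" in the query string must be written as "&amp;" for the document to be well-formed; only TLS 1.2 and 1.3 are enabled -->
    <property name="radsec.listenurl" value="nios://0.0.0.0:2023?tlsprotocol=TLS&amp;enabledprotocols=TLSv1.2,TLSv1.3" description="Listen URL for RadSec protocol"/>
    <!-- a client certificate is required (mutual TLS); wanttlsclientauth is the optional variant and presumably only matters when needtlsclientauth is false -->
    <property name="radsec.needtlsclientauth" value="true" description="True if we should require TLS client certificate"/>
    <property name="radsec.wanttlsclientauth" value="false" description="True if we should want TLS client certificate, but not require it"/>
    <property name="sockettimeout" value="3000" description="Listening timeout for authentication and accounting"/>
  </group>
  <group name="other" description="Radius server configuration">
    <property name="authentication.challenge" value="43" description="Challenge authentication plugin if PAP authentication plugin supports two factor logins"/>
    <property name="authentication.pap" value="9" description="PAP authentication plugin (for example UAAuthenticationPlugin)"/>
    <!-- Inline Groovy script (prefix %{script:groovy}) implementing a two-step PAP + OTP flow: the first Access-Request logs the user on,
         an ERROR_NEED_OTP failure answers with Access-Challenge carrying the session in the State attribute and a Reply-Message prompt,
         and the second request (State present) submits the OTP as the challenge response and answers Access-Accept.
         Double quotes inside the attribute value are written as &quot;. The script uses Groovy "//" line comments, which run to end of
         line, so a line break (&#10;, which survives attribute-value normalisation unlike a literal newline) is placed after each of
         them; the original line structure of the rest of the script is not visible on this page. -->
    <property name="authentication.script" value="%{script:groovy}import dk.itp.security.passticket.*; import dk.itp.security.passticket.server.AuthErrorCodes; import dk.itp.pp.radius.packet.*; import dk.itp.pp.radius.attribute.*; // Change these to match required data&#10;int authenticationType = AuthTypes.AUTHTYPE_GOOGLEAUTH; String otpPrompt = &quot;Enter OTP displayed in Authenticator: &quot;; if (context.session) { // We have a session, so it must be 2nd call with an OTP&#10;String userPassword = context.accessRequest.getUserPassword(); def challenge = new Object[1]; challenge[0] = userPassword; context.agent.logon(context.session, authenticationType, context.agent.getUser(context.session), challenge); context.reply.addAttribute( new StringAttribute( TypeConstants.STATE, context.session) ); context.reply.setPacketType(TypeConstants.PACKAGE_TYPE_ACCESS_ACCEPT); } else { // Starting from scratch, create a new session and authenticate into it&#10;def sourceIP = context.accessRequest.getAttributeValue(&quot;NAS-IP-Address&quot;); if (!sourceIP) sourceIP = context.accessRequest.getAttributeValue(&quot;Calling-Station-Id&quot;); context.session = context.agent.newSession(sourceIP); String userName = context.accessRequest.getUserName(); String userPassword = context.accessRequest.getUserPassword(); try { context.agent.logon(context.session, authenticationType, userName, userPassword); } catch(PTException e) { if( e.getErrorCode() == AuthErrorCodes.ERROR_NEED_OTP ) { context.reply.addAttribute( new StringAttribute( TypeConstants.STATE, context.session) ); context.reply.addAttribute( &quot;Reply-Message&quot;, otpPrompt ); context.reply.setPacketType(TypeConstants.ACCESS_CHALLENGE); } else { throw e; } } } " description="Script executed to perform authentication - when set, authentication.pap, authentication.twofactor and authentication.chap are ignored"/>
    <property name="authentication.twofactor" value="false" description="Allows the radius server to do a twofactor login. For two factor logins using the newToken method (google authenticator for example)"/>
    <property name="clientsessions.forcetimeout" value="30" description="Force timeout in minutes for client sessions"/>
    <property name="clientsessions.maxcount" value="100000" description="Number of client sessions to store in the server"/>
    <property name="clientsessions.timetolive" value="5" description="Time to live for client sessions if not seen"/>
    <!-- NOTE(review): logs the contents of every RADIUS packet at INFO level; keep this false in production so request attributes are not written to the log -->
    <property name="packet.debug" value="true" description="Set to true to log contents of radius packets (as INFO - will be logged as DEBUG by otherwise)"/>
    <property name="ppsessions.forcetimeout" value="30" description="Force timeout in minutes for pp sessions"/>
    <property name="ppsessions.maxcount" value="100000" description="Number of pp sessions to store in the server"/>
    <property name="ppsessions.timetolive" value="5" description="Time to live for pp sessions if not seen"/>
    <property name="username.sessionid" value="true" description="Set the User-Name attribute on accept packages to PP session ID. Some clients might send it back. Some might not support it!"/>
  </group>
  <group name="security" description="Radius server security configuration">
    <!-- NOTE(review): shared secrets are sample values; the "*" entry applies to every client not listed in a more specific entry, so it should be a strong, unique secret -->
    <property name="sharedsecret.1" value="*=secret1" description="shared secret for all other clients than listed below"/>
    <property name="sharedsecret.2" value="127.0.0.1,10.0.0.1=secret2" description="shared secret for IP 127.0.0.1 and 10.0.0.1"/>
  </group>
  <group name="radsec_ssl" description="Radius security SSL client certificate configuration">
    <!-- CA used to validate RadSec client certificates -->
    <property name="ca.certificates" value="${ceptor.home}/config/x509/radiustest.cer" description="pkcs#7 files containing CA certificates"/>
    <!-- NOTE(review): with both check.crl and check.ocsp false, the revocation status of client certificates is not checked; the description recommends enabling one of them -->
    <property name="ca.provider.assecotestceptortest.check.crl" value="false" description="Set to true to do CRL checks - be careful to turn on either CRL or OCSP checks"/>
    <property name="ca.provider.assecotestceptortest.check.ocsp" value="false" description=""/>
    <property name="ca.provider.assecotestceptortest.class" value="dk.itp.security.authentication.x509.GenericCA" description="implementation class"/>
    <property name="ca.provider.assecotestceptortest.issuerdn" value="C=DK, O=AssecoCeptor, CN=radiustest" description="Certificate DN"/>
    <!-- NOTE(review): "radsec" is the documented default shared secret; change it from the default -->
    <property name="ca.provider.assecotestceptortest.sharedsecret" value="radsec" description="Shared secret, default is radsec"/>
    <property name="ca.providers" value="assecotestceptortest" description="list of certificate issuers (providers)"/>
    <!-- outbound HTTP proxy settings (presumably used for CRL/OCSP retrieval); disabled here -->
    <property name="http.proxyHost" value="localhost" description="proxy host"/>
    <property name="http.proxyPassword" value="" description="proxy password for proxy authentication"/>
    <property name="http.proxyPort" value="8888" description="proxy port"/>
    <property name="http.proxyUser" value="" description="proxy userid for proxy authentication"/>
    <property name="proxy.enable" value="false" description="use proxy server"/>
  </group>
</server>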
...