
radsecproxy


Configuration Example

Configuration Options

# Note that some block option values may reference a block by name, in which case the block name must be previously defined. Hence the order of the blocks may be significant.
# Recommended block order:
# tls
# rewrite
# client
# server
# realm



# The rewrite actions are performed in this sequence:
# 1. RemoveAttribute (or WhitelistAttribute)
# 2. ModifyAttribute
# 3. SupplementAttribute
# 4. AddAttribute
# Template of every option a rewrite block accepts. "attribute" is a numeric
# RADIUS attribute type (the examples further down use 1 = User-Name); the
# Vendor variants take the vendor id and sub-attribute number instead.
# A rewrite must be defined before any client/server block references it by name.
rewrite name {
# Always appends, even if the attribute is already present.
AddAttribute attribute:value
AddVendorAttribute vendor:subattribute:value
SupplementAttribute attribute:value
SupplementVendorAttribute vendor:subattribute:value
# Regex substitution on the attribute value; runs after removals, before additions.
ModifyAttribute attribute:/regex/replace/
ModifyVendorAttribute vendor:subattribute:/regex/replace/
RemoveAttribute attribute
# Sub-attribute is optional: omitting it removes all of that vendor's attributes.
RemoveVendorAttribute vendor[:subattribute]
# With whitelisting on, only the listed attributes survive step 1 (confirm exact
# semantics against the man page for the installed version).
WhitelistMode (on|off)
WhitelistAttribute attribute
WhitelistVendorAttribute vendor[:subattribute]
}

tls name {
CACertificateFile file
CACertificatePath path
CertificateFile file
CertificateKeyFile file
CertificateKeyPassword password

Configuration framework

Create the folders and files first:

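# Create the config layout. -p keeps this re-runnable on an existing install.
mkdir -p /etc/radsecproxy.d

# The chown/chmod below also touch /etc/radsecproxy.conf, so make sure it exists.
touch /etc/radsecproxy.conf
touch /etc/radsecproxy.d/tls.conf
touch /etc/radsecproxy.d/rewrites.conf
touch /etc/radsecproxy.d/clients.conf
touch /etc/radsecproxy.d/servers.conf
touch /etc/radsecproxy.d/realms.conf

# These files carry shared secrets and private-key paths. Let the daemon account
# (assumed to be radsecproxy, as in the original chown) read them, but not
# modify them: owner root, group radsecproxy, no group write, no world access.
# A daemon that owns writable config can rewrite its own trust settings if it
# is ever compromised, which is why ownership is not handed to the service user.
chown -R root:radsecproxy /etc/radsecproxy.*

chmod 750 /etc/radsecproxy.d
chmod 640 /etc/radsecproxy.conf /etc/radsecproxy.d/*.conf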

Now populate the files as needed:

# /etc/radsecproxy.conf
# Top-level file: listeners, logging, then Includes of the per-topic files.
# Blocks referenced by name must already be defined, so the Include order
# (tls, rewrite, client, server, realm) is deliberate - keep it.

IPv4Only on
# Plain RADIUS over UDP on every interface: authentication (1812) and
# accounting (1813). Which sources may talk to these ports is decided by the
# client blocks in clients.conf, so a catch-all client there exposes them widely.
ListenUDP *:1812
ListenUDP *:1813
# RadSec (RADIUS over TLS) on every interface, using the tls block(s) in tls.conf.
ListenTLS *:2083

# Verbose for initial testing; reduce to 3 later. Higher levels log more
# request detail, which may include usernames - lower it once verified.
LogLevel 4

#LogDestination file:///var/log/radsecproxy.log
LogDestination x-syslog:///
# NOTE(review): presumably stops a request being forwarded to a server that is
# the same host it arrived from - confirm against the man page.
LoopPrevention on

# One file per block type; each must exist (created above) or startup fails.
Include /etc/radsecproxy.d/tls.conf
Include /etc/radsecproxy.d/rewrites.conf
Include /etc/radsecproxy.d/clients.conf
Include /etc/radsecproxy.d/servers.conf
Include /etc/radsecproxy.d/realms.conf
# file:tls.conf
# Named "default" on purpose: TLS clients/servers that name no tls block fall
# back to one with this name (per the man page - confirm for the installed version).
tls default {
# Trust anchors used to validate peer certificates on both inbound and
# outbound RadSec connections.
CACertificateFile /etc/radsecproxy.d/certs/trusted-roots.crt
# This proxy's own certificate and private key. The key must stay readable
# only by the account the daemon runs as.
CertificateFile /etc/radsecproxy.d/certs/certificate.crt
CertificateKeyFile /etc/radsecproxy.d/certs/certificate.private.key

# Revocation checking is off: a revoked certificate chaining to trusted-roots.crt
# is still accepted. Turn it on once CRLs for the issuing CAs are available.
CRLCheck off
#CacheExpiry 3600
#policyOID 1.3.6.1.5.5.7.3.2
}
# file:rewrites.conf

# examples of possible rewrites

# @azuremfa -> @mydomain.com : for forcing Azure MFA
# Attribute 1 is User-Name. The capture (.*) is greedy and unanchored on '@',
# so "a@b@azure" becomes "a@b@mydomain.com": nothing before the final '@' is
# validated here - the downstream server must reject names it does not know.
rewrite azuremfa {
modifyAttribute 1:/^(.*)@azure$/\1@mydomain.com/
modifyAttribute 1:/^(.*)@azuremfa$/\1@mydomain.com/
}

# @azurenomfa -> @mydomain.com : for forcing logins that don't require MFA
# Same greedy-capture caveat as azuremfa: only the trailing "@azurenomfa" is
# checked. Because this suffix bypasses MFA, keep the realm that selects it
# (realm azurenomfa) limited to the clients that genuinely need it.
rewrite azurenomfa {
modifyAttribute 1:/^(.*)@azurenomfa$/\1@mydomain.com/
}

# @router -> @mydomain.com : for logging into devices with MFA required
# Used by server azureNPS02MFA-router, which targets the same host as
# azureNPS02MFA; the only difference between the two is this rewrite.
rewrite azuremfa-router {
modifyAttribute 1:/^(.*)@router$/\1@mydomain.com/
}

# @duo -> @mydomain.com : for forcing DUO MFA
# Accepts both the short "@duo" and the long "@duomfa" suffix, matching the
# two realms (duo, duomfa) that route to duoauthproxy in realms.conf.
rewrite duomfa {
modifyAttribute 1:/^(.*)@duo$/\1@mydomain.com/
modifyAttribute 1:/^(.*)@duomfa$/\1@mydomain.com/
}

# @oldBusinessName -> [norealm] : for forcing login to legacy Active Directory
# Strips the realm entirely, leaving a bare username. No client or server
# block visible on this page references this rewrite; whichever block does
# must come after it, since rewrite names have to be defined before use.
rewrite oldBusinessName {
modifyAttribute 1:/^(.*)@oldBusinessName$/\1/
}

# adding a radsecproxy identifying attribute for incoming client requests
# Remove-then-add means a client cannot pre-set this tag itself; the proxy
# always stamps the literal "rsp1". Every client block below has
# "rewriteIn tagrsp1" commented out, so this is currently inactive.
rewrite tagrsp1 {
RemoveVendorAttribute 14988:11
AddVendorAttribute 14988:11:"rsp1"
}
# file:clients.conf

client office1 {
# Requests are accepted from these source addresses only. For UDP the shared
# secret is the sole authentication, so use a long random value unique to this
# client - the placeholder below is reused by every client and server here.
# 1.1.1.1 and 2.2.2.2 are real public addresses; in an example, prefer the
# RFC 5737 documentation ranges (e.g. 192.0.2.0/24) so copy-paste cannot
# grant a stranger's address access.
host 1.1.1.1
host 2.2.2.2
host 10.1.2.1
# rewriteIn tagrsp1
secret aBetterPasswordThanThis
type udp
}

client office2 {
# Same notes as office1: per-client random secret, and 3.3.3.3 is a live
# public address that should be replaced by an RFC 5737 documentation address.
host 3.3.3.3
host 10.3.2.1
# rewriteIn tagrsp1
secret aBetterPasswordThanThis
type udp
}

client catchallIPv4UDP {
# Any IPv4 source is accepted on the UDP listeners with this one static
# secret. Together with "ListenUDP *:1812", this means anyone who reaches the
# host and knows (or guesses) the secret can submit requests, and RADIUS/UDP
# offers no other protection. Restrict the host range or firewall the UDP
# ports, and never reuse the office secrets here. Keep this block after the
# specific clients above; NOTE(review): block order may decide which client
# matches a source - confirm against the man page.
host 0.0.0.0/0
# rewriteIn tagrsp1
secret aBetterPasswordThanThis
type udp
}

client catchallIPv4TLS {
# Any IPv4 source may connect over RadSec; TLS, not a secret, is the
# authentication here (no "secret" line, so the fixed default applies per the
# man page). No tls block is named, so the block called "default" is used.
# As written, any certificate chaining to trusted-roots.crt is accepted as a
# client - consider adding a matchCertificateAttribute rule to pin the
# expected CN/SAN, and recall that CRLCheck is off in tls default.
host 0.0.0.0/0
# rewriteIn tagrsp1
type TLS
}
# file:servers.conf

# Azure NPS 001 - No MFA
# Reached over plain UDP on the LAN; the shared secret is the only protection
# for that hop, so it should be unique to this server, not the placeholder
# shared with every client block.
server azureNPS01 {
host 192.168.1.11:1812
type udp
secret aBetterPasswordThanThis
# No retransmission: a single lost packet fails the request. 3 s wait.
RetryCount 0
RetryInterval 3
# "@azurenomfa" is turned into "@mydomain.com" before forwarding.
RewriteOut azurenomfa
}

# Azure NPS 002 - MFA required
# Same host:port as azureNPS02MFA-router below; the two differ only in their
# RewriteOut, so keep their secrets identical when rotating.
server azureNPS02MFA {
host 192.168.1.12:1812
type udp
secret aBetterPasswordThanThis
# No retransmission; the 30 s wait leaves room for the MFA prompt to complete.
RetryCount 0
RetryInterval 30
# "@azure" / "@azuremfa" become "@mydomain.com" before forwarding.
RewriteOut azuremfa
}

# Azure NPS 002 - MFA Required - with router specific rewrite
# Duplicate of azureNPS02MFA (same host, secret and timing) existing only to
# apply the "@router" rewrite; no realm on this page selects it yet.
server azureNPS02MFA-router {
host 192.168.1.12:1812
type udp
secret aBetterPasswordThanThis
RetryCount 0
RetryInterval 30
# "@router" becomes "@mydomain.com" before forwarding.
RewriteOut azuremfa-router
}

# DUO MFA
server duoauthproxy {
host 127.0.0.1:31812
type udp
# file:realms.conf

# Force Azure MFA
# User-Names in the "azure" realm go to azureNPS02MFA, whose RewriteOut
# rewrites the suffix to @mydomain.com. Realms appear to be matched in file
# order, so keep the specific realms above any wildcard one (confirm).
realm azure {
server azureNPS02MFA
# NOTE(review): presumably the proxy answers accounting requests for this
# realm itself rather than forwarding them - confirm against the man page.
AccountingResponse on
}

# Force Azure MFA
# Long-form alias of realm azure: same server, and rewrite azuremfa handles
# both the "@azure" and "@azuremfa" suffixes.
realm azuremfa {
server azureNPS02MFA
AccountingResponse on
}

# Force Azure No MFA
# This realm is the MFA bypass path: any accepted client can select it simply
# by appending "@azurenomfa" to the username, so limit which clients are
# allowed to reach it (e.g. not the catch-all clients).
realm azurenomfa {
server azureNPS01
AccountingResponse on
}

# Force DUO MFA
# Routes to duoauthproxy, whose server block is cut off on this page; check
# it carries "RewriteOut duomfa" if the "@duo" suffix must be stripped before
# the request reaches the Duo proxy.
realm duo {
server duoauthproxy
AccountingResponse on
}

# Force DUO MFA
# Long-form alias of realm duo; rewrite duomfa covers both suffixes.
realm duomfa {
server duoauthproxy
AccountingResponse on
}

# Force legacy Active Directory
realm mydomain.com {
server legacyRadius
AccountingResponse on