Skip to main content

RADSECPROXY

radsecproxy Github Project Page

radsecproxy.conf man page

Configuration Example

Configuration Options

# Note that some block option values may reference a block by name, in which case the block name must be previously defined. Hence the order of the blocks may be significant.
# Recommended block order:
#   tls
#   rewrite
#   client
#   server
#   realm



# The rewrite actions are performed in this sequence:
# 	1. RemoveAttribute (or WhitelistAttribute)
# 	2. ModifyAttribute
# 	3. SupplementAttribute
# 	4. AddAttribute
	  
rewrite name {
	AddAttribute attribute:value
	AddVendorAttribute vendor:subattribute:value
	SupplementAttribute attribute:value
	SupplementVendorAttribute vendor:subattribute:value
	ModifyAttribute attribute:/regex/replace/
	ModifyVendorAttribute vendor:subattribute:/regex/replace/
	RemoveAttribute attribute
	RemoveVendorAttribute vendor[:subattribute]
	WhitelistMode (on|off)
	WhitelistAttribute attribute
	WhitelistVendorAttribute vendor[:subattribute]
}

tls name {
	CACertificateFile file
	CACertificatePath path
	CertificateFile file
	CertificateKeyFile file
	CertificateKeyPassword password
	PolicyOID oid
	CRLCheck (on|off)
	CacheExpiry seconds
}

client (name|fqdn|(address[/length])) {
	Host (fqdn|(address[/length])) # multiple lines allowed
	IPv4Only (on|off)
	IPv6Only (on|off)
	Type type (UDP|TCP|TLS|DTLS)
	Secret secret
	TLS tls
	CertificateNameCheck (on|off)
	matchCertificateAttribute ( CN | SubjectAltName:URI | SubjectAltName:DNS ) :/regexp/
	MatchCertificateAttribute SubjectAltName:IP:address
	DuplicateInterval seconds
	AddTTL 1-255
	TCPKeepalive (on|off)
	FticksVISCOUNTRY cc
	FticksVISINST institution
	RewriteIn rewrite
	RewriteOut rewrite
	RewriteAttribute User-Name:/regex/replace/
}

server (name|((fqdn|address)[:port])) {
	Host (fqdn|address)[:port]
	Port port
	DynamicLookupCommand command
	StatusServer (on|off|minimal|auto)
	RetryCount count
	RetryInterfval interval
	RewriteOut rewrite
	RewriteIn rewrite
	LoopPrevention (on|off)
	IPv4Only (on|off)
	IPv6Only (on|off)
	Type type
	Secret secret
	TLS tls
	CertificateNameCheck (on|off)
	matchCertificateAttribute ( CN | SubjectAltName:URI | SubjectAltName:DNS ) :/regexp/
	MatchCertificateAttribute SubjectAltName:IP:address
	AddTTL 1-255
	TCPKeepalive (on|off)
}

realm (*|realm|/regex/) {
	Server server
	AccountingServer server
	AccountingResponse (on|off)
	ReplyMessage message
}

tls name {
	CACertificateFile file
	CACertificatePath path
	CertificateFile file
	CertificateKeyFile file
	CertificateKeyPassword password
	PolicyOID oid
	CRLCheck (on|off)
	CacheExpiry seconds
}


# The rewrite actions are performed in this sequence:
# 	1. RemoveAttribute (or WhitelistAttribute)
# 	2. ModifyAttribute
# 	3. SupplementAttribute
# 	4. AddAttribute
	  
rewrite name {
	AddAttribute attribute:value
	AddVendorAttribute vendor:subattribute:value
	SupplementAttribute attribute:value
	SupplementVendorAttribute vendor:subattribute:value
	ModifyAttribute attribute:/regex/replace/
	ModifyVendorAttribute vendor:subattribute:/regex/replace/
	RemoveAttribute attribute
	RemoveVendorAttribute vendor[:subattribute]
	WhitelistMode (on|off)
	WhitelistAttribute attribute
	WhitelistVendorAttribute vendor[:subattribute]
}