Skip to main content

radsecproxy

radsecproxy Github Project Page

radsecproxy.conf man page

Configuration Example

Integration with OpenVPN radius plugin

The OpenVPN radius plugin requires that radsecproxy handle accounting requests.

Configuration Options

# Note that some block option values may reference a block by name, in which case the block name must be previously defined. Hence the order of the blocks may be significant.
# Recommended block order:
#   tls
#   rewrite
#   client
#   server
#   realm



# The rewrite actions are performed in this sequence:
# 	1. RemoveAttribute (or WhitelistAttribute)
# 	2. ModifyAttribute
# 	3. SupplementAttribute
# 	4. AddAttribute
	  
rewrite name {
	AddAttribute attribute:value
	AddVendorAttribute vendor:subattribute:value
	SupplementAttribute attribute:value
	SupplementVendorAttribute vendor:subattribute:value
	ModifyAttribute attribute:/regex/replace/
	ModifyVendorAttribute vendor:subattribute:/regex/replace/
	RemoveAttribute attribute
	RemoveVendorAttribute vendor[:subattribute]
	WhitelistMode (on|off)
	WhitelistAttribute attribute
	WhitelistVendorAttribute vendor[:subattribute]
}

tls name {
	CACertificateFile file
	CACertificatePath path
	CertificateFile file
	CertificateKeyFile file
	CertificateKeyPassword password
	PolicyOID oid
	CRLCheck (on|off)
	CacheExpiry seconds
}

client (name|fqdn|(address[/length])) {
	Host (fqdn|(address[/length])) # multiple lines allowed
	IPv4Only (on|off)
	IPv6Only (on|off)
	Type type (UDP|TCP|TLS|DTLS)
	Secret secret
	TLS tls
	CertificateNameCheck (on|off)
	matchCertificateAttribute ( CN | SubjectAltName:URI | SubjectAltName:DNS ) :/regexp/
	MatchCertificateAttribute SubjectAltName:IP:address
	DuplicateInterval seconds
	AddTTL 1-255
	TCPKeepalive (on|off)
	FticksVISCOUNTRY cc
	FticksVISINST institution
	RewriteIn rewrite
	RewriteOut rewrite
	RewriteAttribute User-Name:/regex/replace/
}

server (name|((fqdn|address)[:port])) {
	Host (fqdn|address)[:port]
	Port port
	DynamicLookupCommand command
	StatusServer (on|off|minimal|auto)
	RetryCount count
	RetryInterfval interval
	RewriteOut rewrite
	RewriteIn rewrite
	LoopPrevention (on|off)
	IPv4Only (on|off)
	IPv6Only (on|off)
	Type type
	Secret secret
	TLS tls
	CertificateNameCheck (on|off)
	matchCertificateAttribute ( CN | SubjectAltName:URI | SubjectAltName:DNS ) :/regexp/
	MatchCertificateAttribute SubjectAltName:IP:address
	AddTTL 1-255
	TCPKeepalive (on|off)
}

realm (*|realm|/regex/) {
	Server server
	AccountingServer server
	AccountingResponse (on|off)
	ReplyMessage message
}

 

Configuration framework


# /etc/radsecproxy.conf

IPv4Only                on
  
ListenUDP               *:1812
ListenUDP               *:1813
ListenTLS               *:2083

# For testing later reduce to 3
LogLevel                4

#LogDestination         file:///var/log/radsecproxy.log
LogDestination          x-syslog:///
LoopPrevention          on

Include /etc/radsecproxy.d/tls.conf
Include /etc/radsecproxy.d/rewrites.conf
Include /etc/radsecproxy.d/clients.conf
Include /etc/radsecproxy.d/servers.conf
Include /etc/radsecproxy.d/realms.conf
# file:tls.conf
  
tls default {
    CACertificateFile  /etc/radsecproxy.d/certs/trusted-roots.crt
    CertificateFile    /etc/radsecproxy.d/certs/certificate.crt
    CertificateKeyFile /etc/radsecproxy.d/certs/certificate.private.key

    CRLCheck off
    #CacheExpiry 3600
    #policyOID               1.3.6.1.5.5.7.3.2
}
# file:rewrites.conf

# examples of possible rewrites

# @azuremfa -> @mydomain.com : for forcing Azure MFA
rewrite azuremfa {
        modifyAttribute 1:/^(.*)@azure$/\1@mydomain.com/
        modifyAttribute 1:/^(.*)@azuremfa$/\1@mydomain.com/
}

# @azurenomfa -> @mydomain.com : for forcing logins that don't require MFA
rewrite azurenomfa {
	modifyAttribute 1:/^(.*)@azurenomfa$/\1@mydomain.com/
}

# @router -> @mydomain.com : for logging into devices with MFA required
rewrite azuremfa-router {
        modifyAttribute 1:/^(.*)@router$/\1@mydomain.com/
}

# @duo -> @mydomain.com : for forcing DUO MFA
rewrite duomfa {
        modifyAttribute 1:/^(.*)@duo$/\1@mydomain.com/
	modifyAttribute 1:/^(.*)@duomfa$/\1@mydomain.com/
}

# @oldBusinessName -> [norealm]] : for forcing login to legacy Active Directory
rewrite oldBusinessName {
	modifyAttribute 1:/^(.*)@oldBusinessName$/\1/
}

# adding a radsecproxy identifying attribute for incoming client requests
rewrite tagrsp1 {
	RemoveVendorAttribute 14988:11
	AddVendorAttribute 14988:11:"rsp1"
}

# [username]@legacyRadius -> [username] : for forcing logins via a legacy radius server
# logins should have been presented to us a username@legacyRadius
# we need to pass them the legacy radius server with no @legacyRadius
rewrite legacyRadius {
        modifyAttribute 1:/^(.*)@legacyRadius$/\1/
}
# file:clients.conf

client office1 {
	host 1.1.1.1
	host 2.2.2.2
	host 10.1.2.1
#	rewriteIn tagrsp1
	secret aBetterPasswordThanThis
	type udp
}

client office2 {
	host 3.3.3.3
	host 10.3.2.1
#	rewriteIn tagrsp1
	secret aBetterPasswordThanThis
	type udp
}

client catchallIPv4UDP {
	host 0.0.0.0/0
#	rewriteIn tagrsp1
	secret aBetterPasswordThanThis
	type udp
}

client catchallIPv4TLS {
	host 0.0.0.0/0
#	rewriteIn tagrsp1
	type TLS
}
# file:servers.conf

# Azure NPS 001 - No MFA
server azureNPS01 {
        host 192.168.1.11:1812
        type udp
        secret aBetterPasswordThanThis
	RetryCount 0
        RetryInterval 3
        RewriteOut azurenomfa
}

# Azure NPS 002 - MFA required
server azureNPS02MFA {
        host 192.168.1.12:1812
        type udp
        secret aBetterPasswordThanThis
	RetryCount 0
        RetryInterval 30
        RewriteOut azuremfa
}

# Azure NPS 002 - MFA Required - with router specific rewrite
server azureNPS02MFA-router {
        host 192.168.1.12:1812
        type udp
        secret aBetterPasswordThanThis
	RetryCount 0
        RetryInterval 30
        RewriteOut azuremfa-router
}

# DUO MFA
server duoauthproxy {
        host 127.0.0.1:31812
        type udp
        secret aBetterPasswordThanThis
	RetryCount 0
        RetryInterval 30
        RewriteOut duomfa
}

# Legacy Active Directory
server legacyAD {
        host 192.168.2.11:1812
        type udp
        secret aBetterPasswordThanThis
	RetryCount 0
        RetryInterval 30
        RewriteOut legacyRadius
}

# Legacy Radius Server
server legacyRadius01 {
        host 8.9.10.11:1812
        type udp
        secret aBetterPasswordThanThis
	RetryCount 0
        RetryInterval 5
        RewriteOut legacyRadius
}
# file:realms.conf

# Force Azure MFA
realm azure {
        server azureNPS02MFA
        AccountingResponse on
}

# Force Azure MFA
realm azuremfa {
        server azureNPS02MFA
        AccountingResponse on
}

# Force Azure No MFA
realm azurenomfa {
        server azureNPS01
        AccountingResponse on
}

# Force DUO MFA
realm duo {
	server duoauthproxy
	AccountingResponse on
}

# Force DUO MFA
realm duomfa {
	server duoauthproxy
	AccountingResponse on
}

# Force legacy Active Directory
realm mydomain.com {
        server legacyRadius
        AccountingResponse on
}

# Force router management login - service against legacy radius server
realm router {
        server legacyRadius
        AccountingResponse on
}

# For legacy Active Directory
realm old {
        server legacyRadius
        AccountingResponse on
}

# All other realms
realm * {
        server legacyRadius
        AccountingResponse on
#       ReplyMessage "Contact tech support..."
}

# All other realms - deny all other requests
# Obviously you can only have one wildcard matcher, this is just another option
realm * {
        ReplyMessage "Radius request denied by proxy. Contact tech support."
}