path: root/raddb/home_servers/tls.conf
Diffstat (limited to 'raddb/home_servers/tls.conf')
-rw-r--r--raddb/home_servers/tls.conf58
1 files changed, 58 insertions, 0 deletions
diff --git a/raddb/home_servers/tls.conf b/raddb/home_servers/tls.conf
new file mode 100644
index 0000000..7a0a61c
--- /dev/null
+++ b/raddb/home_servers/tls.conf
@@ -0,0 +1,58 @@
+#
+# This file contains the configuration for the "outgoing"
+# radsec connections. It should be included by all of the
+# dynamic home server configuration files.
+#
+# This file should be customized for your local system.
+#
+# See sites-available/tls for an example of configuring a home_server
+# with TLS.
+
+ #
+ # The server does not (yet) support RadSec over DTLS.
+ #
+ proto = tcp
+
+ #
+ # Use "auth" for Eduroam, as it does not do accounting.
+ #
+ # Other sites may allow "auth+acct".
+ #
+ type = auth
+
+ #
+ # The secret for RadSec is ALWAYS "radsec".
+ #
+ secret = radsec
+
+ #
+ # Similarly to HTTP, the client can use Server Name
+ # Indication to inform the RadSec server as to which
+ # domain it is requesting. This selection allows
+ # multiple sites to exist at the same IP address.
+ #
+ # This configuration sets the hostname sent in SNI.
+ #
+# hostname = example.org
+
+ #
+ # Outbound radsec requires a "tls" subsection.
+ #
+ tls {
+ #
+ # This is the *client* certificate used to connect outbound to the radsec server.
+ #
+ # It MUST be signed by a CA which is known to the radsec server.
+ #
+ certificate_file = ${certdir}/radsec-client.pem
+
+ private_key_file = ${certdir}/radsec-client.key
+ private_key_password = whatever
+
+ ca_path = ${cadir}
+
+ #
+ # See sites-available/tls, and the "home_server tls" subsection for more
+ # documentation on which configuration items are allowed here.
+ #
+ }
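Review bot: `private_key_password = whatever` in the new `tls` block is an uncommented placeholder that ships as-is, while every other setting in this file carries a comment; add one above it such as `# Placeholder: set to the passphrase of radsec-client.key, or delete this line if the key is unencrypted. The passphrase is stored in clear text, so keep this file readable only by the radiusd user.` The block also says nothing about how the home server's own certificate is checked: as written, `ca_path = ${cadir}` trusts any peer whose chain ends in any CA under that directory, so the comment should tell the operator to restrict it, e.g. `# ca_path MUST hold only the CA(s) that issue RadSec server certificates; a general-purpose CA bundle lets any certificate from those CAs impersonate the home server.` Whether this version also verifies the peer's name against `hostname` cannot be confirmed from this hunk (the comment on it describes SNI only), so the pointer to sites-available/tls at the end of the block is where that should be checked and stated.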