diff options
Diffstat (limited to '')
-rw-r--r-- | raddb/home_servers/README.md | 21 | ||||
-rw-r--r-- | raddb/home_servers/tls.conf | 58 |
2 files changed, 79 insertions, 0 deletions
diff --git a/raddb/home_servers/README.md b/raddb/home_servers/README.md new file mode 100644 index 0000000..01267b8 --- /dev/null +++ b/raddb/home_servers/README.md @@ -0,0 +1,21 @@ +# Dynamic Home Servers + +This directory is where dynamic home servers are stored. + +Each file in the directory should be named for the home server domain +name. In the above example, the filename should be +`${raddb}/home_servers/example.com`. The name of the home server in +the file should be the same as the filename which contains the home +server definition. + +Each file in the directory should have one, and only one, +`home_server` definition. + +See doc/configuration/dynamic_home_servers.md for more information on +dynamic home_servers. + +See also `mods-config/realm/freeradius-naptr-to-home-server.sh` for a +sample shell script which creates home servers. + +This directory also has a `tls.conf` file which contains site-specific +TLS configuration for home servers. diff --git a/raddb/home_servers/tls.conf b/raddb/home_servers/tls.conf new file mode 100644 index 0000000..7a0a61c --- /dev/null +++ b/raddb/home_servers/tls.conf @@ -0,0 +1,58 @@ +# +# This file contains the configuration for the "outgoing" +# radsec connections. It should be included by all of the +# dynamic home server configuration files. +# +# This file should be customized for your local system. +# +# See sites-available/tls for an example of configuring a home_server +# with TLS. + + # + # The server does not (yet) support RadSec over DTLS. + # + proto = tcp + + # + # Use "auth" for Eduroam, as it does not do accounting. + # + # Other sites may allow "auth+acct". + # + type = auth + + # + # The secret for RadSec is ALWAYS "radsec". + # + secret = radsec + + # + # Similarly to HTTP, the client can use Server Name + # Indication to inform the RadSec server as to which + # domain it is requesting. This selection allows + # multiple sites to exist at the same IP address. + # + # This configuration sets the hostname sent in SNI. + # +# hostname = example.org + + # + # Outbound radsec requires a "tls" subsection. + # + tls { + # + # This is the *client* certificate used to connect outbound to the radsec server. + # + # It MUST be signed by a CA which is known to the radsec server. + # + certificate_file = ${certdir}/radsec-client.pem + + private_key_file = ${certdir}/radsec-client.key + private_key_password = whatever + + ca_path = ${cadir} + + # + # See sites-available/tls, and the "home_server tls" subsection for more + # documentation on which configuration items are allowed here. + # + } |