summaryrefslogtreecommitdiffstats
path: root/raddb/home_servers
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--raddb/home_servers/README.md21
-rw-r--r--raddb/home_servers/tls.conf58
2 files changed, 79 insertions, 0 deletions
diff --git a/raddb/home_servers/README.md b/raddb/home_servers/README.md
new file mode 100644
index 0000000..01267b8
--- /dev/null
+++ b/raddb/home_servers/README.md
@@ -0,0 +1,21 @@
+# Dynamic Home Servers
+
+This directory is where dynamic home servers are stored.
+
+Each file in the directory should be named for the home server domain
+name. In the above example, the filename should be
+`${raddb}/home_servers/example.com`. The name of the home server in
+the file should be the same as the filename which contains the home
+server definition.
+
+Each file in the directory should have one, and only one,
+`home_server` definition.
+
+See doc/configuration/dynamic_home_servers.md for more information on
+dynamic home_servers.
+
+See also `mods-config/realm/freeradius-naptr-to-home-server.sh` for a
+sample shell script which creates home servers.
+
+This directory also has a `tls.conf` file which contains site-specific
+TLS configuration for home servers.
diff --git a/raddb/home_servers/tls.conf b/raddb/home_servers/tls.conf
new file mode 100644
index 0000000..7a0a61c
--- /dev/null
+++ b/raddb/home_servers/tls.conf
@@ -0,0 +1,58 @@
+#
+# This file contains the configuration for the "outgoing"
+# radsec connections. It should be included by all of the
+# dynamic home server configuration files.
+#
+# This file should be customized for your local system.
+#
+# See sites-available/tls for an example of configuring a home_server
+# with TLS.
+
+ #
+ # The server does not (yet) support RadSec over DTLS.
+ #
+ proto = tcp
+
+ #
+ # Use "auth" for Eduroam, as it does not do accounting.
+ #
+ # Other sites may allow "auth+acct".
+ #
+ type = auth
+
+ #
+ # The secret for RadSec is ALWAYS "radsec".
+ #
+ secret = radsec
+
+ #
+ # Similarly to HTTP, the client can use Server Name
+ # Indication to inform the RadSec server as to which
+ # domain it is requesting. This selection allows
+ # multiple sites to exist at the same IP address.
+ #
+ # This configuration sets the hostname sent in SNI.
+ #
+# hostname = example.org
+
+ #
+ # Outbound radsec requires a "tls" subsection.
+ #
+ tls {
+ #
+ # This is the *client* certificate used to connect outbound to the radsec server.
+ #
+ # It MUST be signed by a CA which is known to the radsec server.
+ #
+ certificate_file = ${certdir}/radsec-client.pem
+
+ private_key_file = ${certdir}/radsec-client.key
+ private_key_password = whatever
+
+ ca_path = ${cadir}
+
+ #
+ # See sites-available/tls, and the "home_server tls" subsection for more
+ # documentation on which configuration items are allowed here.
+ #
+ }