Diffstat (limited to 'raddb/sites-available/abfab-tls')
-rw-r--r--raddb/sites-available/abfab-tls118
1 files changed, 118 insertions, 0 deletions
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
new file mode 100644
index 0000000..b8d0626
--- /dev/null
+++ b/raddb/sites-available/abfab-tls
@@ -0,0 +1,118 @@
+#
+# Example configuration for ABFAB listening on TLS.
+#
+# $Id$
+#
+listen {
+ ipaddr = *
+ port = 2083
+ type = auth
+ proto = tcp
+
+ tls {
+ tls_min_version = "1.2"
+ private_key_password = whatever
+
+ # Moonshot tends to distribute certs separate from keys
+ private_key_file = ${certdir}/server.key
+ certificate_file = ${certdir}/server.pem
+ ca_file = ${cadir}/ca.pem
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+ cipher_list = "DEFAULT"
+ cache {
+ enable = no
+ lifetime = 24 # hours
+ name = "abfab-tls"
+ # persist_dir = ${logdir}/abfab-tls
+ }
+ require_client_cert = yes
+ verify {
+ }
+
+ psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
+ }
+
+ virtual_server = abfab-idp
+ clients = radsec-abfab
+}
+
+# There needs to be a separated "listen" section for IPv6.
+# Typically it will be identical to the IPv4 one above, but there might be
+# some differences (e.g. if a different certificate or port is desired)
+listen {
+ ipaddr = ::
+ port = 2083
+ type = auth
+ proto = tcp
+
+ tls {
+ tls_min_version = "1.2"
+ private_key_password = whatever
+
+ # Moonshot tends to distribute certs separate from keys
+ private_key_file = ${certdir}/server.key
+ certificate_file = ${certdir}/server.pem
+ ca_file = ${cadir}/ca.pem
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+ cipher_list = "DEFAULT"
+ cache {
+ enable = no
+ lifetime = 24 # hours
+ name = "abfab-tls"
+ # persist_dir = ${logdir}/abfab-tls
+ }
+ require_client_cert = yes
+ verify {
+ }
+
+ psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
+ }
+
+ virtual_server = abfab-idp
+ clients = radsec-abfab
+}
+
+clients radsec-abfab {
+ #
+ # Allow all clients, but require TLS.
+ # This client stanza will match other RP proxies from other
+ # realms established via the trustrouter. In general
+ # additional client stanzas are also required for local services.
+ #
+ client default {
+ ipaddr = 0.0.0.0/0
+ proto = tls
+ }
+
+ client default_ip6 {
+ ipaddr = ::/0
+ proto = tls
+ }
+
+ # An example local service
+ # client service_1 {
+ # ipaddr = 192.0.2.20
+ # # You should either set gss_acceptor_host_name below
+ # # or set up policy to confirm that a client claims
+ # # the right acceptor hostname when using ABFAB. If
+ # # set, the RADIUS server will confirm that all
+ # # requests have this value for the acceptor host name
+ # gss_acceptor_host_name = "server.example.com"
+ # # If set, this acceptor realm name will be included.
+ # # Foreign realms will typically reject a request if this is not
+ # # properly set.
+ # gss_acceptor_realm_name = "example.com"
+ # # Additionally, trust_router_coi can be set; if set
+ # # it will override the default_community in the realm
+ # # module
+ # trust_router_coi = "community1.example.net"
+ # # In production depployments it is important to set
+ # # up certificate verification so that even if
+ # # clients spoof IP addresses, one client cannot
+ # # impersonate another.
+ # }
+}
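Review bot: The `psk_query` lines in both listen sections splice the client-supplied `%{TLS-PSK-Identity}` into a SQL statement, and nothing in the file records that safety depends on the psksql module's escaping of nested expansions (its `safe_characters` setting); a reader copying this stanza to a different module or xlat would lose that protection unnoticed. I would add above each query `# TLS-PSK-Identity is sent by an unauthenticated peer; this is only safe because the psksql module escapes nested expansions — do not move this query to an unescaped xlat.` The same applies to the second listen block, which duplicates the whole tls sub-section verbatim, so a future edit to one query and not the other would silently diverge. Separately, `private_key_password = whatever` and the empty `verify { }` block ship as-is in an example that also sets `require_client_cert = yes`; a one-line comment that both are placeholders to be replaced before deployment would make the intent explicit.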