1 files changed, 58 insertions, 0 deletions

diff --git a/raddb/home_servers/tls.conf b/raddb/home_servers/tls.conf
new file mode 100644
index 0000000..7a0a61c
--- /dev/null
+++ b/raddb/home_servers/tls.conf
@@ -0,0 +1,58 @@
+#
+#  This file contains the configuration for the "outgoing"
+#  radsec connections.  It should be included by all of the
+#  dynamic home server configuration files.
+#
+#  This file should be customized for your local system.
+#
+#  See sites-available/tls for an example of configuring a home_server
+#  with TLS.
+
+	#
+	#  The server does not (yet) support RadSec over DTLS.
+	#
+	proto = tcp
+
+	#
+	#  Use "auth" for Eduroam, as it does not do accounting.
+	#
+	#  Other sites may allow "auth+acct".
+	#
+	type = auth
+
+	#
+	#  The secret for RadSec is ALWAYS "radsec".
+	#
+	secret = radsec
+
+	#
+	#  Similarly to HTTP, the client can use Server Name
+	#  Indication to inform the RadSec server as to which
+	#  domain it is requesting.  This selection allows
+	#  multiple sites to exist at the same IP address.
+	#
+	#  This configuration sets the hostname sent in SNI.
+	#
+#	hostname = example.org
+
+	#
+	#  Outbound radsec requires a "tls" subsection.
+	#
+	tls {
+		#
+		#  This is the *client* certificate used to connect outbound to the radsec server.
+		#
+		#  It MUST be signed by a CA which is known to the radsec server.
+		#
+		certificate_file = ${certdir}/radsec-client.pem
+
+		private_key_file = ${certdir}/radsec-client.key
+		private_key_password = whatever
+
+		ca_path = ${cadir}
+
+		#
+		#  See sites-available/tls, and the "home_server tls" subsection for more
+		#  documentation on which configuration items are allowed here.
+		#
+	}