#
#  This file contains the configuration for the "outgoing"
#  radsec connections.  It should be included by all of the
#  dynamic home server configuration files.
#
#  This file should be customized for your local system.
#
#  See sites-available/tls for an example of configuring a home_server
#  with TLS.

	#
	#  The server does not (yet) support RadSec over DTLS.
	#
	proto = tcp

	#
	#  Use "auth" for Eduroam, as it does not do accounting.
	#
	#  Other sites may allow "auth+acct".
	#
	type = auth

	#
	#  The secret for RadSec is ALWAYS "radsec".
	#
	secret = radsec

	#
	#  Similarly to HTTP, the client can use Server Name
	#  Indication to inform the RadSec server as to which
	#  domain it is requesting.  This selection allows
	#  multiple sites to exist at the same IP address.
	#
	#  This configuration sets the hostname sent in SNI.
	#
#	hostname = example.org

	#
	#  Outbound radsec requires a "tls" subsection.
	#
	tls {
		#
		#  This is the *client* certificate used to connect outbound to the radsec server.
		#
		#  It MUST be signed by a CA which is known to the radsec server.
		#
		certificate_file = ${certdir}/radsec-client.pem

		private_key_file = ${certdir}/radsec-client.key
		private_key_password = whatever

		ca_path = ${cadir}

		#
		#  See sites-available/tls, and the "home_server tls" subsection for more
		#  documentation on which configuration items are allowed here.
		#
	}