#
# Example configuration for ABFAB listening on TLS.
#
# $Id$
#
listen {
# IPv4 RadSec listener: wildcard bind on the RadSec port, RADIUS-over-TCP
# wrapped in TLS.  A matching IPv6 listener follows further down.
ipaddr = *
port = 2083
type = auth
proto = tcp
tls {
# Minimum TLS version accepted on this socket; older protocol versions
# are refused at the handshake.
tls_min_version = "1.2"
# Passphrase for an encrypted private key.  NOTE(review): "whatever" is
# an example placeholder — set the real passphrase before deployment (and
# keep this file readable only by the radiusd user), or remove the line if
# server.key is stored unencrypted.
private_key_password = whatever
# Moonshot tends to distribute certs separate from keys
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
# CA bundle and CA directory used to validate the client certificates that
# require_client_cert (below) demands from every peer.
ca_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
# NOTE(review): "DEFAULT" defers to the linked OpenSSL build's default
# suite list; if the deployment must exclude legacy suites, name the
# permitted ones explicitly here instead of relying on the library default.
cipher_list = "DEFAULT"
cache {
# TLS session caching is disabled, so every connection performs a full
# handshake; the remaining settings only take effect if enable is flipped.
enable = no
lifetime = 24 # hours
name = "abfab-tls"
# persist_dir = ${logdir}/abfab-tls
}
# Peers must present a certificate.  The verify section below is empty, so
# no additional verification step is configured beyond what the CA settings
# above provide.
require_client_cert = yes
verify {
}
# PSK lookup keyed on the identity offered by the peer.  NOTE(review): the
# expanded TLS-PSK-Identity is input from an as-yet unauthenticated peer
# that is interpolated into a SQL statement; safety relies on the psksql
# instance applying its escaping to the expansion — confirm that
# configuration rather than assuming it.
psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
}
# Requests arriving on this socket are processed by the abfab-idp virtual
# server and must originate from a client in the radsec-abfab list.
virtual_server = abfab-idp
clients = radsec-abfab
}
# There needs to be a separate "listen" section for IPv6.
# Typically it will be identical to the IPv4 one above, but there might be
# some differences (e.g. if a different certificate or port is desired).
listen {
# IPv6 RadSec listener; every setting except ipaddr mirrors the IPv4
# listener above, so changes to certificates, ciphers or the PSK query
# must be applied in both places.
ipaddr = ::
port = 2083
type = auth
proto = tcp
tls {
# Minimum TLS version accepted on this socket.
tls_min_version = "1.2"
# NOTE(review): placeholder passphrase — replace before deployment, or
# remove if server.key is unencrypted.
private_key_password = whatever
# Moonshot tends to distribute certs separate from keys
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
# CA bundle and directory used to validate client certificates.
ca_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
# NOTE(review): "DEFAULT" leaves the suite selection to the OpenSSL
# default list; pin an explicit list if legacy suites must be excluded.
cipher_list = "DEFAULT"
cache {
# Session caching disabled; the settings below are inert until enabled.
enable = no
lifetime = 24 # hours
name = "abfab-tls"
# persist_dir = ${logdir}/abfab-tls
}
# Client certificates are mandatory; the verify section is empty, so no
# additional verification step is configured here.
require_client_cert = yes
verify {
}
# PSK lookup by peer-supplied identity.  NOTE(review): the identity is
# untrusted input interpolated into SQL; confirm the psksql instance
# escapes the expansion.
psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
}
# Handled by the abfab-idp virtual server; peers must match the
# radsec-abfab client list.
virtual_server = abfab-idp
clients = radsec-abfab
}
clients radsec-abfab {
#
# Allow all clients, but require TLS.
# This client stanza will match other RP proxies from other
# realms established via the trustrouter. In general
# additional client stanzas are also required for local services.
#
# Because the address ranges below are unrestricted, peer identity rests
# entirely on the TLS client-certificate checks configured on the
# listeners that reference this list (require_client_cert = yes); no
# RADIUS shared secret or source-address filtering contributes here.
#
client default {
# Any IPv4 source address, TLS transport only.
ipaddr = 0.0.0.0/0
proto = tls
}
client default_ip6 {
# Any IPv6 source address, TLS transport only.
ipaddr = ::/0
proto = tls
}
# An example local service
# client service_1 {
# ipaddr = 192.0.2.20
# # You should either set gss_acceptor_host_name below
# # or set up policy to confirm that a client claims
# # the right acceptor hostname when using ABFAB. If
# # set, the RADIUS server will confirm that all
# # requests have this value for the acceptor host name
# gss_acceptor_host_name = "server.example.com"
# # If set, this acceptor realm name will be included.
# # Foreign realms will typically reject a request if this is not
# # properly set.
# gss_acceptor_realm_name = "example.com"
# # Additionally, trust_router_coi can be set; if set
# # it will override the default_community in the realm
# # module
# trust_router_coi = "community1.example.net"
# # In production deployments it is important to set
# # up certificate verification so that even if
# # clients spoof IP addresses, one client cannot
# # impersonate another.
# }
}