# Some basic logging
LogLevel 3
LogDestination x-syslog:///LOG_DAEMON
# Prevents RADIUS servers from causing a loop by sending requests back again.
LoopPrevention On
# FTICKS is a standardised way of logging authentication attempts.
FTicksSyslogFacility LOG_LOCAL0
FTicksReporting Full
# Client MAC addresses in F-Ticks records are not logged in clear: the non-vendor part is
# hashed together with FTicksKey, so records from this site cannot be correlated without the key.
FTicksMAC VendorKeyHashed
# 'arandomsalt' is a placeholder. Replace it with a long, random value unique to this site and
# keep it secret: anyone holding the key can brute-force the hashed MACs back to real addresses.
FTicksKey arandomsalt
# Applied (via RewriteOut) to every request forwarded to the national proxies.
# WhitelistMode drops every attribute that is not listed below, so internal details carried by
# the NAS (NAS-IP-Address, vendor-specific attributes, framed/tunnel attributes, ...) never
# leave this site; only what is needed for EAP to complete and for accounting/tracing is kept.
rewrite OutboundFilter {
# Operator-Name
# SupplementAttribute only adds the attribute if the request does not already carry one.
# Change only 'home.site' to your realm and keep the leading '1': it is the RFC 5580
# Operator-Name namespace identifier (1 = REALM), not part of the name.
SupplementAttribute 126:'1home.site
WhitelistMode on
# User-Name
WhitelistAttribute 1
# EAP-Message
WhitelistAttribute 79
# Message-Authenticator
WhitelistAttribute 80
# State
WhitelistAttribute 24
# Proxy-State
WhitelistAttribute 33
# Operator-Name
WhitelistAttribute 126
# Class
WhitelistAttribute 25
# Calling-Station-Id
WhitelistAttribute 31
# Called-Station-Id
WhitelistAttribute 30
# Chargeable-User-Identity
WhitelistAttribute 89
}
# Upstream RADIUS proxy (national govroam proxy).
# Plain RADIUS over UDP: the shared secret is the only thing authenticating this peer, so use
# the secret supplied by govroam, never reuse it for any other peer, and restrict inbound
# RADIUS at the firewall to the national proxy addresses listed in this file.
server roaming0.govroam.uk {
host 212.219.190.139
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Strip everything except the whitelisted attributes before the request leaves the site.
RewriteOut OutboundFilter
# Use Status-Server probes to detect whether this proxy is alive ('minimal' limits how often
# probes are sent; see radsecproxy.conf(5) for the exact policy).
statusServer minimal
}
# Upstream RADIUS proxy (national govroam proxy).
# Plain RADIUS over UDP: the shared secret is the only thing authenticating this peer, so use
# the secret supplied by govroam, never reuse it for any other peer, and restrict inbound
# RADIUS at the firewall to the national proxy addresses listed in this file.
server roaming1.govroam.uk {
host 212.219.209.43
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Strip everything except the whitelisted attributes before the request leaves the site.
RewriteOut OutboundFilter
# Use Status-Server probes to detect whether this proxy is alive ('minimal' limits how often
# probes are sent; see radsecproxy.conf(5) for the exact policy).
statusServer minimal
}
# Upstream RADIUS proxy (national govroam proxy).
# Plain RADIUS over UDP: the shared secret is the only thing authenticating this peer, so use
# the secret supplied by govroam, never reuse it for any other peer, and restrict inbound
# RADIUS at the firewall to the national proxy addresses listed in this file.
server roaming2.govroam.uk {
host 212.219.247.59
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Strip everything except the whitelisted attributes before the request leaves the site.
RewriteOut OutboundFilter
# Use Status-Server probes to detect whether this proxy is alive ('minimal' limits how often
# probes are sent; see radsecproxy.conf(5) for the exact policy).
statusServer minimal
}
# Upstream RADIUS proxy (national govroam proxy).
# Plain RADIUS over UDP: the shared secret is the only thing authenticating this peer, so use
# the secret supplied by govroam, never reuse it for any other peer, and restrict inbound
# RADIUS at the firewall to the national proxy addresses listed in this file.
server roaming3.govroam.uk {
host 195.194.21.203
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Strip everything except the whitelisted attributes before the request leaves the site.
RewriteOut OutboundFilter
# Use Status-Server probes to detect whether this proxy is alive ('minimal' limits how often
# probes are sent; see radsecproxy.conf(5) for the exact policy).
statusServer minimal
}
# Local IdP which will do the authentication (Omit for Visited Only)
# Configure to match the RADIUS server to which auth requests for your local realm will be sent.
# Note there is no RewriteOut here: requests for the local realm reach the IdP unfiltered.
server localidp1 {
host 10.10.10.21
type udp
## Change XXXX to a strong secret shared only with this IdP (do not reuse the govroam secret).
secret XXXX
# 'auto' presumably enables Status-Server probing only if the IdP answers such probes;
# confirm against radsecproxy.conf(5) for the installed version.
statusServer auto
}
# RADIUS requests will also be received from the national proxies. (Omit for Visited Only)
# These client blocks accept requests for the local realm coming back from govroam. The 'host'
# must stay a single national proxy address, and the secret is what authenticates that proxy.
client roaming0.govroam.uk {
host 212.219.190.139
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound side of the national proxy above; host stays a single address, secret authenticates it.
client roaming1.govroam.uk {
host 212.219.209.43
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound side of the national proxy above; host stays a single address, secret authenticates it.
client roaming2.govroam.uk {
host 212.219.247.59
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound side of the national proxy above; host stays a single address, secret authenticates it.
client roaming3.govroam.uk {
host 195.194.21.203
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Wireless system
# Configure this to match the wireless controller/controllers from which the authentication requests are coming.
# Use one client block per controller address (radsecproxy also accepts a prefix such as
# 10.10.10.0/24 in 'host'), but keep the match as narrow as possible: any sender matching
# 'host' that knows the secret can inject authentication requests.
client nas {
host 10.10.10.10
type udp
## Change XXXX to a strong secret shared only with the controller(s).
secret XXXX
# F-Ticks visited-country / visited-institution tags for requests arriving from this client.
fticksVISCOUNTRY GB
# Change 'home.site' to your realm
# Keep the leading '1' - it is the same RFC 5580 namespace prefix (1 = REALM) used for the
# Operator-Name value in the OutboundFilter rewrite, not part of the realm itself.
fticksVISINST 1home.site
}
#Known local realm (Omit for Visited Only)
#Configure 'localnet' to be the name of the realm for your site and 'localidp1' to be the IDP mentioned above
# radsecproxy turns a plain realm name into the pattern '@localnet$' (matched case-insensitively
# against the User-Name) and evaluates realm blocks in the order they appear, first match wins.
# Keep this block ABOVE the generic patterns below, otherwise local users would be proxied
# out to govroam or rejected as misconfigured.
realm localnet {
server localidp1
}
### Catch a load of common misconfigurations
# A realm block with no server rejects the request; the replymessage is returned to the NAS
# in Reply-Message so the failure reason is visible in the NAS/device logs.
realm /^$/ {
replymessage "Misconfigured client: empty realm!"
}
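# Public mail providers and 3GPP (cellular/SIM) realms are never valid govroam realms.
# Rejecting them locally stops misconfigured devices from generating needless load on the
# national proxies. Dots are escaped so that '.' only matches a literal dot: unescaped,
# 'gmail.com' would also match e.g. 'gmailXcom', which is wider than intended.
realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail)\.com|(.*\.)?3gppnetworks?\.org|yahoo\.cn)/ {
replymessage "Misconfigured client: govroam realm not permitted"
}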
# Common typos of UK/edu suffixes, plus '.local' and bare 'ac.uk' (eduroam, not govroam).
realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$/ {
replymessage "Misconfigured client: govroam realm invalid (typo?)"
}
# Realm starting with a dot, e.g. 'user@.home.site'.
realm /@\./ {
replymessage "Misconfigured client: govroam realm invalid (leading '.')"
}
# Single-label realm with no dot at all, e.g. 'user@home'.
realm /@[^\.]+$/ {
replymessage "Misconfigured client: govroam realm invalid (incomplete)"
}
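### Check it's a syntactically correct realm and proxy if ok
# Only User-Names whose realm consists of letters, digits, dots and hyphens, with at least one
# dot, are forwarded to the national proxies (patterns are matched case-insensitively).
# radsecproxy compiles realm patterns with POSIX regcomp(), where a backslash inside [...] is a
# literal character: the previous class [0-9a-zA-Z\.] therefore also accepted '\' in a realm,
# and because '-' was missing it rejected valid hyphenated realms (DNS labels may contain '-').
# Inside a bracket expression '.' needs no escaping and a trailing '-' is literal.
realm /@[0-9a-zA-Z.-]+\.[0-9a-zA-Z.-]+$/ {
server roaming0.govroam.uk
server roaming1.govroam.uk
server roaming2.govroam.uk
server roaming3.govroam.uk
}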
### Otherwise reject it
# Catch-all: anything not matched above (including realms with characters outside the
# accepted set) is rejected rather than proxied.
realm * {
replymessage "Misconfigured client: govroam realm invalid (syntax error)"
}
Alternative configuration for older versions of radsecproxy (e.g. the version packaged by Debian). It uses RemoveAttribute/AddAttribute in place of the WhitelistMode/SupplementAttribute rewrite and the older on/off form of statusServer. Use it instead of, not in addition to, the configuration above.
# Some basic logging
LogLevel 3
LogDestination x-syslog:///LOG_DAEMON
# Prevents RADIUS servers from causing a loop by sending requests back again.
LoopPrevention On
# FTICKS is a standardised way of logging authentication attempts.
FTicksSyslogFacility LOG_LOCAL0
FTicksReporting Full
# Client MAC addresses in F-Ticks records are not logged in clear: the non-vendor part is
# hashed together with FTicksKey, so records from this site cannot be correlated without the key.
FTicksMAC VendorKeyHashed
# 'arandomsalt' is a placeholder. Replace it with a long, random value unique to this site and
# keep it secret: anyone holding the key can brute-force the hashed MACs back to real addresses.
FTicksKey arandomsalt
# Applied (via RewriteOut) to every request forwarded to the national proxies.
# Unlike the whitelist version, this rewrite only replaces Operator-Name: every other attribute
# the NAS sends (NAS-IP-Address, vendor-specific attributes, ...) is forwarded to govroam
# unchanged. Review what your controller includes in requests if that is a concern.
rewrite OutboundFilter {
# Operator-Name
# Remove any Operator-Name set by the NAS, then add this site's own value. Change only
# 'home.site' to your realm and keep the leading '1': it is the RFC 5580 Operator-Name
# namespace identifier (1 = REALM), not part of the name.
RemoveAttribute 126
AddAttribute 126:'1home.site
}
# Upstream RADIUS proxy (national govroam proxy).
# Plain RADIUS over UDP: the shared secret is the only thing authenticating this peer, so use
# the secret supplied by govroam, never reuse it for any other peer, and restrict inbound
# RADIUS at the firewall to the national proxy addresses listed in this file.
server roaming0.govroam.uk {
host 212.219.190.139
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Replace Operator-Name before the request leaves the site.
RewriteOut OutboundFilter
# Send Status-Server probes so that an unresponsive proxy is detected.
statusServer on
}
# Upstream RADIUS proxy (national govroam proxy).
# Plain RADIUS over UDP: the shared secret is the only thing authenticating this peer, so use
# the secret supplied by govroam, never reuse it for any other peer, and restrict inbound
# RADIUS at the firewall to the national proxy addresses listed in this file.
server roaming1.govroam.uk {
host 212.219.209.43
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Replace Operator-Name before the request leaves the site.
RewriteOut OutboundFilter
# Send Status-Server probes so that an unresponsive proxy is detected.
statusServer on
}
# Upstream RADIUS proxy (national govroam proxy).
# Plain RADIUS over UDP: the shared secret is the only thing authenticating this peer, so use
# the secret supplied by govroam, never reuse it for any other peer, and restrict inbound
# RADIUS at the firewall to the national proxy addresses listed in this file.
server roaming2.govroam.uk {
host 212.219.247.59
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Replace Operator-Name before the request leaves the site.
RewriteOut OutboundFilter
# Send Status-Server probes so that an unresponsive proxy is detected.
statusServer on
}
# Upstream RADIUS proxy (national govroam proxy).
# Plain RADIUS over UDP: the shared secret is the only thing authenticating this peer, so use
# the secret supplied by govroam, never reuse it for any other peer, and restrict inbound
# RADIUS at the firewall to the national proxy addresses listed in this file.
server roaming3.govroam.uk {
host 195.194.21.203
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Replace Operator-Name before the request leaves the site.
RewriteOut OutboundFilter
# Send Status-Server probes so that an unresponsive proxy is detected.
statusServer on
}
# Local IdP which will do the authentication (Omit for Visited Only)
# Configure to match the RADIUS server to which auth requests for your local realm will be sent.
# Note there is no RewriteOut here: requests for the local realm reach the IdP unfiltered.
server localidp1 {
host 10.10.10.21
type udp
## Change XXXX to a strong secret shared only with this IdP (do not reuse the govroam secret).
secret XXXX
# No Status-Server probes: older IdPs may not answer them. Set to 'on' if yours does,
# so a dead IdP is noticed before users report failures.
statusServer off
}
# RADIUS requests will also be received from the national proxies. (Omit for Visited Only)
# These client blocks accept requests for the local realm coming back from govroam. The 'host'
# must stay a single national proxy address, and the secret is what authenticates that proxy.
client roaming0.govroam.uk {
host 212.219.190.139
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound side of the national proxy above; host stays a single address, secret authenticates it.
client roaming1.govroam.uk {
host 212.219.209.43
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound side of the national proxy above; host stays a single address, secret authenticates it.
client roaming2.govroam.uk {
host 212.219.247.59
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound side of the national proxy above; host stays a single address, secret authenticates it.
client roaming3.govroam.uk {
host 195.194.21.203
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Wireless system
# Configure this to match the wireless controller/controllers from which the authentication requests are coming.
# Use one client block per controller address (radsecproxy also accepts a prefix such as
# 10.10.10.0/24 in 'host'), but keep the match as narrow as possible: any sender matching
# 'host' that knows the secret can inject authentication requests.
client nas {
host 10.10.10.10
type udp
## Change XXXX to a strong secret shared only with the controller(s).
secret XXXX
# F-Ticks visited-country / visited-institution tags for requests arriving from this client.
fticksVISCOUNTRY GB
# Change 'home.site' to your realm
# Keep the leading '1' - it is the same RFC 5580 namespace prefix (1 = REALM) used for the
# Operator-Name value in the OutboundFilter rewrite, not part of the realm itself.
fticksVISINST 1home.site
}
#Known local realm (Omit for Visited Only)
#Configure 'localnet' to be the name of the realm for your site and 'localidp1' to be the IDP mentioned above
# radsecproxy turns a plain realm name into the pattern '@localnet$' (matched case-insensitively
# against the User-Name) and evaluates realm blocks in the order they appear, first match wins.
# Keep this block ABOVE the generic patterns below, otherwise local users would be proxied
# out to govroam or rejected as misconfigured.
realm localnet {
server localidp1
}
### Catch a load of common misconfigurations
# A realm block with no server rejects the request; the replymessage is returned to the NAS
# in Reply-Message so the failure reason is visible in the NAS/device logs.
realm /^$/ {
replymessage "Misconfigured client: empty realm!"
}
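# Public mail providers and 3GPP (cellular/SIM) realms are never valid govroam realms.
# Rejecting them locally stops misconfigured devices from generating needless load on the
# national proxies. Dots are escaped so that '.' only matches a literal dot: unescaped,
# 'gmail.com' would also match e.g. 'gmailXcom', which is wider than intended.
realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail)\.com|(.*\.)?3gppnetworks?\.org|yahoo\.cn)/ {
replymessage "Misconfigured client: govroam realm not permitted"
}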
# Common typos of UK/edu suffixes, plus '.local' and bare 'ac.uk' (eduroam, not govroam).
realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$/ {
replymessage "Misconfigured client: govroam realm invalid (typo?)"
}
# Realm starting with a dot, e.g. 'user@.home.site'.
realm /@\./ {
replymessage "Misconfigured client: govroam realm invalid (leading '.')"
}
# Single-label realm with no dot at all, e.g. 'user@home'.
realm /@[^\.]+$/ {
replymessage "Misconfigured client: govroam realm invalid (incomplete)"
}
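### Check it's a syntactically correct realm and proxy if ok
# Only User-Names whose realm consists of letters, digits, dots and hyphens, with at least one
# dot, are forwarded to the national proxies (patterns are matched case-insensitively).
# radsecproxy compiles realm patterns with POSIX regcomp(), where a backslash inside [...] is a
# literal character: the previous class [0-9a-zA-Z\.] therefore also accepted '\' in a realm,
# and because '-' was missing it rejected valid hyphenated realms (DNS labels may contain '-').
# Inside a bracket expression '.' needs no escaping and a trailing '-' is literal.
realm /@[0-9a-zA-Z.-]+\.[0-9a-zA-Z.-]+$/ {
server roaming0.govroam.uk
server roaming1.govroam.uk
server roaming2.govroam.uk
server roaming3.govroam.uk
}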
### Otherwise reject it
# Catch-all: anything not matched above (including realms with characters outside the
# accepted set) is rejected rather than proxied.
realm * {
replymessage "Misconfigured client: govroam realm invalid (syntax error)"
}