Differences

This shows you the differences between two versions of the page.

--- siteadmin:advanced_orps_radsecproxy_configuration [2021/03/09 15:15] – admin
+++ siteadmin:advanced_orps_radsecproxy_configuration [2022/05/18 10:14] (current) – admin
@@ Line 2: / Line 2: @@
 This should be representative of the configuration used in production. It contains the appropriate logging and filtering.
+For RadSecProxy 1.8.0 and above:
 <code>
@@ Line 20: / Line 22: @@
 rewrite OutboundFilter {
     # Operator-Name
-    RemoveAttribute 126
-    AddAttribute 126:'1home.site
+    SupplementAttribute 126:'1home.site
     WhitelistMode on
@@ Line 47: / Line 49: @@
-# Upstream RADIUS proxy (Omit for Visited Only)
+# Upstream RADIUS proxy
 server  roaming0.govroam.uk {
         host 212.219.190.139
         type udp
-        secret XXXX
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
         RewriteOut OutboundFilter
-        statusServer auto   #This checks that status of the adjacent servers.
+#This checks that status of the adjacent servers.
+        statusServer minimal
 }
-# Upstream RADIUS proxy (Omit for Visited Only)
+# Upstream RADIUS proxy
 server  roaming1.govroam.uk {
         host 212.219.209.43
         type udp
-        secret XXXX
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
         RewriteOut OutboundFilter
-        statusServer auto   #This checks that status of the adjacent servers.
+#This checks that status of the adjacent servers.
+        statusServer minimal
 }
-# Upstream RADIUS proxy (Omit for Visited Only)
+# Upstream RADIUS proxy
 server  roaming2.govroam.uk {
         host 212.219.247.59
         type udp
-        secret XXXX
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
         RewriteOut OutboundFilter
-        statusServer auto   #This checks that status of the adjacent servers.
+#This checks that status of the adjacent servers.
+        statusServer minimal
 }
-# Upstream RADIUS proxy (Omit for Visited Only)
+# Upstream RADIUS proxy
 server  roaming3.govroam.uk {
         host 195.194.21.203
         type udp
-        secret XXXX
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
         RewriteOut OutboundFilter
-        statusServer auto   #This checks that status of the adjacent servers.
+#This checks that status of the adjacent servers.
+        statusServer minimal
 }
 # Local IdP which will do the authentication (Omit for Visited Only)
+# Configure to match the RADIUS server to which auth requests for your local realm will be sent.
 server  localidp1 {
         host 10.10.10.21
         type udp
         secret XXXX
@@ Line 93: / Line 104: @@
-# RADIUS requests will also be received from the national proxies.
+# RADIUS requests will also be received from the national proxies. (Omit for Visited Only)
 client  roaming0.govroam.uk {
         host 212.219.190.139
         type udp
-        secret XXXX
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
 }
@@ Line 103: / Line 115: @@
         host 212.219.209.43
         type udp
-        secret XXXX
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
 }
@@ Line 109: / Line 123: @@
         host 212.219.247.59
         type udp
-        secret XXXX
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
 }
 client  roaming3.govroam.uk {
         host 195.194.21.203
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+}
+# Wireless system
+# Configure this to match the wireless controller/controllers from which the authentication requests are coming.
+client  nas {
+        host 10.10.10.10
         type udp
         secret XXXX
+        fticksVISCOUNTRY GB
+# Change 'home.site' to your realm
+        fticksVISINST 1home.site
 }
+#Known local realm (Omit for Visited Only)
+#Configure 'localnet' to be the name of the realm for your site and 'localidp1' to be the IDP mentioned above
+realm localnet {
+        server localidp1
+}
+### Catch a load of common misconfigurations
+realm /^$/ {
+    replymessage "Misconfigured client: empty realm!"
+}
+realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn)/ {
+    replymessage "Misconfigured client: govroam realm not permitted"
+}
+realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$/ {
+    replymessage "Misconfigured client: govroam realm invalid (typo?)"
+}
+realm /@\./ {
+    replymessage "Misconfigured client: govroam realm invalid (leading '.')"
+}
+realm /@[^\.]+$/ {
+    replymessage "Misconfigured client: govroam realm invalid (incomplete)"
+}
+### Check it's a syntactically correct realm and proxy if ok
+realm /@[0-9a-zA-Z\.]+\.[0-9a-zA-Z\.]+$/ {
+    server roaming0.govroam.uk
+    server roaming1.govroam.uk
+    server roaming2.govroam.uk
+    server roaming3.govroam.uk
+}
+### Otherwise reject it
+realm * {
+    replymessage "Misconfigured client: govroam realm invalid (syntax error)"
+}
+</code>
+For older versions of RadSecProxy (e.g. on Debian)
+<code>
+# Some basic logging
+LogLevel 3
-client  localidp1 {
+LogDestination         x-syslog:///LOG_DAEMON
-        host 10.10.10.21
+# Prevents RADIUS servers from causing a loop by sending requests back again.
+LoopPrevention         On
+# FTICKS is a standardised way of logging authentication attempts.
+FTicksSyslogFacility LOG_LOCAL0
+FTicksReporting Full
+FTicksMAC VendorKeyHashed
+FTicksKey arandomsalt
+rewrite OutboundFilter {
+    # Operator-Name
+    RemoveAttribute 126
+    AddAttribute 126:'1home.site
+}
+# Upstream RADIUS proxy
+server  roaming0.govroam.uk {
+        host 212.219.190.139
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+        RewriteOut OutboundFilter
+#This checks that status of the adjacent servers.
+        statusServer on
+}
+# Upstream RADIUS proxy
+server  roaming1.govroam.uk {
+        host 212.219.209.43
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+        RewriteOut OutboundFilter
+#This checks that status of the adjacent servers.
+        statusServer on
+}
+# Upstream RADIUS proxy
+server  roaming2.govroam.uk {
+        host 212.219.247.59
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+        RewriteOut OutboundFilter
+#This checks that status of the adjacent servers.
+        statusServer on
+}
+# Upstream RADIUS proxy
+server  roaming3.govroam.uk {
+        host 195.194.21.203
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+        RewriteOut OutboundFilter
+#This checks that status of the adjacent servers.
+        statusServer on
+}
+# Local IdP which will do the authentication (Omit for Visited Only)
+# Configure to match the RADIUS server to which auth requests for your local realm will be sent.
+server  localidp1 {
+        host 10.10.10.21
         type udp
         secret XXXX
+        statusServer off
+}
+# RADIUS requests will also be received from the national proxies. (Omit for Visited Only)
+client  roaming0.govroam.uk {
+        host 212.219.190.139
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+}
+client  roaming1.govroam.uk {
+        host 212.219.209.43
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+}
+client  roaming2.govroam.uk {
+        host 212.219.247.59
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+}
+client  roaming3.govroam.uk {
+        host 195.194.21.203
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
 }
-# Wireless system (Omit for Visited Only)
+# Wireless system
+# Configure this to match the wireless controller/controllers from which the authentication requests are coming.
 client  nas {
         host 10.10.10.10
         type udp
         secret XXXX
         fticksVISCOUNTRY GB
-        fticksVISINST 1home.site        # Adding information to the logs about this client.
+# Change 'home.site' to your realm
+        fticksVISINST 1home.site
 }
 #Known local realm (Omit for Visited Only)
+#Configure 'localnet' to be the name of the realm for your site and 'localidp1' to be the IDP mentioned above
 realm localnet {
         server localidp1
@@ Line 143: / Line 324: @@
 }
-realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn) {
+realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn)/ {
     replymessage "Misconfigured client: govroam realm not permitted"
 }
-realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$ {
+realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$/ {
     replymessage "Misconfigured client: govroam realm invalid (typo?)"
 }
-realm /@\. {
+realm /@\./ {
     replymessage "Misconfigured client: govroam realm invalid (leading '.')"
 }
-realm /@[^\.]+$ {
+realm /@[^\.]+$/ {
     replymessage "Misconfigured client: govroam realm invalid (incomplete)"
 }
 ### Check it's a syntactically correct realm and proxy if ok
-realm /@[0-9a-zA-Z\.]+\.[0-9a-zA-Z\.]+$ {
+realm /@[0-9a-zA-Z\.]+\.[0-9a-zA-Z\.]+$/ {
     server roaming0.govroam.uk
     server roaming1.govroam.uk
@@ Line 170: / Line 351: @@
 realm * {
     replymessage "Misconfigured client: govroam realm invalid (syntax error)"
 }
 </code>