Differences

This shows you the differences between two versions of the page.

--- siteadmin:advanced_orps_radsecproxy_configuration [2021/08/11 10:40] – admin
+++ siteadmin:advanced_orps_radsecproxy_configuration [2022/05/18 10:14] (current) – admin
@@ Line 2: / Line 2: @@
 This should be representative of the configuration used in production. It contains the appropriate logging and filtering.
+For RadSecProxy 1.8.0 and above:
 <code>
@@ Line 20: / Line 22: @@
 rewrite OutboundFilter {
     # Operator-Name
-    RemoveAttribute 126
-    AddAttribute 126:'1home.site
+    SupplementAttribute 126:'1home.site
     WhitelistMode on
@@ Line 50: / Line 52: @@
 server  roaming0.govroam.uk {
         host 212.219.190.139
         type udp
-        secret XXXX            ## Change this to the supplied RADIUS secret.
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
         RewriteOut OutboundFilter
-        statusServer minimal   #This checks that status of the adjacent servers.
+#This checks that status of the adjacent servers.
+        statusServer minimal
 }
@@ Line 60: / Line 64: @@
         host 212.219.209.43
         type udp
-        secret XXXX            ## Change this to the supplied RADIUS secret.
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
         RewriteOut OutboundFilter
-        statusServer minimal   #This checks that status of the adjacent servers.
+#This checks that status of the adjacent servers.
+        statusServer minimal
 }
@@ Line 69: / Line 75: @@
         host 212.219.247.59
         type udp
-        secret XXXX            ## Change this to the supplied RADIUS secret.
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
         RewriteOut OutboundFilter
-        statusServer minimal   #This checks that status of the adjacent servers.
+#This checks that status of the adjacent servers.
+        statusServer minimal
 }
@@ Line 78: / Line 86: @@
         host 195.194.21.203
         type udp
-        secret XXXX            ## Change this to the supplied RADIUS secret.
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
         RewriteOut OutboundFilter
-        statusServer minimal   #This checks that status of the adjacent servers.
+#This checks that status of the adjacent servers.
+        statusServer minimal
 }
@@ Line 98: / Line 108: @@
         host 212.219.190.139
         type udp
-        secret XXXX            ## Change this to the supplied RADIUS secret.
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
 }
@@ Line 104: / Line 115: @@
         host 212.219.209.43
         type udp
-        secret XXXX            ## Change this to the supplied RADIUS secret.
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
 }
@@ Line 110: / Line 123: @@
         host 212.219.247.59
         type udp
-        secret XXXX            ## Change this to the supplied RADIUS secret.
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
 }
@@ Line 116: / Line 131: @@
         host 195.194.21.203
         type udp
-        secret XXXX            ## Change this to the supplied RADIUS secret.
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
 }
@@ Line 125: / Line 142: @@
         type udp
         secret XXXX
         fticksVISCOUNTRY GB
-        fticksVISINST 1home.site        # Adding information to the logs about this client.
+# Change 'home.site' to your realm
+        fticksVISINST 1home.site
 }
@@ Line 141: / Line 159: @@
 }
-realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn) {
+realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn)/ {
     replymessage "Misconfigured client: govroam realm not permitted"
 }
-realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$ {
+realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$/ {
     replymessage "Misconfigured client: govroam realm invalid (typo?)"
 }
-realm /@\. {
+realm /@\./ {
     replymessage "Misconfigured client: govroam realm invalid (leading '.')"
 }
-realm /@[^\.]+$ {
+realm /@[^\.]+$/ {
     replymessage "Misconfigured client: govroam realm invalid (incomplete)"
 }
 ### Check it's a syntactically correct realm and proxy if ok
-realm /@[0-9a-zA-Z\.]+\.[0-9a-zA-Z\.]+$ {
+realm /@[0-9a-zA-Z\.]+\.[0-9a-zA-Z\.]+$/ {
     server roaming0.govroam.uk
     server roaming1.govroam.uk
@@ Line 168: / Line 186: @@
 realm * {
     replymessage "Misconfigured client: govroam realm invalid (syntax error)"
 }
+</code>
+For older versions of RadSecProxy (e.g. on Debian)
+<code>
+# Some basic logging
+LogLevel 3
+LogDestination         x-syslog:///LOG_DAEMON
+# Prevents RADIUS servers from causing a loop by sending requests back again.
+LoopPrevention         On
+# FTICKS is a standardised way of logging authentication attempts.
+FTicksSyslogFacility LOG_LOCAL0
+FTicksReporting Full
+FTicksMAC VendorKeyHashed
+FTicksKey arandomsalt
+rewrite OutboundFilter {
+    # Operator-Name
+    RemoveAttribute 126
+    AddAttribute 126:'1home.site
+}
+# Upstream RADIUS proxy
+server  roaming0.govroam.uk {
+        host 212.219.190.139
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+        RewriteOut OutboundFilter
+#This checks that status of the adjacent servers.
+        statusServer on
+}
+# Upstream RADIUS proxy
+server  roaming1.govroam.uk {
+        host 212.219.209.43
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+        RewriteOut OutboundFilter
+#This checks that status of the adjacent servers.
+        statusServer on
+}
+# Upstream RADIUS proxy
+server  roaming2.govroam.uk {
+        host 212.219.247.59
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+        RewriteOut OutboundFilter
+#This checks that status of the adjacent servers.
+        statusServer on
+}
+# Upstream RADIUS proxy
+server  roaming3.govroam.uk {
+        host 195.194.21.203
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+        RewriteOut OutboundFilter
+#This checks that status of the adjacent servers.
+        statusServer on
+}
+# Local IdP which will do the authentication (Omit for Visited Only)
+# Configure to match the RADIUS server to which auth requests for your local realm will be sent.
+server  localidp1 {
+        host 10.10.10.21
+        type udp
+        secret XXXX
+        statusServer off
+}
+# RADIUS requests will also be received from the national proxies. (Omit for Visited Only)
+client  roaming0.govroam.uk {
+        host 212.219.190.139
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+}
+client  roaming1.govroam.uk {
+        host 212.219.209.43
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+}
+client  roaming2.govroam.uk {
+        host 212.219.247.59
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+}
+client  roaming3.govroam.uk {
+        host 195.194.21.203
+        type udp
+## Change XXXX to the supplied RADIUS secret.
+        secret XXXX
+}
+# Wireless system
+# Configure this to match the wireless controller/controllers from which the authentication requests are coming.
+client  nas {
+        host 10.10.10.10
+        type udp
+        secret XXXX
+        fticksVISCOUNTRY GB
+# Change 'home.site' to your realm
+        fticksVISINST 1home.site
+}
+#Known local realm (Omit for Visited Only)
+#Configure 'localnet' to be the name of the realm for your site and 'localidp1' to be the IDP mentioned above
+realm localnet {
+        server localidp1
+}
+### Catch a load of common misconfigurations
+realm /^$/ {
+    replymessage "Misconfigured client: empty realm!"
+}
+realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail).com|(.*\.)?3gppnetworks?.org|yahoo.cn)/ {
+    replymessage "Misconfigured client: govroam realm not permitted"
+}
+realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$/ {
+    replymessage "Misconfigured client: govroam realm invalid (typo?)"
+}
+realm /@\./ {
+    replymessage "Misconfigured client: govroam realm invalid (leading '.')"
+}
+realm /@[^\.]+$/ {
+    replymessage "Misconfigured client: govroam realm invalid (incomplete)"
+}
+### Check it's a syntactically correct realm and proxy if ok
+realm /@[0-9a-zA-Z\.]+\.[0-9a-zA-Z\.]+$/ {
+    server roaming0.govroam.uk
+    server roaming1.govroam.uk
+    server roaming2.govroam.uk
+    server roaming3.govroam.uk
+}
+### Otherwise reject it
+realm * {
+    replymessage "Misconfigured client: govroam realm invalid (syntax error)"
+}
 </code>