Advanced ORPS RADSECProxy Configuration
This should be representative of the configuration used in production. It contains the appropriate logging and filtering.
For RadSecProxy 1.8.0 and above:
# Some basic logging
# Daemon log lines go to syslog (facility LOG_DAEMON) at level 3.
LogLevel 3
LogDestination x-syslog:///LOG_DAEMON
# Prevents RADIUS servers from causing a loop by sending requests back again.
LoopPrevention On
# FTICKS is a standardised way of logging authentication attempts.
# F-Ticks records use their own facility (LOG_LOCAL0) so syslog can route them
# separately from the daemon log above.
FTicksSyslogFacility LOG_LOCAL0
FTicksReporting Full
# Client MAC addresses in F-Ticks are hashed together with FTicksKey rather
# than logged in clear.
FTicksMAC VendorKeyHashed
# Replace 'arandomsalt' with a long, site-specific random value and keep it
# private; with the published example value the hashing presumably offers
# little protection for the logged MACs.
FTicksKey arandomsalt
# Attribute rewrite applied to requests forwarded upstream; referenced by
# 'RewriteOut OutboundFilter' in the roaming*.govroam.uk server stanzas.
rewrite OutboundFilter {
# Operator-Name
# Drop any Operator-Name the NAS may already have set, then add our own.
RemoveAttribute 126
# Namespace '1' followed by this site's domain. Change 'home.site' to your realm.
# NOTE(review): confirm the leading apostrophe is not taken as part of the
# attribute value - radsecproxy's own examples use the form 126:1example.com.
AddAttribute 126:'1home.site
# With whitelist mode on, only the attributes listed below are forwarded;
# anything else in the request (e.g. NAS addressing or vendor-specific
# attributes) is removed before it leaves the site.
WhitelistMode on
# User-Name
WhitelistAttribute 1
# EAP-Message
WhitelistAttribute 79
# Message-Authenticator
WhitelistAttribute 80
# State
WhitelistAttribute 24
# Proxy-State
WhitelistAttribute 33
# Operator-Name
WhitelistAttribute 126
# Class
WhitelistAttribute 25
# Calling-Station-Id
WhitelistAttribute 31
# Called-Station-Id
WhitelistAttribute 30
# Chargeable-User-Identity
WhitelistAttribute 89
}
# Upstream RADIUS proxy
# First of the four national govroam proxies; non-local realms are sent to
# these servers by the syntax-check realm stanza near the end of the file.
server roaming0.govroam.uk {
host 212.219.190.139
# Plain RADIUS over UDP (no TLS).
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Apply the attribute whitelist defined above before forwarding.
RewriteOut OutboundFilter
# This checks the status of the adjacent servers (Status-Server probes).
statusServer minimal
}
# Upstream RADIUS proxy
# Second national govroam proxy; same settings as roaming0.
server roaming1.govroam.uk {
host 212.219.209.43
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Apply the attribute whitelist defined above before forwarding.
RewriteOut OutboundFilter
# This checks the status of the adjacent servers (Status-Server probes).
statusServer minimal
}
# Upstream RADIUS proxy
# Third national govroam proxy; same settings as roaming0.
server roaming2.govroam.uk {
host 212.219.247.59
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Apply the attribute whitelist defined above before forwarding.
RewriteOut OutboundFilter
# This checks the status of the adjacent servers (Status-Server probes).
statusServer minimal
}
# Upstream RADIUS proxy
# Fourth national govroam proxy; same settings as roaming0.
server roaming3.govroam.uk {
host 195.194.21.203
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Apply the attribute whitelist defined above before forwarding.
RewriteOut OutboundFilter
# This checks the status of the adjacent servers (Status-Server probes).
statusServer minimal
}
# Local IdP which will do the authentication (Omit for Visited Only)
# Configure to match the RADIUS server to which auth requests for your local realm will be sent.
# Unlike the upstream servers, no RewriteOut is applied here, so the local IdP
# receives the request as the NAS sent it.
server localidp1 {
host 10.10.10.21
type udp
# Change XXXX to the secret configured on the local IdP for this proxy.
secret XXXX
statusServer auto
}
# RADIUS requests will also be received from the national proxies. (Omit for Visited Only)
# These client stanzas accept requests for your own realm arriving from the
# national proxies (i.e. your users authenticating at other sites). The host
# is the same address as the matching server stanza above.
client roaming0.govroam.uk {
host 212.219.190.139
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound peer for the second national proxy (see roaming0 above).
client roaming1.govroam.uk {
host 212.219.209.43
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound peer for the third national proxy (see roaming0 above).
client roaming2.govroam.uk {
host 212.219.247.59
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound peer for the fourth national proxy (see roaming0 above).
client roaming3.govroam.uk {
host 195.194.21.203
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Wireless system
# Configure this to match the wireless controller/controllers from which the authentication requests are coming.
# Only requests from this host (and the correct secret) are accepted. With
# several controllers, add one client stanza per controller.
# NOTE(review): radsecproxy versions that accept a prefix in 'host'
# (a.b.c.d/len) could cover a controller subnet instead - confirm for your version.
client nas {
host 10.10.10.10
type udp
# Change XXXX to the secret configured on the controller.
secret XXXX
# Visited-site information recorded in each F-Ticks line.
fticksVISCOUNTRY GB
# Change 'home.site' to your realm
fticksVISINST 1home.site
}
#Known local realm (Omit for Visited Only)
#Configure 'localnet' to be the name of the realm for your site and 'localidp1' to be the IDP mentioned above
# Realm stanzas are tried in configuration order and the first match wins, so
# the local realm must stay above the catch-all rules that follow.
realm localnet {
server localidp1
}
### Catch a load of common misconfigurations
# The regex realms below are matched against the whole User-Name (hence the
# leading '@' in most of them). Each one answers with a reject carrying the
# given Reply-Message instead of proxying the request.
# No '@' at all: the supplicant sent a bare username.
realm /^$/ {
replymessage "Misconfigured client: empty realm!"
}
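# Well-known consumer and mobile-operator domains that are not govroam realms.
# The dots are escaped so each entry matches the literal domain; unescaped, '.'
# matches any character (e.g. 'gmailXcom' would also have been caught).
realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail)\.com|(.*\.)?3gppnetworks?\.org|yahoo\.cn)/ {
replymessage "Misconfigured client: govroam realm not permitted"
}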
# Common typos: mistyped suffixes such as 'ax.uk', 'sc.uk', 'ac.edu', a
# truncated 'ac.u', the '.local' pseudo-TLD, or a bare '@ac.uk' with no
# institution in front of it.
realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$/ {
replymessage "Misconfigured client: govroam realm invalid (typo?)"
}
# Realm starting with a dot, e.g. 'user@.example.gov.uk'.
realm /@\./ {
replymessage "Misconfigured client: govroam realm invalid (leading '.')"
}
# Single-label realm with no dot after the '@', e.g. 'user@council'.
realm /@[^\.]+$/ {
replymessage "Misconfigured client: govroam realm invalid (incomplete)"
}
### Check it's a syntactically correct realm and proxy if ok
# Anything that survived the checks above and looks like 'label.label' is
# forwarded to the national proxies listed here.
# NOTE(review): the character classes allow only letters, digits and dots, so
# a realm containing a hyphen (e.g. 'north-somewhere.gov.uk') falls through to
# the reject rule below - confirm that is intended.
realm /@[0-9a-zA-Z\.]+\.[0-9a-zA-Z\.]+$/ {
server roaming0.govroam.uk
server roaming1.govroam.uk
server roaming2.govroam.uk
server roaming3.govroam.uk
}
### Otherwise reject it
# Default rule: must remain last, since realms are matched in config order.
realm * {
replymessage "Misconfigured client: govroam realm invalid (syntax error)"
}
For older versions of RadSecProxy (e.g. on Debian):
# Some basic logging
# Daemon log lines go to syslog (facility LOG_DAEMON) at level 3.
LogLevel 3
LogDestination x-syslog:///LOG_DAEMON
# Prevents RADIUS servers from causing a loop by sending requests back again.
LoopPrevention On
# FTICKS is a standardised way of logging authentication attempts.
# F-Ticks records use their own facility (LOG_LOCAL0) so syslog can route them
# separately from the daemon log above.
FTicksSyslogFacility LOG_LOCAL0
FTicksReporting Full
# Client MAC addresses in F-Ticks are hashed together with FTicksKey rather
# than logged in clear.
FTicksMAC VendorKeyHashed
# Replace 'arandomsalt' with a long, site-specific random value and keep it
# private; with the published example value the hashing presumably offers
# little protection for the logged MACs.
FTicksKey arandomsalt
# Attribute rewrite applied to requests forwarded upstream; referenced by
# 'RewriteOut OutboundFilter' in the roaming*.govroam.uk server stanzas.
# This older-version variant only sets Operator-Name; presumably the
# WhitelistMode/WhitelistAttribute filtering used in the 1.8.0+ configuration
# is not available here, so all other request attributes are forwarded as-is.
rewrite OutboundFilter {
# Operator-Name
# Drop any Operator-Name the NAS may already have set, then add our own.
RemoveAttribute 126
# Namespace '1' followed by this site's domain. Change 'home.site' to your realm.
# NOTE(review): confirm the leading apostrophe is not taken as part of the
# attribute value - radsecproxy's own examples use the form 126:1example.com.
AddAttribute 126:'1home.site
}
# Upstream RADIUS proxy
# First of the four national govroam proxies; non-local realms are sent to
# these servers by the syntax-check realm stanza near the end of the file.
server roaming0.govroam.uk {
host 212.219.190.139
# Plain RADIUS over UDP (no TLS).
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Apply the Operator-Name rewrite defined above before forwarding.
RewriteOut OutboundFilter
# This checks the status of the adjacent servers (Status-Server probes).
statusServer minimal
}
# Upstream RADIUS proxy
# Second national govroam proxy; same settings as roaming0.
server roaming1.govroam.uk {
host 212.219.209.43
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Apply the Operator-Name rewrite defined above before forwarding.
RewriteOut OutboundFilter
# This checks the status of the adjacent servers (Status-Server probes).
statusServer minimal
}
# Upstream RADIUS proxy
# Third national govroam proxy; same settings as roaming0.
server roaming2.govroam.uk {
host 212.219.247.59
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Apply the Operator-Name rewrite defined above before forwarding.
RewriteOut OutboundFilter
# This checks the status of the adjacent servers (Status-Server probes).
statusServer minimal
}
# Upstream RADIUS proxy
# Fourth national govroam proxy; same settings as roaming0.
server roaming3.govroam.uk {
host 195.194.21.203
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
# Apply the Operator-Name rewrite defined above before forwarding.
RewriteOut OutboundFilter
# This checks the status of the adjacent servers (Status-Server probes).
statusServer minimal
}
# Local IdP which will do the authentication (Omit for Visited Only)
# Configure to match the RADIUS server to which auth requests for your local realm will be sent.
# Unlike the upstream servers, no RewriteOut is applied here, so the local IdP
# receives the request as the NAS sent it.
server localidp1 {
host 10.10.10.21
type udp
# Change XXXX to the secret configured on the local IdP for this proxy.
secret XXXX
statusServer auto
}
# RADIUS requests will also be received from the national proxies. (Omit for Visited Only)
# These client stanzas accept requests for your own realm arriving from the
# national proxies (i.e. your users authenticating at other sites). The host
# is the same address as the matching server stanza above.
client roaming0.govroam.uk {
host 212.219.190.139
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound peer for the second national proxy (see roaming0 above).
client roaming1.govroam.uk {
host 212.219.209.43
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound peer for the third national proxy (see roaming0 above).
client roaming2.govroam.uk {
host 212.219.247.59
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Inbound peer for the fourth national proxy (see roaming0 above).
client roaming3.govroam.uk {
host 195.194.21.203
type udp
## Change XXXX to the supplied RADIUS secret.
secret XXXX
}
# Wireless system
# Configure this to match the wireless controller/controllers from which the authentication requests are coming.
# Only requests from this host (and the correct secret) are accepted. With
# several controllers, add one client stanza per controller.
# NOTE(review): radsecproxy versions that accept a prefix in 'host'
# (a.b.c.d/len) could cover a controller subnet instead - confirm for your version.
client nas {
host 10.10.10.10
type udp
# Change XXXX to the secret configured on the controller.
secret XXXX
# Visited-site information recorded in each F-Ticks line.
fticksVISCOUNTRY GB
# Change 'home.site' to your realm
fticksVISINST 1home.site
}
#Known local realm (Omit for Visited Only)
#Configure 'localnet' to be the name of the realm for your site and 'localidp1' to be the IDP mentioned above
# Realm stanzas are tried in configuration order and the first match wins, so
# the local realm must stay above the catch-all rules that follow.
realm localnet {
server localidp1
}
### Catch a load of common misconfigurations
# The regex realms below are matched against the whole User-Name (hence the
# leading '@' in most of them). Each one answers with a reject carrying the
# given Reply-Message instead of proxying the request.
# No '@' at all: the supplicant sent a bare username.
realm /^$/ {
replymessage "Misconfigured client: empty realm!"
}
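# Well-known consumer and mobile-operator domains that are not govroam realms.
# The dots are escaped so each entry matches the literal domain; unescaped, '.'
# matches any character (e.g. 'gmailXcom' would also have been caught).
realm /@((myabc|gmail|googlemail|hotmail|live|outlook|yahoo|unimail)\.com|(.*\.)?3gppnetworks?\.org|yahoo\.cn)/ {
replymessage "Misconfigured client: govroam realm not permitted"
}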
# Common typos: mistyped suffixes such as 'ax.uk', 'sc.uk', 'ac.edu', a
# truncated 'ac.u', the '.local' pseudo-TLD, or a bare '@ac.uk' with no
# institution in front of it.
realm /@(.*\.(ax\.uk|ax\.edu|sc\.uk|ac\.edu|ac\.u|local)|ac\.uk)$/ {
replymessage "Misconfigured client: govroam realm invalid (typo?)"
}
# Realm starting with a dot, e.g. 'user@.example.gov.uk'.
realm /@\./ {
replymessage "Misconfigured client: govroam realm invalid (leading '.')"
}
# Single-label realm with no dot after the '@', e.g. 'user@council'.
realm /@[^\.]+$/ {
replymessage "Misconfigured client: govroam realm invalid (incomplete)"
}
### Check it's a syntactically correct realm and proxy if ok
# Anything that survived the checks above and looks like 'label.label' is
# forwarded to the national proxies listed here.
# NOTE(review): the character classes allow only letters, digits and dots, so
# a realm containing a hyphen (e.g. 'north-somewhere.gov.uk') falls through to
# the reject rule below - confirm that is intended.
realm /@[0-9a-zA-Z\.]+\.[0-9a-zA-Z\.]+$/ {
server roaming0.govroam.uk
server roaming1.govroam.uk
server roaming2.govroam.uk
server roaming3.govroam.uk
}
### Otherwise reject it
# Default rule: must remain last, since realms are matched in config order.
realm * {
replymessage "Misconfigured client: govroam realm invalid (syntax error)"
}
