...
Most of the radsecproxy configuration file is static. Therefore, a template configuration file is provided at http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip. A detailed explanation of this configuration file follows, but if you are unwilling to read it all, the comments should make the configuration file almost self-explanatory and you can start and experiment with it right after the initial installation, which is explained below.
Detailed explanation of configuration
This section goes through the template radsecproxy.conf line by line and explains the meaning of each stanza.
| Code Block |
|---|
ListenUDP localhost:11812 ListenTCP *:2083 |
...
There are some known client-side misconfigurations. If they were not already caught by the local RADIUS
server, it does not make sense for the proxy to send these requests up to the eduroam infrastructure. These
requests are immediately rejected.
Note: if you need to blacklist an existing realm for some reason, you can follow the myabc.com example,
copying and replacing it with the realm to be blacklisted.
| Code Block |
|---|
realm /myabc\.com$/ {
replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant!"
}
realm /^$/ {
replymessage "Misconfigured client: empty realm!"
}
|
Requests that are coming in from upstream and are supposed to be handled by the own RADIUS server are
listed in _OWN_REALM_. Create multiples of these stanzas if your local server serves more than one realm.
| Code Block |
|---|
realm /_OWN_REALM_$/ {
server localhost
}
|
The configuration stanza above will terminate all requests that end in _OWN_REALM_ but which were not caught by previous realm definitions, which prevents a possible loop. This is achieved by having the client name = localhost and the server name = localhost, and LoopPrevention enabled, which checks for this condition.
...