...
Most of the radsecproxy configuration file is static. Therefore, a template configuration file is provided at http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip. A detailed explanation of this configuration file follows; however, the comments included in the file should make its behaviour almost self-explanatory, so you can start experimenting with it right after installation.
Base configuration / logging / F-Ticks
This walk-through goes through the template radsecproxy.conf line by line and explains the meaning of each stanza.
...
client __SP_IP_ADDR__ {
    type udp
    secret __SP_SECRET__
    FTicksVISCOUNTRY AQXZ   # will generate F-Ticks for "a non-existent visited country = Antarctica"
}
A stanza like this one is needed for each service provider that is connected via RADIUS. You need to know the IP address of every SP's RADIUS server and negotiate a shared secret with the SP.
...
realm /myabc\.com$/ {
    replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by <TLD>."
    accountingresponse on
}
realm /@.*3gppnetwork\.org$/ {
    replymessage "Misconfigured client: Unsupported 3G EAP-SIM client!"
    accountingresponse on
}
realm /^$/ {
    replymessage "Misconfigured client: empty realm! Rejected by <TLD>."
    accountingresponse on
}
...
realm /IDP_REALM$/ {
    server __FROM_SERVER_STANZAS_ABOVE__
    server __BACKUP_NAME__
}
...
realm /eduroam\.YOUR_TLD/ {
    server SA3-monitoring-outgoing
}
...
realm /\.YOUR_TLD$/ {
    replymessage "Misconfigured supplicant or downstream server: uses known-bad realm in <TLD> federation!"
}
Finally, all realms that do not belong to your own federation are forwarded to the European eduroam Confederation root servers. However, this is limited to 'sane' realms: the realm must contain a TLD of at least two characters. Anything else is dropped with a reply message.
realm /@.+\..{2,}$/ {
    server etlr1.eduroam.org
    server etlr2.eduroam.org
}
realm * {
    replymessage "Misconfigured client: username does not contain a valid realm!"
}
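The realm blocks above only work as intended because radsecproxy tries them in the order they are written and uses the first match, with each /.../ pattern applied to the whole User-Name attribute. The following script is an added example (not part of the cookbook template or of radsecproxy) that replays that first-match evaluation over the template's patterns against a handful of constructed usernames, so you can see which block a given User-Name lands in before it reaches a live proxy. It assumes a constructed federation TLD `xy` and a constructed IdP realm `idp.xy` in place of the template's YOUR_TLD and IDP_REALM placeholders.

```python
import re

# Constructed placeholders standing in for the template's YOUR_TLD and
# IDP_REALM tokens; these are not real eduroam values.
FED_TLD = "xy"
IDP_REALM = r"idp\." + FED_TLD

# Same order as the template: radsecproxy uses the first matching realm
# block, so the position of each row is part of the policy.
REALM_TABLE = [
    (r"myabc\.com$",                  "reject: Intel PRO/Wireless default realm"),
    (r"@.*3gppnetwork\.org$",         "reject: 3G EAP-SIM client"),
    (r"^$",                           "reject: empty realm"),
    (IDP_REALM + r"$",                "forward: local IdP servers"),
    (r"eduroam\." + FED_TLD,          "forward: SA3-monitoring-outgoing"),
    (r"\." + FED_TLD + r"$",          "reject: known-bad realm in federation"),
    (r"@.+\..{2,}$",                  "forward: etlr1/etlr2.eduroam.org"),
    (r"",                             "reject: no valid realm"),  # 'realm *' catch-all
]


def compile_table(rows):
    """Compile an ordered list of (regexp, action) rows; order is preserved."""
    return [(re.compile(pattern), action) for pattern, action in rows]


DEFAULT_TABLE = compile_table(REALM_TABLE)


def route(user_name, table=None):
    """Return the action of the first realm block whose regexp matches user_name.

    The regexps are searched (not fully anchored) against the whole User-Name,
    mirroring how radsecproxy evaluates /.../ realm patterns.
    """
    for pattern, action in table or DEFAULT_TABLE:
        if pattern.search(user_name):
            return action
    raise AssertionError("unreachable: the catch-all realm matches everything")


if __name__ == "__main__":
    # Constructed sample User-Names covering every block of the template.
    samples = [
        "user@myabc.com",                                    # Intel default realm
        "123456789012345@wlan.mnc001.mcc234.3gppnetwork.org",  # EAP-SIM client
        "",                                                  # empty User-Name
        "alice@idp.xy",                                      # own IdP
        "probe@eduroam.xy",                                  # monitoring probe
        "bob@typo.xy",                                       # bad realm inside federation
        "carol@uni.de",                                      # foreign realm -> ETLRs
        "dave",                                              # no realm at all
        "erin@localhost",                                    # realm without a TLD
    ]
    for name in samples:
        print(f"{name!r:55} -> {route(name)}")

    # Swapping the monitoring block and the federation catch-all shows why
    # the template's order matters: the probe would now be rejected.
    swapped = compile_table(REALM_TABLE[:4] + [REALM_TABLE[5], REALM_TABLE[4]] + REALM_TABLE[6:])
    print("with blocks swapped:", route("probe@eduroam.xy", swapped))
```

Run it as a plain script to print the routing decision for each sample. The swapped-order case at the end is the one to keep in mind when editing the template: any new federation-wide block placed before the `eduroam\.YOUR_TLD` block silently steals the monitoring traffic.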
Goodies
This section contains some optional configuration parameters that are useful in many deployments.
...