...
Most of the radsecproxy configuration file is static. Therefore, a template configuration file is provided at http://www.eduroam.org/downloads/docs/eduroam-cookbook-scripts.zip. A detailed explanation of this configuration file follows. However, the comments included in the file should make its action almost self- explanatory. This means you can start and experiment with it right after installation.
Base configuration / logging / F-Ticks
This walk-through goes through the template radsecproxy.conf line by line and explains the meaning of each stanza.
...
| Code Block |
|---|
client __SP_IP_ADDR__ {
type udp
secret __SP_SECRET__
FTicksVISCOUNTRY AQXZ # will generate F-Ticks for a non-existant "visited country = Antarctica"
}
|
Stanzas like this one are used for each connected service provider that is connected via RADIUS. You need to know the IP address of every SP's RADIUS server and negotiate a shared secret with the SP
...
| Code Block |
|---|
realm /myabc\.com$/ {
replymessage "Misconfigured client: default realm of Intel PRO/Wireless supplicant! Rejected by <TLD>."
accountingresponse on
}
realm /@.*3gppnetwork\.org$/ {
replymessage "Misconfigured client: Unsupported 3G EAP-SIM client!"
accountingresponse on
}
realm /^$/ {
replymessage "Misconfigured client: empty realm! Rejected by <TLD>."
accountingresponse on
}
|
...
Finally, all realms that do not belong to the own federation are forwarded to the European eduroam Confederation root servers. However, we limit this to 'sane' realms: these must include a tld of at least 2 characters. Anything else is dropped.
| Code Block |
|---|
realm * /@.+\..{2,}$/ { server etlr1.eduroam.org server etlr2.eduroam.org } realm * { replymessage "Misconfigured client: username does not contain a valid realm!" } |
Goodies
This section contains some optional configuration parameters that can do good in many cases.
...