authorvenaas <venaas>2008-10-07 11:41:10 +0000
committervenaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf>2008-10-07 11:41:10 +0000
commit045e082e8c642cf3bbefe6777005b3481ca0fad9 (patch)
tree1bdc9928d09a7ce1566d9e2352b0abc8dfd60715
parent47cef5d953596d1d00b0c3735e093e0003273435 (diff)
updates to readme/changelog etc
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@424 e88ac4ed-0b26-0410-9574-a7f39faa03bf
-rw-r--r--ChangeLog35
-rw-r--r--README4
-rw-r--r--radsecproxy.conf-example44
3 files changed, 71 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index b86d464..6693042 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,12 +15,35 @@
matchCertificateAttribute now also supports CN matching
Forwarding of accounting messages, accountingServer option for realms
Supports multiple client blocks for same source address with different
- certificate checks
+ certificate checks
Removed weekday from log timestamps
2008-07-24 1.1
- Logging stationid attribute
- Added LoopPrevention option
- Failover also without status-server
- Options for RetryCount and RetryInterval
- Working accounting and AccountingResponse option
+ Logging stationid attribute
+ Added LoopPrevention option
+ Failover also without status-server
+ Options for RetryCount and RetryInterval
+ Working accounting and AccountingResponse option
CRL checking and option for enabling it
+2008-10-07 1.2
+ listenTCP and sourceTCP options renamed to listenTLS and sourceTLS
+ Old options deprecated but available for backwards compatiblity
+ Logging reply-message attribute from Reject messages
+ Contribution from Arne Schwabe
+ Rewrite blocks have new options addAttribute and modifyAttribute
+ rewriteIn (replacing rewrite) and rewriteOut in client and server
+ blocks for specifying rewrite on input/output. rewrite deprecated
+ but available as an alias for rewriteIn for backwards compatibility.
+ rewritein rewriteout rewrite
+ regular expressions in realms etc can now be more advanced, including
+ use of "or".
+ cacheExpiry option in tls blocks for specifying expiry time for the
+ cache of CA certificates and CRLs. This is particularly useful for
+ regularly updating CRLs.
+ Some logging has been made more informative
+
+Additional features in devel-20081006
+ Support for TCP and DTLS transports (type tcp, type dtls)
+ Listen... options can be specified multiple times
+ Dynamic server discovery
+ DuplicateInterval option in client block for specifying for how
+ long a request/reply shall be stored for duplicate detection
diff --git a/README b/README
index 8b8ae78..ec10e18 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-This is a revision from the radsecproxy 1.2 devel branch.
+This is a revision from the radsecproxy 2.0 devel branch.
radsecproxy is a generic RADIUS proxy that can support various
RADIUS clients over UDP or TLS (RadSec).
@@ -37,4 +37,4 @@ let me know if you feel left out.
For more information, feedback etc. please see the information
at http://software.uninett.no/radsecproxy/
-Stig Venaas <venaas@uninett.no> -- 2008.05.14
+Stig Venaas <venaas@uninett.no> -- 2008.10.07
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index f88bfad..fdae1dd 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -7,14 +7,18 @@
# Max one of each, below are just multiple examples
#ListenUDP *:1814
#listenUDP localhost
-#listenTCP 10.10.10.10:2084
-#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:2084
+#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812
+#listenTLS 10.10.10.10:2084
+#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
+#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
# To listen to the default or other Accounting port for UDP you need e.g.
#ListenAccountingUDP *:1813
# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP 127.0.0.1:33000
-#SourceTCP *:33001
+#SourceTCP *:33000
+#SourceTLS *:33001
+#SourceDTLS *:33001
# Optional log level. 3 is default, 1 is less, 4 is more
#LogLevel 3
#Optional LogDestinatinon, else stderr used for logging
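Review bot: The two context comments around the new listen/source examples no longer match the options under them. `# Max one of each` now sits above four transports, while the ChangeLog in this same commit says Listen... options can be specified multiple times in the devel snapshot. `# To specify a certain address/port for UDP/TLS requests` now also introduces SourceTCP and SourceDTLS, so I would reword it to `# To specify a certain source address/port for UDP/TCP/TLS/DTLS requests you can use e.g.`. Because listenTCP used to be the name of the TLS listener, the `#ListenTCP ...:1812` example should presumably carry a line such as `# ListenTCP is RADIUS over plain TCP (no TLS); use ListenTLS for RadSec`, so an old config is not read the wrong way.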
@@ -51,6 +55,8 @@ tls default {
CertificateKeyPassword "follow the white rabbit"
# Optionally enable CRL checking
# CRLCheck on
+ # Optionally specify how long CAs and CRLs are cached, default forever
+ # CacheExpiry 3600
}
#If you want one cert for all clients and another for all servers, use
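Review bot: The new `CacheExpiry` comment gives no unit for `3600` and does not say what "default forever" implies for the `CRLCheck on` option directly above it. If the cache never expires by default, a CRL published after startup would presumably not be picked up until the proxy is restarted, which is worth stating where CRL checking is offered. Suggested wording: `# Optionally specify how long (seconds) CAs and CRLs are cached; default is forever, so set this with CRLCheck on to pick up new revocations`. The unit is inferred from the example value and should be confirmed against the man page; the tls block opens above this hunk.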
@@ -72,6 +78,14 @@ tls default {
#To treat local users separately you might try first specifying "@"
#and after that "*".
+# Configure a rewrite block if you want to add/remove/modify attributes
+# rewrite example {
+# removeAttribute 5
+# removeVendorAttribute 99:100
+# addAttribute 4 attribute%20value
+# modifyAttribute 1:/^(.*)@local$/$1@example.com/
+# }
+
client 2001:db8::1 {
type tls
secret verysecret
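Review bot: The rewrite example uses bare attribute numbers with no hint of what they select, and `addAttribute 4 attribute%20value` pairs a text value with attribute 4, which RFC 2865 defines as NAS-IP-Address (a four-octet address). Someone copying the line may emit an attribute that downstream servers reject or misparse, so a text-typed attribute would make a safer sample. I would annotate the lines, e.g. `# modifyAttribute 1:/^(.*)@local$/$1@example.com/   (1 = User-Name)` and `# %20 encodes a space in the value`. Since the modifyAttribute line rewrites the user identity seen by the next hop, the block comment could also say that it only takes effect where a client or server references it with rewriteIn/rewriteOut.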
@@ -84,15 +98,31 @@ client 2001:db8::1 {
client 127.0.0.1 {
type udp
secret secret
+# Might do rewriting of incoming messages using rewrite block example
+# rewriteIn example
+# Can also do rewriting of outgoing messages
+# rewriteOut example
+}
+client 127.0.0.1 {
+ type tcp
+ secret secret
}
client radius.example.com {
- type TLS
+ type tls
# secret is optional for TLS
}
+client radius.example.com {
+ type dtls
+# secret is optional for DTLS
+}
server 127.0.0.1 {
type UDP
secret secret
+# Might do rewriting of incoming messages using rewrite block example
+# rewriteIn example
+# Can also do rewriting of outgoing messages
+# rewriteOut example
}
realm eduroam.cc {
server 127.0.0.1
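Review bot: The added `client 127.0.0.1` block with `type tcp` and `secret secret` does not say that, without TLS or DTLS, the shared secret is the only protection for that client, unlike the tls and dtls blocks below it where the comments call the secret optional. A comment inside the block such as `# type tcp is RADIUS over plain TCP (no TLS); replace with a long random secret` would keep the placeholder from being copied as is. The sample now also has two client blocks for 127.0.0.1 and two for radius.example.com that differ only in type, so a one-line comment on how the proxy chooses between them would help. As a style point, this hunk lowercases `type tls` while `server 127.0.0.1` keeps `type UDP`; one spelling throughout the example reads better.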
@@ -116,6 +146,12 @@ server radius.example.com {
StatusServer on
# statusserver is optional, can be on or off. Off is default
}
+#server radius.example.com {
+# type dtls
+# secret verysecret
+# StatusServer on
+## statusserver is optional, can be on or off. Off is default
+#}
# Equivalent to example.com
realm /@example\.com$ {