charon.plugins.eap-radius.accounting = no
    Send RADIUS accounting information to RADIUS servers.

charon.plugins.eap-radius.accounting_close_on_timeout = yes
    Close the IKE_SA if there is a timeout during interim RADIUS accounting
    updates.

charon.plugins.eap-radius.accounting_requires_vip = no
    If enabled, accounting is disabled unless an IKE_SA has at least one
    virtual IP.

charon.plugins.eap-radius.class_group = no
    Use class attributes in RADIUS-Accept messages as group membership
    information.

    Use the _class_ attribute sent in the RADIUS-Accept message as group
    membership information that is compared to the groups specified in the
    **rightgroups** option in **ipsec.conf**(5).

charon.plugins.eap-radius.close_all_on_timeout = no
    Closes all IKE_SAs if communication with the RADIUS server times out. If it
    is not set, only the current IKE_SA is closed.

charon.plugins.eap-radius.dae.enable = no
    Enables support for the Dynamic Authorization Extension (RFC 5176).

charon.plugins.eap-radius.dae.listen = 0.0.0.0
    Address on which to listen for DAE messages from the RADIUS server.

charon.plugins.eap-radius.dae.port = 3799
    Port on which to listen for DAE requests.

charon.plugins.eap-radius.dae.secret
    Shared secret used to verify/sign DAE messages. If set, make sure to adjust
    the permissions of the config file accordingly.

charon.plugins.eap-radius.eap_start = no
    Send EAP-Start instead of EAP-Identity to start the RADIUS conversation.

charon.plugins.eap-radius.filter_id = no
    Use the filter_id attribute as group membership information.

    If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
    the _filter_id_ attribute sent in the RADIUS-Accept message as group
    membership information that is compared to the groups specified in the
    **rightgroups** option in **ipsec.conf**(5).

charon.plugins.eap-radius.forward.ike_to_radius
    RADIUS attributes to be forwarded from IKEv2 to RADIUS.

    RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
    name or attribute number; a colon can be used to specify vendor-specific
    attributes, e.g. Reply-Message, or 11, or 36906:12).

charon.plugins.eap-radius.forward.radius_to_ike =
    Same as ike_to_radius but from RADIUS to IKEv2.

    Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
    IKEv2; a strongSwan-specific private notify (40969) is used to transmit the
    attributes.

charon.plugins.eap-radius.id_prefix
    Prefix to EAP-Identity; some AAA servers use an IMSI prefix to select the
    EAP method.

charon.plugins.eap-radius.nas_identifier = strongSwan
    NAS-Identifier to include in RADIUS messages.

charon.plugins.eap-radius.port = 1812
    Port of the RADIUS server (authentication).

charon.plugins.eap-radius.secret =
    Shared secret between RADIUS and NAS. If set, make sure to adjust the
    permissions of the config file accordingly.

charon.plugins.eap-radius.server =
    IP/Hostname of the RADIUS server.

charon.plugins.eap-radius.servers {}
    Section to specify multiple RADIUS servers.

    Section to specify multiple RADIUS servers. The **nas_identifier**,
    **secret**, **sockets** and **port** (or **auth_port**) options can be
    specified for each server. A server's IP/Hostname can be configured using
    the **address** option. The **acct_port** [1813] option can be used to
    specify the port used for RADIUS accounting. For each RADIUS server a
    priority can be specified using the **preference** [0] option.

charon.plugins.eap-radius.sockets = 1
    Number of sockets (ports) to use; increase for high load.

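A strongswan.conf fragment, added here as an illustration and not taken from the strongSwan sources, that applies the **servers** section above together with the global accounting, sockets and DAE options. The addresses (RFC 5737 documentation range) and the secrets are constructed placeholders; the **preference** values assume that the plugin prefers the server with the higher value while it is reachable.

```conf
# Added example: two RADIUS servers with per-server ports and secrets,
# accounting enabled, and DAE bound to one address instead of 0.0.0.0.
charon {
    plugins {
        eap-radius {
            nas_identifier = vpn-gw-01
            accounting = yes
            # tear down the IKE_SA if an interim accounting update times out
            accounting_close_on_timeout = yes
            # only the affected IKE_SA is closed on a server timeout
            close_all_on_timeout = no
            sockets = 4

            servers {
                primary {
                    # constructed documentation address
                    address = 192.0.2.10
                    # placeholder; the real value must only be readable by root
                    secret = REPLACE_WITH_PRIMARY_SECRET
                    auth_port = 1812
                    acct_port = 1813
                    # higher preference is tried first (assumption, see lead-in)
                    preference = 10
                }
                backup {
                    address = 192.0.2.11
                    secret = REPLACE_WITH_BACKUP_SECRET
                    preference = 0
                }
            }

            dae {
                enable = yes
                # listen only on the address facing the RADIUS servers
                listen = 192.0.2.1
                port = 3799
                # placeholder; DAE messages are verified against this secret
                secret = REPLACE_WITH_DAE_SECRET
            }
        }
    }
}
```

Because both **secret** values and **dae.secret** live in this file, restrict its permissions as the option descriptions above require.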
charon.plugins.eap-radius.xauth {}
    Section to configure multiple XAuth authentication rounds via RADIUS.

    Section to configure multiple XAuth authentication rounds via RADIUS.
    The subsections define so-called authentication profiles with arbitrary
    names. In each profile section one or more XAuth types can be configured,
    each with an assigned message. For each type a separate XAuth exchange is
    initiated, and all replies are concatenated into the User-Password
    attribute, which is then verified over RADIUS.

    Available XAuth types are **password**, **passcode**, **nextpin**, and
    **answer**. The type is not interpreted by strongSwan or the AAA server,
    but the client may show a different dialog (along with the configured
    message).

    To use the configured profiles, they have to be configured in the respective
    connection in **ipsec.conf**(5) by appending the profile name, separated by
    a colon, to the **xauth-radius** XAuth backend configuration in _rightauth_
    or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
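An **xauth** profile section, added here as an example rather than taken from the strongSwan sources, showing how the rounds described above are declared. The profile names (`two-factor`, `pin-change`), the prompt messages and the server address are constructed.

```conf
# Added example: two authentication profiles for XAuth over RADIUS.
charon {
    plugins {
        eap-radius {
            # constructed documentation address and placeholder secret
            server = 192.0.2.10
            secret = REPLACE_WITH_SECRET

            xauth {
                # Profile "two-factor": two XAuth rounds. The replies are
                # concatenated, password first, then passcode, into the
                # User-Password attribute that the RADIUS server verifies.
                two-factor {
                    password = Enter your account password
                    passcode = Enter the one-time code from your token
                }

                # Profile "pin-change": the nextpin type only changes the
                # dialog the client shows; strongSwan treats it like any
                # other round.
                pin-change {
                    password = Enter your current PIN
                    nextpin = Enter your new PIN
                }
            }
        }
    }
}
```

A connection selects a profile in **ipsec.conf**(5) with `rightauth2=xauth-radius:two-factor`; the RADIUS server must expect the concatenated value, e.g. password immediately followed by the token code.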