[people/ms/strongswan.git] / conf / plugins / eap-radius.opt

charon.plugins.eap-radius.accounting = no
	Send RADIUS accounting information to RADIUS servers.

charon.plugins.eap-radius.accounting_close_on_timeout = yes
	Close the IKE_SA if there is a timeout during interim RADIUS accounting
	updates.

charon.plugins.eap-radius.accounting_requires_vip = no
	If enabled, accounting is disabled unless an IKE_SA has at least one
	virtual IP.

charon.plugins.eap-radius.class_group = no
	Use class attributes in RADIUS-Accept messages as group membership
	information.

	Use the _class_ attribute sent in the RADIUS-Accept message as group
	membership information that is compared to the groups specified in the
	**rightgroups** option in **ipsec.conf**(5).

charon.plugins.eap-radius.close_all_on_timeout = no
	Closes all IKE_SAs if communication with the RADIUS server times out. If it
	is not set only the current IKE_SA is closed.

charon.plugins.eap-radius.dae.enable = no
	Enables support for the Dynamic Authorization Extension (RFC 5176).

charon.plugins.eap-radius.dae.listen = 0.0.0.0
	Address to listen for DAE messages from the RADIUS server.

charon.plugins.eap-radius.dae.port = 3799
	Port to listen for DAE requests.

charon.plugins.eap-radius.dae.secret
	Shared secret used to verify/sign DAE messages. If set, make sure to adjust
	the permissions of the config file accordingly.

charon.plugins.eap-radius.eap_start = no
	Send EAP-Start instead of EAP-Identity to start RADIUS conversation.

charon.plugins.eap-radius.filter_id = no
	Use filter_id attribute as group membership information.

	If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
	the _filter_id_ attribute sent in the RADIUS-Accept message as group
	membership information that is compared to the groups specified in the
	**rightgroups** option in **ipsec.conf**(5).

charon.plugins.eap-radius.forward.ike_to_radius
	RADIUS attributes to be forwarded from IKEv2 to RADIUS.

	RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
	name or attribute number, a colon can be used to specify vendor-specific
	attributes, e.g. Reply-Message, or 11, or 36906:12).

charon.plugins.eap-radius.forward.radius_to_ike =
	Same as ike_to_radius but from RADIUS to IKEv2.

	Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
	IKEv2, a strongSwan specific private notify (40969) is used to transmit the
	attributes.

charon.plugins.eap-radius.id_prefix
	Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
	EAP method.

charon.plugins.eap-radius.nas_identifier = strongSwan
	NAS-Identifier to include in RADIUS messages.

charon.plugins.eap-radius.port = 1812
	Port of RADIUS server (authentication).

charon.plugins.eap-radius.secret =
	Shared secret between RADIUS and NAS. If set, make sure to adjust the
	permissions of the config file accordingly.

charon.plugins.eap-radius.server =
	IP/Hostname of RADIUS server.

charon.plugins.eap-radius.servers {}
	Section to specify multiple RADIUS servers.

	Section to specify multiple RADIUS servers. The **nas_identifier**,
	**secret**, **sockets** and **port** (or **auth_port**) options can be
	specified for each server. A server's IP/Hostname can be configured using
	the **address** option. The **acct_port** [1813] option can be used to
	specify the port used for RADIUS accounting. For each RADIUS server a
	priority can be specified using the **preference** [0] option.

charon.plugins.eap-radius.sockets = 1
	Number of sockets (ports) to use, increase for high load.

charon.plugins.eap-radius.xauth {}
	Section to configure multiple XAuth authentication rounds via RADIUS.

	Section to configure multiple XAuth authentication rounds via RADIUS.
	The subsections define so called authentication profiles with arbitrary
	names. In each profile section one or more XAuth types can be configured,
	with an assigned message. For each type a separate XAuth exchange will be
	initiated and all replies get concatenated into the User-Password attribute,
	which then gets verified over RADIUS.

	Available XAuth types are **password**, **passcode**, **nextpin**, and
	**answer**. This type is not relevant to strongSwan or the AAA server, but
	the client may show a different dialog (along with the configured message).

	To use the configured profiles, they have to be configured in the respective
	connection in **ipsec.conf**(5) by appending the profile name, separated by
	a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
	or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
Commit	Line	Data
828815b0 TB	1	charon.plugins.eap-radius.accounting = no
	2	Send RADIUS accounting information to RADIUS servers.
	3
00b91c43 TB	4	charon.plugins.eap-radius.accounting_close_on_timeout = yes
	5	Close the IKE_SA if there is a timeout during interim RADIUS accounting
	6	updates.
	7
828815b0 TB	8	charon.plugins.eap-radius.accounting_requires_vip = no
	9	If enabled, accounting is disabled unless an IKE_SA has at least one
	10	virtual IP.
	11
	12	charon.plugins.eap-radius.class_group = no
	13	Use class attributes in RADIUS-Accept messages as group membership
	14	information.
	15
	16	Use the _class_ attribute sent in the RADIUS-Accept message as group
	17	membership information that is compared to the groups specified in the
	18	rightgroups option in ipsec.conf(5).
	19
	20	charon.plugins.eap-radius.close_all_on_timeout = no
	21	Closes all IKE_SAs if communication with the RADIUS server times out. If it
	22	is not set only the current IKE_SA is closed.
	23
	24	charon.plugins.eap-radius.dae.enable = no
	25	Enables support for the Dynamic Authorization Extension (RFC 5176).
	26
	27	charon.plugins.eap-radius.dae.listen = 0.0.0.0
	28	Address to listen for DAE messages from the RADIUS server.
	29
	30	charon.plugins.eap-radius.dae.port = 3799
	31	Port to listen for DAE requests.
	32
	33	charon.plugins.eap-radius.dae.secret
efce4559 TB	34	Shared secret used to verify/sign DAE messages. If set, make sure to adjust
efce4559 TB	35	the permissions of the config file accordingly.
828815b0 TB	36
	37	charon.plugins.eap-radius.eap_start = no
	38	Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
	39
	40	charon.plugins.eap-radius.filter_id = no
	41	Use filter_id attribute as group membership information.
	42
	43	If the RADIUS _tunnel_type_ attribute with value ESP is received, use
	44	the _filter_id_ attribute sent in the RADIUS-Accept message as group
	45	membership information that is compared to the groups specified in the
	46	rightgroups option in ipsec.conf(5).
	47
	48	charon.plugins.eap-radius.forward.ike_to_radius
	49	RADIUS attributes to be forwarded from IKEv2 to RADIUS.
	50
	51	RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
	52	name or attribute number, a colon can be used to specify vendor-specific
	53	attributes, e.g. Reply-Message, or 11, or 36906:12).
	54
	55	charon.plugins.eap-radius.forward.radius_to_ike =
	56	Same as ike_to_radius but from RADIUS to IKEv2.
	57
	58	Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
	59	IKEv2, a strongSwan specific private notify (40969) is used to transmit the
	60	attributes.
	61
	62	charon.plugins.eap-radius.id_prefix
	63	Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
	64	EAP method.
	65
	66	charon.plugins.eap-radius.nas_identifier = strongSwan
	67	NAS-Identifier to include in RADIUS messages.
	68
	69	charon.plugins.eap-radius.port = 1812
	70	Port of RADIUS server (authentication).
	71
	72	charon.plugins.eap-radius.secret =
efce4559 TB	73	Shared secret between RADIUS and NAS. If set, make sure to adjust the
efce4559 TB	74	permissions of the config file accordingly.
828815b0 TB	75
	76	charon.plugins.eap-radius.server =
	77	IP/Hostname of RADIUS server.
	78
	79	charon.plugins.eap-radius.servers {}
	80	Section to specify multiple RADIUS servers.
	81
	82	Section to specify multiple RADIUS servers. The nas_identifier,
	83	secret, sockets and port (or auth_port) options can be
	84	specified for each server. A server's IP/Hostname can be configured using
	85	the address option. The acct_port [1813] option can be used to
	86	specify the port used for RADIUS accounting. For each RADIUS server a
	87	priority can be specified using the preference [0] option.
	88
	89	charon.plugins.eap-radius.sockets = 1
	90	Number of sockets (ports) to use, increase for high load.
	91
	92	charon.plugins.eap-radius.xauth {}
	93	Section to configure multiple XAuth authentication rounds via RADIUS.
	94
	95	Section to configure multiple XAuth authentication rounds via RADIUS.
	96	The subsections define so called authentication profiles with arbitrary
	97	names. In each profile section one or more XAuth types can be configured,
	98	with an assigned message. For each type a separate XAuth exchange will be
	99	initiated and all replies get concatenated into the User-Password attribute,
	100	which then gets verified over RADIUS.
	101
	102	Available XAuth types are password, passcode, nextpin, and
	103	answer. This type is not relevant to strongSwan or the AAA server, but
	104	the client may show a different dialog (along with the configured message).
	105
	106	To use the configured profiles, they have to be configured in the respective
	107	connection in ipsec.conf(5) by appending the profile name, separated by
	108	a colon, to the xauth-radius XAauth backend configuration in _rightauth_
	109	or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.