diff conf/opendiam.eap.testbed.aaa/opendiameter/nasd/config/nasd.xml @ 0:9e5a3c884de6

Initial import of the virtual testbed.
author Sebastien Decugis <sdecugis@nict.go.jp>
date Thu, 17 Jun 2010 11:00:32 +0900
parents
children
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/opendiam.eap.testbed.aaa/opendiameter/nasd/config/nasd.xml	Thu Jun 17 11:00:32 2010 +0900
@@ -0,0 +1,187 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE call_management SYSTEM "nasd.dtd">
+<call_management>
+
+    <!-- Thread count that should be started for
+         the open diameter framework -->
+    <thread_count>5</thread_count>
+
+    <!-- The nasd deamon supports the NAS model
+         described in RFC2881 -->
+
+    <!-- Call management section contains a list of
+        all the available access technology that
+        this deamon supports. Each access protocols
+        will have thier own specific configuration
+        entries. Currently supported access protocols
+        are:
+            1. PANA: call entry name is "pana"
+        Future access protocols to be supported are:
+            1. 802.1X: call entry name is "8021X"
+        -->
+    <access_protocols>
+
+        <access_entry>
+            <name>pana</name>
+            <enabled>true</enabled>
+            <pana>
+                <!-- protocol specific configuration entry -->
+                <cfg_file>/etc/opendiameter/nas/config/nasd_pana_paa.xml</cfg_file>
+                <ep_script>/etc/opendiameter/nas/scripts/script_pana_paa_ep.sh</ep_script>
+                <dhcp_bootstrap>true</dhcp_bootstrap>
+            </pana>
+        </access_entry>
+
+        <access_entry>
+            <name>eap_8021X</name>
+            <enabled>false</enabled>
+            <eap_8021X>
+            </eap_8021X>
+        </access_entry>
+
+    </access_protocols>
+
+    <!-- Call management section contains a list
+        of all available AAA technology supported
+        by this deamon. Each protocol has thier
+        own specific configuration information.
+        Currently supported access protocols 
+        are:
+            1. Standalone EAP auth: protocol name is
+                "standalone-eap". This is for localized 
+                authentication only and generally should 
+                not be used. This uses a pre-shared key 
+                for ALL eap access.
+            2. Diameter EAP: protocol name is "diameter-eap".
+                Uses diameter eap for backend authorization
+                and authentication. This is compliant with 
+                draft-ietf-aaa-eap-10.txt.
+        Future protocol support are:
+            1. RADIUS: Uses EAP radius 
+        -->
+    <aaa_protocols>
+        <aaa_entry>
+            <name>local_eap_auth</name>
+            <enabled>true</enabled>
+            <!-- protocol specific configuration entry -->             
+            <local_eap_auth>
+                <shared_secret_file>/etc/opendiameter/nas/config/nasd_eap_shared_secret.bin</shared_secret_file>
+                <identity>user1@isp.net</identity>
+            </local_eap_auth>
+        </aaa_entry>
+        <aaa_entry>
+            <name>diameter_eap</name>
+            <enabled>false</enabled>
+            <diameter_eap>
+                <!-- protocol specific configuration entry -->             
+                <diameter_cfg_file>/etc/opendiameter/nas/config/nasd_diameter_eap.xml</diameter_cfg_file>
+            </diameter_eap>
+        </aaa_entry>
+    </aaa_protocols>
+
+    <!-- Call management section contains a list
+        of policies that can be applied to a call.
+        A policy dictates whether the call should
+        continue or not. They can also be used to
+        perform specific functions. These policies 
+        are applied to each call attempt while
+        they perform very specific functions such 
+        as network filtering, auditing, qos ... etc. 
+        Currently supported policy are:
+            1. Scripts: policy name is "script".
+                This policy simply invokes a local
+                system script. This policy will
+                always allow the call to attempt
+                completion.
+        Future supported policy are:
+            1. Accounting
+            2. QoS
+            3. EP-filter
+    -->
+        
+    <access_policies>
+        <policy_entry>
+            <name>script</name>
+            <!-- policy specific configuration entry -->
+            <script>
+                <file>/etc/opendiameter/nas/scripts/script_policy</file>
+            </script>
+        </policy_entry>
+        <policy_entry>
+            <name>ep-filter</name>
+            <!-- policy specific configuration entry -->
+        </policy_entry>
+        <policy_entry>
+            <name>qos</name>
+            <!-- policy specific configuration entry -->
+        </policy_entry>
+        <policy_entry>
+            <name>accounting</name>
+            <!-- policy specific configuration entry -->
+        </policy_entry>
+        <policy_entry>
+            <name>bridging</name>
+            <!-- policy specific configuration entry -->
+        </policy_entry>
+    </access_policies>
+
+    <!-- Call management section also contains a
+        simple routing rule set. This routing rule
+        works as follows. Each call is identified an 
+        NAI (RFC2486). The route table lists a set
+        of NAI that may match the call's NAI. If a
+        match is made, the access policies is applied
+        to that call. If the access policy succeeds
+        then the call can proceed. If not the call
+        is dropped. The routing entry also specifies
+        the aaa protocol to be used if the call is
+        allowed to proceed. A default route is also 
+        used as a catch all entry. Note that NAI
+        matching is done using the following rules:
+            1. Full NAI text takes precedence. i.e.
+                if an entry has user@domain.com then
+                this is tested first. If succeeding
+                entries has domain.com then that
+                will be tested next.
+            2. Domain only test. An entry can contain
+                only the domain name of the NAI and
+                can be used to apply policy for all
+                users in that domain.
+        -->
+    <call_routing>
+        <call_route_entry>
+            <!-- route entry is specific to user1@isp.net -->
+            <nai>user1@isp.net</nai>
+            <access_policy>script</access_policy>
+            <access_policy>ep-filter</access_policy>
+            <access_policy>accouting</access_policy>
+            <aaa_protocol>local_eap_auth</aaa_protocol>
+        </call_route_entry>
+        <call_route_entry>
+            <!-- route entry is specific to local_nas@opendiameter.org -->
+            <nai>local_nas@opendiameter.org</nai>
+            <access_policy>script</access_policy>
+            <access_policy>ep-filter</access_policy>
+            <access_policy>accouting</access_policy>
+            <aaa_protocol>local_eap_auth</aaa_protocol>
+        </call_route_entry>
+        <call_route_entry>
+            <nai>isp1.net</nai>
+            <access_policy>script</access_policy>
+            <access_policy>script</access_policy>
+            <aaa_protocol>local_eap_auth</aaa_protocol>
+        </call_route_entry>
+        <call_route_entry>
+            <nai>isp.net</nai>
+            <access_policy>script</access_policy>
+            <access_policy>script</access_policy>
+            <aaa_protocol>diameter_eap</aaa_protocol>
+        </call_route_entry>
+        <call_route_default>
+            <!-- this will catch all nai not listed above -->
+            <access_policy>script</access_policy>
+            <aaa_protocol>diameter_eap</aaa_protocol>
+        </call_route_default>
+    </call_routing>
+
+</call_management>
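Review bot: The `user1@isp.net` and `local_nas@opendiameter.org` route entries reference an access policy named `accouting`, but the only policy declared under `<access_policies>` is `accounting`, so the accounting step is either silently skipped or the route fails to load — which of the two happens depends on how nasd resolves an unknown policy name, which this file does not show. The fix in both entries is `<access_policy>accounting</access_policy>`. Separately, the `isp1.net` and `isp.net` entries list `script` twice, which looks like a copy-paste leftover rather than an intentional double invocation of the same script. Note also that `local_eap_auth` is enabled and selected for the whole `isp1.net` domain route even though the section comment says the pre-shared-key standalone EAP mode "generally should not be used"; that is acceptable for a testbed, but a comment on that route such as `<!-- testbed only: PSK auth for every isp1.net user, do not reuse in production -->` would keep it from being copied into a real deployment.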