changeset 349:087d76efb83d

Completed draft of configuration file for radius_gw
author Sebastien Decugis <sdecugis@nict.go.jp>
date Fri, 01 May 2009 14:58:46 +0900
parents 7907e7cc0aef
children c47a045fd4d6
files doc/radius_gw.conf.sample
diffstat 1 files changed, 47 insertions(+), 32 deletions(-) [+]
--- a/doc/radius_gw.conf.sample	Thu Apr 30 17:23:31 2009 +0900
+++ b/doc/radius_gw.conf.sample	Fri May 01 14:58:46 2009 +0900
@@ -5,12 +5,54 @@
 # RADIUS/Diameter gateway. Typically, a RADIUS client (e.g. a NAS) would connect to
 # this extension, and the message would be converted to Diameter and sent to a Diameter server.
 #
-# This extension contains two almost independent parts: authentication/authorization and accounting.
-# See the detail of each section bellow.
+# Note that this extension alone is not sufficient to achieve RADIUS/Diameter gateway function.
+# You need to add specific extensions to handle RADIUS messages and convert them to 
+# Diameter apps such as NASREQ, EAP, ... See the next section for information.
+
+
+##############
+# Extensions #
+##############
+
+# Additional extensions must be loaded to support specific RADIUS messages and attributes.
+
+# Extensions are registered either for every message, or by port (auth or acct), or by port and code.
+# The general format is:
+# extension [: conf_file [: port] [: code(s)]] ;
+#  Where:
+#    extension is the file name (relative or absolute) of the extension to load.
+#    conf_file is optional and the name of the configuration file.
+#    port is optional, either "auth" or "acct". 
+#       If not specified, extension is called for messages incoming on both ports
+#    code(s): coma-separated list of command codes for which this extension must be called.
+#       If not specified, the extension is called for all incoming messages.
 #
-# Note that this extension alone is not sufficient for most authentication / authorization applications.
-# You need to add specific extensions for each application such as NASREQ, EAP, ...
-# See the "auth_mod" configuration parameter for this purpose.
+# The extensions are called in the order they appear in this file.
+# Here are some explained examples:
+#  3579.so;   Load this extension and call it for all messages. No configuration file.
+#  3579.so : 3579.conf;  Same as previous but with a configuration file specified.
+#  3579.so : : auth; No configuration file, but called only for messages on authentication port.
+#  3579.so : : 4, 8, 11;  Called for messages with command code 4, 8, or 11 only.
+#  3579.so : 3579.conf : auth : 4, 8, 11;  All parameters combined.
+
+# Once the list of extensions for an incoming message has been called (or empty list), 
+# if some of the attributes have not been handled, an error is loggued.
+
+##################
+# RADIUS Clients #
+##################
+
+# Each RADIUS client must be declared in the form: IP = shared-secret ;
+# IP can be ipv4 or ipv6
+# shared-secret can be a quoted string, or a list of hexadecimal values.
+# examples:
+# 192.168.100.1 = "secret key" ; # the shared secret buffer is 0x736563726574206b6579 (length 10 bytes)
+# fe00::1 = 73 65 63 72 65 74 20 6b 65 79; # same shared secret as previously
+# When a packet is received from an IP not declared here, it is silently discarded.
+#
+# Alternatively, a separate file can be specified in the form:
+# radius_client_file = "/path/to/file";
+# The format of this file in that case is yet to be defined (option not supported fully yet)
 
 
 ####################
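Review bot: The RADIUS Clients block added at the end of this hunk uses `"secret key"` as its example and gives no guidance on secret strength or on protecting the file, although every client's shared secret will be stored here in clear text. I would add `# Use a long, random shared secret, different for each client.` and `# This file contains secrets: make it readable only by the account running the daemon.` below the examples; the same caveat applies to the file named by `radius_client_file`. In the Extensions block, `3579.so : : auth;` and `3579.so : : 4, 8, 11;` put the port and the codes in the same field position, which does not match the stated format `extension [: conf_file [: port] [: code(s)]] ;`, so the comment should state whether the port field can be omitted together with its colon. The new lines also carry two typos, `coma-separated` and `loggued`.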
@@ -30,14 +72,6 @@
 # The IPv6 address to which the server is bound, or "disable"
 # auth_server_ipv6 = :: ;
 
-# Enabling the auth server is not sufficient, one must provide additional modules
-# that will convert the specific RADIUS messages / attributes depending on application.
-# When a RADIUS message is received and no module is available to handle it / one of its attributes, 
-# it is logged and an error message is returned.
-# auth_mod = radius_2865 ;                       # RADIUS base RFC, PAP / CHAP authentication (NASREQ)
-# auth_mod = radius_3579 : radius_eap.conf ;     # RADIUS EAP RFC (Diameter EAP)
-# auth_mod = radius_ignore : radius_ignore.conf; # list of attributes to discard or blind copy in answers.
-
 
 ################
 #  Accounting  #
@@ -54,22 +88,3 @@
 
 # The IPv6 address to which the server is bound, or "disable"
 # acct_server_ipv6 = :: ;
-
-# Store session id used by authentication messages to find the application id for the accounting msg
-# acct_app_sessions = 1;
-
-# The Diameter Application to use for the accounting messages with unknown session information
-# acct_app_id = 0;
-
-
-##################
-# RADIUS Clients #
-##################
-
-# Each RADIUS client must be declared in the form: IP = shared-secret ;
-# IP can be ipv4 or ipv6
-# shared-secret can be a quoted string, or a list of hexadecimal values.
-# examples:
-# 192.168.100.1 = "secret key" ; # the shared secret buffer is 0x736563726574206b6579 (length 10 bytes)
-# fe00::1 = 73 65 63 72 65 74 20 6b 65 79; # same shared secret as previously
-# When a packet is received from an IP not declared here, it is silently discarded.
"Welcome to our mercurial repository"