133 lines
5.4 KiB
Plaintext
133 lines
5.4 KiB
Plaintext
charon.plugins.eap-radius.accounting = no
|
|
Send RADIUS accounting information to RADIUS servers.
|
|
|
|
charon.plugins.eap-radius.accounting_close_on_timeout = yes
|
|
Close the IKE_SA if there is a timeout during interim RADIUS accounting
|
|
updates.
|
|
|
|
charon.plugins.eap-radius.accounting_interval = 0
|
|
Interval in seconds for interim RADIUS accounting updates, if not specified
|
|
by the RADIUS server in the Access-Accept message.
|
|
|
|
charon.plugins.eap-radius.accounting_requires_vip = no
|
|
If enabled, accounting is disabled unless an IKE_SA has at least one
|
|
virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
|
|
|
|
charon.plugins.eap-radius.accounting_send_class = no
|
|
If enabled, adds the Class attributes received in Access-Accept message to
|
|
the RADIUS accounting messages.
|
|
|
|
charon.plugins.eap-radius.class_group = no
|
|
Use class attributes in Access-Accept messages as group membership
|
|
information.
|
|
|
|
Use the _class_ attribute sent in the RADIUS-Accept message as group
|
|
membership information that is compared to the groups specified in the
|
|
**rightgroups** option in **ipsec.conf**(5).
|
|
|
|
charon.plugins.eap-radius.close_all_on_timeout = no
|
|
Closes all IKE_SAs if communication with the RADIUS server times out. If it
|
|
is not set only the current IKE_SA is closed.
|
|
|
|
charon.plugins.eap-radius.dae.enable = no
|
|
Enables support for the Dynamic Authorization Extension (RFC 5176).
|
|
|
|
charon.plugins.eap-radius.dae.listen = 0.0.0.0
|
|
Address to listen for DAE messages from the RADIUS server.
|
|
|
|
charon.plugins.eap-radius.dae.port = 3799
|
|
Port to listen for DAE requests.
|
|
|
|
charon.plugins.eap-radius.dae.secret
|
|
Shared secret used to verify/sign DAE messages. If set, make sure to adjust
|
|
the permissions of the config file accordingly.
|
|
|
|
charon.plugins.eap-radius.eap_start = no
|
|
Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
|
|
|
|
charon.plugins.eap-radius.filter_id = no
|
|
Use filter_id attribute as group membership information.
|
|
|
|
If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
|
|
the _filter_id_ attribute sent in the RADIUS-Accept message as group
|
|
membership information that is compared to the groups specified in the
|
|
**rightgroups** option in **ipsec.conf**(5).
|
|
|
|
charon.plugins.eap-radius.forward.ike_to_radius
|
|
RADIUS attributes to be forwarded from IKEv2 to RADIUS.
|
|
|
|
RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
|
|
name or attribute number, a colon can be used to specify vendor-specific
|
|
attributes, e.g. Reply-Message, or 11, or 36906:12).
|
|
|
|
charon.plugins.eap-radius.forward.radius_to_ike =
|
|
Same as ike_to_radius but from RADIUS to IKEv2.
|
|
|
|
Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
|
|
IKEv2, a strongSwan specific private notify (40969) is used to transmit the
|
|
attributes.
|
|
|
|
charon.plugins.eap-radius.id_prefix
|
|
Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
|
|
EAP method.
|
|
|
|
charon.plugins.eap-radius.nas_identifier = strongSwan
|
|
NAS-Identifier to include in RADIUS messages.
|
|
|
|
charon.plugins.eap-radius.port = 1812
|
|
Port of RADIUS server (authentication).
|
|
|
|
charon.plugins.eap-radius.secret =
|
|
Shared secret between RADIUS and NAS. If set, make sure to adjust the
|
|
permissions of the config file accordingly.
|
|
|
|
charon.plugins.eap-radius.server =
|
|
IP/Hostname of RADIUS server.
|
|
|
|
charon.plugins.eap-radius.retransmit_base = 1.4
|
|
Base to use for calculating exponential back off.
|
|
|
|
charon.plugins.eap-radius.retransmit_timeout = 2.0
|
|
Timeout in seconds before sending first retransmit.
|
|
|
|
charon.plugins.eap-radius.retransmit_tries = 4
|
|
Number of times to retransmit a packet before giving up.
|
|
|
|
charon.plugins.eap-radius.servers {}
|
|
Section to specify multiple RADIUS servers.
|
|
|
|
Section to specify multiple RADIUS servers. The **nas_identifier**,
|
|
**secret**, **sockets** and **port** (or **auth_port**) options can be
|
|
specified for each server. A server's IP/Hostname can be configured using
|
|
the **address** option. The **acct_port** [1813] option can be used to
|
|
specify the port used for RADIUS accounting. For each RADIUS server a
|
|
priority can be specified using the **preference** [0] option. The
|
|
retransmission time for each server can set set using **retransmit_base**,
|
|
**retransmit_timeout** and **retransmit_tries**.
|
|
|
|
charon.plugins.eap-radius.sockets = 1
|
|
Number of sockets (ports) to use, increase for high load.
|
|
|
|
charon.plugins.eap-radius.station_id_with_port = yes
|
|
Whether to include the UDP port in the Called- and Calling-Station-Id
|
|
RADIUS attributes.
|
|
|
|
charon.plugins.eap-radius.xauth {}
|
|
Section to configure multiple XAuth authentication rounds via RADIUS.
|
|
|
|
Section to configure multiple XAuth authentication rounds via RADIUS.
|
|
The subsections define so called authentication profiles with arbitrary
|
|
names. In each profile section one or more XAuth types can be configured,
|
|
with an assigned message. For each type a separate XAuth exchange will be
|
|
initiated and all replies get concatenated into the User-Password attribute,
|
|
which then gets verified over RADIUS.
|
|
|
|
Available XAuth types are **password**, **passcode**, **nextpin**, and
|
|
**answer**. This type is not relevant to strongSwan or the AAA server, but
|
|
the client may show a different dialog (along with the configured message).
|
|
|
|
To use the configured profiles, they have to be configured in the respective
|
|
connection in **ipsec.conf**(5) by appending the profile name, separated by
|
|
a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
|
|
or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
|