Provided by: radsecproxy_1.10.0-2build2_amd64 bug

NAME

       radsecproxy.conf - Radsec proxy configuration file

DESCRIPTION

       When  the  proxy  server  starts, it will first check the command line arguments, and then
       read the configuration  file.  Normally  radsecproxy  will  read  the  configuration  file
       /etc/radsecproxy.conf. The command line -c option can be used to instead read an alternate
       file (see radsecproxy(8) for details).

       If the configuration file can not be found, the proxy will exit  with  an  error  message.
       Note  that  there  is  also an include facility so that any configuration file may include
       other configuration files. The proxy will also exit on configuration errors.

CONFIGURATION SYNTAX

       When the configuration file is processed,  whitespace  (spaces  and  tabs)  are  generally
       ignored. For each line, leading and trailing whitespace are ignored.  A line is ignored if
       it is empty, only consists of whitespace, or if the first non-whitespace character is a #.
       The  configuration is generally case insensitive, but in some cases the option values (see
       below) are not.

       There are two types of configuration structures than can be used. The first  and  simplest
       are  lines  on  the  format option value. That is, an option name, see below for a list of
       valid options, followed by whitespace (at least one space or tab character), followed by a
       value.  Note that if the value contains whitespace, then it must be quoted using "" or ''.
       Any whitespace in front of the option or after the value will be ignored.

       The other type of structure is a block. A block spans at least  two  lines,  and  has  the
       format:

              blocktype name {
                   option value
                   option value
                   ...
              }

       That  is,  some  blocktype,  see  below  for a list of the different block types, and then
       enclosed in braces you have zero or more lines that each  have  the  previously  described
       option  value  format. Different block types have different rules for which options can be
       specified, they are listed below. The rules regarding white space, comments and quotes are
       as above. Hence you may do things like:

              blocktype name {
              #    option value
                  option "value with space"
                  ...
              }

       Option  value  characters  can  also be written in hex for options requiring a string type
       value. This is done by writing the character % followed by two hexadecimal digits. If a  %
       is  used  without two following hexadecimal digits, the % and the following characters are
       used as written. If you want to write a % and not use this decoding,  you  may  of  course
       write % in hex; i.e., %25. As %00 would terminate a string, this value is not converted in
       most cases, except when used with rewrite statements or secrets.

       Some options allow or require the use of regular expressions, denoted as regex. The  POSIX
       extended RE system is used, see re_format(7).

       There is one special option that can be used both as a basic option and inside all blocks.
       That is the option Include where the value specifies files to be included. The  value  can
       be a single file, or it can use normal shell globbing to specify multiple files, e.g.:

              include /etc/radsecproxy.conf.d/*.conf

       The  files  are  sorted  alphabetically.  Included  files  are  read in the order they are
       specified, when reaching the end of a file, the next file is read. When reaching  the  end
       of  the  last included file, the proxy returns to read the next line following the Include
       option. Included files may again include other files.

BASIC OPTIONS

       The following basic options  may  be  specified  in  the  configuration  file.  Note  that
       blocktypes  and options inside blocks are discussed later. Note that none of these options
       are required, and indeed in many cases they are not needed. Note that you  should  specify
       each at most once. The behaviour with multiple occurrences is undefined.

       PidFile file
              The  PidFile option specifies the name of a file to which the process id (PID) will
              be written. This is overridden by the -i command line option.  There is no  default
              value for the PidFile option.

       LogLevel 1-5
              This  option  specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where 1
              logs only serious errors, and 5 logs  everything.  The  default  is  2  which  logs
              errors,  warnings  and  a  few  informational  messages. Note that the command line
              option -d overrides this.

       LogDestination (file|syslog)
              This specifies where the log messages should go. By  default  the  messages  go  to
              syslog  with  facility LOG_DAEMON. Using this option you can specify another syslog
              facility, or you may specify that logging should be to a particular file, not using
              syslog.  The  value must be either a file URL like file:///path/to/your/logfile.log
              or a syslog URL using the syntax: x-syslog:///FACILITY where FACILITY must  be  one
              of  LOG_DAEMON, LOG_MAIL, LOG_USER, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3,
              LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6or LOG_LOCAL7.  You may omit  the  facility  from
              the  URL  to  specify  logging to the default facility, but this is not very useful
              since this is the default log destination. Note that this option is ignored  if  -f
              is specified on the command line.

       LogThreadId (on|off)
              This  can  be  set  to  on to include the thread-id in the log messages (useful for
              debugging).

       LogFullUsername (on|off)
              This can be set to off to only log the realm in Access-Accept/Reject  log  messages
              (for privacy).

       LogMAC opt
              The  LogMAC  option can be used to control if and how Calling-Station-Id (the users
              Ethernet MAC address) is being logged. It can be set to one  of  Static,  Original,
              VendorHashed,  VendorKeyHashed,  FullyHashed  or FullyKeyHashed.  The default value
              for LogMAC is Original.

              See radsecproxy.conf-example for details.

       LogKey key
              The LogKey option is used to specify the key to use when  producing  HMAC's  as  an
              effect of specifying VendorKeyHashed or FullyKeyHashed for the LogMAC option.

       FTicksReporting fticks
              The  FTicksReporting  option  is  used  to enable F-Ticks logging and can be set to
              None, Basic or Full.  Its default value is  None.  If  FTicksReporting  is  set  to
              anything other than None, note that the default value for FTicksMAC needs FTicksKey
              to be set.

              See radsecproxy.conf-example for details.

       FTicksMAC opt
              The FTicksMAC option has the same function as LogMAC for FTicks.  The  default  for
              FTicksMAC is VendorKeyHashed which needs FTicksKey to be set.

              Before  choosing  any  of  Original,  FullyHashed  or  VendorHashed,  consider  the
              implications for user privacy when MAC addresses are collected. How will  the  logs
              be stored, transferred and accessed?

       FTicksKey key
              The FTicksKey option has the same function as LogKey for Fticks.

       FTicksSyslogFacility syslog
              The  FTicksSyslogFacility option is used to specify a dedicated syslog facility for
              F-Ticks messages. This allows for easier  filtering  of  F-Ticks  messages.  If  no
              FTicksSyslogFacility  option  is  given,  F-Ticks  messages are written to what the
              LogDestination option specifies.

              F-Ticks messages are always  logged  using  the  log  level  LOG_DEBUG.  Note  that
              specifying  a  file  in  FTicksSyslogFacility  (using  the  file:/// prefix) is not
              supported.

       FTicksPrefix prefix
              The FTicksPrefix option is used to set the prefix printed in F-Ticks messages. This
              allows for use of F-Ticks messages in non-eduroam environments.  If no FTicksPrefix
              option is given, it defaults to the prefix used for eduroam (F-TICKS/eduroam/1.0).

       ListenUDP (address|*)[:port]
       ListenTCP (address|*)[:port]
       ListenTLS (address|*)[:port]
       ListenDTLS (address|*)[:port]
              Listen for the address and port for the respective protocol.   Normally  the  proxy
              will  listen  to  the  standard  ports  if  configured  to  handle clients with the
              respective protocol. The default ports are 1812 for UDP and TCP and  2083  for  TLS
              and  DTLS.  On  most  systems  it will do this for all of the system's IP addresses
              (both IPv4 and IPv6). On some systems however, it may respond to only IPv4 or  only
              IPv6.  To  specify  an  alternate port you may use a value on the form *:port where
              port is any valid port number. If you also want to specify a specific  address  you
              can do e.g.  192.168.1.1:1812 or [2001:db8::1]:1812. The port may be omitted if you
              want the default one. Note that you must use  brackets  around  the  IPv6  address.
              These  options  may  be  specified  multiple  times to listen to multiple addresses
              and/or ports for each protocol.

       SourceUDP (address|*)[:port]
       SourceTCP (address|*)[:port]
       SourceTLS (address|*)[:port]
       SourceDTLS (address|*)[:port]
              This can be used to specify source address and/or source port that the  proxy  will
              use  for  connecting  to  clients  to send messages (e.g. Access Request). The same
              syntax as for Listen... applies.

       TTLAttribute (attr|vendor:attr)
              This can be used to change the default TTL attribute. Only change this if you  know
              what  you  are  doing.  The  syntax  is  either  a numerical value denoting the TTL
              attribute, or  two  numerical  values  separated  by  column  specifying  a  vendor
              attribute.

       AddTTL 1-255
              If  a  TTL attribute is present, the proxy will decrement the value and discard the
              message if zero. Normally the proxy does nothing if no TTL attribute is present. If
              you  use  the  AddTTL  option with a value 1-255, the proxy will, when forwarding a
              message with no TTL attribute, add one with the specified value.   Note  that  this
              option  can  also be specified for a client/server which will override this setting
              when forwarding a message to that client/server.

       LoopPrevention (on|off)
              When this is enabled (on), a request will never be sent to a server named the  same
              as  the  client  it  was received from. I.e., the names of the client block and the
              server block are compared. Note that this only  gives  limited  protection  against
              loops. It can be used as a basic option and inside server blocks where it overrides
              the basic setting.

       IPv4Only (on|off)
       IPv6Only (on|off)
              Enabling IPv4Only or IPv6Only (on) makes  radsecproxy  resolve  DNS  names  to  the
              corresponding address family only, and not the other. This is done for both clients
              and servers. At most one of IPv4Only and IPv6Only can be enabled.  Note  that  this
              can be overridden in client and server blocks, see below.

       SNI (on|off)
              Server  Name  Indication  (SNI)  is  an extension to the TLS protocol.  It allows a
              client to indicate which hostname it is trying to connect to at the  start  of  the
              TLS  handshake.  Enabling  this will use the extension for all TLS and DTLS servers
              which specify a hostname (not IP address). This can be overridden in server blocks,
              see below.

       Include file
              This  is not a normal configuration option; it can be specified multiple times.  It
              can both be used as a basic option and inside blocks. For the full description, see
              the configuration syntax section above.

BLOCKS

       There are five types of blocks, they are client, server, realm, tls and rewrite.  At least
       one instance of each of client and realm is required for the proxy to do anything  useful,
       and  it  will  exit  if  none  are  configured.  The tls block is required if at least one
       TLS/DTLS client or server is configured. Note that there can be multiple blocks  for  each
       type.  For  each  type,  the  block  names  should  be unique. The behaviour with multiple
       occurrences of the same name for the same block type is undefined.  Also  note  that  some
       block  option  values  may reference a block by name, in which case the block name must be
       previously defined. Hence the order of the blocks may be significant.

CLIENT BLOCK

       client (name|fqdn|(address[/length])) {
            ...
       }

       The client block is used to configure a client. That is, tell the proxy  about  a  client,
       and  what  parameters  should  be  used for that client. The name of the client block must
       (with one exception, see below) be either the IP address (IPv4 or IPv6) of the client,  an
       IP  prefix (IPv4 or IPv6) on the form IpAddress/PrefixLength, or a domain name (FQDN). The
       way an FQDN is resolved into an IP address may be influenced by the use  of  the  IPv4Only
       and IPv6Only options. Note that literal IPv6 addresses must be enclosed in brackets.

       If a domain name is specified, then this will be resolved immediately to all the addresses
       associated with the name, and the proxy will not care about any possible DNS changes  that
       might occur later. Hence there is no dependency on DNS after startup. However, if the name
       can not be resolved, startup will fail.

       When some client later sends a request to the proxy, the proxy will look at the IP address
       the  request  comes  from, and then go through all the addresses of each of the configured
       clients (in the order they are defined), to determine which (if any) of the  clients  this
       is.  When  using  the  IpAddress/PrefixLength form, this might mask clients defined later,
       which then will never be matched.

       In the case of TLS/DTLS, the name of the client must match the FQDN or IP address  in  the
       client  certificate  (CN  or  SubectAltName:DNS or SubjectAltName:IP respectively) and any
       MatchCertificateAttribute to be positively identified.  Note that no  FQDN/IP  is  checked
       when  using  an  IP  prefix.  If overlapping clients are defined (see section above), they
       will be searched for positive identification, but only among clients referencing the  same
       tls block (selected by the first matching IP address or prefix).

       The allowed options in a client block are:

       Host (fqdn|(address[/length]))
              Alternatively of specifying the FQDN or address in the block name,  the host option
              may be used. In that case, the value of the host option is used as described above,
              while  the  name  of  the  block  is  only  used  as  a  descriptive  name  for the
              administrator. The host option may be used multiple times, and  can  be  a  mix  of
              addresses, FQDNs and prefixes.

       IPv4Only (on|off)
       IPv6Only (on|off)
              Enabling  IPv4Only  or  IPv6Only  (on)  makes  radsecproxy resolve DNS names to the
              corresponding address family only, and not the other. At most one of  IPv4Only  and
              IPv6Only  can  be  enabled. Note that this will override the global option for this
              client.

       Type type
              Specify the type (protocol) of the client. Available options are UDP, TCP, TLS  and
              DTLS.

       Secret secret
              Use  secret  as  the  shared  RADIUS  key  with this client. If the secret contains
              whitespace, the value must be quoted. This option is optional for TLS/DTLS  and  if
              omitted will default to "radsec". (Note that using a secret other than "radsec" for
              TLS is a violation of the standard (RFC 6614) and that the  proposed  standard  for
              DTLS stipulates that the secret must be "radius/dtls".)

       TLS tls
              For a TLS/DTLS client you may also specify the tls option. The option value must be
              the name of a previously defined TLS block. If this option is  not  specified,  the
              TLS  block  with the name defaultClient or default will be used if defined (in that
              order). If the specified TLS block name does  not  exist,  or  the  option  is  not
              specified and none of the defaults exist, the proxy will exit with an error.

       ServerName servername
              Use  servername  for the certificate name check instead of host or the client block
              name (e.g. if host uses static IP address).

       CertificateNameCheck (on|off)
              For  a  TLS/DTLS  client,  disable  the  default  behaviour  of  matching   CN   or
              SubjectAltName against the specified hostname or IP address.

       MatchCertificateAttribute CN:/regexp/
       MatchCertificateAttribute SubjectAltName:DNS:/regexp/
       MatchCertificateAttribute SubjectAltName:URI:/regexp/
       MatchCertificateAttribute SubjectAltName:IP:address
       MatchCertificateAttribute SubjectAltName:rID:oid
       MatchCertificateAttribute SubjectAltName:otherName:oid:/regexp/
              Perform  additional  validation of certificate attributes. Currently matching of CN
              and SubjectAltName types  URI,  DNS,  IP,  rID,  and  otherName  is  supported.  If
              specified multiple times, all terms must match for the certificate to be considered
              valid.

       DuplicateInterval seconds
              Specify for how many seconds duplicate checking should be done. If a proxy receives
              a new request within a few seconds of a previous one, it may be treated the same if
              from the same client, with the same authenticator etc. The proxy will  then  ignore
              the new request (if it is still processing the previous one), or returned a copy of
              the previous reply.

       AddTTL 1-255
              The AddTTL option has the same meaning as the option used in the basic config.  See
              the  BASIC  OPTIONS  section  for  details. Any value configured here overrides the
              basic one when sending messages to this client.

       TCPKeepalive (on|off)
              Enable TCP keepalive (default is off). If keepalives are not  answered  within  30s
              the connection is considered lost.

       FticksVISCOUNTRY cc
              Sets   this   client   to  be  eligible  to  F-Ticks  logging  as  defined  by  the
              FTicksReporting basic option, and  specifies  the  country  to  be  reported.   The
              country should be specified by the two-letter country code.

       FticksVISINST institution
              Set  the  institution  to report in F-Ticks logging. If this option is omitted, the
              name of the client block is used.

       Rewrite rewrite
              This option is deprecated. Use rewriteIn instead.

       RewriteIn rewrite
       RewriteOut rewrite
              Apply the operations in the  specified  rewrite  block  on  incoming  (request)  or
              outgoing  (response) messages from this client. Rewriting incoming messages is done
              before, outgoing after other processing. If the RewriteIn is  not  configured,  the
              rewrite  blocks  defaultClient  or  default  will be applied if defined. No default
              blocks are applied for RewriteOut.

       RewriteAttribute User-Name:/regex/replace/
              Rewrite the User-Name attribute in a client request for the  request  forwarded  by
              the  proxy.  The  User-Name  attribute  is  written back to the original value if a
              matching response is later sent back to the client. Example usage:

              RewriteAttribute User-Name:/^(.*)@local$/\1@example.com/

SERVER BLOCK

       server (name|((fqdn|address)[:port])) {
            ...
       }

       The server block is used to configure a server. That is, tell the proxy  about  a  server,
       and  what  parameters should be used when communicating with that server.  The name of the
       server block must (with one exception, see below) be either the IP address (IPv4 or  IPv6)
       of  the  server, or a domain name (FQDN). If a domain name is specified, then this will be
       resolved immediately to all the addresses associated with the name, and the proxy will not
       care  about  any possible DNS changes that might occur later. Hence there is no dependency
       on DNS after startup. If the domain name resolves to multiple addresses, then for UDP/DTLS
       the first address is used. For TCP/TLS, the proxy will loop through the addresses until it
       can connect to one of them. The way an  FQDN  is  resolved  into  an  IP  address  may  be
       influenced by the use of the IPv4Only and IPv6Only options.

       In  the  case of TLS/DTLS, the name of the server must match the FQDN or IP address in the
       server certificate.

       Note that the fqdn or address may include a port number (separated with  a  column).  This
       port number will then override the default port or a port option in the server block. Also
       note that literal IPv6 addresses must be enclosed in brackets.

       The allowed options in a server block are:

       Host (fqdn|address)[:port]
              Alternatively of specifying the FQDN or address in the block name the  host  option
              may be used. In that case, the value of the host option is used as described above,
              while the  name  of  the  block  is  only  used  as  a  descriptive  name  for  the
              administrator.  Note  that  multiple  host  options  may be used. This will then be
              treated as multiple names/addresses for the same server. When initiating a  TCP/TLS
              connection,  all  addresses of all names may be attempted, but there is no failover
              between the different host values. For failover use separate server blocks.

       Port port
              Specify the port (UDP/TCP) to connect to. If omitted, UDP and TCP will  default  to
              1812 while TLS and DTLS will default to 2083.

       Source (address|*)[:port]
              Specify  the  source  address  and/or  port  to  use for this server. See Source...
              options above.

       ServerName servername
              Use servername for the certificate name check instead of host or the  server  block
              name (e.g. if host uses static IP address). Additionally, this name is used for SNI
              (if enabled), unless SNIservername is set.

       DynamicLookupCommand command
              Execute the command to dynamically configure a server for  a  realm  given  by  the
              username  field  in  an  Access-Request.   The  command can take two special forms,
              naptr:service or srv:prefix, or point to a script or executable.

              The naptr: and srv: forms execute the corresponding DNS queries,  either  searching
              for  service in NAPTR records (followed by SRV query), or querying for prefix.realm
              SRV records. Finally a server block will  be  constructed  for  the  dynamic  realm
              taking  this  server  block  as a template and overriding the host entries with the
              content of the SRV records.

              Otherwise, the command should be an executable file  or  script,  given  with  full
              path,  that  will  be  invoked  with  the  name  of the realm as its first and only
              argument.  It should either print a valid server {...} block  containing  at  least
              one  host  statement on stdout and exit with a code of 0, or print nothing and exit
              with a non-zero exit code. If the command exited with 0 and provided a valid server
              config,  it  will  be  combined  with the statements in this server block, with the
              values returned by the command taking preference.

              An example of a shell script resolving the DNS NAPTR records for the realm and then
              the  SRV  records  for  each  NAPTR  matching 'x-eduroam:radius.tls' is provided in
              tools/naptr-eduroam.sh.    This   is   equivalent    to    configuring    'naptr:x-
              eduroam:radius.tls' directly.

       StatusServer (on|off|minimal|auto)
              Enable  the  use  of  status-server  messages  for  this  server (default off).  If
              statusserver is enabled (on), the proxy will send regular status-server messages to
              the  server  to  verify that it is alive. Status tracking of the server will solely
              depend on status-server message and ignore  lost  requests.  This  should  only  be
              enabled  if  the server supports it. With the option minimal status-server messages
              are only sent when regular requests have been lost and no other replies  have  been
              received.

              The option auto tries to detect whether the other server supports status-server. If
              so, status-server messages are enabled in minimal mode.

       RetryCount count
              Set how many times the proxy should retry sending a request to the server.  Default
              is 2 retries.  Please note that Radius retries are normally done by the NAS.

       RetryInterfval interval
              Set the interval between each retry. Default is 5s.

       Rewrite rewrite
              This option is deprecated. Use rewriteIn instead.

       RewriteOut rewrite
       RewriteIn rewrite
              Apply  the  operations  in  the  specified  rewrite  block on outgoing (request) or
              incoming (response) messages to/from this server. Rewriting  outgoing  messages  is
              done  after,  incoming before other processing. If the RewriteIn is not configured,
              the rewrite blocks defaultServer or default will be applied if defined. No  default
              blocks are applied for RewriteOut.

       LoopPrevention (on|off)
              This overrides the global LoopPrevention option for this server.  See section BASIC
              OPTIONS for details on this option.

       BlockingStartup (on|off)
              Start the dynamic server in blocking mode (default off), treating it as if  it  was
              already connected and enqueue requests to this server. Queued requests will be sent
              out when the connection is established.  If  however  the  dynamic  lookup  or  the
              connection  fails,  the queued requests will be lost.  (This is only considered for
              dynamic lookup servers. Ie when DynamicLookupCommand is  specified)  Warning:  when
              the  dynamic  lookup  and connection process is slow, this wil block the respective
              realm for that time.

       SNI (on|off)

              Override gobal SNI setting (see above). This is implicitly enabled if SNIservername
              is set.

       SNIservername sni
              Explicitly  set the sni to request from the server, in case the server is specified
              by IP address or to override the hostname. Implicitly enables SNI for this server.

       DTLSForceMTU mtu
              Some non-Linux platforms are unable to query the MTU of a connection, causing  DTLS
              to  limit  itself  to  256 bytes and thus failing to connect. Manually set mtu to a
              large enough value so the initial DTLS cleint-hello fits without fragmentation.

       The meaning and syntax of the following options are exactly the same  as  for  the  client
       block.  The  details  are not repeated here. Please refer to the definitions in the CLIENT
       BLOCK section.

       IPv4Only (on|off)
       IPv6Only (on|off)
       Type type
       Secret secret
       TLS tls
       CertificateNameCheck (on|off)
       MatchCertificateAttribute ...
       AddTTL 1-255
       TCPKeepalive (on|off)

REALM BLOCK

       realm (*|realm|/regex/) {
            ...
       }

       When the proxy receives an Access-Request it needs to figure out to which server it should
       be  forwarded.  This  is  done  by  looking  at the Username attribute in the request, and
       matching that against the names of the defined realm blocks. The proxy will match  against
       the  blocks  in  the  order  they are specified, using the first match if any. If no realm
       matches, the proxy will simply ignore the request. Each realm  block  specifies  what  the
       server should do when a match is found.

       The allowed options in a realm block are:

       Server server
       AccountingServer server
              Specify  the  server  to which requests for this realm should be forwarded.  server
              references a previously defined server block (see the SERVER BLOCK  section).  Each
              server and accountingServer can be specified multiple times, or omitted completely.
              If no server is configured, the proxy will deny all Access-Requests for this realm.
              If   no  accountingServer  is  configured,  the  proxy  will  silently  ignore  all
              Accounting-Requests for this realm. See the  SERVER  SELECTION  section  below  for
              details.

       AccountingResponse (on|off)
              Enable  sending Accounting-Response instead of ignoring Accounting-Requests when no
              accoutingServer are configured.

       AccountingLog (on|off)
              When responding to Accounting-Requests (AccountingResponse on), log the  accounting
              data.

       ReplyMessage message
              Specify  a  message  to  be  sent  back to the client if a Access-Request is denied
              because no server are configured.

   REALM BLOCK NAMES AND MATCHING
       In the general case the proxy will look for a @ in the username attribute, and try  to  do
       an  exact, case insensitive match between what comes after the @ and the name of the realm
       block. So if you get a request with the attribute value anonymous@example.com,  the  proxy
       will go through the realm names in the order they are specified, looking for a realm block
       named example.com.

       There are two exceptions to this, one is the realm name * which  means  match  everything.
       Hence  if  you  have a realm block named *, then it will always match. This should then be
       the last realm block defined, since any blocks after this would never be checked. This  is
       useful for having a default.

       The other exception is regular expression matching. If the realm name starts with a /, the
       name is treated as an regular expression. A case insensitive regexp  match  will  then  be
       done  using  this regexp on the value of the entire Username attribute. Optionally you may
       also have a trailing / after the regexp.  So as an example, if  you  want  to  use  regexp
       matching  the  domain  example.com you could have a realm block named /@example\.com$/. If
       you want to match all domains under the .com top domain, you could  do  /@.*\.com$/.  Note
       that since the matching is done on the entire attribute value, you can also use rules like
       /^[a-k].*@example\.com$/ to get some of the users in this domain to use one server,  while
       other users could be matched by another realm block and use another server.

   SERVER SELECTION
       Normally  requests  will  be  forwarded  to  the first server option defined. If there are
       multiple server options, the proxy will do fail-over and use  the  second  server  if  the
       first  is  down. If the two first are down, it will try the third etc. If the first server
       comes back up, it will go back to using that one.  Detection of servers being up  or  down
       is  based  on  the use of StatusServer (if enabled), and that TCP/TLS/DTLS connections are
       up.  Otherwise  unanswered   requests   are   used   to   detect   unresponsive   servers.
       AccountingServers are treated the same, but independently of the other servers.

       If  there  is no Server option, the proxy will if ReplyMessage is specified, reply back to
       the client with an Access Reject message. The message contains  a  replyMessage  attribute
       with  the  value as specified by the ReplyMessage option. Note that this is different from
       having no match since then the request is simply ignored.  This can be used to  catch  all
       undefined  sub-domains  or  even  all undefined realms by configuring either a regex match
       like /@.*\.example\.com/ or the realm * with no server option.   Another  use-case  is  to
       block a specific pattern in the username or realm part using  a regex.

       If  there  is  no  AccountingServer  option,  the proxy will normally do nothing, ignoring
       accounting requests. If instead AccountingResponse is set to on, the proxy will  log  some
       of  the  accounting  information  and send an Accounting-Response back. This stops clients
       from retransmitting Accounting-Request messages  when  a  realm  has  no  accountingServer
       configured.

TLS BLOCK

       tls name {
            ...
       }

       The  TLS  block  specifies TLS configuration options and you need at least one of these if
       you have clients or servers using TLS/DTLS. As discussed in the client  and  server  block
       descriptions, a client or server block may reference a particular TLS block by name. There
       are also however the special TLS block  names  default,  defaultClient  and  defaultServer
       which  are  used as defaults if the client or server block does not reference a TLS block.
       Also note that a TLS block must be defined before the client or server  block  that  would
       use  it.  If you want the same TLS configuration for all TLS/DTLS clients and servers, you
       need just a single tls block named default, and the client and servers need not  refer  to
       it.  If  you  want all TLS/DTLS clients to use one config, and all TLS/DTLS servers to use
       another, then you would be fine only defining  two  TLS  blocks  named  defaultClient  and
       defaultServer.  If you want different clients (or different servers) to have different TLS
       parameters, then you may need to create other TLS blocks with other names,  and  reference
       those from the client or server definitions.

       As  both  clients and servers need to present and verify a certificate, both a certificate
       as well as a CA to verify the peers certificate  must be configured.

       The allowed options in a tls block are:

       CACertificateFile file
              The CA certificate file used to verify the peers certificate.

       CACertificatePath path
              The path to search for CA or intermediate certificates.

       CertificateFile file
              The server certificate this proxy will use. The file may also contain a certificate
              chain.

       CertificateKeyFile file
              The private-key file for the server certificate specified in CACertificateFile.

       CertificateKeyPassword password
              The password to decrypt the private-key.

       PolicyOID oid
              Require  the  peers  certificate  to  adhere  to the policy specified by oid.  When
              specified multiple times at least one policy must be valid in the peer certificate.

       CRLCheck (on|off)
              Enable checking peer certificate against the CRL (default off).
              Note that radsecproxy does  not  fetch  the  CRLs  itself.  This  has  to  be  done
              separately, e.g. with fetch-crl(8)

       CacheExpiry seconds
              Specify  how  many seconds the CA and CRL information should be cached. By default,
              the CA and CRL are loaded at startup and cached indefinetely. After the  configured
              time,  the  CA  CRL  are  re-read.  Alternatively,  reloading the CA and CRL can be
              triggered by sending a SIGHUP to the radsecproxy process. This option may be set to
              zero to disable caching.

       CipherList ciphers
              Specify the list of accepted ciphers. See openssl-ciphers(1).

       CipherSuites ciphersuites
              Specify the ciphersuites to be used for TLS1.3. See openssl-ciphers(1).
              Note this requires OpenSSL 1.1.1

       TlsVersion ( version | minversion:maxversion )
       DtlsVersion ( version | minversion:maxversion )
              Specify the TLS/DTLS protocol version to be used.
              Specify  the  range  of allowed protocol versions between minversion and maxversion
              (inclusive). If either is left out, any  version  up  to,  or  starting  from  this
              version  is  allowed.  E.g. "TLS1_2:" will allow TLSv1.2 or later.  If omitted, use
              the system defaults set in openssl.conf
              Currently  supported  values  are  SSL3,TLS1,TLS1_1,TLS1_2,TLS1_3   for   TLS   and
              DTLS1,DTLS1_1,DTLS1_2 for DTLS.

       DhFile file
              DH parameter file to use. See openssl-dhparam(1)
              Note: starting with OpenSSL 3.0, use of custom DH parameters is discouraged.

REWRITE BLOCK

       rewrite name {
            ...
       }

       The rewrite block specifies rules that may rewrite RADIUS messages. It can be used to add,
       remove and modify specific attributes from messages received from and sent to clients  and
       servers.  As  discussed  in  the  client and server block descriptions, a client or server
       block may reference a particular rewrite block by name. There are however also the special
       rewrite block names default, defaultClient and defaultServer which are used as defaults if
       the client or server block does not reference a block. Also note that a rewrite block must
       be  defined  before  the  client  or  server block that would use it. If you want the same
       rewrite rules for input from all clients and servers, you need just a single rewrite block
       named default, and the client and servers need not refer to it. If you want all clients to
       use one config, and all servers to use another, then you would be fine only  defining  two
       rewrite  blocks  named  defaultClient and defaultServer. Note that these defaults are only
       used for rewrite on input. No rewriting is done  on  output  unless  explicitly  specified
       using the RewriteOut option.

       The rewrite actions are performed in this sequence:
              1. RemoveAttribute (or WhitelistAttribute)
              2. ModifyAttribute
              3. SupplementAttribute
              4. AddAttribute

       All options can be specified multiple times. The allowed options in a rewrite block are:

       AddAttribute attribute:value
              Add  an  attribute to the radius message and set it to value. The attribute must be
              specified using the numerical attribute id. The value can either  be  numerical,  a
              string,  or  a hex value. If the value starts with a number, it is interpreted as a
              32bit unsigned integer.  Use the ' character at the start of  the  value  to  force
              string  interpretation. When using hex value, it is recommended to also lead with '
              to avoid unintended numeric interpretation. See the  CONFIGURATION  SYNTAX  section
              for further details.

       AddVendorAttribute vendor:subattribute:value
              Add a vendor attribute to the radius message, specified by vendor and subattribute.
              Both vendor and subattribute must be specified as numerical values. The  format  of
              value is the same as for addAttribute above.

       SupplementAttribute attribute:value
              Add  an attribute to the radius message and set it to value, only if the  attribute
              is not yet present on the message.   The  format  of  value  is  the  same  as  for
              addAttribute above.

       SupplementVendorAttribute vendor:subattribute:value
              Add  a  vendor  attribute  to  the  radius message only if the subattribute of this
              vendor is not yet present on the  message.  The  format  of  is  the  same  as  for
              addVendorAttribute above.

       ModifyAttribute attribute:/regex/replace/
              Modify  the  given  attribute  using the regex replace pattern. As above, attribute
              must be specified by a numerical value. Example usage:

              modifyAttribute 1:/^(.*)@local$/\1@example.com/

       ModifyVendorAttribute vendor:subattribute:/regex/replace/
              Modify the given subattribute of given vendor  using  the  regex  replace  pattern.
              Other than the added vendor, the same syntax as for ModifyAttribute applies.

       RemoveAttribute attribute
              Remove all attributes with the given id.

       RemoveVendorAttribute vendor[:subattribute]
              Remove  all  vendor attributes that match the given vendor and subattribute. If the
              subattribute is omitted, all attributes with the given vendor id are removed.

       WhitelistMode (on|off)
              Enable   whitelist   mode.   All   attributes   except   those   configured    with
              WhitelistAttribute  or  WhitelistVendorAttribute  will be removed.  While whitelist
              mode is active, RemoveAttribute and RemoveVendorAttribute statements are ignored.

       WhitelistAttribute attribute
              Do not remove attributes with the given  id  when  WhitelistMode  is  on.   Ignored
              otherwise.

       WhitelistVendorAttribute vendor[:subattribute]
              Do  not  remove vendor attributes that match the given vendor and subattribute when
              WhitelistMode is on. Ignored otherwise.

              If the subattribute is omitted,  the  complete  vendor  attribute  is  whitelisted.
              Otherwise  only  the specified subattribute is kept but all other subattributes are
              removed.

SEE ALSO

       radsecproxy(8)