eap-radius { # Send RADIUS accounting information to RADIUS servers. # accounting = no # Close the IKE_SA if there is a timeout during interim RADIUS accounting # updates. # accounting_close_on_timeout = yes # Interval in seconds for interim RADIUS accounting updates, if not # specified by the RADIUS server in the Access-Accept message. # accounting_interval = 0 # If enabled, accounting is disabled unless an IKE_SA has at least one # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. # accounting_requires_vip = no # If enabled, adds the Class attributes received in Access-Accept message to # the RADIUS accounting messages. # accounting_send_class = no # Use class attributes in Access-Accept messages as group membership # information. # class_group = no # Closes all IKE_SAs if communication with the RADIUS server times out. If # it is not set only the current IKE_SA is closed. # close_all_on_timeout = no # Send EAP-Start instead of EAP-Identity to start RADIUS conversation. # eap_start = no # Use filter_id attribute as group membership information. # filter_id = no # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the # EAP method. # id_prefix = # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes # NAS-Identifier to include in RADIUS messages. nas_identifier = {{ remote_access.radius.nas_identifier if remote_access.radius.nas_identifier is vyos_defined else 'strongSwan' }} # Port of RADIUS server (authentication). # port = 1812 # Base to use for calculating exponential back off. # retransmit_base = 1.4 # Timeout in seconds before sending first retransmit. # retransmit_timeout = 2.0 # Number of times to retransmit a packet before giving up. # retransmit_tries = 4 # Shared secret between RADIUS and NAS. If set, make sure to adjust the # permissions of the config file accordingly. # secret = # IP/Hostname of RADIUS server. # server = # Number of sockets (ports) to use, increase for high load. # sockets = 1 # Whether to include the UDP port in the Called- and Calling-Station-Id # RADIUS attributes. # station_id_with_port = yes dae { # Enables support for the Dynamic Authorization Extension (RFC 5176). # enable = no # Address to listen for DAE messages from the RADIUS server. # listen = 0.0.0.0 # Port to listen for DAE requests. # port = 3799 # Shared secret used to verify/sign DAE messages. If set, make sure to # adjust the permissions of the config file accordingly. # secret = } forward { # RADIUS attributes to be forwarded from IKEv2 to RADIUS. # ike_to_radius = # Same as ike_to_radius but from RADIUS to IKEv2. # radius_to_ike = } # Section to specify multiple RADIUS servers. servers { {% if remote_access.radius.server is vyos_defined %} {% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %} {{ server | replace('.', '-') }} { address = {{ server }} secret = {{ server_options.key }} auth_port = {{ server_options.port }} {% if server_options.disable_accounting is not vyos_defined %} acct_port = {{ server_options.port | int +1 }} {% endif %} sockets = 20 } {% endfor %} {% endif %} } # Section to configure multiple XAuth authentication rounds via RADIUS. xauth { } }