summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/charon/eap-radius.conf.tmpl
blob: 5ec35c98831341dc7030497375edb409980ddfe5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
eap-radius {
    # Send RADIUS accounting information to RADIUS servers.
    # accounting = no

    # Close the IKE_SA if there is a timeout during interim RADIUS accounting
    # updates.
    # accounting_close_on_timeout = yes

    # Interval in seconds for interim RADIUS accounting updates, if not
    # specified by the RADIUS server in the Access-Accept message.
    # accounting_interval = 0

    # If enabled, accounting is disabled unless an IKE_SA has at least one
    # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
    # accounting_requires_vip = no

    # If enabled, adds the Class attributes received in Access-Accept message to
    # the RADIUS accounting messages.
    # accounting_send_class = no

    # Use class attributes in Access-Accept messages as group membership
    # information.
    # class_group = no

    # Closes all IKE_SAs if communication with the RADIUS server times out. If
    # it is not set only the current IKE_SA is closed.
    # close_all_on_timeout = no

    # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
    # eap_start = no

    # Use filter_id attribute as group membership information.
    # filter_id = no

    # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
    # EAP method.
    # id_prefix =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # NAS-Identifier to include in RADIUS messages.
    nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }}

    # Port of RADIUS server (authentication).
    # port = 1812

    # Base to use for calculating exponential back off.
    # retransmit_base = 1.4

    # Timeout in seconds before sending first retransmit.
    # retransmit_timeout = 2.0

    # Number of times to retransmit a packet before giving up.
    # retransmit_tries = 4

    # Shared secret between RADIUS and NAS. If set, make sure to adjust the
    # permissions of the config file accordingly.
    # secret =

    # IP/Hostname of RADIUS server.
    # server =

    # Number of sockets (ports) to use, increase for high load.
    # sockets = 1

    # Whether to include the UDP port in the Called- and Calling-Station-Id
    # RADIUS attributes.
    # station_id_with_port = yes

    dae {
        # Enables support for the Dynamic Authorization Extension (RFC 5176).
        # enable = no

        # Address to listen for DAE messages from the RADIUS server.
        # listen = 0.0.0.0

        # Port to listen for DAE requests.
        # port = 3799

        # Shared secret used to verify/sign DAE messages. If set, make sure to
        # adjust the permissions of the config file accordingly.
        # secret =
    }

    forward {
        # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
        # ike_to_radius =

        # Same as ike_to_radius but from RADIUS to IKEv2.
        # radius_to_ike =
    }

    # Section to specify multiple RADIUS servers.
    servers {
{%  if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %}
{%    for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %}
        {{ server | replace('.', '-') }} {
            address = {{ server }}
            secret = {{ server_options.key }}
            auth_port = {{ server_options.port }}
{%      if server_options.disable_accounting is not defined %}
            acct_port = {{ server_options.port | int +1 }}
{%  endif %}
            sockets = 20
        }
{%    endfor %}
{%  endif %}
    }

    # Section to configure multiple XAuth authentication rounds via RADIUS.
    xauth {
    }
}