path: root/data/templates/ipsec/charon/eap-radius.conf.j2
# eap-radius.conf.j2 - Jinja2 template for the eap-radius plugin section of
# the charon strongswan.conf. Rendered values come from remote_access.radius;
# every key that stays commented out keeps the plugin default quoted beside it.
eap-radius {
    # Send RADIUS accounting information to RADIUS servers.
    # NOTE(review): left at its default here while acct_port is rendered for
    # each server in the servers section below - confirm accounting is meant
    # to stay off or is enabled elsewhere.
    # accounting = no

    # Close the IKE_SA if there is a timeout during interim RADIUS accounting
    # updates.
    # accounting_close_on_timeout = yes

    # Interval in seconds for interim RADIUS accounting updates, if not
    # specified by the RADIUS server in the Access-Accept message.
    # accounting_interval = 0

    # If enabled, accounting is disabled unless an IKE_SA has at least one
    # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
    # accounting_requires_vip = no

    # If enabled, adds the Class attributes received in Access-Accept message to
    # the RADIUS accounting messages.
    # accounting_send_class = no

    # Use class attributes in Access-Accept messages as group membership
    # information.
    # class_group = no

    # Closes all IKE_SAs if communication with the RADIUS server times out. If
    # it is not set only the current IKE_SA is closed.
    # close_all_on_timeout = no

    # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
    # eap_start = no

    # Use filter_id attribute as group membership information.
    # filter_id = no

    # Prefix to EAP-Identity, some AAA servers use an IMSI prefix to select the
    # EAP method.
    # id_prefix =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    # Always enabled when this template is rendered.
    load = yes

    # NAS-Identifier to include in RADIUS messages.
    # Falls back to the literal 'strongSwan' when no identifier is configured.
    nas_identifier = {{ remote_access.radius.nas_identifier if remote_access.radius.nas_identifier is vyos_defined else 'strongSwan' }}

    # Port of RADIUS server (authentication).
    # Not set globally; each server entry below carries its own auth_port.
    # port = 1812

    # Base to use for calculating exponential back off.
    # retransmit_base = 1.4

{% if remote_access.radius.timeout is vyos_defined %}
    # Timeout in seconds before sending first retransmit.
    # Only emitted when a timeout is configured; otherwise the plugin default
    # applies.
    retransmit_timeout = {{ remote_access.radius.timeout | float }}
{% endif %}

    # Number of times to retransmit a packet before giving up.
    # retransmit_tries = 4

    # Shared secret between RADIUS and NAS. If set, make sure to adjust the
    # permissions of the config file accordingly.
    # Not set globally; each server entry below carries its own secret, so the
    # permission note applies to the rendered file regardless.
    # secret =

    # IP/Hostname of RADIUS server.
    # Not set globally; servers are listed in the servers section below.
    # server =

    # Number of sockets (ports) to use, increase for high load.
    # sockets = 1

    # Whether to include the UDP port in the Called- and Calling-Station-Id
    # RADIUS attributes.
    # station_id_with_port = yes

    # Dynamic Authorization Extension: every key is left at its default, in
    # particular 'enable' is not set, so no DAE listener is opened by this
    # template.
    dae {
        # Enables support for the Dynamic Authorization Extension (RFC 5176).
        # enable = no

        # Address to listen for DAE messages from the RADIUS server.
        # listen = 0.0.0.0

        # Port to listen for DAE requests.
        # port = 3799

        # Shared secret used to verify/sign DAE messages. If set, make sure to
        # adjust the permissions of the config file accordingly.
        # secret =
    }

    # No attribute forwarding is configured by this template.
    forward {
        # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
        # ike_to_radius =

        # Same as ike_to_radius but from RADIUS to IKEv2.
        # radius_to_ike =
    }

    # Section to specify multiple RADIUS servers.
    # One entry per configured server; entries marked 'disable' are skipped.
    # The entry name is the server address with '.' replaced by '-'. Only dots
    # are substituted - TODO confirm that other characters (e.g. ':' in an
    # IPv6 literal) either yield a valid section name for the strongswan.conf
    # parser or are rejected by the CLI before reaching this template.
    servers {
{% if remote_access.radius.server is vyos_defined %}
{%     for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %}
        {{ server | replace('.', '-') }} {
            address = {{ server }}
            # Shared secret rendered in clear text and unquoted: the rendered
            # file needs the restrictive permissions noted for 'secret' above.
            # NOTE(review): confirm the CLI rejects characters the
            # strongswan.conf parser treats specially (e.g. '#', whitespace).
            secret = {{ server_options.key }}
            auth_port = {{ server_options.port }}
{%         if server_options.disable_accounting is not vyos_defined %}
            # Accounting port is assumed to be the auth port + 1 (the usual
            # 1812/1813 pairing); it is not separately configurable here and
            # is omitted when disable_accounting is set.
            acct_port = {{ server_options.port | int + 1 }}
{%         endif %}
            # Fixed at 20 sockets per server (plugin default is 1, see
            # 'sockets' above); not configurable.
            sockets = 20
        }
{%     endfor %}
{% endif %}
    }

    # Section to configure multiple XAuth authentication rounds via RADIUS.
    # Left empty; no XAuth rounds are configured by this template.
    xauth {
    }
}