author | Tobias Brunner <tobias@strongswan.org> | 2014-02-03 18:43:10 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2014-02-12 14:34:34 +0100 |
commit | 828815b0d829c8c9499bf3f6a1c7144611e200fc (patch) | |
tree | ac9f63323fd4568da2213dd7c59acd0ffa6159e9 /conf/plugins/eap-radius.opt | |
parent | da8b16a160542bf07da13fcf8a48bc035beb0782 (diff) | |
download | strongswan-828815b0d829c8c9499bf3f6a1c7144611e200fc.tar.bz2 strongswan-828815b0d829c8c9499bf3f6a1c7144611e200fc.tar.xz |
conf: Options of all plugins documented
Some options are still missing descriptions though.
Diffstat (limited to 'conf/plugins/eap-radius.opt')
-rw-r--r-- | conf/plugins/eap-radius.opt | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt new file mode 100644 index 000000000..be1d99f9d --- /dev/null +++ b/conf/plugins/eap-radius.opt 
@@ -0,0 +1,103 @@ +charon.plugins.eap-radius.accounting = no + Send RADIUS accounting information to RADIUS servers. + +charon.plugins.eap-radius.accounting_requires_vip = no + If enabled, accounting is disabled unless an IKE_SA has at least one + virtual IP. + +charon.plugins.eap-radius.class_group = no + Use class attributes in RADIUS-Accept messages as group membership + information. + + Use the _class_ attribute sent in the RADIUS-Accept message as group + membership information that is compared to the groups specified in the + **rightgroups** option in **ipsec.conf**(5). + +charon.plugins.eap-radius.close_all_on_timeout = no + Closes all IKE_SAs if communication with the RADIUS server times out. If it + is not set only the current IKE_SA is closed. + +charon.plugins.eap-radius.dae.enable = no + Enables support for the Dynamic Authorization Extension (RFC 5176). + +charon.plugins.eap-radius.dae.listen = 0.0.0.0 + Address to listen for DAE messages from the RADIUS server. + +charon.plugins.eap-radius.dae.port = 3799 + Port to listen for DAE requests. + +charon.plugins.eap-radius.dae.secret + Shared secret used to verify/sign DAE messages. + +charon.plugins.eap-radius.eap_start = no + Send EAP-Start instead of EAP-Identity to start RADIUS conversation. + +charon.plugins.eap-radius.filter_id = no + Use filter_id attribute as group membership information. + + If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use + the _filter_id_ attribute sent in the RADIUS-Accept message as group + membership information that is compared to the groups specified in the + **rightgroups** option in **ipsec.conf**(5). + +charon.plugins.eap-radius.forward.ike_to_radius + RADIUS attributes to be forwarded from IKEv2 to RADIUS. + + RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by + name or attribute number, a colon can be used to specify vendor-specific + attributes, e.g. Reply-Message, or 11, or 36906:12). 
+ +charon.plugins.eap-radius.forward.radius_to_ike = + Same as ike_to_radius but from RADIUS to IKEv2. + + Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to + IKEv2, a strongSwan specific private notify (40969) is used to transmit the + attributes. + +charon.plugins.eap-radius.id_prefix + Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the + EAP method. + +charon.plugins.eap-radius.nas_identifier = strongSwan + NAS-Identifier to include in RADIUS messages. + +charon.plugins.eap-radius.port = 1812 + Port of RADIUS server (authentication). + +charon.plugins.eap-radius.secret = + Shared secret between RADIUS and NAS. + +charon.plugins.eap-radius.server = + IP/Hostname of RADIUS server. + +charon.plugins.eap-radius.servers {} + Section to specify multiple RADIUS servers. + + Section to specify multiple RADIUS servers. The **nas_identifier**, + **secret**, **sockets** and **port** (or **auth_port**) options can be + specified for each server. A server's IP/Hostname can be configured using + the **address** option. The **acct_port** [1813] option can be used to + specify the port used for RADIUS accounting. For each RADIUS server a + priority can be specified using the **preference** [0] option. + +charon.plugins.eap-radius.sockets = 1 + Number of sockets (ports) to use, increase for high load. + +charon.plugins.eap-radius.xauth {} + Section to configure multiple XAuth authentication rounds via RADIUS. + + Section to configure multiple XAuth authentication rounds via RADIUS. + The subsections define so called authentication profiles with arbitrary + names. In each profile section one or more XAuth types can be configured, + with an assigned message. For each type a separate XAuth exchange will be + initiated and all replies get concatenated into the User-Password attribute, + which then gets verified over RADIUS. + + Available XAuth types are **password**, **passcode**, **nextpin**, and + **answer**. 
This type is not relevant to strongSwan or the AAA server, but + the client may show a different dialog (along with the configured message). + + To use the configured profiles, they have to be configured in the respective + connection in **ipsec.conf**(5) by appending the profile name, separated by + a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_ + or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_. |
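Review bot: The charon.plugins.eap-radius.dae.listen entry documents its default of 0.0.0.0 only as "Address to listen for DAE messages from the RADIUS server", which does not tell the reader that this value accepts DAE requests on every local IPv4 address once dae.enable is set. Suggest saying so in the description and recommending the address that faces the RADIUS server. Options without a default are also written inconsistently: dae.secret, forward.ike_to_radius and id_prefix have no "=", while forward.radius_to_ike, secret and server end in a bare "="; pick one form so the empty default is unambiguous. Wording nits: in the xauth section, "This type is not relevant to strongSwan or the AAA server" follows a list of four types, so it is unclear what "This type" refers to, and "XAauth backend" should read "XAuth backend"; in id_prefix, "a IMSI prefix" should be "an IMSI prefix".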