Radcli library 1.5.2
A simple radius library
radiusclient-tls.conf

This is a configuration file with TLS enabled.

# RADIUS settings
# The name used to identify this NAS (server). If set, it is sent in the
# NAS-Identifier attribute.
#nas-identifier my-server-name
# Override the IP (or IPv6) address of the NAS.
#nas-ip 10.100.5.3
#nas-ip ::1
# RADIUS server to use for authentication and accounting requests.
# Specify as host:port. For IPv6 use '[IPv6]:port'.
# More than one server may be given as a comma-separated list for failover.
#
authserver localhost:2083
#authserver 127.1.1.1:9999,172.17.0.1
# Under TLS/DTLS, both authentication and accounting traffic share the same
# connection to authserver; this acctserver directive is ignored.
#acctserver localhost:2083
# Dictionary of vendor-specific attributes. Standard RFC 2865/2866/2869
# attributes are built into the library and do not require this option.
# Only set this if your server uses vendor-specific attributes (VSAs)
# not covered by the built-in dictionary.
#dictionary /usr/local/etc/radcli/dictionary
# Default authentication realm appended to usernames that contain no realm.
# Leave blank to send usernames as-is.
default_realm
# Time in seconds to wait for a reply from the RADIUS server.
# Note: the total wait time before a request fails is
# radius_timeout × radius_retries.
radius_timeout 10
# Number of times to resend a request to a server before trying the next one.
radius_retries 3
# Local address from which RADIUS packets are sent.
# Use * to let the OS choose the source address (recommended).
bindaddr *
# Namespace in which all Radcli sockets are opened. This has the same effect
# as running Radcli inside that namespace.
# If commented out, the default (existing) namespace is used.
#namespace namespace-name
# Use a non-temporary IPv6 source address. This is an IPv6-only option and is
# relevant only when IPv6 Privacy Extensions are enabled on the system.
# If set to "true", RADIUS packets are sent from the IPv6 global address
# rather than a temporary address. If commented out, temporary IPv6 addresses
# are used as the source address of the packets sent.
#use-public-addr true
# ---------------------------------------------------------------------------
# TLS/DTLS settings
# ---------------------------------------------------------------------------
# Transport protocol: 'tls' for RADIUS/TLS over TCP (RFC 6614), or
# 'dtls' for RADIUS/DTLS over UDP (RFC 7360).
serv-type tls
# --- Authentication: choose one of the two options below ---
# Option 1 (recommended): X.509 certificate authentication.
# This is the standard method supported by most TLS-capable RADIUS servers
# (e.g. FreeRADIUS, radsecproxy). Provide the CA certificate that signed the
# server's certificate, and a client certificate/key pair to identify this NAS.
# The private key in tls-key-file is what authenticates this NAS; keep that
# file readable only by the account that runs the client.
tls-ca-file /usr/local/etc/radcli/ca.pem
tls-cert-file /usr/local/etc/radcli/cert.pem
tls-key-file /usr/local/etc/radcli/key.pem
# Option 2: Pre-Shared Key (PSK) authentication.
# Use only if your server explicitly supports PSK (RFC 6614 §2.3).
# PSK is uncommon; if in doubt, use Option 1 above.
# When using PSK: remove the tls-ca-file/tls-cert-file/tls-key-file lines
# above and use one of the following instead:
#
# Inline in the authserver line (replaces the authserver entry above).
# Note that this form stores the key in this configuration file:
#authserver localhost:2083:psk@username@hexkey
#
# Or via a separate credentials file (one entry per line:
# hostname psk:user:hexkey), which keeps the key out of this file and lets
# it be protected with tighter file permissions:
#servers /usr/local/etc/radcli/servers-tls
# ---------------------------------------------------------------------------
# Disable verification of the server's hostname against its certificate.
# For debugging only: with the name check disabled, a certificate the client
# otherwise trusts is accepted for this server regardless of the name it was
# issued for. Do not use in production.
#tls-verify-hostname false
# Require the Message-Authenticator attribute in received responses.
# Mandated by draft-ietf-radext-deprecating-radius as a mitigation for
# CVE-2024-3596 (BLAST RADIUS). Enabled by default; the commented-out line
# below only illustrates the non-default value. Set it to 'no' solely when
# communicating with legacy servers that do not send this attribute.
#require-message-authenticator no