Differences

netserver_appendix_1_6.0.0 [2014/06/11 17:28]
ybarajas
netserver_appendix_1_6.0.0 [2014/06/13 20:34] (current)
bbullock
Line 1: Line 1:
 +====== Sample ipassNS.properties File ======
  
 +<​code>​
 +# File: ipassNS.properties.example
 +
 +# Description:​ iPass NetServer configuration file.
 +
 +# Blank lines and lines beginning with # ignored.
 +
 +
 +
 +# This file contains a subset of the most commonly used properties.
 +
 +# For a complete listing of all available properties,
 +# go to the directory <​ns-home>/​bin/​ and execute the
 +# command: "​ipassconfig.csh -listall"​
 +
 +# For a detailed description of a particular property,
 +# go to the directory <​ns-home>/​bin/​ and execute the
 +# command: "​ipassconfig.csh -help <​property name>"​
 +
 +
 +# Your iPass Customer ID
 +
 +CustomerId=1
 +
 +
 +
 +# Configure RadiusClients
 +
 +###​RadiusClient1=ipaddress=10.10.6.2,​sharedsecret=testkey
 +###​RadiusClient2=ipaddress=10.10.50.19,​sharedsecret=testkey
 +
 +
 +
 +# Configure MultiProvider
 +# Determines if MultiProvider functionality is enabled.
 +# If enabled, the CustomerId sent to iPass will be that of the RadiusClient
 +# that the request came from.
 +# If the CustomerId is not set in the RadiusClient info, the main
 +# CustomerId of this server is used.
 +# Eg: to set a customerId for a client using RadiusClient settings:
 +# RadiusClient1=ipaddress=10.10.6.2,​sharedsecret=testkey,​CustomerId=111
 +
 +###​MultiProvider=Yes
 +
 +
 +# Mapping Realm to ProxyServer(s)
 +
 +
 +RoutingRealm1=realm=IPASS,​AuthServer=IpassServer,​AcctServer=IpassServer,​Strip=Yes
 +RoutingRealm2=realm=IPASV,​AuthServer=IpassServer,​AcctServer=IpassServer,​Strip=Yes
 +##​RoutingRealm3=realm=DEFAULT,​AuthServer=IpassServer,​AcctServer=IpassServer
 +##​RoutingRealm4=realm=NOREALM,​AuthServer=ProxyAuthServer1,​AcctServer=ProxyAcctServer1
 +
 +
 +
 +# Proxy Server settings
 +# Protocol should be defaulted to Radius
 +
 +###​ProxyAuthServer1=protocol=RADIUSProxy,​ipaddress=127.0.0.1,​port=1812,​
 +IdleTimeout=15000,​sharedsecret=testkey
 +###​ProxyAcctServer1=protocol=RADIUSProxy,​ipaddress=127.0.0.1,​port=1813,​
 +IdleTimeout=15000,​sharedsecret=testkey
 +
 +
 +
 +# Ipass Server (Transaction Server List)
 +
 +IpassServer1=IpAddress=auth7.ipass.com,​Port=9101,​KeyStoreProperty=KeyStore2
 +IpassServer2=IpAddress=auth8.ipass.com,​Port=9101,​KeyStoreProperty=KeyStore2
 +IpassServer3=IpAddress=auth-apac.ipass.com,​Port=9101,​KeyStoreProperty=KeyStore2
 +IpassServer4=IpAddress=auth-sjc.ipass.com,​Port=9101,​KeyStoreProperty=KeyStore2
 +
 +
 +
 +
 +# Auth, Acct, and Proxy Listener information.
 +
 +# Sample line:
 +# Listener1= Port=<​value>​
 +# Port - Port number to listen for iPass requests from.
 +# Default is UDP port 11812/​11813.
 +
 +
 +
 +Listener1=Type=Radius,​Port=11812
 +Listener2=Type=RadiusProxy,​Port=11817
 +Listener3=Type=SSLPost,​Port=11811
 +
 +
 +
 +# IP Addresses, in X.X.X.X format, permitted to send control messages (such as
 +#    shutdown and restart) to this server. Multiple IPs can be specified. All
 +#    must be unique and contain the prefix ControlMessageIp.
 +#    By default, the local host and iPass Transaction Servers IP address
 +#    are already included.
 +
 +# Sample format:
 +# ControlMessageIp1=555.555.555.555
 +#
 +
 +
 +
 +# Debug level determines if debug and error messages are logged
 +# to the event table.
 +#   Debug Level 0 - Only severe messages are logged
 +#   Debug Level 1 - Error messages are logged
 +#   Debug Level 2 - Error and Debug messages are logged
 +#   Debug Level 3 - Error, Debug, and Packet parsing information is logged
 +#   Debug Level 4 - Error, Debug, Packet parsing, and Packet dumping is logged
 +#   Debug Level 5 - Detailed Packet and debug information is logged
 +
 +# Note: Production servers should normally run with debug level 0 or 1.
 +
 +DebugLevel=0
 +
 +AutoUpload=yes
 +UploadAtStartup=yes
 +AutoUpdate=no
 +
 +# Allow Accounting Update Messages to Pass-through to TS
 +AllowAcctUpdate=yes
 +
 +
 +
 +
 +# EapMode determines if the NetServer will do early-termination
 +# of EAP-TTLS requests. Primarily EAP-TTLS/​PAP.
 +# All other EAP types will be blocked unless otherwise configured to do so.
 +# Default setting is: yes or true.
 +
 +EapMode=YES
 +
 +
 +# EapNotification determines if the NetServer will send back
 +# the Reply-Message(s) in EAP-Notification Requests prior to
 +# sending back the final Radius Access-Accept/​Access-Reject.
 +# Default setting is: true
 +
 +EapNotification=NO
 +
 +
 +# This feature is used in conjuction with the EapNotification feature.
 +# It is used to filter which Reply-Message(s) can get sent back
 +# as EAP-Notifications. It will check if any Reply-Messages begin
 +# with the given FilterPrefix string.
 +# FilterPrefix:​ The string to match at the beginning of the Reply-Message.
 +#               It is case insensitive.
 +# KeepPrefix: Whether to keep that prefix attached to the Reply-Message
 +#             when sending back as an EAP-Notification.
 +
 +
 +EapNotificationFilter1= FilterPrefix="​Location=",​KeepPrefix=YES
 +
 +# Tunneled EAP NAI Check
 +# This function ensures the declared EAP Identity of an EAP-TTLS
 +# request used in accounting without CUI, eventually contains within
 +# the username@domain NAI of the Authorized Account negotiated with iPass
 +# during secondary authentication phase. ​ Prevents Tunnel Fraud.
 +
 +EapNaiCheck=true
 +
 +
 +# EAP Early Termination
 +# With EapMode enabled, the netserver offers native EAP-TTLS tunneling to
 +# the iPass AAA fabric. ​ The tunnel is protected by 2048-bit RSA encryption
 +# secured by Thawte global. ​ This provides a single trust point, EAP-Identity
 +# Token and Authentication Method for a connection profile on any iPass enabled network.
 +# The "​inside"​ secondary auth method is performed with the Home AAA via the
 +# TCP/SSL iPass Transaction Network (PAP, MSHCAPv2, GTC, TLS, EAP-SIM) by
 +# support or preference behind the Roamserver. Suitable for fast roaming.
 +
 +
 +
 +EapEarlyTerminate=21
 +
 +# EAP Pass-Through Filters
 +# If EapMode is yes, TTLS will never pass-through the Netserver. ​ For default
 +# pass-through,​ set EapMode=no. With EapMode Enabled, EapPassThroughAllow
 +# specifies the EAP Protocol Id which are allowed to transact end-to-end
 +# via the iPass Transaction Network. ​ Additional Network Policies Apply.
 +# End-to-end EAP Authentication methods can be prohibitively slow.
 +
 +
 +# EapPassThroughAllow=4,​6,​13,​23,​25,​43
 +# EapPassThroughAllow=all
 +# EapPassThroughDeny=nothing
 +
 +
 +
 +# CUI SETTINGS
 +#
 +# If EapNaiCheck is false, a supplier must support attribute 89
 +# in all Radius Accounting. ​ These settings enable reflection of
 +# Chargeable-User-Identity Attribute 89 in all Access-Accept.
 +# The value of the attribute is the accepted userid negotiated with iPass
 +# Transaction Centers unless a CUI is returned by the Home AAA.
 +
 +
 +CuiEnable=yes
 +
 +#
 +# CuiHasEnable encodes the value of the CUI returned in an Access-Accept to
 +# create a unique and anonymous identity hash of the user portion of the NAI.
 +# This hash is reversable by iPass for billing correlation.
 +
 +CuiHashEnable=no
 +
 +
 +#
 +# CuiHashingStrategy sets the type of hashing strategy to be performed
 +# on CUI hashing. That is, either the complete NAI or just the USER_NAME
 +# in an NAI to be hashed.
 +
 +
 +CuiHashingStrategy=USER_NAME
 +
 +# CuiAcctUserReplace retrieves the CUI from all Accounting messages and
 +# replaces the Anonymous EAP Identity token used for routing the transaction in
 +# the User-Name with the value of the CUI returned in the Access-Accept.
 +# If CuiHashEnable is yes, CuiAcctUserReplace can optionally leave the User-Name
 +# encoded for transmission to iPass for correlation by the Home AAA without CUI.
 +
 +
 +# CuiAcctUserReplace1=Token=all,​Decode=yes
 +CuiAcctUserReplace1=Token="​IPASS/​user@ipass.com",​Decode=yes
 +CuiAcctUserReplace2=Token="​user@ipass.com",​Decode=Yes
 +CuiAcctUserReplace3=Token="​IPASS/​user@ipass",​Decode=yes
 +CuiAcctUserReplace4=Token="​user@ipass",​Decode=Yes
 +CuiAcctUserReplace5=Token="​IPASS/​anonymous@ipass.com",​Decode=yes
 +CuiAcctUserReplace6=Token="​anonymous@ipass.com",​Decode=yes
 +CuiAcctUserReplace7=Token="​IPASS/​anonymous@ipass",​Decode=yes
 +CuiAcctUserReplace8=Token="​anonymous@ipass,​Decode=yes
 +
 +
 +# CACHE DEFAULTS
 +
 +# Determines if the caching of successful authentication requests is enabled
 +AuthCacheEnabled=True
 +
 +# Auth Cache. Limit by the number of users.
 +AuthCacheSize=60
 +
 +# Auth Cache days Limit by the number of days in cache
 +AuthCacheDays=1
 +
 +
 +#Filesize rotation
 +LocalAccounting=false
 +AcctLogBackupType=MultipleWithTimestamp
 +AcctLogRotationMaxSize=10240
 +AcctLogRotationType=FileSize
 +
 +
 +TraceLogBackupType=MultipleWithTimestamp
 +#​TraceLogRotationType=NumberOfHours
 +#​TraceLogRotationHours=24
 +TraceLogRotationType=FileSize
 +TraceLogRotationMaxSize=10240
 +LogDirFileDeletionAge=120
 +
 +
 +# Determines the Keystore which will be used for administrative purpose.
 +# The configured KeyStore must be of KeyStoreType=ns
 +
 +AdminKeyStoreProperty=KeyStore2
 +
 +
 +KeyStore1=KeyStoreType=eap,​KeyStorePath=$ipass.server.home/​certs/​eapserver.keystore,​
 +KeyPassword=UfGjld0YWEUjEIZUnNvIsA==,​KeyStorePassword=UfGjld0YWEUjEIZUnNvIsA=  ​
 +
 +KeyStore2=KeyStoreType=ns,​KeyStorePath=$ipass.server.home/​certs/​ns1.keystore
 +
 +</​code>​
 +
 +Go to: **[[dokuwiki_other|Other Product Documents]] > [[netserver_help_6.0.0|NetServer Admin Guide]]** ​
 +
 +{{tag>​netserver}}
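Review bot: The `KeyStore1` sample at the end of the listing publishes what looks like a real encoded `KeyPassword`/`KeyStorePassword` value, and the two differ only by a trailing `=`, so one of them is probably truncated. A public sample should carry a placeholder such as `KeyPassword=<encoded-password>,KeyStorePassword=<encoded-password>`, and the value should be rotated if it matches any deployed keystore. That entry and the `ProxyAuthServer1`/`ProxyAcctServer1` examples are wrapped after a trailing comma, so a copied file would likely read `IdleTimeout=15000,sharedsecret=testkey` and `KeyPassword=...` as separate, uncommented properties; each definition should stay on one line. `CuiAcctUserReplace8` is missing the closing quote after `anonymous@ipass`, and the comment above `CuiHashEnable` spells the key `CuiHasEnable`. The `sharedsecret=testkey` examples would be safer as `sharedsecret=<unique-random-secret>`, with a comment that each RADIUS client needs its own strong secret.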
 
