netserver_appendix_1_6.0.0 [2014/06/03 21:39] ybarajas |
netserver_appendix_1_6.0.0 [2014/06/13 20:34] (current) bbullock |
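--- a/netserver_appendix_1_6.0.0
+++ b/netserver_appendix_1_6.0.0
@@ -0,0 +1,278 @@
+====== Sample ipassNS.properties File ======
+<code>
+# File: ipassNS.properties.example
+
+# Description: iPass NetServer configuration file.
+
+# Blank lines and lines beginning with # ignored.
+
+
+
+# This file contains a subset of the most commonly used properties.
+
+# For a complete listing of all available properties,
+# go to the directory <ns-home>/bin/ and execute the
+# command: "ipassconfig.csh -listall"
+
+# For a detailed description of a particular property,
+# go to the directory <ns-home>/bin/ and execute the
+# command: "ipassconfig.csh -help <property name>"
+
+
+# Your iPass Customer ID
+
+CustomerId=1
+
+
+
+# Configure RadiusClients
+
+###RadiusClient1=ipaddress=10.10.6.2,sharedsecret=testkey
+###RadiusClient2=ipaddress=10.10.50.19,sharedsecret=testkey
+
+
+
+# Configure MultiProvider
+# Determines if MultiProvider functionality is enabled.
+# If enabled, the CustomerId sent to iPass will be that of the RadiusClient
+# that the request came from.
+# If the CustomerId is not set in the RadiusClient info, the main
+# CustomerId of this server is used.
+# Eg: to set a customerId for a client using RadiusClient settings:
+# RadiusClient1=ipaddress=10.10.6.2,sharedsecret=testkey,CustomerId=111
+
+###MultiProvider=Yes
+
+
+# Mapping Realm to ProxyServer(s)
+
+
+RoutingRealm1=realm=IPASS,AuthServer=IpassServer,AcctServer=IpassServer,Strip=Yes
+RoutingRealm2=realm=IPASV,AuthServer=IpassServer,AcctServer=IpassServer,Strip=Yes
+##RoutingRealm3=realm=DEFAULT,AuthServer=IpassServer,AcctServer=IpassServer
+##RoutingRealm4=realm=NOREALM,AuthServer=ProxyAuthServer1,AcctServer=ProxyAcctServer1
+
+
+
+# Proxy Server settings
+# Protocol should be defaulted to Radius
+
+###ProxyAuthServer1=protocol=RADIUSProxy,ipaddress=127.0.0.1,port=1812,
+IdleTimeout=15000,sharedsecret=testkey
+###ProxyAcctServer1=protocol=RADIUSProxy,ipaddress=127.0.0.1,port=1813,
+IdleTimeout=15000,sharedsecret=testkey
+
+
+
+# Ipass Server (Transaction Server List)
+
+IpassServer1=IpAddress=auth7.ipass.com,Port=9101,KeyStoreProperty=KeyStore2
+IpassServer2=IpAddress=auth8.ipass.com,Port=9101,KeyStoreProperty=KeyStore2
+IpassServer3=IpAddress=auth-apac.ipass.com,Port=9101,KeyStoreProperty=KeyStore2
+IpassServer4=IpAddress=auth-sjc.ipass.com,Port=9101,KeyStoreProperty=KeyStore2
+
+
+
+
+# Auth, Acct, and Proxy Listener information.
+
+# Sample line:
+# Listener1= Port=<value>
+# Port - Port number to listen for iPass requests from.
+# Default is UDP port 11812/11813.
+
+
+
+Listener1=Type=Radius,Port=11812
+Listener2=Type=RadiusProxy,Port=11817
+Listener3=Type=SSLPost,Port=11811
+
+
+
+# IP Addresses, in X.X.X.X format, permitted to send control messages (such as
+# shutdown and restart) to this server. Multiple IPs can be specified. All
+# must be unique and contain the prefix ControlMessageIp.
+# By default, the local host and iPass Transaction Servers IP address
+# are already included.
+
+# Sample format:
+# ControlMessageIp1=555.555.555.555
+#
+
+
+
+# Debug level determines if debug and error messages are logged
+# to the event table.
+# Debug Level 0 - Only severe messages are logged
+# Debug Level 1 - Error messages are logged
+# Debug Level 2 - Error and Debug messages are logged
+# Debug Level 3 - Error, Debug, and Packet parsing information is logged
+# Debug Level 4 - Error, Debug, Packet parsing, and Packet dumping is logged
+# Debug Level 5 - Detailed Packet and debug information is logged
+
+# Note: Production servers should normally run with debug level 0 or 1.
+
+DebugLevel=0
+
+AutoUpload=yes
+UploadAtStartup=yes
+AutoUpdate=no
+
+# Allow Accounting Update Messages to Pass-through to TS
+AllowAcctUpdate=yes
+
+
+
+
+# EapMode determines if the NetServer will do early-termination
+# of EAP-TTLS requests. Primarily EAP-TTLS/PAP.
+# All other EAP types will be blocked unless otherwise configured to do so.
+# Default setting is: yes or true.
+
+EapMode=YES
+
+
+# EapNotification determines if the NetServer will send back
+# the Reply-Message(s) in EAP-Notification Requests prior to
+# sending back the final Radius Access-Accept/Access-Reject.
+# Default setting is: true
+
+EapNotification=NO
+
+
+# This feature is used in conjuction with the EapNotification feature.
+# It is used to filter which Reply-Message(s) can get sent back
+# as EAP-Notifications. It will check if any Reply-Messages begin
+# with the given FilterPrefix string.
+# FilterPrefix: The string to match at the beginning of the Reply-Message.
+# It is case insensitive.
+# KeepPrefix: Whether to keep that prefix attached to the Reply-Message
+# when sending back as an EAP-Notification.
+
+
+EapNotificationFilter1= FilterPrefix="Location=",KeepPrefix=YES
+
+# Tunneled EAP NAI Check
+# This function ensures the declared EAP Identity of an EAP-TTLS
+# request used in accounting without CUI, eventually contains within
+# the username@domain NAI of the Authorized Account negotiated with iPass
+# during secondary authentication phase. Prevents Tunnel Fraud.
+
+EapNaiCheck=true
+
+
+# EAP Early Termination
+# With EapMode enabled, the netserver offers native EAP-TTLS tunneling to
+# the iPass AAA fabric. The tunnel is protected by 2048-bit RSA encryption
+# secured by Thawte global. This provides a single trust point, EAP-Identity
+# Token and Authentication Method for a connection profile on any iPass enabled network.
+# The "inside" secondary auth method is performed with the Home AAA via the
+# TCP/SSL iPass Transaction Network (PAP, MSHCAPv2, GTC, TLS, EAP-SIM) by
+# support or preference behind the Roamserver. Suitable for fast roaming.
+
+
+
+EapEarlyTerminate=21
+
+# EAP Pass-Through Filters
+# If EapMode is yes, TTLS will never pass-through the Netserver. For default
+# pass-through, set EapMode=no. With EapMode Enabled, EapPassThroughAllow
+# specifies the EAP Protocol Id which are allowed to transact end-to-end
+# via the iPass Transaction Network. Additional Network Policies Apply.
+# End-to-end EAP Authentication methods can be prohibitively slow.
+
+
+# EapPassThroughAllow=4,6,13,23,25,43
+# EapPassThroughAllow=all
+# EapPassThroughDeny=nothing
+
+
+
+# CUI SETTINGS
+#
+# If EapNaiCheck is false, a supplier must support attribute 89
+# in all Radius Accounting. These settings enable reflection of
+# Chargeable-User-Identity Attribute 89 in all Access-Accept.
+# The value of the attribute is the accepted userid negotiated with iPass
+# Transaction Centers unless a CUI is returned by the Home AAA.
+
+
+CuiEnable=yes
+
+#
+# CuiHasEnable encodes the value of the CUI returned in an Access-Accept to
+# create a unique and anonymous identity hash of the user portion of the NAI.
+# This hash is reversable by iPass for billing correlation.
+
+CuiHashEnable=no
+
+
+#
+# CuiHashingStrategy sets the type of hashing strategy to be performed
+# on CUI hashing. That is, either the complete NAI or just the USER_NAME
+# in an NAI to be hashed.
+
+
+CuiHashingStrategy=USER_NAME
+
+# CuiAcctUserReplace retrieves the CUI from all Accounting messages and
+# replaces the Anonymous EAP Identity token used for routing the transaction in
+# the User-Name with the value of the CUI returned in the Access-Accept.
+# If CuiHashEnable is yes, CuiAcctUserReplace can optionally leave the User-Name
+# encoded for transmission to iPass for correlation by the Home AAA without CUI.
+
+
+# CuiAcctUserReplace1=Token=all,Decode=yes
+CuiAcctUserReplace1=Token="IPASS/user@ipass.com",Decode=yes
+CuiAcctUserReplace2=Token="user@ipass.com",Decode=Yes
+CuiAcctUserReplace3=Token="IPASS/user@ipass",Decode=yes
+CuiAcctUserReplace4=Token="user@ipass",Decode=Yes
+CuiAcctUserReplace5=Token="IPASS/anonymous@ipass.com",Decode=yes
+CuiAcctUserReplace6=Token="anonymous@ipass.com",Decode=yes
+CuiAcctUserReplace7=Token="IPASS/anonymous@ipass",Decode=yes
+CuiAcctUserReplace8=Token="anonymous@ipass,Decode=yes
+
+
+# CACHE DEFAULTS
+
+# Determines if the caching of successful authentication requests is enabled
+AuthCacheEnabled=True
+
+# Auth Cache. Limit by the number of users.
+AuthCacheSize=60
+
+# Auth Cache days Limit by the number of days in cache
+AuthCacheDays=1
+
+
+#Filesize rotation
+LocalAccounting=false
+AcctLogBackupType=MultipleWithTimestamp
+AcctLogRotationMaxSize=10240
+AcctLogRotationType=FileSize
+
+
+TraceLogBackupType=MultipleWithTimestamp
+#TraceLogRotationType=NumberOfHours
+#TraceLogRotationHours=24
+TraceLogRotationType=FileSize
+TraceLogRotationMaxSize=10240
+LogDirFileDeletionAge=120
+
+
+# Determines the Keystore which will be used for administrative purpose.
+# The configured KeyStore must be of KeyStoreType=ns
+
+AdminKeyStoreProperty=KeyStore2
+
+
+KeyStore1=KeyStoreType=eap,KeyStorePath=$ipass.server.home/certs/eapserver.keystore,
+KeyPassword=UfGjld0YWEUjEIZUnNvIsA==,KeyStorePassword=UfGjld0YWEUjEIZUnNvIsA=
+
+KeyStore2=KeyStoreType=ns,KeyStorePath=$ipass.server.home/certs/ns1.keystore
+
+</code>
+
+Go to: **[[dokuwiki_other|Other Product Documents]] > [[netserver_help_6.0.0|NetServer Admin Guide]]**
+
+{{tag>netserver}}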
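Review bot: `CuiAcctUserReplace8=Token="anonymous@ipass,Decode=yes` is missing the closing quote on its Token value, unlike the seven entries above it, so anyone copying this sample will most likely get either a parse error or a Token that absorbs `,Decode=yes`; it should read `CuiAcctUserReplace8=Token="anonymous@ipass",Decode=yes`. The `KeyStore1` entry publishes concrete `KeyPassword`/`KeyStorePassword` values in public documentation; a sample should carry an obviously fake placeholder so the documented value never ends up in a deployed keystore, and the two values also differ in trailing `=` padding, which looks like a copy truncation worth checking against the shipped example file. The `sharedsecret=testkey` values in the RadiusClient and ProxyServer examples, and the `CustomerId=1` line, likewise deserve an adjacent comment stating they are placeholders to be replaced, since the surrounding text never says so and the RADIUS shared secret is the only thing protecting those exchanges. Finally, the comment `# CuiHasEnable encodes the value of the CUI` names the property `CuiHasEnable` while the key below is `CuiHashEnable`; the comment should use the real key.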