@ -19,20 +19,20 @@
# One entry must be listed per line, and 'ocpasswd' should be used
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries.
# to generate password entries.
#
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]:
# The radius option requires specifying freeradius-client configuration
# The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user will be overriden,
# file. If the groupconfig option is set, then config-per-user will be overriden,
# and all configuration will be read from radius. The supported atributes for
# and all configuration will be read from radius. The 'override-interim-updates' if set to
# radius configuration are:
# true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered.
# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,
# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
#
#
# gssapi[keytab=/etc/key.tab,require-local-user-map=false]
# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
# The gssapi option allows to use authentication methods supported by GSSAPI,
# The gssapi option allows to use authentication methods supported by GSSAPI,
# such as Kerberos tickets with ocserv. It should be best used as an alternative
# such as Kerberos tickets with ocserv. It should be best used as an alternative
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
# tickets and without tickets to login. The default value for require-local-user-map
# tickets and without tickets to login. The default value for require-local-user-map
# is true.
# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
# to have been issued within the provided number of seconds. That option is used to
# restrict logins even if the KDC provides long time TGT tickets.
auth = "pam"
auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "pam[gid-min=1000]"
@ -45,7 +45,7 @@ auth = "pam"
# will be sufficient to login.
# will be sufficient to login.
#enable-auth = certificate
#enable-auth = certificate
#enable-auth = gssapi
#enable-auth = gssapi
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true]"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
# Accounting methods available:
# Accounting methods available:
# pam: can only be combined with PAM authentication method, it provides
# pam: can only be combined with PAM authentication method, it provides
@ -245,6 +245,10 @@ auth-timeout = 40
# before being disconnected. Unset to disable.
# before being disconnected. Unset to disable.
#idle-timeout = 1200
#idle-timeout = 1200
# The time (in seconds) that a client is allowed to stay connected
# Unset to disable.
#session-timeout = 86400
# The time (in seconds) that a mobile client is allowed to stay idle (no
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
#mobile-idle-timeout = 2400
@ -283,6 +287,11 @@ ban-reset-time = 300
# between different networks.
# between different networks.
cookie-timeout = 300
cookie-timeout = 300
# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true
# Whether roaming is allowed, i.e., if true a cookie is
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# restricted to a single IP address and cannot be re-used
# from a different IP.
# from a different IP.
@ -290,7 +299,8 @@ deny-roaming = false
# ReKey time (in seconds)
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
rekey-time = 172800
# ReKey method
# ReKey method
@ -438,8 +448,9 @@ ping-leases = false
# per group. Each file name on these directories must match the username
# per group. Each file name on these directories must match the username
# or the groupname.
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route,
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
# net-priority, deny-roaming, no-udp, user-profile, and cgroup.
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# user-profile, cgroup, stats-report-time, and session-timeout.
#
#
# Note that the 'iroute' option allows to add routes on the server
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# based on a user or group. The syntax depends on the input accepted
@ -499,11 +510,6 @@ cisco-client-compat = true
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
user-profile = profile.xml
user-profile = profile.xml
# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment. Normally you don't need
# to use this option.
#binary-files = /path/to/binaries
#Advanced options
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# Option to allow sending arbitrary custom headers to the client after