Ceptor Docs


Property

Value

authentication.listenport

<Port number>

The port number that the radius server should use for listening to authentication requests. Example is 1812

Default value is 1812

authentication.listenaddress

<IP address>

The address that the radius server should use to listen for authentication requests. Example is 10.10.1.120

No default value

accounting.listenport

<Port number>

The port number that the radius server should use for listening to accounting requests. Example is 1813

Default value is 1813

accounting.listenaddress

<IP address>

The address that the radius server should use to listen for accounting requests. Example is 10.10.1.120

No default value

sockettimeout

<timeout in ms>

The socket timeout while listening for RADIUS packets. This timeout value applies to both the accounting and authentication sockets.

Default value is 3000

duplicatetimer

<time value in ms>

The number of milliseconds that received packets are stored so that incoming packets can be checked against them for duplicates.

Default value is 30000

duplicatecount

<number of packages>

The number of received packets to store for duplicate checking.

Default value is 5000

authtype.pap

<authentication plugin ID>

The ID of the authentication plugin used to verify PAP authentication requests. Example value is 9 (typically the user administration authentication plugin) or 43 (Ceptor user administration login that also provides SMS OTP codes).

9 - Ceptor user administration login

authtype.chap

<authentication plugin ID>

Note: CHAP login has not yet been verified with Ceptor.

The ID of the authentication plugin used to verify CHAP authentication requests. Example value is 9 (typically the user administration authentication plugin).

9 - Ceptor user administration login

authtype.challenge

<authentication plugin ID>

The ID of the authentication plugin used to verify the challenge for two-factor logins. An example value could be 43 (SMS OTP using the Ceptor user administration server for password validation).

No default value

authentication.challenge

<String>

The challenge text shown to the user during a two-factor login. The challenge can also be set by the authentication plugin; if it is set there, this value is not used.

Default value is: "Please enter a valid challenge: "

authentication.twofactor

true / false

Set this value to true if the primary authentication plugin (PAP or CHAP) does not support validating the password but can instead issue a new token through the "newToken" method (for example the Google Authenticator plugin). The password will then be validated together with the challenge token.

Default value is false

sharedsecret.x

<shared secret for IP addresses>

X is a number between 1 and 512

This value defines a shared secret for a series of IP addresses (those sending the authentication packets). One or more IP addresses can be given per entry. Examples are:

10.1.32.100,10.2.64.100=super123secret
127.0.0.1=another22super33secret

An IP address with the value * can be given; this secret will be used if the sending IP address is not defined. If this is not defined, the packet will be ignored!

Secrets can be encrypted using PortalProtect PasswordUtil (see documentation elsewhere). These are then stored here in encoded, RSA, AES or 3DES form.

No default value
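The lookup rule described for sharedsecret.x (exact sender IP first, then the * entry, otherwise the packet is ignored) can be checked against a configuration before deployment. The following is an added example, not Ceptor code: the dict-of-properties input, the function names, the split on the first "=" and the constructed wildcard and out-of-range entries are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the two example values from the page plus two constructed entries.
SAMPLE_PROPS = {
    "sharedsecret.1": "10.1.32.100,10.2.64.100=super123secret",
    "sharedsecret.2": "127.0.0.1=another22super33secret",
    "sharedsecret.3": "*=constructed-fallback-secret",
    "sharedsecret.600": "10.9.9.9=constructed-out-of-range",
}

_KEY = re.compile(r"^sharedsecret\.(\d+)$")

def parse_shared_secrets(props):
    """Return ({ip: secret}, wildcard_secret_or_None, [problems])."""
    by_ip, wildcard, problems = {}, None, []
    for key, value in sorted(props.items()):
        m = _KEY.match(key)
        if not m:
            continue  # not a sharedsecret.x property
        if not 1 <= int(m.group(1)) <= 512:
            problems.append(f"{key}: index outside 1..512")
            continue
        # Assumption: split on the FIRST '=' so an encoded secret may contain '='.
        addrs, sep, secret = value.partition("=")
        if not sep or not secret:
            problems.append(f"{key}: missing '=secret'")
            continue
        for addr in (a.strip() for a in addrs.split(",")):
            if addr == "*":
                wildcard = secret  # used for any sender not listed explicitly
                continue
            try:
                ip = str(ipaddress.ip_address(addr))
            except ValueError:
                problems.append(f"{key}: bad IP address {addr!r}")
                continue
            if ip in by_ip:
                problems.append(f"{key}: {ip} already has a secret")
            by_ip[ip] = secret
    return by_ip, wildcard, problems

def secret_for(sender_ip, by_ip, wildcard):
    """Secret for a sending client, or None when its packet would be ignored."""
    return by_ip.get(str(ipaddress.ip_address(sender_ip)), wildcard)
```

A `None` result from `secret_for` corresponds to the "packet will be ignored" case; a non-`None` wildcard means every unlisted sender shares one secret.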

packet.debug

true / false

If set to true, all received and sent packets will be logged at info level to the log file.

Default value is false

username.sessionid

<true | false>

Set this value to tell the RADIUS server to append the PP session ID in the USER field on reply packets of type ACCEPT. This is not supported by all RADIUS clients, but those that do support it will either send the session ID back in upcoming accounting requests (allowing for better logging!) or just ignore the field altogether.

Default value is false

clientsessions.maxcount

<number of sessions>

Number of client sessions to store in the RADIUS server. Since RADIUS clients are allowed to present their own "session identifier" to the RADIUS server, these are stored with their corresponding PP session ID in the RADIUS server. This defines how many will be stored.

Default value is 100000

clientsessions.timetolive

<Time to live in seconds>

Defines the time to live for client sessions from radius clients. After this time they will be removed if there is not enough space for more client sessions

Default value is 5

clientsessions.forcetimeout

<Force timeout in seconds>

Defines the force timeout for client sessions from radius clients. After this time they will be removed if not heard from

Default value is 30

ppsessions.maxcount

<number of sessions>

Number of PP sessions to store in the RADIUS server, which are used for STATE packets sent to clients when doing two-factor logins. This defines how many will be stored awaiting the second part of the login message from the client.

Default value is 100000

ppsessions.timetolive

<Time to live in seconds>

Defines the time to live for PP sessions for STATE packets. After this time they will be removed if there is not enough space for more PP sessions.

Default value is 5

ppsessions.forcetimeout

<Force timeout in seconds>

Defines the force timeout for PP sessions for STATE packets. After this time they will be removed if not heard from.

Default value is 30

threadpool.size

<number, between 1 and 4096>

Defines the number of threads in the thread pool that can handle packets received from clients. This is also the maximum number of concurrent authentications that can be done at a time.

Default value is 100.

accounting.script

<Script - javascript, python or groovy>

Script code that is run to process a received accounting request packet.

authentication.script

<Script - javascript, python or groovy>

Authentication script that is run when an access request packet is received from a client - see Ceptor RADIUS Server for more information.

If a script is specified, it overrides the other options for authtype.pap, authtype.challenge etc.