Configure a Linux Server to Connect to an RP Proxy

Once the Moonshot libraries have been installed on a server, they need to be configured to connect to a local Moonshot RP Proxy (a RADIUS server) over RADIUS or RadSec. This connection is the first hop between the service and the user's home IdP, and authentication cannot happen without it.

The configuration that specifies how to connect to a Moonshot RP Proxy lives in /etc/radsec.conf (on a fresh install this file does not exist, so you will need to create it). The connection can be either plain RADIUS or RadSec.

If you are unsure which to use, then RadSec is recommended as it is more flexible and more secure. It is slightly more complex to set up, however.

Configure RadSec

If you choose to use a RadSec connection to your Moonshot RP, then place the following content into /etc/radsec.conf:

realm gss-eap {
	type = "TLS"
	cacertfile = "$path_to_ca.pem"
	certfile = "$path_to_client.pem"
	certkeyfile = "$path_to_client.key"
	disable_hostname_check = yes
	server {
		hostname = "$hostname"
		service = "2083"
		secret = "radsec"
	}
}
Here, $hostname is the hostname of your local Moonshot RP Proxy, and $path_to_ca.pem, $path_to_client.pem and $path_to_client.key are the paths to the ca.pem, client.pem and client.key files that your Moonshot RP Proxy administrator has given you.

Configure RADIUS

If you choose to use a plain RADIUS connection to your Moonshot RP Proxy, then place the following content into /etc/radsec.conf:

realm gss-eap {
	type = "UDP"
	timeout = 5
	retries = 3
	server {
		hostname = "$hostname"
		service = "1812"
		secret = "$secret"
	}
}
Here, $hostname is the hostname of your local Moonshot RP Proxy, and $secret is the shared secret that your Moonshot RP Proxy administrator has given you.
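Both templates above are easy to leave half-edited: a placeholder such as $hostname or $path_to_ca.pem still in the file, a certificate path that does not exist, or a client key readable by every local user. The following added example (not part of Moonshot or its documentation) parses the small subset of the radsec.conf grammar used on this page, the nested realm/server blocks with key = value lines, and reports such problems for both the RadSec and the RADIUS variant. It assumes nothing beyond what is on the page except for two constructed samples: the RadSec template with its placeholders left in, and a filled-in RADIUS realm pointing at a made-up proxy hostname and secret. The base_dir parameter is an assumption of this example so the file checks can be run against a staging copy of the certificate files. Note that disable_hostname_check = yes, as in the RadSec template, means the proxy's certificate is not matched against $hostname, so trust in the proxy rests entirely on the CA in ca.pem; the checker reports this as informational rather than as an error.

```python
import os
import re
import stat

_OPEN = re.compile(r'^(realm|server)\s*(\S*)\s*\{$')
_ASSIGN = re.compile(r'^([A-Za-z_]+)\s*=\s*"?([^"]*?)"?$')


def parse_radsec_conf(text):
    """Return {realm_name: {key: value, ..., "server": {key: value}}}.

    Only the subset of radsec.conf shown on this page is handled: realm and
    server blocks delimited by braces, and one `key = value` per line.
    """
    realms, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            block = {}
            if m.group(1) == "realm":
                realms[m.group(2)] = block
            elif stack:
                stack[-1]["server"] = block
            else:
                raise ValueError("server block outside a realm")
            stack.append(block)
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        m = _ASSIGN.match(line)
        if not (m and stack):
            raise ValueError("unparseable line: %r" % raw)
        stack[-1][m.group(1)] = m.group(2)
    if stack:
        raise ValueError("unbalanced braces at end of file")
    return realms


def _is_placeholder(value):
    """True for a missing value or one still in the page's $name form."""
    return not value or value.startswith("$")


def check_realm(realm, base_dir="/"):
    """Return [(severity, message), ...] for one parsed realm block."""
    findings = []
    server = realm.get("server", {})
    rtype = realm.get("type", "").upper()
    if _is_placeholder(server.get("hostname")):
        findings.append(("error", "server hostname is missing or still a placeholder"))
    if rtype == "TLS":
        if server.get("secret") != "radsec":
            findings.append(("warn", "RadSec uses the fixed shared secret 'radsec' (RFC 6614)"))
        for key in ("cacertfile", "certfile", "certkeyfile"):
            path = realm.get(key)
            if _is_placeholder(path):
                findings.append(("error", "%s is missing or still a placeholder" % key))
                continue
            full = os.path.join(base_dir, path.lstrip("/"))   # base_dir: staging prefix (assumed)
            if not os.path.isfile(full):
                findings.append(("error", "%s does not exist: %s" % (key, path)))
            elif key == "certkeyfile" and os.stat(full).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(("warn", "%s is readable by group or others: %s" % (key, path)))
        if realm.get("disable_hostname_check", "no").lower() == "yes":
            findings.append(("info", "disable_hostname_check=yes: proxy identity rests on the CA alone"))
    elif rtype == "UDP":
        secret = server.get("secret")
        if _is_placeholder(secret):
            findings.append(("error", "RADIUS shared secret is missing or still a placeholder"))
        elif len(secret) < 16:
            findings.append(("warn", "RADIUS shared secret is shorter than 16 characters"))
    else:
        findings.append(("error", "unknown realm type %r (expected TLS or UDP)" % rtype))
    return findings


def check_conf(text, base_dir="/"):
    """Parse text and return findings for every realm, keyed by realm name."""
    return {name: check_realm(realm, base_dir) for name, realm in parse_radsec_conf(text).items()}


# Constructed samples: the page's RadSec template (placeholders left in) and a
# RADIUS realm filled in with a made-up proxy hostname and a made-up secret.
SAMPLE_TLS = """realm gss-eap {
	type = "TLS"
	cacertfile = "$path_to_ca.pem"
	certfile = "$path_to_client.pem"
	certkeyfile = "$path_to_client.key"
	disable_hostname_check = yes
	server {
		hostname = "$hostname"
		service = "2083"
		secret = "radsec"
	}
}
"""
SAMPLE_UDP = """realm gss-eap {
	type = "UDP"
	timeout = 5
	retries = 3
	server {
		hostname = "rp-proxy.example.org"   # constructed hostname
		service = "1812"
		secret = "4nq7Vb2xLp9sT0wE"          # constructed 16-character secret
	}
}
"""

if __name__ == "__main__":
    for label, text in (("RadSec template", SAMPLE_TLS), ("RADIUS", SAMPLE_UDP)):
        for name, findings in check_conf(text).items():
            print("%s realm %s: %d finding(s)" % (label, name, len(findings)))
            for severity, message in findings:
                print("  [%s] %s" % (severity, message))
```

Run it against the real file with check_conf(open("/etc/radsec.conf").read()) after editing; an empty findings list for the realm means every placeholder has been replaced and, for RadSec, all three certificate files are present and the key is private to its owner.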