Chetan Gaonker | 7f4bf74 | 2016-05-04 15:56:08 -0700 | [diff] [blame] | 1 | # -*- text -*- |
| 2 | ## |
| 3 | ## proxy.conf -- proxy radius and realm configuration directives |
| 4 | ## |
| 5 | ## $Id: ae8fedf199ad3ec6197dee75db11769aafa88d07 $ |
| 6 | |
| 7 | ####################################################################### |
| 8 | # |
| 9 | # Proxy server configuration |
| 10 | # |
| 11 | # This entry controls the servers behaviour towards ALL other servers |
| 12 | # to which it sends proxy requests. |
| 13 | # |
| 14 | proxy server { |
| 15 | # |
| 16 | # Note that as of 2.0, the "synchronous", "retry_delay", |
| 17 | # "retry_count", and "dead_time" have all been deprecated. |
| 18 | # For backwards compatibility, they are are still accepted |
| 19 | # by the server, but they ONLY apply to the old-style realm |
| 20 | # configuration. i.e. realms with "authhost" and/or "accthost" |
| 21 | # entries. |
| 22 | # |
| 23 | # i.e. "retry_delay" and "retry_count" have been replaced |
| 24 | # with per-home-server configuration. See the "home_server" |
| 25 | # example below for details. |
| 26 | # |
| 27 | # i.e. "dead_time" has been replaced with a per-home-server |
| 28 | # "revive_interval". We strongly recommend that this not |
| 29 | # be used, however. The new method is much better. |
| 30 | |
| 31 | # |
| 32 | # In 2.0, the server is always "synchronous", and setting |
| 33 | # "synchronous = no" is impossible. This simplifies the |
| 34 | # server and increases the stability of the network. |
| 35 | # However, it means that the server (i.e. proxy) NEVER |
| 36 | # originates packets. It proxies packets ONLY when it receives |
| 37 | # a packet or a re-transmission from the NAS. If the NAS never |
| 38 | # re-transmits, the proxy never re-transmits, either. This can |
| 39 | # affect fail-over, where a packet does *not* fail over to a |
| 40 | # second home server.. because the NAS never retransmits the |
| 41 | # packet. |
| 42 | # |
| 43 | # If you need to set "synchronous = no", please send a |
| 44 | # message to the list <freeradius-users@lists.freeradius.org> |
| 45 | # explaining why this feature is vital for your network. |
| 46 | |
| 47 | # |
| 48 | # If a realm exists, but there are no live home servers for |
| 49 | # it, we can fall back to using the "DEFAULT" realm. This is |
| 50 | # most useful for accounting, where the server can proxy |
| 51 | # accounting requests to home servers, but if they're down, |
| 52 | # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL), |
| 53 | # and then store the packets in the "detail" file. That data |
| 54 | # can be later proxied to the home servers by radrelay, when |
| 55 | # those home servers come back up again. |
| 56 | |
| 57 | # Setting this to "yes" may have issues for authentication. |
| 58 | # i.e. If you are proxying for two different ISP's, and then |
| 59 | # act as a general dial-up for Gric. If one of the first two |
| 60 | # ISP's has their RADIUS server go down, you do NOT want to |
| 61 | # proxy those requests to GRIC. Instead, you probably want |
| 62 | # to just drop the requests on the floor. In that case, set |
| 63 | # this value to 'no'. |
| 64 | # |
| 65 | # allowed values: {yes, no} |
| 66 | # |
| 67 | default_fallback = no |
| 68 | |
| 69 | } |
| 70 | |
| 71 | ####################################################################### |
| 72 | # |
| 73 | # Configuration for the proxy realms. |
| 74 | # |
| 75 | # As of 2.0. the old-style "realms" file is deprecated, and is not |
| 76 | # used by FreeRADIUS. |
| 77 | # |
| 78 | # As of 2.0, the "realm" configuration has changed. Instead of |
| 79 | # specifying "authhost" and "accthost" in a realm section, the home |
| 80 | # servers are specified separately in a "home_server" section. For |
| 81 | # backwards compatibility, you can still use the "authhost" and |
| 82 | # "accthost" directives. If you only have one home server for a |
| 83 | # realm, it is easier to use the old-style configuration. |
| 84 | # |
| 85 | # However, if you have multiple servers for a realm, we STRONGLY |
| 86 | # suggest moving to the new-style configuration. |
| 87 | # |
| 88 | # |
| 89 | # Load-balancing and failover between home servers is handled via |
| 90 | # a "home_server_pool" section. |
| 91 | # |
| 92 | # Finally, The "realm" section defines the realm, some options, and |
| 93 | # indicates which server pool should be used for the realm. |
| 94 | # |
| 95 | # This change means that simple configurations now require multiple |
| 96 | # sections to define a realm. However, complex configurations |
| 97 | # are much simpler than before, as multiple realms can share the same |
| 98 | # server pool. |
| 99 | # |
| 100 | # That is, realms point to server pools, and server pools point to |
| 101 | # home servers. Multiple realms can point to one server pool. One |
| 102 | # server pool can point to multiple home servers. Each home server |
| 103 | # can appear in one or more pools. |
| 104 | # |
| 105 | |
| 106 | ###################################################################### |
| 107 | # |
| 108 | # This section defines a "Home Server" which is another RADIUS |
| 109 | # server that gets sent proxied requests. In earlier versions |
| 110 | # of FreeRADIUS, home servers were defined in "realm" sections, |
| 111 | # which was awkward. In 2.0, they have been made independent |
| 112 | # from realms, which is better for a number of reasons. |
| 113 | # |
| 114 | home_server localhost { |
| 115 | # |
| 116 | # Home servers can be sent Access-Request packets |
| 117 | # or Accounting-Request packets. |
| 118 | # |
| 119 | # Allowed values are: |
| 120 | # auth - Handles Access-Request packets |
| 121 | # acct - Handles Accounting-Request packets |
| 122 | # auth+acct - Handles Access-Request packets at "port", |
| 123 | # and Accounting-Request packets at "port + 1" |
| 124 | # coa - Handles CoA-Request and Disconnect-Request packets. |
| 125 | # See also raddb/sites-available/originate-coa |
| 126 | type = auth |
| 127 | |
| 128 | # |
| 129 | # Configure ONE OF the following entries: |
| 130 | # |
| 131 | # IPv4 address |
| 132 | # |
| 133 | ipaddr = 127.0.0.1 |
| 134 | |
| 135 | # OR IPv6 address |
| 136 | # ipv6addr = ::1 |
| 137 | |
| 138 | # OR virtual server |
| 139 | # virtual_server = foo |
| 140 | |
| 141 | # Note that while both ipaddr and ipv6addr will accept |
| 142 | # both addresses and host names, we do NOT recommend |
| 143 | # using host names. When you specify a host name, the |
| 144 | # server has to do a DNS lookup to find the IP address |
| 145 | # of the home server. If the DNS server is slow or |
| 146 | # unresponsive, it means that FreeRADIUS will NOT be |
| 147 | # able to determine the address, and will therefore NOT |
| 148 | # start. |
| 149 | # |
| 150 | # Also, the mapping of host name to address is done ONCE |
| 151 | # when the server starts. If DNS is later updated to |
| 152 | # change the address, FreeRADIUS will NOT discover that |
| 153 | # until after a re-start, or a HUP. |
| 154 | # |
| 155 | # If you specify a virtual_server here, then requests |
| 156 | # will be proxied internally to that virtual server. |
| 157 | # These requests CANNOT be proxied again, however. The |
| 158 | # intent is to have the local server handle packets |
| 159 | # when all home servers are dead. |
| 160 | # |
| 161 | # Requests proxied to a virtual server will be passed |
| 162 | # through the pre-proxy and post-proxy sections, just |
| 163 | # like any other request. See also the sample "realm" |
| 164 | # configuration, below. |
| 165 | # |
| 166 | # None of the rest of the home_server configuration is used |
| 167 | # for the "virtual_server" configuration. |
| 168 | |
| 169 | # |
| 170 | # The port to which packets are sent. |
| 171 | # |
| 172 | # Usually 1812 for type "auth", and 1813 for type "acct". |
| 173 | # Older servers may use 1645 and 1646. |
| 174 | # Use 3799 for type "coa" |
| 175 | # |
| 176 | port = 1812 |
| 177 | |
| 178 | # |
| 179 | # The transport protocol. |
| 180 | # |
| 181 | # If unspecified, defaults to "udp", which is the traditional |
| 182 | # RADIUS transport. It may also be "tcp", in which case TCP |
| 183 | # will be used to talk to this home server. |
| 184 | # |
| 185 | # When home servers are put into pools, the pool can contain |
| 186 | # home servers with both UDP and TCP transports. |
| 187 | # |
| 188 | #proto = udp |
| 189 | |
| 190 | # |
| 191 | # The shared secret use to "encrypt" and "sign" packets between |
| 192 | # FreeRADIUS and the home server. |
| 193 | # |
| 194 | # The secret can be any string, up to 8k characters in length. |
| 195 | # |
| 196 | # Control codes can be entered vi octal encoding, |
| 197 | # e.g. "\101\102" == "AB" |
| 198 | # Quotation marks can be entered by escaping them, |
| 199 | # e.g. "foo\"bar" |
| 200 | # Spaces or other "special" characters can be entered |
| 201 | # by putting quotes around the string. |
| 202 | # e.g. "foo bar" |
| 203 | # "foo;bar" |
| 204 | # |
| 205 | secret = testing123 |
| 206 | |
| 207 | ############################################################ |
| 208 | # |
| 209 | # The rest of the configuration items listed here are optional, |
| 210 | # and do not have to appear in every home server definition. |
| 211 | # |
| 212 | ############################################################ |
| 213 | |
| 214 | # |
| 215 | # You can optionally specify the source IP address used when |
| 216 | # proxying requests to this home server. When the src_ipaddr |
| 217 | # it set, the server will automatically create a proxy |
| 218 | # listener for that IP address. |
| 219 | # |
| 220 | # If you specify this field for one home server, you will |
| 221 | # likely need to specify it for ALL home servers. |
| 222 | # |
| 223 | # If you don't care about the source IP address, leave this |
| 224 | # entry commented. |
| 225 | # |
| 226 | # src_ipaddr = 127.0.0.1 |
| 227 | |
| 228 | # |
| 229 | # If the home server does not respond to a request within |
| 230 | # this time, this server will initiate "zombie_period". |
| 231 | # |
| 232 | # The response window is large because responses MAY be slow, |
| 233 | # especially when proxying across the Internet. |
| 234 | # |
| 235 | # Useful range of values: 5 to 60 |
| 236 | response_window = 20 |
| 237 | |
| 238 | # |
| 239 | # If you want the old behaviour of the server rejecting |
| 240 | # proxied requests after "response_window" timeout, set |
| 241 | # the following configuration item to "yes". |
| 242 | # |
| 243 | # This configuration WILL be removed in a future release |
| 244 | # If you believe you need it, email the freeradius-users |
| 245 | # list, and explain why it should stay in the server. |
| 246 | # |
| 247 | # no_response_fail = no |
| 248 | |
| 249 | # |
| 250 | # If the home server does not respond to ANY packets during |
| 251 | # the "zombie period", it will be considered to be dead. |
| 252 | # |
| 253 | # A home server that is marked "zombie" will be used for |
| 254 | # proxying as a low priority. If there are live servers, |
| 255 | # they will always be preferred to a zombie. Requests will |
| 256 | # be proxied to a zombie server ONLY when there are no |
| 257 | # live servers. |
| 258 | # |
| 259 | # Any request that is proxied to a home server will continue |
| 260 | # to be sent to that home server until the home server is |
| 261 | # marked dead. At that point, it will fail over to another |
| 262 | # server, if a live server is available. If none is available, |
| 263 | # then the "post-proxy-type fail" handler will be called. |
| 264 | # |
| 265 | # If "status_check" below is something other than "none", then |
| 266 | # the server will start sending status checks at the start of |
| 267 | # the zombie period. It will continue sending status checks |
| 268 | # until the home server is marked "alive". |
| 269 | # |
| 270 | # Useful range of values: 20 to 120 |
| 271 | zombie_period = 40 |
| 272 | |
| 273 | ############################################################ |
| 274 | # |
| 275 | # As of 2.0, FreeRADIUS supports RADIUS layer "status |
| 276 | # checks". These are used by a proxy server to see if a home |
| 277 | # server is alive. |
| 278 | # |
| 279 | # These status packets are sent ONLY if the proxying server |
| 280 | # believes that the home server is dead. They are NOT sent |
| 281 | # if the proxying server believes that the home server is |
| 282 | # alive. They are NOT sent if the proxying server is not |
| 283 | # proxying packets. |
| 284 | # |
| 285 | # If the home server responds to the status check packet, |
| 286 | # then it is marked alive again, and is returned to use. |
| 287 | # |
| 288 | ############################################################ |
| 289 | |
| 290 | # |
| 291 | # Some home servers do not support status checks via the |
| 292 | # Status-Server packet. Others may not have a "test" user |
| 293 | # configured that can be used to query the server, to see if |
| 294 | # it is alive. For those servers, we have NO WAY of knowing |
| 295 | # when it becomes alive again. Therefore, after the server |
| 296 | # has been marked dead, we wait a period of time, and mark |
| 297 | # it alive again, in the hope that it has come back to |
| 298 | # life. |
| 299 | # |
| 300 | # If it has NOT come back to life, then FreeRADIUS will wait |
| 301 | # for "zombie_period" before marking it dead again. During |
| 302 | # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because |
| 303 | # the home server is still dead. There is NOTHING that can |
| 304 | # be done about this, other than to enable the status checks, |
| 305 | # as documented below. |
| 306 | # |
| 307 | # e.g. if "zombie_period" is 40 seconds, and "revive_interval" |
| 308 | # is 300 seconds, the for 40 seconds out of every 340, or about |
| 309 | # 10% of the time, all authentications will fail. |
| 310 | # |
| 311 | # If the "zombie_period" and "revive_interval" configurations |
| 312 | # are set smaller, than it is possible for up to 50% of |
| 313 | # authentications to fail. |
| 314 | # |
| 315 | # As a result, we recommend enabling status checks, and |
| 316 | # we do NOT recommend using "revive_interval". |
| 317 | # |
| 318 | # The "revive_interval" is used ONLY if the "status_check" |
| 319 | # entry below is "none". Otherwise, it will not be used, |
| 320 | # and should be deleted. |
| 321 | # |
| 322 | # Useful range of values: 60 to 3600 |
| 323 | revive_interval = 120 |
| 324 | |
| 325 | # |
| 326 | # The proxying server (i.e. this one) can do periodic status |
| 327 | # checks to see if a dead home server has come back alive. |
| 328 | # |
| 329 | # If set to "none", then the other configuration items listed |
| 330 | # below are not used, and the "revive_interval" time is used |
| 331 | # instead. |
| 332 | # |
| 333 | # If set to "status-server", the Status-Server packets are |
| 334 | # sent. Many RADIUS servers support Status-Server. If a |
| 335 | # server does not support it, please contact the server |
| 336 | # vendor and request that they add it. |
| 337 | # |
| 338 | # If set to "request", then Access-Request, or Accounting-Request |
| 339 | # packets are sent, depending on the "type" entry above (auth/acct). |
| 340 | # |
| 341 | # Allowed values: none, status-server, request |
| 342 | status_check = status-server |
| 343 | |
| 344 | # |
| 345 | # If the home server does not support Status-Server packets, |
| 346 | # then the server can still send Access-Request or |
| 347 | # Accounting-Request packets, with a pre-defined user name. |
| 348 | # |
| 349 | # This practice is NOT recommended, as it may potentially let |
| 350 | # users gain network access by using these "test" accounts! |
| 351 | # |
| 352 | # If it is used, we recommend that the home server ALWAYS |
| 353 | # respond to these Access-Request status checks with |
| 354 | # Access-Reject. The status check just needs an answer, it |
| 355 | # does not need an Access-Accept. |
| 356 | # |
| 357 | # For Accounting-Request status checks, only the username |
| 358 | # needs to be set. The rest of the accounting attribute are |
| 359 | # set to default values. The home server that receives these |
| 360 | # accounting packets SHOULD NOT treat them like normal user |
| 361 | # accounting packets. i.e It should probably NOT log them to |
| 362 | # a database. |
| 363 | # |
| 364 | # username = "test_user_please_reject_me" |
| 365 | # password = "this is really secret" |
| 366 | |
| 367 | # |
| 368 | # Configure the interval between sending status check packets. |
| 369 | # |
| 370 | # Setting it too low increases the probability of spurious |
| 371 | # fail-over and fallback attempts. |
| 372 | # |
| 373 | # Useful range of values: 6 to 120 |
| 374 | check_interval = 30 |
| 375 | |
| 376 | # |
| 377 | # Configure the number of status checks in a row that the |
| 378 | # home server needs to respond to before it is marked alive. |
| 379 | # |
| 380 | # If you want to mark a home server as alive after a short |
| 381 | # time period of being responsive, it is best to use a small |
| 382 | # "check_interval", and a large value for |
| 383 | # "num_answers_to_alive". Using a long "check_interval" and |
| 384 | # a small number for "num_answers_to_alive" increases the |
| 385 | # probability of spurious fail-over and fallback attempts. |
| 386 | # |
| 387 | # Useful range of values: 3 to 10 |
| 388 | num_answers_to_alive = 3 |
| 389 | |
| 390 | # |
| 391 | # Limit the total number of outstanding packets to the home |
| 392 | # server. |
| 393 | # |
| 394 | # if ((#request sent) - (#requests received)) > max_outstanding |
| 395 | # then stop sending more packets to the home server |
| 396 | # |
| 397 | # This lets us gracefully fall over when the home server |
| 398 | # is overloaded. |
| 399 | max_outstanding = 65536 |
| 400 | |
| 401 | # |
| 402 | # The configuration items in the next sub-section are used ONLY |
| 403 | # when "type = coa". It is ignored for all other type of home |
| 404 | # servers. |
| 405 | # |
| 406 | # See RFC 5080 for the definitions of the following terms. |
| 407 | # RAND is a function (internal to FreeRADIUS) returning |
| 408 | # random numbers between -0.1 and +0.1 |
| 409 | # |
| 410 | # First Re-transmit occurs after: |
| 411 | # |
| 412 | # RT = IRT + RAND*IRT |
| 413 | # |
| 414 | # Subsequent Re-transmits occur after: |
| 415 | # |
| 416 | # RT = 2 * RTprev + RAND * RTprev |
| 417 | # |
| 418 | # Re-transmits are capped at: |
| 419 | # |
| 420 | # if (MRT && (RT > MRT)) RT = MRT + RAND * MRT |
| 421 | # |
| 422 | # For a maximum number of attempts: MRC |
| 423 | # |
| 424 | # For a maximum (total) period of time: MRD. |
| 425 | # |
| 426 | coa { |
| 427 | # Initial retransmit interval: 1..5 |
| 428 | irt = 2 |
| 429 | |
| 430 | # Maximum Retransmit Timeout: 1..30 (0 == no maximum) |
| 431 | mrt = 16 |
| 432 | |
| 433 | # Maximum Retransmit Count: 1..20 (0 == retransmit forever) |
| 434 | mrc = 5 |
| 435 | |
| 436 | # Maximum Retransmit Duration: 5..60 |
| 437 | mrd = 30 |
| 438 | } |
| 439 | |
| 440 | # |
| 441 | # Connection limiting for home servers with "proto = tcp". |
| 442 | # |
| 443 | # This section is ignored for other home servers. |
| 444 | # |
| 445 | limit { |
| 446 | # |
| 447 | # Limit the number of TCP connections to the home server. |
| 448 | # |
| 449 | # The default is 16. |
| 450 | # Setting this to 0 means "no limit" |
| 451 | max_connections = 16 |
| 452 | |
| 453 | # |
| 454 | # Limit the total number of requests sent over one |
| 455 | # TCP connection. After this number of requests, the |
| 456 | # connection will be closed. Any new packets that are |
| 457 | # proxied to the home server will result in a new TCP |
| 458 | # connection being made. |
| 459 | # |
| 460 | # Setting this to 0 means "no limit" |
| 461 | max_requests = 0 |
| 462 | |
| 463 | # |
| 464 | # The lifetime, in seconds, of a TCP connection. After |
| 465 | # this lifetime, the connection will be closed. |
| 466 | # |
| 467 | # Setting this to 0 means "forever". |
| 468 | lifetime = 0 |
| 469 | |
| 470 | # |
| 471 | # The idle timeout, in seconds, of a TCP connection. |
| 472 | # If no packets have been sent over the connection for |
| 473 | # this time, the connection will be closed. |
| 474 | # |
| 475 | # Setting this to 0 means "no timeout". |
| 476 | idle_timeout = 0 |
| 477 | } |
| 478 | |
| 479 | } |
| 480 | |
| 481 | # Sample virtual home server. |
| 482 | # |
| 483 | # |
| 484 | #home_server virtual.example.com { |
| 485 | # virtual_server = virtual.example.com |
| 486 | #} |
| 487 | |
| 488 | ###################################################################### |
| 489 | # |
| 490 | # This section defines a pool of home servers that is used |
| 491 | # for fail-over and load-balancing. In earlier versions of |
| 492 | # FreeRADIUS, fail-over and load-balancing were defined per-realm. |
| 493 | # As a result, if a server had 5 home servers, each of which served |
| 494 | # the same 10 realms, you would need 50 "realm" entries. |
| 495 | # |
| 496 | # In version 2.0, you would need 5 "home_server" sections, |
| 497 | # 10 'realm" sections, and one "home_server_pool" section to tie the |
| 498 | # two together. |
| 499 | # |
| 500 | home_server_pool my_auth_failover { |
| 501 | # |
| 502 | # The type of this pool controls how home servers are chosen. |
| 503 | # |
| 504 | # fail-over - the request is sent to the first live |
| 505 | # home server in the list. i.e. If the first home server |
| 506 | # is marked "dead", the second one is chosen, etc. |
| 507 | # |
| 508 | # load-balance - the least busy home server is chosen, |
| 509 | # where "least busy" is counted by taking the number of |
| 510 | # requests sent to that home server, and subtracting the |
| 511 | # number of responses received from that home server. |
| 512 | # |
| 513 | # If there are two or more servers with the same low |
| 514 | # load, then one of those servers is chosen at random. |
| 515 | # This configuration is most similar to the old |
| 516 | # "round-robin" method, though it is not exactly the same. |
| 517 | # |
| 518 | # Note that load balancing does not work well with EAP, |
| 519 | # as EAP requires packets for an EAP conversation to be |
| 520 | # sent to the same home server. The load balancing method |
| 521 | # does not keep state in between packets, meaning that |
| 522 | # EAP packets for the same conversation may be sent to |
| 523 | # different home servers. This will prevent EAP from |
| 524 | # working. |
| 525 | # |
| 526 | # For non-EAP authentication methods, and for accounting |
| 527 | # packets, we recommend using "load-balance". It will |
| 528 | # ensure the highest availability for your network. |
| 529 | # |
| 530 | # client-balance - the home server is chosen by hashing the |
| 531 | # source IP address of the packet. If that home server |
| 532 | # is down, the next one in the list is used, just as |
| 533 | # with "fail-over". |
| 534 | # |
| 535 | # There is no way of predicting which source IP will map |
| 536 | # to which home server. |
| 537 | # |
| 538 | # This configuration is most useful to do simple load |
| 539 | # balancing for EAP sessions, as the EAP session will |
| 540 | # always be sent to the same home server. |
| 541 | # |
| 542 | # client-port-balance - the home server is chosen by hashing |
| 543 | # the source IP address and source port of the packet. |
| 544 | # If that home server is down, the next one in the list |
| 545 | # is used, just as with "fail-over". |
| 546 | # |
| 547 | # This method provides slightly better load balancing |
| 548 | # for EAP sessions than "client-balance". However, it |
| 549 | # also means that authentication and accounting packets |
| 550 | # for the same session MAY go to different home servers. |
| 551 | # |
| 552 | # keyed-balance - the home server is chosen by hashing (FNV) |
| 553 | # the contents of the Load-Balance-Key attribute from the |
| 554 | # control items. The request is then sent to home server |
| 555 | # chosen by taking: |
| 556 | # |
| 557 | # server = (hash % num_servers_in_pool). |
| 558 | # |
| 559 | # If there is no Load-Balance-Key in the control items, |
| 560 | # the load balancing method is identical to "load-balance". |
| 561 | # |
| 562 | # For most non-EAP authentication methods, The User-Name |
| 563 | # attribute provides a good key. An "unlang" policy can |
| 564 | # be used to copy the User-Name to the Load-Balance-Key |
| 565 | # attribute. This method may not work for EAP sessions, |
| 566 | # as the User-Name outside of the TLS tunnel is often |
| 567 | # static, e.g. "anonymous@realm". |
| 568 | # |
| 569 | # |
| 570 | # The default type is fail-over. |
| 571 | type = fail-over |
| 572 | |
| 573 | # |
| 574 | # A virtual_server may be specified here. If so, the |
| 575 | # "pre-proxy" and "post-proxy" sections are called when |
| 576 | # the request is proxied, and when a response is received. |
| 577 | # |
| 578 | # This lets you have one policy for all requests that are proxied |
| 579 | # to a home server. This policy is completely independent of |
| 580 | # any policies used to receive, or process the request. |
| 581 | # |
| 582 | #virtual_server = pre_post_proxy_for_pool |
| 583 | |
| 584 | # |
| 585 | # Next, a list of one or more home servers. The names |
| 586 | # of the home servers are NOT the hostnames, but the names |
| 587 | # of the sections. (e.g. home_server foo {...} has name "foo". |
| 588 | # |
| 589 | # Note that ALL home servers listed here have to be of the same |
| 590 | # type. i.e. they all have to be "auth", or they all have to |
| 591 | # be "acct", or the all have to be "auth+acct". |
| 592 | # |
| 593 | home_server = localhost |
| 594 | |
| 595 | # Additional home servers can be listed. |
| 596 | # There is NO LIMIT to the number of home servers that can |
| 597 | # be listed, though using more than 10 or so will become |
| 598 | # difficult to manage. |
| 599 | # |
| 600 | # home_server = foo.example.com |
| 601 | # home_server = bar.example.com |
| 602 | # home_server = baz.example.com |
| 603 | # home_server = ... |
| 604 | |
| 605 | |
| 606 | # |
| 607 | # If ALL home servers are dead, then this "fallback" home server |
| 608 | # is used. If set, it takes precedence over any realm-based |
| 609 | # fallback, such as the DEFAULT realm. |
| 610 | # |
| 611 | # For reasons of stability, this home server SHOULD be a virtual |
| 612 | # server. Otherwise, the fallback may itself be dead! |
| 613 | # |
| 614 | #fallback = virtual.example.com |
| 615 | } |
| 616 | |
| 617 | ###################################################################### |
| 618 | # |
| 619 | # |
| 620 | # This section defines a new-style "realm". Note the in version 2.0, |
| 621 | # there are many fewer configuration items than in 1.x for a realm. |
| 622 | # |
| 623 | # Automatic proxying is done via the "realms" module (see "man |
| 624 | # rlm_realm"). To manually proxy the request put this entry in the |
| 625 | # "users" file: |
| 626 | |
| 627 | # |
| 628 | # |
| 629 | #DEFAULT Proxy-To-Realm := "realm_name" |
| 630 | # |
| 631 | # |
| 632 | realm example.com { |
| 633 | # |
| 634 | # Realms point to pools of home servers. |
| 635 | # |
| 636 | # For authentication, the "auth_pool" configuration item |
| 637 | # should point to a "home_server_pool" that was previously |
| 638 | # defined. All of the home servers in the "auth_pool" must |
| 639 | # be of type "auth". |
| 640 | # |
| 641 | # For accounting, the "acct_pool" configuration item |
| 642 | # should point to a "home_server_pool" that was previously |
| 643 | # defined. All of the home servers in the "acct_pool" must |
| 644 | # be of type "acct". |
| 645 | # |
| 646 | # If you have a "home_server_pool" where all of the home servers |
| 647 | # are of type "auth+acct", you can just use the "pool" |
| 648 | # configuration item, instead of specifying both "auth_pool" |
| 649 | # and "acct_pool". |
| 650 | |
| 651 | auth_pool = my_auth_failover |
| 652 | # acct_pool = acct |
| 653 | |
| 654 | # As of Version 3.0, the server can proxy CoA packets |
| 655 | # based on the Operator-Name attribute. This requires |
| 656 | # that the "suffix" module be listed in the "recv-coa" |
| 657 | # section. |
| 658 | # |
| 659 | # See raddb/sites-available/coa |
| 660 | # |
| 661 | # coa_pool = name_of_coa_pool |
| 662 | |
| 663 | # |
| 664 | # Normally, when an incoming User-Name is matched against the |
| 665 | # realm, the realm name is "stripped" off, and the "stripped" |
| 666 | # user name is used to perform matches. |
| 667 | # |
| 668 | # e.g. User-Name = "bob@example.com" will result in two new |
| 669 | # attributes being created by the "realms" module: |
| 670 | # |
| 671 | # Stripped-User-Name = "bob" |
| 672 | # Realm = "example.com" |
| 673 | # |
| 674 | # The Stripped-User-Name is then used as a key in the "users" |
| 675 | # file, for example. |
| 676 | # |
| 677 | # If you do not want this to happen, uncomment "nostrip" below. |
| 678 | # |
| 679 | # nostrip |
| 680 | |
| 681 | # There are no more configuration entries for a realm. |
| 682 | } |
| 683 | |
| 684 | |
| 685 | # |
| 686 | # This is a sample entry for iPass. |
| 687 | # Note that you have to define "ipass_auth_pool" and |
| 688 | # "ipass_acct_pool", along with home_servers for them, too. |
| 689 | # |
| 690 | #realm IPASS { |
| 691 | # nostrip |
| 692 | # |
| 693 | # auth_pool = ipass_auth_pool |
| 694 | # acct_pool = ipass_acct_pool |
| 695 | #} |
| 696 | |
| 697 | # |
| 698 | # This realm is used mainly to cancel proxying. You can have |
| 699 | # the "realm suffix" module configured to proxy all requests for |
| 700 | # a realm, and then later cancel the proxying, based on other |
| 701 | # configuration. |
| 702 | # |
| 703 | # For example, you want to terminate PEAP or EAP-TTLS locally, |
| 704 | # you can add the following to the "users" file: |
| 705 | # |
| 706 | # DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL |
| 707 | # |
| 708 | realm LOCAL { |
| 709 | # If we do not specify a server pool, the realm is LOCAL, and |
| 710 | # requests are not proxied to it. |
| 711 | } |
| 712 | |
| 713 | # |
| 714 | # This realm is for requests which don't have an explicit realm |
| 715 | # prefix or suffix. User names like "bob" will match this one. |
| 716 | # |
| 717 | #realm NULL { |
| 718 | # authhost = radius.company.com:1600 |
| 719 | # accthost = radius.company.com:1601 |
| 720 | # secret = testing123 |
| 721 | #} |
| 722 | |
| 723 | # |
| 724 | # This realm is for ALL OTHER requests. |
| 725 | # |
| 726 | #realm DEFAULT { |
| 727 | # authhost = radius.company.com:1600 |
| 728 | # accthost = radius.company.com:1601 |
| 729 | # secret = testing123 |
| 730 | #} |
| 731 | |
| 732 | |
| 733 | # This realm "proxies" requests internally to a virtual server. |
| 734 | # The pre-proxy and post-proxy sections are run just as with any |
| 735 | # other kind of home server. The virtual server then receives |
| 736 | # the request, and replies, just as with any other packet. |
| 737 | # |
| 738 | # Once proxied internally like this, the request CANNOT be proxied |
| 739 | # internally or externally. |
| 740 | # |
| 741 | #realm virtual.example.com { |
| 742 | # virtual_server = virtual.example.com |
| 743 | #} |
| 744 | # |
| 745 | |
| 746 | # |
| 747 | # Regular expressions may also be used as realm names. If these are used, |
| 748 | # then the "find matching realm" process is as follows: |
| 749 | # |
| 750 | # 1) Look for a non-regex realm with an *exact* match for the name. |
| 751 | # If found, it is used in preference to any regex matching realm. |
| 752 | # |
| 753 | # 2) Look for a regex realm, in the order that they are listed |
| 754 | # in the configuration files. Any regex match is performed in |
| 755 | # a case-insensitive fashion. |
| 756 | # |
| 757 | # 3) If no realm is found, return the DEFAULT realm, if any. |
| 758 | # |
| 759 | # The order of the realms matters in step (2). For example, defining |
| 760 | # two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in |
| 761 | # the second realm NEVER matching. This is because all of the realms |
| 762 | # which match the second regex also match the first one. Since the |
| 763 | # first regex matches, it is returned. |
| 764 | # |
| 765 | # The solution is to list the realms in the opposite order,. e.g. |
| 766 | # ".*\.test\.example.net$", followed by ".*\.example\.net$". |
| 767 | # |
| 768 | # |
| 769 | # Some helpful rules: |
| 770 | # |
| 771 | # - always place a '~' character at the start of the realm name. |
| 772 | # This signifies that it is a regex match, and not an exact match |
| 773 | # for the realm. |
| 774 | # |
| 775 | # - place the regex in double quotes. This helps the configuration |
| 776 | # file parser ignore any "special" characters in the regex. |
| 777 | # Yes, this rule is different than the normal "unlang" rules for |
| 778 | # regular expressions. That may be fixed in a future release. |
| 779 | # |
| 780 | # - use two back-slashes '\\' whenever you need one backslash in the |
| 781 | # regex. e.g. "~.*\\.example\\.net$", and not "~\.example\.net$". |
| 782 | # This is because the regex is in a double-quoted string, and normal |
| 783 | # rules apply for double-quoted strings. |
| 784 | # |
| 785 | # - If you are matching domain names, use two backslashes in front of |
| 786 | # every '.' (dot or period). This is because '.' has special meaning |
| 787 | # in a regular expression: match any character. If you do not do this, |
| 788 | # then "~.*.example.net$" will match "fooXexampleYnet", which is likely |
| 789 | # not what you want |
| 790 | # |
| 791 | # - If you are matching domain names, put a '$' at the end of the regex |
| 792 | # that matches the domain name. This tells the regex matching code |
| 793 | # that the realm ENDS with the domain name, so it does not match |
| 794 | # realms with the domain name in the middle. e.g. "~.*\\.example\\.net" |
| 795 | # will match "test.example.netFOO", which is likely not what you want. |
| 796 | # Using "~(.*\\.)example\\.net$" is better. |
| 797 | # |
| 798 | # The more regex realms that are defined, the more time it takes to |
| 799 | # process them. You should define as few regex realms as possible |
| 800 | # in order to maximize server performance. |
| 801 | # |
| 802 | #realm "~(.*\\.)*example\\.net$" { |
| 803 | # auth_pool = my_auth_failover |
| 804 | #} |