| 4 |
- |
1 |
# -*- text -*-
|
|
|
2 |
##
|
|
|
3 |
## proxy.conf -- proxy radius and realm configuration directives
|
|
|
4 |
##
|
|
|
5 |
## $Id$
|
|
|
6 |
|
|
|
7 |
#######################################################################
|
|
|
8 |
#
|
|
|
9 |
# Proxy server configuration
|
|
|
10 |
#
|
|
|
11 |
# This entry controls the servers behaviour towards ALL other servers
|
|
|
12 |
# to which it sends proxy requests.
|
|
|
13 |
#
|
|
|
14 |
proxy server {
|
|
|
15 |
#
|
|
|
16 |
# Note that as of 2.0, the "synchronous", "retry_delay",
|
|
|
17 |
# "retry_count", and "dead_time" have all been deprecated.
|
|
|
18 |
# For backwards compatibility, they are are still accepted
|
|
|
19 |
# by the server, but they ONLY apply to the old-style realm
|
|
|
20 |
# configuration. i.e. realms with "authhost" and/or "accthost"
|
|
|
21 |
# entries.
|
|
|
22 |
#
|
|
|
23 |
# i.e. "retry_delay" and "retry_count" have been replaced
|
|
|
24 |
# with per-home-server configuration. See the "home_server"
|
|
|
25 |
# example below for details.
|
|
|
26 |
#
|
|
|
27 |
# i.e. "dead_time" has been replaced with a per-home-server
|
|
|
28 |
# "revive_interval". We strongly recommend that this not
|
|
|
29 |
# be used, however. The new method is much better.
|
|
|
30 |
|
|
|
31 |
#
|
|
|
32 |
# In 2.0, the server is always "synchronous", and setting
|
|
|
33 |
# "synchronous = no" is impossible. This simplifies the
|
|
|
34 |
# server and increases the stability of the network.
|
|
|
35 |
# However, it means that the server (i.e. proxy) NEVER
|
|
|
36 |
# originates packets. It proxies packets ONLY when it receives
|
|
|
37 |
# a packet or a re-transmission from the NAS. If the NAS never
|
|
|
38 |
# re-transmits, the proxy never re-transmits, either. This can
|
|
|
39 |
# affect fail-over, where a packet does *not* fail over to a
|
|
|
40 |
# second home server.. because the NAS never retransmits the
|
|
|
41 |
# packet.
|
|
|
42 |
#
|
|
|
43 |
# If you need to set "synchronous = no", please send a
|
|
|
44 |
# message to the list <freeradius-users@lists.freeradius.org>
|
|
|
45 |
# explaining why this feature is vital for your network.
|
|
|
46 |
|
|
|
47 |
#
|
|
|
48 |
# If a realm exists, but there are no live home servers for
|
|
|
49 |
# it, we can fall back to using the "DEFAULT" realm. This is
|
|
|
50 |
# most useful for accounting, where the server can proxy
|
|
|
51 |
# accounting requests to home servers, but if they're down,
|
|
|
52 |
# use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL),
|
|
|
53 |
# and then store the packets in the "detail" file. That data
|
|
|
54 |
# can be later proxied to the home servers by radrelay, when
|
|
|
55 |
# those home servers come back up again.
|
|
|
56 |
|
|
|
57 |
# Setting this to "yes" may have issues for authentication.
|
|
|
58 |
# i.e. If you are proxying for two different ISP's, and then
|
|
|
59 |
# act as a general dial-up for Gric. If one of the first two
|
|
|
60 |
# ISP's has their RADIUS server go down, you do NOT want to
|
|
|
61 |
# proxy those requests to GRIC. Instead, you probably want
|
|
|
62 |
# to just drop the requests on the floor. In that case, set
|
|
|
63 |
# this value to 'no'.
|
|
|
64 |
#
|
|
|
65 |
# allowed values: {yes, no}
|
|
|
66 |
#
|
|
|
67 |
default_fallback = no
|
|
|
68 |
|
|
|
69 |
}
|
|
|
70 |
|
|
|
71 |
#######################################################################
|
|
|
72 |
#
|
|
|
73 |
# Configuration for the proxy realms.
|
|
|
74 |
#
|
|
|
75 |
# As of 2.0. the old-style "realms" file is deprecated, and is not
|
|
|
76 |
# used by FreeRADIUS.
|
|
|
77 |
#
|
|
|
78 |
# As of 2.0, the "realm" configuration has changed. Instead of
|
|
|
79 |
# specifying "authhost" and "accthost" in a realm section, the home
|
|
|
80 |
# servers are specified seperately in a "home_server" section. For
|
|
|
81 |
# backwards compatibility, you can still use the "authhost" and
|
|
|
82 |
# "accthost" directives. If you only have one home server for a
|
|
|
83 |
# realm, it is easier to use the old-style configuration.
|
|
|
84 |
#
|
|
|
85 |
# However, if you have multiple servers for a realm, we STRONGLY
|
|
|
86 |
# suggest moving to the new-style configuration.
|
|
|
87 |
#
|
|
|
88 |
#
|
|
|
89 |
# Load-balancing and failover between home servers is handled via
|
|
|
90 |
# a "home_server_pool" section.
|
|
|
91 |
#
|
|
|
92 |
# Finally, The "realm" section defines the realm, some options, and
|
|
|
93 |
# indicates which server pool should be used for the realm.
|
|
|
94 |
#
|
|
|
95 |
# This change means that simple configurations now require multiple
|
|
|
96 |
# sections to define a realm. However, complex configurations
|
|
|
97 |
# are much simpler than before, as multiple realms can share the same
|
|
|
98 |
# server pool.
|
|
|
99 |
#
|
|
|
100 |
# That is, realms point to server pools, and server pools point to
|
|
|
101 |
# home servers. Multiple realms can point to one server pool. One
|
|
|
102 |
# server pool can point to multiple home servers. Each home server
|
|
|
103 |
# can appear in one or more pools.
|
|
|
104 |
#
|
|
|
105 |
|
|
|
106 |
######################################################################
|
|
|
107 |
#
|
|
|
108 |
# This section defines a "Home Server" which is another RADIUS
|
|
|
109 |
# server that gets sent proxied requests. In earlier versions
|
|
|
110 |
# of FreeRADIUS, home servers were defined in "realm" sections,
|
|
|
111 |
# which was awkward. In 2.0, they have been made independent
|
|
|
112 |
# from realms, which is better for a number of reasons.
|
|
|
113 |
#
|
|
|
114 |
home_server localhost {
|
|
|
115 |
#
|
|
|
116 |
# Home servers can be sent Access-Request packets
|
|
|
117 |
# or Accounting-Request packets.
|
|
|
118 |
#
|
|
|
119 |
# Allowed values are:
|
|
|
120 |
# auth - Handles Access-Request packets
|
|
|
121 |
# acct - Handles Accounting-Request packets
|
|
|
122 |
# auth+acct - Handles Access-Request packets at "port",
|
|
|
123 |
# and Accounting-Request packets at "port + 1"
|
|
|
124 |
# coa - Handles CoA-Request and Disconnect-Request packets.
|
|
|
125 |
# See also raddb/sites-available/originate-coa
|
|
|
126 |
type = auth
|
|
|
127 |
|
|
|
128 |
#
|
|
|
129 |
# Configure ONE OF the following entries:
|
|
|
130 |
#
|
|
|
131 |
# IPv4 address
|
|
|
132 |
#
|
|
|
133 |
ipaddr = 127.0.0.1
|
|
|
134 |
|
|
|
135 |
# OR IPv6 address
|
|
|
136 |
# ipv6addr = ::1
|
|
|
137 |
|
|
|
138 |
# OR virtual server
|
|
|
139 |
# virtual_server = foo
|
|
|
140 |
|
|
|
141 |
# Note that while both ipaddr and ipv6addr will accept
|
|
|
142 |
# both addresses and host names, we do NOT recommend
|
|
|
143 |
# using host names. When you specify a host name, the
|
|
|
144 |
# server has to do a DNS lookup to find the IP address
|
|
|
145 |
# of the home server. If the DNS server is slow or
|
|
|
146 |
# unresponsive, it means that FreeRADIUS will NOT be
|
|
|
147 |
# able to determine the address, and will therefore NOT
|
|
|
148 |
# start.
|
|
|
149 |
#
|
|
|
150 |
# Also, the mapping of host name to address is done ONCE
|
|
|
151 |
# when the server starts. If DNS is later updated to
|
|
|
152 |
# change the address, FreeRADIUS will NOT discover that
|
|
|
153 |
# until after a re-start, or a HUP.
|
|
|
154 |
#
|
|
|
155 |
# If you specify a virtual_server here, then requests
|
|
|
156 |
# will be proxied internally to that virtual server.
|
|
|
157 |
# These requests CANNOT be proxied again, however. The
|
|
|
158 |
# intent is to have the local server handle packets
|
|
|
159 |
# when all home servers are dead.
|
|
|
160 |
#
|
|
|
161 |
# Requests proxied to a virtual server will be passed
|
|
|
162 |
# through the pre-proxy and post-proxy sections, just
|
|
|
163 |
# like any other request. See also the sample "realm"
|
|
|
164 |
# configuration, below.
|
|
|
165 |
#
|
|
|
166 |
# None of the rest of the home_server configuration is used
|
|
|
167 |
# for the "virtual_server" configuration.
|
|
|
168 |
|
|
|
169 |
#
|
|
|
170 |
# The port to which packets are sent.
|
|
|
171 |
#
|
|
|
172 |
# Usually 1812 for type "auth", and 1813 for type "acct".
|
|
|
173 |
# Older servers may use 1645 and 1646.
|
|
|
174 |
# Use 3799 for type "coa"
|
|
|
175 |
#
|
|
|
176 |
port = 1812
|
|
|
177 |
|
|
|
178 |
#
|
|
|
179 |
# The shared secret use to "encrypt" and "sign" packets between
|
|
|
180 |
# FreeRADIUS and the home server.
|
|
|
181 |
#
|
|
|
182 |
# The secret can be any string, up to 8k characters in length.
|
|
|
183 |
#
|
|
|
184 |
# Control codes can be entered vi octal encoding,
|
|
|
185 |
# e.g. "\101\102" == "AB"
|
|
|
186 |
# Quotation marks can be entered by escaping them,
|
|
|
187 |
# e.g. "foo\"bar"
|
|
|
188 |
# Spaces or other "special" characters can be entered
|
|
|
189 |
# by putting quotes around the string.
|
|
|
190 |
# e.g. "foo bar"
|
|
|
191 |
# "foo;bar"
|
|
|
192 |
#
|
|
|
193 |
secret = testing123
|
|
|
194 |
|
|
|
195 |
############################################################
|
|
|
196 |
#
|
|
|
197 |
# The rest of the configuration items listed here are optional,
|
|
|
198 |
# and do not have to appear in every home server definition.
|
|
|
199 |
#
|
|
|
200 |
############################################################
|
|
|
201 |
|
|
|
202 |
#
|
|
|
203 |
# You can optionally specify the source IP address used when
|
|
|
204 |
# proxying requests to this home server. When the src_ipaddr
|
|
|
205 |
# it set, the server will automatically create a proxy
|
|
|
206 |
# listener for that IP address.
|
|
|
207 |
#
|
|
|
208 |
# If you specify this field for one home server, you will
|
|
|
209 |
# likely need to specify it for ALL home servers.
|
|
|
210 |
#
|
|
|
211 |
# If you don't care about the source IP address, leave this
|
|
|
212 |
# entry commented.
|
|
|
213 |
#
|
|
|
214 |
# src_ipaddr = 127.0.0.1
|
|
|
215 |
|
|
|
216 |
# RFC 5080 suggests that all clients SHOULD include it in an
|
|
|
217 |
# Access-Request. The configuration item below tells the
|
|
|
218 |
# proxying server (i.e. this one) whether or not the home
|
|
|
219 |
# server requires a Message-Authenticator attribute. If it
|
|
|
220 |
# is required (value set to "yes"), then all Access-Request
|
|
|
221 |
# packets sent to that home server will have a
|
|
|
222 |
# Message-Authenticator attribute.
|
|
|
223 |
#
|
|
|
224 |
# We STRONGLY recommend that this flag be set to "yes"
|
|
|
225 |
# for ALL home servers. Doing so will have no performance
|
|
|
226 |
# impact on the proxy or on the home servers. It will,
|
|
|
227 |
# however, allow administrators to detect problems earlier.
|
|
|
228 |
#
|
|
|
229 |
# allowed values: yes, no
|
|
|
230 |
require_message_authenticator = yes
|
|
|
231 |
|
|
|
232 |
#
|
|
|
233 |
# If the home server does not respond to a request within
|
| 9 |
- |
234 |
# this time, the server marks the request as timed out.
|
|
|
235 |
# After "response_timeouts", the home server is marked
|
|
|
236 |
# as being "zombie", and "zombie_period" starts.
|
| 4 |
- |
237 |
#
|
| 9 |
- |
238 |
# The response window can be a number between 0.001 and 60.000
|
|
|
239 |
# Values on the low end are discouraged, as they will likely
|
|
|
240 |
# not work due to limitations of operating system timers.
|
|
|
241 |
#
|
| 4 |
- |
242 |
# The response window is large because responses MAY be slow,
|
|
|
243 |
# especially when proxying across the Internet.
|
|
|
244 |
#
|
|
|
245 |
# Useful range of values: 5 to 60
|
|
|
246 |
response_window = 20
|
|
|
247 |
|
|
|
248 |
#
|
| 9 |
- |
249 |
# Start "zombie_period" after this many responses have
|
|
|
250 |
# timed out.
|
|
|
251 |
#
|
|
|
252 |
# response_timeouts = 1
|
|
|
253 |
|
|
|
254 |
#
|
| 4 |
- |
255 |
# If you want the old behavior of the server rejecting
|
|
|
256 |
# proxied requests after "response_window" timeout, set
|
|
|
257 |
# the following configuration item to "yes".
|
|
|
258 |
#
|
|
|
259 |
# This configuration WILL be removed in a future release
|
|
|
260 |
# If you believe you need it, email the freeradius-users
|
|
|
261 |
# list, and explain why it should stay in the server.
|
|
|
262 |
#
|
|
|
263 |
# no_response_fail = no
|
|
|
264 |
|
|
|
265 |
#
|
|
|
266 |
# If the home server does not respond to ANY packets during
|
|
|
267 |
# the "zombie period", it will be considered to be dead.
|
|
|
268 |
#
|
|
|
269 |
# A home server that is marked "zombie" will be used for
|
|
|
270 |
# proxying as a low priority. If there are live servers,
|
|
|
271 |
# they will always be preferred to a zombie. Requests will
|
|
|
272 |
# be proxied to a zombie server ONLY when there are no
|
|
|
273 |
# live servers.
|
|
|
274 |
#
|
|
|
275 |
# Any request that is proxied to a home server will continue
|
|
|
276 |
# to be sent to that home server until the home server is
|
|
|
277 |
# marked dead. At that point, it will fail over to another
|
|
|
278 |
# server, if a live server is available. If none is available,
|
|
|
279 |
# then the "post-proxy-type fail" handler will be called.
|
|
|
280 |
#
|
|
|
281 |
# If "status_check" below is something other than "none", then
|
|
|
282 |
# the server will start sending status checks at the start of
|
|
|
283 |
# the zombie period. It will continue sending status checks
|
|
|
284 |
# until the home server is marked "alive".
|
|
|
285 |
#
|
|
|
286 |
# Useful range of values: 20 to 120
|
|
|
287 |
zombie_period = 40
|
|
|
288 |
|
|
|
289 |
############################################################
|
|
|
290 |
#
|
|
|
291 |
# As of 2.0, FreeRADIUS supports RADIUS layer "status
|
|
|
292 |
# checks". These are used by a proxy server to see if a home
|
|
|
293 |
# server is alive.
|
|
|
294 |
#
|
|
|
295 |
# These status packets are sent ONLY if the proxying server
|
|
|
296 |
# believes that the home server is dead. They are NOT sent
|
|
|
297 |
# if the proxying server believes that the home server is
|
|
|
298 |
# alive. They are NOT sent if the proxying server is not
|
|
|
299 |
# proxying packets.
|
|
|
300 |
#
|
|
|
301 |
# If the home server responds to the status check packet,
|
|
|
302 |
# then it is marked alive again, and is returned to use.
|
|
|
303 |
#
|
|
|
304 |
############################################################
|
|
|
305 |
|
|
|
306 |
#
|
|
|
307 |
# Some home servers do not support status checks via the
|
|
|
308 |
# Status-Server packet. Others may not have a "test" user
|
|
|
309 |
# configured that can be used to query the server, to see if
|
|
|
310 |
# it is alive. For those servers, we have NO WAY of knowing
|
|
|
311 |
# when it becomes alive again. Therefore, after the server
|
|
|
312 |
# has been marked dead, we wait a period of time, and mark
|
|
|
313 |
# it alive again, in the hope that it has come back to
|
|
|
314 |
# life.
|
|
|
315 |
#
|
|
|
316 |
# If it has NOT come back to life, then FreeRADIUS will wait
|
|
|
317 |
# for "zombie_period" before marking it dead again. During
|
|
|
318 |
# the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because
|
|
|
319 |
# the home server is still dead. There is NOTHING that can
|
|
|
320 |
# be done about this, other than to enable the status checks,
|
|
|
321 |
# as documented below.
|
|
|
322 |
#
|
|
|
323 |
# e.g. if "zombie_period" is 40 seconds, and "revive_interval"
|
|
|
324 |
# is 300 seconds, the for 40 seconds out of every 340, or about
|
|
|
325 |
# 10% of the time, all authentications will fail.
|
|
|
326 |
#
|
|
|
327 |
# If the "zombie_period" and "revive_interval" configurations
|
|
|
328 |
# are set smaller, than it is possible for up to 50% of
|
|
|
329 |
# authentications to fail.
|
|
|
330 |
#
|
|
|
331 |
# As a result, we recommend enabling status checks, and
|
|
|
332 |
# we do NOT recommend using "revive_interval".
|
|
|
333 |
#
|
|
|
334 |
# The "revive_interval" is used ONLY if the "status_check"
|
|
|
335 |
# entry below is "none". Otherwise, it will not be used,
|
|
|
336 |
# and should be deleted.
|
|
|
337 |
#
|
|
|
338 |
# Useful range of values: 60 to 3600
|
|
|
339 |
revive_interval = 120
|
|
|
340 |
|
|
|
341 |
#
|
|
|
342 |
# The proxying server (i.e. this one) can do periodic status
|
|
|
343 |
# checks to see if a dead home server has come back alive.
|
|
|
344 |
#
|
|
|
345 |
# If set to "none", then the other configuration items listed
|
|
|
346 |
# below are not used, and the "revive_interval" time is used
|
|
|
347 |
# instead.
|
|
|
348 |
#
|
|
|
349 |
# If set to "status-server", the Status-Server packets are
|
|
|
350 |
# sent. Many RADIUS servers support Status-Server. If a
|
|
|
351 |
# server does not support it, please contact the server
|
|
|
352 |
# vendor and request that they add it.
|
|
|
353 |
#
|
|
|
354 |
# If set to "request", then Access-Request, or Accounting-Request
|
|
|
355 |
# packets are sent, depending on the "type" entry above (auth/acct).
|
|
|
356 |
#
|
|
|
357 |
# Allowed values: none, status-server, request
|
|
|
358 |
status_check = status-server
|
|
|
359 |
|
|
|
360 |
#
|
|
|
361 |
# If the home server does not support Status-Server packets,
|
|
|
362 |
# then the server can still send Access-Request or
|
|
|
363 |
# Accounting-Request packets, with a pre-defined user name.
|
|
|
364 |
#
|
|
|
365 |
# This practice is NOT recommended, as it may potentially let
|
|
|
366 |
# users gain network access by using these "test" accounts!
|
|
|
367 |
#
|
|
|
368 |
# If it is used, we recommend that the home server ALWAYS
|
|
|
369 |
# respond to these Access-Request status checks with
|
|
|
370 |
# Access-Reject. The status check just needs an answer, it
|
|
|
371 |
# does not need an Access-Accept.
|
|
|
372 |
#
|
|
|
373 |
# For Accounting-Request status checks, only the username
|
|
|
374 |
# needs to be set. The rest of the accounting attribute are
|
|
|
375 |
# set to default values. The home server that receives these
|
|
|
376 |
# accounting packets SHOULD NOT treat them like normal user
|
|
|
377 |
# accounting packets. i.e It should probably NOT log them to
|
|
|
378 |
# a database.
|
|
|
379 |
#
|
|
|
380 |
# username = "test_user_please_reject_me"
|
|
|
381 |
# password = "this is really secret"
|
|
|
382 |
|
|
|
383 |
#
|
|
|
384 |
# Configure the interval between sending status check packets.
|
|
|
385 |
#
|
|
|
386 |
# Setting it too low increases the probability of spurious
|
|
|
387 |
# fail-over and fallback attempts.
|
|
|
388 |
#
|
|
|
389 |
# Useful range of values: 6 to 120
|
|
|
390 |
check_interval = 30
|
|
|
391 |
|
|
|
392 |
#
|
|
|
393 |
# Configure the number of status checks in a row that the
|
|
|
394 |
# home server needs to respond to before it is marked alive.
|
|
|
395 |
#
|
|
|
396 |
# If you want to mark a home server as alive after a short
|
|
|
397 |
# time period of being responsive, it is best to use a small
|
|
|
398 |
# "check_interval", and a large value for
|
|
|
399 |
# "num_answers_to_alive". Using a long "check_interval" and
|
|
|
400 |
# a small number for "num_answers_to_alive" increases the
|
|
|
401 |
# probability of spurious fail-over and fallback attempts.
|
|
|
402 |
#
|
|
|
403 |
# Useful range of values: 3 to 10
|
|
|
404 |
num_answers_to_alive = 3
|
|
|
405 |
|
|
|
406 |
#
|
|
|
407 |
# Limit the total number of outstanding packets to the home
|
|
|
408 |
# server.
|
|
|
409 |
#
|
|
|
410 |
# if ((#request sent) - (#requests received)) > max_outstanding
|
|
|
411 |
# then stop sending more packets to the home server
|
|
|
412 |
#
|
|
|
413 |
# This lets us gracefully fall over when the home server
|
|
|
414 |
# is overloaded.
|
|
|
415 |
max_outstanding = 65536
|
|
|
416 |
|
|
|
417 |
#
|
|
|
418 |
# The configuration items in the next sub-section are used ONLY
|
|
|
419 |
# when "type = coa". It is ignored for all other type of home
|
|
|
420 |
# servers.
|
|
|
421 |
#
|
|
|
422 |
# See RFC 5080 for the definitions of the following terms.
|
|
|
423 |
# RAND is a function (internal to FreeRADIUS) returning
|
|
|
424 |
# random numbers between -0.1 and +0.1
|
|
|
425 |
#
|
|
|
426 |
# First Re-transmit occurs after:
|
|
|
427 |
#
|
|
|
428 |
# RT = IRT + RAND*IRT
|
|
|
429 |
#
|
|
|
430 |
# Subsequent Re-transmits occur after:
|
|
|
431 |
#
|
|
|
432 |
# RT = 2 * RTprev + RAND * RTprev
|
|
|
433 |
#
|
|
|
434 |
# Re-trasnmits are capped at:
|
|
|
435 |
#
|
|
|
436 |
# if (MRT && (RT > MRT)) RT = MRT + RAND * MRT
|
|
|
437 |
#
|
|
|
438 |
# For a maximum number of attempts: MRC
|
|
|
439 |
#
|
|
|
440 |
# For a maximum (total) period of time: MRD.
|
|
|
441 |
#
|
|
|
442 |
coa {
|
|
|
443 |
# Initial retransmit interval: 1..5
|
|
|
444 |
irt = 2
|
|
|
445 |
|
|
|
446 |
# Maximum Retransmit Timeout: 1..30 (0 == no maximum)
|
|
|
447 |
mrt = 16
|
|
|
448 |
|
|
|
449 |
# Maximum Retransmit Count: 1..20 (0 == retransmit forever)
|
|
|
450 |
mrc = 5
|
|
|
451 |
|
|
|
452 |
# Maximum Retransmit Duration: 5..60
|
|
|
453 |
mrd = 30
|
|
|
454 |
}
|
|
|
455 |
}
|
|
|
456 |
|
|
|
457 |
# Sample virtual home server.
|
|
|
458 |
#
|
|
|
459 |
#
|
|
|
460 |
#home_server virtual.example.com {
|
|
|
461 |
# virtual_server = virtual.example.com
|
|
|
462 |
#}
|
|
|
463 |
|
|
|
464 |
######################################################################
|
|
|
465 |
#
|
|
|
466 |
# This section defines a pool of home servers that is used
|
|
|
467 |
# for fail-over and load-balancing. In earlier versions of
|
|
|
468 |
# FreeRADIUS, fail-over and load-balancing were defined per-realm.
|
|
|
469 |
# As a result, if a server had 5 home servers, each of which served
|
|
|
470 |
# the same 10 realms, you would need 50 "realm" entries.
|
|
|
471 |
#
|
|
|
472 |
# In version 2.0, you would need 5 "home_server" sections,
|
|
|
473 |
# 10 'realm" sections, and one "home_server_pool" section to tie the
|
|
|
474 |
# two together.
|
|
|
475 |
#
|
|
|
476 |
home_server_pool my_auth_failover {
|
|
|
477 |
#
|
|
|
478 |
# The type of this pool controls how home servers are chosen.
|
|
|
479 |
#
|
|
|
480 |
# fail-over - the request is sent to the first live
|
|
|
481 |
# home server in the list. i.e. If the first home server
|
|
|
482 |
# is marked "dead", the second one is chosen, etc.
|
|
|
483 |
#
|
|
|
484 |
# load-balance - the least busy home server is chosen,
|
|
|
485 |
# where "least busy" is counted by taking the number of
|
|
|
486 |
# requests sent to that home server, and subtracting the
|
|
|
487 |
# number of responses received from that home server.
|
|
|
488 |
#
|
|
|
489 |
# If there are two or more servers with the same low
|
|
|
490 |
# load, then one of those servers is chosen at random.
|
|
|
491 |
# This configuration is most similar to the old
|
|
|
492 |
# "round-robin" method, though it is not exactly the same.
|
|
|
493 |
#
|
|
|
494 |
# Note that load balancing does not work well with EAP,
|
|
|
495 |
# as EAP requires packets for an EAP conversation to be
|
|
|
496 |
# sent to the same home server. The load balancing method
|
|
|
497 |
# does not keep state in between packets, meaning that
|
|
|
498 |
# EAP packets for the same conversation may be sent to
|
|
|
499 |
# different home servers. This will prevent EAP from
|
|
|
500 |
# working.
|
|
|
501 |
#
|
|
|
502 |
# For non-EAP authentication methods, and for accounting
|
|
|
503 |
# packets, we recommend using "load-balance". It will
|
|
|
504 |
# ensure the highest availability for your network.
|
|
|
505 |
#
|
|
|
506 |
# client-balance - the home server is chosen by hashing the
|
|
|
507 |
# source IP address of the packet. If that home server
|
|
|
508 |
# is down, the next one in the list is used, just as
|
|
|
509 |
# with "fail-over".
|
|
|
510 |
#
|
|
|
511 |
# There is no way of predicting which source IP will map
|
|
|
512 |
# to which home server.
|
|
|
513 |
#
|
|
|
514 |
# This configuration is most useful to do simple load
|
|
|
515 |
# balancing for EAP sessions, as the EAP session will
|
|
|
516 |
# always be sent to the same home server.
|
|
|
517 |
#
|
|
|
518 |
# client-port-balance - the home server is chosen by hashing
|
|
|
519 |
# the source IP address and source port of the packet.
|
|
|
520 |
# If that home server is down, the next one in the list
|
|
|
521 |
# is used, just as with "fail-over".
|
|
|
522 |
#
|
|
|
523 |
# This method provides slightly better load balancing
|
|
|
524 |
# for EAP sessions than "client-balance". However, it
|
|
|
525 |
# also means that authentication and accounting packets
|
|
|
526 |
# for the same session MAY go to different home servers.
|
|
|
527 |
#
|
|
|
528 |
# keyed-balance - the home server is chosen by hashing (FNV)
|
|
|
529 |
# the contents of the Load-Balance-Key attribute from the
|
|
|
530 |
# control items. The request is then sent to home server
|
|
|
531 |
# chosen by taking:
|
|
|
532 |
#
|
|
|
533 |
# server = (hash % num_servers_in_pool).
|
|
|
534 |
#
|
|
|
535 |
# If there is no Load-Balance-Key in the control items,
|
|
|
536 |
# the load balancing method is identical to "load-balance".
|
|
|
537 |
#
|
|
|
538 |
# For most non-EAP authentication methods, The User-Name
|
|
|
539 |
# attribute provides a good key. An "unlang" policy can
|
|
|
540 |
# be used to copy the User-Name to the Load-Balance-Key
|
|
|
541 |
# attribute. This method may not work for EAP sessions,
|
|
|
542 |
# as the User-Name outside of the TLS tunnel is often
|
|
|
543 |
# static, e.g. "anonymous@realm".
|
|
|
544 |
#
|
|
|
545 |
#
|
|
|
546 |
# The default type is fail-over.
|
|
|
547 |
type = fail-over
|
|
|
548 |
|
|
|
549 |
#
|
|
|
550 |
# A virtual_server may be specified here. If so, the
|
|
|
551 |
# "pre-proxy" and "post-proxy" sections are called when
|
|
|
552 |
# the request is proxied, and when a response is received.
|
|
|
553 |
#
|
|
|
554 |
# This lets you have one policy for all requests that are proxied
|
|
|
555 |
# to a home server. This policy is completely independent of
|
|
|
556 |
# any policies used to receive, or process the request.
|
|
|
557 |
#
|
|
|
558 |
#virtual_server = pre_post_proxy_for_pool
|
|
|
559 |
|
|
|
560 |
#
|
|
|
561 |
# Next, a list of one or more home servers. The names
|
|
|
562 |
# of the home servers are NOT the hostnames, but the names
|
|
|
563 |
# of the sections. (e.g. home_server foo {...} has name "foo".
|
|
|
564 |
#
|
|
|
565 |
# Note that ALL home servers listed here have to be of the same
|
|
|
566 |
# type. i.e. they all have to be "auth", or they all have to
|
|
|
567 |
# be "acct", or the all have to be "auth+acct".
|
|
|
568 |
#
|
|
|
569 |
home_server = localhost
|
|
|
570 |
|
|
|
571 |
# Additional home servers can be listed.
|
|
|
572 |
# There is NO LIMIT to the number of home servers that can
|
|
|
573 |
# be listed, though using more than 10 or so will become
|
|
|
574 |
# difficult to manage.
|
|
|
575 |
#
|
|
|
576 |
# home_server = foo.example.com
|
|
|
577 |
# home_server = bar.example.com
|
|
|
578 |
# home_server = baz.example.com
|
|
|
579 |
# home_server = ...
|
|
|
580 |
|
|
|
581 |
|
|
|
582 |
#
|
|
|
583 |
# If ALL home servers are dead, then this "fallback" home server
|
|
|
584 |
# is used. If set, it takes precedence over any realm-based
|
|
|
585 |
# fallback, such as the DEFAULT realm.
|
|
|
586 |
#
|
|
|
587 |
# For reasons of stability, this home server SHOULD be a virtual
|
|
|
588 |
# server. Otherwise, the fallback may itself be dead!
|
|
|
589 |
#
|
|
|
590 |
#fallback = virtual.example.com
|
|
|
591 |
}
|
|
|
592 |
|
|
|
593 |
######################################################################
|
|
|
594 |
#
|
|
|
595 |
#
|
|
|
596 |
# This section defines a new-style "realm". Note the in version 2.0,
|
|
|
597 |
# there are many fewer configuration items than in 1.x for a realm.
|
|
|
598 |
#
|
|
|
599 |
# Automatic proxying is done via the "realms" module (see "man
|
|
|
600 |
# rlm_realm"). To manually proxy the request put this entry in the
|
|
|
601 |
# "users" file:
|
|
|
602 |
|
|
|
603 |
#
|
|
|
604 |
#
|
|
|
605 |
#DEFAULT Proxy-To-Realm := "realm_name"
|
|
|
606 |
#
|
|
|
607 |
#
|
|
|
608 |
realm example.com {
|
|
|
609 |
#
|
|
|
610 |
# Realms point to pools of home servers.
|
|
|
611 |
#
|
|
|
612 |
# For authentication, the "auth_pool" configuration item
|
|
|
613 |
# should point to a "home_server_pool" that was previously
|
|
|
614 |
# defined. All of the home servers in the "auth_pool" must
|
|
|
615 |
# be of type "auth".
|
|
|
616 |
#
|
|
|
617 |
# For accounting, the "acct_pool" configuration item
|
|
|
618 |
# should point to a "home_server_pool" that was previously
|
|
|
619 |
# defined. All of the home servers in the "acct_pool" must
|
|
|
620 |
# be of type "acct".
|
|
|
621 |
#
|
|
|
622 |
# If you have a "home_server_pool" where all of the home servers
|
|
|
623 |
# are of type "auth+acct", you can just use the "pool"
|
|
|
624 |
# configuration item, instead of specifying both "auth_pool"
|
|
|
625 |
# and "acct_pool".
|
|
|
626 |
|
|
|
627 |
auth_pool = my_auth_failover
|
|
|
628 |
# acct_pool = acct
|
|
|
629 |
|
|
|
630 |
#
|
|
|
631 |
# Normally, when an incoming User-Name is matched against the
|
|
|
632 |
# realm, the realm name is "stripped" off, and the "stripped"
|
|
|
633 |
# user name is used to perform matches.
|
|
|
634 |
#
|
|
|
635 |
# e.g. User-Name = "bob@example.com" will result in two new
|
|
|
636 |
# attributes being created by the "realms" module:
|
|
|
637 |
#
|
|
|
638 |
# Stripped-User-Name = "bob"
|
|
|
639 |
# Realm = "example.com"
|
|
|
640 |
#
|
|
|
641 |
# The Stripped-User-Name is then used as a key in the "users"
|
|
|
642 |
# file, for example.
|
|
|
643 |
#
|
|
|
644 |
# If you do not want this to happen, uncomment "nostrip" below.
|
|
|
645 |
#
|
|
|
646 |
# nostrip
|
|
|
647 |
|
|
|
648 |
# There are no more configuration entries for a realm.
|
|
|
649 |
}
|
|
|
650 |
|
|
|
651 |
|
|
|
652 |
#
|
|
|
653 |
# This is a sample entry for iPass.
|
|
|
654 |
# Note that you have to define "ipass_auth_pool" and
|
|
|
655 |
# "ipass_acct_pool", along with home_servers for them, too.
|
|
|
656 |
#
|
|
|
657 |
#realm IPASS {
|
|
|
658 |
# nostrip
|
|
|
659 |
#
|
|
|
660 |
# auth_pool = ipass_auth_pool
|
|
|
661 |
# acct_pool = ipass_acct_pool
|
|
|
662 |
#}
|
|
|
663 |
|
|
|
664 |
#
|
|
|
665 |
# This realm is used mainly to cancel proxying. You can have
|
|
|
666 |
# the "realm suffix" module configured to proxy all requests for
|
|
|
667 |
# a realm, and then later cancel the proxying, based on other
|
|
|
668 |
# configuration.
|
|
|
669 |
#
|
|
|
670 |
# For example, you want to terminate PEAP or EAP-TTLS locally,
|
|
|
671 |
# you can add the following to the "users" file:
|
|
|
672 |
#
|
|
|
673 |
# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
|
|
|
674 |
#
|
|
|
675 |
realm LOCAL {
|
|
|
676 |
# If we do not specify a server pool, the realm is LOCAL, and
|
|
|
677 |
# requests are not proxied to it.
|
|
|
678 |
}
|
|
|
679 |
|
|
|
680 |
#
|
|
|
681 |
# This realm is for requests which don't have an explicit realm
|
|
|
682 |
# prefix or suffix. User names like "bob" will match this one.
|
|
|
683 |
#
|
|
|
684 |
#realm NULL {
|
|
|
685 |
# authhost = radius.company.com:1600
|
|
|
686 |
# accthost = radius.company.com:1601
|
|
|
687 |
# secret = testing123
|
|
|
688 |
#}
|
|
|
689 |
|
|
|
690 |
#
|
|
|
691 |
# This realm is for ALL OTHER requests.
|
|
|
692 |
#
|
|
|
693 |
#realm DEFAULT {
|
|
|
694 |
# authhost = radius.company.com:1600
|
|
|
695 |
# accthost = radius.company.com:1601
|
|
|
696 |
# secret = testing123
|
|
|
697 |
#}
|
|
|
698 |
|
|
|
699 |
|
|
|
700 |
# This realm "proxies" requests internally to a virtual server.
|
|
|
701 |
# The pre-proxy and post-proxy sections are run just as with any
|
|
|
702 |
# other kind of home server. The virtual server then receives
|
|
|
703 |
# the request, and replies, just as with any other packet.
|
|
|
704 |
#
|
|
|
705 |
# Once proxied internally like this, the request CANNOT be proxied
|
|
|
706 |
# internally or externally.
|
|
|
707 |
#
|
|
|
708 |
#realm virtual.example.com {
|
|
|
709 |
# virtual_server = virtual.example.com
|
|
|
710 |
#}
|
|
|
711 |
#
|
|
|
712 |
|
|
|
713 |
#
|
|
|
714 |
# Regular expressions may also be used as realm names. If these are used,
|
|
|
715 |
# then the "find matching realm" process is as follows:
|
|
|
716 |
#
|
|
|
717 |
# 1) Look for a non-regex realm with an *exact* match for the name.
|
|
|
718 |
# If found, it is used in preference to any regex matching realm.
|
|
|
719 |
#
|
|
|
720 |
# 2) Look for a regex realm, in the order that they are listed
|
|
|
721 |
# in the configuration files. Any regex match is performed in
|
|
|
722 |
# a case-insensitive fashion.
|
|
|
723 |
#
|
|
|
724 |
# 3) If no realm is found, return the DEFAULT realm, if any.
|
|
|
725 |
#
|
|
|
726 |
# The order of the realms matters in step (2). For example, defining
|
|
|
727 |
# two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in
|
|
|
728 |
# the second realm NEVER matching. This is because all of the realms
|
|
|
729 |
# which match the second regex also match the first one. Since the
|
|
|
730 |
# first regex matches, it is returned.
|
|
|
731 |
#
|
|
|
732 |
# The solution is to list the realms in the opposite order,. e.g.
|
|
|
733 |
# ".*\.test\.example.net$", followed by ".*\.example\.net$".
|
|
|
734 |
#
|
|
|
735 |
#
|
|
|
736 |
# Some helpful rules:
|
|
|
737 |
#
|
|
|
738 |
# - always place a '~' character at the start of the realm name.
|
|
|
739 |
# This signifies that it is a regex match, and not an exact match
|
|
|
740 |
# for the realm.
|
|
|
741 |
#
|
|
|
742 |
# - place the regex in double quotes. This helps the configuration
|
|
|
743 |
# file parser ignore any "special" characters in the regex.
|
|
|
744 |
# Yes, this rule is different than the normal "unlang" rules for
|
|
|
745 |
# regular expressions. That may be fixed in a future release.
|
|
|
746 |
#
|
|
|
747 |
# - use two back-slashes '\\' whenever you need one backslash in the
|
|
|
748 |
# regex. e.g. "~.*\\.example\\.net$", and not "~\.example\.net$".
|
|
|
749 |
# This is because the regex is in a double-quoted string, and normal
|
|
|
750 |
# rules apply for double-quoted strings.
|
|
|
751 |
#
|
|
|
752 |
# - If you are matching domain names, use two backslashes in front of
|
|
|
753 |
# every '.' (dot or period). This is because '.' has special meaning
|
|
|
754 |
# in a regular expression: match any character. If you do not do this,
|
|
|
755 |
# then "~.*.example.net$" will match "fooXexampleYnet", which is likely
|
|
|
756 |
# not what you want
|
|
|
757 |
#
|
|
|
758 |
# - If you are matching domain names, put a '$' at the end of the regex
|
|
|
759 |
# that matches the domain name. This tells the regex matching code
|
|
|
760 |
# that the realm ENDS with the domain name, so it does not match
|
|
|
761 |
# realms with the domain name in the middle. e.g. "~.*\\.example\\.net"
|
|
|
762 |
# will match "test.example.netFOO", which is likely not what you want.
|
|
|
763 |
# Using "~(.*\\.)example\\.net$" is better.
|
|
|
764 |
#
|
|
|
765 |
# The more regex realms that are defined, the more time it takes to
|
|
|
766 |
# process them. You should define as few regex realms as possible
|
|
|
767 |
# in order to maximize server performance.
|
|
|
768 |
#
|
|
|
769 |
#realm "~(.*\\.)*example\\.net$" {
|
|
|
770 |
# auth_pool = my_auth_failover
|
|
|
771 |
#}
|