| 4 |
- |
1 |
# -*- text -*-
|
|
|
2 |
######################################################################
|
|
|
3 |
#
|
|
|
4 |
# In 2.0.0, radrelay functionality is integrated into the
|
|
|
5 |
# server core. This virtual server gives an example of
|
|
|
6 |
# using radrelay functionality inside of the server.
|
|
|
7 |
#
|
|
|
8 |
# In this example, the detail file is read, and the packets
|
|
|
9 |
# are proxied to a home server. You will have to configure
|
|
|
10 |
# realms, home_server_pool, and home_server in proxy.conf
|
|
|
11 |
# for this to work.
|
|
|
12 |
#
|
|
|
13 |
# The purpose of this virtual server is to enable duplication
|
|
|
14 |
# of information across a load-balanced, or fail-over set of
|
|
|
15 |
# servers. For example, if a group of clients lists two
|
|
|
16 |
# home servers (primary, secondary), then RADIUS accounting
|
|
|
17 |
# messages will go only to one server at a time. This file
|
|
|
18 |
# configures a server (primary, secondary) to send copies of
|
|
|
19 |
# the accounting information to each other.
|
|
|
20 |
#
|
|
|
21 |
# That way, each server has the same set of information, and
|
|
|
22 |
# can make the same decision about the user.
|
|
|
23 |
#
|
|
|
24 |
# $Id$
|
|
|
25 |
#
|
|
|
26 |
######################################################################
|
|
|
27 |
|
|
|
28 |
server copy-acct-to-home-server {
|
|
|
29 |
listen {
|
|
|
30 |
type = detail
|
|
|
31 |
|
|
|
32 |
######################################################
|
|
|
33 |
#
|
|
|
34 |
# !!!! WARNING !!!!
|
|
|
35 |
#
|
|
|
36 |
# The detail file reader acts just like a NAS.
|
|
|
37 |
#
|
|
|
38 |
# This means that if accounting fails, the packet
|
|
|
39 |
# is re-tried FOREVER. It is YOUR responsibility
|
|
|
40 |
# to write an accounting policy that returns "ok"
|
|
|
41 |
# if the packet was processed properly, "fail" on
|
|
|
42 |
# a database error, AND "ok" if you want to ignore
|
|
|
43 |
# the packet (e.g. no Acct-Status-Type).
|
|
|
44 |
#
|
|
|
45 |
# Neither the detail file write OR the detail file
|
|
|
46 |
# reader look at the contents of the packets. They
|
|
|
47 |
# just either dump the packet verbatim to the file,
|
|
|
48 |
# or read it verbatim from the file and pass it to
|
|
|
49 |
# the server.
|
|
|
50 |
#
|
|
|
51 |
######################################################
|
|
|
52 |
|
|
|
53 |
|
|
|
54 |
# The location where the detail file is located.
|
|
|
55 |
# This should be on local disk, and NOT on an NFS
|
|
|
56 |
# mounted location!
|
|
|
57 |
#
|
|
|
58 |
# On most systems, this should support file globbing
|
|
|
59 |
# e.g. "${radacctdir}/detail-*:*"
|
|
|
60 |
# This lets you write many smaller detail files as in
|
|
|
61 |
# the example in radiusd.conf: ".../detail-%Y%m%d:%H"
|
|
|
62 |
# Writing many small files is often better than writing
|
|
|
63 |
# one large file. File globbing also means that with
|
|
|
64 |
# a common naming scheme for detail files, then you can
|
|
|
65 |
# have many detail file writers, and only one reader.
|
|
|
66 |
filename = ${radacctdir}/detail
|
|
|
67 |
|
|
|
68 |
#
|
|
|
69 |
# The server can read accounting packets from the
|
|
|
70 |
# detail file much more quickly than those packets
|
|
|
71 |
# can be written to a database. If the database is
|
|
|
72 |
# overloaded, then bad things can happen.
|
|
|
73 |
#
|
|
|
74 |
# The server will keep track of how long it takes to
|
|
|
75 |
# process an entry from the detail file. It will
|
|
|
76 |
# then pause between handling entries. This pause
|
|
|
77 |
# allows databases to "catch up", and gives the
|
|
|
78 |
# server time to notice that other packets may have
|
|
|
79 |
# arrived.
|
|
|
80 |
#
|
|
|
81 |
# The pause is calculated dynamically, to ensure that
|
|
|
82 |
# the load due to reading the detail files is limited
|
|
|
83 |
# to a small percentage of CPU time. The
|
|
|
84 |
# "load_factor" configuration item is a number
|
|
|
85 |
# between 1 and 100. The server will try to keep the
|
|
|
86 |
# percentage of time taken by "detail" file entries
|
|
|
87 |
# to "load_factor" percentage of the CPU time.
|
|
|
88 |
#
|
|
|
89 |
# If the "load_factor" is set to 100, then the server
|
|
|
90 |
# will read packets as fast as it can, usually
|
|
|
91 |
# causing databases to go into overload.
|
|
|
92 |
#
|
|
|
93 |
load_factor = 10
|
|
|
94 |
}
|
|
|
95 |
|
|
|
96 |
#
|
|
|
97 |
# Pre-accounting. Decide which accounting type to use.
|
|
|
98 |
#
|
|
|
99 |
preacct {
|
|
|
100 |
preprocess
|
|
|
101 |
|
|
|
102 |
# Since we're just proxying, we don't need acct_unique.
|
|
|
103 |
|
|
|
104 |
#
|
|
|
105 |
# Look for IPASS-style 'realm/', and if not found, look for
|
|
|
106 |
# '@realm', and decide whether or not to proxy, based on
|
|
|
107 |
# that.
|
|
|
108 |
#
|
|
|
109 |
# Accounting requests are generally proxied to the same
|
|
|
110 |
# home server as authentication requests.
|
|
|
111 |
# IPASS
|
|
|
112 |
suffix
|
|
|
113 |
# ntdomain
|
|
|
114 |
|
|
|
115 |
#
|
|
|
116 |
# Read the 'acct_users' file. This isn't always
|
|
|
117 |
# necessary, and can be deleted if you do not use it.
|
|
|
118 |
files
|
|
|
119 |
}
|
|
|
120 |
|
|
|
121 |
#
|
|
|
122 |
# Accounting. Log the accounting data.
|
|
|
123 |
#
|
|
|
124 |
accounting {
|
|
|
125 |
#
|
|
|
126 |
# Since we're proxying, we don't log anything
|
|
|
127 |
# locally. Ensure that the accounting section
|
|
|
128 |
# "succeeds" by forcing an "ok" return.
|
|
|
129 |
ok
|
|
|
130 |
}
|
|
|
131 |
|
|
|
132 |
|
|
|
133 |
#
|
|
|
134 |
# When the server decides to proxy a request to a home server,
|
|
|
135 |
# the proxied request is first passed through the pre-proxy
|
|
|
136 |
# stage. This stage can re-write the request, or decide to
|
|
|
137 |
# cancel the proxy.
|
|
|
138 |
#
|
|
|
139 |
# Only a few modules currently have this method.
|
|
|
140 |
#
|
|
|
141 |
pre-proxy {
|
|
|
142 |
# attr_rewrite
|
|
|
143 |
|
|
|
144 |
# If you want to have a log of packets proxied to a home
|
|
|
145 |
# server, un-comment the following line, and the
|
|
|
146 |
# 'detail pre_proxy_log' section in radiusd.conf.
|
|
|
147 |
# pre_proxy_log
|
|
|
148 |
}
|
|
|
149 |
|
|
|
150 |
#
|
|
|
151 |
# When the server receives a reply to a request it proxied
|
|
|
152 |
# to a home server, the request may be massaged here, in the
|
|
|
153 |
# post-proxy stage.
|
|
|
154 |
#
|
|
|
155 |
post-proxy {
|
|
|
156 |
#
|
|
|
157 |
|
|
|
158 |
# If you want to have a log of replies from a home
|
|
|
159 |
# server, un-comment the following line, and the
|
|
|
160 |
# 'detail post_proxy_log' section in radiusd.conf.
|
|
|
161 |
# post_proxy_log
|
|
|
162 |
|
|
|
163 |
# attr_rewrite
|
|
|
164 |
|
|
|
165 |
# Uncomment the following line if you want to filter
|
|
|
166 |
# replies from remote proxies based on the rules
|
|
|
167 |
# defined in the 'attrs' file.
|
|
|
168 |
|
|
|
169 |
# attr_filter
|
|
|
170 |
}
|
|
|
171 |
}
|