Blame | Last modification | View Log | RSS feed
1. Virtual Servers.FreeRADIUS 2.0 supports virtual servers. This is probably thesingle largest change that is NOT backwards compatible with 1.x.The virtual servers do NOT have to be set up with the"sites-available" and "sites-enabled" directories. You can still haveone "radiusd.conf" file, and put the server configuration there:...server {authorize {...}authenticate {...}...}...The power of virtual servers lies in their ability to separatepolicies. A policy can be placed into a virtual server, where it isguaranteed to affect only the requests that are passed through thatvirtual server. In 1.x, the policies were global, and it sometimestook much effort to write a policy so that it only applied in certainlimited situations.2. What do we mean by "virtual server"?A virtual server is a (nearly complete) RADIUS server, just like aconfiguration for FreeRADIUS 1.x. However, FreeRADIUS can now runmultiple virtual servers at the same time. The virtual servers caneven proxy requests to each other!The simplest way to create a virtual server is to take the all ofthe request processing sections from radius.conf, ("authorize" ,"authenticate", etc.) and wrap them in a "server {}" block, as above.You can create another virtual server by:1) defining a new "server foo {...}" section in radiusd.conf2) Putting the normal "authorize", etc. sections inside of it3) Adding a "listen" section *inside* of the "server" section.e.g....server foo {listen {ipaddr = 127.0.0.1port = 2000type = auth}authorize {update control {Cleartext-Password := "bob"}pap}authenticate {pap}}...With that text added to "radiusd.conf", run the server in debuggingmode (radiusd -X), and in another terminal window, type:$ radtest bob bob localhost:2000 0 testing123You should see the server return an Access-Accept.3. Capabilities and limitationsThe only sub-sections that can appear in a virtual server sectionare:listenclientauthorizeauthenticatepost-authpre-proxypost-proxypreacctaccountingsessionAll other configuration parameters (modules, etc.) are global.Inside of a virtual server, the authorize, etc. sections have theirnormal meaning, and can contain anything that an authorize sectioncould contain in 1.x.When a "listen" section is inside of a virtual server definition, itmeans that all requests sent to that IP/port will be processed throughthe virtual server. There cannot be two "listen" sections with thesame IP address and port number.When a "client" section is inside of a virtual server definition, itmeans that that client is known only to the "listen" sections that arealso inside of that virtual server. Not only is this clientdefinition available only to this virtual server, but the details ofthe client configuration is also available only to this virtualserver.i.e. Two virtual servers can listen on different IP address andports, but both can have a client with IP address 127.0.0.1. Theshared secret for that client can be different for each virtualserver.4. More complex "listen" capabilitiesThe "listen" sections have a few additional configuration items thatwere not in 1.x, and were not mentioned above. These configurationitems enable almost any mapping of IP / port to clients to virtualservers.The configuration items are:virtual_server = <name>If set, all requests sent to this IP / port are processedthrough the named virtual server.This directive can be used only for "listen" sectionsthat are global. i.e. It CANNOT be used if the"listen" section is inside of a virtual server.clients = <name>If set, the "listen" section looks for a "clients" section:clients <name> {...}It looks inside of that named "clients" section for"client" subsections, at least one of which mustexist. Each client in that section is added to thelist of known clients for this IP / port. No otherclients are known.If it is set, it over-rides the list of clients (ifany) in the same virtual server. Note that theclients are NOT additive!If it is not set, then the clients from the currentvirtual server (if any) are used. If there are noclients in this virtual server, then the globalclients are used.i.e. The most specific directive is used:* configuration in this "listen" section* clients in the same virtual server* global clientsThe directives are also *exclusive*, not *additive*.If you have one client in a virtual server, andanother client referenced from a "listen" section,then that "listen" section will ONLY use the secondclient. It will NOT use both clients.5. More complex "client" capabilitiesThe "client" sections have a few additional configuration items thatwere not in 1.x, and were not mentioned above. These configurationitems enable almost any mapping of IP / port to clients to virtualservers.The configuration items are:virtual_server = <name>If set, all requests from this client are processedthrough the named virtual server.This directive can be used only for "client" sectionsthat are global. i.e. It CANNOT be used if the"client" section is inside of a virtual server.If the "listen" section has a "server" entry, and a matchingclient is found ALSO with a "server" entry, then the clients server isused for that request.6. Worked examplesListening on one socket, and mapping requests from two clients totwo different servers.listen {...}client one {...virtual_server = server_one}client two {...virtual_server = server_two}server server_one {authorize {...}...}server server_two {authorize {...}...}This could also be done as:listen {...virtual_server = server_one}client one {...}client two {...virtual_server = server_two}server server_one {authorize {...}...}server server_two {authorize {...}...}In this case, the default server for the socket is "server_one", sothere is no need to set that in the client "one" configuration. The"server_two" configuration for client "two" over-rides the defaultsetting for the socket.Note that the following configuration will NOT work:listen {...virtual_server = server_one}client one {...}server server_one {authorize {...}...}server server_two {client two {...}authorize {...}...}In this example, client "two" is hidden inside of the virtualserver, where the "listen" section cannot find it.7. Outlined examplesThis section outlines a number of examples, with alternatives.One server, multiple sockets- multiple "listen" sections in a "server" sectionone server per client- define multiple servers- have a global "listen" section- have multiple global "clients", each with "virtual_server = X"two servers, each with their own sockets- define multiple servers- put "client" sections into each "server"- put a "listen" section into each "server"Each server can list the same client IP, and the secretcan be differenttwo sockets, sharing a list of clients, but pointing to different servers- define global "listen" sections- in each, set "virtual_server = X"- in each, set "clients = Y"- define "clients Y" section, containing multiple clients.This also means that you can have a third socket, whichdoesn't share any of these clients.8. How to decide what to doIf you want *completely* separate policies for a socket or a client,then create a separate virtual server. Then, map the request to thatserver by setting configuration entries in a "listen" section or in a"client" section.Start off with the common cases first. If most of the clientsand/or sockets get a particular policy, make that policy the default.Configure it without paying attention to the sockets or clients youwant to add later, and without adding a second virtual server. Onceit works, then add the second virtual server.If you want to re-use the previously defined sockets with the secondvirtual server, then you will need one or more global "client"sections. Those clients will contain a "virtual_server = ..." entrythat will direct requests from those clients to the appropriatevirtual server.