Rev 4 | Blame | Compare with Previous | Last modification | View Log | RSS feed
######################################################################## An example virtual server configuration.## $Id: 89950303b94d5763ebd96744500b7a00da186c08 $######################################################################### This client will be available to any "listen" section that# are defined outside of a virtual server section. However,# when the server receives a packet from this client, the# request will be processed through the "example" virtual# server, as the "client" section contains a configuration item# to that effect.## Note that this client will be able to send requests to any# port defined in a global "listen" section. It will NOT,# however, be able to send requests to a port defined in a# "listen" section that is contained in a "server" section.## With careful matching of configurations, you should be able# to:## - Define one authentication port, but process each client# through a separate virtual server.## - define multiple authentication ports, each with a private# list of clients.## - define multiple authentication ports, each of which may# have the same client listed, but with different shared# secrets## FYI: We use an address in the 192.0.2.* space for this example,# as RFC 3330 says that that /24 range is used for documenation# and examples, and should not appear on the net. You shouldn't# use it for anything, either.#client 192.0.2.10 {shortname = example-clientsecret = testing123virtual_server = example}######################################################################## An example virtual server. It starts off with "server name {"# The "name" is used to reference this server from a "listen"# or "client" section.#######################################################################server example {## Listen on 192.0.2.1:1812 for Access-Requests## When the server receives a packet, it is processed# through the "authorize", etc. sections listed here,# NOT the global ones the "default" site.#listen {ipaddr = 192.0.2.1port = 1821type = auth}## This client is listed within the "server" section,# and is therefore known ONLY to the socket defined# in the "listen" section above. If the client IP# sends a request to a different socket, the server# will treat it as an unknown client, and will not# respond.## In contrast, the client listed at the top of this file# is outside of any "server" section, and is therefore# global in scope. It can send packets to any port# defined in a global "listen" section. It CANNOT send# packets to the listen section defined above, though.## Note that you don't have to have a "virtual_server = example"# line here, as the client is encapsulated within# the "server" section.#client 192.0.2.9 {shortname = example-clientsecret = testing123}authorize {## Some example policies. See "man unlang" for more.#if ("%{User-Name}" == "bob") {update control {Cleartext-Password := "bob"}}## And then reject the user. The next line requires# that the "always reject {}" section is defined in# the "modules" section of radiusd.conf.#reject}authenticate {}post-auth {Post-Auth-Type Reject {update reply {Reply-Message = "This is only an example."}}}}