2 FreeRadius as a proxy radius server.
7 It is possible to use FreeRadius as a proxy radius server. This
8 means that it can consult a remote radius server to validate a user.
9 This is handy for roaming setups, or for renting ports to someone else.
14 If a user logs in with a defined realm syntax, the "realm" portion is
15 matched against the configuration to determine how the request should
16 be handled. Common realm formats are:
21 The realm parsing syntax ( and search order ) is userdefinable via the
22 realm module config in the /etc/raddb/radiusd.conf configuration file.
23 You can define multiple instances of the realm module to support multiple
24 realm syntax's at the same time. Be sure to pay close attention to the
25 search order that you define, as you may inadvertantly get unexpected
26 behaviour ( by having a user use 'realm1/username@realm2' for instance ).
28 The realms are configured in two places. The first place is the
29 file /etc/raddb/proxy.conf, which is included by radiusd.conf. The
30 second place is from the /etc/raddb/realms file. The formats and
31 sample configurations are included as comments in the respective
32 files. The preferred ( as it is more flexible for future options )
33 file is proxy.conf. It is not recommended to use both, as that could
36 All accounting data for proxied requests does NOT get stored in the
37 standard logfiles, but in a seperate directory. The name of this
38 directory is the name of the remote radius server, and if you want you
39 can define a nickname for it in /etc/raddb/naslist just as for normal NASes.
41 If you use the /etc/raddb/realms file to enter realm configurations you will
42 need to add the hostname and secret for the remote server in the
43 file /etc/raddb/clients. On the remote server you need to add the
44 hostname of your server and the same secret to /etc/raddb/clients as well.
46 The realm "DEFAULT" (without the quotes) matches all realms.
48 If you set the remoteserver to "LOCAL", the request will be handled
49 locally as usual, without sending it to a remote radius server.
51 The realm "NULL" matches any requests WITHOUT a realm.
53 There are several options you can add in both files:
56 By default the realm is stripped from the username before sending it
57 on to the remote radius server. By specifying the "nostrip" option
58 the @realm suffix will not be stripped.
60 By default the original username is sent to the remote radius
61 server. By specifying the "hints" option the username will be
62 sent as it is after the "hints" file was processed.
64 By default if a realm is matched, it will be proxied to the server
65 specified. However, if you are using Replication functionality, you
66 may want to override this behaviour. This option will prevent a
67 user who enters 'user@foobar' from being proxied if the 'foobar'
68 realm configuration contains 'notrealm'. This function used to be
69 called 'notsuffix', and the old syntax is still supported.
73 The exact thing that happens is this:
75 - A user logs in with a realm
76 - The hints file gets processed as usual
77 - The user is checked against the huntgroups file. At this point
78 the user _might_ already be rejected.
79 - The realm is looked up in the realms file. If it isn't defined,
80 the users file is processed normally.
81 - If the 'notrealm' option is defined, the user is processed
83 - The realm is stripped from the username unless "nostrip" was
84 set, and the request is sent to a remote radius server. Note that
85 any stripping done in the hints file doesn't have an effect on the
86 username sent to the remote radius server unless you set the
88 - The remote server replies with ACK or REJECT
90 On ACK: The initial Auth-Type is set to Accept
91 On REJECT: The initial Auth-Type is set to Reject
93 Then the users file is processed as usual. The username used at
94 this point is the one after hints file processing (regardless of
95 the "hints" option). It also includes the realm (regardless of the
96 setting of the "nostrip" option) unless the realm is LOCAL.