# proxy.conf - proxy radius and realm configuration directives
#
# This file is included by default. To disable it, you will need
# to modify the PROXY CONFIGURATION section of "radiusd.conf".
#
#######################################################################
#
# Proxy server configuration
#
# This entry controls the server's behaviour towards ALL other servers
# to which it sends proxy requests.

# If the NAS re-sends the request to us, we can immediately re-send
# the proxy request to the end server. To do so, use 'yes' here.
#
# If this is set to 'no', then we send the retries on our own schedule,
# and ignore any duplicate NAS requests.
#
# If you want to have the server send proxy retries ONLY when the NAS
# sends its retries to the server, then set this to 'yes', and
# set the other proxy configuration parameters to 0 (zero).

# The time (in seconds) to wait for a response from the proxy, before
# re-sending the proxied request.
#
# If this time is set too high, then the NAS may re-send the request,
# or it may give up entirely, and reject the user.
#
# If it is set too low, then the RADIUS server which receives the proxy
# request will get kicked unnecessarily.

# The number of retries to send before giving up, and sending a reject

# If the home server does not respond to any of the multiple retries,
# then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
#
# If there are multiple entries configured for this realm, then the
# server will fail-over to the next one listed. If no more are listed,
# then no requests will be proxied to that realm.
#
# After a configurable 'dead_time', in seconds, FreeRADIUS will
# speculatively mark the home server active, and start sending requests
#
# If this dead time is set too low, then you will lose requests,
# as FreeRADIUS will quickly switch back to the home server, even if
#
# If this dead time is set too high, then FreeRADIUS may take too long
# to switch back to the primary home server.
#
# Realistic values for this number are in the range of minutes to hours.

# If you choose to list a realm more than once for fall-through or
# round-robin, DO NOT LIST THE REALM MORE THAN 32 TIMES.
#
# An ldflag attribute for all realms to be included in a round-robin
# setup must be specified, and that ldflag must be the same for all
# realms of the same name.
# Currently (0 or fail_over) and (1 or round_robin) are the
# supported values for ldflag. Fail over is the default setup.
#
# DO NOT INCLUDE LOCAL AUTH/ACCT HOST REALMS IN A ROUND-ROBIN QUEUE.

# If all exact matching realms did not respond, we can try the
# DEFAULT realm, too. This is what the server normally does.
#
# This behaviour may be undesired for some cases, e.g. you are proxying
# for two different ISPs, and then act as a general dial-up for GRIC.
# If one of the first two ISPs has their RADIUS server go down, you do
# NOT want to proxy those requests to GRIC. Instead, you probably want
# to just drop the requests on the floor. In that case, set this value
#
# allowed values: {yes, no}

default_fallback = yes

# Older versions of the server would pass proxy requests through the
# 'authorize' sections twice; once when the packet was received
# from the NAS, and again after the reply was received from the home
# server. Now that we have a 'post_proxy' section, the replies from
# the home server should be sent through that, instead of through
# the 'authorize' section again.
#
# However, for backwards compatibility, this behaviour is configurable.
# The default configuration is 'yes', for backwards compatibility.
# To use ONLY the new 'post_proxy' section, set this value to 'no'.
#
# allowed values: {yes, no}

post_proxy_authorize = yes

#######################################################################
#
# Configuration for the proxy realms.
#
# The information given here is used in conjunction with the 'realms'
# file. This format is preferred, as it is more flexible. The realms
# listed here take priority over those listed in the 'realms' file.

# authhost = radius.isp2.com:1645
# accthost = radius.isp2.com:1646

# a fail-over realm for isp2.com

# authhost = radius2.isp2.com:1645
# accthost = radius2.isp2.com:1646

# 1st node serv.com...set up for round-robin.
#
# The load balancing 'ldflag' attribute can be used to perform
# load balancing. Allowed values are 'fail_over' and 'round_robin'.
#
# If there is no ldflag attribute, or it is set to 'fail_over', then
# the realms are treated as "fail-over". That is, the first matching
# realm is used, unless it is down, in which case the realm "fails
# over" to the second matching realm. The process continues until an
# active matching realm is found, OR the DEFAULT realm is returned.
#
# If the ldflag attribute is set to 'round_robin', then all active
# realms of the same name are put into a pool internally in the
# server, and the proxied requests are evenly divided among the
# realms in the pool. For this to work, all realms of the same name
# MUST have the same value of their 'ldflag' attributes. Mixing up
# different types of load balancing schemes for the same realm will
#
# The round_robin load balancing method guarantees that once a
# particular realm is sent a request, then it will NOT be sent
# another request until all other realms of the same name have been
#
# Note that you CANNOT include local auth/acct host realms in a
# round-robin queue. Having a server load balance requests to itself
# doesn't make any sense, as it only doubles the amount of work
# which is needed to be done.

# authhost = radius.serv.com:1645
# accthost = radius.serv.com:1646
# ldflag = round_robin

# Another node for serv.com

# authhost = radius2.serv.com:1645
# accthost = radius2.serv.com:1646
# ldflag = round_robin

# A third round-robin node realm for serv.com

# authhost = radius3.serv.com:1645
# accthost = radius3.serv.com:1646
# ldflag = round_robin

# authhost = radius.company.com:1600
# accthost = radius.company.com:1601
# secret = testing123

# This is a local realm. The requests are NOT proxied,
# but instead are authenticated by the RADIUS server itself.
#
# You don't need a secret if BOTH 'authhost' and 'accthost' are

# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.

# authhost = radius.company.com:1600
# accthost = radius.company.com:1601
# secret = testing123

# This realm is for ALL OTHER requests.

# authhost = radius.company.com:1600
# accthost = radius.company.com:1601
# secret = testing123

# authhost = radius.company.com:1600
# accthost = radius.company.com:1601
# secret = testing123
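
# Added example, not part of this file's original text or of the FreeRADIUS
# distribution: a Python lint for the realm rules stated in the comments above
# (same ldflag for every realm of one name, at most 32 entries per realm, no
# local realm in a round-robin pool), which also flags the sample secret
# 'testing123' if it is left in place. The "realm NAME { ... }" block syntax and
# the LOCAL host value are assumed from FreeRADIUS 1.x; SAMPLE is constructed.

```python
import re
from collections import defaultdict

# Constructed sample. The "realm NAME { key = value }" block syntax and the
# LOCAL host value are assumed from FreeRADIUS 1.x, not shown in this file.
SAMPLE = """
realm serv.com {
    authhost = radius.serv.com:1645
    secret = testing123
    ldflag = round_robin
}
realm serv.com {
    authhost = radius2.serv.com:1645
    secret = constructed-secret-2   # ldflag omitted: defaults to fail_over
}
realm serv.com {
    authhost = LOCAL
    accthost = LOCAL
    ldflag = round_robin
}
"""

REALM_RE = re.compile(r"^\s*realm\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
LDFLAG = {"0": "fail_over", "fail_over": "fail_over",
          "1": "round_robin", "round_robin": "round_robin"}

def parse_realms(text):
    """Return {realm name: [settings dict per entry]} with '#' comments stripped."""
    realms = defaultdict(list)
    for name, body in REALM_RE.findall(re.sub(r"#.*", "", text)):
        realms[name].append(dict(KV_RE.findall(body)))
    return realms

def lint(text):
    """Return (realm, finding) pairs for the rules this file documents."""
    findings = []
    for name, entries in parse_realms(text).items():
        # A missing ldflag means fail_over; an unknown value counts as its own mode.
        modes = [LDFLAG.get(e.get("ldflag", "fail_over"), "invalid") for e in entries]
        if len(set(modes)) > 1:
            findings.append((name, "mixed-ldflag"))
        if len(entries) > 32:
            findings.append((name, "more-than-32-entries"))
        for e, mode in zip(entries, modes):
            if mode == "round_robin" and "LOCAL" in (e.get("authhost"), e.get("accthost")):
                findings.append((name, "local-in-round-robin"))
            if e.get("secret") == "testing123":
                findings.append((name, "sample-secret"))
    return findings
```

# lint(SAMPLE) returns one (realm, finding) pair per violated rule; an empty
# list means the realm entries satisfy all four checks.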