3 ## proxy.conf -- proxy radius and realm configuration directives
7 #######################################################################
9 # Proxy server configuration
11 # This entry controls the servers behaviour towards ALL other servers
12 # to which it sends proxy requests.
16 # Note that as of 2.0, the "synchronous", "retry_delay",
17 # "retry_count", and "dead_time" have all been deprecated.
18 # For backwards compatibility, they are are still accepted
19 # by the server, but they ONLY apply to the old-style realm
20 # configuration. i.e. realms with "authhost" and/or "accthost"
23 # i.e. "retry_delay" and "retry_count" have been replaced
24 # with per-home-server configuration. See the "home_server"
25 # example below for details.
27 # i.e. "dead_time" has been replaced with a per-home-server
28 # "revive_interval". We strongly recommend that this not
29 # be used, however. The new method is much better.
32 # In 2.0, the server is always "synchronous", and setting
33 # "synchronous = no" is impossible. This simplifies the
34 # server and increases the stability of the network.
35 # However, it means that the server (i.e. proxy) NEVER
36 # originates packets. It proxies packets ONLY when it receives
37 # a packet or a re-transmission from the NAS. If the NAS never
38 # re-transmits, the proxy never re-transmits, either. This can
39 # affect fail-over, where a packet does *not* fail over to a
40 # second home server.. because the NAS never retransmits the
43 # If you need to set "synchronous = no", please send a
44 # message to the list <freeradius-users@lists.freeradius.org>
45 # explaining why this feature is vital for your network.
48 # If a realm exists, but there are no live home servers for
49 # it, we can fall back to using the "DEFAULT" realm. This is
50 # most useful for accounting, where the server can proxy
51 # accounting requests to home servers, but if they're down,
52 # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL),
53 # and then store the packets in the "detail" file. That data
54 # can be later proxied to the home servers by radrelay, when
55 # those home servers come back up again.
57 # Setting this to "yes" may have issues for authentication.
58 # i.e. If you are proxying for two different ISP's, and then
59 # act as a general dial-up for Gric. If one of the first two
60 # ISP's has their RADIUS server go down, you do NOT want to
61 # proxy those requests to GRIC. Instead, you probably want
62 # to just drop the requests on the floor. In that case, set
65 # allowed values: {yes, no}
71 #######################################################################
73 # Configuration for the proxy realms.
75 # As of 2.0, the "realm" configuration has changed. Instead of
76 # specifying "authhost" and "accthost" in a realm section, the home
77 # servers are specified separately in a "home_server" section. For
78 # backwards compatibility, you can still use the "authhost" and
79 # "accthost" directives. If you only have one home server for a
80 # realm, it is easier to use the old-style configuration.
82 # However, if you have multiple servers for a realm, we STRONGLY
83 # suggest moving to the new-style configuration.
86 # Load-balancing and failover between home servers is handled via
87 # a "home_server_pool" section.
89 # Finally, The "realm" section defines the realm, some options, and
90 # indicates which server pool should be used for the realm.
92 # This change means that simple configurations now require multiple
93 # sections to define a realm. However, complex configurations
94 # are much simpler than before, as multiple realms can share the same
97 # That is, realms point to server pools, and server pools point to
98 # home servers. Multiple realms can point to one server pool. One
99 # server pool can point to multiple home servers. Each home server
100 # can appear in one or more pools.
102 # See sites-available/tls for an example of configuring home servers,
103 # pools, and realms with TLS.
106 ######################################################################
108 # This section defines a "Home Server" which is another RADIUS
109 # server that gets sent proxied requests. In earlier versions
110 # of FreeRADIUS, home servers were defined in "realm" sections,
111 # which was awkward. In 2.0, they have been made independent
112 # from realms, which is better for a number of reasons.
114 home_server localhost {
116 # Home servers can be sent Access-Request packets
117 # or Accounting-Request packets.
119 # Allowed values are:
120 # auth - Handles Access-Request packets
121 # acct - Handles Accounting-Request packets
122 # auth+acct - Handles Access-Request packets at "port",
123 # and Accounting-Request packets at "port + 1"
124 # coa - Handles CoA-Request and Disconnect-Request packets.
125 # See also raddb/sites-available/originate-coa
129 # Configure ONE OF the following entries:
139 # virtual_server = foo
141 # Note that while both ipaddr and ipv6addr will accept
142 # both addresses and host names, we do NOT recommend
143 # using host names. When you specify a host name, the
144 # server has to do a DNS lookup to find the IP address
145 # of the home server. If the DNS server is slow or
146 # unresponsive, it means that FreeRADIUS will NOT be
147 # able to determine the address, and will therefore NOT
150 # Also, the mapping of host name to address is done ONCE
151 # when the server starts. If DNS is later updated to
152 # change the address, FreeRADIUS will NOT discover that
153 # until after a re-start, or a HUP.
155 # If you specify a virtual_server here, then requests
156 # will be proxied internally to that virtual server.
157 # These requests CANNOT be proxied again, however. The
158 # intent is to have the local server handle packets
159 # when all home servers are dead.
161 # Requests proxied to a virtual server will be passed
162 # through the pre-proxy and post-proxy sections, just
163 # like any other request. See also the sample "realm"
164 # configuration, below.
166 # None of the rest of the home_server configuration is used
167 # for the "virtual_server" configuration.
170 # The port to which packets are sent.
172 # Usually 1812 for type "auth", and 1813 for type "acct".
173 # Older servers may use 1645 and 1646.
174 # Use 3799 for type "coa"
179 # The transport protocol.
181 # If unspecified, defaults to "udp", which is the traditional
182 # RADIUS transport. It may also be "tcp", in which case TCP
183 # will be used to talk to this home server.
185 # When home servers are put into pools, the pool can contain
186 # home servers with both UDP and TCP transports.
191 # The shared secret use to "encrypt" and "sign" packets between
192 # FreeRADIUS and the home server.
194 # The secret can be any string, up to 8k characters in length.
196 # Control codes can be entered vi octal encoding,
197 # e.g. "\101\102" == "AB"
198 # Quotation marks can be entered by escaping them,
200 # Spaces or other "special" characters can be entered
201 # by putting quotes around the string.
207 ############################################################
209 # The rest of the configuration items listed here are optional,
210 # and do not have to appear in every home server definition.
212 ############################################################
215 # You can optionally specify the source IP address used when
216 # proxying requests to this home server. When the src_ipaddr
217 # it set, the server will automatically create a proxy
218 # listener for that IP address.
220 # If you specify this field for one home server, you will
221 # likely need to specify it for ALL home servers.
223 # If you don't care about the source IP address, leave this
226 # src_ipaddr = 127.0.0.1
229 # If the home server does not respond to a request within
230 # this time, the server marks the request as timed out.
231 # After "response_timeouts", the home server is marked
232 # as being "zombie", and "zombie_period" starts.
234 # The response window can be a number between 0.001 and 60.000
235 # Values on the low end are discouraged, as they will likely
236 # not work due to limitations of operating system timers.
238 # The default response window is large because responses may
239 # be slow, especially when proxying across the Internet.
241 # Useful range of values: 5 to 60
245 # Start "zombie_period" after this many responses have
248 # response_timeouts = 1
251 # If you want the old behaviour of the server rejecting
252 # proxied requests after "response_window" timeout, set
253 # the following configuration item to "yes".
255 # This configuration WILL be removed in a future release
256 # If you believe you need it, email the freeradius-users
257 # list, and explain why it should stay in the server.
259 # no_response_fail = no
262 # If the home server does not respond to ANY packets during
263 # the "zombie period", it will be considered to be dead.
265 # A home server that is marked "zombie" will be used for
266 # proxying as a low priority. If there are live servers,
267 # they will always be preferred to a zombie. Requests will
268 # be proxied to a zombie server ONLY when there are no
271 # Any request that is proxied to a home server will continue
272 # to be sent to that home server until the home server is
273 # marked dead. At that point, it will fail over to another
274 # server, if a live server is available. If none is available,
275 # then the "post-proxy-type fail" handler will be called.
277 # If "status_check" below is something other than "none", then
278 # the server will start sending status checks at the start of
279 # the zombie period. It will continue sending status checks
280 # until the home server is marked "alive".
282 # Useful range of values: 20 to 120
285 ############################################################
287 # As of 2.0, FreeRADIUS supports RADIUS layer "status
288 # checks". These are used by a proxy server to see if a home
291 # These status packets are sent ONLY if the proxying server
292 # believes that the home server is dead. They are NOT sent
293 # if the proxying server believes that the home server is
294 # alive. They are NOT sent if the proxying server is not
297 # If the home server responds to the status check packet,
298 # then it is marked alive again, and is returned to use.
300 ############################################################
303 # Some home servers do not support status checks via the
304 # Status-Server packet. Others may not have a "test" user
305 # configured that can be used to query the server, to see if
306 # it is alive. For those servers, we have NO WAY of knowing
307 # when it becomes alive again. Therefore, after the server
308 # has been marked dead, we wait a period of time, and mark
309 # it alive again, in the hope that it has come back to
312 # If it has NOT come back to life, then FreeRADIUS will wait
313 # for "zombie_period" before marking it dead again. During
314 # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because
315 # the home server is still dead. There is NOTHING that can
316 # be done about this, other than to enable the status checks,
317 # as documented below.
319 # e.g. if "zombie_period" is 40 seconds, and "revive_interval"
320 # is 300 seconds, the for 40 seconds out of every 340, or about
321 # 10% of the time, all authentications will fail.
323 # If the "zombie_period" and "revive_interval" configurations
324 # are set smaller, than it is possible for up to 50% of
325 # authentications to fail.
327 # As a result, we recommend enabling status checks, and
328 # we do NOT recommend using "revive_interval".
330 # The "revive_interval" is used ONLY if the "status_check"
331 # entry below is "none". Otherwise, it will not be used,
332 # and should be deleted.
334 # Useful range of values: 60 to 3600
335 revive_interval = 120
338 # The proxying server (i.e. this one) can do periodic status
339 # checks to see if a dead home server has come back alive.
341 # If set to "none", then the other configuration items listed
342 # below are not used, and the "revive_interval" time is used
345 # If set to "status-server", the Status-Server packets are
346 # sent. Many RADIUS servers support Status-Server. If a
347 # server does not support it, please contact the server
348 # vendor and request that they add it. With status-server if
349 # the home server is marked as a zombie and a status-server
350 # response is received, it will be immediately marked as live.
352 # This prevents spurious failovers in federations such as
353 # eduroam, where intermediary proxy servers may be functional
354 # but the servers of a home institution may not be,
356 # If set to "request", then Access-Request, or Accounting-Request
357 # packets are sent, depending on the "type" entry above (auth/acct).
359 # Allowed values: none, status-server, request
360 status_check = status-server
363 # If the home server does not support Status-Server packets,
364 # then the server can still send Access-Request or
365 # Accounting-Request packets, with a pre-defined user name.
367 # This practice is NOT recommended, as it may potentially let
368 # users gain network access by using these "test" accounts!
370 # If it is used, we recommend that the home server ALWAYS
371 # respond to these Access-Request status checks with
372 # Access-Reject. The status check just needs an answer, it
373 # does not need an Access-Accept.
375 # For Accounting-Request status checks, only the username
376 # needs to be set. The rest of the accounting attribute are
377 # set to default values. The home server that receives these
378 # accounting packets SHOULD NOT treat them like normal user
379 # accounting packets. i.e It should probably NOT log them to
382 # username = "test_user_please_reject_me"
383 # password = "this is really secret"
386 # Configure the interval between sending status check packets.
388 # Setting it too low increases the probability of spurious
389 # fail-over and fallback attempts.
391 # Useful range of values: 6 to 120
395 # Wait "check_timeout" seconds for a reply to a status check
401 # Configure the number of status checks in a row that the
402 # home server needs to respond to before it is marked alive.
404 # If you want to mark a home server as alive after a short
405 # time period of being responsive, it is best to use a small
406 # "check_interval", and a large value for
407 # "num_answers_to_alive". Using a long "check_interval" and
408 # a small number for "num_answers_to_alive" increases the
409 # probability of spurious fail-over and fallback attempts.
411 # Useful range of values: 3 to 10
412 num_answers_to_alive = 3
415 # Limit the total number of outstanding packets to the home
418 # if ((#request sent) - (#requests received)) > max_outstanding
419 # then stop sending more packets to the home server
421 # This lets us gracefully fall over when the home server
423 max_outstanding = 65536
426 # The configuration items in the next sub-section are used ONLY
427 # when "type = coa". It is ignored for all other type of home
430 # See RFC 5080 for the definitions of the following terms.
431 # RAND is a function (internal to FreeRADIUS) returning
432 # random numbers between -0.1 and +0.1
434 # First Re-transmit occurs after:
436 # RT = IRT + RAND*IRT
438 # Subsequent Re-transmits occur after:
440 # RT = 2 * RTprev + RAND * RTprev
442 # Re-transmits are capped at:
444 # if (MRT && (RT > MRT)) RT = MRT + RAND * MRT
446 # For a maximum number of attempts: MRC
448 # For a maximum (total) period of time: MRD.
451 # Initial retransmit interval: 1..5
454 # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
457 # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
460 # Maximum Retransmit Duration: 5..60
465 # Connection limiting for home servers with "proto = tcp".
467 # This section is ignored for other home servers.
471 # Limit the number of TCP connections to the home server.
474 # Setting this to 0 means "no limit"
478 # Limit the total number of requests sent over one
479 # TCP connection. After this number of requests, the
480 # connection will be closed. Any new packets that are
481 # proxied to the home server will result in a new TCP
482 # connection being made.
484 # Setting this to 0 means "no limit"
488 # The lifetime, in seconds, of a TCP connection. After
489 # this lifetime, the connection will be closed.
491 # Setting this to 0 means "forever".
495 # The idle timeout, in seconds, of a TCP connection.
496 # If no packets have been sent over the connection for
497 # this time, the connection will be closed.
499 # Setting this to 0 means "no timeout".
505 # Sample virtual home server.
508 #home_server virtual.example.com {
509 # virtual_server = virtual.example.com
512 ######################################################################
514 # This section defines a pool of home servers that is used
515 # for fail-over and load-balancing. In earlier versions of
516 # FreeRADIUS, fail-over and load-balancing were defined per-realm.
517 # As a result, if a server had 5 home servers, each of which served
518 # the same 10 realms, you would need 50 "realm" entries.
520 # In version 2.0, you would need 5 "home_server" sections,
521 # 10 'realm" sections, and one "home_server_pool" section to tie the
524 home_server_pool my_auth_failover {
526 # The type of this pool controls how home servers are chosen.
528 # fail-over - the request is sent to the first live
529 # home server in the list. i.e. If the first home server
530 # is marked "dead", the second one is chosen, etc.
532 # load-balance - the least busy home server is chosen,
533 # where "least busy" is counted by taking the number of
534 # requests sent to that home server, and subtracting the
535 # number of responses received from that home server.
537 # If there are two or more servers with the same low
538 # load, then one of those servers is chosen at random.
539 # This configuration is most similar to the old
540 # "round-robin" method, though it is not exactly the same.
542 # Note that load balancing does not work well with EAP,
543 # as EAP requires packets for an EAP conversation to be
544 # sent to the same home server. The load balancing method
545 # does not keep state in between packets, meaning that
546 # EAP packets for the same conversation may be sent to
547 # different home servers. This will prevent EAP from
550 # For non-EAP authentication methods, and for accounting
551 # packets, we recommend using "load-balance". It will
552 # ensure the highest availability for your network.
554 # client-balance - the home server is chosen by hashing the
555 # source IP address of the packet. If that home server
556 # is down, the next one in the list is used, just as
559 # There is no way of predicting which source IP will map
560 # to which home server.
562 # This configuration is most useful to do simple load
563 # balancing for EAP sessions, as the EAP session will
564 # always be sent to the same home server.
566 # client-port-balance - the home server is chosen by hashing
567 # the source IP address and source port of the packet.
568 # If that home server is down, the next one in the list
569 # is used, just as with "fail-over".
571 # This method provides slightly better load balancing
572 # for EAP sessions than "client-balance". However, it
573 # also means that authentication and accounting packets
574 # for the same session MAY go to different home servers.
576 # keyed-balance - the home server is chosen by hashing (FNV)
577 # the contents of the Load-Balance-Key attribute from the
578 # control items. The request is then sent to home server
581 # server = (hash % num_servers_in_pool).
583 # If there is no Load-Balance-Key in the control items,
584 # the load balancing method is identical to "load-balance".
586 # For most non-EAP authentication methods, The User-Name
587 # attribute provides a good key. An "unlang" policy can
588 # be used to copy the User-Name to the Load-Balance-Key
589 # attribute. This method may not work for EAP sessions,
590 # as the User-Name outside of the TLS tunnel is often
591 # static, e.g. "anonymous@realm".
594 # The default type is fail-over.
598 # A virtual_server may be specified here. If so, the
599 # "pre-proxy" and "post-proxy" sections are called when
600 # the request is proxied, and when a response is received.
602 # This lets you have one policy for all requests that are proxied
603 # to a home server. This policy is completely independent of
604 # any policies used to receive, or process the request.
606 #virtual_server = pre_post_proxy_for_pool
609 # Next, a list of one or more home servers. The names
610 # of the home servers are NOT the hostnames, but the names
611 # of the sections. (e.g. home_server foo {...} has name "foo".
613 # Note that ALL home servers listed here have to be of the same
614 # type. i.e. they all have to be "auth", or they all have to
615 # be "acct", or the all have to be "auth+acct".
617 home_server = localhost
619 # Additional home servers can be listed.
620 # There is NO LIMIT to the number of home servers that can
621 # be listed, though using more than 10 or so will become
622 # difficult to manage.
624 # home_server = foo.example.com
625 # home_server = bar.example.com
626 # home_server = baz.example.com
631 # If ALL home servers are dead, then this "fallback" home server
632 # is used. If set, it takes precedence over any realm-based
633 # fallback, such as the DEFAULT realm.
635 # For reasons of stability, this home server SHOULD be a virtual
636 # server. Otherwise, the fallback may itself be dead!
638 #fallback = virtual.example.com
641 ######################################################################
644 # This section defines a new-style "realm". Note the in version 2.0,
645 # there are many fewer configuration items than in 1.x for a realm.
647 # Automatic proxying is done via the "realms" module (see "man
648 # rlm_realm"). To manually proxy the request put this entry in the
653 #DEFAULT Proxy-To-Realm := "realm_name"
658 # Realms point to pools of home servers.
660 # For authentication, the "auth_pool" configuration item
661 # should point to a "home_server_pool" that was previously
662 # defined. All of the home servers in the "auth_pool" must
665 # For accounting, the "acct_pool" configuration item
666 # should point to a "home_server_pool" that was previously
667 # defined. All of the home servers in the "acct_pool" must
670 # If you have a "home_server_pool" where all of the home servers
671 # are of type "auth+acct", you can just use the "pool"
672 # configuration item, instead of specifying both "auth_pool"
675 auth_pool = my_auth_failover
678 # As of Version 3.0, the server can proxy CoA packets
679 # based on the Operator-Name attribute. This requires
680 # that the "suffix" module be listed in the "recv-coa"
683 # See raddb/sites-available/coa
685 # coa_pool = name_of_coa_pool
688 # Normally, when an incoming User-Name is matched against the
689 # realm, the realm name is "stripped" off, and the "stripped"
690 # user name is used to perform matches.
692 # e.g. User-Name = "bob@example.com" will result in two new
693 # attributes being created by the "realms" module:
695 # Stripped-User-Name = "bob"
696 # Realm = "example.com"
698 # The Stripped-User-Name is then used as a key in the "users"
701 # If you do not want this to happen, uncomment "nostrip" below.
705 # There are no more configuration entries for a realm.
710 # This is a sample entry for iPass.
711 # Note that you have to define "ipass_auth_pool" and
712 # "ipass_acct_pool", along with home_servers for them, too.
717 # auth_pool = ipass_auth_pool
718 # acct_pool = ipass_acct_pool
722 # This realm is used mainly to cancel proxying. You can have
723 # the "realm suffix" module configured to proxy all requests for
724 # a realm, and then later cancel the proxying, based on other
727 # For example, you want to terminate PEAP or EAP-TTLS locally,
728 # you can add the following to the "users" file:
730 # DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
733 # If we do not specify a server pool, the realm is LOCAL, and
734 # requests are not proxied to it.
738 # This realm is for requests which don't have an explicit realm
739 # prefix or suffix. User names like "bob" will match this one.
742 # authhost = radius.company.com:1600
743 # accthost = radius.company.com:1601
744 # secret = testing123
748 # This realm is for ALL OTHER requests.
751 # authhost = radius.company.com:1600
752 # accthost = radius.company.com:1601
753 # secret = testing123
757 # This realm "proxies" requests internally to a virtual server.
758 # The pre-proxy and post-proxy sections are run just as with any
759 # other kind of home server. The virtual server then receives
760 # the request, and replies, just as with any other packet.
762 # Once proxied internally like this, the request CANNOT be proxied
763 # internally or externally.
765 #realm virtual.example.com {
766 # virtual_server = virtual.example.com
771 # Regular expressions may also be used as realm names. If these are used,
772 # then the "find matching realm" process is as follows:
774 # 1) Look for a non-regex realm with an *exact* match for the name.
775 # If found, it is used in preference to any regex matching realm.
777 # 2) Look for a regex realm, in the order that they are listed
778 # in the configuration files. Any regex match is performed in
779 # a case-insensitive fashion.
781 # 3) If no realm is found, return the DEFAULT realm, if any.
783 # The order of the realms matters in step (2). For example, defining
784 # two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in
785 # the second realm NEVER matching. This is because all of the realms
786 # which match the second regex also match the first one. Since the
787 # first regex matches, it is returned.
789 # The solution is to list the realms in the opposite order,. e.g.
790 # ".*\.test\.example.net$", followed by ".*\.example\.net$".
793 # Some helpful rules:
795 # - always place a '~' character at the start of the realm name.
796 # This signifies that it is a regex match, and not an exact match
799 # - place the regex in double quotes. This helps the configuration
800 # file parser ignore any "special" characters in the regex.
801 # Yes, this rule is different than the normal "unlang" rules for
802 # regular expressions. That may be fixed in a future release.
804 # - for version 3.0.4 and following, with "correct_escapes = true",
805 # use normal regex backslash rules. Just one. Not two.
807 # - If you are matching domain names, put a '$' at the end of the regex
808 # that matches the domain name. This tells the regex matching code
809 # that the realm ENDS with the domain name, so it does not match
810 # realms with the domain name in the middle. e.g. "~.*\.example\.net"
811 # will match "test.example.netFOO", which is likely not what you want.
812 # Using "~(.*\.)example\.net$" is better.
814 # The more regex realms that are defined, the more time it takes to
815 # process them. You should define as few regex realms as possible
816 # in order to maximize server performance.
818 #realm "~(.*\.)*example\.net$" {
819 # auth_pool = my_auth_failover