2 # proxy.conf - proxy radius and realm configuration directives
4 # This file is included by default. To disable it, you will need
5 # to modify the PROXY CONFIGURATION section of "radiusd.conf".
7 #######################################################################
9 # Proxy server configuration
11 # This entry controls the server's behaviour towards ALL other servers
12 # to which it sends proxy requests.
16 # The time (in seconds) to wait for a response from the proxy, before
17 # re-sending the proxied request.
19 # If this time is set too high, then the NAS may re-send the request,
20 # or it may give up entirely, and reject the user.
22 # If it is set too low, then the home server which receives the proxied
23 # request will be sent unnecessary duplicate (retransmitted) requests.
28 # The number of retries to send before giving up, and sending a reject
34 # If the home server does not respond to any of the multiple retries,
35 # then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
37 # If there are multiple entries configured for this realm, then the
38 # server will fail-over to the next one listed. If no more are listed,
39 # then no requests will be proxied to that realm.
42 # After a configurable 'dead_time', in seconds, FreeRADIUS will
43 # speculatively mark the home server active, and start sending requests
46 # If this dead time is set too low, then you will lose requests,
47 # as FreeRADIUS will quickly switch back to the home server, even if
50 # If this dead time is set too high, then FreeRADIUS may take too long
51 # to switch back to the primary home server.
53 # Realistic values for this number are in the range of minutes to hours.
58 # An ldflag attribute for all realms to be included in a round-robin
59 # setup must be specified, and that ldflag must be the same for all
60 # realms of the same name.
61 # Currently the supported values for ldflag are fail_over (or 0) and
62 # round_robin (or 1). Fail-over is the default.
64 # DO NOT INCLUDE LOCAL AUTH/ACCT HOST REALMS IN A ROUND-ROBIN QUEUE.
68 # If none of the exactly matching realms responded, the request can be
69 # retried via the DEFAULT realm, too. This is what the server does by default (see 'default_fallback' below).
71 # This behaviour may be undesirable in some cases, e.g. you are proxying
72 # for two different ISPs, and also act as a general dial-up provider for GRIC.
73 # If one of the first two ISPs has its RADIUS server go down, you do
74 # NOT want those users' authentication requests forwarded to GRIC's home server, which has no business seeing them. Instead, you probably want
75 # to just drop the requests on the floor. In that case, set this value
78 # allowed values: {yes, no}
80 default_fallback = yes
83 # Older versions of the server would pass proxy requests through the
84 # 'authorize' sections twice; once when the packet was received
85 # from the NAS, and again after the reply was received from the home
86 # server. Now that we have a 'post_proxy' section, the replies from
87 # the home server should be sent through that, instead of through
88 # the 'authorize' section again.
90 # However, for backwards compatibility, this behaviour is configurable.
91 # The default configuration is 'yes', for backwards compatibility.
92 # To use ONLY the new 'post_proxy' section, set this value to 'no'.
94 # allowed values: {yes, no}
96 post_proxy_authorize = yes
100 #######################################################################
102 # Configuration for the proxy realms.
104 # The information given here is used in conjunction with the 'realms'
105 # file. This format is preferred, as it is more flexible. The realms
106 # listed here take priority over those listed in the 'realms' file.
108 # A standard realm entry. A request from "user@company.com" will be
109 # sent to radius.company.com as "user", unless the 'nostrip'
110 # configuration item is specified. If the 'nostrip' configuration
111 # item is specified, then the request will be proxied as
116 # authhost = radius.company.com:1600
117 # accthost = radius.company.com:1601
118 # secret = testing123   (placeholder only: replace with a long, random secret unique to this home server before enabling the realm)
121 # A realm entry with an optional fail-over realm. A request from
122 # "user@isp2.com" will be sent to radius.isp2.com as "user@isp2.com",
123 # because the 'nostrip' directive is specified for this realm.
127 # authhost = radius.isp2.com:1645
128 # accthost = radius.isp2.com:1646
133 # The fail-over realm for isp2.com
137 # authhost = radius2.isp2.com:1645
138 # accthost = radius2.isp2.com:1646
144 # 1st node serv.com...set up for round-robin.
146 # The load balancing 'ldflag' attribute can be used to perform
147 # load balancing. Allowed values are 'fail_over' and 'round_robin'.
149 # If there is no ldflag attribute, or it is set to 'fail_over', then
150 # the realms are treated as "fail-over". That is, the first matching
151 # realm is used, unless it is down, in which case the realm "fails
152 # over" to the second matching realm. The process continues until an
153 # active matching realm is found, OR the DEFAULT realm is returned.
155 # If the ldflag attribute is set to 'round_robin', then all active
156 # realms of the same name are put into a pool internally in the
157 # server, and the proxied requests are evenly divided among the
158 # realms in the pool. For this to work, all realms of the same name
159 # MUST have the same value of their 'ldflag' attributes. Mixing up
160 # different types of load balancing schemes for the same realm will
163 # The round_robin load balancing method is a probabilistic method
164 # which, on average, spreads the requests evenly among the home servers.
166 # Note that you CANNOT include local auth/acct host realms in a
167 # round-robin queue. Having a server load balance requests to itself
168 # doesn't make any sense, as it only doubles the amount of work
169 # which is needed to be done.
173 # authhost = radius.serv.com:1645
174 # accthost = radius.serv.com:1646
176 # ldflag = round_robin
181 # Another node for serv.com
185 # authhost = radius2.serv.com:1645
186 # accthost = radius2.serv.com:1646
188 # ldflag = round_robin
193 # A third round-robin node realm for serv.com
197 # authhost = radius3.serv.com:1645
198 # accthost = radius3.serv.com:1646
200 # ldflag = round_robin
207 # This is a local realm. The requests are NOT proxied,
208 # but instead are authenticated by the RADIUS server itself.
210 # You don't need a secret if BOTH 'authhost' and 'accthost' are
220 # This is a sample entry for iPass.
224 # authhost = ipass.server.hostname:11812
225 # accthost = ipass.server.hostname:11813
227 # The shared secret here must be the same
228 # value as the secret of the NetServer found in the
229 # /usr/ipass/raddb/clients file of your NetServer software.
235 # This realm is used mainly to cancel proxying. You can have
236 # the "realm suffix" module configured to proxy all requests for
237 # a realm, and then later cancel the proxying, based on other
240 # For example, you want to terminate PEAP or EAP-TTLS locally,
241 # you can add the following to the "users" file:
243 # DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
252 # This realm is for requests which don't have an explicit realm
253 # prefix or suffix. User names like "bob" will match this one.
257 # authhost = radius.company.com:1600
258 # accthost = radius.company.com:1601
259 # secret = testing123
263 # This realm is for ALL OTHER requests, i.e. anything that did not match a more specific realm above (including unknown or mistyped realm names). Make sure the home server configured here is one you trust to receive every such request.
267 # authhost = radius.company.com:1600
268 # accthost = radius.company.com:1601
269 # secret = testing123   (placeholder only: replace with a long, random secret unique to this home server)