# # proxy.conf - proxy radius and realm configuration directives # # This file is included by default. To disable it, you will need # to modify the PROXY CONFIGURATION section of "radiusd.conf". # ####################################################################### # # Proxy server configuration # # This entry controls the servers behaviour towards ALL other servers # to which it sends proxy requests. # proxy server { # # Note that as of 2.0, the "synchronous", "retry_delay", # "retry_count", and "dead_time" have all been deprecated. # For backwards compatibility, they are are still accepted # by the server, but they ONLY apply to the old-style realm # configuration. i.e. realms with "authhost" and/or "accthost" # entries. # # i.e. "retry_delay" and "retry_count" have been replaced # with per-home-server "pings". See the "home_server" example # below for details. # # i.e. "dead_time" has been replaced with a per-home-server # "revive_interval". We strongly recommend that this not # be used, however. The new "ping" method is much better. # Note that while we call these messages "pings" they are NOT # the same as the ICMP packets sent by the "ping" command. # These messages are normal RADIUS packets, sent to a home # server to determine if it is alive. # # In 2.0, the server is always "synchronous", and setting # "synchronous = no" is impossible. This simplifies the # server and increases the stability of the network. # # If you need to set "synchronous = no", please send a # message to the list # explaining why this feature is vital for your network. # # If a realm exists, but there are no live home servers for # it, we can fall back to using the "DEFAULT" realm. This is # most useful for accounting, where the server can proxy # accounting requests to home servers, but if they're down, # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL), # and then store the packets in the "detail" file. That data # can be later proxied to the home servers by radrelay, when # those home servers come back up again. # Setting this to "yes" may have issues for authentication. # i.e. If you are proxying for two different ISP's, and then # act as a general dial-up for Gric. If one of the first two # ISP's has their RADIUS server go down, you do NOT want to # proxy those requests to GRIC. Instead, you probably want # to just drop the requests on the floor. In that case, set # this value to 'no'. # # allowed values: {yes, no} # default_fallback = no } ####################################################################### # # Configuration for the proxy realms. # # As of 2.0. the old-style "realms" file is deprecated, and is not # used by FreeRADIUS. # # As of 2.0, the "realm" configuration has changed. Instead of # specifying "authhost" and "accthost" in a realm section, the home # servers are specified seperately in a "home_server" section. For # backwards compatibility, you can still use the "authhost" and # "accthost" directives. If you only have one home server for a # realm, it is easier to use the old-style configuration. # # However, if you have multiple servers for a realm, we STRONGLY # suggest moving to the new-style configuration. # # # Load-balancing and failover between home servers is handled via # a "server_pool" section. # # Finally, The "realm" section defines the realm, some options, and # indicates which server pool should be used for the realm. # # This change means that simple configurations now require multiple # ssections to define a realm. However, complex configurations # are much simpler than before, as multiple realms can share the same # server pool. # # That is, realms point to server pools, and server pools point to # home servers. Multiple realms can point to one server pool. One # server pool can point to multiple home servers. Each home server # can appear in one or more pools. # ###################################################################### # # This section defines a "Home Server" which is another RADIUS # server that gets sent proxied requests. In earlier versions # of FreeRADIUS, home servers were defined in "realm" sections, # which was awkward. In 2.0, they have been made independent # from realms, which is better for a number of reasons. # home_server localhost { # # Home servers can be sent Access-Request packets # or Accounting-Request packets. # # Allowed values are: # auth - send Access-Request packets # acct - send Accounting-Request packets type = auth # # Configure ONE OF the following three entries: # # IPv4 address # ipaddr = 127.0.0.1 # OR IPv6 address # ipv6addr = ::1 # OR hostname, which will do address detection automatically # # Note that we do NOT recommend using hostnames, because # it means that the server has to do a DNS lookup to # determine the IP address of the home server. If the # DNS server is slow or unresponsible, it means that # FreeRADIUS will NOT be able to determine the IP # address, and will therefore NOT start. # # hostname = localhost # # The port to which packets are sent. # # Usually 1812 for type "auth", and 1813 for type "acct". # Older servers may use 1645 and 1646. # port = 1812 # # The shared secret use to "encrypt" and "sign" packets between # FreeRADIUS and the home server. # # The secret can be any string, up to 8k characters in length. # # Control codes can be entered vi octal encoding, # e.g. "\101\102" == "AB" # Quotation marks can be entered by escaping them, # e.g. "foo\"bar" # Spaces or other "special" characters can be entered # by putting quotes around the string. # e.g. "foo bar" # "foo;bar" # secret = testing123 ############################################################ # # The rest of the configuration items listed here are optional, # and do not have to appear in every home server definition. # ############################################################ # # If the home server doesn't respond to the request within # this time, this server will consider the request dead, and # respond to the NAS with an Access-Reject. # # Useful range of values: 5 to 60 response_window = 20 # # If the home server does not respond to ANY packets for # a certain time, consider it dead. This time period is # called the "zombie" period, because the server is neither # alive nor dead. # # Useful range of values: 20 to 120 zombie_period = 40 ############################################################ # # As of 2.0, FreeRADIUS supports RADIUS layer "pings". These # are used by a proxy server to see if a home server is alive. # # Pings are sent ONLY if the proxying server believes that # the home server is dead. Pings are NOT sent if the proxying # server believes that the home server is alive. Pings are # NOT sent if the proxying server is not proxying packets. # # If the home server responds to the "pings", then it is # marked "alive" again, and is returned to use. # ############################################################ # # Some home servers do not support RADIUS layer "pings" via # the Status-Server packet. Others may not have a "test" # user configured that can be used to query the server, to # see if it is alive. For those servers, we have NO WAY # of knowing when it becomes alive again. Therefore, after # the server has been marked "dead", we wait a period of # time, and mark it "alive" again, in the hope that it has # come back to life. # # If it has NOT come back to life, then FreeRADIUS will wait # for "zombie_period" before marking it dead again. During # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because # the home server is still dead. There is NOTHING that can # be done about this, other than to enable "pings", as # documented below. # # e.g. if "zombie_period" is 40 seconds, and "revive_interval" # is 300 seconds, the for 40 seconds out of every 340, or about # 10% of the time, all authentications will fail. # # If the "zombie_period" and "revive_interval" configurations # are set smaller, than it is possible for up to 50% of # authentications to fail. # # As a result, we recommend enabling Status-Server "pings", and # we do NOT recommend using "revive_interval". # # If the "ping_check" entry below is not "none", then the # "revive_interval" entry can be deleted, as it will not be # used. # # Useful range of values: 60 to 3600 revive_interval = 120 # # The proxying server (i.e. this one) can do periodic "ping" # checks to see if a dead home server has come back alive. # # If set to "none", then the ping configuration items listed # below are not used, and the "revive_interval" time is used # instead. # # If set to "status-server", the Status-Server packets are # sent. Many RADIUS servers support Status-Server. If a # server does not support it, please contact the server # vendor and request that they add it. # # If set to "request", then Access-Request, or Accounting-Request # packets are sent, depending on the "type" entry above (auth/acct). # # Allowed values: none, status-server, request ping_check = status-server # # If the home server does not support Status-Server "pings", # then the server can still send Access-Request or # Accounting-Request packets, with a pre-defined user name. # # This practice is NOT recommended, as it may potentially let # users gain network access by using these "test" accounts! # # If it is used, we recommend that the home server ALWAYS # respond to Access-Request "pings" with Access-Reject. The # ping check just needs an answer, it does not need an # Access-Accept. # # For Accounting-Request "pings", only the username needs to # be set. # # username = "test_user_please_reject_me" # password = "this is really secret" # # Configure the interval between sending ping packets. # # Setting it too low increases the probability of spurious # fail-over and fallback attempts. # # Useful range of values: 6 to 120 ping_interval = 30 # # Configure the number of pings in a row that the home # server needs to respond to before it is marked alive. # # If you want to mark a home server as alive after a short # time period of being responsive, it is best to use a small # "ping_interval", and a large value for "num_pings_to_alive". # Using a long "ping_interval" and a small number for # "num_pings_to_alive" increases the probability of spurious # fail-over and fallback attempts. # # Useful range of values: 3 to 10 num_pings_to_alive = 3 } ###################################################################### # # This section defines a pool of home servers that is used # for fail-over and load-balancing. In earlier versions of # FreeRADIUS, fail-over and load-balancing were defined per-realm. # As a result, if a server had 5 home servers, each of which served # the same 10 realms, you would need 50 "realm" entries. # # In version 2.0, you would need 5 "home_server" sections, # 10 'realm" sections, and one "server_pool" section to tie the # two together. # server_pool my_auth_failover { # # The type of this pool is either "fail-over" or "load-balance". # # With "fail-over", the request is sent to the first live # home server in the list. # # With "load-balance", the request is load-balanced (randomly) # between the live home servers. This is equivalent to the # old per-realm configuration "round_robin". # type = fail-over # # Next, a list of one or more home servers. The names # of the home servers are NOT the hostnames, but the names # of the sections. (e.g. home_server foo {...} has name "foo". # home_server = localhost # Additional home servers can be listed. # There is NO LIMIT to the number of home servers that can # be listed, though using more than 10 or so will become # difficult to manage. # # home_server = foo.example.com # home_server = bar.example.com # home_server = baz.example.com # home_server = ... } ###################################################################### # # # This section defines a new-style "realm". Note the in version 2.0, # there are many fewer configuration items than in 1.x for a realm. # # Automatic proxying is done via the "realms" module (see "man # rlm_realm"). To manually proxy the request put this entry in the # "users" file: # # #DEFAULT Proxy-To-Realm := "realm_name" # # realm example.com { auth_pool = my_auth_failover # acct_pool = acct # # Normally, when an incoming User-Name is matched against the # realm, the realm name is "stripped" off, and the "stripped" # user name is used to perform matches. # # e.g. User-Name = "bob@example.com" will result in two new # attributes being created by the "realms" module: # # Stripped-User-Name = "bob" # Realm = "example.com" # # The Stripped-User-Name is then used as a key in the "users" # file, for example. # # If you do not want this to happen, uncomment "nostrip" below. # # nostrip # There are no more configuration entries for a realm. } # # This is a sample entry for iPass. # Note that you have to define "ipass_auth_pool" and # "ipass_acct_pool", along with home_servers for them, too. # #realm IPASS { # nostrip # # auth_pool = ipass_auth_pool # acct_pool = ipass_acct_pool #} # # This realm is used mainly to cancel proxying. You can have # the "realm suffix" module configured to proxy all requests for # a realm, and then later cancel the proxying, based on other # configuration. # # For example, you want to terminate PEAP or EAP-TTLS locally, # you can add the following to the "users" file: # # DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL # realm LOCAL { # If we do not specify a server pool, the realm is LOCAL, and # requests are not proxied to it. } # # This realm is for requests which don't have an explicit realm # prefix or suffix. User names like "bob" will match this one. # #realm NULL { # type = radius # authhost = radius.company.com:1600 # accthost = radius.company.com:1601 # secret = testing123 #} # # This realm is for ALL OTHER requests. # #realm DEFAULT { # type = radius # authhost = radius.company.com:1600 # accthost = radius.company.com:1601 # secret = testing123 #}