# acct - Handles Accounting-Request packets
# auth+acct - Handles Access-Request packets at "port",
# and Accounting-Request packets at "port + 1"
+ # coa - Handles CoA-Request and Disconnect-Request packets.
+ # See also raddb/sites-available/originate-coa
type = auth
#
#
# Usually 1812 for type "auth", and 1813 for type "acct".
# Older servers may use 1645 and 1646.
+ # Use 3799 for type "coa"
#
port = 1812
############################################################
#
+ # You can optionally specify the source IP address used when
+ # proxying requests to this home server. When the src_ipaddr
+ # it set, the server will automatically create a proxy
+ # listener for that IP address.
+ #
+ # If you specify this field for one home server, you will
+ # likely need to specify it for ALL home servers.
+ #
+ # If you don't care about the source IP address, leave this
+ # entry commented.
+ #
+# src_ipaddr = 127.0.0.1
+
+ # RFC 5080 suggests that all clients SHOULD include it in an
+ # Access-Request. The configuration item below tells the
+ # proxying server (i.e. this one) whether or not the home
+ # server requires a Message-Authenticator attribute. If it
+ # is required (value set to "yes"), then all Access-Request
+ # packets sent to that home server will have a
+ # Message-Authenticator attribute.
+ #
+ # allowed values: yes, no
+ require_message_authenticator = no
+
+ #
# If the home server doesn't respond to the request within
# this time, this server will consider the request dead, and
# respond to the NAS with an Access-Reject.
#
+ # If NO responses are received to any requests sent within this
+ # time period, the home server will be marked "zombie", as below.
+ #
# Useful range of values: 5 to 60
response_window = 20
# called the "zombie" period, because the server is neither
# alive nor dead.
#
+ # If "status_check" below is something other than "none", then
+ # the server will start sending status checks at the start of
+ # the zombie period. It will continue sending status checks
+ # until the home server is marked "alive".
+ #
# Useful range of values: 20 to 120
zombie_period = 40
# As a result, we recommend enabling status checks, and
# we do NOT recommend using "revive_interval".
#
- # If the "status_check" entry below is not "none", then the
- # "revive_interval" entry can be deleted, as it will not be
- # used.
+ # The "revive_interval" is used ONLY if the "status_check"
+ # entry below is not "none". Otherwise, it will not be used,
+ # and should be deleted.
#
# Useful range of values: 60 to 3600
revive_interval = 120
#
# Useful range of values: 3 to 10
num_answers_to_alive = 3
+
+ #
+ # The configuration items in the next sub-section are used ONLY
+ # when "type = coa". It is ignored for all other type of home
+ # servers.
+ #
+ # See RFC 5080 for the definitions of the following terms.
+ # RAND is a function (internal to FreeRADIUS) returning
+ # random numbers between -0.1 and +0.1
+ #
+ # First Re-transmit occurs after:
+ #
+ # RT = IRT + RAND*IRT
+ #
+ # Subsequent Re-transmits occur after:
+ #
+ # RT = 2 * RTprev + RAND * RTprev
+ #
+ # Re-trasnmits are capped at:
+ #
+ # if (MRT && (RT > MRT)) RT = MRT + RAND * MRT
+ #
+ # For a maximum number of attempts: MRC
+ #
+ # For a maximum (total) period of time: MRD.
+ #
+ coa {
+ # Initial retransmit interval: 1..5
+ irt = 2
+
+ # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
+ mrt = 16
+
+ # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
+ mrc = 5
+
+ # Maximum Retransmit Duration: 5..60
+ mrd = 30
+ }
}
+# Sample virtual home server.
+home_server virtual.example.com {
+ virtual_server = virtual.example.com
+}
######################################################################
#
# If there is no Load-Balance-Key in the control items,
# the load balancing method is identical to "load-balance".
#
+ # For most non-EAP authentication methods, The User-Name
+ # attribute provides a good key. An "unlang" policy can
+ # be used to copy the User-Name to the Load-Balance-Key
+ # attribute. This method may not work for EAP sessions,
+ # as the User-Name outside of the TLS tunnel is often
+ # static, e.g. "anonymous@realm".
+ #
#
# The default type is fail-over.
type = fail-over
#
+ # A virtual_server may be specified here. If so, the
+ # "pre-proxy" and "post-proxy" sections are called when
+ # the request is proxied, and when a response is received.
+ #
+ # This lets you have one policy for all requests that are proxied
+ # to a home server. This policy is completely independent of
+ # any policies used to receive, or process the request.
+ #
+ #virtual_server = pre_post_proxy_for_pool
+
+ #
# Next, a list of one or more home servers. The names
# of the home servers are NOT the hostnames, but the names
# of the sections. (e.g. home_server foo {...} has name "foo".
# home_server = bar.example.com
# home_server = baz.example.com
# home_server = ...
+
+
+ #
+ # If ALL home servers are dead, then this "fallback" home server
+ # is used. If set, it takes precedence over any realm-based
+ # fallback, such as the DEFAULT realm.
+ #
+ # For reasons of stability, this home server SHOULD be a virtual
+ # server. Otherwise, the fallback may itself be dead!
+ #
+ #fallback = virtual.example.com
}
######################################################################
# virtual_server = virtual.example.com
#}
#
+
+#
+# Regular expressions may also be used as realm names. If these are used,
+# then the "find matching realm" process is as follows:
+#
+# 1) Look for a non-regex realm with an *exact* match for the name.
+# If found, it is used in preference to any regex matching realm.
+#
+# 2) Look for a regex realm, in the order that they are listed
+# in the configuration files. Any regex match is performed in
+# a case-insensitive fashion.
+#
+# 3) If no realm is found, return the DEFAULT realm, if any.
+#
+# The order of the realms matters in step (2). For example, defining
+# two realms "*.example.com" and "*.test.example.com" will result in
+# the second realm NEVER matching. This is because all of the realms
+# which match the second regex also match the first one. Since the
+# first regex matches, it is returned.
+#
+# The solution is to list the realms in the opposite order,. e.g.
+# "*.test.example.com", followed by "*.example.com".
+#
+#
+# Some helpful rules:
+#
+# - always place a '~' character at the start of the realm name.
+# This signifies that it is a regex match, and not an exact match
+# for the realm.
+#
+# - place the regex in double quotes. This helps the configuration
+# file parser ignore any "special" characters in the regex.
+# Yes, this rule is different than the normal "unlang" rules for
+# regular expressions. That may be fixed in a future release.
+#
+# - use two back-slashes '\\' whenever you need one backslash in the
+# regex. e.g. "~*\\.example\\.com", and not "~*\.example\.com".
+# This is because the regex is in a double-quoted string, and normal
+# rules apply for double-quoted strings.
+#
+# - If you are matching domain names, use two backslashes in front of
+# every '.' (dot or period). This is because '.' has special meaning
+# in a regular expression: match any character. If you do not do this,
+# then "~*.example.com" will match "fooXexampleYcom", which is likely
+# not what you want
+#
+# - If you are matching domain names, put a '$' at the end of the regex
+# that matches the domain name. This tells the regex matching code
+# that the realm ENDS with the domain name, so it does not match
+# realms with the domain name in the middle. e.g. "~*\\.example\\.com"
+# will match "test.example.comFOO", which is likely not what you want.
+# Using "~*\\.example\\.com$" is better.
+#
+# The more regex realms that are defined, the more time it takes to
+# process them. You should define as few regex realms as possible
+# in order to maximize server performance.
+#
+#realm "~*\\.example\\.com$" {
+# authhost = LOCAL # not strictly necessary
+# accthost = LOCAL # not strictly necessary
+#}