# In 2.0, the server is always "synchronous", and setting
# "synchronous = no" is impossible. This simplifies the
# server and increases the stability of the network.
+ # However, it means that the server (i.e. proxy) NEVER
+ # originates packets. It proxies packets ONLY when it receives
+ # a packet or a re-transmission from the NAS. If the NAS never
+ # re-transmits, the proxy never re-transmits, either. This can
+ # affect fail-over, where a packet does *not* fail over to a
+ # second home server.. because the NAS never retransmits the
+ # packet.
#
# If you need to set "synchronous = no", please send a
# message to the list <freeradius-users@lists.freeradius.org>
# packets sent to that home server will have a
# Message-Authenticator attribute.
#
+ # We STRONGLY recommend that this flag be set to "yes"
+ # for ALL home servers. Doing so will have no performance
+ # impact on the proxy or on the home servers. It will,
+ # however, allow administrators to detect problems earlier.
+ #
# allowed values: yes, no
- require_message_authenticator = no
+ require_message_authenticator = yes
#
# If the home server does not respond to a request within
# 3) If no realm is found, return the DEFAULT realm, if any.
#
# The order of the realms matters in step (2). For example, defining
-# two realms "*.example.com" and "*.test.example.com" will result in
+# two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in
# the second realm NEVER matching. This is because all of the realms
# which match the second regex also match the first one. Since the
# first regex matches, it is returned.
#
# The solution is to list the realms in the opposite order,. e.g.
-# "*.test.example.com", followed by "*.example.com".
+# ".*\.test\.example.net$", followed by ".*\.example\.net$".
#
#
# Some helpful rules:
# regular expressions. That may be fixed in a future release.
#
# - use two back-slashes '\\' whenever you need one backslash in the
-# regex. e.g. "~*\\.example\\.com", and not "~*\.example\.com".
+# regex. e.g. "~.*\\.example\\.net$", and not "~\.example\.net$".
# This is because the regex is in a double-quoted string, and normal
# rules apply for double-quoted strings.
#
# - If you are matching domain names, use two backslashes in front of
# every '.' (dot or period). This is because '.' has special meaning
# in a regular expression: match any character. If you do not do this,
-# then "~*.example.com" will match "fooXexampleYcom", which is likely
+# then "~.*.example.net$" will match "fooXexampleYnet", which is likely
# not what you want
#
# - If you are matching domain names, put a '$' at the end of the regex
# that matches the domain name. This tells the regex matching code
# that the realm ENDS with the domain name, so it does not match
-# realms with the domain name in the middle. e.g. "~*\\.example\\.com"
-# will match "test.example.comFOO", which is likely not what you want.
-# Using "~*\\.example\\.com$" is better.
+# realms with the domain name in the middle. e.g. "~.*\\.example\\.net"
+# will match "test.example.netFOO", which is likely not what you want.
+# Using "~.*\\.example\\.net$" is better.
#
# The more regex realms that are defined, the more time it takes to
# process them. You should define as few regex realms as possible
# in order to maximize server performance.
#
-#realm "~*\\.example\\.com$" {
-# authhost = LOCAL # not strictly necessary
-# accthost = LOCAL # not strictly necessary
+#realm "~.*\\.example\\.net$" {
#}