FreeRadius as a proxy radius server.
It is possible to use FreeRadius as a proxy radius server. This
means that it can consult a remote radius server to validate a user.
This is handy for roaming setups, or for renting ports to someone else.
If a user logs in as username@realm, the "realm" part is looked up in
the file /etc/raddb/realms. The format of this file is, for now:

    realm remoteserver[:port] options
All accounting data for proxied requests does NOT get stored in the
standard logfiles, but in a separate directory. The name of this
directory is the name of the remote radius server, and if you want you
can define a nickname for it in /etc/raddb/naslist just as for normal NASes.
You need to add the hostname and secret for the remote server in the
file /etc/raddb/clients. On the remote server you need to add the
hostname of your server and the same secret to /etc/raddb/clients as well.
The realm "DEFAULT" (without the quotes) matches all realms.

If you set the remoteserver to "LOCAL", the request will be handled
locally as usual, without sending it to a remote radius server.

The realm "NULL" matches any requests WITHOUT a realm.

Normally the @realm is stripped from the username before sending it on
to the remote radius server. If you add the keyword "nostrip" to the
options, the @realm suffix will not be stripped.
The exact thing that happens is this:

- A user logs in with an @realm suffix
- The hints file gets processed as usual
- The user is checked against the huntgroups file. At this point
  the user _might_ already be rejected.
- The realm is looked up in the realms file. If it isn't defined,
  the users file is processed normally.
- The realm suffix is stripped from the username unless "nostrip" was
  set, and the request is sent to a remote radius server. Note that
  any stripping done in the hints file doesn't have an effect on the
  username sent to the remote radius server.
- The remote server replies with ACK or REJECT

  On ACK:    The initial Auth-Type is set to Accept
  On REJECT: The initial Auth-Type is set to Reject
The remote server also replies with a set of attributes. For security,
all attributes are stripped except:
Then the users file is processed as usual.
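As an added illustration (not code from FreeRadius itself), the following Python models the realms file format and the lookup rules described above: an exact realm entry, then "DEFAULT" for any other realm, "NULL" for users with no realm, "LOCAL" meaning no proxying, and "nostrip" keeping the suffix. The realms file contents, hostnames and the default port of 1645 are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample realms file (not from the FreeRadius distribution).
REALMS_FILE = """\
# realm        remoteserver[:port]   options
example.com    radius.example.com:1645
corp.example   LOCAL
NULL           LOCAL
DEFAULT        roaming.example.net   nostrip
"""

@dataclass
class Realm:
    name: str
    server: str     # hostname, or the literal LOCAL
    port: int
    nostrip: bool   # keep the @realm suffix when forwarding

def parse_realms(text: str, default_port: int = 1645) -> list[Realm]:
    """Parse 'realm remoteserver[:port] options' lines; '#' starts a comment.
    default_port is an assumption, not a value taken from the document."""
    realms = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name, target, opts = fields[0], fields[1], fields[2:]
        host, _, port = target.partition(":")
        realms.append(Realm(name, host, int(port) if port else default_port,
                            "nostrip" in opts))
    return realms

def route(username: str, realms: list[Realm]) -> tuple[str, str]:
    """Return (username as forwarded, destination); destination is 'LOCAL'
    or 'host:port'. Lookup order modelled from the text: the exact realm
    entry, then DEFAULT for any realm, and NULL for a user with no realm."""
    by_name = {r.name: r for r in realms}
    user, sep, realm = username.rpartition("@")
    if sep:
        entry = by_name.get(realm) or by_name.get("DEFAULT")
    else:
        user, entry = username, by_name.get("NULL")
    if entry is None or entry.server == "LOCAL":
        return username, "LOCAL"     # no proxying; the users file handles it
    return (username if entry.nostrip else user), f"{entry.server}:{entry.port}"
```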