2 # proxy.conf - proxy radius and realm configuration directives
4 # This file is included by default. To disable it, you will need
5 # to modify the PROXY CONFIGURATION section of "radiusd.conf".
7 #######################################################################
9 # Proxy server configuration
11 # This entry controls the servers behaviour towards ALL other servers
12 # to which it sends proxy requests.
16 # Note that as of 2.0, the "synchronous", "retry_delay",
17 # "retry_count", and "dead_time" have all been deprecated.
18 # For backwards compatibility, they are are still accepted
19 # by the server, but they ONLY apply to the old-style realm
20 # configuration. i.e. realms with "authhost" and/or "accthost"
23 # i.e. "retry_delay" and "retry_count" have been replaced
24 # with per-home-server "pings". See the "home_server" example
27 # i.e. "dead_time" has been replaced with a per-home-server
28 # "revive_interval". We strongly recommend that this not
29 # be used, however. The new "ping" method is much better.
31 # Note that while we call these messages "pings" they are NOT
32 # the same as the ICMP packets sent by the "ping" command.
33 # These messages are normal RADIUS packets, sent to a home
34 # server to determine if it is alive.
37 # In 2.0, the server is always "synchronous", and setting
38 # "synchronous = no" is impossible. This simplifies the
39 # server and increases the stability of the network.
41 # If you need to set "synchronous = no", please send a
42 # message to the list <freeradius-users@lists.freeradius.org>
43 # explaining why this feature is vital for your network.
46 # If a realm exists, but there are no live home servers for
47 # it, we can fall back to using the "DEFAULT" realm. This is
48 # most useful for accounting, where the server can proxy
49 # accounting requests to home servers, but if they're down,
50 # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL),
51 # and then store the packets in the "detail" file. That data
52 # can be later proxied to the home servers by radrelay, when
53 # those home servers come back up again.
55 # Setting this to "yes" may have issues for authentication.
56 # i.e. If you are proxying for two different ISP's, and then
57 # act as a general dial-up for Gric. If one of the first two
58 # ISP's has their RADIUS server go down, you do NOT want to
59 # proxy those requests to GRIC. Instead, you probably want
60 # to just drop the requests on the floor. In that case, set
63 # allowed values: {yes, no}
69 #######################################################################
71 # Configuration for the proxy realms.
73 # As of 2.0. the old-style "realms" file is deprecated, and is not
76 # As of 2.0, the "realm" configuration has changed. Instead of
77 # specifying "authhost" and "accthost" in a realm section, the home
78 # servers are specified seperately in a "home_server" section. For
79 # backwards compatibility, you can still use the "authhost" and
80 # "accthost" directives. If you only have one home server for a
81 # realm, it is easier to use the old-style configuration.
83 # However, if you have multiple servers for a realm, we STRONGLY
84 # suggest moving to the new-style configuration.
87 # Load-balancing and failover between home servers is handled via
88 # a "server_pool" section.
90 # Finally, The "realm" section defines the realm, some options, and
91 # indicates which server pool should be used for the realm.
93 # This change means that simple configurations now require multiple
94 # ssections to define a realm. However, complex configurations
95 # are much simpler than before, as multiple realms can share the same
98 # That is, realms point to server pools, and server pools point to
99 # home servers. Multiple realms can point to one server pool. One
100 # server pool can point to multiple home servers. Each home server
101 # can appear in one or more pools.
104 ######################################################################
106 # This section defines a "Home Server" which is another RADIUS
107 # server that gets sent proxied requests. In earlier versions
108 # of FreeRADIUS, home servers were defined in "realm" sections,
109 # which was awkward. In 2.0, they have been made independent
110 # from realms, which is better for a number of reasons.
112 home_server localhost {
114 # Home servers can be sent Access-Request packets
115 # or Accounting-Request packets.
117 # Allowed values are:
118 # auth - send Access-Request packets
119 # acct - send Accounting-Request packets
123 # Configure ONE OF the following three entries:
132 # OR hostname, which will do address detection automatically
134 # Note that we do NOT recommend using hostnames, because
135 # it means that the server has to do a DNS lookup to
136 # determine the IP address of the home server. If the
137 # DNS server is slow or unresponsible, it means that
138 # FreeRADIUS will NOT be able to determine the IP
139 # address, and will therefore NOT start.
141 # hostname = localhost
144 # The port to which packets are sent.
146 # Usually 1812 for type "auth", and 1813 for type "acct".
147 # Older servers may use 1645 and 1646.
152 # The shared secret use to "encrypt" and "sign" packets between
153 # FreeRADIUS and the home server.
155 # The secret can be any string, up to 8k characters in length.
157 # Control codes can be entered vi octal encoding,
158 # e.g. "\101\102" == "AB"
159 # Quotation marks can be entered by escaping them,
161 # Spaces or other "special" characters can be entered
162 # by putting quotes around the string.
168 ############################################################
170 # The rest of the configuration items listed here are optional,
171 # and do not have to appear in every home server definition.
173 ############################################################
176 # If the home server doesn't respond to the request within
177 # this time, this server will consider the request dead, and
178 # respond to the NAS with an Access-Reject.
180 # Useful range of values: 5 to 60
184 # If the home server does not respond to ANY packets for
185 # a certain time, consider it dead. This time period is
186 # called the "zombie" period, because the server is neither
189 # Useful range of values: 20 to 120
192 ############################################################
194 # As of 2.0, FreeRADIUS supports RADIUS layer "pings". These
195 # are used by a proxy server to see if a home server is alive.
197 # Pings are sent ONLY if the proxying server believes that
198 # the home server is dead. Pings are NOT sent if the proxying
199 # server believes that the home server is alive. Pings are
200 # NOT sent if the proxying server is not proxying packets.
202 # If the home server responds to the "pings", then it is
203 # marked "alive" again, and is returned to use.
205 ############################################################
208 # Some home servers do not support RADIUS layer "pings" via
209 # the Status-Server packet. Others may not have a "test"
210 # user configured that can be used to query the server, to
211 # see if it is alive. For those servers, we have NO WAY
212 # of knowing when it becomes alive again. Therefore, after
213 # the server has been marked "dead", we wait a period of
214 # time, and mark it "alive" again, in the hope that it has
217 # If it has NOT come back to life, then FreeRADIUS will wait
218 # for "zombie_period" before marking it dead again. During
219 # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because
220 # the home server is still dead. There is NOTHING that can
221 # be done about this, other than to enable "pings", as
224 # e.g. if "zombie_period" is 40 seconds, and "revive_interval"
225 # is 300 seconds, the for 40 seconds out of every 340, or about
226 # 10% of the time, all authentications will fail.
228 # If the "zombie_period" and "revive_interval" configurations
229 # are set smaller, than it is possible for up to 50% of
230 # authentications to fail.
232 # As a result, we recommend enabling Status-Server "pings", and
233 # we do NOT recommend using "revive_interval".
235 # If the "ping_check" entry below is not "none", then the
236 # "revive_interval" entry can be deleted, as it will not be
239 # Useful range of values: 60 to 3600
240 revive_interval = 120
243 # The proxying server (i.e. this one) can do periodic "ping"
244 # checks to see if a dead home server has come back alive.
246 # If set to "none", then the ping configuration items listed
247 # below are not used, and the "revive_interval" time is used
250 # If set to "status-server", the Status-Server packets are
251 # sent. Many RADIUS servers support Status-Server. If a
252 # server does not support it, please contact the server
253 # vendor and request that they add it.
255 # If set to "request", then Access-Request, or Accounting-Request
256 # packets are sent, depending on the "type" entry above (auth/acct).
258 # Allowed values: none, status-server, request
259 ping_check = status-server
262 # If the home server does not support Status-Server "pings",
263 # then the server can still send Access-Request or
264 # Accounting-Request packets, with a pre-defined user name.
266 # This practice is NOT recommended, as it may potentially let
267 # users gain network access by using these "test" accounts!
269 # If it is used, we recommend that the home server ALWAYS
270 # respond to Access-Request "pings" with Access-Reject. The
271 # ping check just needs an answer, it does not need an
274 # For Accounting-Request "pings", only the username needs to
277 # username = "test_user_please_reject_me"
278 # password = "this is really secret"
281 # Configure the interval between sending ping packets.
283 # Setting it too low increases the probability of spurious
284 # fail-over and fallback attempts.
286 # Useful range of values: 6 to 120
290 # Configure the number of pings in a row that the home
291 # server needs to respond to before it is marked alive.
293 # If you want to mark a home server as alive after a short
294 # time period of being responsive, it is best to use a small
295 # "ping_interval", and a large value for "num_pings_to_alive".
296 # Using a long "ping_interval" and a small number for
297 # "num_pings_to_alive" increases the probability of spurious
298 # fail-over and fallback attempts.
300 # Useful range of values: 3 to 10
301 num_pings_to_alive = 3
305 ######################################################################
307 # This section defines a pool of home servers that is used
308 # for fail-over and load-balancing. In earlier versions of
309 # FreeRADIUS, fail-over and load-balancing were defined per-realm.
310 # As a result, if a server had 5 home servers, each of which served
311 # the same 10 realms, you would need 50 "realm" entries.
313 # In version 2.0, you would need 5 "home_server" sections,
314 # 10 'realm" sections, and one "server_pool" section to tie the
317 server_pool my_auth_failover {
319 # The type of this pool is either "fail-over" or "load-balance".
321 # With "fail-over", the request is sent to the first live
322 # home server in the list.
324 # With "load-balance", the request is load-balanced (randomly)
325 # between the live home servers. This is equivalent to the
326 # old per-realm configuration "round_robin".
331 # Next, a list of one or more home servers. The names
332 # of the home servers are NOT the hostnames, but the names
333 # of the sections. (e.g. home_server foo {...} has name "foo".
335 home_server = localhost
337 # Additional home servers can be listed.
338 # There is NO LIMIT to the number of home servers that can
339 # be listed, though using more than 10 or so will become
340 # difficult to manage.
342 # home_server = foo.example.com
343 # home_server = bar.example.com
344 # home_server = baz.example.com
348 ######################################################################
351 # This section defines a new-style "realm". Note the in version 2.0,
352 # there are many fewer configuration items than in 1.x for a realm.
354 # Automatic proxying is done via the "realms" module (see "man
355 # rlm_realm"). To manually proxy the request put this entry in the
360 #DEFAULT Proxy-To-Realm := "realm_name"
364 auth_pool = my_auth_failover
368 # Normally, when an incoming User-Name is matched against the
369 # realm, the realm name is "stripped" off, and the "stripped"
370 # user name is used to perform matches.
372 # e.g. User-Name = "bob@example.com" will result in two new
373 # attributes being created by the "realms" module:
375 # Stripped-User-Name = "bob"
376 # Realm = "example.com"
378 # The Stripped-User-Name is then used as a key in the "users"
381 # If you do not want this to happen, uncomment "nostrip" below.
385 # There are no more configuration entries for a realm.
390 # This is a sample entry for iPass.
391 # Note that you have to define "ipass_auth_pool" and
392 # "ipass_acct_pool", along with home_servers for them, too.
397 # auth_pool = ipass_auth_pool
398 # acct_pool = ipass_acct_pool
402 # This realm is used mainly to cancel proxying. You can have
403 # the "realm suffix" module configured to proxy all requests for
404 # a realm, and then later cancel the proxying, based on other
407 # For example, you want to terminate PEAP or EAP-TTLS locally,
408 # you can add the following to the "users" file:
410 # DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
413 # If we do not specify a server pool, the realm is LOCAL, and
414 # requests are not proxied to it.
418 # This realm is for requests which don't have an explicit realm
419 # prefix or suffix. User names like "bob" will match this one.
423 # authhost = radius.company.com:1600
424 # accthost = radius.company.com:1601
425 # secret = testing123
429 # This realm is for ALL OTHER requests.
433 # authhost = radius.company.com:1600
434 # accthost = radius.company.com:1601
435 # secret = testing123