2 # proxy.conf - proxy radius and realm configuration directives
4 # This file is included by default. To disable it, you will need
5 # to modify the PROXY CONFIGURATION section of "radiusd.conf".
7 #######################################################################
9 # Proxy server configuration
11 # This entry controls the servers behaviour towards ALL other servers
12 # to which it sends proxy requests.
16 # Note that as of 2.0, the "synchronous", "retry_delay",
17 # "retry_count", and "dead_time" have all been deprecated.
18 # For backwards compatibility, they are are still accepted
19 # by the server, but they ONLY apply to the old-style realm
20 # configuration. i.e. realms with "authhost" and/or "accthost"
23 # i.e. "retry_delay" and "retry_count" have been replaced
24 # with per-home-server configuration. See the "home_server"
25 # example below for details.
27 # i.e. "dead_time" has been replaced with a per-home-server
28 # "revive_interval". We strongly recommend that this not
29 # be used, however. The new method is much better.
32 # In 2.0, the server is always "synchronous", and setting
33 # "synchronous = no" is impossible. This simplifies the
34 # server and increases the stability of the network.
36 # If you need to set "synchronous = no", please send a
37 # message to the list <freeradius-users@lists.freeradius.org>
38 # explaining why this feature is vital for your network.
41 # If a realm exists, but there are no live home servers for
42 # it, we can fall back to using the "DEFAULT" realm. This is
43 # most useful for accounting, where the server can proxy
44 # accounting requests to home servers, but if they're down,
45 # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL),
46 # and then store the packets in the "detail" file. That data
47 # can be later proxied to the home servers by radrelay, when
48 # those home servers come back up again.
50 # Setting this to "yes" may have issues for authentication.
51 # i.e. If you are proxying for two different ISP's, and then
52 # act as a general dial-up for Gric. If one of the first two
53 # ISP's has their RADIUS server go down, you do NOT want to
54 # proxy those requests to GRIC. Instead, you probably want
55 # to just drop the requests on the floor. In that case, set
58 # allowed values: {yes, no}
64 #######################################################################
66 # Configuration for the proxy realms.
68 # As of 2.0. the old-style "realms" file is deprecated, and is not
71 # As of 2.0, the "realm" configuration has changed. Instead of
72 # specifying "authhost" and "accthost" in a realm section, the home
73 # servers are specified seperately in a "home_server" section. For
74 # backwards compatibility, you can still use the "authhost" and
75 # "accthost" directives. If you only have one home server for a
76 # realm, it is easier to use the old-style configuration.
78 # However, if you have multiple servers for a realm, we STRONGLY
79 # suggest moving to the new-style configuration.
82 # Load-balancing and failover between home servers is handled via
83 # a "server_pool" section.
85 # Finally, The "realm" section defines the realm, some options, and
86 # indicates which server pool should be used for the realm.
88 # This change means that simple configurations now require multiple
89 # ssections to define a realm. However, complex configurations
90 # are much simpler than before, as multiple realms can share the same
93 # That is, realms point to server pools, and server pools point to
94 # home servers. Multiple realms can point to one server pool. One
95 # server pool can point to multiple home servers. Each home server
96 # can appear in one or more pools.
99 ######################################################################
101 # This section defines a "Home Server" which is another RADIUS
102 # server that gets sent proxied requests. In earlier versions
103 # of FreeRADIUS, home servers were defined in "realm" sections,
104 # which was awkward. In 2.0, they have been made independent
105 # from realms, which is better for a number of reasons.
107 home_server localhost {
109 # Home servers can be sent Access-Request packets
110 # or Accounting-Request packets.
112 # Allowed values are:
113 # auth - Handles Access-Request packets
114 # acct - Handles Accounting-Request packets
115 # auth+acct - Handles Access-Request packets at "port",
116 # and Accounting-Request packets at "port + 1"
120 # Configure ONE OF the following three entries:
129 # OR hostname, which will do address detection automatically
131 # Note that we do NOT recommend using hostnames, because
132 # it means that the server has to do a DNS lookup to
133 # determine the IP address of the home server. If the
134 # DNS server is slow or unresponsible, it means that
135 # FreeRADIUS will NOT be able to determine the IP
136 # address, and will therefore NOT start.
138 # hostname = localhost
141 # The port to which packets are sent.
143 # Usually 1812 for type "auth", and 1813 for type "acct".
144 # Older servers may use 1645 and 1646.
149 # The shared secret use to "encrypt" and "sign" packets between
150 # FreeRADIUS and the home server.
152 # The secret can be any string, up to 8k characters in length.
154 # Control codes can be entered vi octal encoding,
155 # e.g. "\101\102" == "AB"
156 # Quotation marks can be entered by escaping them,
158 # Spaces or other "special" characters can be entered
159 # by putting quotes around the string.
165 ############################################################
167 # The rest of the configuration items listed here are optional,
168 # and do not have to appear in every home server definition.
170 ############################################################
173 # If the home server doesn't respond to the request within
174 # this time, this server will consider the request dead, and
175 # respond to the NAS with an Access-Reject.
177 # Useful range of values: 5 to 60
181 # If the home server does not respond to ANY packets for
182 # a certain time, consider it dead. This time period is
183 # called the "zombie" period, because the server is neither
186 # Useful range of values: 20 to 120
189 ############################################################
191 # As of 2.0, FreeRADIUS supports RADIUS layer "status
192 # checks". These are used by a proxy server to see if a home
195 # These status packets are sent ONLY if the proxying server
196 # believes that the home server is dead. They are NOT sent
197 # if the proxying server believes that the home server is
198 # alive. They are NOT sent if the proxying server is not
201 # If the home server responds to the status check packet,
202 # then it is marked alive again, and is returned to use.
204 ############################################################
207 # Some home servers do not support status checks via the
208 # Status-Server packet. Others may not have a "test" user
209 # configured that can be used to query the server, to see if
210 # it is alive. For those servers, we have NO WAY of knowing
211 # when it becomes alive again. Therefore, after the server
212 # has been marked dead, we wait a period of time, and mark
213 # it alive again, in the hope that it has come back to
216 # If it has NOT come back to life, then FreeRADIUS will wait
217 # for "zombie_period" before marking it dead again. During
218 # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because
219 # the home server is still dead. There is NOTHING that can
220 # be done about this, other than to enable the status checks,
221 # as documented below.
223 # e.g. if "zombie_period" is 40 seconds, and "revive_interval"
224 # is 300 seconds, the for 40 seconds out of every 340, or about
225 # 10% of the time, all authentications will fail.
227 # If the "zombie_period" and "revive_interval" configurations
228 # are set smaller, than it is possible for up to 50% of
229 # authentications to fail.
231 # As a result, we recommend enabling status checks, and
232 # we do NOT recommend using "revive_interval".
234 # If the "status_check" entry below is not "none", then the
235 # "revive_interval" entry can be deleted, as it will not be
238 # Useful range of values: 60 to 3600
239 revive_interval = 120
242 # The proxying server (i.e. this one) can do periodic status
243 # checks to see if a dead home server has come back alive.
245 # If set to "none", then the other configuration items listed
246 # below are not used, and the "revive_interval" time is used
249 # If set to "status-server", the Status-Server packets are
250 # sent. Many RADIUS servers support Status-Server. If a
251 # server does not support it, please contact the server
252 # vendor and request that they add it.
254 # If set to "request", then Access-Request, or Accounting-Request
255 # packets are sent, depending on the "type" entry above (auth/acct).
257 # Allowed values: none, status-server, request
258 status_check = status-server
261 # If the home server does not support Status-Server packets,
262 # then the server can still send Access-Request or
263 # Accounting-Request packets, with a pre-defined user name.
265 # This practice is NOT recommended, as it may potentially let
266 # users gain network access by using these "test" accounts!
268 # If it is used, we recommend that the home server ALWAYS
269 # respond to these Access-Request status checks with
270 # Access-Reject. The status check just needs an answer, it
271 # does not need an Access-Accept.
273 # For Accounting-Request status checks, only the username
274 # needs to be set. The rest of the accounting attribute are
275 # set to default values. The home server that receives these
276 # accounting packets SHOULD NOT treat them like normal user
277 # accounting packets. i.e It should probably NOT log them to
280 # username = "test_user_please_reject_me"
281 # password = "this is really secret"
284 # Configure the interval between sending status check packets.
286 # Setting it too low increases the probability of spurious
287 # fail-over and fallback attempts.
289 # Useful range of values: 6 to 120
293 # Configure the number of status checks in a row that the
294 # home server needs to respond to before it is marked alive.
296 # If you want to mark a home server as alive after a short
297 # time period of being responsive, it is best to use a small
298 # "check_interval", and a large value for
299 # "num_answers_to_alive". Using a long "check_interval" and
300 # a small number for "num_answers_to_alive" increases the
301 # probability of spurious fail-over and fallback attempts.
303 # Useful range of values: 3 to 10
304 num_answers_to_alive = 3
308 ######################################################################
310 # This section defines a pool of home servers that is used
311 # for fail-over and load-balancing. In earlier versions of
312 # FreeRADIUS, fail-over and load-balancing were defined per-realm.
313 # As a result, if a server had 5 home servers, each of which served
314 # the same 10 realms, you would need 50 "realm" entries.
316 # In version 2.0, you would need 5 "home_server" sections,
317 # 10 'realm" sections, and one "server_pool" section to tie the
320 server_pool my_auth_failover {
322 # The type of this pool controls how home servers are chosen.
324 # fail-over - the request is sent to the first live
325 # home server in the list. i.e. If the first home server
326 # is marked "dead", the second one is chosen, etc.
328 # load-balance - the least busy home server is chosen,
329 # where "least busy" is counted by taking the number of
330 # requests sent to that home server, and subtracting the
331 # number of responses received from that home server.
333 # If there are two or more servers with the same low
334 # load, then one of those servers is chosen at random.
335 # This configuration is most similar to the old
336 # "round-robin" method, though it is not exactly the same.
338 # Note that load balancing does not work well with EAP,
339 # as EAP requires packets for an EAP conversation to be
340 # sent to the same home server. The load balancing method
341 # does not keep state in between packets, meaning that
342 # EAP packets for the same conversation may be sent to
343 # different home servers. This will prevent EAP from
346 # For non-EAP authentication methods, and for accounting
347 # packets, we recommend using "load-balance". It will
348 # ensure the highest availability for your network.
350 # client-balance - the home server is chosen by hashing the
351 # source IP address of the packet. If that home server
352 # is down, the next one in the list is used, just as
355 # There is no way of predicting which source IP will map
356 # to which home server.
358 # This configuration is most useful to do simple load
359 # balancing for EAP sessions, as the EAP session will
360 # always be sent to the same home server.
362 # client-port-balance - the home server is chosen by hashing
363 # the source IP address and source port of the packet.
364 # If that home server is down, the next one in the list
365 # is used, just as with "fail-over".
367 # This method provides slightly better load balancing
368 # for EAP sessions than "client-balance". However, it
369 # also means that authentication and accounting packets
370 # for the same session MAY go to different home servers.
372 # keyed-balance - the home server is chosen by hashing (FNV)
373 # the contents of the Load-Balance-Key attribute from the
374 # control items. The request is then sent to home server
377 # server = (hash % num_servers_in_pool).
379 # If there is no Load-Balance-Key in the control items,
380 # the load balancing method is identical to "load-balance".
385 # Next, a list of one or more home servers. The names
386 # of the home servers are NOT the hostnames, but the names
387 # of the sections. (e.g. home_server foo {...} has name "foo".
389 # Note that ALL home servers listed here have to be of the same
390 # type. i.e. they all have to be "auth", or they all have to
391 # be "acct", or the all have to be "auth+acct".
393 home_server = localhost
395 # Additional home servers can be listed.
396 # There is NO LIMIT to the number of home servers that can
397 # be listed, though using more than 10 or so will become
398 # difficult to manage.
400 # home_server = foo.example.com
401 # home_server = bar.example.com
402 # home_server = baz.example.com
406 ######################################################################
409 # This section defines a new-style "realm". Note the in version 2.0,
410 # there are many fewer configuration items than in 1.x for a realm.
412 # Automatic proxying is done via the "realms" module (see "man
413 # rlm_realm"). To manually proxy the request put this entry in the
418 #DEFAULT Proxy-To-Realm := "realm_name"
423 # Realms point to pools of home servers.
425 # For authentication, the "auth_pool" configuration item
426 # should point to a "server_pool" that was previously
427 # defined. All of the home servers in the "auth_pool" must
430 # For accounting, the "acct_pool" configuration item
431 # should point to a "server_pool" that was previously
432 # defined. All of the home servers in the "acct_pool" must
435 # If you have a "server_pool" where all of the home servers
436 # are of type "auth+acct", you can just use the "pool"
437 # configuration item, instead of specifying both "auth_pool"
440 auth_pool = my_auth_failover
444 # Normally, when an incoming User-Name is matched against the
445 # realm, the realm name is "stripped" off, and the "stripped"
446 # user name is used to perform matches.
448 # e.g. User-Name = "bob@example.com" will result in two new
449 # attributes being created by the "realms" module:
451 # Stripped-User-Name = "bob"
452 # Realm = "example.com"
454 # The Stripped-User-Name is then used as a key in the "users"
457 # If you do not want this to happen, uncomment "nostrip" below.
461 # There are no more configuration entries for a realm.
466 # This is a sample entry for iPass.
467 # Note that you have to define "ipass_auth_pool" and
468 # "ipass_acct_pool", along with home_servers for them, too.
473 # auth_pool = ipass_auth_pool
474 # acct_pool = ipass_acct_pool
478 # This realm is used mainly to cancel proxying. You can have
479 # the "realm suffix" module configured to proxy all requests for
480 # a realm, and then later cancel the proxying, based on other
483 # For example, you want to terminate PEAP or EAP-TTLS locally,
484 # you can add the following to the "users" file:
486 # DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
489 # If we do not specify a server pool, the realm is LOCAL, and
490 # requests are not proxied to it.
494 # This realm is for requests which don't have an explicit realm
495 # prefix or suffix. User names like "bob" will match this one.
498 # authhost = radius.company.com:1600
499 # accthost = radius.company.com:1601
500 # secret = testing123
504 # This realm is for ALL OTHER requests.
507 # authhost = radius.company.com:1600
508 # accthost = radius.company.com:1601
509 # secret = testing123