#
#  proxy.conf - proxy radius and realm configuration directives
#
#  This file is included by default.  To disable it, you will need
#  to modify the PROXY CONFIGURATION section of "radiusd.conf".
#
#  NOTE(review): once any realm below is enabled, this file holds the
#  shared secrets used with the home servers.  Keep it readable only by
#  the account that runs the RADIUS server, and keep real secrets out of
#  version control and out of copies of this file that get shared.
#

#######################################################################
#
#  Proxy server configuration
#
#  This entry controls the server's behaviour towards ALL other servers
#  to which it sends proxy requests.
#
proxy server {
	#
	#  If the NAS re-sends the request to us, we can immediately re-send
	#  the proxy request to the end server.  To do so, use 'yes' here.
	#
	#  If this is set to 'no', then we send the retries on our own schedule,
	#  and ignore any duplicate NAS requests.
	#
	#  If you want to have the server send proxy retries ONLY when the NAS
	#  sends its retries to the server, then set this to 'yes', and
	#  set the other proxy configuration parameters to 0 (zero).
	#
	synchronous = no

	#
	#  The time (in seconds) to wait for a response from the proxy, before
	#  re-sending the proxied request.
	#
	#  If this time is set too high, then the NAS may re-send the request,
	#  or it may give up entirely, and reject the user.
	#
	#  If it is set too low, then the RADIUS server which receives the proxy
	#  request will get kicked unnecessarily.
	#
	retry_delay = 5

	#
	#  The number of retries to send before giving up, and sending a reject
	#  message to the NAS.
	#
	retry_count = 3

	#
	#  If the home server does not respond to any of the multiple retries,
	#  then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
	#
	#  If there are multiple entries configured for this realm, then the
	#  server will fail-over to the next one listed.  If no more are listed,
	#  then no requests will be proxied to that realm.
	#
	#
	#  After a configurable 'dead_time', in seconds, FreeRADIUS will
	#  speculatively mark the home server active, and start sending requests
	#  to it again.
	#
	#  If this dead time is set too low, then you will lose requests,
	#  as FreeRADIUS will quickly switch back to the home server, even if
	#  it isn't up again.
	#
	#  If this dead time is set too high, then FreeRADIUS may take too long
	#  to switch back to the primary home server.
	#
	#  Realistic values for this number are in the range of minutes to hours.
	#  (60 to 3600)
	#
	dead_time = 120

	#
	#  If you choose to list a realm more than once for fall-through or
	#  round-robin, then specify the total number of alternates here.  Specify
	#  an ldflag attribute for all realms to be included in a round-robin
	#  setup.  Currently (0 or fail_over) and (1 or round_robin) are the
	#  supported values for ldflag.  Fail-Over is the default setup.
	#
	servers_per_realm = 15

	#
	#  If all exact matching realms did not respond, we can try the
	#  DEFAULT realm, too.  This is what the server normally does.
	#
	#  This behaviour may be undesired for some cases.  e.g. You are proxying
	#  for two different ISPs, and then act as a general dial-up for GRIC.
	#  If one of the first two ISPs has their RADIUS server go down, you do
	#  NOT want to proxy those requests to GRIC.  Instead, you probably want
	#  to just drop the requests on the floor.  In that case, set this value
	#  to 'no'.
	#
	#  NOTE(review): this matters only when a DEFAULT realm is defined,
	#  here or in the 'realms' file (the DEFAULT example at the end of this
	#  file is commented out).  With 'yes', requests for a realm whose home
	#  servers are all unresponsive are forwarded to the DEFAULT realm's
	#  home server, i.e. to a different operator than the one named in the
	#  user's realm.  Use 'no' unless that operator is meant to receive
	#  those users' requests.
	#
	#  allowed values: {yes, no}
	#
	default_fallback = yes
}

#######################################################################
#
#  Configuration for the proxy realms.
#
#  The information given here is used in conjunction with the 'realms'
#  file.  This format is preferred, as it is more flexible.  The realms
#  listed here take priority over those listed in the 'realms' file.
#
#  NOTE(review): the 'secret' values in the examples below (TheirKey,
#  TheirKey2, testing123) are placeholders.  'testing123' in particular
#  is the widely known sample secret from the stock FreeRADIUS
#  configuration.  Before uncommenting a realm, replace its secret with
#  a long, randomly generated value agreed with that home server's
#  operator, and use a different secret for each home server.  The
#  shared secret is what the RADIUS protocol uses to authenticate
#  replies and to hide the User-Password attribute in transit.
#
#  NOTE(review): ports 1645/1646 in these examples are the historical
#  RADIUS ports; the IANA-assigned ports are 1812 (authentication) and
#  1813 (accounting).  Use whichever ports the home server listens on.
#
#realm isp2.com {
#	type = radius
#	authhost = radius.isp2.com:1645
#	accthost = radius.isp2.com:1646
#	secret = TheirKey
#	nostrip
#}

#
#  a fail-over realm for isp2.com
#
#realm isp2.com {
#	type = radius
#	authhost = radius2.isp2.com:1645
#	accthost = radius2.isp2.com:1646
#	secret = TheirKey2
#	nostrip
#}

#
#  1st node serv.com...set up for round-robin.
#  The ldflag attribute must be specified on all
#  realms included in a rr scheme.  ldflag may also
#  be set as zero on realms using fail-over.  Currently
#  (0 or fail_over) and (1 or round_robin) are the only
#  accepted values for ldflag.  Fail-Over is the default setup.
#
#realm serv.com {
#	type = radius
#	authhost = radius.serv.com:1645
#	accthost = radius.serv.com:1646
#	secret = TheirKey
#	ldflag = round_robin
#	nostrip
#}

#
#  Another node for serv.com
#
#realm serv.com {
#	type = radius
#	authhost = radius2.serv.com:1645
#	accthost = radius2.serv.com:1646
#	secret = TheirKey2
#	ldflag = round_robin
#	nostrip
#}

#
#  A third round-robin node realm for serv.com
#
#realm serv.com {
#	type = radius
#	authhost = radius3.serv.com:1645
#	accthost = radius3.serv.com:1646
#	secret = TheirKey2
#	ldflag = round_robin
#	nostrip
#}

#
#
#realm company.com {
#	type = radius
#	authhost = radius.company.com:1600
#	accthost = radius.company.com:1601
#	secret = testing123
#}

#
#  This is a local realm.  The requests are NOT proxied,
#  but instead are authenticated by the RADIUS server itself.
#
#  You don't need a secret if BOTH 'authhost' and 'accthost' are
#  set to LOCAL.
#
#realm bla.com {
#	type = radius
#	authhost = LOCAL
#	accthost = LOCAL
#}

#
#  This realm is for requests which don't have an explicit realm
#  prefix or suffix.  User names like "bob" will match this one.
#
#realm NULL {
#	type = radius
#	authhost = radius.company.com:1600
#	accthost = radius.company.com:1601
#	secret = testing123
#}

#
#  This realm is for ALL OTHER requests.
#
#  NOTE(review): if enabled, every request whose realm matches no other
#  entry (including mistyped or unknown realms) is forwarded to this
#  home server.
#
#realm DEFAULT {
#	type = radius
#	authhost = radius.company.com:1600
#	accthost = radius.company.com:1601
#	secret = testing123
#}

#realm myfakerealm {
#	type = radius
#	authhost = radius.company.com:1600
#	accthost = radius.company.com:1601
#	secret = testing123
#	notrealm
#}