
4.8 List of Proxy Realms — ‘raddb/realms’

The ‘raddb/realms’ file lists remote Radius servers that are allowed to communicate with the local Radius server (see section Proxying).

Each record consists of up to three fields, separated by whitespace. Two of them are mandatory. The fields are:

Realm name

Specifies the name of the realm being defined, i.e. part of the login name after the ‘@’ symbol. There are three special forms of this field.

The name ‘NOREALM’ defines the empty realm, i.e. lines marked with this name will match user names without any realm suffix.

The name ‘DEFAULT’ defines the default realm (see section Realms). The lines with this realm name will match any user name, not matched by any other line in ‘raddb/realms’.

Remote server list

A comma-separated list of remote servers to which the requests for this realm should be forwarded. Each item in the list is:

    servername[:auth-port[:acct-port]]

Optional auth-port and acct-port are the authentication and accounting port numbers. If acct-port is omitted, it is computed as auth-port + 1. If auth-port is omitted, the default authentication port number is used.

The servers from this list are tried in turn until any of them replies or the list is exhausted, whichever occurs first. The timeout value and number of retries for each server are set via timeout and retry flags (see below).

There may be cases where you would wish a particular realm to be served by the server itself. It is tempting to write

    # Wrong!
    realm.name      localhost

however, this will not work. A special form of the server list is provided for this case: the word ‘LOCAL’. The correct configuration line for the above case is thus:

    # Use this to declare a locally handled realm
    realm.name      LOCAL

Flags (optional)

The flags meaningful in ‘raddb/realms’ are

ignorecase

Boolean value. When set, enables case-insensitive comparison of realm names. For example, if a realm were defined as

    myrealm.net     remote.server.net:1812  ignorecase

then user names whose realm part differs from ‘myrealm.net’ only in letter case (for example ‘MYREALM.NET’) will match this definition.

strip

Boolean value. Controls whether the realm name should be stripped off the username before forwarding the request to the remote server. Setting strip enables stripping, setting nostrip disables it. Default is to always strip user names.

quota=num

Set maximum number of concurrent logins allowed from this realm to the given value (num).

timeout

Number of seconds to wait for reply from the remote server before retransmitting the request.

retries

Number of attempts to contact a server. If the server does not respond after the last attempt, the next server from the list is tried.

auth

Proxy only authentication requests.

acct

Proxy only accounting requests.



4.8.1 Example of ‘realms’ file

Example 1.

    # Realm                 Remote server[:port]            flags
    #----------------       ---------------------           --------
    that.net                radius.that.net                 nostrip
    dom.ain                 server.dom.ain:3000             strip,quota=20
    remote.net              srv1.remote.net,srv2.remote.net

Example 2.

    # Realm                 Remote server[:port]            flags
    #----------------       ---------------------           --------
    NOREALM                 radius.server.net
    that.net                radius.that.net                 nostrip
    dom.ain                 server.dom.ain:3000             strip,quota=20
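As an added illustration (not code from GNU Radius itself), the following Python parses records in the format described above and resolves a login name to its realm record, applying the NOREALM, DEFAULT, LOCAL, ignorecase and strip/nostrip rules from this section. The default authentication port value 1812 is an assumption, since this page does not state it, and any sample records fed to it are constructed input.

```python
DEFAULT_AUTH_PORT = 1812  # assumption: the page does not state the default auth port

def parse_server(item):
    """servername[:auth-port[:acct-port]] -> (host, auth, acct); acct defaults to auth + 1."""
    parts = item.split(":")
    auth = int(parts[1]) if len(parts) > 1 else DEFAULT_AUTH_PORT
    acct = int(parts[2]) if len(parts) > 2 else auth + 1
    return parts[0], auth, acct

def parse_realms(text):
    """Parse raddb/realms records into dicts with keys name, local, servers, flags."""
    realms = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # comments and blank lines are ignored
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("realm record needs a name and a server list: %r" % raw)
        flags = {"strip": True}                      # stripping is the default
        for flag in (fields[2].split(",") if len(fields) > 2 else []):
            key, _, val = flag.partition("=")
            if key == "nostrip":
                flags["strip"] = False
            elif key in ("quota", "timeout", "retries"):
                flags[key] = int(val)
            else:                                    # strip, ignorecase, auth, acct
                flags[key] = True
        local = fields[1] == "LOCAL"                 # served by this server, no forwarding
        servers = [] if local else [parse_server(s) for s in fields[1].split(",")]
        realms.append({"name": fields[0], "local": local, "servers": servers, "flags": flags})
    return realms

def lookup(realms, username):
    """Return (matching record or None, User-Name to forward) for a login name."""
    user, sep, realm = username.rpartition("@")
    if not sep:
        user, realm = username, None                 # no realm suffix at all
    fallback = None
    for r in realms:
        name, flags = r["name"], r["flags"]
        if name == "DEFAULT":
            fallback = fallback or r                 # used only if no other line matches
        elif name == "NOREALM":
            if realm is None:
                return r, username
        elif realm is not None and (name.lower() == realm.lower()
                                    if flags.get("ignorecase") else name == realm):
            return r, user if flags["strip"] else username
    return fallback, user if fallback and fallback["flags"]["strip"] else username
```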


This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.