OUR SITES NetworkRADIUS FreeRADIUS

Radrelay Configuration

Use with:

radiusd -n radrelay

This file is a sample configuration that replaces the old radrelay program. It is a minimal configuration that does little more than read the detail file, and proxy the packets to a home server. If you need it to do more than just replace radrelay, you will need to add additional configuration.

See raddb/sites-available/copy-acct-to-home-server for a more complete example. That example is intended to be run as part of a larger RADIUS configuration, where the server also listens on ports 1812, etc. The example given here is a minimal example that has only radrelay functionality.

See radiusd.conf for a complete description of the configuration parameters used here.

Why radrelay is needed

Many sites run multiple radius servers; at least one primary and one backup server. When the primary goes down, most NASes will detect that and switch to the backup server.

That change will cause your accounting packets to go the the backup server - and some NASes will not switch back to the primary server when it comes back up.

The result is that accounting records are missed, and/or the administrator must jump through hoops in order to combine the different detail files from multiple servers. It also means that the accounting database gets out of sync.

radrelay solves this issue by "relaying" packets from one server to another, so they both have the same set of accounting data.

Overload

If the RADIUS server suddenly receives a many accounting packets, there may be insufficient CPU power to process them all in a timely manner. This problem is especially noticeable when the accounting packets are going to a back-end database.

Similarly, you may have one database that tracks "live" sessions, and another that tracks historical accounting data. In that case, accessing the first database is fast, as it is small. Accessing the second database many be slower, as it may contain multiple gigabytes of data. In addition, writing to the first database in a timely manner is important, while data may be written to the second database with a few minutes delay, without any harm being done.

General definitions

The following options define where the server files are stored when installed. They are set by 'make' at compile time, and it is unlikely to need to change them.

name

This is the name of the running server.

See also the -n command-line option.

Location of config and logfiles.

max_request_time
cleanup_delay

Request handling configuration.

Logging configuration

The following section defines global server logging options. For more configurable and detailed logging, the logging modules should be used (rlm_detail, rlm_linelog etc.)

destination: Destination for log messages.

This can be one of:

Destination

Description

file

Log to file, as defined below.

syslog

To syslog (see also the syslog_facility, below.

stdout

Standard output.

stderr

Standard error.

The command-line option -X over-rides this option, and forces logging to go to stdout.

file

The logging messages for the server are appended to the tail of this file if ${destination} == "file"

If the server is running in debugging mode, this file is NOT used.
SECURITY CONFIGURATION

There may be multiple methods of attacking on the server. This section holds the configuration items which minimize the impact of those attacks

max_attributes

The maximum number of attributes permitted in a RADIUS packet. Packets which have MORE than this number of attributes in them will be dropped.

If this number is set too low, then no RADIUS packets will be accepted.

If this number is set too high, then an attacker may be able to send a small number of packets which will cause the server to use all available memory on the machine.

Setting this number to 0 means "allow any number of attributes"

reject_delay && status_server don’t apply when we are only reading accounting packets from the detail file

allow_vulnerable_openssl: Allow the server to start with versions of OpenSSL known to have critical vulnerabilities.

This check is based on the version number reported by libssl and may not reflect patches applied to libssl by distribution maintainers.

Modules

If you need more modules, add them here. The radrelay configuration is very simple, and only includes one module.

If you need to instantiate modules, add them here.

Home server configuration

Proxying has changed in v4. This example is no longer correct.

Define a home server, which is where packets should be relayed to.

type
ipaddr

This directive replaces the -r command-line option in radrelay.

port
src_ipaddr

This directive replaces the -i command-line option in radrelay.

secret

This directive replaces the -s, -S, and -n command-line options in radrelay.

List one or more home servers here for fail-over, load-balancing, etc. By default we just send all relayed packets to the one home server, home1, defined above.

Create a dummy realm that relays to the above server pool.

Server configuration

We now define a virtual server to read RADIUS packets from a 'detail' file, and proxy them to the dummy realm above.

Read the detail file:

type
filename

The filename here should be the same as the one used by the main radiusd program.

It writes the file using the detail module (see raddb/modules/detail).

load_factor

This section is called when the server receives an Accounting-Request packet (which will be from the "detail" reader above.

See also raddb/sites-available/copy-acct-to-home-server for additional description.

Proxy the packet using the given realm. Note that we do not use the realm for anything else such as prefix/suffix stripping, or comparisons.

Default Configuration

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radrelay
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
log {
	destination = file
	file = ${logdir}/${name}.log
}
security {
	max_attributes = 200
	allow_vulnerable_openssl = no
}
modules {
	$INCLUDE ${confdir}/mods-enabled/always
}
instantiate {
}
home_server home1 {
	type = acct
	ipaddr = 192.0.2.20
	port = 1812
#	src_ipaddr = 192.0.2.1
	secret = testing123
}
home_server_pool radrelay {
	type = fail-over
	home_server = home1
}
realm radrelay {
	acct_pool = radrelay
}
server radrelay {
	listen {
		type = detail
		filename = ${radacctdir}/detail
		load_factor = 90
	}
	recv Accounting-Request {
		update control {
			Proxy-To-Realm := "radrelay"
		}
	}
}