OUR SITES NetworkRADIUS FreeRADIUS

Virtual Servers

FreeRADIUS 4.0 supports virtual servers. This is probably the single largest change that is NOT backwards compatible with 1.x.

The virtual servers do NOT have to be set up with the sites-available and sites-enabled directories. You can still have one "radiusd.conf" file, and put the server configuration there:

...
server {
    recv Access-Request {
        ...
    }
    authenticate pap {
        ...
    }
    ...
}
...

The power of virtual servers lies in their ability to separate policies. A policy can be placed into a virtual server, where it is guaranteed to affect only the requests that are passed through that virtual server. In 1.x, the policies were global, and it sometimes took much effort to write a policy so that it only applied in certain limited situations.

What do we mean by "virtual server"?

A virtual server is a (nearly complete) RADIUS server, just like a configuration for FreeRADIUS 1.x. However, FreeRADIUS can now run multiple virtual servers at the same time. The virtual servers can even proxy requests to each other!

The simplest way to create a virtual server is to take the all of the request processing sections from radius.conf, ("authorize" , "authenticate", etc.) and wrap them in a "server \{}" block, as above.

You can create another virtual server by:

  • defining a new "server foo \{…}" section in radiusd.conf

  • Putting the normal "authorize", etc. sections inside of it

  • Adding a "listen" section inside of the "server" section.

e.g.

...
server foo {
    listen {
        ipaddr = 127.0.0.1
        port = 2000
        type = auth
    }

    recv Access-Request {
        &control.Password.Cleartext := "bob"
        pap
    }

    authenticate pap {
        pap
    }
}
...

With that text added to radiusd.conf, run the server in debugging mode (radiusd -X), and in another terminal window, type:

$ radtest bob bob localhost:2000 0 testing123

You should see the server return an Access-Accept.

Capabilities and limitations

The only sub-sections that can appear in a virtual server section are:

listen
client
authorize
authenticate
post-auth
pre-proxy
post-proxy
preacct
accounting
session

All other configuration parameters (modules, etc.) are global.

Inside of a virtual server, the authorize, etc. sections have their normal meaning, and can contain anything that an authorize section could contain in 1.x.

When a "listen" section is inside of a virtual server definition, it means that all requests sent to that IP/port will be processed through the virtual server. There cannot be two "listen" sections with the same IP address and port number.

When a "client" section is inside of a virtual server definition, it means that that client is known only to the "listen" sections that are also inside of that virtual server. Not only is this client definition available only to this virtual server, but the details of the client configuration is also available only to this virtual server.

i.e. Two virtual servers can listen on different IP address and ports, but both can have a client with IP address 127.0.0.1. The shared secret for that client can be different for each virtual server.

More complex "listen" capabilities

The "listen" sections have a few additional configuration items that were not in 1.x, and were not mentioned above. These configuration items enable almost any mapping of IP / port to clients to virtual servers.

The configuration items are:

virtual_server = <name>

    If set, all requests sent to this IP / port are processed
    through the named virtual server.

    This directive can be used only for "listen" sections
    that are global.  i.e. It CANNOT be used if the
    "listen" section is inside of a virtual server.

clients = <name>

    If set, the "listen" section looks for a "clients" section:

        clients <name> {
            ...
        }

    It looks inside of that named "clients" section for
    "client" subsections, at least one of which must
    exist.  Each client in that section is added to the
    list of known clients for this IP / port.  No other
    clients are known.

    If it is set, it over-rides the list of clients (if
    any) in the same virtual server.  Note that the
    clients are NOT additive!

    If it is not set, then the clients from the current
    virtual server (if any) are used.  If there are no
    clients in this virtual server, then the global
    clients are used.

    i.e. The most specific directive is used:
        * configuration in this "listen" section
        * clients in the same virtual server
        * global clients

    The directives are also *exclusive*, not *additive*.
    If you have one client in a virtual server, and
    another client referenced from a "listen" section,
    then that "listen" section will ONLY use the second
    client.  It will NOT use both clients.

More complex "client" capabilities

The "client" sections have a few additional configuration items that were not in 1.x, and were not mentioned above. These configuration items enable almost any mapping of IP / port to clients to virtual servers.

The configuration items are:

virtual_server = <name>

    If set, all requests from this client are processed
    through the named virtual server.

    This directive can be used only for "client" sections
    that are global.  i.e. It CANNOT be used if the
    "client" section is inside of a virtual server.

If the "listen" section has a "server" entry, and a matching client is found ALSO with a "server" entry, then the clients server is used for that request.

Worked examples

Listening on one socket, and mapping requests from two clients to two different servers.

listen {
    ...
}
client one {
    ...
    virtual_server = server_one
}
client two {
    ...
    virtual_server = server_two
}
server server_one {
    recv Access-Request {
        ...
    }
    ...
}
server server_two {
    recv Access-Request {
        ...
    }
    ...
}

This could also be done as:

listen {
    ...
    virtual_server = server_one
}
client one {
    ...
}
client two {
    ...
    virtual_server = server_two
}
server server_one {
    recv Access-Request {
        ...
    }
    ...
}
server server_two {
    recv Access-Request {
        ...
    }
    ...
}

In this case, the default server for the socket is "server_one", so there is no need to set that in the client "one" configuration. The "server_two" configuration for client "two" over-rides the default setting for the socket.

Note that the following configuration will NOT work:

listen {
    ...
    virtual_server = server_one
}
client one {
    ...
}
server server_one {
    recv Access-Request {
        ...
    }
    ...
}
server server_two {
    client two {
        ...
    }
    recv Access-Request {
        ...
    }
    ...
}

In this example, client "two" is hidden inside of the virtual server, where the "listen" section cannot find it.

Outlined examples

This section outlines a number of examples, with alternatives.

  • one server, multiple sockets

    • multiple "listen" sections in a "server" section

  • one server per client

    • define multiple servers

    • have a global "listen" section

    • have multiple global "clients", each with "virtual_server = X"

  • two servers, each with their own sockets

    • define multiple servers

    • put "client" sections into each "server"

    • put a "listen" section into each "server"

      Each server can list the same client IP, and the secret can be different.

  • two sockets, sharing a list of clients, but pointing to different servers

    • define global "listen" sections

    • in each, set "virtual_server = X"

    • in each, set "clients = Y"

    • define "clients Y" section, containing multiple clients.

      This also means that you can have a third socket, which doesn’t share any of these clients.

How to decide what to do

If you want completely separate policies for a socket or a client, then create a separate virtual server. Then, map the request to that server by setting configuration entries in a "listen" section or in a "client" section.

Start off with the common cases first. If most of the clients and/or sockets get a particular policy, make that policy the default. Configure it without paying attention to the sockets or clients you want to add later, and without adding a second virtual server. Once it works, then add the second virtual server.

If you want to reuse the previously defined sockets with the second virtual server, then you will need one or more global "client" sections. Those clients will contain a "virtual_server = …" entry that will direct requests from those clients to the appropriate virtual server.