Radrelay Configuration
Use with:
radiusd -n radrelay
This file is a sample configuration that replaces the old
radrelay
program. It is a minimal configuration that
does little more than read the detail
file, and proxy the
packets to a home server. If you need it to do more than
just replace radrelay
, you will need to add additional
configuration.
See raddb/sites-available/copy-acct-to-home-server
for a
more complete example. That example is intended to be run
as part of a larger RADIUS configuration, where the server
also listens on ports 1812, etc. The example given here
is a minimal example that has only radrelay
functionality.
See radiusd.conf
for a complete description of the configuration
parameters used here.
Why radrelay is needed
Many sites run multiple radius servers; at least one primary and one backup server. When the primary goes down, most NASes will detect that and switch to the backup server.
That change will cause your accounting packets to go the the backup server - and some NASes will not switch back to the primary server when it comes back up.
The result is that accounting records are missed, and/or the administrator must jump through hoops in order to combine the different detail files from multiple servers. It also means that the accounting database gets out of sync.
radrelay
solves this issue by "relaying" packets from one server to
another, so they both have the same set of accounting data.
Overload
If the RADIUS server suddenly receives a many accounting packets, there may be insufficient CPU power to process them all in a timely manner. This problem is especially noticeable when the accounting packets are going to a back-end database.
Similarly, you may have one database that tracks "live" sessions, and another that tracks historical accounting data. In that case, accessing the first database is fast, as it is small. Accessing the second database many be slower, as it may contain multiple gigabytes of data. In addition, writing to the first database in a timely manner is important, while data may be written to the second database with a few minutes delay, without any harm being done.
General definitions
The following options define where the server files are stored when installed. They are set by 'make' at compile time, and it is unlikely to need to change them.
- name
-
This is the name of the running server.
See also the -n
command-line option.
Location of config and logfiles.
- max_request_time
- cleanup_delay
-
Request handling configuration.
Logging configuration
The following section defines global server logging options.
For more configurable and detailed logging, the logging modules
should be used (rlm_detail
, rlm_linelog
etc.)
destination: Destination for log messages.
This can be one of:
Destination |
Description |
files |
Log to |
syslog |
To syslog (see also the |
stdout |
Standard output. |
stderr |
Standard error. |
The command-line option -X
over-rides this option, and forces
logging to go to stdout.
- file
-
The logging messages for the server are appended to the tail of this file
if ${destination} == "files"
If the server is running in debugging mode, this file is NOT used. |
There may be multiple methods of attacking on the server. This section holds the configuration items which minimize the impact of those attacks
- max_attributes
-
The maximum number of attributes permitted in a RADIUS packet. Packets which have MORE than this number of attributes in them will be dropped.
If this number is set too low, then no RADIUS packets will be accepted.
If this number is set too high, then an attacker may be able to send a small number of packets which will cause the server to use all available memory on the machine.
Setting this number to 0 means "allow any number of attributes"
reject_delay && status_server don’t apply when we are only reading accounting packets from the detail file
allow_vulnerable_openssl: Allow the server to start with versions of OpenSSL known to have critical vulnerabilities.
This check is based on the version number reported by libssl and may not reflect patches applied to libssl by distribution maintainers.
Modules
If you need more modules, add them here. The radrelay
configuration is very simple, and only includes one module.
If you need to instantiate modules, add them here.
Home server configuration
Proxying has changed in v4. This example is no longer correct. |
Define a home server
, which is where packets should be
relayed to.
- type
- ipaddr
-
This directive replaces the
-r
command-line option inradrelay
. - port
- src_ipaddr
-
This directive replaces the
-i
command-line option inradrelay
. - secret
-
This directive replaces the
-s
,-S
, and-n
command-line options inradrelay
.
List one or more home servers here for fail-over,
load-balancing, etc. By default we just send all relayed
packets to the one home server, home1
, defined above.
Create a dummy realm that relays to the above server pool.
Server configuration
We now define a virtual server to read RADIUS packets from a 'detail' file, and proxy them to the dummy realm above.
Read the detail file:
- type
- filename
-
The filename here should be the same as the one used by the main
radiusd
program.
It writes the file using the detail
module (see raddb/modules/detail
).
- load_factor
-
This section is called when the server receives an Accounting-Request packet (which will be from the "detail" reader above.
See also raddb/sites-available/copy-acct-to-home-server
for additional description.
Proxy the packet using the given realm. Note that we do not use the realm for anything else such as prefix/suffix stripping, or comparisons.
Default Configuration
prefix = /Users/alandekok/git/wrapper//install
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radrelay
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
log {
destination = files
file = ${logdir}/${name}.log
}
security {
max_attributes = 200
allow_vulnerable_openssl = no
}
modules {
$INCLUDE ${confdir}/mods-enabled/always
}
instantiate {
}
home_server home1 {
type = acct
ipaddr = 192.0.2.20
port = 1812
# src_ipaddr = 192.0.2.1
secret = testing123
}
home_server_pool radrelay {
type = fail-over
home_server = home1
}
realm radrelay {
acct_pool = radrelay
}
server radrelay {
listen {
type = detail
filename = ${radacctdir}/detail
load_factor = 90
}
recv Accounting-Request {
&control.Proxy-To-Realm := "radrelay"
}
}