
Product Versions

Eltex-RADIUS 1.7+

Eltex-RADIUS can proxy requests to a home RADIUS server. Out of the box, only authorization (Access-Request) proxying to a single server is supported. This section describes how to configure proxying of both authorization and accounting requests to one or more home servers.

Default configuration

The default proxying configuration is located in the /etc/eltex-radius/local.conf file and looks like this:

part of /etc/eltex-radius/local.conf
# Proxying
proxy_auth=0
proxy_domain_regex="^(.+\.)?enterprise\.root$"
proxy_host="127.0.0.1"
proxy_port=18121
proxy_secret="eltex"
  • proxy_auth – proxying status; allowed values are 0 and 1, 0 (disabled) by default
  • proxy_domain_regex – a regular expression that defines the domains whose authorization requests will be proxied. To proxy all requests, set this parameter to "^(.+\.)?root$"
  • proxy_host – the address of the home server requests will be proxied to
  • proxy_port – the port the home server listens on
  • proxy_secret – the shared secret configured on the home server for Eltex-RADIUS; remember that within such a configuration Eltex-RADIUS acts as a NAS (RADIUS client) towards the home server, so the home server must list it as a client with this secret. The shipped value "eltex" must be replaced before proxying is enabled.
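Before setting proxy_auth to 1 it is worth seeing which User-Names the regex will actually send off-box, because every proxied Access-Request carries the user's credentials to the home server. The checker below is an added example, not Eltex-RADIUS code: it assumes the string matched against proxy_domain_regex is the part of User-Name after "@", and the local.conf fragment it parses is constructed here from the page's default block with proxying switched on.

```python
"""Lint the proxying block of /etc/eltex-radius/local.conf and show which
users would be proxied.  Added example, not Eltex-RADIUS code.  Assumption:
the domain matched against proxy_domain_regex is the part after '@' in
User-Name."""
import re

DEFAULT_SECRET = "eltex"  # value shipped in the default local.conf

# Constructed sample: the page's default block with proxy_auth switched on.
SAMPLE_LOCAL_CONF = r'''
# Proxying
proxy_auth=1
proxy_domain_regex="^(.+\.)?enterprise\.root$"
proxy_host="10.10.10.11"
proxy_port=1812
proxy_secret="eltex"
'''


def parse_local_conf(text: str) -> dict:
    """key=value lines; values may be double-quoted; lines starting with '#'
    are comments (a '#' inside a quoted secret is left alone)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf[key] = value
    return conf


def lint_proxy_settings(conf: dict) -> list:
    """Return human-readable findings; an empty list means the block is sane."""
    findings = []
    if conf.get("proxy_auth") not in ("0", "1"):
        findings.append("proxy_auth must be 0 or 1")
    regex = conf.get("proxy_domain_regex", "")
    try:
        re.compile(regex)
    except re.error as exc:
        findings.append(f"proxy_domain_regex does not compile: {exc}")
    if not (regex.startswith("^") and regex.endswith("$")):
        findings.append("proxy_domain_regex is not anchored; unintended "
                        "domains may be proxied")
    port = conf.get("proxy_port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append("proxy_port is not a valid UDP port")
    if conf.get("proxy_secret", "") == DEFAULT_SECRET:
        findings.append("proxy_secret is the shipped default; it is all that "
                        "authenticates Eltex-RADIUS to the home server")
    return findings


def is_proxied(user_name: str, conf: dict) -> bool:
    """Would an Access-Request for this User-Name leave the local server?
    re.search (not fullmatch) is used on purpose: an unanchored pattern
    matches anywhere in the domain, which is why the lint insists on ^...$."""
    if conf.get("proxy_auth") != "1":
        return False
    domain = user_name.rsplit("@", 1)[1] if "@" in user_name else ""
    return re.search(conf["proxy_domain_regex"], domain) is not None


if __name__ == "__main__":
    conf = parse_local_conf(SAMPLE_LOCAL_CONF)
    for finding in lint_proxy_settings(conf):
        print("WARNING:", finding)
    for user in ("alice@enterprise.root", "bob@hq.enterprise.root",
                 "eve@enterprise.root.example", "local-user"):
        print(f"{user:32} proxied={is_proxied(user, conf)}")
```

Run it against your real local.conf (read the file instead of SAMPLE_LOCAL_CONF) before restarting the daemon; the unanchored-regex finding is the one that most often surprises people, because "(.+\.)?root" also matches a domain such as root.attacker.example.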

Fine-tuning is done in /etc/eltex-radius/proxy.conf, which by default looks like this:

proxy server {
        # Do not fall back to the DEFAULT realm when no realm matches
        default_fallback = no
}

home_server auth_proxy {
        type = auth
        ipaddr = "${proxy_host}"
        port = "${proxy_port}"
        secret = "${proxy_secret}"

        # Seconds to wait for a reply before a request counts as timed out
        response_window = 20

        #
        #  Start "zombie_period" after this many responses have
        #  timed out.
        #
#       response_timeouts = 1
        # A zombie server has this many seconds to answer status checks
        # before it is marked dead
        zombie_period = 40
        # Used when status_check = none: a dead server is marked alive
        # again after this many seconds, without any check
        revive_interval = 120

        # Probe zombie and dead servers with Status-Server packets
        status_check = status-server
        # Seconds between probes
        check_interval = 30
        # Seconds to wait for a reply to a probe
        check_timeout = 4
        # Consecutive probe replies needed before the server is marked alive
        num_answers_to_alive = 3
        # Maximum number of requests in flight to this server
        max_outstanding = 65536
}

home_server_pool auth_proxy_failover {
        type = fail-over
        home_server = auth_proxy
}

realm auth_proxy {
        auth_pool = auth_proxy_failover
}

realm LOCAL {
        #  If we do not specify a server pool, the realm is LOCAL, and
        #  requests are not proxied to it.
}

The following sections are important: 

  • home_server
  • home_server_pool
  • realm auth_proxy

Proxying authorization to another (home) RADIUS server

The simplest case is proxying authorization requests to a single home RADIUS server. The /etc/eltex-radius/local.conf file should be modified as follows:

part of /etc/eltex-radius/local.conf
# Proxying
proxy_auth=1
proxy_domain_regex="^(.+\.)?enterprise\.root$"
proxy_host="10.10.10.11"
proxy_port=1812
proxy_secret="topsecret"

With this configuration, all authorization requests for domains in the enterprise.root hierarchy are proxied to port 1812 of the server at 10.10.10.11, with topsecret as the shared secret.

Accounting requests are still processed locally, i.e., by Eltex-RADIUS itself.

No changes to /etc/eltex-radius/proxy.conf are required.

Proxying authorization and accounting to home RADIUS server

To proxy accounting requests as well as authorization requests, the /etc/eltex-radius/proxy.conf file must be modified.
In the home_server section, change the value of the type parameter to auth+acct:

home_server auth_proxy {
        type = auth+acct
        ipaddr = "${proxy_host}"
        port = "${proxy_port}"
        secret = "${proxy_secret}"

        response_window = 20

        #
        #  Start "zombie_period" after this many responses have
        #  timed out.
        #
#       response_timeouts = 1
        zombie_period = 40
        revive_interval = 120

        status_check = status-server
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
}

In the realm auth_proxy section, rename the auth_pool parameter to pool; the value stays the same:

realm auth_proxy {
        pool = auth_proxy_failover
}


In the /etc/eltex-radius/servers/default file, add a proxy_auth line after preprocess in the preacct section:

preacct {
        preprocess
        proxy_auth
        acct_counters64
        acct_unique
        acct_ciscoavpair

        # Parse common cisco-avp ('domain' for example)
        common_ciscoavpair
        rewrite_called_station_id

        if (${pcrf_enabled} == 0) {
            fill_ap_domain
            fill_ssid_security
        }

        files
}

Proxying authorization and accounting to multiple RADIUS servers

This option requires more extensive changes to the configuration files. Proxying to two home servers is considered below, but the same method scales to more.
Edit /etc/eltex-radius/local.conf, adding an individual host, port and secret for each home server:

# Proxying
proxy_auth=1
proxy_domain_regex="^(.+\.)?root$"

proxy1_host="10.10.10.11"
proxy1_port=1812
proxy1_secret="topsecret"

proxy2_host="10.10.10.12"
proxy2_port=1812
proxy2_secret="topsecret"


Then modify /etc/eltex-radius/proxy.conf to match. A home_server section with a unique name must be described for each server.
All home_server sections are added to a home_server_pool, which in turn is referenced from the auth_proxy realm. As both accounting and authorization are to be proxied, the parameter pointing to the pool must be named pool. Where possible, give each home server its own secret rather than reusing one value (the example below reuses topsecret only for brevity).

home_server auth_proxy1 {
        type = auth+acct
        ipaddr = "${proxy1_host}"
        port = "${proxy1_port}"
        secret = "${proxy1_secret}"

        response_window = 20

        #
        #  Start "zombie_period" after this many responses have
        #  timed out.
        #
#       response_timeouts = 1
        zombie_period = 40
        revive_interval = 120

        status_check = status-server
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
}

home_server auth_proxy2 {
        type = auth+acct
        ipaddr = "${proxy2_host}"
        port = "${proxy2_port}"
        secret = "${proxy2_secret}"

        response_window = 20

        zombie_period = 40
        revive_interval = 120

        status_check = status-server
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
}


home_server_pool auth_proxy_failover {
        type = fail-over
        home_server = auth_proxy1
        home_server = auth_proxy2
}

realm auth_proxy {
        pool = auth_proxy_failover
}

Add a proxy_auth line after preprocess in the preacct section of the /etc/eltex-radius/servers/default file, as described above.

The configuration above does fail-over between the home servers; the mode is selected by the type parameter of the home_server_pool section. A load-balance mode is also available; see link 2 in the Sources section for details.

Disabling home server's status check

When proxying is enabled, the home server status-check mechanism is active. If a home server stops responding for some time and then becomes available again, it must answer a Status-Server request; only after that does proxying resume.

In practice it may turn out that a home server cannot answer Status-Server requests, or is not configured to do so. In that case the check can be disabled.
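Before switching the check off, confirm from the Eltex-RADIUS host that the home server really does not answer Status-Server. The probe below is an added example, not Eltex-RADIUS code; the host, port and secret it uses are taken from the page's sample configuration and are assumptions. It builds a Status-Server request with the Message-Authenticator that RFC 5997 makes mandatory (a home server must silently drop a Status-Server without it, which looks exactly like a dead server) and accepts a reply only if its Response Authenticator was computed with the shared secret, so a spoofed reply from the network cannot make a dead server look alive. The server-side functions are included so the exchange can be checked end to end without a live server.

```python
"""Status-Server probe for a RADIUS home server (RFC 5997).
Added example, not Eltex-RADIUS code.  Host/port/secret are assumptions
taken from the page's sample configuration."""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12          # RFC 5997 request code
ACCESS_ACCEPT = 2           # expected reply on an auth port
ACCOUNTING_RESPONSE = 5     # expected reply on an acct port
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869 / RFC 5997)
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def build_status_server(secret: bytes, identifier: int, request_auth: bytes) -> bytes:
    """Client side: Status-Server with Message-Authenticator = HMAC-MD5 over
    the whole packet, keyed with the shared secret, computed with the
    attribute's own 16 value bytes set to zero."""
    attr_len = 2 + 16
    length = HEADER.size + attr_len
    packet = (HEADER.pack(STATUS_SERVER, identifier, length, request_auth)
              + bytes((MESSAGE_AUTHENTICATOR, attr_len)) + b"\x00" * 16)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def check_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: locate Message-Authenticator, recompute the HMAC with its
    value zeroed and compare in constant time."""
    if len(packet) < HEADER.size:
        return False
    length = HEADER.unpack_from(packet)[2]
    if length != len(packet):
        return False
    pos = HEADER.size
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


def build_reply(secret: bytes, code: int, identifier: int,
                request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    head = struct.pack("!BBH", code, identifier, length)
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def verify_reply(secret: bytes, identifier: int, request_auth: bytes, reply: bytes) -> bool:
    """Client side: accept the reply only if it carries our Identifier, has a
    consistent Length, is an Accept/Accounting-Response, and its Response
    Authenticator was computed with the shared secret."""
    if len(reply) < HEADER.size:
        return False
    code, rid, length, response_auth = HEADER.unpack_from(reply)
    if rid != identifier or length != len(reply):
        return False
    if code not in (ACCESS_ACCEPT, ACCOUNTING_RESPONSE):
        return False
    attrs = reply[HEADER.size:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def probe(host: str, port: int, secret: bytes, timeout: float = 4.0) -> bool:
    """Send one Status-Server and report whether a verified reply arrived
    within `timeout` (4 s mirrors check_timeout in proxy.conf)."""
    identifier = os.urandom(1)[0]
    request_auth = os.urandom(16)
    request = build_status_server(secret, identifier, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_reply(secret, identifier, request_auth, reply)


if __name__ == "__main__":
    # Assumed values from the page's sample configuration; adjust to yours.
    print("home server answers Status-Server:", probe("10.10.10.11", 1812, b"topsecret"))
```

Run it on the Eltex-RADIUS host itself, since the home server normally accepts packets only from the source addresses it has as clients. If the probe times out while ordinary Access-Requests to the same server succeed, the home server does not support Status-Server and disabling the check is the right fix; if both fail, the problem is reachability or the shared secret, and disabling the check will only hide it.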

To disable the check, make the following changes in /etc/eltex-radius/proxy.conf:

in the home_server auth_proxy section set:

    status_check = none (status-server by default)

    revive_interval = 60 (120 by default)

in the home_server_pool auth_proxy_failover section make sure that:

    type = fail-over (not load-balance)

Then restart the daemon with service eltex-radius restart.

As a result, if the connection between the servers fails, proxying resumes 60 seconds after communication is re-established. Note that with status_check = none nothing verifies that the home server is actually back: after revive_interval it is simply marked alive again, and if it is still down, requests proxied to it will time out (response_window) until it is marked dead once more.

Sources

  1. https://wiki.freeradius.org/version4/upgrade/proxy
  2. https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/proxy.conf