Product versions: Eltex-RADIUS 1.7+
Eltex-RADIUS can proxy requests to a home RADIUS server. Out of the box, only authorization requests are proxied, and only to a single server. This section describes how to configure proxying of both authorization and accounting requests to one or more home servers.
Default configuration
The default proxying configuration lives in the /etc/eltex-radius/local.conf file and looks like this:

    # Proxying
    proxy_auth=0
    proxy_domain_regex="^(.+\.)?enterprise\.root$"
    proxy_host="127.0.0.1"
    proxy_port=18121
    proxy_secret="eltex"
proxy_auth – proxying status; allowed values are 0 and 1; 0 (disabled) by default.
proxy_domain_regex – a regular expression that selects the domains whose authorization requests are proxied. To proxy all requests, set it to "^(.+\.)?root$". Keep the pattern anchored with ^ and $ and the dots escaped; an unanchored pattern such as enterprise.root would also match look-alike domains like enterprise.root.example and send their requests to the home server.
proxy_host – the address of the home server that requests are proxied to.
proxy_port – the UDP port of the home server (1812 on a standard RADIUS server).
proxy_secret – the shared secret configured on the home server for the Eltex-RADIUS client. Remember that in this configuration Eltex-RADIUS acts as a NAS (RADIUS client) toward the home server, so the home server needs a client entry for the Eltex-RADIUS address with the same secret. Replace the shipped value "eltex" with a long random secret before enabling proxying.
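As an added example (not part of the Eltex documentation or of the Eltex-RADIUS code), the following Python script parses the proxy_* block of local.conf, runs the checks a practitioner would want before switching proxy_auth to 1 (address, port, regex anchoring, shipped secret), and shows which realms a given proxy_domain_regex actually proxies. The 16-character secret threshold, the assumption that the regex is applied as an unanchored search, and the sample domains are the example's own, not something the product defines.

```python
"""Lint the proxy_* block of /etc/eltex-radius/local.conf and show which
domains a proxy_domain_regex really sends to the home server."""
import ipaddress
import re

# Constructed sample: the default proxying block quoted above, not read
# from a live server.
DEFAULT_LOCAL_CONF = r"""
# Proxying
proxy_auth=0
proxy_domain_regex="^(.+\.)?enterprise\.root$"
proxy_host="127.0.0.1"
proxy_port=18121
proxy_secret="eltex"
"""

# Constructed sample of a careless edit: proxying switched on with the
# shipped secret left in place.
ENABLED_LOCAL_CONF = r"""
# Proxying
proxy_auth=1
proxy_domain_regex="^(.+\.)?enterprise\.root$"
proxy_host="10.10.10.11"
proxy_port=1812
proxy_secret="eltex"
"""

SHIPPED_SECRET = "eltex"   # value in the default local.conf
MIN_SECRET_LEN = 16        # local policy assumption, not an Eltex requirement


def parse_local_conf(text):
    """Parse KEY=value lines (value optionally double-quoted) into a dict.
    Comment and blank lines are skipped; a line without '=' is an error."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def check_proxy_settings(conf):
    """Return a list of problems with the proxy_* parameters; empty means OK."""
    problems = []
    enabled = conf.get("proxy_auth")
    if enabled not in ("0", "1"):
        problems.append("proxy_auth must be 0 or 1")
    try:
        ipaddress.ip_address(conf.get("proxy_host", ""))
    except ValueError:
        problems.append("proxy_host is not an IP address")
    port = conf.get("proxy_port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("proxy_port must be in 1..65535")
    regex = conf.get("proxy_domain_regex", "")
    try:
        re.compile(regex)
        if not (regex.startswith("^") and regex.endswith("$")):
            # An unanchored pattern also matches enterprise.root.attacker.example.
            problems.append("proxy_domain_regex is not anchored with ^ ... $")
    except re.error as exc:
        problems.append(f"proxy_domain_regex does not compile: {exc}")
    if enabled == "1":  # the secret only matters once requests leave the box
        secret = conf.get("proxy_secret", "")
        if secret == SHIPPED_SECRET:
            problems.append("proxy_secret is still the shipped default")
        if len(secret) < MIN_SECRET_LEN:
            problems.append(f"proxy_secret is shorter than {MIN_SECRET_LEN} characters")
    return problems


def proxied_domains(regex, domains):
    """Return the domains the regex would hand to the home server.
    re.search mirrors an unanchored match, so the ^ and $ inside the
    pattern are what keep look-alike domains local (assumption)."""
    pattern = re.compile(regex)
    return [d for d in domains if pattern.search(d)]


# Constructed realms to probe the pattern with.
SAMPLE_DOMAINS = [
    "enterprise.root", "branch.enterprise.root", "a.b.enterprise.root",
    "myenterprise.root", "enterprise.root.example", "enterpriseXroot",
    "other.root",
]

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_LOCAL_CONF), ("enabled", ENABLED_LOCAL_CONF)):
        print(name, check_proxy_settings(parse_local_conf(text)) or "OK")
    for regex in (r"^(.+\.)?enterprise\.root$", r"^(.+\.)?root$", r"enterprise.root"):
        print(regex, "->", proxied_domains(regex, SAMPLE_DOMAINS))
```

Running it prints that the shipped configuration passes (proxying is off, so the secret is never used on the wire), that the "enabled" variant is rejected for its secret, and that the unescaped, unanchored pattern enterprise.root proxies six of the seven sample domains where the page's pattern proxies three.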
Fine-tuning is done in /etc/eltex-radius/proxy.conf, which by default contains:

    proxy server {
        default_fallback = no
    }

    home_server auth_proxy {
        type = auth
        ipaddr = "${proxy_host}"
        port = "${proxy_port}"
        secret = "${proxy_secret}"
        response_window = 20
        #
        # Start "zombie_period" after this many responses have
        # timed out.
        #
        # response_timeouts = 1
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
    }

    home_server_pool auth_proxy_failover {
        type = fail-over
        home_server = auth_proxy
    }

    realm auth_proxy {
        auth_pool = auth_proxy_failover
    }

    realm LOCAL {
        # If we do not specify a server pool, the realm is LOCAL, and
        # requests are not proxied to it.
    }
The sections that matter are home_server, home_server_pool and realm auth_proxy.
Proxying authorization to another (home) RADIUS server
The simplest case is proxying authorization requests to a single home RADIUS server. Modify the /etc/eltex-radius/local.conf file as follows:

    # Proxying
    proxy_auth=1
    proxy_domain_regex="^(.+\.)?enterprise\.root$"
    proxy_host="10.10.10.11"
    proxy_port=1812
    proxy_secret="topsecret"

With this configuration, all authorization requests for the enterprise.root domain hierarchy are proxied to port 1812 of the server at 10.10.10.11, using topsecret as the shared secret. The value is a placeholder: use your own long random secret, the same one that is configured for the Eltex-RADIUS client on the home server. No changes to /etc/eltex-radius/proxy.conf are required.
Proxying authorization and accounting to home RADIUS server
To proxy accounting requests as well as authorization requests, the /etc/eltex-radius/proxy.conf file has to be modified. In the home_server section, change the value of the type parameter to auth+acct:

    home_server auth_proxy {
        type = auth+acct
        ipaddr = "${proxy_host}"
        port = "${proxy_port}"
        secret = "${proxy_secret}"
        response_window = 20
        #
        # Start "zombie_period" after this many responses have
        # timed out.
        #
        # response_timeouts = 1
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
    }

In the FreeRADIUS proxy syntax used here, a home_server of type auth+acct receives Access-Requests on the configured port and Accounting-Requests on port + 1 (1813 when proxy_port is 1812), so the home server must accept the Eltex-RADIUS client on both ports.
In the realm auth_proxy section, replace the auth_pool parameter with pool; the value stays the same (auth_pool applies to authorization only, pool to both authorization and accounting):

    realm auth_proxy {
        pool = auth_proxy_failover
    }
In the file /etc/eltex-radius/servers/default, add a proxy_auth line after preprocess in the preacct section:

    preacct {
        preprocess
        proxy_auth
        acct_counters64
        acct_unique
        acct_ciscoavpair
        # Parse common cisco-avp ('domain' for example)
        common_ciscoavpair
        rewrite_called_station_id
        if (${pcrf_enabled} == 0) {
            fill_ap_domain
            fill_ssid_security
        }
        files
    }

Restart the daemon afterwards with service eltex-radius restart.
Proxying authorization and accounting to multiple RADIUS servers
This option requires more extensive changes to the configuration files. Proxying to two home servers is described below; the same method scales to more servers. Edit /etc/eltex-radius/local.conf, adding individual host, port and secret parameters for each home server (the regex below proxies every domain, as described in the default configuration section):

    # Proxying
    proxy_auth=1
    proxy_domain_regex="^(.+\.)?root$"
    proxy1_host="10.10.10.11"
    proxy1_port=1812
    proxy1_secret="topsecret"
    proxy2_host="10.10.10.12"
    proxy2_port=1812
    proxy2_secret="topsecret"
Modify /etc/eltex-radius/proxy.conf to match the configuration above. Describe a home_server section with a unique name for each server, add all the home_server entries to the home_server_pool, and point the auth_proxy realm at that pool. As both accounting and authorization are to be proxied, the parameter that references the pool must be named pool:

    home_server auth_proxy1 {
        type = auth+acct
        ipaddr = "${proxy1_host}"
        port = "${proxy1_port}"
        secret = "${proxy1_secret}"
        response_window = 20
        #
        # Start "zombie_period" after this many responses have
        # timed out.
        #
        # response_timeouts = 1
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
    }

    home_server auth_proxy2 {
        type = auth+acct
        ipaddr = "${proxy2_host}"
        port = "${proxy2_port}"
        secret = "${proxy2_secret}"
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
    }

    home_server_pool auth_proxy_failover {
        type = fail-over
        home_server = auth_proxy1
        home_server = auth_proxy2
    }

    realm auth_proxy {
        pool = auth_proxy_failover
    }

With type = fail-over, all requests go to auth_proxy1 while it is alive and auth_proxy2 is used only after auth_proxy1 has been marked dead; type = load-balance spreads requests across both. The example reuses one secret for both home servers for brevity; in practice configure a distinct secret per home server, matching the client entry on that server.
Add a proxy_auth line after preprocess in the preacct section of the /etc/eltex-radius/servers/default file, as described above, and restart the daemon.
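Because the multi-server method is meant to scale, here is an added example (not part of the Eltex documentation or of the Eltex-RADIUS code) that derives the proxyN prefixes from an already-parsed local.conf and renders the matching proxy.conf sections for any number of home servers: one home_server per prefix named auth_proxy1, auth_proxy2, ..., a home_server_pool listing them all, and the realm referencing the pool with pool (or auth_pool when only authorization is proxied). The accepted pool types are FreeRADIUS's; the per-server timers are copied from the auth_proxy2 block above; the dict layout, the SAMPLE_CONF values and the duplicate-secret check are the example's own assumptions.

```python
"""Render the home_server / home_server_pool / realm sections of
/etc/eltex-radius/proxy.conf for N home servers declared as
proxyN_host / proxyN_port / proxyN_secret in local.conf."""
import re

# Constructed: local.conf already parsed into a dict (the two-server
# configuration shown above). Parsing itself is not repeated here.
SAMPLE_CONF = {
    "proxy_auth": "1",
    "proxy_domain_regex": r"^(.+\.)?root$",
    "proxy1_host": "10.10.10.11", "proxy1_port": "1812", "proxy1_secret": "topsecret",
    "proxy2_host": "10.10.10.12", "proxy2_port": "1812", "proxy2_secret": "topsecret",
}

# Timers copied from the auth_proxy2 block above; the option names are
# FreeRADIUS home_server options.
HOME_SERVER_TEMPLATE = """\
home_server {name} {{
    type = {server_type}
    ipaddr = "${{{prefix}_host}}"
    port = "${{{prefix}_port}}"
    secret = "${{{prefix}_secret}}"
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    check_timeout = 4
    num_answers_to_alive = 3
    max_outstanding = 65536
}}
"""

POOL_TYPES = ("fail-over", "load-balance", "client-balance",
              "client-port-balance", "keyed-balance")
# Which realm key references the pool for a given home_server type.
POOL_KEY = {"auth": "auth_pool", "acct": "acct_pool", "auth+acct": "pool"}


def find_home_servers(conf):
    """Return the proxyN prefixes present in conf, in numeric order.
    A prefix with a host but no port or secret is a configuration error."""
    prefixes = {}
    for key in conf:
        m = re.fullmatch(r"(proxy(\d+))_host", key)
        if m:
            prefixes[int(m.group(2))] = m.group(1)
    for prefix in prefixes.values():
        for suffix in ("_port", "_secret"):
            if prefix + suffix not in conf:
                raise ValueError(f"{prefix}{suffix} is missing from local.conf")
    return [prefixes[n] for n in sorted(prefixes)]


def reused_secrets(conf, prefixes):
    """Map each secret shared by several home servers to those servers.
    Unique per-server secrets are a local policy assumption."""
    seen = {}
    for p in prefixes:
        seen.setdefault(conf[p + "_secret"], []).append(p)
    return {s: ps for s, ps in seen.items() if len(ps) > 1}


def render_proxy_conf(prefixes, server_type="auth+acct", pool_type="fail-over",
                      pool_name="auth_proxy_failover", realm="auth_proxy"):
    """Render one home_server per prefix (realm1, realm2, ...), the pool
    listing them, and the realm pointing at the pool with the key that
    matches server_type."""
    if not prefixes:
        raise ValueError("at least one home server is required")
    if pool_type not in POOL_TYPES:
        raise ValueError(f"unknown pool type {pool_type!r}")
    if server_type not in POOL_KEY:
        raise ValueError(f"unknown home_server type {server_type!r}")
    names = [f"{realm}{i}" for i in range(1, len(prefixes) + 1)]
    out = [HOME_SERVER_TEMPLATE.format(name=n, server_type=server_type, prefix=p)
           for n, p in zip(names, prefixes)]
    pool = [f"home_server_pool {pool_name} {{", f"    type = {pool_type}"]
    pool += [f"    home_server = {n}" for n in names]
    pool.append("}\n")
    out.append("\n".join(pool))
    out.append(f"realm {realm} {{\n    {POOL_KEY[server_type]} = {pool_name}\n}}\n")
    return "\n".join(out)


if __name__ == "__main__":
    servers = find_home_servers(SAMPLE_CONF)
    shared = reused_secrets(SAMPLE_CONF, servers)
    if shared:
        print("# WARNING: one secret shared by several home servers:", shared)
    print(render_proxy_conf(servers))
```

Adding a third server is then a matter of adding proxy3_host, proxy3_port and proxy3_secret to local.conf and re-running the script; switching pool_type to "load-balance" changes only the pool's type line.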
Disabling home server's status check
When proxying is active, the home server's status check mechanism is enabled. If a home server stops responding for a while and then becomes available again, it has to answer a Status-Server request first; only then does proxying resume.
In practice it may turn out that a home server cannot answer Status-Server, or is not configured for it. In that case the check can be disabled with the following changes.
In the /etc/eltex-radius/proxy.conf file:
in the home_server auth_proxy section, set:
    status_check = none (status-server by default)
    revive_interval = 60 (120 by default)
in the home_server_pool auth_proxy_failover section, make sure that:
    type = fail-over (the default listing above already uses fail-over; if it was changed to load-balance, set it back)
Then restart the daemon with service eltex-radius restart.
As a result, when the connection between the servers fails, the service becomes available no later than 60 seconds after communication is re-established. Note that without a status check the home server is declared alive purely on the revive_interval timer: if it is still unreachable, the requests sent during each retry attempt time out until the next interval expires, so this is a trade-off rather than a free change.