The ‘raddb/realms’ file lists remote Radius servers that are allowed to communicate with the local Radius server (see section Proxying).
Each record consists of up to three fields, separated by whitespace. Two of them are mandatory. The fields are:
Specifies the name of the realm being defined, i.e. part of the login name after the ‘@’ symbol. There are three special forms of this field.
The name ‘NOREALM’ defines the empty realm, i.e. lines marked with this name will match user names without any realm suffix.
The name ‘DEFAULT’ defines the default realm (see section Realms). The lines with this realm name will match any user name, not matched by any other line in ‘raddb/realms’.
A comma-separated list of remote servers to which the requests for this realm should be forwarded. Each item in the list is:
    servername[:auth-port[:acct-port]]
Optional auth-port and acct-port are the authentication and accounting port numbers. If acct-port is omitted, it is computed as auth-port + 1. If auth-port is omitted, the default authentication port number is used.
The servers from this list are tried in turn until any of them replies or the list is exhausted, whichever occurs first. The timeout value and number of retries for each server are set via timeout and retry flags (see below).
There may be cases where you would wish a particular realm to be served by the server itself. It is tempting to write
    # Wrong!
    realm.name    localhost
however, this will not work. The special form of the server list is provided for this case. It is the word ‘LOCAL’. The correct configuration line for the above case will thus be:
    # Use this to declare a locally handled realm
    realm.name    LOCAL
The flags meaningful in ‘raddb/realms’ are
Boolean value. When set, enables case-insensitive comparison of realm names. For example, if a realm were defined as
    myrealm.net    remote.server.net:1812    ignorecase
then user name ‘user@MyREAlm.NeT’ will match this definition.
Boolean value. Controls whether the realm name should be stripped off the username before forwarding the request to the remote server. Setting strip enables stripping, setting nostrip disables it. Default is to always strip user names.
Set maximum number of concurrent logins allowed from this realm to the given value (num).
Number of seconds to wait for a reply from the remote server before retransmitting the request.
Number of attempts to connect to a server. If the server does not respond after the last attempt, the next server from the list is tried.
Proxy only authentication requests.
Proxy only accounting requests.
4.8.1 Example of ‘realms’ file
    # Realm           Remote server[:port]             flags
    #---------------- ---------------------            --------
    that.net          radius.that.net                  nostrip
    dom.ain           server.dom.ain:3000              strip,quota=20
    remote.net        srv1.remote.net,srv2.remote.net

    # Realm           Remote server[:port]             flags
    #---------------- ---------------------            --------
    NOREALM           radius.server.net
    that.net          radius.that.net                  nostrip
    dom.ain           server.dom.ain:3000              strip,quota=20
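The record format, port defaults and realm matching described above can be checked mechanically before a ‘realms’ file is deployed. The following is an added example, not part of the GNU Radius manual or code base; the function names, the sample records, the default port value 1812 and the choice of the last ‘@’ as the realm separator are assumptions made for the illustration.

```python
# Added example, not GNU Radius code: reads raddb/realms records as this page describes.
# Assumption: 1812 as the default auth port (the page does not give the number).
DEFAULT_AUTH_PORT = 1812
# Constructed sample in the page's format (not a real deployment).
SAMPLE = """\
NOREALM      radius.server.net
that.net     radius.that.net                nostrip
dom.ain      server.dom.ain:3000            strip,quota=20
myrealm.net  remote.server.net:1812:1850    ignorecase
corp.test    localhost
home.test    LOCAL
DEFAULT      srv1.remote.net,srv2.remote.net
"""

def parse_server(item, default_auth=DEFAULT_AUTH_PORT):
    """servername[:auth-port[:acct-port]] -> (host, auth, acct); acct defaults to auth + 1."""
    host, *ports = item.split(":")
    auth = int(ports[0]) if ports else default_auth
    acct = int(ports[1]) if len(ports) > 1 else auth + 1
    return host, auth, acct

def parse_realms(text):
    """Return one dict per record: realm, servers (None means LOCAL), flags, warnings."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or fewer than the two mandatory fields
        realm, server_list = fields[0], fields[1]
        flags = fields[2].split(",") if len(fields) > 2 else []
        servers = None if server_list == "LOCAL" else [
            parse_server(s) for s in server_list.split(",")]
        # The page's "Wrong!" case: a locally served realm must say LOCAL, not localhost.
        warnings = [f"{realm}: write LOCAL instead of {h}"
                    for h, _, _ in servers or [] if h == "localhost"]
        records.append(dict(realm=realm, servers=servers, flags=flags, warnings=warnings))
    return records

def match(records, username):
    """Record that applies to a login name (assumption: realm follows the last '@')."""
    _, at, realm = username.rpartition("@")
    for r in records:
        name, fold = r["realm"], "ignorecase" in r["flags"]
        if not at and name == "NOREALM":
            return r
        if at and name not in ("NOREALM", "DEFAULT") and (
                name == realm or (fold and name.lower() == realm.lower())):
            return r
    return next((r for r in records if r["realm"] == "DEFAULT"), None)
```

Running `match` over a list of representative login names shows which remote servers would receive each request, including everything that falls through to DEFAULT.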
This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.