[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]


Proxy RADIUS Configuration (.pro) File

For each proxy realm that you want to configure on the Steel-Belted Radius Carrier server, you must create a file called RealmName.pro, where RealmName is the name of the realm, and you must add this RealmName to the [Realms] section of the proxy.ini file.

NOTE: If you create or edit a RealmName.pro file, you can apply your configuration changes dynamically, without stopping the server.

Issue the HUP signal to the Steel-Belted Radius Carrier process.
kill -HUP ProcessID

After you do this, Steel-Belted Radius Carrier re-reads proxy.ini, filter.ini, and all .pro and .dir files in the server directory, and resets its realm configuration accordingly.

If you edit radius.ini while configuring a realm, you must stop and restart Steel-Belted Radius Carrier to load your new configuration.


[Auth] Section

The [Auth] section of a RealmName.pro file (Table 86) configures authentication for the proxy realm. The key parameters in these sections are:



Table 86: RealmName.pro [Auth] Syntax 
Parameter
Function

Enable

  • If set to 1, enables forwarding of authentication packets to the realm called RealmName.
  • If set to 0, the realm called RealmName is disabled for authentication.

Default value is 0.

FilterOut=name

The FilterOut=name parameter causes Steel-Belted Radius Carrier to apply the filtering rules found in the [name] section of filter.ini. These rules are applied while Steel-Belted Radius Carrier is processing the incoming RADIUS request packet, and before it directs the packet out to the destination realm. You may also think of this as filtering various attributes and values out of the request before directing it to the realm.

FilterIn=name

The FilterIn=name parameter causes Steel-Belted Radius Carrier to apply the filtering rules found in the [name] section of filter.ini. These rules are applied after Steel-Belted Radius Carrier has received a response in from the destination realm, and while it is preparing the RADIUS response packet for its client. You may also think of this as filtering various attributes and values in to the response before returning it to the client.

MessageAuthenticator

If set to 1, a Message-Authenticator is inserted into each request forwarded to any target server in the realm.

Default value is 0.

NOTE: Both the proxy and the target RADIUS server requires this functionality.

NumAttempts

The number of times a timeout may occur when attempting to contact servers within the realm, before a failure is declared and the attempts to forward the request are stopped.

Default value is 3.

RequestTimeout=x, y, z

A list of times, in seconds, to wait when attempting to contact a target server before timing out. The first value is the time to wait before the first timeout, and so on.

The number of items in the list should not exceed the NumAttempts setting. If NumAttempts is greater, the last number listed is reused for subsequent timeouts.

Default value is 5.

NOTE: You can specify RequestTimeout or RequestTimeoutMills, but not both.

RequestTimeoutMills=x, y, z

A list of times, in milliseconds, to wait when attempting to contact a target server before timing out. The first value is the time to wait before the first timeout, and so on.

The number of items in the list should not exceed the NumAttempts setting. If NumAttempts is greater, the last number listed is reused for subsequent timeouts.

NOTE: You can specify RequestTimeout or RequestTimeoutMills, but not both.

RoundRobin

Specifies the number of target servers that are participating in round-robin load balancing. The count begins from the top of the list in the [name] section identified by TargetsSection. Other listed targets are used only after the round-robin targets fail for a particular request.

Default value is 2.

StripRealm

  • If set to 1, strip the realm name from the username before forwarding.
  • If set to 0, name stripping is disabled.

NOTE: For proxy realms, realm name stripping is disabled (StripRealm = 0) by default. If you want to enable it, you must explicitly set StripRealm to 1.

TargetsSection=name

name identifies a section called [name] that appears elsewhere in the .pro file. This section lists all the targets in a proxy realm. When it receives a request for this proxy realm, Steel-Belted Radius Carrier selects a target from this list.

Having the TargetsSection setting available in the [Auth] and [Acct] sections permits you to name different target selection parameters for proxy RADIUS authentication and accounting.

Default value of name is AuthTargets, indicating the name of the section is [AuthTargets].

UseMasterDictionary

  • If set to yes, inbound proxy responses for this realm use the master Steel-Belted Radius Carrier dictionary when authentication attributes are filtered in.
  • If set to no, proxy responses for this realm use the client-specific dictionary when authentication attributes are filtered in.

Default value is yes.

NOTE: This value overrides the global setting configured in the UseMasterDictionary parameter in the proxy.ini file.


[Acct] Section

The [Acct] section of a RealmName.pro file (Table 87) configures accounting. The key parameters in these sections are:



Table 87: RealmName.pro [Acct] Syntax 
Parameter
Function

Enable

  • If set to 1, enables forwarding of accounting packets to the realm called RealmName.
  • If set to 0, the realm called RealmName is disabled for accounting.

Default value is 0.

Block

  • If set to 0, the Steel-Belted Radius Carrier server sends an accounting acknowledgement immediately (for example, after Steel-Belted Radius Carrier records an accounting message).
  • If set to 1, the Steel-Belted Radius Carrier server waits for a response from the target realm before sending an accounting acknowledgement.

Default value is 1.

NOTE: Set the Block parameter to 0 if your network access device is not able to deal with long acknowledgment delays to accounting requests gracefully.

FilterOut=name

The FilterOut=name parameter causes Steel-Belted Radius Carrier to apply the filtering rules found in the [name] section of filter.ini. These rules are applied while Steel-Belted Radius Carrier is processing the incoming RADIUS request packet, and before it directs the packet out to the destination realm. You may also think of this as filtering various attributes and values out of the request before directing it to the realm.

FilterIn=name

The FilterIn=name parameter causes Steel-Belted Radius Carrier to apply the filtering rules found in the [name] section of filter.ini. These rules are applied after Steel-Belted Radius Carrier has received a response in from the destination realm, and while it is preparing the RADIUS response packet for its client. You may also think of this as filtering various attributes and values in to the response before returning it to the client.

NumAttempts

Specifies the number of times a timeout may occur when attempting to contact servers within the realm, before a failure is declared and the attempts are stopped.

Default value is 3.

RecordLocally

  • If set to 1, log the packet locally before forwarding.
  • If set to 0, forward the packet and do not log locally.

Default value is 1.

RequestTimeout=x, y, z

A list of times, in seconds, to wait when attempting to contact a target server before timing out. The first value is the time to wait before the first timeout, and so on.

The number of items in the list should not exceed the NumAttempts setting. If NumAttempts is greater, the last number listed is reused for subsequent timeouts.

NOTE: You can specify RequestTimeout or RequestTimeoutMills, but not both.

RequestTimeoutMills=x, y, z

A list of times, in milliseconds, to wait when attempting to contact a target server before timing out. The first value is the time to wait before the first timeout, and so on.

The number of items in the list should not exceed the NumAttempts setting. If NumAttempts is greater, the last number listed is reused for subsequent timeouts.

NOTE: You can specify RequestTimeout or RequestTimeoutMills, but not both.

RoundRobin

Specifies the number of target servers that are participating in "round-robin" load balancing. The count begins from the top of the list in the [name] section identified by TargetsSection. Other listed targets are only used after the round-robin targets fail for a particular request.

Default value is 1.

StaticAcctRealms

If a setting is supplied for this parameter, accounting packets are forwarded to a list of realms. The setting given must be a section name defined in the proxyrl.ini file that lists the realms to which the accounting packets are forwarded.

See Proxyrl.ini File.

StripRealm=n

  • If set to 1, strip the realm name from the username before forwarding.
  • If set to 0, name stripping is disabled.

Default value is 0.

NOTE: For proxy realms, realm name stripping is disabled (StripRealm = 0) by default. If you want to enable it, you must explicitly set StripRealm to 1.

TargetsSection=name

name identifies a section called [name] that appears elsewhere in the .pro file. This section lists all the targets in a proxy realm. When it receives a request for this proxy realm, Steel-Belted Radius Carrier selects a target from this list.

Having the TargetsSection parameter available in the [Auth] and [Acct] sections permits you to name different target selection parameters for proxy RADIUS authentication and accounting.

The default value of name is AcctTargets; in which case the name of the section is [AcctTargets].

UseMasterDictionary

  • If set to yes, inbound proxy responses for this realm use the master Steel-Belted Radius Carrier dictionary when accounting attributes are filtered in.
  • If set to no, proxy responses for this realm use the client-specific dictionary when accounting attributes are filtered in.

Default value is yes.

NOTE: This value overrides the global setting configured in the UseMasterDictionary parameter in the proxy.ini file.


[AutoStop] Section

The [AutoStop] section of a realm configuration file permits you to activate the Proxy AutoStop feature. When this feature is enabled, an AutoStop request is automatically recorded and associated with the session in the current sessions database when the initial Accounting-Start message is received. This AutoStop message may be used later to simulate an Accounting-Stop message which is fed back into the request processing engine, causing it to be forwarded to the appropriate realms and for the normal processes of ending the user session to be enacted.

NOTE: As the AutoStop record is generated when the session begins, it is simply a duplicate of the original Start request and does not have access to information about the lifetime of the user's actual activity.



NOTE: AutoStop records are not saved on persistent storage: this means that if Steel-Belted Radius Carrier is restarted, this information is lost and hence Accounting-Stop messages cannot be simulated for these user sessions.




Table 88: RealmName.pro [AutoStop] Syntax 
Parameter
Function

Enable

Set to 0 to disable AutoStop for the current realm.

Set to 1 to enable AutoStop for the current realm.

Default value is 0.


Table 89 lists the parameters in other configuration files you must enable (set to 1) for AutoStop to operate.



Table 89: AutoStop Configuration Requirements
File
Section
Parameter

RealmName.pro

[Acct]

Enable

RealmName.pro

[Acct]

RecordLocally

radius.ini

[Configuration]

AcctAutoStopEnable


[Called-Station-ID] Section

The [Called-Station-ID] section of a RealmName.pro file allows the target realm to be selected based on DNIS. The [Called-Station-ID] section lists each DNIS string that identifies the realm. If this string is found in the Called-Station-Id attribute of an incoming RADIUS request, the request is assumed to be addressed to this realm.

The syntax is:

[Called-Station-ID]
String
String
M

where String is a DNIS string.

For example:

[Called-Station-ID]
8005551212
8005551213
6175551212

You can also use wildcards, as in the following example:

[Called-Station-ID]
800*
508*

Target Selection Rules

Each [name] section of a RealmName.pro file specifies a set of rules that Steel-Belted Radius Carrier can use to select a target for proxy-forwarding within the proxy realm. Each [name] section consists of a list of target servers. For any particular request, if the first listed server fails to respond (or is presumed down), the other servers are tried in the order listed. A [name] section is activated by referencing it from the [Auth] and [Acct] sections.



Table 90: Proxy Realm Target Selection 
To activate...
Use...

a [name] section for authentication

TargetName=name in the [Auth] section

the same [name] section for accounting

TargetName=name in the [Acct] section

some [other] section for accounting

TargetName=other in the [Acct] section


The full syntax is:

[Auth]
TargetsSection=nameB

[Acct]
TargetsSection=nameA

[nameA]
Server = n
Server = n
M

[nameB]
Server = n
Server = n
M

where Server is the name of a server configured as a target for standard proxy RADIUS forwarding, and n is explained in the next section.

Server must match a Proxy entry in the Steel-Belted Radius Carrier database. This Proxy entry provides the address and shared secret for the target server. All other settings in the Proxy entry (retry policy, proxy accounting) are overridden by the settings that you configure in the RealmName.pro file.

NOTE: If your server has multiple interface cards, you may add a parameter referring to the interface to each line to order the outgoing proxy traffic for the realm through a particular interface. See [Interfaces] Section.


Round-Robin Load Balancing

If you have multiple target servers in a realm, you can select whether to use them in round-robin fashion (load balancing), primary/backup fashion, or a combination of both. The value of the RoundRobin entry in the [Auth] or [Acct] section indicates the number of targets that are to be used in round-robin fashion. The count begins from the top of list in the [name] section. Other listed targets are used only if the round-robin targets fail for a particular request. If RoundRobin is 0 or 1, all requests are routed to the first target in the [name] list, assuming that it is up, the others are tried in the order listed.

If RoundRobin is 2 or greater (say, n), each request is routed to a different target server, in rotation among the first n listed targets. Requests are then load- balanced evenly among those targets. For any particular request, if one target fails to respond, other targets are attempted. The round-robin targets are tried first; if they all fail to respond, any additional targets are then tried in the order in which they appear in the list.

In the following example, RoundRobin is 3. Under normal circumstances, requests are balanced in round-robin fashion among the first three targets. The first request goes to Bert; the next goes to Ernie; the next to George; the next to Bert; the next to Ernie; the next to George; and so on. If any of these servers go down at some point, the other two are tried, in list order. The fourth target (Mary) receives requests only when other targets are down.

[Auth]
RoundRobin=3
NumAttempts=8
TargetsSection=Targets

[Targets]
Bert=1
Ernie=1
George=1
Mary=5

Selecting a Backup Server

If RoundRobin is set to 0, Steel-Belted Radius Carrier makes a selection from the other servers in the list only if the primary server is down.

For example:

[Auth]
RoundRobin=0
NumAttempts=8
TargetsSection=Targets

[Targets]
Bert=1
Ernie=1


In this case, Bert is used until there is a problem; then Ernie becomes the server of second choice.

Realm Retry Policy

Each target selection rule in the [name] section permits you to name a target and assign it a numeric value:

[name]
Server = n
Server = n
M

The n setting indicates the number of times to retry requests to this target server when no response is received within the amount of time set by RequestTimeout in the [Auth] or [Acct] section.

The number of attempts to all servers within the entire realm is given by the NumAttempts value in the [Auth] or [Acct] section. For example, the NumAttempts is 8 and there are three target servers, each with n set to 3:

[Auth]
NumAttempts=8
TargetsSection=Targets

[Targets]
Bert=3
Ernie=3
George=3


All three servers are down when a request comes into the realm. The first target (Bert) is tried 3 times; then the second target (Ernie) is tried 3 times; and the third target (George) is tried 2 times. At this point, the number of tries to all servers in the realm is 8, which equals NumAttempts. Steel-Belted Radius Carrier returns a failure response from the realm.

NOTE: A third attempt to George will not be made unless you edited the RealmName.pro file, increased NumAttempts to 9, and reloaded Steel-Belted Radius Carrier.


[FastFail] Section

The [FastFail] section of a realm configuration file permits you to fine-tune retry policies for individual realms, and for specific targets within a realm. If you provide a [FastFail] section, the ProxyFastFail parameter in the radius.ini [Configuration] section is ignored.



Table 91: RealmName.pro [FastFail] Syntax 
Parameter
Function

MinFailures=x

MinSeconds=y

These parameters define a tolerance level for failures to reach a target server within a realm. Failures are judged according to the NumAttempts and RequestTimeout settings that you defined in the [Auth] or [Acct] sections.

A target is presumed down and is assigned that statue after x consecutive failures have occurred and at least y seconds have elapsed.

Once a target is presumed down, Steel-Belted Radius Carrier directs proxy requests to another target in the same realm, if available. It does not wait for responses from the failed target.

However, it sends strobe requests periodically to the failed target to detect when that server comes back up. Once a response is received to one of these strobe requests, that server is no longer presumed down.

NOTE: Strobe requests are sent to the failing target server only if there are proxy requests addressed to its realm.

ResetSeconds=z

Once the realm's tolerance level is exceeded, this parameter specifies how long a target may be presumed down.

The ResetSeconds value indicates the maximum number of seconds during which a server can be presumed down in the absence of strobe requests. If z seconds elapse with no strobe requests sent to the down server, the server is reset to up.

The status of a target that is presumed down is reset to up when one of the following occurs:

  • A response to a strobe request is received from the server.
  • There has been no request sent to the server for z seconds.

[ModifyUser] Section

The [ModifyUser] section of a realm configuration file permits you to decorate a realm, where the realm is determined by other means, such as DNIS or attribute mapping.

This is used mainly to enhance directed realms. For example, the following two users are in the database: george@gm and george@ford. Either user can log in as george, as Steel-Belted Radius Carrier would determine the realm, for example, by DNIS. Based on the realm, Steel-Belted Radius Carrier would append either @gm or @ford to the user name, and then use the Native User directed method to authenticate.

This methodology can also be used in a double-proxy situation. The first proxy uses DNIS to determine a realm, then decorates the name and forwards it to the next hop server. This second proxy (which may be a legacy RADIUS server that does not understand DNIS) can then handle realms based on the name decoration.



Table 92: RealmName.pro [ModifyUser] Syntax
Parameter
Function

AddPrefix=prefix

AddSuffix=suffix

These parameters define the User-Name prefix and suffix.


[SpooledAccounting] Section

Proxy spooling is configured within the [SpooledAccounting] section of a RealmName.pro file.

[SpooledAccounting]
Enable=1
RolloverSeconds=600
RolloverSize=1048576
Directory=./all_acct_data
RetryInterval=60
ShutdownDelay=20



Table 93: RealmName.pro [SpooledAccounting] Syntax 
Parameter
Function

Enable

  • If set to 1, proxy spooling is enabled.
  • If set to 0, proxy spooling is disabled.

Default value is 0.

RolloverSeconds

Specifies the rollover interval in seconds. After the interval elapses, the current spool file is closed and a new one is created.

Default value is 600 (10 minutes.)

RolloverSize

Specifies the rollover file size limit in bytes. After the file size exceeds this limit, the current spool file is closed and a new one is created.

If both RolloverSeconds and RolloverSize are set, the first parameter that exceeds its limit initiates rollover.

Default value is 1,048,576 bytes (1 megabyte).

Directory

Specifies the directory where the spool (.psf) files are stored. The directory must be manually created in the RADIUS service directory.

Default value is .\RealmName

NOTE: Each realm must have its own directory for spool files. Otherwise, packets for multiple realms would be interspersed and a problem in one realm can prevent subsequent packets to other realms from being forwarded.

RetryInterval

Specifies the interval in seconds prior to retrying a proxy request if the target system (the downstream server where accounting data for this realm is sent) is down.

Default value is 60.

ShutdownDelay

Specifies the amount of time (given as the number of seconds) prior to the execution of a shutdown request during which the final undelivered spooled packets in the spool file can be sent to their target. This value should reflect the amount of accounting data normally received for this realm and other network conditions that may have an impact on the delay.

If the target system is down when Steel-Belted Radius Carrier shuts down, this setting is not applied, and unspooling terminates immediately (and Steel-Belted Radius Carrier shuts down immediately). Upon restart, unspooling of accounting data restarts from the beginning of the oldest spool file.

Default value is 20.



NOTE: Do not enable proxy spooling for realms that are not enabled for accounting.

Retry Sequence

If Steel-Belted Radius Carrier receives an accounting packet for a realm, and the target system is down, Steel-Belted Radius Carrier implements the RealmName.pro retry configuration, as in the following example:

[Acct]
RequestTimeout=5, 3, 5
NumAttempts=3

In this example, Steel-Belted Radius Carrier attempts to proxy forward the accounting packet to the target IP address, as it would in a non-SpooledAccounting scenario. Three attempts are made; the first waits for five seconds before timing out, the second three seconds, and the third five seconds.

If there is still no response from the target after three attempts, the RetryInterval in the [SpooledAccounting] section is applied. If RetryInterval equals 60, then five seconds after the last unsuccessful NumAttempts is completed, Steel-Belted Radius Carrier waits another sixty seconds and then attempts the entire retry policy again.


[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]