From: Alan T. DeKok Date: Wed, 11 Feb 2026 13:46:25 +0000 (-0500) Subject: update now that we have a home_server_pool example. X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08536d866feede3bc4dc9e6b2f84aa35ef75bfcd;p=thirdparty%2Ffreeradius-server.git update now that we have a home_server_pool example. --- diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc index 79ea9dcbd19..b3a77892bc8 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc @@ -17,18 +17,16 @@ It can be called from another virtual server via the `call` keyword: For server pools with load-balancing, fail-over, etc., you can just use the `load-balance` and `redundant` keywords. Those sections should then include multiple `radius` modules, one for each home -server. +server. See xref:reference:raddb/mods-available/home_server_pool.adoc[mods-available/home_server_pool] for an example of +how to convert a v3 `home_server` and `home_server_pool` +configuration to v4. -You can also create virtual modules in `mods-enabled/`, simply by -giving the `load-balance` section a name. See the keyword -documentation for `load-balance` for more details. - -See also the proxy upgrade documentation for examples. +See also the proxy upgrade documentation for more examples of +upgrading from v3 to v4: xref:howto:upgrade/proxy.adoc[proxy] - ``` server proxy { namespace = radius @@ -54,12 +52,19 @@ recv Access-Request { Rewrite the Access-Request before it gets sent to the home server +``` + Auth-Type := ::proxy +} + +authenticate proxy { +``` This is where you decide which home server the packet is -proxied to. +proxied to. See xref:reference:raddb/mods-available/home_server_pool.adoc[mods-available/home_server_pool] for an +example of the `pool1` module configuration. ``` -# radius +# pool1 } ``` 
@@ -100,8 +105,16 @@ recv Accounting-Request { As the last thing in the section, proxy it. - radius +Unlike `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets, there is no `Acct-Type = +proxy`. There are sections like `accounting start {...}`, but +those sections are called based on the `link:https://freeradius.org/rfc/rfc2866.html#Acct-Status-Type[Acct-Status-Type]` +attribute in the request. + +As a result, the `pool1` virtual module has to be listed in +this section. + ``` +# pool1 } ``` @@ -127,7 +140,11 @@ CoA-ACK`, etc. finally { ``` -Remove all Proxy-State attributes from the response +Remove all `link:https://freeradius.org/rfc/rfc2865.html#Proxy-State[Proxy-State]` attributes from the response. + +The `link:https://freeradius.org/rfc/rfc2865.html#Proxy-State[Proxy-State]` attributes we get from the home server +are specific to the link between the proxy and the home +server. They must not be sent back to the client. ``` reply -= Proxy-State[*] diff --git a/raddb/sites-available/proxy b/raddb/sites-available/proxy index 18e258998cf..726cc7419c0 100644 --- a/raddb/sites-available/proxy +++ b/raddb/sites-available/proxy 
@@ -17,16 +17,14 @@ # For server pools with load-balancing, fail-over, etc., you can just # use the `load-balance` and `redundant` keywords. Those sections # should then include multiple `radius` modules, one for each home -# server. +# server. See `mods-available/home_server_pool` for an example of +# how to convert a v3 `home_server` and `home_server_pool` +# configuration to v4. # -# You can also create virtual modules in `mods-enabled/`, simply by -# giving the `load-balance` section a name. See the keyword -# documentation for `load-balance` for more details. -# -# See also the proxy upgrade documentation for examples. +# See also the proxy upgrade documentation for more examples of +# upgrading from v3 to v4: # doc/antora/modules/howto/pages/upgrade/proxy.adoc # -# # $Id$ # ###################################################################### @@ -52,11 +50,16 @@ recv Access-Request { # Rewrite the Access-Request before it gets sent to the home server # + Auth-Type := ::proxy +} + +authenticate proxy { # # This is where you decide which home server the packet is - # proxied to. + # proxied to. See `mods-available/home_server_pool` for an + # example of the `pool1` module configuration. # -# radius +# pool1 } @@ -86,10 +89,18 @@ send Access-Challenge { # recv Accounting-Request { - # - # As the last thing in the section, proxy it. - # -# radius + # + # As the last thing in the section, proxy it. + # + # Unlike `Access-Request` packets, there is no `Acct-Type = + # proxy`. There are sections like `accounting start {...}`, but + # those sections are called based on the `Acct-Status-Type` + # attribute in the request. + # + # As a result, the `pool1` virtual module has to be listed in + # this section. + # +# pool1 } # 
@@ -110,7 +121,11 @@ send Accounting-Response { # finally { # - # Remove all Proxy-State attributes from the response + # Remove all `Proxy-State` attributes from the response. + # + # The `Proxy-State` attributes we get from the home server + # are specific to the link between the proxy and the home + # server. They must not be sent back to the client. # reply -= Proxy-State[*]
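
Review bot: in the header-comment hunks (`@@ -17,16 +17,14 @@` in `raddb/sites-available/proxy`, `@@ -17,18 +17,16 @@` in `proxy.adoc`), deleting the paragraph "You can also create virtual modules in `mods-enabled/`, simply by giving the `load-balance` section a name" removes the only explanation of the term in this file, while the later hunks go on to refer to "the `pool1` virtual module". Keep one sentence saying that a named `load-balance` or `redundant` section becomes a virtual module, and that `mods-available/home_server_pool` is where `pool1` is defined. In the raddb version the upgrade pointer is the source-tree path `doc/antora/modules/howto/pages/upgrade/proxy.adoc`, which a reader of the installed file may not have; naming the document rather than the path would be more robust.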
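
Review bot: in the `recv Access-Request` hunks (`@@ -52,11 +50,16 @@` in `raddb/sites-available/proxy`, `@@ -54,12 +52,19 @@` in `proxy.adoc`), `Auth-Type := ::proxy` and `authenticate proxy {` are added as live configuration, but the only statement in the new section, `# pool1`, stays commented out, so the section body is empty as shipped. The comment should say that `pool1` has to be uncommented once the pool module is enabled. The new `Auth-Type := ::proxy` line also needs a comment of its own explaining that it is what selects `authenticate proxy`; at present it sits directly under "Rewrite the Access-Request before it gets sent to the home server", which describes something else.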
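
Review bot: in the `recv Accounting-Request` hunks (`@@ -86,10 +89,18 @@` in `raddb/sites-available/proxy`, `@@ -100,8 +105,16 @@` in `proxy.adoc`), the new text writes `Acct-Type = proxy` while the Access-Request section it is contrasted with uses `Auth-Type := ::proxy`. Use the same operator and `::` prefix in both places so the parallel is obvious, for example "there is no `Acct-Type := ::proxy`". The sentence "the `pool1` virtual module has to be listed in this section" is followed by a commented-out `# pool1`, so it should also tell the reader to uncomment that line.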
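
Review bot: in the `finally` hunks (`@@ -110,7 +121,11 @@` in `raddb/sites-available/proxy`, `@@ -127,7 +140,11 @@` in `proxy.adoc`), the new comment explains why the home server's `Proxy-State` must not reach the client, but `reply -= Proxy-State[*]` removes every instance, and RFC 2865 requires `Proxy-State` attributes received in a request to be returned unmodified in the response. Add a sentence stating whether any `Proxy-State` sent by the client is placed in the reply after this point, so the reader does not conclude that the client's own values are dropped as well.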