--- /dev/null
+#
+# proxy.conf - proxy radius and realm configuration directives
+#
+# This file is included by default. To disable it, you will need
+# to modify the PROXY CONFIGURATION section of "radiusd.conf".
+#
+#######################################################################
+#
+# Proxy server configuration
+#
+# This entry controls the servers behaviour towards ALL other servers
+# to which it sends proxy requests.
+#
+proxy server {
+
+#
+# If the NAS re-sends the request to us, we can immediately re-send
+# the proxy request to the end server. To do so, use 'yes' here.
+#
+# If this is set to 'no', then we send the retries on our own schedule,
+# and ignore any duplicate NAS requests.
+#
+# If you want to have the server send proxy retries ONLY when the NAS
+# sends it's retries to the server, then set this to 'yes', and
+# set the other proxy configuration parameters to 0 (zero).
+#
+# Additionally, if you want 'failover' to work, the server must manage
+# retries and timeouts. Therefore, if this is set to yes, then no
+# failover functionality is possible.
+#
+ synchronous = no
+
+#
+# The time (in seconds) to wait for a response from the proxy, before
+# re-sending the proxied request.
+#
+# If this time is set too high, then the NAS may re-send the request,
+# or it may give up entirely, and reject the user.
+#
+# If it is set too low, then the RADIUS server which receives the proxy
+# request will get kicked unnecessarily.
+#
+ retry_delay = 5
+
+#
+# The number of retries to send before giving up, and sending a reject
+# message to the NAS.
+#
+ retry_count = 3
+
+#
+# If the home server does not respond to any of the multiple retries,
+# then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
+#
+# If there are multiple entries configured for this realm, then the
+# server will fail-over to the next one listed. If no more are listed,
+# then no requests will be proxied to that realm.
+#
+#
+# After a configurable 'dead_time', in seconds, FreeRADIUS will
+# speculatively mark the home server active, and start sending requests
+# to it again.
+#
+# If this dead time is set too low, then you will lose requests,
+# as FreeRADIUS will quickly switch back to the home server, even if
+# it isn't up again.
+#
+# If this dead time is set too high, then FreeRADIUS may take too long
+# to switch back to the primary home server.
+#
+# Realistic values for this number are in the range of minutes to hours.
+# (60 to 3600)
+#
+ dead_time = 120
+
+# An ldflag attribute for all realms to be included in a round-robin
+# setup must be specified, and that ldflag must be the same for all
+# realms of the same name.
+# Currently (0 or fail_over) and (1 or round_robin) are the
+# supported values for ldflag. Fail over is the default setup.
+#
+# DO NOT INCLUDE LOCAL AUTH/ACCT HOST REALMS IN A ROUND-ROBIN QUEUE.
+
+
+#
+# If all exact matching realms did not respond, we can try the
+# DEFAULT realm, too. This is what the server normally does.
+#
+# This behaviour may be undesired for some cases. e.g. You are proxying
+# for two different ISP's, and then act as a general dial-up for Gric.
+# If one of the first two ISP's has their RADIUS server go down, you do
+# NOT want to proxy those requests to GRIC. Instead, you probably want
+# to just drop the requests on the floor. In that case, set this value
+# to 'no'.
+#
+# allowed values: {yes, no}
+#
+ default_fallback = yes
+
+#
+# Older versions of the server would pass proxy requests through the
+# 'authorize' sections twice; once when the packet was received
+# from the NAS, and again after the reply was received from the home
+# server. Now that we have a 'post_proxy' section, the replies from
+# the home server should be sent through that, instead of through
+# the 'authorize' section again.
+#
+# However, for backwards compatibility, this behaviour is configurable.
+# The default configuration is 'no', because this option is deprecated
+# and will be removed in the future.
+#
+# allowed values: {yes, no}
+#
+ post_proxy_authorize = no
+
+}
+
+#######################################################################
+#
+# Configuration for the proxy realms.
+#
+# The information given here is used in conjunction with the 'realms'
+# file. This format is preferred, as it is more flexible. The realms
+# listed here take priority over those listed in the 'realms' file.
+
+# A standard realm entry. A request from "user@company.com" will be
+# sent to radius.company.com as "user", unless the 'nostrip'
+# configuration item is specified. If the 'nostrip' configuration
+# item is specified, then the request will be proxied as
+# "user@company.com"
+#
+#realm company.com {
+# type = radius
+# authhost = radius.company.com:1600
+# accthost = radius.company.com:1601
+# secret = testing123
+#}
+
+# A realm entry with an optional fail-over realm. A request from
+# "user@isp2.com" will be sent to radius.isp2.com as "user@isp2.com",
+# because the 'nostrip' directive is specified for this realm.
+#
+#realm isp2.com {
+# type = radius
+# authhost = radius.isp2.com:1645
+# accthost = radius.isp2.com:1646
+# secret = TheirKey
+# nostrip
+#}
+#
+# The fail-over realm for isp2.com
+#
+#realm isp2.com {
+# type = radius
+# authhost = radius2.isp2.com:1645
+# accthost = radius2.isp2.com:1646
+# secret = TheirKey2
+# nostrip
+#}
+
+#
+# 1st node serv.com...set up for round-robin.
+#
+# The load balancing 'ldflag' attribute can be used to perform
+# load balancing. Allowed values are 'fail_over' and 'round_robin'.
+#
+# If there is no ldflag attribute, or it is set to 'fail_over', then
+# the realms are treated as "fail-over". That is, the first matching
+# realm is used, unless it is down, in which case the realm "fails
+# over" to the second matching realm. The process continues until an
+# active matching realm is found, OR the DEFAULT realm is returned.
+#
+# If the ldflag attribute is set to 'round_robin', then all active
+# realms of the same name are put into a pool internally in the
+# server, and the proxied requests are evenly divided among the
+# realms in the pool. For this to work, all realms of the same name
+# MUST have the same value of their 'ldflag' attributes. Mixing up
+# different types of load balancing schemes for the same realm will
+# cause problems.
+#
+# The round_robin load balancing method is a probabilistic method
+# which evenly scatters the requests among the home servers.
+#
+# Note that you CANNOT include local auth/acct host realms in a
+# round-robin queue. Having a server load balance requests to itself
+# doesn't make any sense, as it only doubles the amount of work
+# which is needed to be done.
+#
+#realm serv.com {
+# type = radius
+# authhost = radius.serv.com:1645
+# accthost = radius.serv.com:1646
+# secret = TheirKey
+# ldflag = round_robin
+# nostrip
+#}
+
+#
+# Another node for serv.com
+#
+#realm serv.com {
+# type = radius
+# authhost = radius2.serv.com:1645
+# accthost = radius2.serv.com:1646
+# secret = TheirKey2
+# ldflag = round_robin
+# nostrip
+#}
+
+#
+# A third round-robin node realm for serv.com
+#
+#realm serv.com {
+# type = radius
+# authhost = radius3.serv.com:1645
+# accthost = radius3.serv.com:1646
+# secret = TheirKey2
+# ldflag = round_robin
+# nostrip
+#}
+#
+#
+
+#
+# This is a local realm. The requests are NOT proxied,
+# but instead are authenticated by the RADIUS server itself.
+#
+# You don't need a secret if BOTH 'authhost' and 'accthost' are
+# set to LOCAL.
+#
+#realm bla.com {
+# type = radius
+# authhost = LOCAL
+# accthost = LOCAL
+#}
+
+#
+# This is a sample entry for iPass.
+#
+#realm IPASS {
+# type = radius
+# authhost = ipass.server.hostname:11812
+# accthost = ipass.server.hostname:11813
+#
+ # The shared secret here must be the same
+ # value as the secret of the NetServer found in the
+ # /usr/ipass/raddb/clients file of your NetServer software.
+# secret = mysecret
+# nostrip
+#}
+
+#
+# This realm is used mainly to cancel proxying. You can have
+# the "realm suffix" module configured to proxy all requests for
+# a realm, and then later cancel the proxying, based on other
+# configuration.
+#
+# For example, you want to terminate PEAP or EAP-TTLS locally,
+# you can add the following to the "users" file:
+#
+# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
+#
+realm LOCAL {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
+
+#
+# This realm is for requests which don't have an explicit realm
+# prefix or suffix. User names like "bob" will match this one.
+#
+#realm NULL {
+# type = radius
+# authhost = radius.company.com:1600
+# accthost = radius.company.com:1601
+# secret = testing123
+#}
+
+#
+# This realm is for ALL OTHER requests.
+#
+#realm DEFAULT {
+# type = radius
+# authhost = radius.company.com:1600
+# accthost = radius.company.com:1601
+# secret = testing123
+#}