Difference between revisions of "Realm and proxy"

 
Latest revision as of 14:39, 16 April 2021

RADIUS > Settings > Realms/Proxys

It is possible to use imRAD as a proxy RADIUS server: instead of validating a user itself, it forwards the request to a remote RADIUS server (the "home server") and relays that server's answer[1].
The RADIUS realm module splits the User-Name attribute into a "user" portion and a "realm" portion. If the realm is found in the realm table, the module sets the control:Proxy-To-Realm attribute to the realm name, and the server then proxies the packet to that realm[2].
For example, if a User-Name attribute is received as test@domain.com, the "user" is "test" and the "realm" is "domain.com".

Realms point to home server pools, and home server pools point to home servers. Several realms can point to one pool, one pool can contain several home servers, and a home server can appear in more than one pool. A new proxy definition is therefore built in that order: first the home server pool, then the home servers that join it, then the realms that select the pool.


Home Server Pool

A home server pool is a group of home servers used for fail-over and load balancing. A pool with two home servers lets the local RADIUS server send the request to the second server when the first one is judged to have failed. Two pool types are available (FreeRADIUS also defines load-balance, client-port-balance and keyed-balance, but imRAD does not support them):

  • fail-over (default): the request is sent to the first live home server in the list. If that server is marked "dead", the second one is chosen, and so on.
  • client-balance: the home server is chosen by hashing the source IP address of the request packet, so requests from the same NAS keep going to the same home server. If that home server is down, the next one in the list is used, just as with fail-over.


Home Server

A home server is another RADIUS server to which proxied requests are sent; several home servers can be defined. Every item below is required.

  • Name: the name that distinguishes this home server from the others. Multibyte or non-ASCII characters (e.g. Korean, Japanese) are not allowed.
  • Type: which packets this home server receives. Ask the administrator of the remote server which one to use; auth and auth+acct are the usual choices.
      auth (default): Access-Request packets
      acct: Accounting-Request packets
      auth+acct: Access-Request packets at "port" and Accounting-Request packets at "port + 1"
  • IP Address: the IPv4 address of the home server (e.g. a.b.c.d). A subnet in a.b.c.d/bits form is not accepted.
  • Shared Secret: the secret used to "encrypt" and "sign" RADIUS packets between this server (the client in this exchange) and the home server. It can be any ASCII string up to 64 characters long; multibyte or non-ASCII characters (e.g. Korean, Japanese) are not allowed. The quotes are deliberate: RADIUS only feeds the secret into MD5 (the Request and Response Authenticators and the User-Password hiding), so a short or guessable secret can be recovered offline by anyone who captures the traffic. Use a long random secret, a different one per home server, and the same value on both sides.
  • Port: the port to which packets are sent. Usually 1812 for type "auth" and 1813 for type "acct"; for "auth+acct" enter 1812, since accounting goes to port + 1. Older servers may use 1645 and 1646; check with the administrator of the remote server.
  • Protocol: the transport protocol. The default is "udp"; "tcp" may also be selected, in which case TCP is used to talk to this home server. Most RADIUS servers use UDP.
  • Home Server Pool: the pool this home server joins. A home server must belong to a pool, and all home servers in one pool must be of the same type, i.e. all "auth", all "acct", or all "auth+acct"[3].
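The quoted "encrypt" and "sign" above deserve a closer look. The following Python is an added example, not imRAD or FreeRADIUS code: it builds an Access-Request the way RFC 2865 specifies, hides the User-Password with the MD5 keystream derived from the shared secret, computes the Response Authenticator the home server would return, verifies it the way the proxying server does, and then shows that a captured request/response pair is enough to test secret guesses offline. The secret, user name, password and candidate list are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first "previous block" is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the home server performs it (NUL padding removed)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(packet: bytes) -> dict:
    """Minimal attribute walk after the 20-byte header; a repeated type keeps the last value."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident: int, user_name: bytes, password: bytes, secret: bytes) -> bytes:
    authenticator = os.urandom(16)  # Request Authenticator: 16 unpredictable bytes
    body = encode_attrs([(ATTR_USER_NAME, user_name),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code: int, ident: int, body: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """What the home server sends back; the ID and Request Authenticator come from the request."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, request[1], body, request[4:20], secret)
    return struct.pack("!BBH", code, request[1], 20 + len(body)) + auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The proxying server's check: recompute the authenticator with its own copy of the secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def guess_secret(request: bytes, response: bytes, candidates):
    """Offline dictionary check: one captured request/response pair lets an observer test
    secret guesses without talking to either server, which is why a weak secret matters."""
    for candidate in candidates:
        if verify_response(response, request, candidate):
            return candidate
    return None
```

Message-Authenticator (HMAC-MD5, RFC 2869) is left out; it strengthens integrity but is keyed with the same shared secret, so it does not change the conclusion about weak secrets.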
Advanced

  • response_window: if the home server does not respond to a request within this time, the request is marked as timed out. The value can be between 0.001 and 60.000 seconds; values at the low end are discouraged, as they will likely not work because of operating-system timer limitations. The default is large because responses may be slow, especially when proxying across the Internet. Useful range: 5 to 60.
  • response_timeouts and zombie_period: after "response_timeouts" timed-out requests the home server is marked "zombie" and "zombie_period" starts; if the server still has not answered when the period expires, it is marked "dead" and stops receiving requests.
  • revive_interval: used ONLY if "status_check" is "none"; otherwise it is not used and should not be set. When it is used, a dead home server is marked alive again after this many seconds without any check, so the next requests sent to it may time out all over again. If "zombie_period" and "revive_interval" are both set small, up to 50% of authentications can fail this way. Enable status checks instead and do not rely on "revive_interval". Useful range: 10 to 3600.
  • status_check: the proxying server (i.e. this one) can send periodic status checks to see whether a dead home server has come back. If set to "none", the other items in this group are not used and "revive_interval" applies instead. If set to "status-server", Status-Server packets are sent; many RADIUS servers support Status-Server, and if a server does not, ask its vendor to add it. With status-server, a home server marked zombie is marked live again as soon as a Status-Server response arrives, which prevents spurious fail-overs in federations such as eduroam, where intermediary proxies may be working while the home institution's servers are not. If set to "request", Access-Request or Accounting-Request packets are sent, depending on the "type" entry above (auth/acct)[4].
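To make the pool types and the zombie/dead bookkeeping concrete, here is an added Python model of a pool; it is not imRAD or FreeRADIUS code. Timers are reduced to the behaviour the settings describe: a server becomes "zombie" after response_timeouts timed-out requests, "dead" after zombie_period, and comes back either on any reply (a Status-Server response included) or, when status_check is "none", blindly after revive_interval. The hash used for client-balance is an assumption (FreeRADIUS uses its own), as is the exact moment a zombie turns dead. hs-10, hs-11 and hsp-1 are the names from the footnote table; the other names and IP addresses are constructed.

```python
import hashlib
import ipaddress

ALIVE, ZOMBIE, DEAD = "alive", "zombie", "dead"


class HomeServer:
    """A proxied RADIUS server with the liveness states the Advanced settings describe."""

    def __init__(self, name, response_timeouts=1, zombie_period=40, revive_interval=120):
        self.name = name
        self.response_timeouts = response_timeouts  # timed-out requests before "zombie"
        self.zombie_period = zombie_period          # seconds in "zombie" before "dead"
        self.revive_interval = revive_interval      # blind revive, used only with status_check "none"
        self.state, self.timeouts, self.since = ALIVE, 0, 0.0

    def on_timeout(self, now):
        """A request to this server exceeded response_window without a reply."""
        self.timeouts += 1
        if self.state == ALIVE and self.timeouts >= self.response_timeouts:
            self.state, self.since = ZOMBIE, now

    def on_reply(self, now):
        """Any reply, including a Status-Server response, marks the server live immediately."""
        self.state, self.timeouts, self.since = ALIVE, 0, now

    def tick(self, now, status_check="status-server"):
        """Advance the timers: zombie -> dead after zombie_period; dead -> alive after
        revive_interval only when no status check is configured (the blind revive the page
        warns about: the next real requests may time out all over again)."""
        if self.state == ZOMBIE and now - self.since >= self.zombie_period:
            self.state, self.since = DEAD, now
        elif self.state == DEAD and status_check == "none" and now - self.since >= self.revive_interval:
            self.state, self.timeouts, self.since = ALIVE, 0, now


class HomeServerPool:
    """fail-over or client-balance selection over an ordered list of home servers."""

    def __init__(self, name, servers, pool_type="fail-over"):
        if pool_type not in ("fail-over", "client-balance"):
            raise ValueError("imRAD supports only fail-over and client-balance")
        self.name, self.servers, self.pool_type = name, list(servers), pool_type

    def choose(self, src_ip):
        """Return the home server that receives a request from src_ip, or None if none is alive."""
        count, start = len(self.servers), 0
        if self.pool_type == "client-balance":
            # Hash the packet's source address to a starting index (assumed hash; only the
            # "same client -> same server" property matters).
            digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
            start = int.from_bytes(digest[:4], "big") % count
        for offset in range(count):  # walk the list from the start index, skipping zombie/dead
            server = self.servers[(start + offset) % count]
            if server.state == ALIVE:
                return server
        return None


def failover_scenario():
    """hsp-1 (hs-10, hs-11): hs-10 fails, dies, is revived by a Status-Server reply, then both fail."""
    hs10 = HomeServer("hs-10", response_timeouts=2, zombie_period=40)
    hs11 = HomeServer("hs-11")
    pool = HomeServerPool("hsp-1", [hs10, hs11])
    log = [pool.choose("192.0.2.10").name]      # hs-10 is first in the list and alive
    hs10.on_timeout(now=1.0)                      # one timeout: still below response_timeouts
    log.append(pool.choose("192.0.2.10").name)
    hs10.on_timeout(now=2.0)                      # second timeout: hs-10 becomes zombie
    log.append(pool.choose("192.0.2.10").name)   # hs-11 takes over
    hs10.tick(now=50.0)                           # zombie_period elapsed: dead
    log.append(hs10.state)
    hs10.on_reply(now=51.0)                       # Status-Server response: live at once
    log.append(pool.choose("192.0.2.10").name)
    hs10.on_timeout(now=60.0)
    hs10.on_timeout(now=61.0)
    hs11.on_timeout(now=62.0)                     # hs-11 has response_timeouts=1
    log.append(pool.choose("192.0.2.10"))         # nothing alive: None, the request cannot be proxied
    return log


def blind_revive_scenario():
    """status_check "none" with a short revive_interval: the dead server returns unverified."""
    hs20 = HomeServer("hs-20", zombie_period=10, revive_interval=10)
    hs20.on_timeout(now=0.0)                      # zombie
    hs20.tick(now=10.0, status_check="none")      # dead
    hs20.tick(now=20.0, status_check="none")      # alive again with no evidence it recovered
    return hs20.state


def client_balance_scenario():
    """Same source IP always lands on the same server; a down server falls through to the next."""
    servers = [HomeServer(f"hs-{i}") for i in (40, 41, 42)]
    pool = HomeServerPool("hsp-cb", servers, "client-balance")
    first = pool.choose("198.51.100.7").name
    stable = all(pool.choose("198.51.100.7").name == first for _ in range(5))
    next(s for s in servers if s.name == first).state = DEAD
    fallback = pool.choose("198.51.100.7").name
    return first, stable, fallback
```

blind_revive_scenario is the failure mode behind the "up to 50% of authentications can fail" warning: with two servers and a blind revive, every request that lands on the revived server times out again until it is marked zombie once more.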


Realms

A realm maps the realm portion of the User-Name to a home server pool. The realm DEFAULT matches all realms (it is consulted after the specifically named realms); the realm NULL matches requests WITHOUT a realm. If the home server pool of a realm is set to LOCAL, matching requests are handled locally as usual, without being sent to a remote RADIUS server.

The following example shows how the proxy decides:
  • If the User-Name contains the realm "sales.example.com", the request is sent to a home server in the hsp-2 pool.
  • If the User-Name contains the realm "tech.example.com", the request is processed locally.
  • If the User-Name contains any other realm, DEFAULT applies and the request is processed locally.
  • If the User-Name contains no realm at all (e.g. hong), no realm matches and the request is processed locally.

  realm               Home server pool
  DEFAULT             LOCAL
  sales.example.com   hsp-2
  tech.example.com    LOCAL
Edit realm

  • Realm (required): the realm name. Multibyte or non-ASCII characters (e.g. Korean, Japanese) are not allowed. The name can also be "DEFAULT", which covers every realm that has no entry of its own.
  • Home Server Pool (required): choose one of the home server pools, or LOCAL to process matching requests on this server.
  • Realm specific NAS-ID (optional): if a NAS-ID is selected, only requests from that NAS are proxied through this realm.
  • nostrip (optional): by default the realm is stripped from the User-Name before the request is sent to the remote RADIUS server, so kim@sales.example.com arrives there as kim. With "nostrip" the @realm suffix is kept and the home server sees kim@sales.example.com[5].
  • regex (optional): select this to match the realm as a regular expression; matching is case-insensitive. A realm entered as "example.net" with regex set is stored as "~(.*\.)*example\.net$", so one entry covers example.net and all of its sub-domains (a.example.net, b.example.net, ...), which would otherwise each need their own realm entry. Every regex realm adds processing time to each request, so define as few of them as possible.
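The realm lookup described above, written out in Python as an added example (not imRAD or FreeRADIUS code). It uses the realm table from the example (DEFAULT to LOCAL, sales.example.com to hsp-2, tech.example.com to LOCAL) plus two assumed extra rows that exercise the remaining options on the form: a regex realm example.net to an assumed pool hsp-3, and a nostrip realm partner.example.org to an assumed pool hsp-4 restricted to the NAS-Identifier nas-dmz. The lookup order (exact realm, then regex realms, then DEFAULT; NULL only for names without a realm) follows the FreeRADIUS realm module; how a realm-specific NAS-ID falls through for requests from other NASes is an assumption.

```python
import re

LOCAL = "LOCAL"


class Realm:
    """One row of the realm table: realm name -> home server pool, plus the optional flags."""

    def __init__(self, name, pool, nostrip=False, regex=False, nas_id=None):
        self.name, self.pool, self.nostrip, self.nas_id = name, pool, nostrip, nas_id
        # A regex realm entered as "example.net" is stored as ~(.*\.)*example\.net$ and matched
        # case-insensitively, so it also covers every sub-domain (eu.example.net, a.b.example.net).
        self.pattern = re.compile(r"(.*\.)*" + re.escape(name) + r"$", re.IGNORECASE) if regex else None

    def matches(self, realm_part):
        if self.pattern is not None:
            return self.pattern.match(realm_part) is not None
        return self.name.lower() == realm_part.lower()


def split_user_name(user_name, delimiter="@"):
    """Split "user@realm"; the realm is whatever follows the LAST delimiter ("a@b@c" -> realm "c")."""
    if delimiter not in user_name:
        return user_name, None
    user, realm = user_name.rsplit(delimiter, 1)
    return user, realm


def route(user_name, realms, nas_identifier=None):
    """Return (pool, User-Name as the home server would receive it); pool LOCAL means no proxying.

    Exact realms are tried in table order, then regex realms, then DEFAULT. A name without a
    realm can only match NULL. A realm carrying a NAS-ID is skipped for requests from any other
    NAS (assumed fall-through). Without nostrip the forwarded User-Name is the stripped user part."""
    user, realm = split_user_name(user_name)
    if realm is None:
        candidates = [r for r in realms if r.name == "NULL"]
    else:
        named = [r for r in realms if r.name not in ("DEFAULT", "NULL")]
        candidates = ([r for r in named if r.pattern is None and r.matches(realm)]
                      + [r for r in named if r.pattern is not None and r.matches(realm)]
                      + [r for r in realms if r.name == "DEFAULT"])
    for entry in candidates:
        if entry.nas_id is not None and entry.nas_id != nas_identifier:
            continue
        if entry.pool == LOCAL:
            return LOCAL, user_name              # handled locally; nothing is forwarded
        return entry.pool, (user_name if entry.nostrip else user)
    return LOCAL, user_name                      # no realm matched: the realm module does nothing


# The page's example table plus two assumed rows (hsp-3, hsp-4, nas-dmz are constructed names).
EXAMPLE_REALMS = [
    Realm("DEFAULT", LOCAL),
    Realm("sales.example.com", "hsp-2"),
    Realm("tech.example.com", LOCAL),
    Realm("example.net", "hsp-3", regex=True),
    Realm("partner.example.org", "hsp-4", nostrip=True, nas_id="nas-dmz"),
]
```

Note that a regex realm anchored as ~(.*\.)*example\.net$ does not match "badexample.net" or "example.net.evil.com"; the added test cases below that point confirm the anchoring, which is exactly the property that stops a user from steering their request to the wrong home server by choosing a look-alike realm.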

References

  1. https://wiki.freeradius.org/config/Proxy
  2. https://networkradius.com/doc/3.0.10/raddb/mods-available/realm.html
  3. For example, the hsp-1 setting is fine, but hsp-2 and hsp-3 are not:
     hsp-1 (ok): hs-10 auth, hs-11 auth
     hsp-2 (not ok): hs-20 auth, hs-21 acct
     hsp-3 (not ok): hs-30 auth, hs-31 auth+acct
  4. https://github.com/enckse/freeradius/blob/master/proxy.conf
  5. https://wiki.freeradius.org/config/Proxy