radius
This backend sends RADIUS requests to external RADIUS servers. It supports two modes of operation:
- Proxying mode: Forwards the incoming RADIUS request to another RADIUS server. The proxy request and reply are derived from the original request context.
- Query mode: Sends independent RADIUS requests that you construct within the execution context. This allows issuing RADIUS requests from any protocol handler, not just RADIUS.
Server configuration
Both modes share the same server configuration. Define one or more target servers within the backend block.
Basic server configuration
backends {
radius "RADIUS_BACKEND" {
# Server selection strategy (optional)
# round-robin = distribute requests across healthy servers
# fallback = try next healthy server if first does not respond
# no-fallback = do not try next server if first does not respond
server-selection round-robin;
server "radius1.example.org" {
# RADIUS shared secret (required)
secret "ExampleSecret";
# Request timeout (supports duration units: ms, s, m, h)
timeout 7s;
# Number of times to retry a timed out request
retries 0;
# Enable periodical health detection
# status true;
# Maximum number of connections to open (optional)
#connections 16;
connect {
# Transport protocol: udp, tcp, or tls
protocol udp;
# Server IP address
ip 203.0.113.111;
# Alternatively, use hostname instead of ip
#host "radius1.example.org";
# Destination port
port 1812;
# Optional: socket buffer size in bytes
#buffer 1048576;
}
}
# Additional servers for redundancy
server "radius2.example.org" {
secret "ExampleSecret";
timeout 7s;
retries 0;
# status true; # default
connect {
protocol udp;
ip 203.0.113.112;
port 1812;
}
}
}
}
RadSec (RADIUS over TLS) server configuration
For TLS connections, add a tls block inside the connect block:
backends {
radius "RADSEC_BACKEND" {
server "radsec.example.org" {
secret "radsec";
timeout 60s;
retries 2;
status true;
connect {
protocol tls;
host "radsec.example.org";
port 2083;
tls {
# Client certificate for mutual TLS
certificate "RADSEC_CLIENT_CERT";
certificate_key "RADSEC_CLIENT_KEY";
# CA certificate to validate server
server_ca_certificate "RADSEC_SERVER_CA";
# Optional: custom certificate verification
@verification {
if any {
cert.subject_alt.dns != "radsec.example.org";
} then {
reject;
} else {
accept;
}
}
}
}
}
}
}
Proxying mode
In proxying mode, the backend forwards the incoming RADIUS request to the configured server. Use this mode when you want to relay requests to another RADIUS server.
Calling the proxy backend
Call the backend directly by name in a handler pipeline:
aaa {
policy "DEFAULT" {
handler "PROXY" {
@execute {
backend "RADIUS_BACKEND";
}
}
}
}
Modifying requests and replies
Use @pre-proxying and @post-proxying blocks within the backend configuration to filter or modify attributes:
backends {
radius "RADIUS_PROXY" {
# Modify request before sending to upstream server
@pre-proxying {
# Remove attributes from the proxy request
filter {
Tunnel-Type;
Tunnel-Medium-Type;
Tunnel-Private-Group-ID;
}
# Add or modify attributes
modify {
radiusproxy.request.attr.Operator-Name = "4EXAMPLE_COM:FI";
}
# Copy specific attributes from the original request
copy {
User-Name;
User-Password;
}
}
# Modify reply before returning to client
@post-proxying {
filter {
Tunnel-Type;
Tunnel-Medium-Type;
Tunnel-Private-Group-ID;
}
copy {
Reply-Message;
}
}
server "radius1.example.org" {
# ... server configuration ...
}
}
}
Logging proxy attributes
Use the bare radiusproxy.request.attrs and radiusproxy.reply.attrs accessors to log all proxy request or reply attributes as a JSON array of {name, value} objects. This is useful for logging all proxied attributes in @pre-proxying and @post-proxying hooks without enumerating each attribute individually.
backends {
radius "UPSTREAM" {
@pre-proxying {
copy {
User-Name;
User-Password;
Service-Type;
cisco-avpair;
}
log "PROXY_LOG" {
json {
"Request-Attributes" radiusproxy.request.attrs;
}
}
}
@post-proxying {
copy {
Class;
Cisco-AVPair;
}
log "PROXY_LOG" {
json {
"Reply-Attributes" radiusproxy.reply.attrs;
}
}
}
}
}
The logged JSON output contains all attributes as an array:
{
"Request-Attributes": [
{"name": "user-name", "value": "mikem"},
{"name": "service-type", "value": "framed-user"}
]
}
Server parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
secret | string | (required) | RADIUS shared secret |
timeout | duration | 3s | Request timeout |
retries | integer | 0 | Number of retry attempts for timed out requests |
status | boolean | true | Enable active health detection and automatic recovery |
nas_identifier | string | - | NAS-Identifier string included in outgoing Status-Server packets |
connections | integer | 16 | Maximum number of connections to open |
priority | integer | 0 | Server priority for fallback selection (lower = higher priority). When servers have equal priority, they are tried in alphabetical order by server name. |
Connect parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
protocol | enum | (required) | Transport protocol: udp, tcp, or tls |
ip | IP address | - | Server IP address (use either ip or host) |
host | string | - | Server hostname (use either ip or host) |
port | integer | 1812 | Destination port |
buffer | integer | - | Socket buffer size in bytes |
Backend parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
server-selection | enum | fallback | Server selection strategy: round-robin, fallback, or no-fallback |
Navigation