Please document dynamic in proxy server section in proxy.conf

Alan DeKok aland at
Thu Mar 19 13:47:16 CET 2015

On Mar 19, 2015, at 2:57 AM, Stefan Winter <stefan.winter at> wrote:
>>  If two realms claim to be served by a server with IP address
>>, we don't want one of these realms to be able to overwrite
>>  the key for the other.  Either both keys will work for the same IP
>>  address, or someone is being dishonest, but it's important not to
>>  combine home servers in this instance just because they have the same
>>  IP and hostname
> That is, hostname and port? The same IP can run multiple servers on
> different ports with different keys. There's no dishonesty in any of that.

  No.  The problem is different.

  Let’s say we have a proxy which uses *one* list for home servers.  In that case, I can take *everyones* roaming down with a simple configuration.

1) I sign up for a roaming consortium, as

2) When proxies ask for my RADIUS server information, I give them *my* certificate, and the RADIUS IP / port for

3) a user logs into the proxy with, and gets the RADIUS server IP/port

4) the certificate presented for that IP/port is for, so the roaming will fail

  As a result, the home server TLS information *must* be kept separate for each realm.

  Alan DeKok.

More information about the Freeradius-Devel mailing list