xref: /freebsd/lib/libradius/radius.conf.5 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1.\" Copyright 1998 Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd October 30, 1999
28.Dt RADIUS.CONF 5
29.Os
30.Sh NAME
31.Nm radius.conf
32.Nd RADIUS client configuration file
33.Sh SYNOPSIS
34.Pa /etc/radius.conf
35.Sh DESCRIPTION
36.Nm
37contains the information necessary to configure the RADIUS client
38library.
39It is parsed by
40.Xr rad_config 3 .
41The file contains one or more lines of text, each describing a
42single RADIUS server which will be used by the library.
43Leading
44white space is ignored, as are empty lines and lines containing
45only comments.
46.Pp
47A RADIUS server is described by three to five fields on a line:
48.Pp
49.Bl -item -offset indent -compact
50.It
51Service type
52.It
53Server host
54.It
55Shared secret
56.It
57Timeout
58.It
59Retries
60.El
61.Pp
62The fields are separated by white space.
63The
64.Ql #
65character at the beginning of a field begins a comment, which extends
66to the end of the line.
67A field may be enclosed in double quotes,
68in which case it may contain white space and/or begin with the
69.Ql #
70character.
71Within a quoted string, the double quote character can
72be represented by
73.Ql \e\&" ,
74and the backslash can be represented by
75.Ql \e\e .
76No other escape sequences are supported.
77.Pp
78.Pp
79The first field gives the service type, either
80.Ql auth
81for RADIUS authentication or
82.Ql acct
83for RADIUS accounting.
84If a single server provides both services, two
85lines are required in the file.
86Earlier versions of this file did
87not include a service type.
88For backward compatibility, if the first
89field is not
90.Ql auth
91or
92.Ql acct
93the library behaves as if
94.Ql auth
95were specified, and interprets the fields in the line as if they
96were fields two through five.
97.Pp
98The second field specifies
99the server host, either as a fully qualified domain name or as a
100dotted-quad IP address.
101The host may optionally be followed by a
102.Ql \&:
103and a numeric port number, without intervening white space.
104If the
105port specification is omitted, it defaults to the
106.Ql radius
107or
108.Ql radacct
109service in the
110.Pa /etc/services
111file for service types
112.Ql auth
113and
114.Ql acct ,
115respectively.
116If no such entry is present, the standard ports 1812 and 1813 are
117used.
118.Pp
119The third field contains the shared secret, which should be known
120only to the client and server hosts.
121It is an arbitrary string of
122characters, though it must be enclosed in double quotes if it
123contains white space.
124The shared secret may be
125any length, but the RADIUS protocol uses only the first 128
126characters.
127N.B., some popular RADIUS servers have bugs which
128prevent them from working properly with secrets longer than 16
129characters.
130.Pp
131The fourth field contains a decimal integer specifying the timeout in
132seconds for receiving a valid reply from the server.
133If this field
134is omitted, it defaults to 3 seconds.
135.Pp
136The fifth field contains a decimal integer specifying the maximum
137number of attempts that will be made to authenticate with the server
138before giving up.
139If omitted, it defaults to 3 attempts.
140Note,
141this is the total number of attempts and not the number of retries.
142.Pp
143Up to 10 RADIUS servers may be specified for each service type.
144The servers are tried in
145round-robin fashion, until a valid response is received or the
146maximum number of tries has been reached for all servers.
147.Pp
148The standard location for this file is
149.Pa /etc/radius.conf .
150But an alternate pathname may be specified in the call to
151.Xr rad_config 3 .
152Since the file contains sensitive information in the form of the
153shared secrets, it should not be readable except by root.
154.Sh FILES
155.Pa /etc/radius.conf
156.Sh EXAMPLES
157.Bd -literal
158# A simple entry using all the defaults:
159acct  radius1.domain.com  OurLittleSecret
160
161# A server still using the obsolete RADIUS port, with increased
162# timeout and maximum tries:
163auth  auth.domain.com:1645  "I can't see you"  5  4
164
165# A server specified by its IP address:
166auth  192.168.27.81  $X*#..38947ax-+=
167.Ed
168.Sh SEE ALSO
169.Xr libradius 3
170.Rs
171.%A C. Rigney, et al
172.%T "Remote Authentication Dial In User Service (RADIUS)"
173.%O RFC 2138
174.Re
175.Rs
176.%A C. Rigney
177.%T RADIUS Accounting
178.%O RFC 2139
179.Re
180.Sh AUTHORS
181This documentation was written by
182.An John Polstra ,
183and donated to the
184.Fx
185project by Juniper Networks, Inc.
186