xref: /freebsd/lib/libradius/radius.conf.5 (revision 5956d97f4b3204318ceb6aa9c77bd0bc6ea87a41)
1.\" Copyright 1998 Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd October 30, 1999
28.Dt RADIUS.CONF 5
29.Os
30.Sh NAME
31.Nm radius.conf
32.Nd RADIUS client configuration file
33.Sh SYNOPSIS
34.Pa /etc/radius.conf
35.Sh DESCRIPTION
36.Nm
37contains the information necessary to configure the RADIUS client
38library.
39It is parsed by
40.Xr rad_config 3 .
41The file contains one or more lines of text, each describing a
42single RADIUS server which will be used by the library.
43Leading
44white space is ignored, as are empty lines and lines containing
45only comments.
46.Pp
47A RADIUS server is described by three to seven fields on a line:
48.Pp
49.Bl -item -offset indent -compact
50.It
51Service type
52.It
53Server host
54.It
55Shared secret
56.It
57Timeout
58.It
59Retries
60.It
61Dead time
62.It
63Bind address
64.El
65.Pp
66The fields are separated by white space.
67The
68.Ql #
69character at the beginning of a field begins a comment, which extends
70to the end of the line.
71A field may be enclosed in double quotes,
72in which case it may contain white space and/or begin with the
73.Ql #
74character.
75Within a quoted string, the double quote character can
76be represented by
77.Ql \e\&" ,
78and the backslash can be represented by
79.Ql \e\e .
80No other escape sequences are supported.
81.Pp
82The first field gives the service type, either
83.Ql auth
84for RADIUS authentication or
85.Ql acct
86for RADIUS accounting.
87If a single server provides both services, two
88lines are required in the file.
89Earlier versions of this file did
90not include a service type.
91For backward compatibility, if the first
92field is not
93.Ql auth
94or
95.Ql acct
96the library behaves as if
97.Ql auth
98were specified, and interprets the fields in the line as if they
99were fields two through five.
100.Pp
101The second field specifies
102the server host, either as a fully qualified domain name or as a
103dotted-quad IP address.
104The host may optionally be followed by a
105.Ql \&:
106and a numeric port number, without intervening white space.
107If the
108port specification is omitted, it defaults to the
109.Ql radius
110or
111.Ql radacct
112service in the
113.Pa /etc/services
114file for service types
115.Ql auth
116and
117.Ql acct ,
118respectively.
119If no such entry is present, the standard ports 1812 and 1813 are
120used.
121.Pp
122The third field contains the shared secret, which should be known
123only to the client and server hosts.
124It is an arbitrary string of
125characters, though it must be enclosed in double quotes if it
126contains white space.
127The shared secret may be
128any length, but the RADIUS protocol uses only the first 128
129characters.
130N.B., some popular RADIUS servers have bugs which
131prevent them from working properly with secrets longer than 16
132characters.
133.Pp
134The fourth field contains a decimal integer specifying the timeout in
135seconds for receiving a valid reply from the server.
136If this field
137is omitted, it defaults to 3 seconds.
138.Pp
139The fifth field contains a decimal integer specifying the maximum
140number of attempts that will be made to authenticate with the server
141before giving up.
142If omitted, it defaults to 3 attempts.
143Note,
144this is the total number of attempts and not the number of retries.
145.Pp
146The sixth field contains a decimal integer specifying a time interval
147in seconds when the server will not requested if it was inaccessible
148on the last try. 0 means ask always.
149.Pp
150The seventh field contains an IP address on multihomed host. All
151requests will be binded to this IP.
152.Pp
153Up to 10 RADIUS servers may be specified for each service type.
154The servers are tried in
155round-robin fashion, until a valid response is received or the
156maximum number of tries has been reached for all servers.
157.Pp
158The standard location for this file is
159.Pa /etc/radius.conf .
160But an alternate pathname may be specified in the call to
161.Xr rad_config 3 .
162Since the file contains sensitive information in the form of the
163shared secrets, it should not be readable except by root.
164.Sh FILES
165.Bl -tag -width Pa
166.It Pa /etc/radius.conf
167.El
168.Sh EXAMPLES
169.Bd -literal
170# A simple entry using all the defaults:
171acct  radius1.domain.com  OurLittleSecret
172
173# A server still using the obsolete RADIUS port, with increased
174# timeout and maximum tries:
175auth  auth.domain.com:1645  "I can't see you"  5  4
176
177# As above but set dead time and bind address
178auth  auth.domain.com:1645  "I can't see you"  5  4  60  192.168.1.8
179
180# A server specified by its IP address:
181auth  192.168.27.81  $X*#..38947ax-+=
182.Ed
183.Sh SEE ALSO
184.Xr libradius 3
185.Rs
186.%A C. Rigney, et al
187.%T "Remote Authentication Dial In User Service (RADIUS)"
188.%O RFC 2138
189.Re
190.Rs
191.%A C. Rigney
192.%T RADIUS Accounting
193.%O RFC 2139
194.Re
195.Sh AUTHORS
196This documentation was written by
197.An John Polstra ,
198and donated to the
199.Fx
200project by Juniper Networks, Inc.
201