xref: /freebsd/lib/libradius/radius.conf.5 (revision 59c8e88e72633afbc47a4ace0d2170d00d51f7dc)
1.\" Copyright 1998 Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd October 30, 1999
26.Dt RADIUS.CONF 5
27.Os
28.Sh NAME
29.Nm radius.conf
30.Nd RADIUS client configuration file
31.Sh SYNOPSIS
32.Pa /etc/radius.conf
33.Sh DESCRIPTION
34.Nm
35contains the information necessary to configure the RADIUS client
36library.
37It is parsed by
38.Xr rad_config 3 .
39The file contains one or more lines of text, each describing a
40single RADIUS server which will be used by the library.
41Leading
42white space is ignored, as are empty lines and lines containing
43only comments.
44.Pp
45A RADIUS server is described by three to seven fields on a line:
46.Pp
47.Bl -item -offset indent -compact
48.It
49Service type
50.It
51Server host
52.It
53Shared secret
54.It
55Timeout
56.It
57Retries
58.It
59Dead time
60.It
61Bind address
62.El
63.Pp
64The fields are separated by white space.
65The
66.Ql #
67character at the beginning of a field begins a comment, which extends
68to the end of the line.
69A field may be enclosed in double quotes,
70in which case it may contain white space and/or begin with the
71.Ql #
72character.
73Within a quoted string, the double quote character can
74be represented by
75.Ql \e\&" ,
76and the backslash can be represented by
77.Ql \e\e .
78No other escape sequences are supported.
79.Pp
80The first field gives the service type, either
81.Ql auth
82for RADIUS authentication or
83.Ql acct
84for RADIUS accounting.
85If a single server provides both services, two
86lines are required in the file.
87Earlier versions of this file did
88not include a service type.
89For backward compatibility, if the first
90field is not
91.Ql auth
92or
93.Ql acct
94the library behaves as if
95.Ql auth
96were specified, and interprets the fields in the line as if they
97were fields two through five.
98.Pp
99The second field specifies
100the server host, either as a fully qualified domain name or as a
101dotted-quad IP address.
102The host may optionally be followed by a
103.Ql \&:
104and a numeric port number, without intervening white space.
105If the
106port specification is omitted, it defaults to the
107.Ql radius
108or
109.Ql radacct
110service in the
111.Pa /etc/services
112file for service types
113.Ql auth
114and
115.Ql acct ,
116respectively.
117If no such entry is present, the standard ports 1812 and 1813 are
118used.
119.Pp
120The third field contains the shared secret, which should be known
121only to the client and server hosts.
122It is an arbitrary string of
123characters, though it must be enclosed in double quotes if it
124contains white space.
125The shared secret may be
126any length, but the RADIUS protocol uses only the first 128
127characters.
128N.B., some popular RADIUS servers have bugs which
129prevent them from working properly with secrets longer than 16
130characters.
131.Pp
132The fourth field contains a decimal integer specifying the timeout in
133seconds for receiving a valid reply from the server.
134If this field
135is omitted, it defaults to 3 seconds.
136.Pp
137The fifth field contains a decimal integer specifying the maximum
138number of attempts that will be made to authenticate with the server
139before giving up.
140If omitted, it defaults to 3 attempts.
141Note,
142this is the total number of attempts and not the number of retries.
143.Pp
144The sixth field contains a decimal integer specifying a time interval
145in seconds when the server will not requested if it was inaccessible
146on the last try. 0 means ask always.
147.Pp
148The seventh field contains an IP address on multihomed host. All
149requests will be binded to this IP.
150.Pp
151Up to 10 RADIUS servers may be specified for each service type.
152The servers are tried in
153round-robin fashion, until a valid response is received or the
154maximum number of tries has been reached for all servers.
155.Pp
156The standard location for this file is
157.Pa /etc/radius.conf .
158But an alternate pathname may be specified in the call to
159.Xr rad_config 3 .
160Since the file contains sensitive information in the form of the
161shared secrets, it should not be readable except by root.
162.Sh FILES
163.Bl -tag -width Pa
164.It Pa /etc/radius.conf
165.El
166.Sh EXAMPLES
167.Bd -literal
168# A simple entry using all the defaults:
169acct  radius1.domain.com  OurLittleSecret
170
171# A server still using the obsolete RADIUS port, with increased
172# timeout and maximum tries:
173auth  auth.domain.com:1645  "I can't see you"  5  4
174
175# As above but set dead time and bind address
176auth  auth.domain.com:1645  "I can't see you"  5  4  60  192.168.1.8
177
178# A server specified by its IP address:
179auth  192.168.27.81  $X*#..38947ax-+=
180.Ed
181.Sh SEE ALSO
182.Xr libradius 3
183.Rs
184.%A C. Rigney, et al
185.%T "Remote Authentication Dial In User Service (RADIUS)"
186.%O RFC 2138
187.Re
188.Rs
189.%A C. Rigney
190.%T RADIUS Accounting
191.%O RFC 2139
192.Re
193.Sh AUTHORS
194This documentation was written by
195.An John Polstra ,
196and donated to the
197.Fx
198project by Juniper Networks, Inc.
199