1.\" Copyright 1998 Juniper Networks, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD$ 26.\" 27.Dd October 30, 1999 28.Dt RADIUS.CONF 5 29.Os FreeBSD 30.Sh NAME 31.Nm radius.conf 32.Nd RADIUS client configuration file 33.Sh SYNOPSIS 34.Pa /etc/radius.conf 35.Sh DESCRIPTION 36.Nm 37contains the information necessary to configure the RADIUS client 38library. It is parsed by 39.Xr rad_config 3 . 40The file contains one or more lines of text, each describing a 41single RADIUS server which will be used by the library. Leading 42white space is ignored, as are empty lines and lines containing 43only comments. 44.Pp 45A RADIUS server is described by three to five fields on a line: 46.Pp 47.Bl -item -offset indent -compact 48.It 49Service type 50.It 51Server host 52.It 53Shared secret 54.It 55Timeout 56.It 57Retries 58.El 59.Pp 60The fields are separated by white space. The 61.Ql # 62character at the beginning of a field begins a comment, which extends 63to the end of the line. A field may be enclosed in double quotes, 64in which case it may contain white space and/or begin with the 65.Ql # 66character. Within a quoted string, the double quote character can 67be represented by 68.Ql \e\&" , 69and the backslash can be represented by 70.Ql \e\e . 71No other escape sequences are supported. 72.Pp 73.Pp 74The first field gives the service type, either 75.Ql auth 76for RADIUS authentication or 77.Ql acct 78for RADIUS accounting. If a single server provides both services, two 79lines are required in the file. Earlier versions of this file did 80not include a service type. For backward compatibility, if the first 81field is not 82.Ql auth 83or 84.Ql acct 85the library behaves as if 86.Ql auth 87were specified, and interprets the fields in the line as if they 88were fields two through five. 89.Pp 90The second field specifies 91the server host, either as a fully qualified domain name or as a 92dotted-quad IP address. The host may optionally be followed by a 93.Ql \&: 94and a numeric port number, without intervening white space. If the 95port specification is omitted, it defaults to the 96.Ql radius 97or 98.Ql radacct 99service in the 100.Pa /etc/services 101file for service types 102.Ql auth 103and 104.Ql acct , 105respectively. 106If no such entry is present, the standard ports 1812 and 1813 are 107used. 108.Pp 109The third field contains the shared secret, which should be known 110only to the client and server hosts. It is an arbitrary string of 111characters, though it must be enclosed in double quotes if it 112contains white space. The shared secret may be 113any length, but the RADIUS protocol uses only the first 128 114characters. N.B., some popular RADIUS servers have bugs which 115prevent them from working properly with secrets longer than 16 116characters. 117.Pp 118The fourth field contains a decimal integer specifying the timeout in 119seconds for receiving a valid reply from the server. If this field 120is omitted, it defaults to 3 seconds. 121.Pp 122The fifth field contains a decimal integer specifying the maximum 123number of attempts that will be made to authenticate with the server 124before giving up. If omitted, it defaults to 3 attempts. Note, 125this is the total number of attempts and not the number of retries. 126.Pp 127Up to 10 RADIUS servers may be specified for each service type. 128The servers are tried in 129round-robin fashion, until a valid response is received or the 130maximum number of tries has been reached for all servers. 131.Pp 132The standard location for this file is 133.Pa /etc/radius.conf . 134But an alternate pathname may be specified in the call to 135.Xr rad_config 3 . 136Since the file contains sensitive information in the form of the 137shared secrets, it should not be readable except by root. 138.Sh FILES 139.Pa /etc/radius.conf 140.Sh EXAMPLES 141.Bd -literal 142# A simple entry using all the defaults: 143acct radius1.domain.com OurLittleSecret 144 145# A server still using the obsolete RADIUS port, with increased 146# timeout and maximum tries: 147auth auth.domain.com:1645 "I can't see you" 5 4 148 149# A server specified by its IP address: 150auth 192.168.27.81 $X*#..38947ax-+= 151.Ed 152.Sh SEE ALSO 153.Xr libradius 3 154.Rs 155.%A C. Rigney, et al 156.%T Remote Authentication Dial In User Service (RADIUS) 157.%O RFC 2138 158.Re 159.Rs 160.%A C. Rigney 161.%T RADIUS Accounting 162.%O RFC 2139 163.Re 164.Sh AUTHORS 165This documentation was written by 166.An John Polstra , 167and donated to the 168.Fx 169project by Juniper Networks, Inc. 170