1.\" Copyright 1998 Juniper Networks, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD$ 26.\" 27.Dd October 30, 1999 28.Dt RADIUS.CONF 5 29.Os 30.Sh NAME 31.Nm radius.conf 32.Nd RADIUS client configuration file 33.Sh SYNOPSIS 34.Pa /etc/radius.conf 35.Sh DESCRIPTION 36.Nm 37contains the information necessary to configure the RADIUS client 38library. 39It is parsed by 40.Xr rad_config 3 . 41The file contains one or more lines of text, each describing a 42single RADIUS server which will be used by the library. 43Leading 44white space is ignored, as are empty lines and lines containing 45only comments. 46.Pp 47A RADIUS server is described by three to five fields on a line: 48.Pp 49.Bl -item -offset indent -compact 50.It 51Service type 52.It 53Server host 54.It 55Shared secret 56.It 57Timeout 58.It 59Retries 60.El 61.Pp 62The fields are separated by white space. 63The 64.Ql # 65character at the beginning of a field begins a comment, which extends 66to the end of the line. 67A field may be enclosed in double quotes, 68in which case it may contain white space and/or begin with the 69.Ql # 70character. 71Within a quoted string, the double quote character can 72be represented by 73.Ql \e\&" , 74and the backslash can be represented by 75.Ql \e\e . 76No other escape sequences are supported. 77.Pp 78The first field gives the service type, either 79.Ql auth 80for RADIUS authentication or 81.Ql acct 82for RADIUS accounting. 83If a single server provides both services, two 84lines are required in the file. 85Earlier versions of this file did 86not include a service type. 87For backward compatibility, if the first 88field is not 89.Ql auth 90or 91.Ql acct 92the library behaves as if 93.Ql auth 94were specified, and interprets the fields in the line as if they 95were fields two through five. 96.Pp 97The second field specifies 98the server host, either as a fully qualified domain name or as a 99dotted-quad IP address. 100The host may optionally be followed by a 101.Ql \&: 102and a numeric port number, without intervening white space. 103If the 104port specification is omitted, it defaults to the 105.Ql radius 106or 107.Ql radacct 108service in the 109.Pa /etc/services 110file for service types 111.Ql auth 112and 113.Ql acct , 114respectively. 115If no such entry is present, the standard ports 1812 and 1813 are 116used. 117.Pp 118The third field contains the shared secret, which should be known 119only to the client and server hosts. 120It is an arbitrary string of 121characters, though it must be enclosed in double quotes if it 122contains white space. 123The shared secret may be 124any length, but the RADIUS protocol uses only the first 128 125characters. 126N.B., some popular RADIUS servers have bugs which 127prevent them from working properly with secrets longer than 16 128characters. 129.Pp 130The fourth field contains a decimal integer specifying the timeout in 131seconds for receiving a valid reply from the server. 132If this field 133is omitted, it defaults to 3 seconds. 134.Pp 135The fifth field contains a decimal integer specifying the maximum 136number of attempts that will be made to authenticate with the server 137before giving up. 138If omitted, it defaults to 3 attempts. 139Note, 140this is the total number of attempts and not the number of retries. 141.Pp 142Up to 10 RADIUS servers may be specified for each service type. 143The servers are tried in 144round-robin fashion, until a valid response is received or the 145maximum number of tries has been reached for all servers. 146.Pp 147The standard location for this file is 148.Pa /etc/radius.conf . 149But an alternate pathname may be specified in the call to 150.Xr rad_config 3 . 151Since the file contains sensitive information in the form of the 152shared secrets, it should not be readable except by root. 153.Sh FILES 154.Pa /etc/radius.conf 155.Sh EXAMPLES 156.Bd -literal 157# A simple entry using all the defaults: 158acct radius1.domain.com OurLittleSecret 159 160# A server still using the obsolete RADIUS port, with increased 161# timeout and maximum tries: 162auth auth.domain.com:1645 "I can't see you" 5 4 163 164# A server specified by its IP address: 165auth 192.168.27.81 $X*#..38947ax-+= 166.Ed 167.Sh SEE ALSO 168.Xr libradius 3 169.Rs 170.%A C. Rigney, et al 171.%T "Remote Authentication Dial In User Service (RADIUS)" 172.%O RFC 2138 173.Re 174.Rs 175.%A C. Rigney 176.%T RADIUS Accounting 177.%O RFC 2139 178.Re 179.Sh AUTHORS 180This documentation was written by 181.An John Polstra , 182and donated to the 183.Fx 184project by Juniper Networks, Inc. 185