xref: /freebsd/lib/libradius/radius.conf.5 (revision bb15ca603fa442c72dde3f3cb8b46db6970e3950)
1.\" Copyright 1998 Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd October 30, 1999
28.Dt RADIUS.CONF 5
29.Os
30.Sh NAME
31.Nm radius.conf
32.Nd RADIUS client configuration file
33.Sh SYNOPSIS
34.Pa /etc/radius.conf
35.Sh DESCRIPTION
36.Nm
37contains the information necessary to configure the RADIUS client
38library.
39It is parsed by
40.Xr rad_config 3 .
41The file contains one or more lines of text, each describing a
42single RADIUS server which will be used by the library.
43Leading
44white space is ignored, as are empty lines and lines containing
45only comments.
46.Pp
47A RADIUS server is described by three to five fields on a line:
48.Pp
49.Bl -item -offset indent -compact
50.It
51Service type
52.It
53Server host
54.It
55Shared secret
56.It
57Timeout
58.It
59Retries
60.El
61.Pp
62The fields are separated by white space.
63The
64.Ql #
65character at the beginning of a field begins a comment, which extends
66to the end of the line.
67A field may be enclosed in double quotes,
68in which case it may contain white space and/or begin with the
69.Ql #
70character.
71Within a quoted string, the double quote character can
72be represented by
73.Ql \e\&" ,
74and the backslash can be represented by
75.Ql \e\e .
76No other escape sequences are supported.
77.Pp
78The first field gives the service type, either
79.Ql auth
80for RADIUS authentication or
81.Ql acct
82for RADIUS accounting.
83If a single server provides both services, two
84lines are required in the file.
85Earlier versions of this file did
86not include a service type.
87For backward compatibility, if the first
88field is not
89.Ql auth
90or
91.Ql acct
92the library behaves as if
93.Ql auth
94were specified, and interprets the fields in the line as if they
95were fields two through five.
96.Pp
97The second field specifies
98the server host, either as a fully qualified domain name or as a
99dotted-quad IP address.
100The host may optionally be followed by a
101.Ql \&:
102and a numeric port number, without intervening white space.
103If the
104port specification is omitted, it defaults to the
105.Ql radius
106or
107.Ql radacct
108service in the
109.Pa /etc/services
110file for service types
111.Ql auth
112and
113.Ql acct ,
114respectively.
115If no such entry is present, the standard ports 1812 and 1813 are
116used.
117.Pp
118The third field contains the shared secret, which should be known
119only to the client and server hosts.
120It is an arbitrary string of
121characters, though it must be enclosed in double quotes if it
122contains white space.
123The shared secret may be
124any length, but the RADIUS protocol uses only the first 128
125characters.
126N.B., some popular RADIUS servers have bugs which
127prevent them from working properly with secrets longer than 16
128characters.
129.Pp
130The fourth field contains a decimal integer specifying the timeout in
131seconds for receiving a valid reply from the server.
132If this field
133is omitted, it defaults to 3 seconds.
134.Pp
135The fifth field contains a decimal integer specifying the maximum
136number of attempts that will be made to authenticate with the server
137before giving up.
138If omitted, it defaults to 3 attempts.
139Note,
140this is the total number of attempts and not the number of retries.
141.Pp
142Up to 10 RADIUS servers may be specified for each service type.
143The servers are tried in
144round-robin fashion, until a valid response is received or the
145maximum number of tries has been reached for all servers.
146.Pp
147The standard location for this file is
148.Pa /etc/radius.conf .
149But an alternate pathname may be specified in the call to
150.Xr rad_config 3 .
151Since the file contains sensitive information in the form of the
152shared secrets, it should not be readable except by root.
153.Sh FILES
154.Pa /etc/radius.conf
155.Sh EXAMPLES
156.Bd -literal
157# A simple entry using all the defaults:
158acct  radius1.domain.com  OurLittleSecret
159
160# A server still using the obsolete RADIUS port, with increased
161# timeout and maximum tries:
162auth  auth.domain.com:1645  "I can't see you"  5  4
163
164# A server specified by its IP address:
165auth  192.168.27.81  $X*#..38947ax-+=
166.Ed
167.Sh SEE ALSO
168.Xr libradius 3
169.Rs
170.%A C. Rigney, et al
171.%T "Remote Authentication Dial In User Service (RADIUS)"
172.%O RFC 2138
173.Re
174.Rs
175.%A C. Rigney
176.%T RADIUS Accounting
177.%O RFC 2139
178.Re
179.Sh AUTHORS
180This documentation was written by
181.An John Polstra ,
182and donated to the
183.Fx
184project by Juniper Networks, Inc.
185