1.\" Copyright 1998 Juniper Networks, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD$ 26.\" 27.Dd October 30, 1999 28.Dt RADIUS.CONF 5 29.Os 30.Sh NAME 31.Nm radius.conf 32.Nd RADIUS client configuration file 33.Sh SYNOPSIS 34.Pa /etc/radius.conf 35.Sh DESCRIPTION 36.Nm 37contains the information necessary to configure the RADIUS client 38library. 39It is parsed by 40.Xr rad_config 3 . 41The file contains one or more lines of text, each describing a 42single RADIUS server which will be used by the library. 43Leading 44white space is ignored, as are empty lines and lines containing 45only comments. 46.Pp 47A RADIUS server is described by three to five fields on a line: 48.Pp 49.Bl -item -offset indent -compact 50.It 51Service type 52.It 53Server host 54.It 55Shared secret 56.It 57Timeout 58.It 59Retries 60.El 61.Pp 62The fields are separated by white space. 63The 64.Ql # 65character at the beginning of a field begins a comment, which extends 66to the end of the line. 67A field may be enclosed in double quotes, 68in which case it may contain white space and/or begin with the 69.Ql # 70character. 71Within a quoted string, the double quote character can 72be represented by 73.Ql \e\&" , 74and the backslash can be represented by 75.Ql \e\e . 76No other escape sequences are supported. 77.Pp 78.Pp 79The first field gives the service type, either 80.Ql auth 81for RADIUS authentication or 82.Ql acct 83for RADIUS accounting. 84If a single server provides both services, two 85lines are required in the file. 86Earlier versions of this file did 87not include a service type. 88For backward compatibility, if the first 89field is not 90.Ql auth 91or 92.Ql acct 93the library behaves as if 94.Ql auth 95were specified, and interprets the fields in the line as if they 96were fields two through five. 97.Pp 98The second field specifies 99the server host, either as a fully qualified domain name or as a 100dotted-quad IP address. 101The host may optionally be followed by a 102.Ql \&: 103and a numeric port number, without intervening white space. 104If the 105port specification is omitted, it defaults to the 106.Ql radius 107or 108.Ql radacct 109service in the 110.Pa /etc/services 111file for service types 112.Ql auth 113and 114.Ql acct , 115respectively. 116If no such entry is present, the standard ports 1812 and 1813 are 117used. 118.Pp 119The third field contains the shared secret, which should be known 120only to the client and server hosts. 121It is an arbitrary string of 122characters, though it must be enclosed in double quotes if it 123contains white space. 124The shared secret may be 125any length, but the RADIUS protocol uses only the first 128 126characters. 127N.B., some popular RADIUS servers have bugs which 128prevent them from working properly with secrets longer than 16 129characters. 130.Pp 131The fourth field contains a decimal integer specifying the timeout in 132seconds for receiving a valid reply from the server. 133If this field 134is omitted, it defaults to 3 seconds. 135.Pp 136The fifth field contains a decimal integer specifying the maximum 137number of attempts that will be made to authenticate with the server 138before giving up. 139If omitted, it defaults to 3 attempts. 140Note, 141this is the total number of attempts and not the number of retries. 142.Pp 143Up to 10 RADIUS servers may be specified for each service type. 144The servers are tried in 145round-robin fashion, until a valid response is received or the 146maximum number of tries has been reached for all servers. 147.Pp 148The standard location for this file is 149.Pa /etc/radius.conf . 150But an alternate pathname may be specified in the call to 151.Xr rad_config 3 . 152Since the file contains sensitive information in the form of the 153shared secrets, it should not be readable except by root. 154.Sh FILES 155.Pa /etc/radius.conf 156.Sh EXAMPLES 157.Bd -literal 158# A simple entry using all the defaults: 159acct radius1.domain.com OurLittleSecret 160 161# A server still using the obsolete RADIUS port, with increased 162# timeout and maximum tries: 163auth auth.domain.com:1645 "I can't see you" 5 4 164 165# A server specified by its IP address: 166auth 192.168.27.81 $X*#..38947ax-+= 167.Ed 168.Sh SEE ALSO 169.Xr libradius 3 170.Rs 171.%A C. Rigney, et al 172.%T "Remote Authentication Dial In User Service (RADIUS)" 173.%O RFC 2138 174.Re 175.Rs 176.%A C. Rigney 177.%T RADIUS Accounting 178.%O RFC 2139 179.Re 180.Sh AUTHORS 181This documentation was written by 182.An John Polstra , 183and donated to the 184.Fx 185project by Juniper Networks, Inc. 186