NAME
radius.conf —
RADIUS client
configuration file
SYNOPSIS
/etc/radius.conf
DESCRIPTION
radius.conf contains the information necessary to configure
the RADIUS client library. It is parsed by
rad_config(3). The file
contains one or more lines of text, each describing a single RADIUS server
which will be used by the library. Leading white space is ignored, as are
empty lines and lines containing only comments.
A RADIUS server is described by three to five fields on a line:
- Service type
- Server host
- Shared secret
- Timeout
- Retries
The fields are separated by white space. The
‘
#
’ character at the beginning of a field
begins a comment, which extends to the end of the line. A field may be
enclosed in double quotes, in which case it may contain white space and/or
begin with the ‘
#
’ character. Within a
quoted string, the double quote character can be represented by
‘
\"
’, and the backslash can be
represented by ‘
\\
’. No other escape
sequences are supported.
The first field gives the service type, either
‘
auth
’ for RADIUS authentication or
‘
acct
’ for RADIUS accounting. If a single
server provides both services, two lines are required in the file. Earlier
versions of this file did not include a service type. For backward
compatibility, if the first field is not
‘
auth
’ or
‘
acct
’ the library behaves as if
‘
auth
’ were specified, and interprets the
fields in the line as if they were fields two through five.
The second field specifies the server host, either as a fully qualified domain
name or as a dotted-quad IP address. The host may optionally be followed by a
‘
:
’ and a numeric port number, without
intervening white space. If the port specification is omitted, it defaults to
the ‘
radius
’ or
‘
radacct
’ service in the
/etc/services file for service types
‘
auth
’ and
‘
acct
’, respectively. If no such entry is
present, the standard ports 1812 and 1813 are used.
The third field contains the shared secret, which should be known only to the
client and server hosts. It is an arbitrary string of characters, though it
must be enclosed in double quotes if it contains white space. The shared
secret may be any length, but the RADIUS protocol uses only the first 128
characters. N.B., some popular RADIUS servers have bugs which prevent them
from working properly with secrets longer than 16 characters.
The fourth field contains a decimal integer specifying the timeout in seconds
for receiving a valid reply from the server. If this field is omitted, it
defaults to 3 seconds.
The fifth field contains a decimal integer specifying the maximum number of
attempts that will be made to authenticate with the server before giving up.
If omitted, it defaults to 3 attempts. Note, this is the total number of
attempts and not the number of retries.
Up to 10 RADIUS servers may be specified for each service type. The servers are
tried in round-robin fashion, until a valid response is received or the
maximum number of tries has been reached for all servers.
The standard location for this file is
/etc/radius.conf. But
an alternate pathname may be specified in the call to
rad_config(3). Since the
file contains sensitive information in the form of the shared secrets, it
should not be readable except by root.
FILES
/etc/radius.conf
EXAMPLES
# A simple entry using all the defaults:
acct radius1.domain.com OurLittleSecret
# A server still using the obsolete RADIUS port, with increased
# timeout and maximum tries:
auth auth.domain.com:1645 "I can't see you" 5 4
# A server specified by its IP address:
auth 192.168.27.81 $X*#..38947ax-+=
SEE ALSO
libradius(3)
C. Rigney, et al,
Remote Authentication Dial In User Service (RADIUS),
RFC 2138.
C. Rigney, RADIUS
Accounting, RFC 2139.
AUTHORS
This documentation was written by
John Polstra, and
donated to the
FreeBSD project by Juniper Networks,
Inc.