1.\" Copyright 1998 Juniper Networks, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD: /repoman/r/ncvs/src/lib/libradius/radius.conf.5,v 1.8 2004/07/02 23:52:18 ru Exp $ 26.\" $NetBSD: radius.conf.5,v 1.2 2005/02/20 01:02:07 wiz Exp $ 27.\" 28.Dd October 30, 1999 29.Dt RADIUS.CONF 5 30.Os 31.Sh NAME 32.Nm radius.conf 33.Nd RADIUS client configuration file 34.Sh SYNOPSIS 35.Pa /etc/radius.conf 36.Sh DESCRIPTION 37.Nm 38contains the information necessary to configure the RADIUS client 39library. 40It is parsed by 41.Xr rad_config 3 . 42The file contains one or more lines of text, each describing a 43single RADIUS server which will be used by the library. 44Leading 45white space is ignored, as are empty lines and lines containing 46only comments. 47.Pp 48A RADIUS server is described by three to five fields on a line: 49.Pp 50.Bl -item -offset indent -compact 51.It 52Service type 53.It 54Server host 55.It 56Shared secret 57.It 58Timeout 59.It 60Retries 61.El 62.Pp 63The fields are separated by white space. 64The 65.Ql # 66character at the beginning of a field begins a comment, which extends 67to the end of the line. 68A field may be enclosed in double quotes, 69in which case it may contain white space and/or begin with the 70.Ql # 71character. 72Within a quoted string, the double quote character can 73be represented by 74.Ql \e\&" , 75and the backslash can be represented by 76.Ql \e\e . 77No other escape sequences are supported. 78.Pp 79The first field gives the service type, either 80.Ql auth 81for RADIUS authentication or 82.Ql acct 83for RADIUS accounting. 84If a single server provides both services, two 85lines are required in the file. 86Earlier versions of this file did 87not include a service type. 88For backward compatibility, if the first 89field is not 90.Ql auth 91or 92.Ql acct 93the library behaves as if 94.Ql auth 95were specified, and interprets the fields in the line as if they 96were fields two through five. 97.Pp 98The second field specifies 99the server host, either as a fully qualified domain name or as a 100dotted-quad IP address. 101The host may optionally be followed by a 102.Ql \&: 103and a numeric port number, without intervening white space. 104If the 105port specification is omitted, it defaults to the 106.Ql radius 107or 108.Ql radacct 109service in the 110.Pa /etc/services 111file for service types 112.Ql auth 113and 114.Ql acct , 115respectively. 116If no such entry is present, the standard ports 1812 and 1813 are 117used. 118.Pp 119The third field contains the shared secret, which should be known 120only to the client and server hosts. 121It is an arbitrary string of 122characters, though it must be enclosed in double quotes if it 123contains white space. 124The shared secret may be 125any length, but the RADIUS protocol uses only the first 128 126characters. 127N.B., some popular RADIUS servers have bugs which 128prevent them from working properly with secrets longer than 16 129characters. 130.Pp 131The fourth field contains a decimal integer specifying the timeout in 132seconds for receiving a valid reply from the server. 133If this field 134is omitted, it defaults to 3 seconds. 135.Pp 136The fifth field contains a decimal integer specifying the maximum 137number of attempts that will be made to authenticate with the server 138before giving up. 139If omitted, it defaults to 3 attempts. 140Note, 141this is the total number of attempts and not the number of retries. 142.Pp 143Up to 10 RADIUS servers may be specified for each service type. 144The servers are tried in 145round-robin fashion, until a valid response is received or the 146maximum number of tries has been reached for all servers. 147.Pp 148The standard location for this file is 149.Pa /etc/radius.conf . 150But an alternate pathname may be specified in the call to 151.Xr rad_config 3 . 152Since the file contains sensitive information in the form of the 153shared secrets, it should not be readable except by root. 154.Sh FILES 155.Pa /etc/radius.conf 156.Sh EXAMPLES 157.Bd -literal 158# A simple entry using all the defaults: 159acct radius1.domain.com OurLittleSecret 160 161# A server still using the obsolete RADIUS port, with increased 162# timeout and maximum tries: 163auth auth.domain.com:1645 "I can't see you" 5 4 164 165# A server specified by its IP address: 166auth 192.168.27.81 $X*#..38947ax-+= 167.Ed 168.Sh SEE ALSO 169.Xr libradius 3 170.Rs 171.%A C. Rigney, et al 172.%T "Remote Authentication Dial In User Service (RADIUS)" 173.%O RFC 2138 174.Re 175.Rs 176.%A C. Rigney 177.%T RADIUS Accounting 178.%O RFC 2139 179.Re 180.Sh AUTHORS 181This documentation was written by 182.An John Polstra , 183and donated to the 184.Fx 185project by Juniper Networks, Inc. 186