# -*- text -*-
##
## clients.conf -- client configuration directives
##
##	$Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $

#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#

client localhost {
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#	hostname    (radius.example.com)
	ipaddr = 127.0.0.1

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#
	#  A note on DNS:  We STRONGLY recommend using IP addresses
	#  rather than host names.  Using host names means that the
	#  server will do DNS lookups when it starts, making it
	#  dependent on DNS.  i.e. If anything goes wrong with DNS,
	#  the server won't start!
	#
	#  The server also looks up the IP address from DNS once, and
	#  only once, when it starts.  If the DNS record is later
	#  updated, the server WILL NOT see that update.
	#

	#
	#  One client definition can be applied to an entire network.
	#  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
	#  "netmask = 8"
	#
	#  If not specified, the default netmask is 32 (i.e. /32)
	#
	#  We do NOT recommend using anything other than 32.  There
	#  are usually other, better ways to achieve the same goal.
	#  Using netmasks of other than 32 can cause security issues.
	#
	#  You can specify overlapping networks (127/8 and 127.0/16)
	#  In that case, the smallest possible network will be used
	#  as the "best match" for the client.
	#
	#  Clients can also be defined dynamically at run time, based
	#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
	#  etc.
	#  See raddb/sites-available/dynamic-clients for details.
	#

#	netmask = 32

	#
	#  The shared secret used to "encrypt" and "sign" packets between
	#  the NAS and FreeRADIUS.  You MUST change this secret from the
	#  default, otherwise it's not a secret any more!
	#
	#  The secret can be any string, up to 8k characters in length.
	#
	#  Control codes can be entered via octal encoding,
	#	e.g. "\101\102" == "AB"
	#  Quotation marks can be entered by escaping them,
	#	e.g. "foo\"bar"
	#
	#  A note on security:  The security of the RADIUS protocol
	#  depends COMPLETELY on this secret!  We recommend using a
	#  shared secret that is composed of:
	#
	#	upper case letters
	#	lower case letters
	#	numbers
	#
	#  And is at LEAST 8 characters long, preferably 16 characters in
	#  length.  The secret MUST be random, and should not be words,
	#  phrases, or anything else that is recognizable.
	#
	#  The default secret below is only for testing, and should
	#  not be used in any real environment.
	#
	secret = testing123

	#
	#  Old-style clients do not send a Message-Authenticator
	#  in an Access-Request.  RFC 5080 suggests that all clients
	#  SHOULD include it in an Access-Request.  The configuration
	#  item below allows the server to require it.  If a client
	#  is required to include a Message-Authenticator and it does
	#  not, then the packet will be silently discarded.
	#
	#  allowed values: yes, no
	require_message_authenticator = no

	#
	#  The short name is used as an alias for the fully qualified
	#  domain name, or the IP address.
	#
	#  It is accepted for compatibility with 1.x, but it is no
	#  longer necessary in 2.0
	#
#	shortname = localhost

	#
	#  The following three fields are optional, but may be used by
	#  checkrad.pl for simultaneous use checks
	#

	#
	#  The nastype tells 'checkrad.pl' which NAS-specific method to
	#  use to query the NAS for simultaneous use.
	#
	#  Permitted NAS types are:
	#
	#	cisco
	#	computone
	#	livingston
	#	juniper
	#	max40xx
	#	multitech
	#	netserver
	#	pathras
	#	patton
	#	portslave
	#	tc
	#	usrhiper
	#	other		# for all other types
	#
	nastype     = other	# localhost isn't usually a NAS...

	#
	#  The following two configurations are for future use.
	#  The 'naspasswd' file is currently used to store the NAS
	#  login name and password, which is used by checkrad.pl
	#  when querying the NAS for simultaneous use.
	#
#	login       = !root
#	password    = someadminpas

	#
	#  As of 2.0, clients can also be tied to a virtual server.
	#  This is done by setting the "virtual_server" configuration
	#  item, as in the example below.
	#
#	virtual_server = home1

	#
	#  A pointer to the "home_server_pool" OR a "home_server"
	#  section that contains the CoA configuration for this
	#  client.  For an example of a coa home server or pool,
	#  see raddb/sites-available/originate-coa
	#
#	coa_server = coa

	#
	#  Response window for proxied packets.  If non-zero,
	#  then the lower of (home, client) response_window
	#  will be used.
	#
	#  i.e. it can be used to lower the response_window for
	#  packets from one client to a home server.  It cannot
	#  be used to raise the response_window.
	#
#	response_window = 10.0
}

# IPv6 Client
#client ::1 {
#	secret		= testing123
#	shortname	= localhost
#}

#
# All IPv6 Site-local clients
#client fe80::/16 {
#	secret		= testing123
#	shortname	= localhost
#}

#client some.host.org {
#	secret		= testing123
#	shortname	= localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#	secret		= testing123-1
#	shortname	= private-network-1
#}
#
#client 192.168.0.0/16 {
#	secret		= testing123-2
#	shortname	= private-network-2
#}

#client 10.10.10.10 {
#	# secret and password are mapped through the "secrets" file.
#	secret      = testing123
#	shortname   = liv1
#	# the following three fields are optional, but may be used by
#	# checkrad.pl for simultaneous usage checks
#	nastype     = livingston
#	login       = !root
#	password    = someadminpas
#}

#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#	client 192.168.3.4 {
#		secret = testing123
#	}
#}
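As an added example that is not part of FreeRADIUS or this file: a small Python linter that parses the `client name { key = value }` blocks of a clients.conf and reports the weak settings the comments above warn about (the shipped test secret, short or single-class secrets, a netmask other than /32, and clients that do not require a Message-Authenticator). The sample configuration embedded in it is constructed for the demo, and the 16-character and three-character-class thresholds follow the guidance in the file.

```python
import re

CLIENT_RE = re.compile(r"^[ \t]*client[ \t]+(\S+)[ \t]*\{", re.M)  # not "clients {"
KV_RE = re.compile(r"^[ \t]*([A-Za-z_]+)[ \t]*=[ \t]*(\"[^\"]*\"|\S+)", re.M)

def parse_clients(text: str) -> dict:
    """{client_name: {key: value}} for each live client block; comment lines are skipped."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    clients = {}
    for m in CLIENT_RE.finditer(live):
        body = live[m.end():live.index("}", m.end())]  # up to the closing brace
        clients[m.group(1)] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return clients

def check_client(name: str, cfg: dict) -> list:
    """Findings for one client block; an empty list means it passes."""
    findings = []
    secret = cfg.get("secret", "")
    if secret.startswith("testing123"):  # the placeholder shipped in clients.conf
        findings.append("uses the default/test secret")
    if len(secret) < 16:
        findings.append(f"secret is {len(secret)} chars; 16 recommended, 8 minimum")
    if sum(bool(re.search(p, secret)) for p in (r"[A-Z]", r"[a-z]", r"\d")) < 3:
        findings.append("secret lacks upper, lower and digit characters")
    # Netmask comes from "netmask = N" or a "name/N" prefix; the default is /32.
    mask = cfg.get("netmask") or (name.split("/")[1] if "/" in name else "32")
    if mask not in ("32", "128"):  # 128 is the IPv6 single-host mask
        findings.append(f"netmask /{mask} covers a whole network, not one NAS")
    if cfg.get("require_message_authenticator", "no").lower() != "yes":
        findings.append("Message-Authenticator not required (RFC 5080)")
    return findings

def lint(text: str) -> dict:
    return {n: check_client(n, c) for n, c in parse_clients(text).items()}

# Constructed sample: two weak clients and one that follows the file's guidance.
SAMPLE = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client 192.168.0.0/24 {
    secret = testing123-1
    shortname = private-network-1
}
client 192.0.2.10 {
    secret = "Qm7xR2pL9vT4wN8k"
    require_message_authenticator = yes
}
"""
```

Run `lint(open("/etc/raddb/clients.conf").read())` against a real file to get a per-client findings map; nested per-socket `client` blocks are picked up as well because the pattern only skips the outer `clients` section header.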