# -*- text -*-
| 2 | ## |
| 3 | ## clients.conf -- client configuration directives |
| 4 | ## |
| 5 | ## $Id: 81f450102d9f1a3bc72264ab8d06543591fcab98 $ |
| 6 | |
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Every "client" entry below is an access-control decision: a packet is
# only processed if its source address matches an entry, and that entry's
# shared secret is the only thing proving the sender really is that
# client. Keep each address as narrow as possible (one NAS per entry)
# and each secret random and unique.
| 10 | |
| 11 | # |
| 12 | # Defines a RADIUS client. |
| 13 | # |
| 14 | # '127.0.0.1' is another name for 'localhost'. It is enabled by default, |
| 15 | # to allow testing of the server after an initial installation. If you |
| 16 | # are not going to be permitting RADIUS queries from localhost, we suggest |
| 17 | # that you delete, or comment out, this entry. |
| 18 | # |
| 19 | # |
| 20 | |
| 21 | # |
| 22 | # Each client has a "short name" that is used to distinguish it from |
| 23 | # other clients. |
| 24 | # |
| 25 | # In version 1.x, the string after the word "client" was the IP |
| 26 | # address of the client. In 2.0, the IP address is configured via |
| 27 | # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x |
| 28 | # format is still accepted. |
| 29 | # |
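#
# Catch-all test clients.
#
# NOTE(review): this span previously held four copies of each of the two
# sections below, with the secret alternating between "testing123" and
# an empty value. A client address may only be defined once (stock
# FreeRADIUS refuses a second definition of the same address/prefix with
# a different secret as a duplicate client) and a client with an empty
# secret is rejected at startup, so the repeated copies could not all
# have been loaded - confirm against the installed version. They are
# collapsed to one definition each here; the empty-secret copies look
# like the result of a global substitution that blanked "testing123"
# in parts of this file.
#
# SECURITY: 0.0.0.0/0 and :: match EVERY source address, and "testing123"
# is the well-known FreeRADIUS example secret. Anyone who can reach the
# RADIUS port can therefore submit Access-Requests, read the replies,
# and decrypt or forge every attribute that the shared secret protects.
# This is only tolerable inside an isolated test harness. Before any
# other use, replace these with one "client" per NAS (a /32 or /128, no
# wildcard prefix) and a random secret of at least 16 characters, or
# remove them entirely.
#
client 0.0.0.0/0 {
	# Matches every IPv4 source. Test-only secret, see above.
	secret = testing123

	# Recommended once every client is known to send
	# Message-Authenticator (RFC 5080 section 2.2.2): the server then
	# discards Access-Requests that do not carry it. Left off here
	# because test tools may omit the attribute.
	# require_message_authenticator = yes
}

client ipv6 {
	# Matches every IPv6 source ("::" is the any-address, not ::1).
	ipv6addr = ::
	secret = testing123
}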
client localhost {
	# Allowed values are:
	#   dotted quad (1.2.3.4)
	#   hostname (radius.example.com)
	ipaddr = 127.0.0.1

	# OR, you can use an IPv6 address, but not both
	# at the same time.
	# ipv6addr = ::  # any.  ::1 == localhost

	#
	# The transport protocol.
	#
	# If unspecified, defaults to "udp", which is the traditional
	# RADIUS transport. It may also be "tcp", in which case the
	# server will accept connections from this client ONLY over TCP.
	#
	# The value used here, "*", is the wildcard for both UDP and TCP
	# (NOTE(review): confirm for the installed version). The "limit"
	# section at the bottom of this client then governs its TCP side.
	#
	proto = *

	#
	# A note on DNS: We STRONGLY recommend using IP addresses
	# rather than host names. Using host names means that the
	# server will do DNS lookups when it starts, making it
	# dependent on DNS. i.e. If anything goes wrong with DNS,
	# the server won't start!
	#
	# The server also looks up the IP address from DNS once, and
	# only once, when it starts. If the DNS record is later
	# updated, the server WILL NOT see that update.
	#
	# A host name also means a DNS answer decides who is trusted as
	# a client - one more reason to prefer literal addresses.
	#

	# One client definition can be applied to an entire network.
	# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
	# "netmask = 8"
	#
	# If not specified, the default netmask is 32 (i.e. /32)
	#
	# We do NOT recommend using anything other than 32. There
	# are usually other, better ways to achieve the same goal.
	# Using netmasks of other than 32 can cause security issues:
	# every host in the range shares this secret and is trusted as
	# a NAS.
	#
	# You can specify overlapping networks (127/8 and 127.0/16)
	# In that case, the smallest possible network will be used
	# as the "best match" for the client.
	#
	# Clients can also be defined dynamically at run time, based
	# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
	# etc.
	# See raddb/sites-available/dynamic-clients for details.
	#

	# netmask = 32

	#
	# The shared secret used to "encrypt" and "sign" packets between
	# the NAS and FreeRADIUS. You MUST change this secret from the
	# default, otherwise it's not a secret any more!
	#
	# The secret can be any string, up to 8k characters in length.
	#
	# Control codes can be entered via octal encoding,
	# e.g. "\101\102" == "AB"
	# Quotation marks can be entered by escaping them,
	# e.g. "foo\"bar"
	#
	# A note on security: The security of the RADIUS protocol
	# depends COMPLETELY on this secret! We recommend using a
	# shared secret that is composed of:
	#
	#   upper case letters
	#   lower case letters
	#   numbers
	#
	# And is at LEAST 8 characters long, preferably 16 characters in
	# length. The secret MUST be random, and should not be words,
	# phrase, or anything else that is recognisable.
	#
	# NOTE(review): the value below is EMPTY. The stock file ships
	# "secret = testing123" here; a global substitution appears to
	# have blanked it (the commented-out examples further down show
	# the same blank). Stock FreeRADIUS refuses to load a client whose
	# secret is empty, so this section as written is expected to fail
	# at startup - confirm against the installed version and set a
	# real, random secret before relying on the localhost client.
	#
	secret =

	#
	# Old-style clients do not send a Message-Authenticator
	# in an Access-Request. RFC 5080 suggests that all clients
	# SHOULD include it in an Access-Request. The configuration
	# item below allows the server to require it. If a client
	# is required to include a Message-Authenticator and it does
	# not, then the packet will be silently discarded.
	#
	# Why it matters: without Message-Authenticator, a plain
	# Access-Request (no EAP) is not integrity protected at all, so
	# the server cannot distinguish a spoofed request from a genuine
	# one. Set this to "yes" for every client known to send the
	# attribute; it is left at "no" here only because test tools
	# may omit it.
	#
	# allowed values: yes, no
	require_message_authenticator = no

	#
	# The short name is used as an alias for the fully qualified
	# domain name, or the IP address.
	#
	# It is accepted for compatibility with 1.x, but it is no
	# longer necessary in 2.0
	#
	# shortname = localhost

	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous use checks
	#

	#
	# The nas_type tells 'checkrad.pl' which NAS-specific method to
	# use to query the NAS for simultaneous use.
	#
	# Permitted NAS types are:
	#
	#   cisco
	#   computone
	#   livingston
	#   juniper
	#   max40xx
	#   multitech
	#   netserver
	#   pathras
	#   patton
	#   portslave
	#   tc
	#   usrhiper
	#   other  # for all other types

	#
	nas_type = other # localhost isn't usually a NAS...

	#
	# The following two configurations are for future use.
	# The 'naspasswd' file is currently used to store the NAS
	# login name and password, which is used by checkrad.pl
	# when querying the NAS for simultaneous use.
	#
	# If these are ever enabled they are NAS administrator
	# credentials stored in clear text in this file; restrict the
	# file's permissions accordingly.
	#
	# login = !root
	# password = someadminpas

	#
	# As of 2.0, clients can also be tied to a virtual server.
	# This is done by setting the "virtual_server" configuration
	# item, as in the example below.
	#
	# virtual_server = home1

	#
	# A pointer to the "home_server_pool" OR a "home_server"
	# section that contains the CoA configuration for this
	# client. For an example of a coa home server or pool,
	# see raddb/sites-available/originate-coa
	# coa_server = coa

	#
	# Connection limiting for clients using "proto = tcp".
	#
	# This section is ignored for clients sending UDP traffic
	#
	limit {
		#
		# Limit the number of simultaneous TCP connections from a client
		#
		# The default is 16.
		# Setting this to 0 means "no limit" - do not do that for a
		# client that is not fully trusted.
		max_connections = 16

		# The per-socket "max_requests" option does not exist.

		#
		# The lifetime, in seconds, of a TCP connection. After
		# this lifetime, the connection will be closed.
		#
		# Setting this to 0 means "forever". With 0 here, only
		# idle_timeout below ever reclaims a connection.
		lifetime = 0

		#
		# The idle timeout, in seconds, of a TCP connection.
		# If no packets have been received over the connection for
		# this time, the connection will be closed.
		#
		# Setting this to 0 means "no timeout".
		#
		# We STRONGLY RECOMMEND that you set an idle timeout.
		#
		idle_timeout = 30
	}
}
| 245 | |
# IPv6 Client
#
# Examples only. The "secret =" values are blank, presumably from the
# same substitution that blanked secrets elsewhere in this file; fill in
# a random secret if you un-comment one of these.
#client ::1 {
# secret =
# shortname = localhost
#}
#
# All IPv6 link-local clients
# NOTE(review): fe80::/10 is the link-local range (RFC 4291), not
# "site-local", and /16 is wider than that prefix. Treat this as a
# wildcard-style example, not something to enable as-is.
#client fe80::/16 {
# secret =
# shortname = localhost
#}

#client some.host.org {
# secret =
# shortname = localhost
#}
| 262 | |
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
# NOTE(review): the example secrets below read "-1" / "-2" because a
# global substitution appears to have removed the word "testing123"
# from this file (compare the empty "secret =" lines elsewhere). They
# are examples only; every real client or network needs its own random
# secret, and a shared secret for a whole /24 trusts every host in it.
#
#client 192.0.2.0/24 {
# secret = <random-secret-for-network-1>
# shortname = private-network-1
#}
#
#client 198.51.100.0/24 {
# secret = <random-secret-for-network-2>
# shortname = private-network-2
#}
| 278 | |
| 279 | #client 203.0.113.1 { |
| 280 | # # secret and password are mapped through the "secrets" file. |
| 281 | # secret = |
| 282 | # shortname = liv1 |
| 283 | #} |
| 284 | |
#
# Test-network client. 172.17.0.0/16 looks like the default Docker
# bridge range (NOTE(review): confirm - it is whatever network the test
# containers run on), so every host on that network, not only the
# authenticator under test, is trusted as a NAS.
#
# SECURITY: this contradicts the guidance above ("We do NOT recommend
# using anything other than 32") and reuses the published example
# secret. Outside the isolated test harness, narrow it to the
# authenticator's /32 and set a random secret.
#
client 172.17.0.0/16 {
	# NOTE(review): the secret is given literally here; nothing is
	# mapped through a "secrets" file for this client. The previous
	# comment was copied from the commented-out 203.0.113.1 example.
	secret = testing123
	shortname = auth-test
}
# The following three fields are optional, but may be used by
# checkrad.pl for simultaneous usage checks. They belong INSIDE a
# client section (see the commented-out 203.0.113.1 example above);
# the stray "#}" below closes nothing and is a leftover from that
# example. Leave them commented out unless checkrad.pl is in use:
# "password" is the NAS admin password and would sit here in clear text.

# nas_type = livingston
# login = !root
# password = someadminpas
#}
| 297 | |
| 298 | ####################################################################### |
| 299 | # |
| 300 | # Per-socket client lists. The configuration entries are exactly |
| 301 | # the same as above, but they are nested inside of a section. |
| 302 | # |
| 303 | # You can have as many per-socket client lists as you have "listen" |
| 304 | # sections, or you can re-use a list among multiple "listen" sections. |
| 305 | # |
| 306 | # Un-comment this section, and edit a "listen" section to add: |
| 307 | # "clients = per_socket_clients". That IP address/port combination |
| 308 | # will then accept ONLY the clients listed in this section. |
| 309 | # |
| 310 | #clients per_socket_clients { |
| 311 | # client 192.0.2.4 { |
| 312 | # secret = |
| 313 | # } |
| 314 | #} |