# -*- text -*-
2##
3## clients.conf -- client configuration directives
4##
5## $Id: 81f450102d9f1a3bc72264ab8d06543591fcab98 $
6
7#######################################################################
8#
9# Define RADIUS clients (usually a NAS, Access Point, etc.).
10
11#
12# Defines a RADIUS client.
13#
14# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
15# to allow testing of the server after an initial installation. If you
16# are not going to be permitting RADIUS queries from localhost, we suggest
17# that you delete, or comment out, this entry.
18#
19#
20
21#
22# Each client has a "short name" that is used to distinguish it from
23# other clients.
24#
25# In version 1.x, the string after the word "client" was the IP
26# address of the client. In 2.0, the IP address is configured via
27# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
28# format is still accepted.
29#
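#
# Catch-all clients used by the test harness.
#
# NOTE(review): this file previously declared "client 0.0.0.0/0" and
# "client ipv6" four times each, with the secret alternating between
# empty and "testing123". FreeRADIUS treats a second client with the
# same address and prefix as a duplicate (the server is expected to
# refuse to start) and is also expected to reject a client with an
# empty secret, so the definitions are consolidated here into one of
# each, keeping the non-empty secret.
#
# Security: a /0 prefix accepts RADIUS packets from ANY source
# address, and "testing123" is the well-known default shared secret,
# so any host that can reach the RADIUS port can act as a NAS. This
# is only tolerable on an isolated test network; elsewhere, narrow
# the prefix to the real NAS addresses and use a random secret of at
# least 16 characters (see the secret notes in the localhost client).
#
client 0.0.0.0/0 {
	secret = testing123
}

#
# IPv6 counterpart of the catch-all above.
#
# NOTE(review): "ipv6addr = ::" carries no explicit prefix. Whether the
# server treats this as the single host ::/128 or as a wildcard depends
# on the client parser of the FreeRADIUS version in use - confirm before
# relying on it, and prefer an explicit prefix either way.
#
client ipv6 {
	ipv6addr = ::
	secret = testing123
}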
client localhost {
	# Allowed values are:
	#	dotted quad (1.2.3.4)
	#	hostname (radius.example.com)
	ipaddr = 127.0.0.1

	# OR, you can use an IPv6 address, but not both
	# at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#
	# The transport protocol.
	#
	# If unspecified, defaults to "udp", which is the traditional
	# RADIUS transport. It may also be "tcp", in which case the
	# server will accept connections from this client ONLY over TCP.
	#
	# The value "*" used below is the stock example value and is
	# understood to allow either transport; confirm against the
	# documentation of the FreeRADIUS version actually deployed.
	#
	proto = *

	#
	# A note on DNS: We STRONGLY recommend using IP addresses
	# rather than host names. Using host names means that the
	# server will do DNS lookups when it starts, making it
	# dependent on DNS. i.e. If anything goes wrong with DNS,
	# the server won't start!
	#
	# The server also looks up the IP address from DNS once, and
	# only once, when it starts. If the DNS record is later
	# updated, the server WILL NOT see that update.
	#

	# One client definition can be applied to an entire network.
	# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
	# "netmask = 8"
	#
	# If not specified, the default netmask is 32 (i.e. /32)
	#
	# We do NOT recommend using anything other than 32. There
	# are usually other, better ways to achieve the same goal.
	# Using netmasks of other than 32 can cause security issues.
	#
	# You can specify overlapping networks (127/8 and 127.0/16)
	# In that case, the smallest possible network will be used
	# as the "best match" for the client.
	#
	# Clients can also be defined dynamically at run time, based
	# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
	# etc.
	# See raddb/sites-available/dynamic-clients for details.
	#

#	netmask = 32

	#
	# The shared secret used to "encrypt" and "sign" packets between
	# the NAS and FreeRADIUS. You MUST change this secret from the
	# default, otherwise it's not a secret any more!
	#
	# The secret can be any string, up to 8k characters in length.
	#
	# Control codes can be entered via octal encoding,
	# e.g. "\101\102" == "AB"
	# Quotation marks can be entered by escaping them,
	# e.g. "foo\"bar"
	#
	# A note on security: The security of the RADIUS protocol
	# depends COMPLETELY on this secret! We recommend using a
	# shared secret that is composed of:
	#
	#	upper case letters
	#	lower case letters
	#	numbers
	#
	# And is at LEAST 8 characters long, preferably 16 characters in
	# length. The secret MUST be random, and should not be words,
	# phrases, or anything else that is recognisable.
	#
	# The default secret below is only for testing, and should
	# not be used in any real environment.
	#
	# NOTE(review): the value below is EMPTY. FreeRADIUS is expected
	# to refuse to load a client whose secret is empty, and even if it
	# loaded, an empty secret gives no packet authentication at all
	# (Message-Authenticator and attribute "encryption" are both keyed
	# by it). Set a random secret of at least 16 characters before use.
	#
	secret =

	#
	# Old-style clients do not send a Message-Authenticator
	# in an Access-Request. RFC 5080 suggests that all clients
	# SHOULD include it in an Access-Request. The configuration
	# item below allows the server to require it. If a client
	# is required to include a Message-Authenticator and it does
	# not, then the packet will be silently discarded.
	#
	# Requiring it hardens the client against spoofed or forged
	# Access-Requests; leave it at "no" only for legacy clients
	# that cannot send the attribute.
	#
	# allowed values: yes, no
	require_message_authenticator = no

	#
	# The short name is used as an alias for the fully qualified
	# domain name, or the IP address.
	#
	# It is accepted for compatibility with 1.x, but it is no
	# longer necessary in 2.0
	#
#	shortname = localhost

	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous use checks
	#

	#
	# The nas_type tells 'checkrad.pl' which NAS-specific method to
	# use to query the NAS for simultaneous use.
	#
	# Permitted NAS types are:
	#
	#	cisco
	#	computone
	#	livingston
	#	juniper
	#	max40xx
	#	multitech
	#	netserver
	#	pathras
	#	patton
	#	portslave
	#	tc
	#	usrhiper
	#	other		# for all other types

	#
	nas_type	 = other	# localhost isn't usually a NAS...

	#
	# The following two configurations are for future use.
	# The 'naspasswd' file is currently used to store the NAS
	# login name and password, which is used by checkrad.pl
	# when querying the NAS for simultaneous use.
	#
#	login = !root
#	password = someadminpas

	#
	# As of 2.0, clients can also be tied to a virtual server.
	# This is done by setting the "virtual_server" configuration
	# item, as in the example below.
	#
#	virtual_server = home1

	#
	# A pointer to the "home_server_pool" OR a "home_server"
	# section that contains the CoA configuration for this
	# client. For an example of a coa home server or pool,
	# see raddb/sites-available/originate-coa
#	coa_server = coa

	#
	# Connection limiting for clients using "proto = tcp".
	#
	# This section is ignored for clients sending UDP traffic
	#
	limit {
		#
		# Limit the number of simultaneous TCP connections from a client
		#
		# The default is 16.
		# Setting this to 0 means "no limit"
		max_connections = 16

		# The per-socket "max_requests" option does not exist.

		#
		# The lifetime, in seconds, of a TCP connection. After
		# this lifetime, the connection will be closed.
		#
		# Setting this to 0 means "forever".
		lifetime = 0

		#
		# The idle timeout, in seconds, of a TCP connection.
		# If no packets have been received over the connection for
		# this time, the connection will be closed.
		#
		# Setting this to 0 means "no timeout".
		#
		# We STRONGLY RECOMMEND that you set an idle timeout.
		#
		idle_timeout = 30
	}
}
245
246# IPv6 Client
247#client ::1 {
248# secret =
249# shortname = localhost
250#}
251#
252# All IPv6 Site-local clients
253#client fe80::/16 {
254# secret =
255# shortname = localhost
256#}
257
258#client some.host.org {
259# secret =
260# shortname = localhost
261#}
262
263#
264# You can now specify one secret for a network of clients.
265# When a client request comes in, the BEST match is chosen.
266# i.e. The entry from the smallest possible network.
267#
268#client 192.0.2.0/24 {
269# secret = -1
270# shortname = private-network-1
271#}
272#
273#client 198.51.100.0/24 {
274# secret = -2
275# shortname = private-network-2
276#}
277
278
279#client 203.0.113.1 {
280# # secret and password are mapped through the "secrets" file.
281# secret =
282# shortname = liv1
283#}
284
client 172.17.0.0/16 {
	# Test-harness client for the 172.17.0.0/16 range (commonly the
	# default Docker bridge network). The secret is the literal value
	# below; unlike the commented-out 203.0.113.1 example above, nothing
	# here is looked up from the "secrets" file.
	#
	# NOTE(review): a /16 prefix combined with the well-known default
	# secret lets any host on that network act as a NAS towards this
	# server (see the netmask and secret notes in the localhost client).
	# Acceptable only on an isolated test network.
	secret = testing123
	shortname = auth-test
}
290# The following three fields are optional, but may be used by
291# checkrad.pl for simultaneous usage checks
292
293# nas_type = livingston
294# login = !root
295# password = someadminpas
296#}
297
298#######################################################################
299#
300# Per-socket client lists. The configuration entries are exactly
301# the same as above, but they are nested inside of a section.
302#
303# You can have as many per-socket client lists as you have "listen"
304# sections, or you can re-use a list among multiple "listen" sections.
305#
306# Un-comment this section, and edit a "listen" section to add:
307# "clients = per_socket_clients". That IP address/port combination
308# will then accept ONLY the clients listed in this section.
309#
310#clients per_socket_clients {
311# client 192.0.2.4 {
312# secret =
313# }
314#}