robin.thoni
/
docker-radius-server
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
2 Branches
Tree: 75fd9cb597
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '75fd9cb597'
${ noResults }
docker-radius-server/freeradius/config/clients.conf

clients.conf 6.8KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241 
  1. # -*- text -*-

  2. ##

  3. ## clients.conf -- client configuration directives

  4. ##

  5. ##  $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $

  6. 

  7. #######################################################################

  8. #

  9. #  Define RADIUS clients (usually a NAS, Access Point, etc.).

  10. 

  11. #

  12. #  Defines a RADIUS client.

  13. #

  14. #  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,

  15. #  to allow testing of the server after an initial installation.  If you

  16. #  are not going to be permitting RADIUS queries from localhost, we suggest

  17. #  that you delete, or comment out, this entry.

  18. #

  19. #

  20. 

  21. #

  22. #  Each client has a "short name" that is used to distinguish it from

  23. #  other clients.

  24. #

  25. #  In version 1.x, the string after the word "client" was the IP

  26. #  address of the client.  In 2.0, the IP address is configured via

  27. #  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x

  28. #  format is still accepted.

  29. #

  30. client localhost {

  31.   #  Allowed values are:

  32.   # dotted quad (1.2.3.4)

  33.   #       hostname    (radius.example.com)

  34.   ipaddr = 127.0.0.1

  35. 

  36.   #  OR, you can use an IPv6 address, but not both

  37.   #  at the same time.

  38. # ipv6addr = :: # any.  ::1 == localhost

  39. 

  40.   #

  41.   #  A note on DNS:  We STRONGLY recommend using IP addresses

  42.   #  rather than host names.  Using host names means that the

  43.   #  server will do DNS lookups when it starts, making it

  44.   #  dependent on DNS.  i.e. If anything goes wrong with DNS,

  45.   #  the server won't start!

  46.   #

  47.   #  The server also looks up the IP address from DNS once, and

  48.   #  only once, when it starts.  If the DNS record is later

  49.   #  updated, the server WILL NOT see that update.

  50.   #

  51. 

  52.   #  One client definition can be applied to an entire network.

  53.   #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and

  54.   #  "netmask = 8"

  55.   #

  56.   #  If not specified, the default netmask is 32 (i.e. /32)

  57.   #

  58.   #  We do NOT recommend using anything other than 32.  There

  59.   #  are usually other, better ways to achieve the same goal.

  60.   #  Using netmasks of other than 32 can cause security issues.

  61.   #

  62.   #  You can specify overlapping networks (127/8 and 127.0/16)

  63.   #  In that case, the smallest possible network will be used

  64.   #  as the "best match" for the client.

  65.   #

  66.   #  Clients can also be defined dynamically at run time, based

  67.   #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,

  68.   #  etc.

  69.   #  See raddb/sites-available/dynamic-clients for details.

  70.   #

  71. 

  72. # netmask = 32

  73. 

  74.   #

  75.   #  The shared secret use to "encrypt" and "sign" packets between

  76.   #  the NAS and FreeRADIUS.  You MUST change this secret from the

  77.   #  default, otherwise it's not a secret any more!

  78.   #

  79.   #  The secret can be any string, up to 8k characters in length.

  80.   #

  81.   #  Control codes can be entered vi octal encoding,

  82.   # e.g. "\101\102" == "AB"

  83.   #  Quotation marks can be entered by escaping them,

  84.   # e.g. "foo\"bar"

  85.   #

  86.   #  A note on security:  The security of the RADIUS protocol

  87.   #  depends COMPLETELY on this secret!  We recommend using a

  88.   #  shared secret that is composed of:

  89.   #

  90.   # upper case letters

  91.   # lower case letters

  92.   # numbers

  93.   #

  94.   #  And is at LEAST 8 characters long, preferably 16 characters in

  95.   #  length.  The secret MUST be random, and should not be words,

  96.   #  phrase, or anything else that is recognizable.

  97.   #

  98.   #  The default secret below is only for testing, and should

  99.   #  not be used in any real environment.

  100.   #

  101.   secret    = testing123

  102. 

  103.   #

  104.   #  Old-style clients do not send a Message-Authenticator

  105.   #  in an Access-Request.  RFC 5080 suggests that all clients

  106.   #  SHOULD include it in an Access-Request.  The configuration

  107.   #  item below allows the server to require it.  If a client

  108.   #  is required to include a Message-Authenticator and it does

  109.   #  not, then the packet will be silently discarded.

  110.   #

  111.   #  allowed values: yes, no

  112.   require_message_authenticator = no

  113. 

  114.   #

  115.   #  The short name is used as an alias for the fully qualified

  116.   #  domain name, or the IP address.

  117.   #

  118.   #  It is accepted for compatibility with 1.x, but it is no

  119.   #  longer necessary in 2.0

  120.   #

  121. # shortname = localhost

  122. 

  123.   #

  124.   # the following three fields are optional, but may be used by

  125.   # checkrad.pl for simultaneous use checks

  126.   #

  127. 

  128.   #

  129.   # The nastype tells 'checkrad.pl' which NAS-specific method to

  130.   #  use to query the NAS for simultaneous use.

  131.   #

  132.   #  Permitted NAS types are:

  133.   #

  134.   # cisco

  135.   # computone

  136.   # livingston

  137.   # juniper

  138.   # max40xx

  139.   # multitech

  140.   # netserver

  141.   # pathras

  142.   # patton

  143.   # portslave

  144.   # tc

  145.   # usrhiper

  146.   # other   # for all other types

  147. 

  148.   #

  149.   nastype     = other # localhost isn't usually a NAS...

  150. 

  151.   #

  152.   #  The following two configurations are for future use.

  153.   #  The 'naspasswd' file is currently used to store the NAS

  154.   #  login name and password, which is used by checkrad.pl

  155.   #  when querying the NAS for simultaneous use.

  156.   #

  157. # login       = !root

  158. # password    = someadminpas

  159. 

  160.   #

  161.   #  As of 2.0, clients can also be tied to a virtual server.

  162.   #  This is done by setting the "virtual_server" configuration

  163.   #  item, as in the example below.

  164.   #

  165. # virtual_server = home1

  166. 

  167.   #

  168.   #  A pointer to the "home_server_pool" OR a "home_server"

  169.   #  section that contains the CoA configuration for this

  170.   #  client.  For an example of a coa home server or pool,

  171.   #  see raddb/sites-available/originate-coa

  172. # coa_server = coa

  173. }

  174. 

  175. # IPv6 Client

  176. #client ::1 {

  177. # secret    = testing123

  178. # shortname = localhost

  179. #}

  180. #

  181. # All IPv6 Site-local clients

  182. #client fe80::/16 {

  183. # secret    = testing123

  184. # shortname = localhost

  185. #}

  186. 

  187. #client some.host.org {

  188. # secret    = testing123

  189. # shortname = localhost

  190. #}

  191. 

  192. #

  193. #  You can now specify one secret for a network of clients.

  194. #  When a client request comes in, the BEST match is chosen.

  195. #  i.e. The entry from the smallest possible network.

  196. #

  197. #client 192.168.0.0/24 {

  198. # secret    = testing123-1

  199. # shortname = private-network-1

  200. #}

  201. #

  202. #client 192.168.0.0/16 {

  203. # secret    = testing123-2

  204. # shortname = private-network-2

  205. #}

  206. 

  207. 

  208. #client 10.10.10.10 {

  209. # # secret and password are mapped through the "secrets" file.

  210. # secret      = testing123

  211. # shortname   = liv1

  212. #       # the following three fields are optional, but may be used by

  213. #       # checkrad.pl for simultaneous usage checks

  214. # nastype     = livingston

  215. # login       = !root

  216. # password    = someadminpas

  217. #}

  218. 

  219. #######################################################################

  220. #

  221. #  Per-socket client lists.  The configuration entries are exactly

  222. #  the same as above, but they are nested inside of a section.

  223. #

  224. #  You can have as many per-socket client lists as you have "listen"

  225. #  sections, or you can re-use a list among multiple "listen" sections.

  226. #

  227. #  Un-comment this section, and edit a "listen" section to add:

  228. #  "clients = per_socket_clients".  That IP address/port combination

  229. #  will then accept ONLY the clients listed in this section.

  230. #

  231. #clients per_socket_clients {

  232. # client 192.168.3.4 {

  233. #   secret = testing123

  234. #        }

  235. #}

  236. 

  237. client everyone {

  238.   ipaddr = 0.0.0.0

  239.   netmask = 0

  240.   secret = testing123

  241. }