#######################################################################
#
-# Definition of a RADIUS client (usually a NAS).
-#
-# The information given here over rides anything given in the
-# 'clients' file, or in the 'naslist' file. The configuration here
-# contains all of the information from those two files, and allows
-# for more configuration items.
-#
-# The "shortname" is be used for logging. The "nastype", "login" and
-# "password" fields are mainly used for checkrad and are optional.
-#
+# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
-# In version 1.x, this field was the IP address of the client.
-# In 2.0, the IP address is configured via the "ipaddr" or "ipv6addr"
-# fields. For compatibility, the 1.x format is still accepted.
+# In version 1.x, the string after the word "client" was the IP
+# address of the client. In 2.0, the IP address is configured via
+# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
+# format is still accepted.
#
client localhost {
# Allowed values are:
# ipv6addr = :: # any. ::1 == localhost
#
+ # The transport protocol.
+ #
+ # If unspecified, defaults to "udp", which is the traditional
+ # RADIUS transport. It may also be "tcp", in which case the
+ # server will accept connections from this client ONLY over TCP.
+ #
+ proto = *
+
+ #
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
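Review bot: The sample sets `proto = *`, but the comment above it only describes "udp" and "tcp", so a reader cannot tell what `*` selects; presumably it means the client is accepted over both transports. That would be wider than the documented default of "udp", so the comment should say so, e.g. `# A value of "*" accepts this client over both UDP and TCP.` If the line is only meant to illustrate the option, shipping it commented out would keep the sample at the stated default. The `client localhost` block opens and closes outside this hunk.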
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
- # are usually other, better ways to acheive the same goal.
+ # are usually other, better ways to achieve the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
+ # Clients can also be defined dynamically at run time, based
+ # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
+ # etc.
+ # See raddb/sites-available/dynamic-clients for details.
+ #
+
# netmask = 32
#
secret = testing123
#
+ # Old-style clients do not send a Message-Authenticator
+ # in an Access-Request. RFC 5080 suggests that all clients
+ # SHOULD include it in an Access-Request. The configuration
+ # item below allows the server to require it. If a client
+ # is required to include a Message-Authenticator and it does
+ # not, then the packet will be silently discarded.
+ #
+ # allowed values: yes, no
+ require_message_authenticator = no
+
+ #
+ # Limit the number of TCP connections that this client is
+ # allowed to have open to us. This configuration entry
+ # is ignored for UDP sockets.
+ #
+ # This entry is the mirror of the "max_connections" entry
+ # in the home server configuration.
+ max_connections = 16
+
+ #
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
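Review bot: `require_message_authenticator = no` is an active setting in the sample client, so every block copied from it will keep accepting an Access-Request that carries no Message-Authenticator, which is the integrity check the comment itself cites RFC 5080 for. The comment should state the recommendation and why `no` is still shipped, for example `# Set to "yes" for every client known to send Message-Authenticator; "no" is kept only for old-style clients.` In the same hunk, the `max_connections` comment does not say what happens to a connection that exceeds the limit. The enclosing client block starts and ends outside the hunk.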
#
# As of 2.0, clients can also be tied to a virtual server.
- # This is done by setting the "server" configuration item,
- # as in the example below.
+ # This is done by setting the "virtual_server" configuration
+ # item, as in the example below.
+ #
+# virtual_server = home1
+
#
-# server = home1
+ # A pointer to the "home_server_pool" OR a "home_server"
+ # section that contains the CoA configuration for this
+ # client. For an example of a coa home server or pool,
+ # see raddb/sites-available/originate-coa
+# coa_server = coa
}
# IPv6 Client
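Review bot: The comment now names `virtual_server` but no longer mentions the `server` item it replaces, and nothing visible here says whether the old name is still honoured. If it is not, an existing client block using `server = ...` would presumably stop being tied to its virtual server after an upgrade and be processed under a different policy. A one-line migration hint would cover this, e.g. `# (This item was named "server" in earlier versions.)`, together with a statement of whether the old name is still accepted. The client block opens outside the hunk.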
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
-#per_socket_clients {
+#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }