# format is still accepted.
#
client localhost {
- # Allowed values are:
- # dotted quad (1.2.3.4)
- # hostname (radius.example.com)
- ipaddr = 127.0.0.1
-
- # OR, you can use an IPv6 address, but not both
- # at the same time.
-# ipv6addr = :: # any. ::1 == localhost
-
+ # Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
+ # a client.
#
- # The transport protocol.
+ # ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
+ # notation '/<mask>' to specify ranges.
#
- # If unspecified, defaults to "udp", which is the traditional
- # RADIUS transport. It may also be "tcp", in which case the
- # server will accept connections from this client ONLY over TCP.
+ # ipaddr will accept domain names e.g. example.org resolving
+ # them via DNS.
#
- proto = *
+ # If both A and AAAA records are found, A records will be
+ # used in preference to AAAA.
+ ipaddr = 127.0.0.1
+
+ # Same as ipaddr but allows v4 addresses only. Requires A
+ # record for domain names.
+# ipv4addr = * # any. 127.0.0.1 == localhost
+
+ # Same as ipaddr but allows v6 addresses only. Requires AAAA
+ # record for domain names.
+# ipv6addr = :: # any. ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
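Review bot: The new comment `ipaddr will accept IPv4 or IPv6 addresses with optional CIDR notation` introduces ranges without any caveat, while the later hunk that removes `netmask` also deletes the warning that anything wider than a single host "can cause security issues". A range means every source address inside it is accepted under the one shared secret, so I would keep a line next to the CIDR sentence such as `# Prefer a single address; every host in a range shares this client's secret.` The same caveat applies to the commented `ipv4addr = *` and `ipv6addr = ::` examples, which their inline comments mark as matching any address. That later hunk also drops the pointer to `raddb/sites-available/dynamic-clients`; if the file still exists it is worth keeping the reference somewhere in this section.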
# updated, the server WILL NOT see that update.
#
- # One client definition can be applied to an entire network.
- # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
- # "netmask = 8"
- #
- # If not specified, the default netmask is 32 (i.e. /32)
- #
- # We do NOT recommend using anything other than 32. There
- # are usually other, better ways to achieve the same goal.
- # Using netmasks of other than 32 can cause security issues.
#
- # You can specify overlapping networks (127/8 and 127.0/16)
- # In that case, the smallest possible network will be used
- # as the "best match" for the client.
+ # The transport protocol.
#
- # Clients can also be defined dynamically at run time, based
- # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
- # etc.
- # See raddb/sites-available/dynamic-clients for details.
+ # If unspecified, defaults to "udp", which is the traditional
+ # RADIUS transport. It may also be "tcp", in which case the
+ # server will accept connections from this client ONLY over TCP.
#
-
-# netmask = 32
+ proto = *
#
# The shared secret use to "encrypt" and "sign" packets between
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
- # longer necessary in 2.0
+ # longer necessary in >= 2.0
#
# shortname = localhost
# coa_server = coa
#
+ # Response window for proxied packets. If non-zero,
+ # then the lower of (home, client) response_window
+ # will be used.
+ #
+ # i.e. it can be used to lower the response_window
+ # packets from one client to a home server. It cannot
+ # be used to raise the response_window.
+ #
+# response_window = 10.0
+
+ #
# Connection limiting for clients using "proto = tcp".
#
# This section is ignored for clients sending UDP traffic
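Review bot: The added `response_window` comment is missing a word, and the example value has no unit. `lower the response_window packets from one client` should read `lower the response_window for packets from one client to a home server`. The value `10.0` is presumably in seconds, but nothing in the hunk says so; once confirmed, a line such as `# Value is in seconds.` above the example would settle it. The enclosing client block starts and ends outside this hunk.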
}
# IPv6 Client
-#client ::1 {
-# secret = testing123
-# shortname = localhost
-#}
-#
+client localhost_ipv6 {
+ ipv6addr = ::1
+ secret = testing123
+}
+
# All IPv6 Site-local clients
-#client fe80::/16 {
+#client sitelocal_ipv6 {
+# ipv6addr = fe80::/16
# secret = testing123
-# shortname = localhost
#}
-#client some.host.org {
+#client example.org {
+# ipaddr = radius.example.org
# secret = testing123
-# shortname = localhost
#}
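Review bot: `client localhost_ipv6` is now an active definition with `secret = testing123`, where the old `#client ::1` block was commented out, so the published sample secret becomes live for ::1 on any install that keeps this file as shipped. The exposure is limited to loopback, but a comment above the block such as `# Sample secret; change it before production use.` would make the expectation explicit. Separately, `sitelocal_ipv6` is paired with `fe80::/16`, which lies in the link-local range (fe80::/10). Site-local was fec0::/10 and is deprecated, so the client name and the `# All IPv6 Site-local clients` heading should say link-local.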
#
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
-#client 192.0.2.0/24 {
+#client private-network-1 {
+# ipaddr = 192.0.2.0/24
# secret = testing123-1
-# shortname = private-network-1
#}
-#
-#client 198.51.100.0/24 {
-# secret = testing123-2
-# shortname = private-network-2
-#}
-
-
-#client 203.0.113.1 {
-# # secret and password are mapped through the "secrets" file.
-# secret = testing123
-# shortname = liv1
-#}
-
-# The following three fields are optional, but may be used by
-# checkrad.pl for simultaneous usage checks
-# nas_type = livingston
-# login = !root
-# password = someadminpas
+#client private-network-2 {
+# ipaddr = 198.51.100.0/24
+# secret = testing123-2
#}
#######################################################################
# will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
-# client 192.0.2.4 {
+# client socket_client {
+# ipaddr = 192.0.2.4
# secret = testing123
# }
#}