X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Fclients.conf;h=1af7f1d2d4847bf1fb04edf0e071e842ec7cba2a;hb=HEAD;hp=f0ed060cbe3487c63180778ec9422fa6ec435a5e;hpb=453fdacff5940e4ef329694a467e582de927896c;p=freeradius.git
diff --git a/raddb/clients.conf b/raddb/clients.conf
index f0ed060..1af7f1d 100644
--- a/raddb/clients.conf
+++ b/raddb/clients.conf
@@ -1,23 +1,15 @@
-#
-# clients.conf - client configuration directives
-#
-#######################################################################
+# -*- text -*-
+##
+## clients.conf -- client configuration directives
+##
+## $Id$
 #######################################################################
 #
-# Definition of a RADIUS client (usually a NAS).
-#
-# The information given here over rides anything given in the
-# 'clients' file, or in the 'naslist' file. The configuration here
-# contains all of the information from those two files, and allows
-# for more configuration items.
-#
-# The "shortname" is be used for logging. The "nastype", "login" and
-# "password" fields are mainly used for checkrad and are optional.
-#
+# Define RADIUS clients (usually a NAS, Access Point, etc.).
 #
-# Defines a RADIUS client. The format is 'client [hostname|ip-address]'
+# Defines a RADIUS client.
 #
 # '127.0.0.1' is another name for 'localhost'. It is enabled by default,
 # to allow testing of the server after an initial installation. If you
@@ -25,47 +17,69 @@
 # that you delete, or comment out, this entry.
 #
 #
-# Rules for Prefixes
-# ------------------
-# IPv6 prefixes MUST end with :: or IPv6 Address or hostname
-# IPv4 Prefixes MUST end with .0 or IPv4 Address or hostname
-# A hostname is a valid DNS lookup name
-#
-# Valid Prefixes
-# --------------
-# For IPv4:
-# 192.168.1.1/24
-# 10.0/8 = 10.0.0.0/16 = 10.0.0.1/8 != 10/8
-# 192.168.1.1/32 = 192.168.1.1/0
-# hostname/32 = hostname/0 = hostname
-# (32 or 0 or NULL prefix lengths are treated same)
-#
-# For IPv6:
-# fec0::/64
-# fec0::1/100
-# fec0::1/128 = fec0::1/0 = fec0::1
-# hostname/128 = hostname/0 = hostname
-# (128 or 0 or NULL prefix lengths are treated same)
-#
-# Invalid prefixes
-# ----------------
-# For IPv4:
-# 1) 192.168/16
-# (MUST end with .0)
-# (replace with 192.168.0/16 or 192.168.0.0/16 or 192.168.1.1/16)
-# 2) 192.168
-# (No Prefix, so it is considered as hostname
-# and also returns 192.0.0.168 instead of 192.168.0.0)
-#
-# For IPv6:
-# 1) fec0/16
-# (MUST end with ::)
-# (replace with fec0::/16 or fec0::1/16)
-# 2) fec0::
-# (No prefix, so it is considered as hostname)
-#
-
-client 127.0.0.1 {
+
+ #
+ # Each client has a "short name" that is used to distinguish it from
+ # other clients.
+ #
+ # In version 1.x, the string after the word "client" was the IP
+ # address of the client. In 2.0, the IP address is configured via
+ # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
+ # format is still accepted.
+ #
+client localhost {
+ # Allowed values are:
+ # dotted quad (1.2.3.4)
+ # hostname (radius.example.com)
+ ipaddr = 127.0.0.1
+
+ # OR, you can use an IPv6 address, but not both
+ # at the same time.
+# ipv6addr = :: # any. ::1 == localhost
+
+ #
+ # The transport protocol.
+ #
+ # If unspecified, defaults to "udp", which is the traditional
+ # RADIUS transport. It may also be "tcp", in which case the
+ # server will accept connections from this client ONLY over TCP.
+ #
+ proto = *
+
+ #
+ # A note on DNS: We STRONGLY recommend using IP addresses
+ # rather than host names. Using host names means that the
+ # server will do DNS lookups when it starts, making it
+ # dependent on DNS. i.e. If anything goes wrong with DNS,
+ # the server won't start!
+ #
+ # The server also looks up the IP address from DNS once, and
+ # only once, when it starts. If the DNS record is later
+ # updated, the server WILL NOT see that update.
+ #
+
+ # One client definition can be applied to an entire network.
+ # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
+ # "netmask = 8"
+ #
+ # If not specified, the default netmask is 32 (i.e. /32)
+ #
+ # We do NOT recommend using anything other than 32. There
+ # are usually other, better ways to achieve the same goal.
+ # Using netmasks of other than 32 can cause security issues.
+ #
+ # You can specify overlapping networks (127/8 and 127.0/16)
+ # In that case, the smallest possible network will be used
+ # as the "best match" for the client.
+ #
+ # Clients can also be defined dynamically at run time, based
+ # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
+ # etc.
+ # See raddb/sites-available/dynamic-clients for details.
+ #
+
+# netmask = 32
+
 #
 # The shared secret use to "encrypt" and "sign" packets between
 # the NAS and FreeRADIUS. You MUST change this secret from the
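Review bot: The commented example `# ipv6addr = :: # any. ::1 == localhost` presents the wildcard as the primary value, so an operator who uncomments it gets a client entry that matches every source address under one shared secret, which pulls against the advice a few lines later that netmasks other than 32 can cause security issues. The example would be safer as `# ipv6addr = ::1`, with `::` mentioned only in the trailing remark. Separately, the transport comment lists only "udp" and "tcp" as values, yet the live setting is `proto = *`; the comment should say what `*` selects (presumably both transports) or the example should use the documented default. The `client localhost {` block continues past the end of this hunk.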
@@ -78,13 +92,51 @@ client 127.0.0.1 {
 # Quotation marks can be entered by escaping them,
 # e.g. "foo\"bar"
 #
+ # A note on security: The security of the RADIUS protocol
+ # depends COMPLETELY on this secret! We recommend using a
+ # shared secret that is composed of:
+ #
+ # upper case letters
+ # lower case letters
+ # numbers
+ #
+ # And is at LEAST 8 characters long, preferably 16 characters in
+ # length. The secret MUST be random, and should not be words,
+ # phrase, or anything else that is recognizable.
+ #
+ # The default secret below is only for testing, and should
+ # not be used in any real environment.
+ #
 secret = testing123
 
 #
+ # Old-style clients do not send a Message-Authenticator
+ # in an Access-Request. RFC 5080 suggests that all clients
+ # SHOULD include it in an Access-Request. The configuration
+ # item below allows the server to require it. If a client
+ # is required to include a Message-Authenticator and it does
+ # not, then the packet will be silently discarded.
+ #
+ # allowed values: yes, no
+ require_message_authenticator = no
+
+ #
+ # Limit the number of TCP connections that this client is
+ # allowed to have open to us. This configuration entry
+ # is ignored for UDP sockets.
+ #
+ # This entry is the mirror of the "max_connections" entry
+ # in the home server configuration.
+ max_connections = 16
+
+ #
 # The short name is used as an alias for the fully qualified
 # domain name, or the IP address.
 #
- shortname = localhost
+ # It is accepted for compatibility with 1.x, but it is no
+ # longer necessary in 2.0
+ #
+# shortname = localhost
 
 #
 # the following three fields are optional, but may be used by
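Review bot: The security note added above `secret = testing123` sets the floor at 8 characters while stating in the same breath that the protocol's security depends COMPLETELY on this value; an 8-character secret drawn only from letters and digits is a thin margin for the one value that protects every packet from this client, so the comment should make 16 the minimum rather than the preference, e.g. `# And is at LEAST 16 characters long; longer is better.` The `require_message_authenticator = no` comment explains the discard behaviour but not when an operator should move it to `yes`; a line such as `# Set to "yes" once every client sending Access-Requests is known to include it.` would make the trade-off explicit. The client block this hunk edits starts and ends outside the hunk.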
@@ -121,6 +173,20 @@ client 127.0.0.1 {
 #
 # login = !root
 # password = someadminpas
+
+ #
+ # As of 2.0, clients can also be tied to a virtual server.
+ # This is done by setting the "virtual_server" configuration
+ # item, as in the example below.
+ #
+# virtual_server = home1
+
+ #
+ # A pointer to the "home_server_pool" OR a "home_server"
+ # section that contains the CoA configuration for this
+ # client. For an example of a coa home server or pool,
+ # see raddb/sites-available/originate-coa
+# coa_server = coa
 }
 
 # IPv6 Client
@@ -175,7 +241,11 @@ client 127.0.0.1 {
 # You can have as many per-socket client lists as you have "listen"
 # sections, or you can re-use a list among multiple "listen" sections.
 #
-#per_socket_clients {
+# Un-comment this section, and edit a "listen" section to add:
+# "clients = per_socket_clients". That IP address/port combination
+# will then accept ONLY the clients listed in this section.
+#
+#clients per_socket_clients {
 # client 192.168.3.4 {
 # secret = testing123
 # }
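Review bot: The per-socket example that the new comment now tells operators to un-comment still carries `# secret = testing123`, the same value the secret note earlier in this file says must not be used in any real environment; since the block is presented as a template to activate as-is, the example secret should be an obvious placeholder, e.g. `# secret = CHANGE_ME_placeholder` (constructed value). The `per_socket_clients` section continues past the end of this hunk.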