From: aland Date: Fri, 7 Sep 2007 09:19:55 +0000 (+0000) Subject: Document new client format X-Git-Tag: release_2_0_0~442 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;ds=sidebyside;h=1aa6bd6a617f7a044ffb6026871546b195ada930;p=freeradius.git Document new client format --- diff --git a/man/man5/clients.conf.5 b/man/man5/clients.conf.5 index 428646b..92595e8 100644 --- a/man/man5/clients.conf.5 +++ b/man/man5/clients.conf.5 @@ -22,27 +22,24 @@ for more details. Each RADIUS client entry has the following basic form: .IP .nf -client { +client { = } .fi -.LP -ip-network is used to specify a network of clients. Networks are -specified in CIDR notation. If multiple overlapping networks are -defined, the best match (smallest possible network) will be chosen for -a packet. .SH ATTRIBUTES The attributes that can appear in a .B client section are listed below. Required attributes are labelled as such. All other attributes are optional. -.PP +.TP 0.5i +.B ipaddr [Required] +The IP address of the client. For IPv6, use "ipv6addr" .TP 0.5i .B secret [Required] The RADIUS shared secret used for communication between the client/NAS and the RADIUS server. .TP 0.5i -.B shortname [Required] +.B shortname [optional] A short alias that can be used in place of the IP address or fully qualified hostname provided in the first line of the section. .TP 0.5i @@ -76,7 +73,8 @@ Reserved for future use. .SH EXAMPLES .IP .nf -client 127.0.0.1 { +client localhost { + ipaddr = 127.0.0.1 secret = testing123 shortname = localhost nastype = other @@ -89,13 +87,18 @@ server locally, for example with .BR radclient (1). .IP .nf -client 192.168.0.0/24 { - secret = testing123-1 - shortname = private-network-1 +client private-network-1 { + ipaddr = 192.168.0.0 + netmask = 24 + secret = testing123-1 + shortname = private-network-1 } .fi .LP This entry represents any client from the 192.168.0.0/24 network. + +The old-style format from 1.x is still accepted by the server, but +that form is deprecated. .SH FILES .I /etc/raddb/clients.conf @@ -107,7 +110,5 @@ This entry represents any client from the 192.168.0.0/24 network. .BR naslist (5) .SH AUTHOR -This manual page was authored by Shawn K. O'Shea . - FreeRADIUS is authored by the FreeRADIUS team. http://freeradius.org/ diff --git a/raddb/clients.conf b/raddb/clients.conf index f0ed060..d1f6fcf 100644 --- a/raddb/clients.conf +++ b/raddb/clients.conf @@ -17,7 +17,7 @@ # # -# Defines a RADIUS client. The format is 'client [hostname|ip-address]' +# Defines a RADIUS client. # # '127.0.0.1' is another name for 'localhost'. It is enabled by default, # to allow testing of the server after an initial installation. If you @@ -25,47 +25,53 @@ # that you delete, or comment out, this entry. # # -# Rules for Prefixes -# ------------------ -# IPv6 prefixes MUST end with :: or IPv6 Address or hostname -# IPv4 Prefixes MUST end with .0 or IPv4 Address or hostname -# A hostname is a valid DNS lookup name -# -# Valid Prefixes -# -------------- -# For IPv4: -# 192.168.1.1/24 -# 10.0/8 = 10.0.0.0/16 = 10.0.0.1/8 != 10/8 -# 192.168.1.1/32 = 192.168.1.1/0 -# hostname/32 = hostname/0 = hostname -# (32 or 0 or NULL prefix lengths are treated same) -# -# For IPv6: -# fec0::/64 -# fec0::1/100 -# fec0::1/128 = fec0::1/0 = fec0::1 -# hostname/128 = hostname/0 = hostname -# (128 or 0 or NULL prefix lengths are treated same) -# -# Invalid prefixes -# ---------------- -# For IPv4: -# 1) 192.168/16 -# (MUST end with .0) -# (replace with 192.168.0/16 or 192.168.0.0/16 or 192.168.1.1/16) -# 2) 192.168 -# (No Prefix, so it is considered as hostname -# and also returns 192.0.0.168 instead of 192.168.0.0) -# -# For IPv6: -# 1) fec0/16 -# (MUST end with ::) -# (replace with fec0::/16 or fec0::1/16) -# 2) fec0:: -# (No prefix, so it is considered as hostname) -# - -client 127.0.0.1 { + +# +# Each client has a "short name" that is used to distinguish it from +# other clients. +# +# In version 1.x, this field was the IP address of the client. +# In 2.0, the IP address is configured via the "ipaddr" or "ipv6addr" +# fields. For compatibility, the 1.x format is still accepted. +# +client localhost { + # Allowed values are: + # dotted quad (1.2.3.4) + # hostname (radius.example.com) + ipaddr = 127.0.0.1 + + # OR, you can use an IPv6 address, but not both + # at the same time. +# ipv6addr = :: # any. ::1 == localhost + + # + # A note on DNS: We STRONGLY recommend using IP addresses + # rather than host names. Using host names means that the + # server will do DNS lookups when it starts, making it + # dependent on DNS. i.e. If anything goes wrong with DNS, + # the server won't start! + # + # The server also looks up the IP address from DNS once, and + # only once, when it starts. If the DNS record is later + # updated, the server WILL NOT see that update. + # + + # One client definition can be applied to an entire network. + # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and + # "netmask = 8" + # + # If not specified, the default netmask is 32 (i.e. /32) + # + # We do NOT recommend using anything other than 32. There + # are usually other, better ways to acheive the same goal. + # Using netmasks of other than 32 can cause security issues. + # + # You can specify overlapping networks (127/8 and 127.0/16) + # In that case, the smallest possible network will be used + # as the "best match" for the client. + # +# netmask = 32 + # # The shared secret use to "encrypt" and "sign" packets between # the NAS and FreeRADIUS. You MUST change this secret from the @@ -78,13 +84,31 @@ client 127.0.0.1 { # Quotation marks can be entered by escaping them, # e.g. "foo\"bar" # + # A note on security: The security of the RADIUS protocol + # depends COMPLETELY on this secret! We recommend using a + # shared secret that is composed of: + # + # upper case letters + # lower case letters + # numbers + # + # And is at LEAST 8 characters long, preferably 16 characters in + # length. The secret MUST be random, and should not be words, + # phrase, or anything else that is recognizable. + # + # The default secret below is only for testing, and should + # not be used in any real environment. + # secret = testing123 # # The short name is used as an alias for the fully qualified # domain name, or the IP address. # - shortname = localhost + # It is accepted for compatibility with 1.x, but it is no + # longer necessary in 2.0 + # +# shortname = localhost # # the following three fields are optional, but may be used by @@ -121,6 +145,13 @@ client 127.0.0.1 { # # login = !root # password = someadminpas + + # + # As of 2.0, clients can also be tied to a virtual server. + # This is done by setting the "server" configuration item, + # as in the example below. + # +# server = home1 } # IPv6 Client