Each RADIUS client entry has the following basic form:
.IP
.nf
-client <hostname|ip-address|ip-network> {
+client <short-name> {
<attribute> = <value>
}
.fi
-.LP
-ip-network is used to specify a network of clients. Networks are
-specified in CIDR notation. If multiple overlapping networks are
-defined, the best match (smallest possible network) will be chosen for
-a packet.
.SH ATTRIBUTES
The attributes that can appear in a
.B client
section are listed below. Required attributes are labelled as
such. All other attributes are optional.
-.PP
+.TP 0.5i
+.B ipaddr [Required]
+The IP address of the client. For IPv6, use "ipv6addr"
.TP 0.5i
.B secret [Required]
The RADIUS shared secret used for communication between the client/NAS
and the RADIUS server.
.TP 0.5i
-.B shortname [Required]
+.B shortname [optional]
A short alias that can be used in place of the IP address or fully
qualified hostname provided in the first line of the section.
.TP 0.5i
.SH EXAMPLES
.IP
.nf
-client 127.0.0.1 {
+client localhost {
+ ipaddr = 127.0.0.1
secret = testing123
shortname = localhost
nastype = other
.BR radclient (1).
.IP
.nf
-client 192.168.0.0/24 {
- secret = testing123-1
- shortname = private-network-1
+client private-network-1 {
+ ipaddr = 192.168.0.0
+ netmask = 24
+ secret = testing123-1
+ shortname = private-network-1
}
.fi
.LP
This entry represents any client from the 192.168.0.0/24 network.
+
+The old-style format from 1.x is still accepted by the server, but
+that form is deprecated.
.SH FILES
.I /etc/raddb/clients.conf
.BR naslist (5)
.SH AUTHOR
-This manual page was authored by Shawn K. O'Shea <shawn@eth0.net>.
-
FreeRADIUS is authored by the FreeRADIUS team.
http://freeradius.org/
#
#
-# Defines a RADIUS client. The format is 'client [hostname|ip-address]'
+# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# that you delete, or comment out, this entry.
#
#
-# Rules for Prefixes
-# ------------------
-# IPv6 prefixes MUST end with :: or IPv6 Address or hostname
-# IPv4 Prefixes MUST end with .0 or IPv4 Address or hostname
-# A hostname is a valid DNS lookup name
-#
-# Valid Prefixes
-# --------------
-# For IPv4:
-# 192.168.1.1/24
-# 10.0/8 = 10.0.0.0/16 = 10.0.0.1/8 != 10/8
-# 192.168.1.1/32 = 192.168.1.1/0
-# hostname/32 = hostname/0 = hostname
-# (32 or 0 or NULL prefix lengths are treated same)
-#
-# For IPv6:
-# fec0::/64
-# fec0::1/100
-# fec0::1/128 = fec0::1/0 = fec0::1
-# hostname/128 = hostname/0 = hostname
-# (128 or 0 or NULL prefix lengths are treated same)
-#
-# Invalid prefixes
-# ----------------
-# For IPv4:
-# 1) 192.168/16
-# (MUST end with .0)
-# (replace with 192.168.0/16 or 192.168.0.0/16 or 192.168.1.1/16)
-# 2) 192.168
-# (No Prefix, so it is considered as hostname
-# and also returns 192.0.0.168 instead of 192.168.0.0)
-#
-# For IPv6:
-# 1) fec0/16
-# (MUST end with ::)
-# (replace with fec0::/16 or fec0::1/16)
-# 2) fec0::
-# (No prefix, so it is considered as hostname)
-#
-
-client 127.0.0.1 {
+
+#
+# Each client has a "short name" that is used to distinguish it from
+# other clients.
+#
+# In version 1.x, this field was the IP address of the client.
+# In 2.0, the IP address is configured via the "ipaddr" or "ipv6addr"
+# fields. For compatibility, the 1.x format is still accepted.
+#
+client localhost {
+ # Allowed values are:
+ # dotted quad (1.2.3.4)
+ # hostname (radius.example.com)
+ ipaddr = 127.0.0.1
+
+ # OR, you can use an IPv6 address, but not both
+ # at the same time.
+# ipv6addr = :: # any. ::1 == localhost
+
+ #
+ # A note on DNS: We STRONGLY recommend using IP addresses
+ # rather than host names. Using host names means that the
+ # server will do DNS lookups when it starts, making it
+ # dependent on DNS. i.e. If anything goes wrong with DNS,
+ # the server won't start!
+ #
+ # The server also looks up the IP address from DNS once, and
+ # only once, when it starts. If the DNS record is later
+ # updated, the server WILL NOT see that update.
+ #
+
+ # One client definition can be applied to an entire network.
+ # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
+ # "netmask = 8"
+ #
+ # If not specified, the default netmask is 32 (i.e. /32)
+ #
+ # We do NOT recommend using anything other than 32. There
+ # are usually other, better ways to acheive the same goal.
+ # Using netmasks of other than 32 can cause security issues.
+ #
+ # You can specify overlapping networks (127/8 and 127.0/16)
+ # In that case, the smallest possible network will be used
+ # as the "best match" for the client.
+ #
+# netmask = 32
+
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
+ # A note on security: The security of the RADIUS protocol
+ # depends COMPLETELY on this secret! We recommend using a
+ # shared secret that is composed of:
+ #
+ # upper case letters
+ # lower case letters
+ # numbers
+ #
+ # And is at LEAST 8 characters long, preferably 16 characters in
+ # length. The secret MUST be random, and should not be words,
+ # phrase, or anything else that is recognizable.
+ #
+ # The default secret below is only for testing, and should
+ # not be used in any real environment.
+ #
secret = testing123
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
- shortname = localhost
+ # It is accepted for compatibility with 1.x, but it is no
+ # longer necessary in 2.0
+ #
+# shortname = localhost
#
# the following three fields are optional, but may be used by
#
# login = !root
# password = someadminpas
+
+ #
+ # As of 2.0, clients can also be tied to a virtual server.
+ # This is done by setting the "server" configuration item,
+ # as in the example below.
+ #
+# server = home1
}
# IPv6 Client