From 0981dfef84de4d45eebdb166a51a0fbdd2edfbc4 Mon Sep 17 00:00:00 2001 From: John Polstra Date: Sun, 31 Oct 1999 04:47:59 +0000 Subject: Add support for RADIUS accounting. Note, this changes the format of the /etc/radius.conf file. But the code contains hacks for backward compatibility, so old files will continue to work. I updated the man pages and made a couple of minor changes, but everything else was submitted by Oleg. PR: misc/14284 Submitted by: Oleg Semyonov --- lib/libradius/radius.conf.5 | 70 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 57 insertions(+), 13 deletions(-) (limited to 'lib/libradius/radius.conf.5') diff --git a/lib/libradius/radius.conf.5 b/lib/libradius/radius.conf.5 index 5c0143934e6e..f05f1b7a5ad8 100644 --- a/lib/libradius/radius.conf.5 +++ b/lib/libradius/radius.conf.5 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 29, 1998 +.Dd October 30, 1999 .Dt RADIUS.CONF 5 .Os FreeBSD .Sh NAME @@ -42,8 +42,22 @@ single RADIUS server which will be used by the library. Leading white space is ignored, as are empty lines and lines containing only comments. .Pp -A RADIUS server is described by two to four fields on a line. The -fields are separated by white space. The +A RADIUS server is described by three to five fields on a line: +.Pp +.Bl -item -offset indent -compact +.It +Service type +.It +Server host +.It +Shared secret +.It +Timeout +.It +Retries +.El +.Pp +The fields are separated by white space. The .Ql # character at the beginning of a field begins a comment, which extends to the end of the line. A field may be enclosed in double quotes, 
@@ -56,19 +70,43 @@ and the backslash can be represented by .Ql \e\e . No other escape sequences are supported. .Pp -The first field specifies +.Pp +The first field gives the service type, either +.Ql auth +for RADIUS authentication or +.Ql acct +for RADIUS accounting. If a single server provides both services, two +lines are required in the file. Earlier versions of this file did +not include a service type. For backward compatibility, if the first +field is not +.Ql auth +or +.Ql acct +the library behaves as if +.Ql auth +were specified, and interprets the fields in the line as if they +were fields two through five. +.Pp +The second field specifies the server host, either as a fully qualified domain name or as a dotted-quad IP address. The host may optionally be followed by a .Ql \&: and a numeric port number, without intervening white space. If the port specification is omitted, it defaults to the .Ql radius +or +.Ql radacct service in the .Pa /etc/services -file, or to the standard RADIUS port 1812 if there is no such entry in -.Pa /etc/services . +file for service types +.Ql auth +and +.Ql acct , +respectively. +If no such entry is present, the standard ports 1812 and 1813 are +used. .Pp -The second field contains the shared secret, which should be known +The third field contains the shared secret, which should be known only to the client and server hosts. It is an arbitrary string of characters, though it must be enclosed in double quotes if it contains white space. The shared secret may be 
@@ -77,16 +115,17 @@ characters. N.B., some popular RADIUS servers have bugs which prevent them from working properly with secrets longer than 16 characters. .Pp -The third field contains a decimal integer specifying the timeout in +The fourth field contains a decimal integer specifying the timeout in seconds for receiving a valid reply from the server. If this field is omitted, it defaults to 3 seconds. .Pp -The fourth field contains a decimal integer specifying the maximum +The fifth field contains a decimal integer specifying the maximum number of attempts that will be made to authenticate with the server before giving up. If omitted, it defaults to 3 attempts. Note, this is the total number of attempts and not the number of retries. .Pp -Up to 10 RADIUS servers may be specified. The servers are tried in +Up to 10 RADIUS servers may be specified for each service type. +The servers are tried in round-robin fashion, until a valid response is received or the maximum number of tries has been reached for all servers. .Pp @@ -101,14 +140,14 @@ shared secrets, it should not be readable except by root. .Sh EXAMPLES .Bd -literal # A simple entry using all the defaults: -radius1.domain.com OurLittleSecret +acct radius1.domain.com OurLittleSecret # A server still using the obsolete RADIUS port, with increased # timeout and maximum tries: -auth.domain.com:1645 "I can't see you, but I know you're there" 5 4 +auth auth.domain.com:1645 "I can't see you" 5 4 # A server specified by its IP address: -192.168.27.81 $X*#..38947ax-+= +auth 192.168.27.81 $X*#..38947ax-+= .Ed .Sh SEE ALSO .Xr libradius 3 @@ -117,6 +156,11 @@ auth.domain.com:1645 "I can't see you, but I know you're there" 5 4 .%T Remote Authentication Dial In User Service (RADIUS) .%O RFC 2138 .Re +.Rs +.%A C. Rigney +.%T RADIUS Accounting +.%O RFC 2139 +.Re .Sh AUTHORS This documentation was written by .An John Polstra , -- cgit v1.2.3
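Review bot: In the hunk at @@ -42,8 +42,22 @@, the new sentence "A RADIUS server is described by three to five fields on a line" contradicts the backward-compatibility rule introduced two hunks later, under which a line with no service type (two to four fields) is still accepted and treated as `auth`. Either qualify it here, e.g. "three to five fields on a line (two to four in the older format, which omits the service type; see below)", or move the field count so it follows the backward-compatibility paragraph.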
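Review bot: In the hunk at @@ -56,19 +70,43 @@, the rule "if the first field is not auth or acct the library behaves as if auth were specified, and interprets the fields in the line as if they were fields two through five" has an edge case worth documenting: an old-format line whose server host is the unqualified name `auth` or `acct` will now be read as a service type, so the shared secret is taken as the host and the remaining fields shift by one. The page should also say plainly that the old format is retained for compatibility only and that new entries must carry the service type, otherwise readers have no reason to prefer the new form.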
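Review bot: In the hunk at @@ -101,14 +140,14 @@, the example labelled "A simple entry using all the defaults" was changed from an implicit authentication entry to `acct radius1.domain.com OurLittleSecret`, so the very first example a reader sees is the accounting case, while the two remaining examples are `auth`. Since the text says a server providing both services needs two lines, consider showing exactly that: keep the `auth radius1.domain.com OurLittleSecret` form first and add the matching `acct` line beneath it. It would also help to include one old-format line (no service type) with a comment that it is accepted for backward compatibility only, since the body text spends a paragraph on that rule but the examples never show it.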