source: n4d-freeradius/trunk/fuentes/install/usr/share/n4d/templates/n4d-freeradius/clients.conf @ 2766

Last change on this file since 2766 was 2766, checked in by daduve, 3 years ago

wip

File size: 6.8 KB
Line 
1# -*- text -*-
2##
3## clients.conf -- client configuration directives
4##
5##      $Id$
6
7#######################################################################
8#
9#  Define RADIUS clients (usually a NAS, Access Point, etc.).
10
11#
12#  Defines a RADIUS client.
13#
14#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
15#  to allow testing of the server after an initial installation.  If you
16#  are not going to be permitting RADIUS queries from localhost, we suggest
17#  that you delete, or comment out, this entry.
18#
19#
20
21#
22#  Each client has a "short name" that is used to distinguish it from
23#  other clients.
24#
25#  In version 1.x, the string after the word "client" was the IP
26#  address of the client.  In 2.0, the IP address is configured via
27#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
28#  format is still accepted.
29#
30client localhost {
31        #  Allowed values are:
32        #       dotted quad (1.2.3.4)
33        #       hostname    (radius.example.com)
34        ipaddr = 127.0.0.1
35
36        #  OR, you can use an IPv6 address, but not both
37        #  at the same time.
38#       ipv6addr = ::   # any.  ::1 == localhost
39
40        #
41        #  A note on DNS:  We STRONGLY recommend using IP addresses
42        #  rather than host names.  Using host names means that the
43        #  server will do DNS lookups when it starts, making it
44        #  dependent on DNS.  i.e. If anything goes wrong with DNS,
45        #  the server won't start!
46        #
47        #  The server also looks up the IP address from DNS once, and
48        #  only once, when it starts.  If the DNS record is later
49        #  updated, the server WILL NOT see that update.
50        #
51
52        #  One client definition can be applied to an entire network.
53        #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
54        #  "netmask = 8"
55        #
56        #  If not specified, the default netmask is 32 (i.e. /32)
57        #
58        #  We do NOT recommend using anything other than 32.  There
59        #  are usually other, better ways to achieve the same goal.
60        #  Using netmasks of other than 32 can cause security issues.
61        #
62        #  You can specify overlapping networks (127/8 and 127.0/16)
63        #  In that case, the smallest possible network will be used
64        #  as the "best match" for the client.
65        #
66        #  Clients can also be defined dynamically at run time, based
67        #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
68        #  etc.
69        #  See raddb/sites-available/dynamic-clients for details.
70        #
71
72#       netmask = 32
73
74        #
75        #  The shared secret use to "encrypt" and "sign" packets between
76        #  the NAS and FreeRADIUS.  You MUST change this secret from the
77        #  default, otherwise it's not a secret any more!
78        #
79        #  The secret can be any string, up to 8k characters in length.
80        #
81        #  Control codes can be entered vi octal encoding,
82        #       e.g. "\101\102" == "AB"
83        #  Quotation marks can be entered by escaping them,
84        #       e.g. "foo\"bar"
85        #
86        #  A note on security:  The security of the RADIUS protocol
87        #  depends COMPLETELY on this secret!  We recommend using a
88        #  shared secret that is composed of:
89        #
90        #       upper case letters
91        #       lower case letters
92        #       numbers
93        #
94        #  And is at LEAST 8 characters long, preferably 16 characters in
95        #  length.  The secret MUST be random, and should not be words,
96        #  phrase, or anything else that is recognizable.
97        #
98        #  The default secret below is only for testing, and should
99        #  not be used in any real environment.
100        #
101        secret          = {{ RADIUS_SECRET }}
102
103        #
104        #  Old-style clients do not send a Message-Authenticator
105        #  in an Access-Request.  RFC 5080 suggests that all clients
106        #  SHOULD include it in an Access-Request.  The configuration
107        #  item below allows the server to require it.  If a client
108        #  is required to include a Message-Authenticator and it does
109        #  not, then the packet will be silently discarded.
110        #
111        #  allowed values: yes, no
112        require_message_authenticator = no
113
114        #
115        #  The short name is used as an alias for the fully qualified
116        #  domain name, or the IP address.
117        #
118        #  It is accepted for compatibility with 1.x, but it is no
119        #  longer necessary in 2.0
120        #
121#       shortname       = localhost
122
123        #
124        # the following three fields are optional, but may be used by
125        # checkrad.pl for simultaneous use checks
126        #
127
128        #
129        # The nastype tells 'checkrad.pl' which NAS-specific method to
130        #  use to query the NAS for simultaneous use.
131        #
132        #  Permitted NAS types are:
133        #
134        #       cisco
135        #       computone
136        #       livingston
137        #       max40xx
138        #       multitech
139        #       netserver
140        #       pathras
141        #       patton
142        #       portslave
143        #       tc
144        #       usrhiper
145        #       other           # for all other types
146
147        #
148        nastype     = other     # localhost isn't usually a NAS...
149
150        #
151        #  The following two configurations are for future use.
152        #  The 'naspasswd' file is currently used to store the NAS
153        #  login name and password, which is used by checkrad.pl
154        #  when querying the NAS for simultaneous use.
155        #
156#       login       = !root
157#       password    = someadminpas
158
159        #
160        #  As of 2.0, clients can also be tied to a virtual server.
161        #  This is done by setting the "virtual_server" configuration
162        #  item, as in the example below.
163        #
164#       virtual_server = home1
165
166        #
167        #  A pointer to the "home_server_pool" OR a "home_server"
168        #  section that contains the CoA configuration for this
169        #  client.  For an example of a coa home server or pool,
170        #  see raddb/sites-available/originate-coa
171#       coa_server = coa
172}
173
174# IPv6 Client
175#client ::1 {
176#       secret          = testing123
177#       shortname       = localhost
178#}
179#
180# All IPv6 Site-local clients
181#client fe80::/16 {
182#       secret          = testing123
183#       shortname       = localhost
184#}
185
186#client some.host.org {
187#       secret          = testing123
188#       shortname       = localhost
189#}
190
191#
192#  You can now specify one secret for a network of clients.
193#  When a client request comes in, the BEST match is chosen.
194#  i.e. The entry from the smallest possible network.
195#
196#client 192.168.0.0/24 {
197#       secret          = testing123-1
198#       shortname       = private-network-1
199#}
200#
201#client 192.168.0.0/16 {
202#       secret          = testing123-2
203#       shortname       = private-network-2
204#}
205
206client {{ INTERNAL_NETWORK }}/{{ INTERNAL_MASK }} {
207        secret = {{ RADIUS_SECRET }}
208        nastype = other
209}
210
211{% if ROUTER_IP is defined and ROUTER_IP != "" %}
212
213client {{ ROUTER_IP }} {
214        secret = {{ RADIUS_SECRET }}
215        nastype = other
216}
217{% endif %}
218
219#client 10.10.10.10 {
220#       # secret and password are mapped through the "secrets" file.
221#       secret      = testing123
222#       shortname   = liv1
223#       # the following three fields are optional, but may be used by
224#       # checkrad.pl for simultaneous usage checks
225#       nastype     = livingston
226#       login       = !root
227#       password    = someadminpas
228#}
229
230#######################################################################
231#
232#  Per-socket client lists.  The configuration entries are exactly
233#  the same as above, but they are nested inside of a section.
234#
235#  You can have as many per-socket client lists as you have "listen"
236#  sections, or you can re-use a list among multiple "listen" sections.
237#
238#  Un-comment this section, and edit a "listen" section to add:
239#  "clients = per_socket_clients".  That IP address/port combination
240#  will then accept ONLY the clients listed in this section.
241#
242#clients per_socket_clients {
243#       client 192.168.3.4 {
244#               secret = testing123
245#        }
246#}
Note: See TracBrowser for help on using the repository browser.