NAME¶
inn-radius.conf - Configuration for nnrpd RADIUS authenticator
DESCRIPTION¶
This describes the format and attributes of the configuration file for the nnrpd
RADIUS authenticator. See
radius(8) for more information about the
authenticator program. The default location for this file is
inn-radius.conf in
pathetc.
Blank lines and lines beginning with "#" are ignored, as is anything
after a "#" on a line. All other lines should begin with a parameter
name followed by a colon and the value of that key, except that each section
of configuration for a particular server should be enclosed in:
server <name> {
# parameters...
}
where <name> is just some convenient label for that server.
The available parameters are:
- radhost
- The hostname of the RADIUS server to use for authentication. This
parameter must be set.
- radport
- The port to query on the RADIUS server. Defaults to 1645 if not set.
- lochost
- The hostname or IP address making the request. The RADIUS server expects
an IP address; a hostname will be translated into an IP address with
gethostbyname(). If not given, this information isn't included in
the request (not all RADIUS setups require this information).
- locport
- The port the client being authenticated is connecting to. If not given,
defaults to 119. This doesn't need to be set unless readers are connecting
to a non-standard port.
- secret
- The shared secret with the RADIUS server. If your secret includes spaces,
tabs, or "#", be sure to include it in double quotes. This
parameter must be set.
- prefix
- Prepend the value of this parameter to all usernames before passing them
to the RADIUS server. Can be used to prepend something like
"news-" to all usernames in order to put news users into a
different namespace from other accounts served by the same server. If not
set, nothing is prepended.
- suffix
- Append the value of this parameter to all usernames before passing them to
the RADIUS server. This is often something like "@example.com",
depending on how your RADIUS server is set up. If not set, nothing is
appended.
- ignore-source
- Can be set to "true" or "false". If set to false, the
RADIUS authenticator will check to ensure that the response it receives is
from the same IP address as it sent the request to (for some added
security). If set to true, it will skip this verification check (if your
RADIUS server has multiple IP addresses or if other odd things are going
on, it may be perfectly normal for the response to come from a different
IP address).
EXAMPLE¶
Here is a configuration for a news server named news.example.com, authenticating
users against radius.example.com and appending "@example.com" to all
client-supplied usernames before passing them to the RADIUS server:
server example {
radhost: radius.example.com
lochost: news.example.com
secret: IamARADIUSsecRET
suffix: @example.com
}
The shared secret with the RADIUS server is "IamARADIUSsecRET".
HISTORY¶
This documentation was written by Russ Allbery <rra@stanford.edu> based on
the comments in the sample
inn-radius.conf file by Yury
B. Razbegin.
$Id: inn-radius.conf.pod 9478 2013-05-24 16:28:27Z iulius $
SEE ALSO¶
radius(8)