Client Definition

Synopsis

Each client has a 'short name' that is used to distinguish it from other clients.

In versions 1.x, the string after the word client was the IP address of the client. In version 2.0, the IP address is configured via the ipaddr or ipv6addr fields. For compatibility, the 1.x format is still accepted.

Note
We STRONGLY recommend using IP addresses rather than host names. Using host names means that the server will do DNS lookups when it starts, making it dependent on DNS; if anything goes wrong with DNS, then the server won’t start! The server also looks up the IP address from DNS once, and only once, when it starts. If the DNS record is later updated, the server WILL NOT see that update.

Directives

coa_server
Syntax

coa_server = string

Default

coa

Description

A pointer to the "home_server_pool" OR a "home_server" section that contains the CoA configuration for this client. For an example of a coa home server or pool, see raddb/sites-available/originate-coa

ipaddr
Syntax

ipaddr = ipaddr

Description

Only one of ipaddr, ipv4addr, ipv6addr may be specified for a client.

ipaddr will accept IPv4 or IPv6 addresses with optional CIDR notation /<mask> to specify ranges.

ipaddr will accept domain names, e.g., example.org, resolving them via DNS.

If both A and AAAA records are found, A records will be used in preference to AAAA.

It is now possible to specify one secret for a network of clients. When a client request comes in, the best match is chosen, i.e., the entry from the smallest possible network.

ipv4addr
Syntax

ipv4addr = ipaddr

Description

Same as ipaddr but allows IPv4 addresses only. Requires A record for domain names.

ipv6addr
Syntax

ipv6addr = ipv6addr

Description

Same as ipaddr but allows IPv6 addresses only. Requires AAAA record for domain names.

login
Syntax

login = string

Default

!root

Description

This field is optional, but is used by checkrad.pl for simultaneous use checks.

This configuration is for future use.

nas_type
Syntax

nas_type = string

Default

other

Description

This field is optional, but is used by checkrad.pl for simultaneous use checks.

The nas_type tells checkrad.pl which NAS-specific method to use to query the NAS for simultaneous use.

The default is nas_type = other as localhost isn’t usually an NAS.

Permitted NAS types are as follows:

cisco
computone
livingston
juniper
max40xx
multitech
netserver
pathras
patton
portslave
tc
usrhiper
other        for all other types

password
Syntax

password = string

Description

This field is optional, but is used by checkrad.pl for simultaneous use checks.

This configuration is for future use.

proto
Syntax

proto = string

Default

udp

Description

The transport protocol.

If unspecified, defaults to udp, which is the traditional RADIUS transport. It may also be tcp, in which case the server will accept connections from this client only over TCP.

require_message_authenticator
Syntax

require_message_authenticator = boolean

Default

no

Description

Old-style clients do not send a Message-Authenticator in an Access-Request. RFC 5080 suggests that all clients SHOULD include it in an Access-Request. This configuration item allows the server to require a Message-Authenticator. If a client is required to include a Message-Authenticator and does not, then the packet will be silently discarded.

Allowed values: yes, no
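To make the check concrete, here is an added example (not FreeRADIUS code) of what "require a Message-Authenticator" means on the wire. It builds a minimal Access-Request, optionally appending the Message-Authenticator attribute (type 80, computed as HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed, as RFC 2869 specifies), and then applies the documented client policy on the receiving side: a missing attribute is tolerated or discarded depending on the setting, and a present attribute must verify against the shared secret. The secret, User-Name and authenticator bytes are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed example values; not taken from any real deployment.
SECRET = b"testing123"           # the page's default secret, illustration only
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
HEADER_LEN = 20                  # code(1) + id(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Encode a list of (type, value) pairs as RADIUS type/length/value triples."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_access_request(ident, authenticator, attrs, secret=None):
    """Build an Access-Request. If a secret is given, append a correctly
    computed Message-Authenticator: HMAC-MD5 keyed with the secret over the
    packet with the attribute's 16 value bytes set to zero."""
    body = encode_attrs(attrs)
    if secret is not None:
        body += encode_attrs([(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    length = HEADER_LEN + len(body)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator + body
    if secret is not None:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac     # the zeroed value is the last 16 bytes
    return pkt


def parse_attrs(pkt):
    """Yield (type, value, offset_of_value) for each attribute in a packet."""
    pos = HEADER_LEN
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield atype, pkt[pos + 2:pos + alen], pos + 2
        pos += alen


def check_access_request(pkt, secret, require_message_authenticator):
    """Server-side policy from the documentation: return 'accept',
    'discard-missing' (required but absent) or 'discard-bad' (present but
    does not verify). Verification recomputes the HMAC over the packet with
    the attribute value zeroed and compares in constant time."""
    found = [(v, off) for t, v, off in parse_attrs(pkt)
             if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "discard-missing" if require_message_authenticator else "accept"
    value, off = found[0]
    if len(value) != 16:
        return "discard-bad"
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "accept" if hmac.compare_digest(expected, value) else "discard-bad"


if __name__ == "__main__":
    auth = bytes(range(16))                       # constructed Request Authenticator
    attrs = [(ATTR_USER_NAME, b"alice")]
    with_ma = build_access_request(7, auth, attrs, SECRET)
    without_ma = build_access_request(7, auth, attrs)
    print(check_access_request(with_ma, SECRET, True))      # accept
    print(check_access_request(without_ma, SECRET, True))   # discard-missing
    print(check_access_request(without_ma, SECRET, False))  # accept
```

Note that with the setting at its default of no, an old-style client's request (the `without_ma` case) is still accepted; only a present-but-wrong Message-Authenticator is ever rejected in that mode.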

response_window
Syntax

response_window = integer

Default

10.0

Description

Response window for proxied packets. If non-zero, then the lower of the home_server or client response_window will be used, i.e., this value can be used to lower the response_window for packets from one client to a home server. This value cannot be used to raise the response_window.

secret
Syntax

secret = string

Default

testing123

Description

The shared secret used to "encrypt" and "sign" packets between the NAS and FreeRADIUS. This secret must be changed from the default, otherwise it is not a secret anymore!

The secret can be any string, up to 8k characters in length.

Non-ASCII control codes can be entered via octal encoding,

e.g., "\101\102" == "AB"

Quotation marks can be entered by escaping them,

e.g., "foo\"bar"

NOTE: The security of the RADIUS protocol depends completely on this secret! It is recommended to use a shared secret that is composed of:

upper case letters
lower case letters
numbers

and is at LEAST 8 characters - preferably 16 characters - in length. The secret MUST be random and should not be words, phrases, or anything else that is recognisable.

The default secret is only for testing and should not be used in any real environment.

It is possible to specify a secret for a network of clients. When a client request comes in, the best match is chosen, i.e., the entry from the smallest possible network.
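The two behaviours described for secrets above, the octal and quote escapes and the "best match is the smallest network" rule (also stated under ipaddr), are shown together in this added example; it is illustration code, not part of FreeRADIUS. The client table, with its names, networks and secrets, is constructed for the example. `decode_secret` turns a quoted secret into bytes, and `find_client` picks the entry with the longest matching prefix, so a single host entry wins over the /16 that also contains it.

```python
import ipaddress
import re

# Constructed rows in the shape of clients.conf entries (name, ipaddr, secret);
# every value here is made up for the example.
RAW_CLIENTS = [
    ("office",    "10.1.0.0/16",   r'"office-wide-secret"'),
    ("nas01",     "10.1.2.3",      r'"\101\102-nas01-secret"'),   # "AB-nas01-secret"
    ("dc-v6",     "2001:db8::/32", r'"v6\"quoted\"secret"'),
    ("localhost", "127.0.0.1",     r'"testing123"'),
]

# A backslash followed by three octal digits, or an escaped double quote.
_ESCAPE = re.compile(r'\\([0-7]{3}|")')


def decode_secret(text):
    """Decode a double-quoted secret: \\NNN octal escapes become single bytes
    and \\" becomes a literal quote. Returns bytes, because the page allows
    non-ASCII control codes, and enforces the documented 8k length limit."""
    if not (len(text) >= 2 and text[0] == '"' and text[-1] == '"'):
        raise ValueError("secret must be double-quoted for this decoder")
    inner = text[1:-1]
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(inner):
        out += inner[pos:m.start()].encode()
        esc = m.group(1)
        if esc == '"':
            out.append(0x22)
        else:
            value = int(esc, 8)
            if value > 0xFF:
                raise ValueError("octal escape out of range: \\" + esc)
            out.append(value)
        pos = m.end()
    out += inner[pos:].encode()
    if len(out) > 8192:
        raise ValueError("secret longer than 8k characters")
    return bytes(out)


def load_clients(raw):
    """Turn (name, ipaddr, secret) rows into (name, network, secret); a bare
    host address becomes a /32 or /128 network so every row is comparable."""
    return [(name, ipaddress.ip_network(addr, strict=False), decode_secret(sec))
            for name, addr, sec in raw]


def find_client(clients, source_ip):
    """Best match: among entries whose network contains source_ip, return the
    one with the longest prefix (the smallest network). None if no entry
    matches, which is where an unknown client would be rejected."""
    ip = ipaddress.ip_address(source_ip)
    best = None
    for name, net, secret in clients:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (name, net, secret)
    return best


if __name__ == "__main__":
    table = load_clients(RAW_CLIENTS)
    for src in ("10.1.2.3", "10.1.9.9", "2001:db8:1::5", "10.2.0.1"):
        hit = find_client(table, src)
        print(src, "->", hit[0] if hit else "no matching client")
```

The same lookup applies unchanged to a per-socket client list: each listen socket simply consults its own table instead of the global one.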

shortname
Syntax

shortname = string

Description

The short name is used as an alias for the fully qualified domain name or for the IP address.

It is accepted for compatibility with versions 1.x, but it is no longer necessary in versions >= 2.0.

virtual_server
Syntax

virtual_server = string

Default

none

Description

As of version 2.0, clients can also be tied to a virtual server. This action is done by setting the virtual_server configuration item.

Limit

This section is ignored for clients sending UDP traffic.

Connection limiting is performed only for clients with proto = tcp.

Directives

max_connections
Syntax

max_connections = integer

Default

16

Description

Limits the number of simultaneous TCP connections from a client. Setting this to 0 means "no limit".

lifetime
Syntax

lifetime = integer

Default

0

Description

The lifetime, in seconds, of a TCP connection. After a connection has been open for lifetime seconds, it will be closed.

Setting this parameter to 0 means "forever".

idle_timeout
Syntax

idle_timeout = integer

Default

30

Description

The idle timeout, in seconds, of a TCP connection. If no packets have been received over the connection for idle_timeout seconds, the connection will be closed.

Setting this parameter to 0 means "no timeout".

It is strongly recommended that an idle timeout be set.
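The three limits above interact, so as an added illustration (not FreeRADIUS code) here is a small per-client accounting model that follows the documented semantics exactly: max_connections 0 means no limit, lifetime 0 means forever, idle_timeout 0 means no timeout. The connection identifiers and timestamps are constructed; the defaults mirror the values stated on this page.

```python
# Documented defaults for the limit section; the model below takes them as
# constructor arguments so other values can be tried.
DEFAULTS = {"max_connections": 16, "lifetime": 0, "idle_timeout": 30}


class TcpClientLimiter:
    """Accounting for one client's TCP connections. Timestamps are plain
    seconds so the behaviour can be stepped through deterministically."""

    def __init__(self, max_connections=16, lifetime=0, idle_timeout=30):
        self.max_connections = max_connections
        self.lifetime = lifetime
        self.idle_timeout = idle_timeout
        self.conns = {}  # conn_id -> {"opened": t, "last_packet": t}

    def accept(self, conn_id, now):
        """Register a new connection, or refuse it (False) when the client
        already has max_connections open. 0 disables the limit."""
        if self.max_connections and len(self.conns) >= self.max_connections:
            return False
        self.conns[conn_id] = {"opened": now, "last_packet": now}
        return True

    def packet_received(self, conn_id, now):
        """Any packet on the connection resets its idle clock."""
        self.conns[conn_id]["last_packet"] = now

    def reap(self, now):
        """Close connections that exceeded lifetime or idle_timeout and return
        [(conn_id, reason)]. A limit of 0 is skipped, i.e. forever / no timeout.
        Lifetime is checked first, so a busy but old connection is still closed."""
        closed = []
        for cid, st in list(self.conns.items()):
            if self.lifetime and now - st["opened"] >= self.lifetime:
                closed.append((cid, "lifetime"))
            elif self.idle_timeout and now - st["last_packet"] >= self.idle_timeout:
                closed.append((cid, "idle_timeout"))
        for cid, _ in closed:
            del self.conns[cid]
        return closed


if __name__ == "__main__":
    lim = TcpClientLimiter(max_connections=2, lifetime=300, idle_timeout=30)
    print(lim.accept("c1", 0), lim.accept("c2", 0), lim.accept("c3", 1))  # True True False
    lim.packet_received("c1", 20)
    print(lim.reap(31))    # c2 has been silent for 31 s: [('c2', 'idle_timeout')]
    print(lim.accept("c3", 31))  # a slot is free again: True
    print(lim.reap(320))   # c1 hits lifetime, c3 hits idle_timeout
```

Running it with `idle_timeout=0` shows why the page recommends setting one: a client that opens a connection and never sends another packet keeps its slot until lifetime expires, and with lifetime also 0 it keeps it forever, counting against max_connections.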

Client groups or lists

The configuration entries for client groups or lists are exactly the same as above, except that they are nested inside of a section.

There may be as many per-socket client lists as there are listen sections, or one list may be shared among multiple listen sections.

Un-comment this section and edit a listen section to add:

clients = per_socket_clients

That IP address/port combination will then accept only the clients listed in this section.

Client socket_client

Directives