coa_server = string

coa

A pointer to the "home_server_pool" OR a "home_server" section that contains the CoA configuration for this client. For an example of a coa home server or pool, see raddb/sites-available/originate-coa

ipaddr = ipaddr

Only one of ipaddr, ipv4addr, ipv6addr may be specified for a client.

ipaddr will accept IPv4 or IPv6 addresses with optional CIDR notation /<mask> to specify ranges.

ipaddr will accept domain names, e.g., example.org, resolving them via DNS.

If both A and AAAA records are found, A records will be used in preference to AAAA.

It is now possible to specify one secret for a network of clients. When a client request comes in, the best match is chosen, i.e., the entry from the smallest possible network.

ipv4addr = ipaddr

Same as ipaddr but allows IPv4 addresses only. Requires A record for domain names.

ipv6addr = ipv6addr

Same as ipaddr but allows IPv6 addresses only. Requires AAAA record for domain names.

login = string

!root

This field is optional, but is used by checkrad.pl for simultaneous use checks.

This configuration is for future use.

.nas_type

nas_type = string

other

This field is optional, but is used by checkrad.pl for simultaneous use checks.

The nas_type tells checkrad.pl which NAS-specific method to use to query the NAS for simultaneous use.

The default is nas_type = other as localhost isn’t usually an NAS.

Permitted NAS types are as follows:

password = string

This field is optional, but is used by checkrad.pl for simultaneous use checks.

This configuration is for future use.

.proto

proto = string

udp

The transport protocol.

If unspecified, defaults to udp, which is the traditional RADIUS transport. It may also be tcp, in which case the server will accept connections from this client only over TCP.

require_message_authenticator = boolean

no

Old-style clients do not send a Message-Authenticator in an Access-Request. httpRFC 5080 suggests that all clients SHOULD include it in an Access-Request. This configuration item allows the server to require a Message-Authenticator. If a client is required to include a Message-Authenticator and does not, then the packet will be silently

Allowed values: yes, no

response_window = integer

10.0

Response window for proxied packets. If non-zero, then the lower of the home_server or client response_window will be used, i.e., this value can be used to lower the response_window packets from one client to a home server. This value cannot be used to raise the response_window.

secret = string

testing123

The shared secret use to "encrypt" and "sign" packets between the NAS and FreeRADIUS. This secret must be changed from the default, otherwise it is not a secret anymore!

The secret can be any string, up to 8k characters in length.

Non-ASCII control codes can be entered viaoctal encoding,

Quotation marks can be entered by escaping them,

NOTE: The security of the RADIUS protocol depends completely on this secret! It is recommended to use a shared secret that is composed of:

and is at LEAST 8 characters - preferably 16 characters - in length. The secret MUST be random and should not be words, phrases, or anything else that is recognisable.

The default secret is only for testing and should not be used in any real environment.

It is possible to specify a secret for a network of clients. When a client request comes in, the best match is chosen, i.e., the entry from the smallest possible network.

shortname = string

The short name is used as an alias for the fully qualified domain name or for the IP address.

It is accepted for compatibility with versions 1.x, but it is no longer necessary in versions >= 2.0.

virtual_server = string

none

As of version 2.0, clients can also be tied to a virtual server. This action is done by setting the virtual_server configuration item.