
File: raspberry/boot-part/multiotp-tree/etc/freeradius/clients.conf

File: raspberry/boot-part/multiotp-tree/etc/freeradius/clients.conf
Role: Auxiliary data
Content type: text/plain
Description: Auxiliary data
Class: multiOTP PHP class
Authenticate and manage OTP strong user tokens
Author: By
Last change:
Date: 4 months ago
Size: 6,703 bytes
 

Contents

# -*- text -*-
##
## clients.conf -- client configuration directives
##
##	$Id$

#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
	#  Client entry for requests arriving from the loopback address.
	#  Active settings in this block: ipaddr, secret,
	#  require_message_authenticator and nastype.  Everything else
	#  is commented out and shown as an example only.

	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	ipaddr = 127.0.0.1

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#
	#  A note on DNS:  We STRONGLY recommend using IP addresses
	#  rather than host names.  Using host names means that the
	#  server will do DNS lookups when it starts, making it
	#  dependent on DNS.  i.e. If anything goes wrong with DNS,
	#  the server won't start!
	#
	#  The server also looks up the IP address from DNS once, and
	#  only once, when it starts.  If the DNS record is later
	#  updated, the server WILL NOT see that update.
	#

	#  One client definition can be applied to an entire network.
	#  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
	#  "netmask = 8"
	#
	#  If not specified, the default netmask is 32 (i.e. /32)
	#
	#  We do NOT recommend using anything other than 32.  There
	#  are usually other, better ways to achieve the same goal.
	#  Using netmasks of other than 32 can cause security issues.
	#
	#  You can specify overlapping networks (127/8 and 127.0/16)
	#  In that case, the smallest possible network will be used
	#  as the "best match" for the client.
	#
	#  Clients can also be defined dynamically at run time, based
	#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
	#  etc.
	#  See raddb/sites-available/dynamic-clients for details.
	#

#	netmask = 32

	#
	#  The shared secret used to "encrypt" and "sign" packets between
	#  the NAS and FreeRADIUS.  You MUST change this secret from the
	#  default, otherwise it's not a secret any more!
	#
	#  The secret can be any string, up to 8k characters in length.
	#
	#  Control codes can be entered via octal encoding,
	#	e.g. "\101\102" == "AB"
	#  Quotation marks can be entered by escaping them,
	#	e.g. "foo\"bar"
	#
	#  A note on security:  The security of the RADIUS protocol
	#  depends COMPLETELY on this secret!  We recommend using a
	#  shared secret that is composed of:
	#
	#	upper case letters
	#	lower case letters
	#	numbers
	#
	#  And is at LEAST 8 characters long, preferably 16 characters in
	#  length.  The secret MUST be random, and should not be words,
	#  a phrase, or anything else that is recognizable.
	#
	#  The default secret below is only for testing, and should
	#  not be used in any real environment.
	#
	#  NOTE(review): "testing123" is the sample value shipped with
	#  this file, so it must be treated as publicly known.  With
	#  ipaddr = 127.0.0.1 and the default /32 netmask, this entry
	#  only matches requests from the loopback address, but any
	#  local process can then talk to the server with this secret.
	#  Replace it before deployment and do not reuse it for any
	#  non-loopback client entry.  Because the secret is stored in
	#  clear text, this file should be readable only by the account
	#  that runs the RADIUS server.
	#
	secret		= testing123

	#
	#  Old-style clients do not send a Message-Authenticator
	#  in an Access-Request.  RFC 5080 suggests that all clients
	#  SHOULD include it in an Access-Request.  The configuration
	#  item below allows the server to require it.  If a client
	#  is required to include a Message-Authenticator and it does
	#  not, then the packet will be silently discarded.
	#
	#  allowed values: yes, no
	#
	#  NOTE(review): with "no", Access-Requests that carry no
	#  Message-Authenticator are still accepted from this client,
	#  i.e. without a per-packet integrity check keyed on the
	#  shared secret.  Prefer "yes" once every client matched by
	#  this entry is confirmed to send the attribute -- verify
	#  against the local test tooling before changing it.
	#
	require_message_authenticator = no

	#
	#  The short name is used as an alias for the fully qualified
	#  domain name, or the IP address.
	#
	#  It is accepted for compatibility with 1.x, but it is no
	#  longer necessary in 2.0
	#
#	shortname	= localhost

	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous use checks
	#

	#
	# The nastype tells 'checkrad.pl' which NAS-specific method to
	#  use to query the NAS for simultaneous use.
	#
	#  Permitted NAS types are:
	#
	#	cisco
	#	computone
	#	livingston
	#	max40xx
	#	multitech
	#	netserver
	#	pathras
	#	patton
	#	portslave
	#	tc
	#	usrhiper
	#	other		# for all other types

	#
	nastype     = other	# localhost isn't usually a NAS...

	#
	#  The following two configurations are for future use.
	#  The 'naspasswd' file is currently used to store the NAS
	#  login name and password, which is used by checkrad.pl
	#  when querying the NAS for simultaneous use.
	#
	#  NOTE(review): if these are ever enabled, a NAS administrative
	#  login and password would sit in clear text in this file next
	#  to the shared secret; restrict the file's permissions
	#  accordingly.
	#
#	login       = !root
#	password    = someadminpas

	#
	#  As of 2.0, clients can also be tied to a virtual server.
	#  This is done by setting the "virtual_server" configuration
	#  item, as in the example below.
	#
#	virtual_server = home1

	#
	#  A pointer to the "home_server_pool" OR a "home_server"
	#  section that contains the CoA configuration for this
	#  client.  For an example of a coa home server or pool,
	#  see raddb/sites-available/originate-coa
#	coa_server = coa
}

# IPv6 Client
#client ::1 {
#	secret		= testing123
#	shortname	= localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
#	secret		= testing123
#	shortname	= localhost
#}

#client some.host.org {
#	secret		= testing123
#	shortname	= localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#	secret		= testing123-1
#	shortname	= private-network-1
#}
#
#client 192.168.0.0/16 {
#	secret		= testing123-2
#	shortname	= private-network-2
#}


#client 10.10.10.10 {
#	# secret and password are mapped through the "secrets" file.
#	secret      = testing123
#	shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#	nastype     = livingston
#	login       = !root
#	password    = someadminpas
#}

#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#	client 192.168.3.4 {
#		secret = testing123
#        }
#}