RADIUS(8) InterNetNews Documentation RADIUS(8)NAME
radius - nnrpd RADIUS password authenticator
SYNOPSIS
radius [-h] [-f config]
DESCRIPTION
radius is an nnrpd authenticator, accepting a username and password from nnrpd (given to nnrpd by a reader connection) and attempting to
authenticate that username and password against a RADIUS server. See readers.conf(5) for more information on how to configure an nnrpd
authenticator. It is useful for a site that already does user authentication via RADIUS and wants to authenticate news reading connections
as well.
By default, radius reads pathetc/radius.conf for configuration information, but a different configuration file can be specified with -f.
See radius.conf(5) for a description of the configuration file.
OPTIONS -f config
Read config instead of pathetc/radius.conf for configuration information.
-h Print out a usage message and exit.
EXAMPLE
The following readers.conf(5) fragment tells nnrpd to authenticate all connections using this authenticator:
auth radius {
auth: radius
default: <FAIL>
default-domain: example.com
}
"@example.com" will be appended to the user-supplied identity, and if RADIUS authentication failes, the user will be assigned an identity
of "<FAIL>@example.com".
BUGS
It has been reported that this authenticator doesn't work with Ascend RADIUS servers, but does work with Cistron RADIUS servers. It's also
believed to work with Livingston's RADIUS server. Contributions to make it work better with different types of RADIUS servers would be
gratefully accepted.
This code has not been audited against the RADIUS protocol and may not implement it correctly.
HISTORY
The RADIUS authenticator was originally written by Aidan Cully. This documentation was written by Russ Allbery <rra@stanford.edu>.
$Id: radius.pod 7664 2007-09-02 12:58:07Z iulius $
SEE ALSO nnrpd(8), radius.conf(5), readers.conf(5)
RFC 2865, Remote Authentication Dial In User Service.
INN 2.5.3 2009-05-21 RADIUS(8)
Check Out this Related Man Page
RADIUS.CONF(5) BSD File Formats Manual RADIUS.CONF(5)NAME
radius.conf -- RADIUS client configuration file
SYNOPSIS
/etc/radius.conf
DESCRIPTION
radius.conf contains the information necessary to configure the RADIUS client library. It is parsed by rad_config(3). The file contains one
or more lines of text, each describing a single RADIUS server which will be used by the library. Leading white space is ignored, as are
empty lines and lines containing only comments.
A RADIUS server is described by three to five fields on a line:
Service type
Server host
Shared secret
Timeout
Retries
The fields are separated by white space. The '#' character at the beginning of a field begins a comment, which extends to the end of the
line. A field may be enclosed in double quotes, in which case it may contain white space and/or begin with the '#' character. Within a
quoted string, the double quote character can be represented by '"', and the backslash can be represented by '\'. No other escape
sequences are supported.
The first field gives the service type, either 'auth' for RADIUS authentication or 'acct' for RADIUS accounting. If a single server provides
both services, two lines are required in the file. Earlier versions of this file did not include a service type. For backward compatibil-
ity, if the first field is not 'auth' or 'acct' the library behaves as if 'auth' were specified, and interprets the fields in the line as if
they were fields two through five.
The second field specifies the server host, either as a fully qualified domain name or as a dotted-quad IP address. The host may optionally
be followed by a ':' and a numeric port number, without intervening white space. If the port specification is omitted, it defaults to the
'radius' or 'radacct' service in the /etc/services file for service types 'auth' and 'acct', respectively. If no such entry is present, the
standard ports 1812 and 1813 are used.
The third field contains the shared secret, which should be known only to the client and server hosts. It is an arbitrary string of charac-
ters, though it must be enclosed in double quotes if it contains white space. The shared secret may be any length, but the RADIUS protocol
uses only the first 128 characters. N.B., some popular RADIUS servers have bugs which prevent them from working properly with secrets longer
than 16 characters.
The fourth field contains a decimal integer specifying the timeout in seconds for receiving a valid reply from the server. If this field is
omitted, it defaults to 3 seconds.
The fifth field contains a decimal integer specifying the maximum number of attempts that will be made to authenticate with the server before
giving up. If omitted, it defaults to 3 attempts. Note, this is the total number of attempts and not the number of retries.
Up to 10 RADIUS servers may be specified for each service type. The servers are tried in round-robin fashion, until a valid response is
received or the maximum number of tries has been reached for all servers.
The standard location for this file is /etc/radius.conf. But an alternate pathname may be specified in the call to rad_config(3). Since the
file contains sensitive information in the form of the shared secrets, it should not be readable except by root.
FILES
/etc/radius.conf
EXAMPLES
# A simple entry using all the defaults:
acct radius1.domain.com OurLittleSecret
# A server still using the obsolete RADIUS port, with increased
# timeout and maximum tries:
auth auth.domain.com:1645 "I can't see you" 5 4
# A server specified by its IP address:
auth 192.168.27.81 $X*#..38947ax-+=
SEE ALSO libradius(3)
C. Rigney, et al, Remote Authentication Dial In User Service (RADIUS), RFC 2138.
C. Rigney, RADIUS Accounting, RFC 2139.
AUTHORS
This documentation was written by John Polstra, and donated to the FreeBSD project by Juniper Networks, Inc.
BSD October 30, 1999 BSD