tacplus.conf(5) [freebsd man page]

TACPLUS.CONF(5) 					      BSD File Formats Manual						   TACPLUS.CONF(5)

NAME

     tacplus.conf -- TACACS+ client configuration file

SYNOPSIS

     /etc/tacplus.conf

DESCRIPTION

     tacplus.conf contains the information necessary to configure the TACACS+ client library.  It is parsed by tac_config() (see libtacplus(3)).
     The file contains one or more lines of text, each describing a single TACACS+ server which is to be used by the library.  Leading white space
     is ignored, as are empty lines and lines containing only comments.

     A TACACS+ server is described by two to four fields on a line.  The fields are separated by white space.  The '#' character at the beginning
     of a field begins a comment, which extends to the end of the line.  A field may be enclosed in double quotes, in which case it may contain
     white space and/or begin with the '#' character.  Within a quoted string, the double quote character can be represented by '"', and the
     backslash can be represented by '\'.  No other escape sequences are supported.

     The first field specifies the server host, either as a fully qualified domain name or as a dotted-quad IP address.  The host may optionally
     be followed by a ':' and a numeric port number, without intervening white space.  If the port specification is omitted, it defaults to 49,
     the standard TACACS+ port.

     The second field contains the shared secret, which should be known only to the client and server hosts.  It is an arbitrary string of charac-
     ters, though it must be enclosed in double quotes if it contains white space or is empty.	An empty secret disables the normal encryption
     mechanism, causing all data to cross the network in cleartext.

     The third field contains a decimal integer specifying the timeout in seconds for communicating with the server.  The timeout applies sepa-
     rately to each connect, write, and read operation.  If this field is omitted, it defaults to 3 seconds.

     The optional fourth field may contain the string 'single-connection'.  If this option is included, the library will attempt to negotiate with
     the server to keep the TCP connection open for multiple sessions.	Some older TACACS+ servers become confused if this option is specified.

     Up to 10 TACACS+ servers may be specified.  The servers are tried in order, until a valid response is received or the list is exhausted.

     The standard location for this file is /etc/tacplus.conf.	An alternate pathname may be specified in the call to tac_config() (see
     libtacplus(3)).  Since the file contains sensitive information in the form of the shared secrets, it should not be readable except by root.

FILES

     /etc/tacplus.conf

EXAMPLES

     # A simple entry using all the defaults:
     tacserver.domain.com    OurLittleSecret

     # A server using a non-standard port, with an increased timeout and
     # the "single-connection" option.
     auth.domain.com:4333    "Don't tell!!"  15      single-connection

     # A server specified by its IP address:
     192.168.27.81	     $X*#..38947ax-+=

SEE ALSO

     libtacplus(3)

AUTHORS

     This documentation was written by John Polstra, and donated to the FreeBSD project by Juniper Networks, Inc.

BSD
								   July 29, 1998							       BSD

RADIUS.CONF(5)						    InterNetNews Documentation						    RADIUS.CONF(5)

NAME

       radius.conf - Configuration for nnrpd RADIUS authenticator

DESCRIPTION

       This describes the format and attributes of the configuration file for the nnrpd RADIUS authenticator.  See radius(1) for more information
       about the authenticator program.  The default location for this file is radius.conf in pathetc.

       Blank lines and lines beginning with "#" are ignored, as is anything after a "#" on a line.  All other lines should begin with a parameter
       name followed by a colon and the value of that key, except that each section of configuration for a particular server should be enclosed
       in:

	   server <name> {
	       # parameters...
	   }

       where <name> is just some convenient label for that server.

       The available parameters are:

       radhost
	   The hostname of the RADIUS server to use for authentication.  This parameter must be set.

       radport
	   The port to query on the RADIUS server.  Defaults to 1645 if not set.

       lochost
	   The hostname or IP address making the request.  The RADIUS server expects an IP address; a hostname will be translated into an IP
	   address with gethostbyname().  If not given, this information isn't included in the request (not all RADIUS setups require this
	   information).

       locport
	   The port the client being authenticated is connecting to.  If not given, defaults to 119.  This doesn't need to be set unless readers
	   are connecting to a non-standard port.

       secret
	   The shared secret with the RADIUS server.  If your secret includes spaces, tabs, or "#", be sure to include it in double quotes.  This
	   parameter must be set.

       prefix
	   Prepend the value of this parameter to all usernames before passing them to the RADIUS server.  Can be used to prepend something like
	   "news-" to all usernames in order to put news users into a different namespace from other accounts served by the same server.  If not
	   set, nothing is prepended.

       suffix
	   Append the value of this parameter to all usernames before passing them to the RADIUS server.  This is often something like
	   "@example.com", depending on how your RADIUS server is set up.  If not set, nothing is appended.

       ignore-source
	   Can be set to "true" or "false".  If set to false, the RADIUS authenticator will check to ensure that the response it receives is from
	   the same IP address as it sent the request to (for some added security).  If set to true, it will skip this verification check (if your
	   RADIUS server has multiple IP addresses or if other odd things are going on, it may be perfectly normal for the response to come from a
	   different IP address).

EXAMPLE

       Here is a configuration for a news server named news.example.com, authenticating users against radius.example.com and appending
       "@example.com" to all client-supplied usernames before passing them to the RADIUS server:

	   server example {
	       radhost: radius.example.com
	       lochost: news.example.com
	       secret: IamARADIUSsecRET
	       suffix: @example.com
	   }

       The shared secret with the RADIUS server is "IamARADIUSsecRET".

HISTORY

       This documentation was written by Russ Allbery <rra@stanford.edu> based on the comments in the sample radius.conf file by Yury B. Razbegin.

       $Id: radius.conf.pod 8200 2008-11-30 13:31:30Z iulius $

SEE ALSO

       radius(1)

INN 2.5.3							    2009-05-21							    RADIUS.CONF(5)