.TH pam_radius_auth 5 .\" Copyright 2017, 2018 Cumulus Networks, Inc. All rights reserved. .SH NAME pam_radius_auth.conf \- RADIUS client configuration file .SH SYNOPSIS .B /etc/pam_radius_auth.conf is the RADIUS client configuration file for the PAM RADIUS client plugin. It contains the information on how to reach the RADIUS server(s), and because it contains the shared secret key, should be mode 600 and owned by root. .SH DESCRIPTION Other PAM-specific options are described in the .BR pam_radius_auth (8) manpage, and must be added to the PAM configuration files. .PP By default, all components source this file, enabling a single point of configuration for the TACACS server(s), debug settings, etc. .PP Not all keywords use all fields. .TP .I debug Output PAM and RADIUS communication debugging information via syslog(3). .TP .I server[:port] secret [timeout] [src_ip] the port name or number is optional. The default ports are not part of the code base, and are retrieved from the services database, e.g. .IR /etc/services . The ports used are .B radius for authentication and .B radacct for accounting. If the port is specified as numeric, port+1 is used as the accounting port. If a name is used for the port that is not .BR radius , .B radacct is still used for accounting. There is no way to specify a port to be used just for accounting. .P The timeout field is optional. The default timeout is 3 seconds. .IP For IPv6 literal addresses, the address has to be surrounded by square brackets as usual. E.g. [2001:0db8:85a3::4]. .IP If multiple RADIUS server lines exist, they are tried in order. The first server to return success or failure causes the module to return success or failure. Only if a server fails to response is it skipped, and the next server in turn is used. .IP The optional timeout field controls how many seconds the module waits before deciding that the server has failed to respond. It currently must be less than 60. .IP The optional src_ip may be used to configure the source IP address used in the RADIUS packets to the server. The timeout field must be set if setting the src_ip is desired .TP .I vrf-name VRFNAME If the management network is in a VRF, set this variable to the VRF name. This would usually be "mgmt". This is not normally needed with PAM. .TP .I priv-lvl VALUE This sets the minimum privilege level in VSA attribute .B shell:priv-lvl=VALUE to be considered a privileged login (ability to configure via nclu 'net' commands, and able to sudo. The default is 15. The range is 0-15. Only matters when the VSA attribute is returned. .TP .I mapped_priv_user accountname This sets the name of the privileged mapping account in /etc/passwd. It must match the privileged account name in .IR nss_mapuser (5) for correct operation. .SH "SEE ALSO" .BR pam_radius_auth (8), .BR nss_mapuser (5) .SH FILES .I /etc/pam_radius_auth.conf - RADIUS client configuration parameters .SH AUTHOR Dave Olson