# pam_radius_auth configuration file. # # See 'man pam_radius_auth.conf pam_radius_auth' # # For proper security, this file SHOULD have permissions 0600, # that is readable by root, and NO ONE else. If anyone other than # root can read this file, then they can spoof responses from the server! # # There are 2-4 fields per line in this file. There may be multiple # lines. Blank lines or lines beginning with '#' are treated as # comments, and are ignored. The fields are: # # server[:port] secret [timeout] [src_ip] # # the port name or number is optional. The default port name is # "radius", and is looked up from /etc/services The timeout field is # optional. The default timeout is 3 seconds. # # For IPv6 literal addresses, the address has to be surrounded by # square brackets as usual. E.g. [2001:0db8:85a3::4]. # # If multiple RADIUS server lines exist, they are tried in order. The # first server to return success or failure causes the module to return # success or failure. Only if a server fails to response is it skipped, # and the next server in turn is used. # # The optional timeout field controls how many seconds the module waits before # deciding that the server has failed to respond. It currently must be # less than 60. # # The optional src_ip may be used to configure the source IP address used # in the RADIUS packets to the server. The timeout field must be set if # setting the source IP address is desired # # server[:port] shared_secret timeout (secs) src_ip # 127.0.0.1 secret 1 # other-server other-secret 3 192.168.3.4 # [2001:0db8:85a3::4]:1812 other6-secret 1 # # This allows the radius client to work when a management VRF is in use. # The syntax is "vrf-name" (keyword) followed by the VRF name, typically "mgmt" # Since the keyword has an illegal character for a hostname ('-'), this can't # conflict with a valid hostname # vrf-name mgmt # # Uncomment to enable debugging, can be used instead of altering pam files # debug