#  pam_radius_auth configuration file.
#
#  See 'man pam_radius_auth.conf pam_radius_auth'
#
#  For proper security, this file SHOULD have permissions 0600,
#  that is readable by root, and NO ONE else.  If anyone other than
#  root can read this file, then they can spoof responses from the server!
#
#  There are 2-4 fields per line in this file.  There may be multiple
#  lines.  Blank lines or lines beginning with '#' are treated as
#  comments, and are ignored.  The fields are:
#
#  server[:port] secret [timeout] [src_ip]
#
#  The port name or number is optional.  The default port name is
#  "radius", and "radacct" for accounting.  They are looked up
#  in the services database (e.g., /etc/services)
#  The timeout field is optional; the default timeout is 3 seconds.
#  If the port is specified as numeric, port+1 is used as the accounting
#  port.   If a name is used for the port that is not "radius", "radacct"
#  is still used for accounting.
#  There is no way to specify the port to be used for accounting.
#
#  For IPv6 literal addresses, the address has to be surrounded  by
#  square  brackets as usual. E.g. [2001:0db8:85a3::4].
#
#  If multiple RADIUS server lines exist, they are tried in order.  The
#  first server to return success or failure causes the module to return
#  success or failure.  Only if a server fails to response is it skipped,
#  and the next server in turn is used.
#
#  The optional timeout field controls how many seconds the module waits before
#  deciding that the server has failed to respond.  It currently must be
#  less than 60.
#
#  The optional src_ip may be used to configure the source IP address used
#  in the RADIUS packets to the server.  The timeout field must be set if
#  setting the source IP address is desired
#
# server[:port]             shared_secret      timeout (secs) src_ip
# 127.0.0.1                   secret             1
# other-server                other-secret       3            192.168.3.4
# [2001:0db8:85a3::4]:1812    other6-secret      1
#
#  This allows the radius client to work when a management VRF is in use.
#  The syntax is "vrf-name" (keyword) followed by the VRF name, typically "mgmt"
#  Since the keyword has an illegal character for a hostname ('-'), this can't
#  conflict with a valid hostname
# vrf-name mgmt
#
# Set the minimum privilege level in VSA attribute shell:priv-lvl=VALUE
# to be considered a #  privileged login (ability to configure via
# nclu 'net' commands, and able to sudo.  The default is 15, range is 0-15.
# priv-lvl 15
#
#  Uncomment to enable debugging, can be used instead of altering pam files
# debug
#
# Account for privileged radius user mapping.  If you change it here,  you need
# to change /etc/nss_mapuser.conf as well
mapped_priv_user radius_priv_user