# pam_radius_auth configuration file. # # See 'man pam_radius_auth.conf pam_radius_auth' # # For proper security, this file SHOULD have permissions 0600, # that is readable by root, and NO ONE else. If anyone other than # root can read this file, then they can spoof responses from the server! # # There are 2-4 fields per line in this file. There may be multiple # lines. Blank lines or lines beginning with '#' are treated as # comments, and are ignored. The fields are: # # server[:port] secret [timeout] [src_ip] # # The port name or number is optional. The default port name is # "radius", and "radacct" for accounting. They are looked up # in the services database (e.g., /etc/services) # The timeout field is optional; the default timeout is 3 seconds. # If the port is specified as numeric, port+1 is used as the accounting # port. If a name is used for the port that is not "radius", "radacct" # is still used for accounting. # There is no way to specify the port to be used for accounting. # # For IPv6 literal addresses, the address has to be surrounded by # square brackets as usual. E.g. [2001:0db8:85a3::4]. # # If multiple RADIUS server lines exist, they are tried in order. The # first server to return success or failure causes the module to return # success or failure. Only if a server fails to response is it skipped, # and the next server in turn is used. # # The optional timeout field controls how many seconds the module waits before # deciding that the server has failed to respond. It currently must be # less than 60. # # The optional src_ip may be used to configure the source IP address used # in the RADIUS packets to the server. The timeout field must be set if # setting the source IP address is desired # # server[:port] shared_secret timeout (secs) src_ip # 127.0.0.1 secret 1 # other-server other-secret 3 192.168.3.4 # [2001:0db8:85a3::4]:1812 other6-secret 1 # # This allows the radius client to work when a management VRF is in use. # The syntax is "vrf-name" (keyword) followed by the VRF name, typically "mgmt" # Since the keyword has an illegal character for a hostname ('-'), this can't # conflict with a valid hostname # vrf-name mgmt # # Set the minimum privilege level in VSA attribute shell:priv-lvl=VALUE # to be considered a # privileged login (ability to configure via # nclu 'net' commands, and able to sudo. The default is 15, range is 0-15. # priv-lvl 15 # # Uncomment to enable debugging, can be used instead of altering pam files # debug # # Account for privileged radius user mapping. If you change it here, you need # to change /etc/nss_mapuser.conf as well mapped_priv_user radius_priv_user