.TH pam_radius_auth 5
.\" Copyright 2017 Cumulus Networks, Inc.  All rights reserved.
.SH NAME
pam_radius_auth.conf \- RADIUS client configuration file
.SH SYNOPSIS
.B /etc/pam_radius_auth.conf
is the RADIUS client configuration file for the PAM RADIUS client plugin.
It contains the information on how to reach the RADIUS server(s), and
because it contains the shared secret key, should be mode 600 and owned
by root.
.SH DESCRIPTION
Other PAM-specific options are described in the
.BR pam_radius_auth (8)
manpage, and must be added to the PAM configuration files.
.PP
By default, all components source this file, enabling a single point of
configuration for the TACACS server(s), debug settings, etc.
.PP
Not all keywords use all fields.
.TP
.I debug
Output PAM and RADIUS communication debugging information via syslog(3).
.TP
.I  server[:port] secret [timeout] [src_ip]
The port name or number is optional.  The default ports are not
part of the code base, and are retrieved from
.IR /etc/services .
The ports used are
.BR " radius "
for authentication and
.BR " radacct "
for accounting.
.P
The timeout field is optional.  The default timeout is 3 seconds.
.IP
For IPv6 literal addresses, the address has to be surrounded by
square brackets as usual, e.g. [2001:0db8:85a3::4].
.IP
If multiple RADIUS server lines exist, they are tried in order.  The
first server to return success or failure causes the module to return
success or failure.  Only if a server fails to respond is it skipped,
and the next server in turn is used.
.IP
The optional timeout field controls how many seconds the module waits before
deciding that the server has failed to respond.  It currently must be
less than 60.
.IP
The optional src_ip may be used to configure the source IP address used
in the RADIUS packets to the server.  The timeout field must be set if
setting the src_ip is desired.
.TP
.I vrf-name VRFNAME
If the management network is in a VRF, set this variable to the VRF name. This
would usually be "mgmt".  This is not normally needed with PAM.
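.PP
Added example, not part of the original manual page or the project's code: a Python lint that applies the rules stated above (mode 600 and root ownership, bracketed IPv6 literals, a timeout below 60 that must be set before src_ip).
The '#' comment handling, the lower timeout bound of 1, and all function names and sample values are assumptions of this example.

```python
import ipaddress, os, stat

SAMPLE = """debug
[2001:0db8:85a3::4]:1812 s3cret 5 2001:db8::10
192.0.2.10 s3cret 10.0.0.1
192.0.2.11 s3cret 90
"""  # constructed file body: documentation addresses and a placeholder secret

def perm_issues(path):
    """The file holds the shared secret: the page asks for mode 600, owner root."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    issues = ["mode %03o allows group/other access" % mode] if mode & 0o077 else []
    return issues + (["owner uid %d is not root" % st.st_uid] if st.st_uid else [])

def parse_server(line):
    """Parse 'server[:port] secret [timeout] [src_ip]'; ValueError on a violation."""
    f = line.split()
    if not 2 <= len(f) <= 4:
        raise ValueError("expected 2 to 4 fields")
    host, port = f[0], None
    if host.startswith("["):                       # bracketed IPv6 literal
        addr, close, rest = host[1:].partition("]")
        if not close or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address")
        host, port = str(ipaddress.IPv6Address(addr)), rest[1:] or None
    elif host.count(":") > 1:
        raise ValueError("IPv6 literal must be in square brackets")
    elif ":" in host:
        host, port = host.split(":", 1)
    timeout = f[2] if len(f) > 2 else "3"          # page default: 3 seconds
    if not timeout.isdigit() or not 0 < int(timeout) < 60:
        raise ValueError("field 3 must be a timeout of 1-59 s (needed before src_ip)")
    src_ip = str(ipaddress.ip_address(f[3])) if len(f) == 4 else None
    return {"host": host, "port": port, "timeout": int(timeout), "src_ip": src_ip}

def check_config(text):
    """Return (servers in the order they are tried, errors) for a file body."""
    servers, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        word = (line.split() or ["#"])[0]
        if word not in ("debug", "vrf-name") and not word.startswith("#"):
            try:
                servers.append(parse_server(line))
            except ValueError as e:
                errors.append("line %d: %s" % (n, e))
    return servers, errors
```

The error strings carry only the line number and the rule that failed, so the shared secret never reaches a log.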
.SH "SEE ALSO"
.BR pam_radius_auth (8),
.BR nss_mapuser (5)
.SH FILES
.I /etc/pam_radius_auth.conf
- RADIUS client configuration parameters
.SH AUTHOR
Dave Olson <olson@cumulusnetworks.com>