/etc/radius/clients file

The clients file contains a list of clients that are allowed to make requests of the RADIUS server.

Typically, for each client (a NAS or an AP), you must enter the client IP address, the shared secret between the RADIUS server and the client, and an optional poolname for IP pooling.

The file consists of entries in the following form:

<Client IP Address>    <Shared Secret>    <Pool Name>

A sample entry list appears as follows:

10.10.10.1      mysecret1      floor6
10.10.10.2      mysecret2      floor5

A shared secret is a character string that is configured on both the client hardware and the RADIUS server. The shared secret is case sensitive and has a maximum length of 256 bytes. It is never sent over the network and does not appear in any RADIUS packet. System administrators must make sure that exactly the same secret is configured on both sides (client and RADIUS server). The shared secret is used for encrypting the user password information and can also be used for verifying message integrity through a Message Authentication attribute.

Each client's shared secret should be unique in the /etc/radius/clients file and, like any good password, it is best to use a mixture of uppercase/lowercase letters, numbers, and symbols in the secret. To keep a shared secret secure, make it at least 16 characters in length. The /etc/radius/clients file can be modified using SMIT. The shared secret should be changed often to prevent dictionary attacks.
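The following audit sketch is an added example, not part of the original documentation or of the RADIUS server itself. It checks a clients file against the rules stated above: the 256-byte maximum, the 16-character minimum, the character mix, and one unique secret per client. It assumes whitespace-separated fields with no whitespace inside a secret; the function name audit_clients and the third and fourth sample entries are constructed for illustration.

```python
import ipaddress
import string
from collections import defaultdict

MAX_SECRET_BYTES = 256  # maximum length stated on this page
MIN_SECRET_CHARS = 16   # minimum length recommended on this page

# Constructed sample: the page's two sample entries plus two constructed ones.
SAMPLE = """\
10.10.10.1      mysecret1      floor6
10.10.10.2      mysecret2      floor5
10.10.10.3      Xk7#pQ2!vR9$mT4&zL8w      floor6
10.10.10.4      Xk7#pQ2!vR9$mT4&zL8w
"""

# One predicate per character class the page asks for.
CLASSES = (str.islower, str.isupper, str.isdigit, string.punctuation.__contains__)

def audit_clients(text):
    """Return sorted (line_no, client, finding) tuples; secrets are never echoed."""
    findings = []
    users = defaultdict(list)  # secret -> [(line_no, client), ...]
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # blank line
        if len(fields) not in (2, 3):  # pool name is optional
            findings.append((line_no, fields[0], "expected 2 or 3 fields"))
            continue
        client, secret = fields[0], fields[1]
        try:
            ipaddress.ip_address(client)
        except ValueError:
            findings.append((line_no, client, "invalid client IP address"))
        if len(secret.encode()) > MAX_SECRET_BYTES:
            findings.append((line_no, client, "secret longer than 256 bytes"))
        if len(secret) < MIN_SECRET_CHARS:
            findings.append((line_no, client, "secret shorter than 16 characters"))
        if not all(any(test(c) for c in secret) for test in CLASSES):
            findings.append((line_no, client, "secret lacks upper/lower/digit/symbol mix"))
        users[secret].append((line_no, client))
    for entries in users.values():
        if len(entries) > 1:  # the same secret appears on several clients
            findings.extend((n, c, "secret reused by another client") for n, c in entries)
    return sorted(findings)

if __name__ == "__main__":
    for line_no, client, finding in audit_clients(SAMPLE):
        print(f"line {line_no}: {client}: {finding}")
```

To audit the live file, pass the contents of /etc/radius/clients to audit_clients in place of SAMPLE; the findings identify the line and client only, so the report can be shared without exposing any secret.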

The poolname is the name of the pool from which global IP addresses are allocated during dynamic translation. The system administrator creates the poolname when setting up the RADIUS server. Using a SMIT panel, the poolname is added from Configure Proxy Rules > IP Pool > Create an IP Pool. It is used during server-side IP pooling.