radiusd.conf file

The radiusd.conf file contains the configuration parameters for RADIUS.

By default, RADIUS searches for the radiusd.conf file in the /etc/radius directory. Configuration file entries must use the "Keyword : value" formats shown in the file. RADIUS accepts only valid keywords and values, and falls back to the default when a keyword or value is missing or invalid. When you launch the RADIUS daemons, check the SYSLOG output for configuration parameter errors, because not every configuration error stops the server.

This file should be appropriately read-protected and write-protected because it affects the behavior of authentication and accounting servers. Also, confidential data might exist in the file.
Important: If you edit the radiusd.conf file, do not change the order of the entries. SMIT panels rely on the order.

The following is an example of the radiusd.conf file:

#------------------------------------------------------------------#
#              CONFIGURATION FILE                                  #
#                                                                  #
#  By default RADIUS will search for radiusd.conf in the           #
#  /etc/radius directory.                                          #
#                                                                  #
#  Configuration file entries need to be in the below              #
#  formats.  RADIUS will accept only valid "Keyword : value(s)",   #
#  and will use defaults, if "Keyword : value(s)" are not          #
#  present or are in error.                                        #
#                                                                  #
#  It is important to check the syslog output when launching       #
#  the radius daemons to check for configuration parameter         #
#  errors. Once again, not all configuration errors will lead to   #
#  the server stopping.                                            #
#                                                                  #
#  Lastly, this file should be appropriately read/write protected, #
#  because it will affect the behavior of authentication and       #
#  accounting, and confidential or secretive material may          #
#  exist in this file.                                             #
#                                                                  #
#  IF YOU ARE EDITING THIS FILE, DO NOT CHANGE THE ORDER OF THE    #
#  ENTRIES IN THIS FILE. SMIT PANELS DEPEND ON THE ORDER.          #
#                                                                  #
#                                                                  #
#------------------------------------------------------------------#

#------------------------------------------------------------------#
#             Global Configuration                                 #
#                                                                  #
#   RADIUSdirectory  :  This is the base directory for the RADIUS  #
#                       daemon. The daemon will search this        #
#                       directory for further configuration files. #
#                                                                  #
#   Database_location : This is the value of where the             #
#                       authentication (user ids & passwords)      #
#                       will be stored and retrieved.              #
#                       Valid values: Local, LDAP, UNIX            #
#                       UNIX  - User defined in AIX system         #
#                       Local - Local AVL Database using raddbm    #
#                       LDAP  - Central Database                   #
#                                                                  #
#   Local_Database   :  This indicates the name of the local       #
#                       database file to be used.                  #
#                       This field must be completed if the        #
#                       Database location is Local.                #
#                                                                  #
#   Debug_Level      :  This pair sets the debug level at which    #
#                       the RADIUS server will run.  Appropriate   #
#                       values are 0,3 or 9. The default is 3.     #
#                       Output is directed to location specified   #
#                       by *.debug stanza in /etc/syslog.conf      #
#                                                                  #
#                       Each level increases the number of messages#
#                       sent to syslog. For example "9" includes   #
#                       the new messages provided by "9" as well   #
#                       as all messages generated by level 0 and 3.#
#                                                                  #
#                       0 : provides the minimal output to the     #
#                           syslogd log.  It sends start up        #
#                           and end messages for each RADIUS       #
#                           process.  It also logs error           #
#                           conditions.                            #
#                                                                  #
#                       3 : includes general ACCESS ACCEPT, REJECT #
#                           and DISCARD messages for each packet.  #
#                           This level provides a general audit    #
#                           trail for authentication.              #
#                                                                  #
#                       9 : Maximum amount of log data. Specific   #
#                           values of attributes while a           #
#                           transaction is passing through         #
#                           processing and more.                   #
#                           [NOT advised under normal operations]  #
#                                                                  #
#------------------------------------------------------------------#
RADIUSdirectory   : /etc/radius
Database_location : UNIX 
Local_Database    : dbdata.bin
Debug_Level       : 3 
#------------------------------------------------------------------#
#                 Accounting Configuration                         #
#                                                                  #
#  Local_Accounting :  When this flag is set to ON or TRUE a file  #
#                      will contain a record of ACCOUNTING START   #
#                      and STOP packets received from the Network  #
#                      Access Server(NAS).  The default log file   #
#                      is:                                         #
#                      /var/radius/data/accounting                 #
#                                                                  #
#  Local_accounting_loc  : /var/radius/data/accounting             #
#                        path and file name of the local           #
#                        accounting data file. Used only if Local_ #
#                        Accounting=ON. If the default is          #
#                        changed, then the path and file need      #
#                        to be created (with proper permissions)   #
#                        by the admin.                             #
#                                                                  #
#------------------------------------------------------------------#
Local_Accounting     : ON
Local_Accounting_loc : /var/radius/data/accounting
#------------------------------------------------------------------#
#     Reply Message Attributes                                     #
#                                                                  #
#     Accept_Reply-Message : Sent when the RADIUS server           #
#                            replies with an Access-Accept packet  #
#                                                                  #
#     Reject_Reply-Message : Sent when the RADIUS server           #
#                            replies with an Access-Reject packet  #
#                                                                  #
#     Challenge_Reply-Message   : Sent when the RADIUS server      #
#                                 replies with an Access-Challenge #
#                                 packet                           #
#------------------------------------------------------------------#
Accept_Reply-Message :
Reject_Reply-Message :
Challenge_Reply-Message :
Password_Expired_Reply-Message :
#------------------------------------------------------------------#
#    Support Renewal of Expired Password                           #
#                                                                  #
#    Allow_Password_Renewal: YES or NO                             #
#                            Setting this attribute to YES allows  #
#                            users to update their expired password#
#                            via the RADIUS protocol. This requires#
#                            the hardware support of               #
#                            Access-Password-Request packets.      #
#------------------------------------------------------------------#
Allow_Password_Renewal  : NO
#------------------------------------------------------------------#
#    Require Message Authenticator in Access-Request               #
#                                                                  #
#    Require_Message_Authenticator: YES or NO                      #
#                                   Setting this attribute to YES  #
#                                   checks for a Message-          #
#                                   Authenticator in each Access-  #
#                                   Request packet. If it is not   #
#                                   present, the packet is         #
#                                   discarded.                     #
#------------------------------------------------------------------#
Require_Message_Authenticator : NO
#------------------------------------------------------------------#
#       Servers ( Authentication and Accounting )                  #
#                                                                  #
#   Authentication_Ports : This field indicates on which port(s)   #
#                          the authentication server(s) will listen#
#                          on.  If the field is blank an           #
#                          authentication daemon will not be       #
#                          started.                                #
#                          The value field may contain more than   #
#                          one value.  Each value is REQUIRED to   #
#                          be separated by a comma ','.            #
#                                                                  #
#                          The value field must contain a numeric  #
#                          value, like "6666".  In this case a     #
#                          server daemon will listen on "6666".    #
#                                                                  #
#   Accounting_Ports     : The same as Authentication_Ports.  See  #
#                          above definitions.                      #
#                                                                  #
# [NOTE] There is no check for port conflicts.  If a server is     #
#        currently running on the specified port the daemon will   #
#        error and not run.  Be sure to check the syslog output    #
#        to ensure that all servers have started without incident. #
#                                                                  #
#                                                                  #
# [Example]                                                        #
#   Authentication_Ports  : 1812,6666 (No Space between commas)    #
#                                                                  #
#   In the above example a server will start for each port         #
#   specified.  In the case                                        #
#                                                                  #
#           6666 : port 6666                                       #
#                                                                  #
#------------------------------------------------------------------#
Authentication_Ports  : 1812     
Accounting_Ports      : 1813     
#------------------------------------------------------------------#
#       LDAP Directory User Information                            #
#                                                                  #
#   Required if RADIUS is to connect to a LDAP Version 3 Directory #
#   and the Database_location field=LDAP                           #
#                                                                  #
#   LDAP_User     : User ID which has admin permission to connect  #
#                   to the remote (LDAP) database. This is the     #
#                   the LDAP administrator's DN.                   #
#                                                                  #
#   LDAP_User_Pwd : Password associated with the above User Id     #
#                   which is required to authenticate to the LDAP  #
#                   directory.                                     #
#                                                                  #
#------------------------------------------------------------------#
LDAP_User        : cn=root
LDAP_User_Pwd    : 
#------------------------------------------------------------------#
#       LDAP Directory Information                                 #
#                                                                  #
#   If the Database_location field is set to "LDAP" then the       #
#   following fields need to be completed.                         #
#                                                                  #
#   LDAP_Server_name     : This field specifies the fully qualified#
#                          host name where the LDAP Version 3      #
#                          Server is located.                      #
#   LDAP_Server_Port     : The TCP port number for the LDAP server #
#                          The standard LDAP port is 389.          #
#   LDAP_Base_DN         : The distinguished name for search start #
#   LDAP_Timeout         : # seconds to wait for a response from   #
#                          the LDAP server                         #
#   LDAP_Hoplimit        : maximum number of referrals to follow   #
#                          in a sequence                           #
#   LDAP_Sizelimit       : size limit (in entries) for search      #
#   LDAP_Debug_level     : 0=OFF 1=Trace ON                        #
#                                                                  #
#------------------------------------------------------------------#
LDAP_Server_name          :  
LDAP_Server_port          :  389
LDAP_Base_DN              :  cn=aixradius
LDAP_Timeout              :  10
LDAP_Hoplimit             :  0
LDAP_Sizelimit            :  0
LDAP_Debug_level          :  0
#------------------------------------------------------------------#
#       PROXY RADIUS Information                                   #
#                                                                  #
#                                                                  #
#   Proxy_Allow               :  ON or OFF. If ON, then the server #
#                                can proxy packets to realms it    #
#                                knows of and the following        #
#                                fields must also be configured.   #
#   Proxy_Use_Table           :  ON or OFF. If ON, then the server #
#                                can use table for faster          #
#                                processing of duplicate requests  #
#                                Can be used without proxy ON, but #
#                                it is required to be ON if        #
#                                Proxy_Use_Table is set to ON.     #
#   Proxy_Realm_name          :  This field specifies the realm    #
#                                this server services.             #
#   Proxy_Prefix_delim        :  A list of separators for parsing  #
#                                realm names added as a prefix to  #
#                                the username.  This list must be  #
#                                mutually exclusive to the Suffix  #
#                                delimiters.                       #
#   Proxy_Suffix_delim        :  A list of separators for parsing  #
#                                realm names added as a suffix to  #
#                                the username.  This list must be  #
#                                mutually exclusive to the Prefix  #
#                                delimiters.                       #
#   Proxy_Remove_Hops         :  YES or NO.  If YES then the server#
#                                will remove its realm name, the   #
#                                realm names of any previous hops  #
#                                and the realm name of the next    #
#                                server the packet will proxy to.  #
#                                                                  #
#   Proxy_Retry_count         :  The number of times to attempt    #
#                                to send the request packet.       #
#                                                                  #
#   Proxy_Time_Out            :  The number of seconds to wait     #
#                                in between send attempts.         #
#                                                                  #
#------------------------------------------------------------------#
Proxy_Allow               :   OFF
Proxy_Use_Table           :   OFF
Proxy_Realm_name          :
Proxy_Prefix_delim        :   $/
Proxy_Suffix_delim        :   @.
Proxy_Remove_Hops         :   NO
Proxy_Retry_count         :   2
Proxy_Time_Out            :   30
#------------------------------------------------------------------#
#    Local Operating System Authentication Configuration           #
#                                                                  #
#  UNIX_Check_Login_Restrictions  : ON or OFF. If ON, during       #
#                                   local operating system authen- #
#                                   tication, a call to            #
#                                   loginrestrictions() will be    #
#                                   made to verify the user has    #
#                                   no local login restrictions.   #
#                                                                  #
#------------------------------------------------------------------#
UNIX_Check_Login_Restrictions : OFF
#------------------------------------------------------------------#
#    Global IP Pooling Flag                                        #
#                                                                  #
#  Enable_IP_Pool : ON or OFF. If ON, then RADIUS Server will do   #
#                   IP address assignment from a pool of addresses #
#                   defined to the RADIUS server.                  #
#                                                                  #
#------------------------------------------------------------------#
Enable_IP_Pool            :   OFF
#------------------------------------------------------------------#
# Send_Accept_MA: ON or OFF. Some NAS's dislike it if Message      #
#                 Authenticators (MA's) are present in an ACCEPT   #
#                 message. Use this option to disable sending MA   #
#                 when sending an ACCEPT.                          #
#                                                                  #
# NOTE: Sometimes these same NAS's do not like custom ACCEPT       #
# messages either.                                                 #
#                                                                  #
#------------------------------------------------------------------#
Send_Accept_MA : ON
#------------------------------------------------------------------#
#                                                                  #
# Maximum_Threads : The number of threads that will get            #
#                   spawned to handle authentication               #
#                   requests. If nothing is specified              #
#                   RADIUS defaults to 10.                         #
#                                                                  #
#------------------------------------------------------------------#
Maximum_Threads : 99
#------------------------------------------------------------------#
#                                                                  #
# EAP_Conversation_Timeout : The number of seconds to wait         #
#                            before a conversation becomes         #
#                            stale and gets deleted.               #
#                                                                  #
# NOTE: This prevents Denial-of-Service (DoS) attacks on the       #
#       RADIUS Authentication Server. You may need to increase     #
#       the value of this timeout if your network has high         #
#       latency.                                                   #
#                                                                  #
#------------------------------------------------------------------#
EAP_Conversation_Timeout : 30
#------------------------------------------------------------------#
# Global EAP-TLS (eap-tls) Configuration Settings:                 #
#                                                                  #
# Examples:                                                        #
#                                                                  #
# Enable_EAP-TLS : ON or OFF. If ON, then the server               #
#                  can use OpenSSL to authenticate users           #
#                  using EAP-TLS. These users must first           #
#                  have an EAP authentication type of 13           #
#                  (or EAP-TLS). This setting is found in          #
#                  smitty, using: 'smitty rad_conf_users'          #
#                                                                  #
# NOTE: The attributes below are completely ignored                #
#       if the above 'Enable_EAP-TLS' attribute is not 'ON'.       #
#                                                                  #
# OpenSSL_Library : /opt/freeware/lib/libssl.a(libssl.so.0.9.7)    #
# OpenSSL_Ciphers : ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH              #
# RootCA_Dir          : /etc/radius/tls                            #
# RootCA_File         : /etc/radius/tls/cacert.pem                 #
# Server_Cert_File    : /etc/radius/tls/cert-srv.pem               #
# Server_PrivKey_File : /etc/radius/tls/cert-srv.pem               #
# Server_CRL_File     : /etc/radius/tls/crl.pem                    #
#                                                                  #
# NOTE: Server_Cert_File and Server_PrivKey_File can be the        #
#       same file if the file is of the following format (but      #
#       in any order):                                             #
#                                                                  #
#       -----BEGIN RSA PRIVATE KEY-----                            #
#       Proc-Type: 4,ENCRYPTED                                     #
#       <rsa private key data here>                                #
#       -----END RSA PRIVATE KEY-----                              #
#       -----BEGIN CERTIFICATE-----                                #
#       <certificate data here>                                    #
#       -----END CERTIFICATE-----                                  #
#                                                                  #
#------------------------------------------------------------------#
Enable_EAP-TLS      : ON
OpenSSL_Library     : /opt/freeware/lib/libssl.a(libssl.so.0.9.7)
OpenSSL_Ciphers     : ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
RootCA_Dir          : /etc/radius/tls
RootCA_File         : /etc/radius/tls/radiusdcacert.pem
Server_Cert_File    : /etc/radius/tls/cert-srv.pem
Server_PrivKey_File : /etc/radius/tls/cert-srv.pem
Server_CRL_File     :
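The file header asks the administrator for four things: keep entries in "Keyword : value" form, keep their order because SMIT depends on it, read- and write-protect the file, and watch syslog for settings that silently fell back to defaults. The following Python is an added example of a pre-launch lint that does those checks offline; it is not IBM code. The keyword list and its order are copied from the sample file above, the items flagged under "review" (Debug_Level 9, Require_Message_Authenticator not YES, an empty LDAP_User_Pwd with Database_location LDAP, overlapping Proxy_Prefix_delim and Proxy_Suffix_delim, SSLv2 or RC4 in OpenSSL_Ciphers, an empty Server_CRL_File with EAP-TLS on) are this example's choices, and SAMPLE is a constructed file with deliberate mistakes, not the file shipped with AIX.

```python
"""Pre-launch lint for a radiusd.conf.  Added example, not IBM code: the
keyword list and order come from the sample file on this page; the
'Keyword : value' rule is the file's own."""
import os
import re
import stat

# Keyword order of the sample radiusd.conf above (SMIT depends on it).
EXPECTED_ORDER = [
    "RADIUSdirectory", "Database_location", "Local_Database", "Debug_Level",
    "Local_Accounting", "Local_Accounting_loc", "Accept_Reply-Message",
    "Reject_Reply-Message", "Challenge_Reply-Message", "Password_Expired_Reply-Message",
    "Allow_Password_Renewal", "Require_Message_Authenticator", "Authentication_Ports",
    "Accounting_Ports", "LDAP_User", "LDAP_User_Pwd", "LDAP_Server_name",
    "LDAP_Server_port", "LDAP_Base_DN", "LDAP_Timeout", "LDAP_Hoplimit",
    "LDAP_Sizelimit", "LDAP_Debug_level", "Proxy_Allow", "Proxy_Use_Table",
    "Proxy_Realm_name", "Proxy_Prefix_delim", "Proxy_Suffix_delim", "Proxy_Remove_Hops",
    "Proxy_Retry_count", "Proxy_Time_Out", "UNIX_Check_Login_Restrictions",
    "Enable_IP_Pool", "Send_Accept_MA", "Maximum_Threads", "EAP_Conversation_Timeout",
    "Enable_EAP-TLS", "OpenSSL_Library", "OpenSSL_Ciphers", "RootCA_Dir", "RootCA_File",
    "Server_Cert_File", "Server_PrivKey_File", "Server_CRL_File",
]
RANK = {k: i for i, k in enumerate(EXPECTED_ORDER)}
ENTRY_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*:\s*(.*?)\s*$")


def parse_conf(text):
    """Return ([(keyword, value), ...], [syntax problems]).  RADIUS falls back
    to defaults for unknown or malformed entries, so both are reported here."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank or comment line
        m = ENTRY_RE.match(line)
        if not m:
            problems.append(f"line {n}: not 'Keyword : value': {line.strip()!r}")
            continue
        key, value = m.group(1), m.group(2)
        if key not in RANK:
            problems.append(f"line {n}: unknown keyword {key!r} (RADIUS ignores it)")
        entries.append((key, value))
    return entries, problems


def order_problems(entries):
    """SMIT relies on the entry order: report known keywords out of order."""
    seen = [RANK[k] for k, _ in entries if k in RANK]
    return [f"{EXPECTED_ORDER[b]} should precede {EXPECTED_ORDER[a]}"
            for a, b in zip(seen, seen[1:]) if b < a]


def review_settings(entries):
    """Flag values worth a second look before going live (this example's choices)."""
    conf = dict(entries)

    def on(key):
        return conf.get(key, "").upper() in ("ON", "TRUE", "YES")

    f = []
    if conf.get("Debug_Level", "3") not in ("0", "3", "9"):
        f.append("Debug_Level must be 0, 3 or 9")
    elif conf.get("Debug_Level") == "9":
        f.append("Debug_Level 9 writes attribute values to syslog; not for normal operation")
    if not on("Require_Message_Authenticator"):
        f.append("Require_Message_Authenticator is not YES: requests without a Message-Authenticator are processed")
    if conf.get("Database_location", "").upper() == "LDAP" and not conf.get("LDAP_User_Pwd"):
        f.append("Database_location is LDAP but LDAP_User_Pwd is empty")
    if set(conf.get("Proxy_Prefix_delim", "")) & set(conf.get("Proxy_Suffix_delim", "")):
        f.append("Proxy_Prefix_delim and Proxy_Suffix_delim must be mutually exclusive")
    if on("Enable_EAP-TLS"):
        if re.search(r"SSLv2|RC4", conf.get("OpenSSL_Ciphers", "")):
            f.append("OpenSSL_Ciphers enables SSLv2/RC4, which are obsolete")
        if not conf.get("Server_CRL_File"):
            f.append("Enable_EAP-TLS is ON but Server_CRL_File is empty: no revocation checking")
    return f


def lint_text(text):
    entries, syntax = parse_conf(text)
    return {"entries": entries, "syntax": syntax,
            "order": order_problems(entries), "review": review_settings(entries)}


def lint_file(path):
    """lint_text plus the read/write protection the file header asks for."""
    with open(path) as fh:
        report = lint_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report["permissions"] = ([f"{path} mode {mode:04o} is readable or writable by group/other"]
                             if mode & 0o077 else [])
    return report


# Constructed sample with deliberate mistakes (not the file shipped with AIX).
SAMPLE = """\
Database_location : LDAP
Debug_Level       : 9
Require_Message_Authenticator : NO
LDAP_User        : cn=root
LDAP_User_Pwd    :
Authentication_Ports  : 1812
Enable_EAP-TLS      : ON
OpenSSL_Ciphers     : ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
Server_CRL_File     :
Debug_Levl : 3
this line is not a keyword/value pair
"""
```

Run lint_file("/etc/radius/radiusd.conf") before starting the daemons and treat a non-empty "syntax" or "order" list as a stop: a misspelled keyword is exactly the case the header warns about, since the daemon keeps running on the default value.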
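Require_Message_Authenticator : YES in the file above makes the server discard an Access-Request that carries no Message-Authenticator. When the attribute is present, the check is the RFC 2869 one: HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute's own 16-byte value zeroed. The following Python is an added example of that screening step, not the IBM server's code; SECRET, REQ_AUTH, the identifier and the user name are constructed placeholders, and build_access_request exists only to produce sample input.

```python
"""Integrity screen behind Require_Message_Authenticator.  Added example
implementing the RFC 2869 Message-Authenticator (attribute 80) rule, not the
IBM server's code; all sample values below are constructed placeholders."""
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Request Authenticator


def locate_message_authenticator(packet):
    """Walk the attribute TLVs after the header; return the offset of the
    Message-Authenticator value, or None if the attribute is absent.
    Raises ValueError when the attribute list is malformed."""
    pos = HEADER.size
    while pos < len(packet):
        if len(packet) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("Message-Authenticator must carry 16 bytes")
            return pos + 2
        pos += alen
    return None


def message_authenticator(packet, secret, offset):
    """HMAC-MD5 keyed with the shared secret over the entire packet, with the
    16-byte Message-Authenticator value replaced by zeros."""
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def screen_access_request(packet, secret, require_ma):
    """Return 'ok' if the packet may go on to authentication, otherwise the
    reason it is discarded.  require_ma=True mirrors
    Require_Message_Authenticator : YES: no attribute means discard."""
    if len(packet) < HEADER.size:
        return "malformed"
    code, _ident, length, _req_auth = HEADER.unpack_from(packet)
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        return "malformed"
    try:
        offset = locate_message_authenticator(packet)
    except ValueError:
        return "malformed"
    if offset is None:
        return "no-message-authenticator" if require_ma else "ok"
    expected = message_authenticator(packet, secret, offset)
    if not hmac.compare_digest(expected, packet[offset:offset + 16]):
        return "bad-message-authenticator"
    return "ok"


def build_access_request(ident, secret, user_name, req_auth, with_ma=True):
    """Constructed sample input: an Access-Request with User-Name and,
    optionally, a correctly computed Message-Authenticator."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user_name)]) + user_name
    if with_ma:
        attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    packet = HEADER.pack(CODE_ACCESS_REQUEST, ident, HEADER.size + len(attrs), req_auth) + attrs
    if with_ma:
        offset = locate_message_authenticator(packet)
        packet = packet[:offset] + message_authenticator(packet, secret, offset) + packet[offset + 16:]
    return packet


SECRET = b"constructed-shared-secret"   # placeholder, not a real secret
REQ_AUTH = bytes(range(16))             # placeholder Request Authenticator

if __name__ == "__main__":
    good = build_access_request(7, SECRET, b"alice", REQ_AUTH)
    print(screen_access_request(good, SECRET, require_ma=True))
```

Once the setting is YES, a NAS that never sends the attribute is refused outright, so confirm every NAS includes it, and watch the syslog discards right after enabling, rather than leaving the sample's default of NO in place.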
The EAP authentication methods for each user can be set with SMIT. To set the EAP methods for each user, perform the following steps:
Radius Server
     -> Configure users
          -> Local Database
             LDAP Directory
                  -> Add a user
                     Change/Show Characteristics of a user
                          ->
                          Login User ID [ ]
                          EAP Type [0 2 4]
                          Password Max Age
When EAP Type is selected, the following choices are available:
     0   None
     2   MD5-Challenge
     4   TLS
The selected EAP method is compared with the authentication method sequence that is set in the radiusd.conf file to perform authentication.
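The EAP-TLS section above allows Server_Cert_File and Server_PrivKey_File to name one file holding both the private key and the certificate, in any order, with the key carrying a Proc-Type: 4,ENCRYPTED header. The following Python is an added example, not IBM code, that parses that layout, confirms exactly one private key and at least one certificate are present, and reports a key stored in clear; it also treats a PKCS#8 "ENCRYPTED PRIVATE KEY" block as encrypted, which goes beyond the RSA example in the file. SAMPLE_BUNDLE is a constructed placeholder, not real key material.

```python
"""Check the combined Server_Cert_File / Server_PrivKey_File layout the
EAP-TLS section describes.  Added example, not IBM code; SAMPLE_BUNDLE is a
constructed placeholder, not real key material."""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, headers, body)] for each PEM block in file order.
    Header lines ('Proc-Type: ...', 'DEK-Info: ...') precede the base64 body."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, headers, body = m.group(1), {}, []
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line and not body:      # base64 never contains ':'
                k, v = line.split(":", 1)
                headers[k.strip()] = v.strip()
            else:
                body.append(line)
        blocks.append((label, headers, "".join(body)))
    return blocks


def check_server_bundle(text):
    """Findings for a file used as both certificate and private-key file:
    exactly one private key, at least one certificate, any order, and the
    key must be encrypted (legacy 'Proc-Type: 4,ENCRYPTED' header or a
    PKCS#8 'ENCRYPTED PRIVATE KEY' block).  An empty list means usable."""
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    findings = []
    if len(keys) != 1:
        findings.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        findings.append("no CERTIFICATE block found")
    for label, headers, body in keys:
        if not body:
            findings.append(f"{label} block is empty")
        encrypted = label.startswith("ENCRYPTED") or headers.get("Proc-Type") == "4,ENCRYPTED"
        if not encrypted:
            findings.append(f"{label} is stored in clear (no 'Proc-Type: 4,ENCRYPTED')")
    return findings


# Constructed placeholder: header layout from the file comment; the bodies are not real keys.
SAMPLE_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

cGxhY2Vob2xkZXIga2V5IGJ5dGVzLCBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydGlmaWNhdGUgYnl0ZXM=
-----END CERTIFICATE-----
"""
```

The clear-text finding matters because the certificate file is often copied to other hosts or left readable by the group that runs the daemon; when Server_Cert_File and Server_PrivKey_File are the same path, the key inherits whatever permissions the certificate has.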