5.1.3 auth statement

Syntax:

auth { listen ( addr-list | no ); forward addr-list; port number ; max-requests number ; time-to-live number ; request-cleanup-delay number ; detail bool ; strip-names bool ; checkrad-assume-logged bool ; password-expire-warning number ; compare-atribute-flag character ; trace-rules bool ; reject-malformed-names bool ; } ;

Usage:

listen statement

This statement determines on which addresses radiusd will listen for incoming authentication requests. Its argument is a comma-separated list of items in the form ip:port-number. ip can be either an IP address in familiar "dotted-quad" notation or a hostname. :port-number part may be omitted, in which case the default authentication port is assumed.

If the listen statement is omitted, radiusd will accept incoming requests from any interface on the machine.

The special value no disables listening for authentication requests.

The following example configures radius to listen for the incoming requests on the default authentication port on the address 10.10.10.1 and on port 1645 on address 10.10.11.2.

listen 10.10.10.1, 10.10.11.2:1645;

forward statement

This statement enables forwarding of the requests to the given set of servers. Forwarding is an experimental feature of GNU Radius, it differs from proxying in that the requests are sent to the remote server (or servers) and processed locally. The remote server is not expected to reply.

This mode is intended primarily for debugging purposes. It could also be useful in some very complex and unusual configurations.

Numeric statements

port

Sets the number of which UDP port to listen on for the authentication requests.

max-requests

Sets the maximum number of authentication requests in the queue. Any surplus requests will be discarded.

time-to-live

Sets the request time-to-live in seconds. The time-to-live is the time to wait for the completion of the request. If the request job isn't completed within this interval of time it is cleared, the corresponding child process killed and the request removed from the queue.

request-cleanup-delay

Sets the request cleanup delay in seconds, i.e. determines how long will the completed authentication request reside in the queue.

password-expire-warning

Sets the time interval for password expiration warning. If user's password expires within given number of seconds, radiusd will send a warning along with authentication-acknowledge response. Default is 0.

Boolean statements

detail

When set to true, radiusd will produce the detailed log of each received packet in the file `radacct/nasname/detail.auth'. The format of such log files is identical to the format of detailed accounting files (see section 8.2 Detailed Request Accounting).

strip-names

Determines whether radiusd should strip any prefixes/suffixes off the username before logging.

checkrad-assume-logged

See section 5.1.11 mlc statement, for the description of this setting. It is accepted in auth for compatibility with previous versions of GNU Radius.

trace-rules

Enables tracing of the configuration rules that were matched during processing of each received authentication request. See section 10.1 Rule Tracing, for detailed information about this mode.

reject-malformed-names

Enables sending access-reject replies for the access-accept requests that contain an invalid value in User-Name attribute. By default such requests are discarded without answering. See the description of username-chars (see section Option statement).

Character statement

compare-attribute-flag

The argument to this statement is a character from `1' through `9'. This statement modifies the request comparison method for authentication requests. See section 6.1 Extended Comparison, for a detailed description of its usage.