Man Linux: Main Page and Category List

NAME

       dictionary - RADIUS dictionary file

DESCRIPTION

       The master RADIUS dictionary file resides in /etc/raddb/dictionary.  It
       references      other      dictionary      files       located       in
       /usr/local/share/freeradius/.   Each dictionary file contains a list of
       RADIUS attributes and values, which the  server  uses  to  map  between
       descriptive  names  and  on-the-wire  data.   The names have no meaning
       outside of the RADIUS server itself, and are  never  exchanged  between
       server and clients.

       That is, editing the dictionaries will have NO EFFECT on anything other
       than the server that is reading those files.  Adding new attributes  to
       the  dictionaries  will  have NO EFFECT on RADIUS clients, and will not
       make  RADIUS  clients  magically  understand  those  attributes.    The
       dictionaries  are  solely  for local administrator convenience, and are
       specific to each version of FreeRADIUS.

       The dictionaries in /usr/local/share SHOULD NOT be  edited  unless  you
       know  exactly what you are doing.  Changing them will most likely break
       your RADIUS deployment.

       If   you   need   to   add   new   attributes,    please    edit    the
       /etc/raddb/dictionary file.  It’s sole purpose is to contain site-local
       defintions that are added by the local administrator.

FORMAT

       Every line starting with a hash sign (’#’) is treated  as  comment  and
       ignored.

       Each line of the file can contain one of the following strings

       ATTRIBUTE name number type [vendor|options]
            Define  a RADIUS attribute name to number mapping.  The name field
            can be any non-space text, but is usually taken from RFC2865,  and
            other  related documents.  The number field is also taken from the
            relevant documents, for that name.  The type field can be  one  of
            string, octets, ipaddr, integer, date, ifid, ipv6addr, ipv6prefix,
            or ether abinary.  See the RFC’s, or the main dictionary file  for
            a description of the various types.

            The  last  (optional)  field  of  an attribute definition can have
            either a vendor name, or  options  for  that  attribute.   When  a
            vendor  name  is  given,  the  attribute is defined to be a vendor
            specific attribute.  Alternately, the options may be the a  comma-
            separated list of the following options:

                             encrypt=[1-3]

            Mark  the  attribute as being encrypted with one of three methods.
            "1" means that the attribute  is  encrypted  with  the  method  as
            defined  in  RFC2865  for  the User-Password attribute.  "2" means
            that the password is encrypted  with  the  method  as  defined  in
            RFC2868  for  the  Tunnel-Password  attribute.  "3" means that the
            attribute is encrypted as per Ascend’s definitions for the Ascend-
            Send-Secret attribute.

                 has_tag

            Mark the attribute as being permitted to have a tag, as defined in
            RFC2868.   The  purpose  of  the  tag  is  to  allow  grouping  of
            attributes for tunnelled users.  See RFC2868 for more details.

       When  the  server  receives an encoded attribute in a RADIUS packet, it
       looks up that attribute by number in the dictionary, and uses the  name
       found there for printing diagnostic and log messages.

       VALUE attribute-name value-name number
            Define an attribute value name to number mapping, for an attribute
            of type integer.  The  attribute-name  field  MUST  be  previously
            defined  by  an  ATTRIBUTE entry.  The value-name field can be any
            non-space text, but  is  usually  taken  from  RFC2865,  or  other
            documents..   The  number  field  is  also taken from the relevant
            documents, for that name.

            When the server receives an encoded value in a RADIUS  packet,  it
            looks  up the value of that attribute by number in the dictionary,
            and uses the name found there  for  printing  diagnostic  and  log
            messages.

       VENDOR vendor-name number [format=t,l]
            Define  a  Vendor Specific Attribute encapsulation for vendor-name
            to  number.   For  a  list  of  vendor  names  and  numbers,   see
            http://www.iana.org/enterprise-numbers.txt.

       The  "format=t,l"  statement tells the server how many octets to use to
       encode/decode the vendor "type" and "length" fields in the  attributes.
       The  default is "format=1,1", which does not have to be specified.  For
       USR  VSA’s,  the  format  is  "format=4,0",  for  Lucent   VSA’s   it’s
       "format=2,1", and for Starent VSA’s it’s "format=2,2".

       The  supported  values  for  the  number of type octets (i.e. the first
       digit) are 1, 2, and 4.  The support values for the  number  of  length
       octets  (i.e.  the  second  digit) are 0, 1, and 2.  Any combination of
       those values will work.

       $INCLUDE filename
            Include dictionary entries from the file filename.   The  filename
            is  taken  as relative to the location of the file which is asking
            for the inclusion.

FILES

       /etc/raddb/dictionary, /usr/share/freeradius/dictionary.*

SEE ALSO

       radiusd(8), naslist(5), RFC2865, RFC2866, RFC2868

                                  31 Oct 2005                    dictionary(5)