dictionary(5) dictionary(5)
NAME
dictionary - RADIUS dictionary file
DESCRIPTION
The master RADIUS dictionary file resides in /etc/raddb/dictionary. It
references other dictionary files located in /usr/local/share/freera-
dius/. Each dictionary file contains a list of RADIUS attributes and
values, which the server uses to map between descriptive names and on-
the-wire data. The names have no meaning outside of the RADIUS server
itself, and are never exchanged between server and clients.
That is, editing the dictionaries will have NO EFFECT on anything other
than the server that is reading those files. Adding new attributes to
the dictionaries will have NO EFFECT on RADIUS clients, and will not
make RADIUS clients magically understand those attributes. The dictio-
naries are solely for local administrator convenience, and are specific
to each version of FreeRADIUS.
The dictionaries in /usr/local/share SHOULD NOT be edited unless you
know exactly what you are doing. Changing them will most likely break
your RADIUS deployment.
If you need to add new attributes, please edit the /etc/raddb/dictio-
nary file. It's sole purpose is to contain site-local defintions that
are added by the local administrator.
FORMAT
Every line starting with a hash sign ('#') is treated as comment and
ignored.
Each line of the file can contain one of the following strings
ATTRIBUTE name number type [vendor|options]
Define a RADIUS attribute name to number mapping. The name field
can be any non-space text, but is usually taken from RFC2865, and
other related documents. The number field is also taken from the
relevant documents, for that name. The type field can be one of
string, octets, ipaddr, integer, date, ifid, ipv6addr, ipv6prefix,
or ether abinary. See the RFC's, or the main dictionary file for
a description of the various types.
The last (optional) field of an attribute definition can have
either a vendor name, or options for that attribute. When a ven-
dor name is given, the attribute is defined to be a vendor spe-
cific attribute. Alternately, the options may be the a comma-sep-
arated list of the following options:
encrypt=[1-3]
Mark the attribute as being encrypted with one of three methods.
"1" means that the attribute is encrypted with the method as
defined in RFC2865 for the User-Password attribute. "2" means
that the password is encrypted with the method as defined in
RFC2868 for the Tunnel-Password attribute. "3" means that the
attribute is encrypted as per Ascend's definitions for the Ascend-
Send-Secret attribute.
has_tag
Mark the attribute as being permitted to have a tag, as defined in
RFC2868. The purpose of the tag is to allow grouping of
attributes for tunnelled users. See RFC2868 for more details.
When the server receives an encoded attribute in a RADIUS packet, it
looks up that attribute by number in the dictionary, and uses the name
found there for printing diagnostic and log messages.
VALUE attribute-name value-name number
Define an attribute value name to number mapping, for an attribute
of type integer. The attribute-name field MUST be previously
defined by an ATTRIBUTE entry. The value-name field can be any
non-space text, but is usually taken from RFC2865, or other docu-
ments.. The number field is also taken from the relevant docu-
ments, for that name.
When the server receives an encoded value in a RADIUS packet, it
looks up the value of that attribute by number in the dictionary,
and uses the name found there for printing diagnostic and log mes-
sages.
VENDOR vendor-name number [format=t,l]
Define a Vendor Specific Attribute encapsulation for vendor-name
to number. For a list of vendor names and numbers, see
http://www.iana.org/enterprise-numbers.txt.
The "format=t,l" statement tells the server how many octets to use to
encode/decode the vendor "type" and "length" fields in the attributes.
The default is "format=1,1", which does not have to be specified. For
USR VSA's, the format is "format=4,0", for Lucent VSA's it's "for-
mat=2,1", and for Starent VSA's it's "format=2,2".
The supported values for the number of type octets (i.e. the first
digit) are 1, 2, and 4. The support values for the number of length
octets (i.e. the second digit) are 0, 1, and 2. Any combination of
those values will work.
$INCLUDE filename
Include dictionary entries from the file filename. The filename
is taken as relative to the location of the file which is asking
for the inclusion.
FILES
/etc/raddb/dictionary, /usr/share/freeradius/dictionary.*
SEE ALSO
radiusd(8), naslist(5), RFC2865, RFC2866, RFC2868
31 Oct 2005 dictionary(5)
Mac OS X 10.6Server - Generated Thu Apr 15 07:12:12 CDT 2010