#
# [C] The Regents of the University of Michigan and Merit Network, Inc. 1992,
# 1993, 1994, 1995, 1996 All Rights Reserved
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for any purpose and without fee is hereby granted, provided
# that the above copyright notice and this permission notice appear in all
# copies of the software and derivative works or modified versions thereof,
# and that both the copyright notice and this permission and disclaimer
# notice appear in supporting documentation.
#
# THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
# EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE REGENTS OF THE
# UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INC. DO NOT WARRANT THAT THE
# FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS OR
# THAT OPERATION WILL BE UNINTERRUPTED OR ERROR FREE.  The Regents of the
# University of Michigan and Merit Network, Inc. shall not be liable for any
# special, indirect, incidental or consequential damages with respect to any
# claim by Licensee or any third party arising from use of the software.
#
#	This file provides information which is required if any entry in
#	the "users" file specifies "Authentication-Type = Realm" as the type
#	of authentication to be performed.

#	This file contains a list of "realm" names which represent
#	authentication systems which may be used to authenticate a user.
#	Normally the user specifies the system where authentication is to
#	be performed by appending a realm name to his/her user id.  For
#	example, "joe@xyz" indicates that user joe wants to be authenticated
#	by realm xyz.  It is the purpose of this file to map the realm name
#	"xyz" to the actual DNS name of the authentication system and the
#	authentication protocol to be used.

#	The first field of each line is a realm name to be mapped.
#	Two optional entries may be placed between the realm name and the
#	"second" field.  The realm name may be followed by a parenthesized
#	list of aliases for the preferred authentication realm name.
#	It may also be followed by an optional indicator (marked with a
#	leading hyphen) of the authentication protocol to which the entry
#	is applicable.  By default, an entry applies to both password and
#	CHAP authentication, but an optional -CHAP or -PW indicates this
#	entry applies only to the specific protocol.  The default is -DFLT
#	which matches either protocol type.  The entries are searched in
#	order, so a -CHAP or -PW entry preceding a -DFLT entry will take
#	precedence.
#
#	The second field identifies the type of authentication to be performed
#	for this realm name.  This field may contain one of the following
#	keywords:
#
#	Unix-PW - Indicating the local Unix /etc/passwd file is to be used;
#	Passwd  - Same as Unix-PW;
#	AFS-Krb - For AFS Kerberos authentication at the default Kerberos realm;
#	MIT-Krb - For MIT Kerberos authentication at the default Kerberos realm;
#	RADIUS  - The request is to be relayed to the specified RADIUS server;
#	FILE    - Flat file lookup with encrypted passwords in "users" format;
#		  this is only available with the Merit LAS license.
#	TACACS  - Make an extended (and encrypted) request to the specified
#		  TACACS server;
#	KCHAP   - Kerberos CHAP database lookup to be done in this machine;
#	MNET    - Strange and archaic Merit authentication.
#
#	The third field is dependent upon the authentication type.
#	For KRB servers, the third field is the Kerberos realm name to
#	be used.  Note that the /etc/krb.conf file must have valid entries
#	for the realm.   For MNET servers, the third field is the name of
#	the /etc/minostab entry to use for the server.  For TACACS, it is
#	the DNS name of the machine running the appropriate TACACS server.
#
#	The RADIUS type indicates the authentication is to be performed
#	by a remote RADIUS server.  The attribute value-pairs returned
#	by the remote RADIUS server are propagated back to the NAS.  RADIUS
#	servers check to see if the third field contains their DNS name,
#	in which case the request is handled as a local "Unix-PW" request.
#
#	The last field, the filter ID, allows the optional specification
#	of a packet filter name to be associated with authentication via
#	this realm name.  It will override any explicit filter name specified
#	in the "users" file.
#
#	A "DEFAULT" entry may be included in this file which indicates how
#	to handle authentication requests specifying realm names not explicitly 
#	included in this file.  Usually it will specify a remote RADIUS server
#	to relay the request to.

#	A "NULL" entry may also be included in this file to indicate how
#	to handle authentication requests which don't specify a realm name,
#	but which are being authenticated using Authentication-Type = Realm.

#
#	The following two lines specify default server names to use for
#	Authentication-Type entries of RADIUS or TACACS, respectively, which
#	may be configured in a "users" file.  These override the corresponding
#	C pre-processor #define directives in the radius.h include file.
#

#DEFAULT_RADIUS_SERVER  radius.server.dns.name
#DEFAULT_TACACS_SERVER  tacacs.server.dns.name

#Realm [(alias[,alias])]  [-prot]  Type    REALM/DNS address	Filter ID
#-----------------------  -------  ----    -----------------	---------

#	Authentication requests for realm "umich.edu" which contain CHAP
#	protocol information are handled by the first entry.  Non-CHAP
#	requests for umich.edu are all handled by the second entry.

umich.edu (umich, test)   -CHAP    RADIUS  krbdb.merit.EDU	umich
umich.edu (umich)		   AFS-KRB UMICH.EDU		umich

merit.edu (merit, mrt )		   RADIUS  merit.edu		

tacacs (ta, vms)		   TACACS  vms.system.merit.edu
 
#	The following entry will typically be configured in the authfile for
#	the RADIUS server running on the system with the matching DNS name.
#	It says to use the UNIX password file for authentication.

your.realm.name			   UNIX-PW

#	This entry says to pass requests with authentication realm names
#	which didn't appear in this file along to another RADIUS server.

DEFAULT				   RADIUS  main-radius.server.net

#	This next entry says to handle requests which don't have a realm
#	name appended to the user id as local user ids.

NULL				   UNIX-PW
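
#	Added example, not part of the original file and not Merit's code: a
#	Python sketch of the first-match lookup described above (aliases,
#	-CHAP/-PW/-DFLT indicators, DEFAULT and NULL), run over the sample entries.
#	The names parse_authfile and resolve, case-insensitive realm comparison,
#	and never matching a typed realm against the DEFAULT/NULL keywords are
#	assumptions of this sketch.

```python
import re

# Constructed sample: the active entries of the file above, reflowed with spaces.
SAMPLE = """\
umich.edu (umich, test)  -CHAP  RADIUS   krbdb.merit.EDU  umich
umich.edu (umich)               AFS-KRB  UMICH.EDU        umich
merit.edu (merit, mrt )         RADIUS   merit.edu
tacacs (ta, vms)                TACACS   vms.system.merit.edu
your.realm.name                 UNIX-PW
DEFAULT                         RADIUS   main-radius.server.net
NULL                            UNIX-PW
"""

# realm, optional (aliases), optional -CHAP/-PW/-DFLT, then the remaining fields
ENTRY = re.compile(r"([^\s(]+)\s*(?:\(([^)]*)\))?\s*(?:-(CHAP|PW|DFLT)\s)?\s*(.*)", re.I)
DIRECTIVES = ("DEFAULT_RADIUS_SERVER", "DEFAULT_TACACS_SERVER")

def parse_authfile(text):
    """Return entries in file order; order matters because lookup is first-match."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or line.startswith(DIRECTIVES):
            continue
        realm, aliases, prot, rest = ENTRY.match(line).groups()
        fields = rest.split() + [None, None]
        if fields[0] is None:
            continue  # no authentication type: not a usable entry
        names = {realm} | {a.strip() for a in (aliases or "").split(",") if a.strip()}
        entries.append({
            # Assumption of this sketch: realm names compare case-insensitively.
            "names": {n.lower() for n in names},
            "keyword": realm if realm in ("DEFAULT", "NULL") else None,
            "prot": (prot or "DFLT").upper(),
            "type": fields[0], "target": fields[1], "filter": fields[2],
        })
    return entries

def resolve(entries, user_id, chap=False):
    """First entry whose realm/alias and protocol indicator match the request."""
    realm = user_id.rsplit("@", 1)[1].lower() if "@" in user_id else None
    wanted = ("CHAP" if chap else "PW", "DFLT")
    def first(pred):
        return next((e for e in entries if e["prot"] in wanted and pred(e)), None)
    if realm is None:                      # no realm appended: NULL entry
        return first(lambda e: e["keyword"] == "NULL")
    # Explicit entries first, then DEFAULT; keyword entries never match typed realms.
    return (first(lambda e: e["keyword"] is None and realm in e["names"])
            or first(lambda e: e["keyword"] == "DEFAULT"))
```

#	Note that the alias "test" exists only on the -CHAP entry, so a password
#	request for joe@test falls through to DEFAULT and is relayed.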
