radiusd.conf(5) - OpenBSD manual pages

NAME

radiusd.conf — RADIUS daemon configuration file

DESCRIPTION

radiusd.conf is the configuration file for the RADIUS daemon, radiusd(8). It has the following format:

Empty lines and lines beginning with the ‘#’ character are ignored.

Keywords may be specified multiple times within the configuration file. The configuration options are as follows:

listen on address port port

Specify an address and a port to listen on.

client address/mask {...}

Allow access to a client with the specified address and mask. It is followed by a block of options enclosed in curly brackets:

secret secret: The shared secret with the clients. This option cannot be omitted.
msgauth-required yes | no: Specify if message authentication is required. The default is to require message authentication.

module load name path

Load a module from path and name it with the given name. The following modules are available:

Path	Description
/usr/libexec/radiusd/radiusd_bsdauth	“bsdauth” module
/usr/libexec/radiusd/radiusd_radius	“radius” module
/usr/libexec/radiusd/radiusd_standard	“standard” module

“bsdauth” module: The “bsdauth” module provides authentication from the local system's authenticate(3) interface, known as “bsd auth”. It only supports PAP, password based authentication.
“radius” module: The “radius” module provides authentication from upstream RADIUS servers.
“standard” module: The “standard” module provides standard decorations for Access-Request messages or its response messages.

module set module key value ...

Configure the module specific configurations by key and value for the module specified by module. Notice that module, key, and value must be quoted to be distinguished from the reserved word (e.g. “secret”) if needed.

The “bsdauth” module supports the following configuration key and value:

restrict-group group ...: Restrict login only if the user is a member of the specified groups.

The “radius” module supports the following configuration key and value:

server address[:port]: Specify the upstream server's address and port. If port is omitted, 1812 is used. This configuration can be specified multiple times.
secret secret: Specify the shared secret with the servers. This configuration cannot be omitted.
max-tries number: Specify the maximum number of retransmissions for a server. radiusd(8) will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission and subsequent retransmissions will occur every 8 seconds. If the number of retransmissions per server reaches this value, the current server is marked as “fail”, and the next server is used for subsequent requests. The default value is 3.
max-failovers number: If a positive number is specified, radiusd(8) will failover to the next server when the current server is marked “fail”. This key and value specifies the maximum number of failovers. The default value is 0.
request-timeout sec: Specify the request timeout in seconds. If this value is specified, max-tries and max-failover will not be used.

The “standard” module supports the following configuration key and value:

strip-atmark-realm true | false: Remove the realm part which starts with @ (atmark) from the User-Name attribute of the Access-Request.
strip-nt-domain true | false: Remove NT domain which ends with \ (backslash) from the User-Name attribute of the Access-Request.
remove-request-attribute [vendor] type
remove-response-attribute [vendor] type: Remove all the specified attributes from request or response messages of Access-Request. Specify type of the attribute in a decimal number. To specify a vendor attribute, specify the Vendor-Id in a decimal number for vendor.

authenticate username-pattern ... {...}

Specify an authentication configuration for the users specified by username-pattern. Use shell globbing rules for the pattern; multiple patterns can be specified by separating with space characters. When multiple authenticate lines are specified, the first authenticate setting whose username-pattern matches an authenticating user is used. It is followed by a block of options enclosed in curly brackets:

authenticate-by module: Specify the module name.
decorate-by module: Specify the module name.

FILES

/etc/radiusd.conf: Default radiusd(8) configuration file.
/etc/examples/radiusd.conf: Example configuration file.
/usr/libexec/radiusd/radiusd_bsdauth: “bsdauth” module executable.
/usr/libexec/radiusd/radiusd_radius: “radius” module executable.

EXAMPLES

listen on 0.0.0.0
listen on ::

client 127.0.0.1/32 {
	secret "secret"
	msgauth-required no
}
client 192.168.0.0/24 {
	secret "secret"
}

module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth"
module set bsdauth restrict-group operator

module load radius "/usr/libexec/radiusd/radiusd_radius"
module set radius secret "testing123"
module set radius server "127.0.0.1"

module load strip-realm "/usr/libexec/radiusd/radiusd_standard"
module set strip-realm strip-atmark-realm true

authenticate *@local {
	authenticate-by bsdauth
	decorate-by strip-realm
}
authenticate * {
	authenticate-by radius
}

OpenBSD manual page server

NAME

DESCRIPTION

FILES

EXAMPLES

SEE ALSO