.\" $OpenBSD: radiusd.conf.5,v 1.7 2015/10/26 06:44:40 yasuoka Exp $
.\"
.\" Copyright (c) 2014 Esdenera Networks GmbH
.\" Copyright (c) 2014 Internet Initiative Japan Inc.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: October 26 2015 $
.Dt RADIUSD.CONF 5
.Os
.Sh NAME
.Nm radiusd.conf
.Nd RADIUS daemon configuration file
.Sh DESCRIPTION
.Nm
is the configuration file for the RADIUS daemon,
.Xr radiusd 8 .
It has the following format:
.Pp
Empty lines and lines beginning with the
.Sq #
character are ignored.
.Pp
Keywords may be specified multiple times within the configuration file.
The configuration options are as follows:
.Bl -tag -width Ds
.It Xo
.Ic listen on Ar address
.Ic port Ar port
.Xc
Specify an
.Ar address
and a
.Ar port
to listen on.
.It Ic client Ar address/mask Brq ...
Allow access to a client with the specified
.Ar address
and
.Ar mask .
It is followed by a block of options enclosed in curly brackets:
.Bl -tag -width Ds
.It Ic secret Ar secret
The shared secret with the clients.
This option cannot be omitted.
.It Ic msgauth-required Ar yes | no
Message authentication is required if
.Dq yes
is specified.
.El
.It Ic module Ic load Ar name path
Load module
.Ar name
from
.Ar path .
The following modules are available:
.Bl -column "/usr/libexec/radiusd/radiusd_bsdauthXXX"
.It Sy "Path" Ta Sy "Description"
.It Pa /usr/libexec/radiusd/radiusd_bsdauth Ta Do bsdauth Dc module
.It Pa /usr/libexec/radiusd/radiusd_radius Ta Do radius Dc module
.El
.Bl -tag -width Ds
.It Do bsdauth Dc module
The
.Dq bsdauth
module provides authentication from the local system's
.Xr authenticate 3
interface,
known as
.Dq bsd auth .
It only supports PAP (password-based authentication).
.It Do radius Dc module
The
.Dq radius
module provides authentication from upstream RADIUS servers.
.El
.It Ic module Ic set Ar name Ar key Ar value ...
Set a module-specific configuration option of module
.Ar name
by
.Ar key
and
.Ar value .
.Pp
The
.Dq bsdauth
module supports the following configuration key and value:
.Bl -tag -width Ds -offset indent
.It Ic restrict-group Ar group ...
Restrict login to users who are members of one of the specified groups.
.El
.Pp
The
.Dq radius
module supports the following configuration keys and values:
.Bl -tag -width Ds -offset indent
.It Ic server Ar address Ns Op : Ns Ar port
Specify the upstream server's address and port.
If
.Ar port
is omitted, 1812 is used.
This configuration can be specified multiple times.
.It Ic secret Ar secret
Specify the shared secret with the servers.
.It Ic max-tries Ar number
Specify the maximum number of retransmissions for a server.
.Xr radiusd 8
will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission.
If the number of retransmissions per server reaches this value,
the current server is marked as
.Dq fail ,
and the next server is used for subsequent requests.
The default value is 3.
.It Ic max-failovers Ar number
If a positive number is specified,
.Xr radiusd 8
will fail over to the next server
when the current server is marked
.Dq fail .
This key and value specify the maximum number of failovers.
The default value is 0.
.It Ic request-timeout Ar sec
Specify the request timeout in seconds.
If this value is specified,
.Ar max-tries
and
.Ar max-failovers
will not be used.
.El
.It Ic authenticate Ar username-pattern ... Brq ...
Specify an authentication configuration for the users specified by
.Ar username-pattern .
Use shell globbing rules for the pattern;
multiple patterns can be specified by separating them with space characters.
When multiple
.Ic authenticate
lines are specified, the first
.Ic authenticate
setting whose
.Ar username-pattern
matches an authenticating user is used.
It is followed by a block of options enclosed in curly brackets:
.Bl -tag -width Ds
.It Ic authenticate-by Ar module
Specify the module name.
.El
.El
.Sh FILES
.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact
.It Pa /etc/radiusd.conf
Default
.Xr radiusd 8
configuration file.
.It Pa /usr/libexec/radiusd/radiusd_bsdauth
.Dq bsdauth
module executable.
.It Pa /usr/libexec/radiusd/radiusd_radius
.Dq radius
module executable.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
listen on 0.0.0.0
#listen on ::

client 127.0.0.1/32 {
	secret "secret"
}
client 192.168.0.0/24 {
	secret "secret"
	msgauth-required yes
}

module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth"
module set bsdauth restrict-group operator

module load radius "/usr/libexec/radiusd/radiusd_radius"
module set radius "secret" "testing123"
module set radius "server" "127.0.0.1"

authenticate *@example.com {
	authenticate-by radius
}
authenticate * {
	authenticate-by bsdauth
}
.Ed
.Sh SEE ALSO
.Xr authenticate 3 ,
.Xr radiusd 8
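The following is an added example and is not part of this manual page or of radiusd itself: a small Python checker for a radiusd.conf-style file that understands the keywords documented above. It flags a client block that omits secret (which the page says cannot be omitted), warns when a client does not set msgauth-required to yes, checks that every authenticate-by names a loaded module, and resolves which module authenticates a given user under the first-match shell-glob rule of authenticate. The functions parse_conf, check_conf, module_for_user and client_for_address are hypothetical helpers written here, not radiusd's parser; the embedded sample is the configuration from EXAMPLES, included as a constructed string so the script runs offline.

```python
import fnmatch
import ipaddress
import shlex

# Constructed sample input: the configuration from the EXAMPLES section.
SAMPLE_CONF = """\
listen on 0.0.0.0
#listen on ::

client 127.0.0.1/32 {
	secret "secret"
}
client 192.168.0.0/24 {
	secret "secret"
	msgauth-required yes
}

module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth"
module set bsdauth restrict-group operator

module load radius "/usr/libexec/radiusd/radiusd_radius"
module set radius "secret" "testing123"
module set radius "server" "127.0.0.1"

authenticate *@example.com {
	authenticate-by radius
}
authenticate * {
	authenticate-by bsdauth
}
"""


def parse_conf(text):
    """Hypothetical minimal parser (not radiusd's own) for the keywords in
    radiusd.conf(5).  Blocks are kept in file order, which matters for the
    first-match rule of 'authenticate'."""
    conf = {"listen": [], "clients": [], "modules": {}, "authenticate": []}
    block = None  # the client/authenticate block currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # empty lines and '#' comment lines are ignored
        if line == "}":
            block = None
            continue
        words = shlex.split(line)  # shlex strips the "quoted" values
        if block is not None:
            block["options"][words[0]] = words[1:]
        elif words[:2] == ["listen", "on"]:
            port = int(words[4]) if len(words) > 4 and words[3] == "port" else None
            conf["listen"].append((words[2], port))
        elif words[0] == "client":
            block = {"network": ipaddress.ip_network(words[1]), "options": {}}
            conf["clients"].append(block)
        elif words[:2] == ["module", "load"]:
            conf["modules"][words[2]] = {"path": words[3], "set": {}}
        elif words[:2] == ["module", "set"]:
            if words[2] not in conf["modules"]:
                raise ValueError("module set before module load: " + line)
            conf["modules"][words[2]]["set"].setdefault(words[3], []).append(words[4:])
        elif words[0] == "authenticate":
            block = {"patterns": [w for w in words[1:] if w != "{"], "options": {}}
            conf["authenticate"].append(block)
        else:
            raise ValueError("unknown keyword: " + line)
    return conf


def check_conf(conf):
    """Return problems per the constraints the man page states, plus a
    hardening warning for clients that do not require message authentication."""
    problems = []
    for c in conf["clients"]:
        opts = c["options"]
        if "secret" not in opts:
            problems.append(f"client {c['network']}: secret cannot be omitted")
        if opts.get("msgauth-required", ["no"])[0] != "yes":
            problems.append(f"client {c['network']}: msgauth-required is not yes")
    for a in conf["authenticate"]:
        label = "authenticate " + " ".join(a["patterns"])
        by = a["options"].get("authenticate-by")
        if not by:
            problems.append(f"{label}: authenticate-by is missing")
        elif by[0] not in conf["modules"]:
            problems.append(f"{label}: module {by[0]} is not loaded")
    return problems


def module_for_user(conf, username):
    """The first 'authenticate' line whose shell-glob pattern matches wins,
    so the order of the lines in the file is significant."""
    for a in conf["authenticate"]:
        if any(fnmatch.fnmatchcase(username, p) for p in a["patterns"]):
            return a["options"]["authenticate-by"][0]
    return None


def client_for_address(conf, address):
    """Return the client block covering a source address, or None when the
    address is not an allowed client."""
    ip = ipaddress.ip_address(address)
    for c in conf["clients"]:
        if ip in c["network"]:
            return c
    return None


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for p in check_conf(conf):
        print("warning:", p)
    for user in ("alice@example.com", "bob"):
        print(user, "->", module_for_user(conf, user))
```

Run against the sample, the only finding is that the 127.0.0.1/32 client does not set msgauth-required, and alice@example.com resolves to the radius module while bob falls through to the catch-all bsdauth line; swapping the two authenticate blocks would send every user to bsdauth, which is the ordering pitfall the first-match rule implies.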