1.\"	$OpenBSD: radiusd.conf.5,v 1.18 2023/09/14 09:55:28 yasuoka Exp $
2.\"
3.\" Copyright (c) 2014 Esdenera Networks GmbH
4.\" Copyright (c) 2014, 2023 Internet Initiative Japan Inc.
5.\"
6.\" Permission to use, copy, modify, and distribute this software for any
7.\" purpose with or without fee is hereby granted, provided that the above
8.\" copyright notice and this permission notice appear in all copies.
9.\"
10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17.\"
18.Dd $Mdocdate: September 14 2023 $
19.Dt RADIUSD.CONF 5
20.Os
21.Sh NAME
22.Nm radiusd.conf
23.Nd RADIUS daemon configuration file
24.Sh DESCRIPTION
25.Nm
26is the configuration file for the RADIUS daemon,
27.Xr radiusd 8 .
28It has the following format:
29.Pp
30Empty lines and lines beginning with the
31.Sq #
32character are ignored.
33.Pp
34Keywords may be specified multiple times within the configuration file.
35The configuration options are as follows:
36.Bl -tag -width Ds
.It Xo
.Ic listen on Ar address
.Op Ic port Ar port
.Xc
Specify an
.Ar address
and, optionally, a
.Ar port
to listen on for RADIUS requests.
.It Ic client Ar address/mask Brq ...
Accept RADIUS requests from clients within the network specified by
.Ar address
and
.Ar mask .
51It is followed by a block of options enclosed in curly brackets:
52.Bl -tag -width Ds
.It Ic secret Ar secret
The secret shared with these clients;
RADIUS uses it to authenticate messages and to obscure passwords.
Use a long, random value.
This option cannot be omitted.
.It Ic msgauth-required Ar yes | no
Specify whether requests from these clients must carry a
Message-Authenticator attribute, which protects the integrity of the
request under the shared secret.
The default is
.Cm yes ;
set it to
.Cm no
only for clients that cannot send the attribute.
59.El
60.It Ic module load Ar name path
61Load a module
62from
63.Ar path
64and name it with the given
65.Ar name .
66The following modules are available:
67.Bl -column "/usr/libexec/radiusd/radiusd_bsdauthXXX"
68.It Sy "Path" Ta Sy "Description"
69.It Pa /usr/libexec/radiusd/radiusd_bsdauth Ta Do bsdauth Dc module
70.It Pa /usr/libexec/radiusd/radiusd_radius Ta Do radius Dc module
71.It Pa /usr/libexec/radiusd/radiusd_standard Ta Do standard Dc module
72.El
73.Bl -tag -width Ds
74.It Do bsdauth Dc module
75The
76.Dq bsdauth
77module provides authentication from the local system's
78.Xr authenticate 3
79interface,
80known as
81.Dq bsd auth .
It supports only PAP, i.e. plain password-based authentication.
83.It Do radius Dc module
84The
85.Dq radius
86module provides authentication from upstream RADIUS servers.
87.It Do standard Dc module
88The
89.Dq standard
module provides standard decorations for Access-Request messages and
their response messages.
92.El
93.It Ic module set Ar module key value ...
94Configure the module specific configurations by
95.Ar key
96and
97.Ar value
98for the module specified by
99.Ar module .
Note that
.Ar module ,
.Ar key ,
and
.Ar value
must be quoted if they would otherwise be taken as a reserved word
such as
.Dq secret .
108.Pp
109The
110.Dq bsdauth
111module supports the following configuration key and value:
112.Bl -tag -width Ds -offset indent
.It Ic restrict-group Ar group ...
Permit login only if the user is a member of one of the specified groups;
all other users are rejected.
115.El
116.Pp
117The
118.Dq radius
119module supports the following configuration key and value:
120.Bl -tag -width Ds -offset indent
121.It Ic server Ar address Ns Op : Ns Ar port
122Specify the upstream server's address and port.
123If
124.Ar port
125is omitted, 1812 is used.
126This configuration can be specified multiple times.
.It Ic secret Ar secret
Specify the secret shared with all of the upstream servers listed by
.Ic server .
This option cannot be omitted.
130.It Ic max-tries Ar number
131Specify the maximum number of retransmissions for a server.
132.Xr radiusd 8
133will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission
134and subsequent retransmissions will occur every 8 seconds.
135If the number of retransmissions per server reaches this value,
136the current server is marked as
137.Dq fail ,
138and the next server is used for subsequent requests.
139The default value is 3.
140.It Ic max-failovers Ar number
141If a positive number is specified,
142.Xr radiusd 8
143will failover to the next server
144when the current server is marked
145.Dq fail .
This option specifies the maximum number of failovers.
The default value is 0, which disables failover.
148.It Ic request-timeout Ar sec
Specify the request timeout in seconds.
If this value is specified,
.Ic max-tries
and
.Ic max-failovers
are not used.
155.El
156.Pp
157The
158.Dq standard
159module supports the following configuration key and value:
160.Pp
161.Bl -tag -width Ds -offset indent -compact
162.It Ic strip-atmark-realm Ar true | false
163Remove the realm part which starts with @
164.Pq atmark
165from the User-Name attribute of the Access-Request.
166.Pp
167.It Ic strip-nt-domain Ar true | false
168Remove NT domain which ends with \\
169.Pq backslash
170from the User-Name attribute of the Access-Request.
171.Pp
172.It Cm remove-request-attribute Oo Ar vendor Oc Ar type
173.It Cm remove-response-attribute Oo Ar vendor Oc Ar type
Remove every occurrence of the specified attribute from Access-Request
messages or from their response messages, respectively.
Specify the attribute
.Ar type
as a decimal number.
To specify a vendor-specific attribute,
give the Vendor-Id as a decimal number for
.Ar vendor .
183.El
184.It Ic authenticate Ar username-pattern ... Brq ...
185Specify an authentication configuration for the users specified by
186.Ar username-pattern .
Shell globbing rules apply to the pattern;
multiple patterns are separated by spaces.
When multiple
.Ic authenticate
lines are specified, the first one whose
.Ar username-pattern
matches the authenticating user is used.
196It is followed by a block of options enclosed in curly brackets:
197.Bl -tag -width Ds
.It Ic authenticate-by Ar module
Specify the name of the module, as given to
.Ic module load ,
that authenticates the matching users.
.It Ic decorate-by Ar module
Specify the name of the module that decorates the Access-Request
messages and their responses for the matching users.
202.El
203.El
204.Sh FILES
205.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact
206.It Pa /etc/radiusd.conf
207Default
208.Xr radiusd 8
209configuration file.
210.It Pa /etc/examples/radiusd.conf
211Example configuration file.
212.It Pa /usr/libexec/radiusd/radiusd_bsdauth
213.Dq bsdauth
214module executable.
215.It Pa /usr/libexec/radiusd/radiusd_radius
216.Dq radius
217module executable.
218.El
219.Sh EXAMPLES
220.Bd -literal -offset indent
221listen on 0.0.0.0
222listen on ::
223
224client 127.0.0.1/32 {
225	secret "secret"
226	msgauth-required no
227}
228client 192.168.0.0/24 {
229	secret "secret"
230}
231
232module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth"
233module set bsdauth restrict-group operator
234
235module load radius "/usr/libexec/radiusd/radiusd_radius"
236module set radius secret "testing123"
237module set radius server "127.0.0.1"
238
239module load strip-realm "/usr/libexec/radiusd/radiusd_standard"
240module set strip-realm strip-atmark-realm true
241
242authenticate *@local {
243	authenticate-by bsdauth
244	decorate-by strip-realm
245}
246authenticate * {
247	authenticate-by radius
248}
249.Ed
250.Sh SEE ALSO
251.Xr authenticate 3 ,
252.Xr radiusd 8
253