usr.sbin/radiusd/radiusd.conf.5

.\"	$OpenBSD: radiusd.conf.5,v 1.14 2020/04/23 21:28:10 jmc Exp $
.\"
.\" Copyright (c) 2014 Esdenera Networks GmbH
.\" Copyright (c) 2014 Internet Initiative Japan Inc.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: April 23 2020 $
.Dt RADIUSD.CONF 5
.Os
.Sh NAME
.Nm radiusd.conf
.Nd RADIUS daemon configuration file
.Sh DESCRIPTION
.Nm
is the configuration file for the RADIUS daemon,
.Xr radiusd 8 .
It has the following format:
.Pp
Empty lines and lines beginning with the
.Sq #
character are ignored.
.Pp
Keywords may be specified multiple times within the configuration file.
The configuration options are as follows:
.Bl -tag -width Ds
.It Xo
.Ic listen on Ar address
.Ic port Ar port
.Xc
Specify an
.Ar address
and a
.Ar port
to listen on.
.It Ic client Ar address/mask Brq ...
Allow access to a client with the specified
.Ar address
and
.Ar mask .
It is followed by a block of options enclosed in curly brackets:
.Bl -tag -width Ds
.It Ic secret Ar secret
The shared secret with the clients.
This option cannot be omitted.
.It Ic msgauth-required Ar yes | no
Message authentication is required if
.Dq yes
is specified.
.El
.It Ic module load Ar name path
Load a module
from
.Ar path
and name it with the given
.Ar name .
The following modules are available:
.Bl -column "/usr/libexec/radiusd/radiusd_bsdauthXXX"
.It Sy "Path" Ta Sy "Description"
.It Pa /usr/libexec/radiusd/radiusd_bsdauth Ta Do bsdauth Dc module
.It Pa /usr/libexec/radiusd/radiusd_radius Ta Do radius Dc module
.El
.Bl -tag -width Ds
.It Do bsdauth Dc module
The
.Dq bsdauth
module provides authentication from the local system's
.Xr authenticate 3
interface,
known as
.Dq bsd auth .
It only supports PAP, password based authentication.
.It Do radius Dc module
The
.Dq radius
module provides authentication from upstream RADIUS servers.
.El
.It Ic module set Ar module key value ...
Configure the module specific configurations by
.Ar key
and
.Ar value
for the module specified by
.Ar module .
Notice that
.Ar module ,
.Ar key ,
and
.Ar value
must be quoted to be distinguished from the reserved word (e.g.\&
.Dq secret )
if needed.
.Pp
The
.Dq bsdauth
module supports the following configuration key and value:
.Bl -tag -width Ds -offset indent
.It Ic restrict-group Ar group ...
Restrict login only if the user is a member of the specified groups.
.El
.Pp
The
.Dq radius
module supports the following configuration key and value:
.Bl -tag -width Ds -offset indent
.It Ic server Ar address Ns Op : Ns Ar port
Specify the upstream server's address and port.
If
.Ar port
is omitted, 1812 is used.
This configuration can be specified multiple times.
.It Ic secret Ar secret
Specify the shared secret with the servers.
This configuration cannot be omitted.
.It Ic max-tries Ar number
Specify the maximum number of retransmissions for a server.
.Xr radiusd 8
will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission.
If the number of retransmissions per server reaches this value,
the current server is marked as
.Dq fail ,
and the next server is used for subsequent requests.
The default value is 3.
.It Ic max-failovers Ar number
If a positive number is specified,
.Xr radiusd 8
will failover to the next server
when the current server is marked
.Dq fail .
This key and value specifies the maximum number of failovers.
The default value is 0.
.It Ic request-timeout Ar sec
Specify the request timeout in seconds.
If this value is specified,
.Ar max-tries
and
.Ar max-failover
will not be used.
.El
.It Ic authenticate Ar username-pattern ... Brq ...
Specify an authentication configuration for the users specified by
.Ar username-pattern .
Use shell globbing rules for the pattern;
multiple patterns can be specified by separating with space characters.
When multiple
.Ic authenticate
lines are specified, the first
.Ic authenticate
setting whose
.Ar username-pattern
matches an authenticating user is used.
It is followed by a block of options enclosed in curly brackets:
.Bl -tag -width Ds
.It Ic authenticate-by Ar module
Specify the module name.
.El
.El
.Sh FILES
.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact
.It Pa /etc/radiusd.conf
Default
.Xr radiusd 8
configuration file.
.It Pa /etc/examples/radiusd.conf
Example configuration file.
.It Pa /usr/libexec/radiusd/radiusd_bsdauth
.Dq bsdauth
module executable.
.It Pa /usr/libexec/radiusd/radiusd_radius
.Dq radius
module executable.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
listen on 0.0.0.0
#listen on ::

client 127.0.0.1/32 {
	secret "secret"
}
client 192.168.0.0/24 {
	secret "secret"
	msgauth-required yes
}

module load "bsdauth" "/usr/libexec/radiusd/radiusd_bsdauth"
module set "bsdauth"  "restrict-group" "operator"

module load "radius" "/usr/libexec/radiusd/radiusd_radius"
module set "radius" "secret" "testing123"
module set "radius" "server" "127.0.0.1"

authenticate *@example.com {
	authenticate-by "radius"
}
authenticate * {
	authenticate-by "bsdauth"
}
.Ed
.Sh SEE ALSO
.Xr authenticate 3 ,
.Xr radiusd 8