src/usr.sbin/radiusd/radiusd.conf.5

.\"	$OpenBSD: radiusd.conf.5,v 1.18 2023/09/14 09:55:28 yasuoka Exp $
.\"
.\" Copyright (c) 2014 Esdenera Networks GmbH
.\" Copyright (c) 2014, 2023 Internet Initiative Japan Inc.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: September 14 2023 $
.Dt RADIUSD.CONF 5
.Os
.Sh NAME
.Nm radiusd.conf
.Nd RADIUS daemon configuration file
.Sh DESCRIPTION
.Nm
is the configuration file for the RADIUS daemon,
.Xr radiusd 8 .
It has the following format:
.Pp
Empty lines and lines beginning with the
.Sq #
character are ignored.
.Pp
Keywords may be specified multiple times within the configuration file.
The configuration options are as follows:
.Bl -tag -width Ds
.It Xo
.Ic listen on Ar address
.Ic port Ar port
.Xc
Specify an
.Ar address
and a
.Ar port
to listen on.
.It Ic client Ar address/mask Brq ...
Allow access to a client with the specified
.Ar address
and
.Ar mask .
It is followed by a block of options enclosed in curly brackets:
.Bl -tag -width Ds
.It Ic secret Ar secret
The shared secret with the clients.
This option cannot be omitted.
.It Ic msgauth-required Ar yes | no
Specify if message authentication is required.
The default is to require message authentication.
.El
.It Ic module load Ar name path
Load a module
from
.Ar path
and name it with the given
.Ar name .
The following modules are available:
.Bl -column "/usr/libexec/radiusd/radiusd_bsdauthXXX"
.It Sy "Path" Ta Sy "Description"
.It Pa /usr/libexec/radiusd/radiusd_bsdauth Ta Do bsdauth Dc module
.It Pa /usr/libexec/radiusd/radiusd_radius Ta Do radius Dc module
.It Pa /usr/libexec/radiusd/radiusd_standard Ta Do standard Dc module
.El
.Bl -tag -width Ds
.It Do bsdauth Dc module
The
.Dq bsdauth
module provides authentication from the local system's
.Xr authenticate 3
interface,
known as
.Dq bsd auth .
It only supports PAP, password based authentication.
.It Do radius Dc module
The
.Dq radius
module provides authentication from upstream RADIUS servers.
.It Do standard Dc module
The
.Dq standard
module provides standard decorations for Access-Request messages or its
response messages.
.El
.It Ic module set Ar module key value ...
Configure the module specific configurations by
.Ar key
and
.Ar value
for the module specified by
.Ar module .
Notice that
.Ar module ,
.Ar key ,
and
.Ar value
must be quoted to be distinguished from the reserved word (e.g.\&
.Dq secret )
if needed.
.Pp
The
.Dq bsdauth
module supports the following configuration key and value:
.Bl -tag -width Ds -offset indent
.It Ic restrict-group Ar group ...
Restrict login only if the user is a member of the specified groups.
.El
.Pp
The
.Dq radius
module supports the following configuration key and value:
.Bl -tag -width Ds -offset indent
.It Ic server Ar address Ns Op : Ns Ar port
Specify the upstream server's address and port.
If
.Ar port
is omitted, 1812 is used.
This configuration can be specified multiple times.
.It Ic secret Ar secret
Specify the shared secret with the servers.
This configuration cannot be omitted.
.It Ic max-tries Ar number
Specify the maximum number of retransmissions for a server.
.Xr radiusd 8
will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission
and subsequent retransmissions will occur every 8 seconds.
If the number of retransmissions per server reaches this value,
the current server is marked as
.Dq fail ,
and the next server is used for subsequent requests.
The default value is 3.
.It Ic max-failovers Ar number
If a positive number is specified,
.Xr radiusd 8
will failover to the next server
when the current server is marked
.Dq fail .
This key and value specifies the maximum number of failovers.
The default value is 0.
.It Ic request-timeout Ar sec
Specify the request timeout in seconds.
If this value is specified,
.Ar max-tries
and
.Ar max-failover
will not be used.
.El
.Pp
The
.Dq standard
module supports the following configuration key and value:
.Pp
.Bl -tag -width Ds -offset indent -compact
.It Ic strip-atmark-realm Ar true | false
Remove the realm part which starts with @
.Pq atmark
from the User-Name attribute of the Access-Request.
.Pp
.It Ic strip-nt-domain Ar true | false
Remove NT domain which ends with \\
.Pq backslash
from the User-Name attribute of the Access-Request.
.Pp
.It Cm remove-request-attribute Oo Ar vendor Oc Ar type
.It Cm remove-response-attribute Oo Ar vendor Oc Ar type
Remove all the specified attributes from request or response
messages of Access-Request.
Specify
.Ar type
of the attribute in a decimal number.
To specify a vendor attribute,
specify the Vendor-Id
in a decimal number for
.Ar vendor .
.El
.It Ic authenticate Ar username-pattern ... Brq ...
Specify an authentication configuration for the users specified by
.Ar username-pattern .
Use shell globbing rules for the pattern;
multiple patterns can be specified by separating with space characters.
When multiple
.Ic authenticate
lines are specified, the first
.Ic authenticate
setting whose
.Ar username-pattern
matches an authenticating user is used.
It is followed by a block of options enclosed in curly brackets:
.Bl -tag -width Ds
.It Ic authenticate-by Ar module
Specify the module name.
.It Ic decorate-by Ar module
Specify the module name.
.El
.El
.Sh FILES
.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact
.It Pa /etc/radiusd.conf
Default
.Xr radiusd 8
configuration file.
.It Pa /etc/examples/radiusd.conf
Example configuration file.
.It Pa /usr/libexec/radiusd/radiusd_bsdauth
.Dq bsdauth
module executable.
.It Pa /usr/libexec/radiusd/radiusd_radius
.Dq radius
module executable.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
listen on 0.0.0.0
listen on ::

client 127.0.0.1/32 {
	secret "secret"
	msgauth-required no
}
client 192.168.0.0/24 {
	secret "secret"
}

module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth"
module set bsdauth restrict-group operator

module load radius "/usr/libexec/radiusd/radiusd_radius"
module set radius secret "testing123"
module set radius server "127.0.0.1"

module load strip-realm "/usr/libexec/radiusd/radiusd_standard"
module set strip-realm strip-atmark-realm true

authenticate *@local {
	authenticate-by bsdauth
	decorate-by strip-realm
}
authenticate * {
	authenticate-by radius
}
.Ed
.Sh SEE ALSO
.Xr authenticate 3 ,
.Xr radiusd 8