1.\" $OpenBSD: radiusd.conf.5,v 1.34 2024/07/18 00:28:53 yasuoka Exp $ 2.\" 3.\" Copyright (c) 2014 Esdenera Networks GmbH 4.\" Copyright (c) 2014, 2023 Internet Initiative Japan Inc. 5.\" 6.\" Permission to use, copy, modify, and distribute this software for any 7.\" purpose with or without fee is hereby granted, provided that the above 8.\" copyright notice and this permission notice appear in all copies. 9.\" 10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.\" 18.Dd $Mdocdate: July 18 2024 $ 19.Dt RADIUSD.CONF 5 20.Os 21.Sh NAME 22.Nm radiusd.conf 23.Nd RADIUS daemon configuration file 24.Sh DESCRIPTION 25.Nm 26is the configuration file for the RADIUS daemon, 27.Xr radiusd 8 . 28It has the following format: 29.Pp 30Empty lines and lines beginning with the 31.Sq # 32character are ignored. 33.Pp 34Keywords may be specified multiple times within the configuration file. 35The configuration options are as follows: 36.Bl -tag -width Ds 37.It Xo 38.Ic listen on Ar address Oo Ic accounting Oc Oo Ic port Ar port Oc 39.Xc 40Specify an 41.Ar address 42and a 43.Ar port 44to listen on. 45When 46.Ar accounting 47is specified, 48it is used for waiting for RADIUS accounting messages. 49The default port number is 1812 for authentication and 1813 for accounting. 50.It Ic client Ar address/mask Brq ... 51Allow access to a client with the specified 52.Ar address 53and 54.Ar mask . 
55It is followed by a block of options enclosed in curly brackets: 56.Bl -tag -width Ds 57.It Ic secret Ar secret 58The shared secret with the clients. 59This option cannot be omitted. 60.It Ic msgauth-required Ar yes | no 61Specify if message authentication is required. 62The default is to require message authentication. 63.El 64.It Ic module Ar name Oo Ar path Oc Op Brq ... 65Load a module. 66Specify one of the predefined names for 67.Ar name , 68or specify 69.Ar name 70and 71.Ar path . 72When multiple modules of the same path are loaded with different names, 73each module can have configurations respectively and work independently. 74.Pp 75The following modules are predefined: 76.Bl -tag -width Ds 77.It Do bsdauth Dc module 78The 79.Dq bsdauth 80module provides authentication from the local system's 81.Xr authenticate 3 82interface. 83See 84.Xr radiusd_bsdauth 8 . 85.It Do eap2mschap Dc module 86The 87.Dq eap2mschap 88module provides conversion from EAP-MSCHAPv2 to MS-CHAPv2. 89See 90.Xr radiusd_eap2mschap 8 . 91.It Do file Dc module 92The 93.Dq file 94module provides authentication by a local file. 95See 96.Xr radiusd_file 8 . 97.It Do ipcp Dc module 98The 99.Dq ipcp 100module provides IP configuration and manages the IP address pool. 101It also provides session-timeout and disconnection feature. 102See 103.Xr radiusd_ipcp 8 . 104.It Do radius Dc module 105The 106.Dq radius 107module provides authentication from upstream RADIUS servers. 108See 109.Xr radiusd_radius 8 . 110.It Do standard Dc module 111The 112.Dq standard 113module provides standard decorations for RADIUS messages. 114See 115.Xr radiusd_standard 8 . 116.El 117.Pp 118It is optionally followed by a block of options enclosed in curly brackets. 119The following option can be used in the block: 120.Bl -tag -width Ds 121.It Ic set Ar key value ... 122Configure the module specific configurations by 123.Ar key 124and 125.Ar value 126for the module specified by 127.Ar module . 
128Notice that 129.Ar key 130and 131.Ar value 132must be quoted to be distinguished from the reserved word if needed. 133.El 134.It Xo 135.Ic authenticate 136.Ar username-pattern ... 137.Ic by Ar auth 138.Op Ic decorate-by Ar deco ... 139.Xc 140Specify an authentication configuration for the users specified by 141.Ar username-pattern . 142The users matched by the pattern are authenticated by the module 143specified by 144.Ar auth . 145Use shell globbing rules for the pattern; 146multiple patterns can be specified by separating with space characters. 147When multiple 148.Ic authenticate 149lines are specified, the first 150.Ic authenticate 151setting whose 152.Ar username-pattern 153matches an authenticating user is used. 154.Pp 155Optionally decoration modules can be specified by 156.Ar deco . 157The specified modules decorate the RADIUS messages in the configured order. 158.It Xo 159.Ic authentication-filter 160.Ar username-pattern ... 161.Ic by Ar auth 162.Op Ic decorate-by Ar deco ... 163.Xc 164.Ic authentication-filter 165works the same as 166.Ic authenticate , 167but the module can work as a filter, 168it can ask the authentication to the following authentication modules, 169and then it receives the authentication reply and modifies the reply. 170.It Xo 171.Ic account 172.Op Ic quick 173.Ar username-pattern ... 174.Ic to Ar module 175.Op Ic decorate-by Ar deco ... 176.Xc 177Specify an accounting configuration for the users specified by 178.Ar username-pattern . 179The accounting messages for the users matched by the pattern are handled 180by the module specified by the 181.Ar module . 182Use shell globbing rules for the patterns; 183multiple patterns can be determined by separating them with space characters. 184When multiple 185.Ic account 186configurations are specified, 187all matches are used; 188if the user matches a pattern with the 189.Ic quick 190option, then processing stops after that configuration. 
191.Pp 192Optionally decoration modules can be specified by 193.Ar deco . 194The specified modules decorate the RADIUS messages in the configured order. 195.El 196.Sh FILES 197.Bl -tag -width "/etc/examples/radiusd.conf" -compact 198.It Pa /etc/radiusd.conf 199Default 200.Xr radiusd 8 201configuration file. 202.It Pa /etc/examples/radiusd.conf 203Example configuration file. 204.El 205.Sh EXAMPLES 206.Bd -literal -offset indent 207listen on 0.0.0.0 208listen on 0.0.0.0 accounting 209listen on :: 210listen on :: accounting 211 212client 127.0.0.1/32 { 213 secret "secret" 214 msgauth-required no 215} 216client 192.168.0.0/24 { 217 secret "secret" 218} 219 220module bsdauth { 221 set restrict-group operator 222} 223 224module radius { 225 set secret "testing123" 226 set server "127.0.0.1" 227} 228 229module standard 230 231module strip-realm "/usr/libexec/radiusd/radiusd_standard" { 232 set strip-atmark-realm true 233} 234 235authenticate *@local by bsdauth decorate-by strip-realm 236 237authenticate * by radius 238 239account * to standard 240.Ed 241.Sh SEE ALSO 242.Xr radiusd 8 , 243.Xr radiusd_bsdauth 8 , 244.Xr radiusd_eap2mschap 8 , 245.Xr radiusd_file 8 , 246.Xr radiusd_ipcp 8 , 247.Xr radiusd_radius 8 , 248.Xr radiusd_standard 8 249
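The configuration below is an added example, not part of the radiusd.conf(5) page or the OpenBSD source tree. It uses only the keywords documented above and illustrates two rules the EXAMPLES section does not exercise: the first matching authenticate line wins, so a catch-all pattern placed first would shadow every more specific one; and every matching account line is used until a line carrying the quick option matches. The 192.0.2.0/24 network, the 192.0.2.10 upstream server, the PLACEHOLDER secrets and the second instance of the standard module loaded under the name acct-local are all assumptions made for the example.

```conf
# Added example configuration; not from the radiusd.conf(5) page.
# Addresses, secrets and the module instance name "acct-local" are
# placeholders chosen for this example.

listen on 0.0.0.0
listen on 0.0.0.0 accounting

# Message authentication stays required (the default) for the NAS
# network; it is only relaxed for the loopback client used by local
# testing tools.
client 127.0.0.1/32 {
	secret "PLACEHOLDER-local-secret"
	msgauth-required no
}
client 192.0.2.0/24 {
	secret "PLACEHOLDER-nas-secret"
}

module bsdauth {
	set restrict-group operator
}

module radius {
	set secret "PLACEHOLDER-upstream-secret"
	set server "192.0.2.10"
}

# Two independent instances of the same module path: the predefined
# "standard" and a second copy named "acct-local" with its own settings.
module standard

module acct-local "/usr/libexec/radiusd/radiusd_standard" {
	set strip-atmark-realm true
}

module strip-realm "/usr/libexec/radiusd/radiusd_standard" {
	set strip-atmark-realm true
}

# authenticate: first match wins.  The specific *@local pattern must
# precede the catch-all; swapping these two lines would send local
# users to the upstream RADIUS server as well.
authenticate *@local by bsdauth decorate-by strip-realm
authenticate * by radius

# account: all matching lines are used, but a matching "quick" line
# stops processing.  *@local accounting is therefore handled only by
# acct-local; every other user is handled by the line after it.
account quick *@local to acct-local
account * to standard
```

Reading the two blocks together: for user alice@local the authenticate section stops at the first line (bsdauth), and the account section stops at the quick line (acct-local); for bob@corp.example neither specific pattern matches, so authentication goes to radius and accounting to standard. Without quick, alice@local's accounting messages would be handed to both acct-local and standard.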