.\" $OpenBSD: radiusd_ipcp.8,v 1.6 2024/08/07 07:15:18 yasuoka Exp $
.\"
.\" Copyright (c) 2024 Internet Initiative Japan Inc.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" The following requests are required for all man pages.
.\"
.Dd $Mdocdate: August 7 2024 $
.Dt RADIUSD_IPCP 8
.Os
.Sh NAME
.Nm radiusd_ipcp
.Nd provides IP configuration and manages IP address pool
.Sh SYNOPSIS
.Nm radiusd_ipcp
.Sh DESCRIPTION
The
.Nm
module is executed by
.Xr radiusd 8
as a module to provide IP configuration through RADIUS Access-Accept messages
and to manage the IP address pool through RADIUS accounting messages.
The internal sessions can be shown or monitored by
.Xr radiusctl 8 .
.Nm
also provides session timeouts and disconnects requested by
.Xr radiusctl 8
through the Dynamic Authorization Extension
.Pq DAE, RFC 5176 .
.Sh CONFIGURATIONS
To use the
.Nm
module,
it should be configured as a decoration module for authentication
and as an accounting module.
.Bd -literal -offset indent
authenticate * by (any auth module) decorate-by ipcp
account * to ipcp
.Ed
.Pp
The
.Nm
module supports the following configuration keys and values:
.Bl -tag -width Ds
.It Ic address pool Ar address-space ...
Specify the IP address spaces that are pooled.
The
.Ar address-space
can be specified by an address range
.Pq e.g. 192.168.1.1-192.168.1.199
or an address mask
.Pq e.g. 192.168.1.0/24 .
The pooled addresses are used for dynamic assignment.
.It Ic address static Ar address-space ...
Specify the IP address spaces that are pooled for static assignment.
The
.Ar address-space
uses the same syntax as
.Ic address pool ,
above.
.It Ic name-server Ar primary-address Op Ar secondary-address
Specify the DNS servers' IP addresses.
.It Ic netbios-server Ar primary-address Op Ar secondary-address
Specify the NetBIOS name servers' IP addresses.
.It Ic session-timeout Ar seconds | Do radius Dc
Specify the session-timeout in seconds,
or
.Dq radius .
.Nm
disconnects the session through DAE at the specified time after starting.
When
.Dq radius
is specified,
the value of the Session-Timeout attribute in Access-Accept is used for
the timeout.
Configure
.Ic dae server
to use this option.
.It Ic dae server Ar address Ns Oo Ar :port Oc Ar secret Op Ar nas-id
Configure a DAE server to which
.Nm
sends disconnection requests for sessions.
Specify the
.Ar address ,
optionally the
.Ar port
number,
and the
.Ar secret .
If the optional
.Ar nas-id
is specified,
the server is selected only for sessions whose NAS-Identifier
matches the specified value.
The default port number is 3799.
.It Ic max-sessions Ar number
Specify the maximum number of sessions.
.Sq 0
means no limit.
The default value is 0.
.It Ic user-max-sessions Ar number
Specify the maximum number of sessions per user.
.Sq 0
means no limit.
The default value is 0.
.It Ic start-wait Ar seconds
Specify how many seconds to wait for the RADIUS Accounting Start for the
session after Access-Accept.
.Nm
preserves the assigned IP address for that period.
The default value is 60 seconds.
.El
.Sh FILES
.Bl -tag -width "/usr/libexec/radiusd/radiusd_ipcp" -compact
.It Pa /usr/libexec/radiusd/radiusd_ipcp
.Dq ipcp
module executable.
.El
.Sh EXAMPLES
An example with
.Nm
working with
.Xr npppd 8 :
.Pp
.Pa /etc/radiusd.conf :
.Bd -literal -offset indent
listen on 127.0.0.1
listen on 127.0.0.1 accounting

client 127.0.0.1/32 {
    secret "SECRET"
}

module radius {
    set secret "SECRET2"
    set server 192.168.0.4:1812
}

module ipcp {
    set address pool 192.168.1.0/24
    set name-server 192.168.0.4
    set max-sessions 128
    set user-max-sessions 2
    set dae server 127.0.0.1 "SECRET3"
    set session-timeout radius
}

authenticate * by radius decorate-by ipcp
account * to ipcp
.Ed
.Pp
.Pa /etc/npppd/npppd.conf :
.Bd -literal -offset indent
tunnel L2TP protocol l2tp {
    listen on 192.0.2.51
}
ipcp IPCP {
    pool-address 192.168.1.2-192.168.1.255 for dynamic
}
interface pppac0 address 192.168.1.1 ipcp IPCP
authentication RADIUS type radius {
    authentication-server {
        address 127.0.0.1 secret "SECRET"
    }
    accounting-server {
        address 127.0.0.1 secret "SECRET"
    }
}
bind tunnel from L2TP authenticated by RADIUS to pppac0

radius dae listen on 127.0.0.1
radius dae client 127.0.0.1 secret "SECRET3"
.Ed
.Sh SEE ALSO
.Xr authenticate 3 ,
.Xr radiusd.conf 5 ,
.Xr npppd 8 ,
.Xr radiusctl 8 ,
.Xr radiusd 8
.Sh HISTORY
The
.Nm
module first appeared in
.Ox 7.6 .
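Added example, not part of the original manual page or of OpenBSD: a Python check for the ipcp module block described under CONFIGURATIONS. It validates both address-space forms, applies the default DAE port, and reports a session-timeout that has no dae server behind it; the function names, the tuple layout and the IPv4-only parsing are assumptions of this example, not radiusd behaviour.

```python
import ipaddress
import re

DAE_DEFAULT_PORT = 3799  # default port given for "dae server"

def parse_address_space(spec):
    """Return (first, last) for a range 'a-b' or a mask 'a/len' (IPv4 assumed)."""
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        if first > last:
            raise ValueError("range start is after range end")
        return first, last
    net = ipaddress.IPv4Network(spec, strict=False)
    return net[0], net[-1]  # bounds as written, not what the module hands out

def lint_ipcp(conf_text):
    """Return (settings, problems) for the 'module ipcp { ... }' block."""
    block = re.search(r"module\s+ipcp\s*\{(.*?)\}", conf_text, re.S)
    if block is None:
        return {}, ["no 'module ipcp' block found"]
    settings, problems = {"spaces": [], "dae": [], "timeout": None}, []
    for line in block.group(1).splitlines():
        w = re.findall(r'"[^"]*"|\S+', line)  # keep a quoted secret as one word
        if len(w) < 3 or w[0] != "set":
            continue
        try:
            if w[1] == "address" and w[2] in ("pool", "static"):
                for spec in w[3:]:
                    settings["spaces"].append((w[2], *parse_address_space(spec)))
            elif w[1:3] == ["dae", "server"]:
                host, _, port = w[3].partition(":")
                ipaddress.IPv4Address(host)  # raises ValueError if malformed
                secret, nas_id = w[4].strip('"'), (w[5] if len(w) > 5 else None)
                settings["dae"].append((host, int(port or DAE_DEFAULT_PORT), secret, nas_id))
            elif w[1] == "session-timeout":
                settings["timeout"] = w[2] if w[2] == "radius" else int(w[2])
        except (ValueError, IndexError) as exc:
            problems.append(f"{line.strip()}: {exc}")
    if settings["timeout"] is not None and not settings["dae"]:
        problems.append("session-timeout is set but no dae server is configured")
    return settings, problems

# ipcp block abridged from EXAMPLES, plus a constructed variant without DAE.
SAMPLE = """module ipcp {
    set address pool 192.168.1.0/24
    set dae server 127.0.0.1 "SECRET3"
    set session-timeout radius
}"""
BROKEN = SAMPLE.replace('    set dae server 127.0.0.1 "SECRET3"\n', "")
print(lint_ipcp(SAMPLE)[1], lint_ipcp(BROKEN)[1])
```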