OpenBSD manual page server

Manual Page Search Parameters

LOGIN_RADIUS(8)         OpenBSD System Manager's Manual        LOGIN_RADIUS(8)

NAME
     login_radius - contact radiusd for authentication

SYNOPSIS
     login_radius [-s service] [-v name=value] user [class]

DESCRIPTION
     The login_radius utility contacts the radiusd daemon to authenticate a
     user.  If no class is specified, the login class will be obtained from
     the password database.

     When executed as the name login_style, login_radius will request radiusd
     use the authentication specified by style.

     Available options are:

     -s      Specify the service.  Currently only challenge, login, and
             response are supported.

     -v      This option and its value are ignored.

     The login_radius utility needs to know a shared secret for each radius
     server it talks to.  Shared secrets are stored in the file
     /etc/raddb/servers with the format:

           server shared_secret

     It is expected that rather than requesting the radius style directly (in
     which case the radiusd server uses a default style) that login_radius
     will be linked to the various mechanisms desired.  For instance, to have
     all CRYPTOCard and ActivCard authentication take place on a remote server
     via the radius protocol, remove the login_activ and login_crypto modules
     and link login_radius to both of those names.  Now when the user requests
     one of those authentication styles, login_radius will automatically for-
     ward the request to the remote radiusd and request it do the requested
     style of authentication.

LOGIN.CONF VARIABLES
     The login_radius utility uses the following radius-specific
     /etc/login.conf variables:

     radius-server            Hostname of the radius server to contact.

     radius-server-alt        Alternate radius server to use when the primary
                              is not responding.

     radius-challenge-styles  Comma-separated list of authentication styles
                              that the radius server knows about.  If the us-
                              er's authentication style is in this list the
                              challenge will be provided by the radius server.
                              If not, login_radius will prompt the user for
                              the password before sending the request (along
                              with the password) to the radius server.

     radius-timeout           Number of seconds to wait for a response from
                              the radius server.  Defaults to 2 seconds.

     radius-retries           Number of times to attempt to contact the radius
                              server before giving up (or falling back to the
                              alternate server if there is one).  Defaults to
                              6 tries.

FILES
     /etc/login.conf       login configuration database
     /etc/raddb/servers    list of radius servers and their associated shared
                           secrets

SEE ALSO
     login(1), login.conf(5)

CAVEATS
     OpenBSD does not ship with a radius server in the default install, howev-
     er several are available via packages(7).

     For login_radius to function, the /etc/raddb directory must be owned by
     group ``_radius'' and have group-execute permissions.  Likewise, the
     /etc/raddb/servers file must be readable by group ``_radius''.

OpenBSD 3.4                     August 23, 1996                              2