NAME
radiusd.conf
—
RADIUS daemon configuration
file
DESCRIPTION
radiusd.conf
is the configuration file for
the RADIUS daemon,
radiusd(8). It has the following format:
Empty lines and lines beginning with the ‘#’ character are ignored.
Keywords may be specified multiple times within the configuration file. The configuration options are as follows:
listen on
addressport
port- Specify an address and a port to listen on.
client
address/mask {...}- Allow access to a client with the specified address
and mask. It is followed by a block of options
enclosed in curly brackets:
secret
secret- The shared secret with the clients. This option cannot be omitted.
msgauth-required
yes | no- Message authentication is required if “yes” is specified.
module load
name path- Load a module from path and name it with the given
name. The following modules are available:
Path Description /usr/libexec/radiusd/radiusd_bsdauth “bsdauth” module /usr/libexec/radiusd/radiusd_radius “radius” module - “bsdauth” module
- The “bsdauth” module provides authentication from the local system's authenticate(3) interface, known as “bsd auth”. It only supports PAP, password based authentication.
- “radius” module
- The “radius” module provides authentication from upstream RADIUS servers.
module set
module key value ...- Configure the module specific configurations by key
and value for the module specified by
module. Notice that module,
key, and value must be quoted
to be distinguished from the reserved word (e.g. “secret”)
if needed.
The “bsdauth” module supports the following configuration key and value:
restrict-group
group ...- Restrict login only if the user is a member of the specified groups.
The “radius” module supports the following configuration key and value:
server
address[:port]- Specify the upstream server's address and port. If port is omitted, 1812 is used. This configuration can be specified multiple times.
secret
secret- Specify the shared secret with the servers. This configuration cannot be omitted.
max-tries
number- Specify the maximum number of retransmissions for a server. radiusd(8) will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission. If the number of retransmissions per server reaches this value, the current server is marked as “fail”, and the next server is used for subsequent requests. The default value is 3.
max-failovers
number- If a positive number is specified, radiusd(8) will failover to the next server when the current server is marked “fail”. This key and value specifies the maximum number of failovers. The default value is 0.
request-timeout
sec- Specify the request timeout in seconds. If this value is specified, max-tries and max-failover will not be used.
authenticate
username-pattern ... {...}- Specify an authentication configuration for the users specified by
username-pattern. Use shell globbing rules for the
pattern; multiple patterns can be specified by separating with space
characters. When multiple
authenticate
lines are specified, the firstauthenticate
setting whose username-pattern matches an authenticating user is used. It is followed by a block of options enclosed in curly brackets:authenticate-by
module- Specify the module name.
FILES
- /etc/radiusd.conf
- Default radiusd(8) configuration file.
- /etc/examples/radiusd.conf
- Example configuration file.
- /usr/libexec/radiusd/radiusd_bsdauth
- “bsdauth” module executable.
- /usr/libexec/radiusd/radiusd_radius
- “radius” module executable.
EXAMPLES
listen on 0.0.0.0 #listen on :: client 127.0.0.1/32 { secret "secret" } client 192.168.0.0/24 { secret "secret" msgauth-required yes } module load "bsdauth" "/usr/libexec/radiusd/radiusd_bsdauth" module set "bsdauth" "restrict-group" "operator" module load "radius" "/usr/libexec/radiusd/radiusd_radius" module set "radius" "secret" "testing123" module set "radius" "server" "127.0.0.1" authenticate *@example.com { authenticate-by "radius" } authenticate * { authenticate-by "bsdauth" }