Manual Page Search Parameters

RADIUSD.CONF(5) File Formats Manual RADIUSD.CONF(5)


radiusd.confRADIUS daemon configuration file


radiusd.conf is the configuration file for the RADIUS daemon, radiusd(8). It has the following format:
Empty lines and lines beginning with the ‘#’ character are ignored.
Keywords may be specified multiple times within the configuration file. The configuration options are as follows:
listen on address port port
Specify an address and a port to listen on.
client address/mask {...}
Allow access to a client with the specified address and mask. It is followed by a block of options enclosed in curly brackets:
secret secret
The shared secret with the clients. This option cannot be omitted.
msgauth-required yes | no
Message authentication is required if “yes” is specified.
module load name path
Load module name from path. The following modules are available:
Path Description
/usr/libexec/radiusd/radiusd_bsdauth “bsdauth” module
/usr/libexec/radiusd/radiusd_radius “radius” module
“bsdauth” module
The “bsdauth” module provides authentication from the local system's authenticate(3) interface, known as “bsd auth”. It only supports PAP, password based authentication.
“radius” module
The “radius” module provides authentication from upstream RADIUS servers.
module set key value ...
Configure the module specific configuration by key and value.
The “bsdauth” module supports the following configuration key and value:
restrict-group group ...
Restrict login only if the user is a member of the specified groups.
The “radius” module supports the following configuration key and value:
server address[:port]
Specify the upstream server's address and port. If port is omitted, 1812 is used. This configuration can be specified multiple times.
secret secret
Specify the shared secret with the servers.
max-tries number
Specify the maximum number of retransmissions for a server. radiusd(8) will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission. If the number of retransmissions per server reaches this value, the current server is marked as “fail”, and the next server is used for subsequent requests. The default value is 3.
max-failovers number
If a positive number is specified, radiusd(8) will failover to the next server when the current server is marked “fail”. This key and value specifies the maximum number of failovers. The default value is 0.
request-timeout sec
Specify the request timeout in seconds. If this value is specified, max-tries and max-failover will not be used.
authenticate username-pattern ... {...}
Specify an authentication configuration for the users specified by username-pattern. Use shell globbing rules for the pattern; multiple patterns can be specified by separating with space characters. When multiple authenticate lines are specified, the first authenticate setting whose username-pattern matches an authenticating user is used. It is followed by a block of options enclosed in curly brackets:
authenticate-by module
Specify the module name.


Default radiusd(8) configuration file.
“bsdauth” module executable.
“radius” module executable.


listen on 
#listen on :: 
client { 
	secret "secret" 
client { 
	secret "secret" 
	msgauth-required yes 
module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth" 
module set bsdauth  restrict-group operator 
module load radius  "/usr/libexec/radiusd/radiusd_radius" 
module set radius "secret" "testing123" 
module set radius "server" "" 
authenticate *@example.com { 
	authenticate-by radius 
authenticate * { 
	authenticate-by bsdauth 


authenticate(3), radiusd(8)
March 13, 2017 OpenBSD-current