NAME

radiusd.conf — RADIUS daemon configuration file

DESCRIPTION

radiusd.conf is the configuration file for the RADIUS daemon, radiusd(8). It has the following format:

Empty lines and lines beginning with the ‘#’ character are ignored.

Keywords may be specified multiple times within the configuration file. The configuration options are as follows:

listen on address [accounting] [port port]

Specify an address and a port to listen on. When accounting is specified, it is used for waiting for RADIUS accounting messages. The default port number is 1812 for authentication and 1813 for accounting.

client address/mask {...}

Allow access to a client with the specified address and mask. It is followed by a block of options enclosed in curly brackets:

secret secret

The shared secret with the clients. This option cannot be omitted.

msgauth-required yes | no

Specify if message authentication is required. The default is to require message authentication.

module name [path] [{...}]

Load a module. Specify one of the predefined names for name, or specify name and path. When multiple modules of the same path are loaded with different names, each module can have configurations respectively and work independently.

The following modules are predefined:

“bsdauth” module

The “bsdauth” module provides authentication from the local system's authenticate(3) interface. See radiusd_bsdauth(8).

“eap2mschap” module

The “eap2mschap” module provides conversion from EAP-MSCHAPv2 to MS-CHAPv2. See radiusd_eap2mschap(8).

“file” module

The “file” module provides authentication by a local file. See radiusd_file(8).

“ipcp” module

The “ipcp” module provides IP configuration and manages the IP address pool. It also provides session-timeout and disconnection feature. See radiusd_ipcp(8).

“radius” module

The “radius” module provides authentication from upstream RADIUS servers. See radiusd_radius(8).

“standard” module

The “standard” module provides standard decorations for RADIUS messages. See radiusd_standard(8).

It is optionally followed by a block of options enclosed in curly brackets. The following option can be used in the block:

set key value ...

Configure the module specific configurations by key and value for the module specified by module. Notice that key and value must be quoted to be distinguished from the reserved word if needed.

authenticate username-pattern ... by auth [decorate-by deco ...]

Specify an authentication configuration for the users specified by username-pattern. The users matched by the pattern are authenticated by the module specified by auth. Use shell globbing rules for the pattern; multiple patterns can be specified by separating with space characters. When multiple authenticate lines are specified, the first authenticate setting whose username-pattern matches an authenticating user is used.

Optionally decoration modules can be specified by deco. The specified modules decorate the RADIUS messages in the configured order.

authentication-filter username-pattern ... by auth [decorate-by deco ...]

authentication-filter works the same as authenticate, but the module can work as a filter, it can ask the authentication to the following authentication modules, and then it receives the authentication reply and modifies the reply.

account [quick] username-pattern ... to module [decorate-by deco ...]

Specify an accounting configuration for the users specified by username-pattern. The accounting messages for the users matched by the pattern are handled by the module specified by the module. Use shell globbing rules for the patterns; multiple patterns can be determined by separating them with space characters. When multiple account configurations are specified, all matches are used; if the user matches a pattern with the quick option, then processing stops after that configuration.

Optionally decoration modules can be specified by deco. The specified modules decorate the RADIUS messages in the configured order.

FILES

/etc/radiusd.conf

Default radiusd(8) configuration file.

/etc/examples/radiusd.conf

Example configuration file.

EXAMPLES

listen on 0.0.0.0
listen on 0.0.0.0 accounting
listen on ::
listen on :: accounting

client 127.0.0.1/32 {
    secret "secret"
    msgauth-required no
}
client 192.168.0.0/24 {
    secret "secret"
}

module bsdauth {
    set restrict-group operator
}

module radius {
    set secret "testing123"
    set server "127.0.0.1"
}

module standard

module strip-realm "/usr/libexec/radiusd/radiusd_standard" {
    set strip-atmark-realm true
}

authenticate *@local by bsdauth decorate-by strip-realm

authenticate * by radius

account * to standard

SEE ALSO

radiusd(8), radiusd_bsdauth(8), radiusd_eap2mschap(8), radiusd_file(8), radiusd_ipcp(8), radiusd_radius(8), radiusd_standard(8)