commit - 4a4dce94acbf203aec1c6f5ebc1d97ef1f1ad2d4
commit + da2270739c798f5d01e9d1afe269d4fa1c5000aa
blob - f02ac14445e6ce4ae3dd664929a88478c8524aa2
blob + 56a0f7b0aaa3318a7dc630f8c8decc6ecef6f67b
--- usr.sbin/radiusd/parse.y
+++ usr.sbin/radiusd/parse.y
-/* $OpenBSD: parse.y,v 1.18 2024/07/01 03:13:42 yasuoka Exp $ */
+/* $OpenBSD: parse.y,v 1.19 2024/07/02 00:00:12 yasuoka Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
#include "log.h"
static struct radiusd *conf;
-static struct radiusd_authentication authen;
-static struct radiusd_client client;
+static struct radiusd_authentication authen;
+static struct radiusd_module *conf_module = NULL;
+static struct radiusd_client client;
-static struct radiusd_module *find_module (const char *);
-static void free_str_l (void *);
-static struct radiusd_module_ref *create_module_ref (const char *);
-static void radiusd_authentication_init (struct radiusd_authentication *);
-static void radiusd_client_init (struct radiusd_client *);
+static struct radiusd_module *find_module(const char *);
+static void free_str_l(void *);
+static struct radiusd_module_ref *create_module_ref(const char *);
+static void radiusd_authentication_init(struct radiusd_authentication *);
+static void radiusd_client_init(struct radiusd_client *);
+static const char
+ *default_module_path(const char *);
TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files);
static struct file {
%}
%token INCLUDE LISTEN ON PORT CLIENT SECRET LOAD MODULE MSGAUTH_REQUIRED
-%token AUTHENTICATE AUTHENTICATE_BY DECORATE_BY SET
+%token AUTHENTICATE AUTHENTICATE_BY BY DECORATE_BY SET
%token ERROR YES NO
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.number> optport
%type <v.listen> listen_addr
-%type <v.str_l> str_l
+%type <v.str_l> str_l optdeco
%type <v.prefix> prefix
%type <v.yesno> yesno
%type <v.string> strnum
%type <v.string> key
+%type <v.string> optstring
%%
grammar : /* empty */
freeaddrinfo(res);
}
;
-module : MODULE LOAD STRING STRING {
+module : MODULE STRING optstring {
+ const char *path = $3;
+ if (path == NULL && (path = default_module_path($2))
+ == NULL) {
+ yyerror("default path for `%s' is unknown.",
+ $2);
+ free($2);
+ free($3);
+ YYERROR;
+ }
+ conf_module = radiusd_module_load(conf, path, $2);
+ free($2);
+ free($3);
+ if (conf_module == NULL)
+ YYERROR;
+ TAILQ_INSERT_TAIL(&conf->module, conf_module, next);
+ conf_module = NULL;
+ }
+ | MODULE STRING optstring {
+ const char *path = $3;
+ if (path == NULL && (path = default_module_path($2))
+ == NULL) {
+ yyerror("default path for `%s' is unknown.",
+ $2);
+ free($2);
+ free($3);
+ YYERROR;
+ }
+ conf_module = radiusd_module_load(conf, path, $2);
+ free($2);
+ free($3);
+ if (conf_module == NULL)
+ YYERROR;
+ } '{' moduleopts '}' {
+ TAILQ_INSERT_TAIL(&conf->module, conf_module, next);
+ conf_module = NULL;
+ }
+ /* following syntaxes are for backward compatilities */
+ | MODULE LOAD STRING STRING {
struct radiusd_module *module;
if ((module = radiusd_module_load(conf, $4, $3))
== NULL) {
}
;
+moduleopts : moduleopts '\n' moduleopt
+ | moduleopt
+ ;
+moduleopt : /* empty */
+ | SET key str_l {
+ if ($2[0] == '_') {
+ yyerror("setting `%s' is not allowed", $2);
+ free($2);
+ free_str_l(&$3);
+ YYERROR;
+ }
+ if (radiusd_module_set(conf_module, $2, $3.c, $3.v)) {
+ yyerror("syntax error by module `%s'",
+ conf_module->name);
+ free($2);
+ free_str_l(&$3);
+ YYERROR;
+ }
+ free($2);
+ free_str_l(&$3);
+ }
+ ;
+
key : STRING
| SECRET { $$ = strdup("secret"); }
;
-authenticate : AUTHENTICATE {
+authenticate : AUTHENTICATE str_l BY STRING optdeco {
+ int i;
+ struct radiusd_authentication *auth;
+ struct radiusd_module_ref *modref, *modreft;
+
+ if ((auth = calloc(1,
+ sizeof(struct radiusd_authentication))) == NULL) {
+ yyerror("Out of memory: %s", strerror(errno));
+ goto authenticate_error;
+ }
+ modref = create_module_ref($4);
+ if ((auth->auth = create_module_ref($4)) == NULL)
+ goto authenticate_error;
+ auth->username = $2.v;
+ TAILQ_INIT(&auth->deco);
+ for (i = 0; i < $5.c; i++) {
+ if ((modref = create_module_ref($5.v[i]))
+ == NULL)
+ goto authenticate_error;
+ TAILQ_INSERT_TAIL(&auth->deco, modref, next);
+ }
+ TAILQ_INSERT_TAIL(&conf->authen, auth, next);
+ auth = NULL;
+ authenticate_error:
+ if (auth != NULL) {
+ free(auth->auth);
+ TAILQ_FOREACH_SAFE(modref, &auth->deco, next,
+ modreft) {
+ TAILQ_REMOVE(&auth->deco, modref, next);
+ free(modref);
+ }
+ free_str_l(&$2);
+ }
+ free(auth);
+ free($4);
+ free_str_l(&$5);
+ }
+ /* the followings are for backward compatibilities */
+ | AUTHENTICATE str_l optnl '{' {
radiusd_authentication_init(&authen);
- } str_l optnl '{' authopts '}' {
- struct radiusd_authentication *a;
+ authen.username = $2.v;
+ } authopts '}' {
+ int i;
+ struct radiusd_authentication *a;
if (authen.auth == NULL) {
- free_str_l(&$3);
yyerror("no authentication module specified");
+ for (i = 0; authen.username[i] != NULL; i++)
+ free(authen.username[i]);
+ free(authen.username);
YYERROR;
}
if ((a = calloc(1,
sizeof(struct radiusd_authentication))) == NULL) {
- free_str_l(&$3);
+ for (i = 0; authen.username[i] != NULL; i++)
+ free(authen.username[i]);
+ free(authen.username);
goto outofmemory;
}
a->auth = authen.auth;
authen.auth = NULL;
a->deco = authen.deco;
- a->username = $3.v;
-
+ a->username = authen.username;
TAILQ_INSERT_TAIL(&conf->authen, a, next);
}
;
+optdeco : { $$.c = 0; $$.v = NULL; }
+ | DECORATE_BY str_l { $$ = $2; }
+ ;
+
authopts : authopts '\n' authopt
| authopt
;
;
optnl :
| '\n'
+ ;
+optstring : { $$ = NULL; }
+ | STRING { $$ = $1; }
;
yesno : YES { $$ = true; }
| NO { $$ = false; }
static const struct keywords keywords[] = {
{ "authenticate", AUTHENTICATE},
{ "authenticate-by", AUTHENTICATE_BY},
+ { "by", BY},
{ "client", CLIENT},
{ "decorate-by", DECORATE_BY},
{ "include", INCLUDE},
{
int errors = 0;
struct radiusd_listen *l;
- struct radiusd_module_ref *m, *mt;
conf = radiusd;
radiusd_conf_init(conf);
l->sock = -1;
}
radiusd_authentication_init(&authen);
- TAILQ_FOREACH_SAFE(m, &authen.deco, next, mt) {
- TAILQ_REMOVE(&authen.deco, m, next);
- free(m);
- }
+ if (conf_module != NULL)
+ radiusd_module_unload(conf_module);
out:
conf = NULL;
return (errors ? -1 : 0);
{
memset(clnt, 0, sizeof(struct radiusd_client));
clnt->msgauth_required = true;
+}
+
+static const char *
+default_module_path(const char *name)
+{
+ unsigned i;
+ struct {
+ const char *name;
+ const char *path;
+ } module_paths[] = {
+ { "bsdauth", "/usr/libexec/radiusd/radiusd_bsdauth" },
+ { "radius", "/usr/libexec/radiusd/radiusd_radius" },
+ { "standard", "/usr/libexec/radiusd/radiusd_standard" }
+ };
+
+ for (i = 0; i < nitems(module_paths); i++) {
+ if (strcmp(name, module_paths[i].name) == 0)
+ return (module_paths[i].path);
+ }
+
+ return (NULL);
}
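Review bot: In the new `authenticate : AUTHENTICATE str_l BY STRING optdeco` action, the line `modref = create_module_ref($4);` directly before `if ((auth->auth = create_module_ref($4)) == NULL)` is a stray duplicate: its result is overwritten on the next line, so the reference it allocated is never freed (and any diagnostic create_module_ref emits would be printed twice), so that line should be dropped. In the same action the calloc-failure path jumps to `authenticate_error` with `auth == NULL`, which skips the `free_str_l(&$2)` inside the `if (auth != NULL)` block and leaks the username list; freeing `$2` before that `goto` (or tracking whether ownership moved into `auth->username`) closes it, and neither error path ends in `YYERROR`, which is only cosmetic if yyerror bumps the file's error count as the other actions assume — worth confirming. Separately, the two `MODULE STRING optstring` alternatives repeat the whole path-resolution and load sequence verbatim; folding the optional block into its own nonterminal lets one alternative carry that code, as sketched below, and `module_paths[]` in default_module_path could be `static const` so the table is not rebuilt on each call. The removed deco-list cleanup at end of parse (`TAILQ_FOREACH_SAFE(m, &authen.deco, ...)`) means refs collected in `authen.deco` by the compat `authopts` path are no longer released when a parse error leaves the block unfinished, unless radiusd_authentication_init (outside this diff) now does that — please verify.
```c
module		: MODULE STRING optstring {
			/* … unchanged: resolve path, radiusd_module_load(), free($2)/free($3), YYERROR on failure … */
		} optmoduleblock {
			TAILQ_INSERT_TAIL(&conf->module, conf_module, next);
			conf_module = NULL;
		}
		/* … unchanged: backward-compatible MODULE LOAD / MODULE SET alternatives … */
		;
optmoduleblock	: /* empty */
		| '{' moduleopts '}'
		;
```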
blob - 6df77ef50ffeda83ddcfb00c2fec78cc95494925
blob + 5d02722c678e52a9e47acc48528a0c19ee462de1
--- usr.sbin/radiusd/radiusd.conf.5
+++ usr.sbin/radiusd/radiusd.conf.5
-.\" $OpenBSD: radiusd.conf.5,v 1.19 2024/07/01 03:22:06 yasuoka Exp $
+.\" $OpenBSD: radiusd.conf.5,v 1.20 2024/07/02 00:00:12 yasuoka Exp $
.\"
.\" Copyright (c) 2014 Esdenera Networks GmbH
.\" Copyright (c) 2014, 2023 Internet Initiative Japan Inc.
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: July 1 2024 $
+.Dd $Mdocdate: July 2 2024 $
.Dt RADIUSD.CONF 5
.Os
.Sh NAME
Specify if message authentication is required.
The default is to require message authentication.
.El
-.It Ic module load Ar name path
-Load a module
-from
-.Ar path
-and name it with the given
-.Ar name .
-The following modules are available:
-.Bl -column "/usr/libexec/radiusd/radiusd_bsdauthXXX"
-.It Sy "Path" Ta Sy "Description"
-.It Pa /usr/libexec/radiusd/radiusd_bsdauth Ta Do bsdauth Dc module
-.It Pa /usr/libexec/radiusd/radiusd_radius Ta Do radius Dc module
-.It Pa /usr/libexec/radiusd/radiusd_standard Ta Do standard Dc module
-.El
+.It Ic module Ar name Oo Ar path Oc Op Brq ...
+Load a module.
+Specify one of the predefined names for
+.Ar name ,
+or specify
+.Ar name
+and
+.Ar path .
+When multiple modules of the same path are loaded with different names,
+each module can have configurations respectively and work independently.
+.Pp
+The following module are predefined:
.Bl -tag -width Ds
.It Do bsdauth Dc module
The
.Dq bsdauth
-module provides authentication from the local system's
+module
+provides authentication from the local system's
.Xr authenticate 3
-interface,
-known as
-.Dq bsd auth .
-It only supports PAP, password based authentication.
+interface.
+See
+.Xr radiusd_bsdauth 8 .
.It Do radius Dc module
The
.Dq radius
module provides authentication from upstream RADIUS servers.
+See
+.Xr radiusd_radius 8 .
.It Do standard Dc module
The
.Dq standard
-module provides standard decorations for Access-Request messages or its
-response messages.
+module provides standard decorations for RADIUS messages.
+See
+.Xr radiusd_standard 8 .
.El
-.It Ic module set Ar module key value ...
+.Pp
+It is optionally followed by a block of options enclosed in curly brackets.
+The following option can be used in the block:
+.Bl -tag -width Ds
+.It Ic set Ar key value ...
Configure the module specific configurations by
.Ar key
and
for the module specified by
.Ar module .
Notice that
-.Ar module ,
.Ar key ,
and
.Ar value
-must be quoted to be distinguished from the reserved word.
-.Pp
-The
-.Dq bsdauth
-module supports the following configuration key and value:
-.Bl -tag -width Ds -offset indent
-.It Ic restrict-group Ar group ...
-Restrict login only if the user is a member of the specified groups.
+must be quoted to be distinguished from the reserved word if needed.
.El
-.Pp
-The
-.Dq radius
-module supports the following configuration key and value:
-.Bl -tag -width Ds -offset indent
-.It Ic server Ar address Ns Op : Ns Ar port
-Specify the upstream server's address and port.
-If
-.Ar port
-is omitted, 1812 is used.
-This configuration can be specified multiple times.
-.It Ic secret Ar secret
-Specify the shared secret with the servers.
-This configuration cannot be omitted.
-.It Ic max-tries Ar number
-Specify the maximum number of retransmissions for a server.
-.Xr radiusd 8
-will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission
-and subsequent retransmissions will occur every 8 seconds.
-If the number of retransmissions per server reaches this value,
-the current server is marked as
-.Dq fail ,
-and the next server is used for subsequent requests.
-The default value is 3.
-.It Ic max-failovers Ar number
-If a positive number is specified,
-.Xr radiusd 8
-will failover to the next server
-when the current server is marked
-.Dq fail .
-This key and value specifies the maximum number of failovers.
-The default value is 0.
-.It Ic request-timeout Ar sec
-Specify the request timeout in seconds.
-If this value is specified,
-.Ar max-tries
-and
-.Ar max-failover
-will not be used.
-.El
-.Pp
-The
-.Dq standard
-module supports the following configuration key and value:
-.Pp
-.Bl -tag -width Ds -offset indent -compact
-.It Ic strip-atmark-realm Ar true | false
-Remove the realm part which starts with @
-.Pq atmark
-from the User-Name attribute of the Access-Request.
-.Pp
-.It Ic strip-nt-domain Ar true | false
-Remove NT domain which ends with \\
-.Pq backslash
-from the User-Name attribute of the Access-Request.
-.Pp
-.It Cm remove-request-attribute Oo Ar vendor Oc Ar type
-.It Cm remove-response-attribute Oo Ar vendor Oc Ar type
-Remove all the specified attributes from request or response
-messages of Access-Request.
-Specify
-.Ar type
-of the attribute in a decimal number.
-To specify a vendor attribute,
-specify the Vendor-Id
-in a decimal number for
-.Ar vendor .
-.El
-.It Ic authenticate Ar username-pattern ... Brq ...
+.It Ic authenticate Ar username-pattern ... Ic by Ar auth Oo Ic decorated-by \
+Ar deco ... Oc
Specify an authentication configuration for the users specified by
-.Ar username-pattern .
+.Ar username-pattern.
+The users matched by the pattern is authenticated by the module
+specified by
+.Ar auth .
Use shell globbing rules for the pattern;
multiple patterns can be specified by separating with space characters.
When multiple
setting whose
.Ar username-pattern
matches an authenticating user is used.
-It is followed by a block of options enclosed in curly brackets:
-.Bl -tag -width Ds
-.It Ic authenticate-by Ar module
-Specify the module name.
-.It Ic decorate-by Ar module
-Specify the module name.
+.Pp
+Optionally decoration modules can be specified by
+.Ar deco .
+The specified modules decorate the RADIUS messages in the configured order.
.El
-.El
.Sh FILES
-.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact
+.Bl -tag -width "/etc/examples/radiusd.conf" -compact
.It Pa /etc/radiusd.conf
Default
.Xr radiusd 8
configuration file.
.It Pa /etc/examples/radiusd.conf
Example configuration file.
-.It Pa /usr/libexec/radiusd/radiusd_bsdauth
-.Dq bsdauth
-module executable.
-.It Pa /usr/libexec/radiusd/radiusd_radius
-.Dq radius
-module executable.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
listen on ::
client 127.0.0.1/32 {
- secret "secret"
- msgauth-required no
+ secret "secret"
+ msgauth-required no
}
client 192.168.0.0/24 {
- secret "secret"
+ secret "secret"
}
-module load bsdauth "/usr/libexec/radiusd/radiusd_bsdauth"
-module set bsdauth restrict-group operator
+module bsdauth {
+ set restrict-group operator
+}
-module load radius "/usr/libexec/radiusd/radiusd_radius"
-module set radius secret "testing123"
-module set radius server "127.0.0.1"
+module radius {
+ set secret "testing123"
+ set server "127.0.0.1"
+}
-module load strip-realm "/usr/libexec/radiusd/radiusd_standard"
-module set strip-realm strip-atmark-realm true
-
-authenticate *@local {
- authenticate-by bsdauth
- decorate-by strip-realm
+module strip-realm "/usr/libexec/radiusd/radiusd_standard" {
+ set strip-atmark-realm true
}
-authenticate * {
- authenticate-by radius
-}
+
+authenticate *@local by bsdauth decorate-by strip-realm
+
+authenticate * by radius
.Ed
.Sh SEE ALSO
-.Xr authenticate 3 ,
-.Xr radiusd 8
+.Xr radiusd 8 ,
+.Xr radiusd_bsdauth 8 ,
+.Xr radiusd_radius 8 ,
+.Xr radiusd_standard 8
blob - f5e904d18c7b7250f6b312ff48ed2e0328abf7fc
blob + 008f6f4a127200abedcb3494555b042656ca3db3
--- usr.sbin/radiusd/radiusd_bsdauth/Makefile
+++ usr.sbin/radiusd/radiusd_bsdauth/Makefile
-# $OpenBSD: Makefile,v 1.2 2024/01/28 18:38:16 deraadt Exp $
+# $OpenBSD: Makefile,v 1.3 2024/07/02 00:00:12 yasuoka Exp $
PROG= radiusd_bsdauth
BINDIR= /usr/libexec/radiusd
SRCS= radiusd_bsdauth.c radiusd_module.c imsg_subr.c
LDADD+= -lradius -lcrypto -lutil
DPADD+= ${LIBRADIUS} ${LIBCRYPTO} ${LIBUTIL}
-NOMAN= #
+MAN= radiusd_bsdauth.8
.include <bsd.prog.mk>
blob - /dev/null
blob + 219eee0ea41cf3987a88dbc776414a9b9d75f5a3 (mode 644)
--- /dev/null
+++ usr.sbin/radiusd/radiusd_bsdauth.8
+.\" $OpenBSD: radiusd_bsdauth.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $
+.\"
+.\" Copyright (c) 2014 Esdenera Networks GmbH
+.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following requests are required for all man pages.
+.\"
+.Dd $Mdocdate: July 2 2024 $
+.Dt RADIUSD_BSDAUTH 8
+.Os
+.Sh NAME
+.Nm radiusd_bsdauth
+.Nd provide authentication by BSD authentication system
+.Sh SYNOPSIS
+.Nm radiusd_bsdauth
+.Sh DESCRIPTION
+The
+.Nm
+utility is executed by
+.Xr radiusd 8
+as a module to provide authentication from the local system's
+.Xr authenticate 3
+interface,
+known as
+.Dq bsd auth .
+It only supports PAP, password based authentication.
+.Sh CONFIGURATIONS
+The
+.Nm
+supports the following configuration key and value:
+.Bl -tag -width Ds
+.It Ic restrict-group Ar group ...
+Restrict login only if the user is a member of the specified groups.
+.El
+.Sh FILES
+.Bl -tag -width "/usr/libexec/radiusd/radiusd_bsdauth" -compact
+.It Pa /usr/libexec/radiusd/radiusd_bsdauth
+.Dq bsdauth
+module executable.
+.El
+.Sh SEE ALSO
+.Xr authenticate 3 ,
+.Xr radiusd 8 ,
+.Xr radiusd.conf 5
+.Sh HISTORY
+The
+.Nm
+daemon first appeared in
+.Ox 5.8 .
blob - 41aaac34f767f40a1eb774da34285a4a5ddfb915
blob + cd6d9731e9598a77a327d0a3120d45563b7f04b7
--- usr.sbin/radiusd/radiusd_radius/Makefile
+++ usr.sbin/radiusd/radiusd_radius/Makefile
-# $OpenBSD: Makefile,v 1.2 2024/01/28 18:38:16 deraadt Exp $
+# $OpenBSD: Makefile,v 1.3 2024/07/02 00:00:12 yasuoka Exp $
PROG= radiusd_radius
BINDIR= /usr/libexec/radiusd
SRCS= radiusd_radius.c radiusd_module.c util.c imsg_subr.c log.c
CFLAGS+= -DUSE_LIBEVENT
LDADD+= -lradius -lcrypto -lutil -levent
DPADD+= ${LIBRADIUS} ${LIBCRYPTO} ${LIBUTIL} ${LIBEVENT}
-NOMAN= #
+MAN= radiusd_radius.8
.include <bsd.prog.mk>
blob - 5dbea5e193b2edefcd3dd6df8db29fb91f4bb235
blob + d873dc2a86e823c4421f022fa3f60cbbd336b5c7
--- usr.sbin/radiusd/radiusd_standard/Makefile
+++ usr.sbin/radiusd/radiusd_standard/Makefile
-# $OpenBSD: Makefile,v 1.1 2023/09/08 05:56:22 yasuoka Exp $
+# $OpenBSD: Makefile,v 1.2 2024/07/02 00:00:12 yasuoka Exp $
PROG= radiusd_standard
BINDIR= /usr/libexec/radiusd
SRCS= radiusd_standard.c radiusd_module.c
LDADD= -lutil -lradius -lcrypto
-NOMAN= #
+MAN= radiusd_standard.8
.include <bsd.prog.mk>
blob - /dev/null
blob + 2ab83faf17498cdcd34b707de4576014ae9531e9 (mode 644)
--- /dev/null
+++ usr.sbin/radiusd/radiusd_radius.8
+.\" $OpenBSD: radiusd_radius.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $
+.\"
+.\" Copyright (c) 2014 Esdenera Networks GmbH
+.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following requests are required for all man pages.
+.\"
+.Dd $Mdocdate: July 2 2024 $
+.Dt RADIUSD_RADIUS 8
+.Os
+.Sh NAME
+.Nm radiusd_radius
+.Nd provide authentication from upstream RADIUS servers
+.Sh SYNOPSIS
+.Nm radiusd_radius
+.Sh DESCRIPTION
+The
+.Nm
+utility is executed by
+.Xr radiusd 8
+as a module to provide authentication from upstream RADIUS servers.
+.Sh CONFIGURATIONS
+The
+.Nm
+supports the following configuration key and value:
+.Bl -tag -width Ds
+.It Ic server Ar address Ns Op : Ns Ar port
+Specify the upstream server's address and port.
+If
+.Ar port
+is omitted, 1812 is used.
+This configuration can be specified multiple times.
+.It Ic secret Ar secret
+Specify the shared secret with the servers.
+This configuration cannot be omitted.
+.It Ic max-tries Ar number
+Specify the maximum number of retransmissions for a server.
+.Xr radiusd 8
+will retransmit 2, 6, 14, 22, and 30 seconds after the first transmission
+and subsequent retransmissions will occur every 8 seconds.
+If the number of retransmissions per server reaches this value,
+the current server is marked as
+.Dq fail ,
+and the next server is used for subsequent requests.
+The default value is 3.
+.It Ic max-failovers Ar number
+If a positive number is specified,
+.Xr radiusd 8
+will failover to the next server
+when the current server is marked
+.Dq fail .
+This key and value specifies the maximum number of failovers.
+The default value is 0.
+.It Ic request-timeout Ar sec
+Specify the request timeout in seconds.
+If this value is specified,
+.Ar max-tries
+and
+.Ar max-failover
+will not be used.
+.El
+.Sh FILES
+.Bl -tag -width "/usr/libexec/radiusd/radiusd_radius" -compact
+.It Pa /usr/libexec/radiusd/radiusd_radius
+.Dq radius
+module executable.
+.El
+.Sh HISTORY
+The
+.Nm
+daemon first appeared in
+.Ox 5.8 .
blob - /dev/null
blob + a75c9da3e970a8eec6665f41a9f1a88d62cb4df7 (mode 644)
--- /dev/null
+++ usr.sbin/radiusd/radiusd_standard.8
+.\" $OpenBSD: radiusd_standard.8,v 1.1 2024/07/02 00:00:12 yasuoka Exp $
+.\"
+.\" Copyright (c) 2014 Esdenera Networks GmbH
+.\" Copyright (c) 2014, 2024 Internet Initiative Japan Inc.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following requests are required for all man pages.
+.\"
+.Dd $Mdocdate: July 2 2024 $
+.Dt RADIUSD_STANDARD 8
+.Os
+.Sh NAME
+.Nm radiusd_standard
+.Nd provide standard decorations for RADIUS messages
+.Sh SYNOPSIS
+.Nm radiusd_standard
+.Sh DESCRIPTION
+The
+.Nm
+utility processes files ...
+.Sh CONFIGURATIONS
+The
+.Nm
+module supports the following configuration key and value:
+.Pp
+.Bl -tag -width Ds
+.It Ic strip-atmark-realm Ar true | false
+Remove the realm part which starts with @
+.Pq atmark
+from the User-Name attribute of the Access-Request.
+.Pp
+.It Ic strip-nt-domain Ar true | false
+Remove NT domain which ends with \\
+.Pq backslash
+from the User-Name attribute of the Access-Request.
+.Pp
+.It Cm remove-request-attribute Oo Ar vendor Oc Ar type
+.It Cm remove-response-attribute Oo Ar vendor Oc Ar type
+Remove all the specified attributes from request or response
+messages of Access-Request.
+Specify
+.Ar type
+of the attribute in a decimal number.
+To specify a vendor attribute,
+specify the Vendor-Id
+in a decimal number for
+.Ar vendor .
+.El
+.Sh FILES
+.Bl -tag -width "/usr/libexec/radiusd/radiusd_standard" -compact
+.It Pa /usr/libexec/radiusd/radiusd_standard
+.Dq standard
+module executable.
+.El
+.Sh HISTORY
+The
+.Nm
+daemon first appeared in
+.Ox 5.8 .