NAME
radiusd_attributes - extended users attributes
DESCRIPTION
This page describes the differences between the YARD RADIUS syntax of the
users file and the `standard' one of Livingston RADIUS Daemon 2.1. A complete
description of the syntax of that file is beyond the scope of this document.
The
users text file contains security and configuration information for
each user. The first field is the user's name and can be up to 8 characters in
length. This is followed (on the same line) with the list of authentication
requirements for that user. This can include password, comm server name, comm
server port number, and an expiration date of the user's password. When an
authentication request is received from the comm server, these values are
tested. Special users named "DEFAULT", "DEFAULT2",
"DEFAULT3" can be created (and should be placed at the end of the
user file) to specify what to do with users not contained in the user file.
Indented (with the tab character) lines following the first line indicate the
configuration values to be passed back to the comm server to allow the
initiation of a user session. This can include things like the PPP
configuration values or the host to log the user onto.
Again, a description of all attributes and values is not the topic of this
document. See the NOTES section below for a complete reference.
YARD RADIUS ATTRIBUTES
YARD RADIUS uses some private non-protocol attributes to support its specific
features. They are integer or string attributes that you can set to control
user access in various ways:
- Yard-Simultaneous-Use:
- The maximum number of simultaneous logins for a user. It's
a positive value.
- Yard-Time:
- It's a list of the access times (week day(s) and hours)
during which the user is authorized to login. It is a comma-separated list
of items such as "Wk0800-1800,Sa0800-2400,Su0800-2400". Each
item follows a syntax like "DDHHMM-HHMM", where
DD=Mo,Tu,We,Th,Fr,Sa,Su,Al,Wk and HHMM are the times of access in 4
characters form. 'Wk' means all 5 weekdays ('Mo'-'Fr') and 'Al' is the
whole week.
- Yard-Max-Monthly-Time:
- The maximum number of hours the user can be on-line
per month. It is a positive value.
- Yard-Max-Monthly-Traffic:
- The maximum number of Kbytes of traffic the user can
accumulate per month. It is a positive value.
- Yard-Max-Daily-Time:
- Yard-Max-Daily-Traffic:
- Yard-Max-Yearly-Time:
- Yard-Max-Yearly-Traffic:
- By analogy with the monthly ones, the meaning of these attributes is obvious.
- Yard-Pam-Auth:
- This string is the name of the PAM authentication service
to use instead of the default one, which is "yard". This is used
to parse pam.conf, or the pam.d directory, to get the PAM
module to use for auth/acct. You may prefer something like
"radius", for instance.
YARD RADIUS also extends the predefined values of the standard Auth-Type
attribute with the following ones:
- PAM
- Use the PAM authentication module. The service name can be
specified with a Yard-Pam-Auth attribute; otherwise the default
one, "yard", is implied.
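As an added illustration of the Yard-Time syntax described above (this is not code from YARD RADIUS itself), the following parser expands the "DDHHMM-HHMM" items, including the 'Wk' and 'Al' day groups, into per-day windows and checks whether a login at a given moment is permitted. It assumes the start of a window is inclusive and the end exclusive, and that "2400" is accepted only as an end time.

```python
import re
from datetime import datetime

# Day codes from the man page; 'Wk' expands to Mo-Fr and 'Al' to the whole week.
_DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
_GROUPS = {"Wk": _DAYS[:5], "Al": _DAYS}
_ITEM = re.compile(r"^(Mo|Tu|We|Th|Fr|Sa|Su|Al|Wk)(\d{4})-(\d{4})$")


def _minutes(hhmm: str) -> int:
    """Convert a 4-digit HHMM field to minutes since midnight (2400 -> 1440)."""
    h, m = int(hhmm[:2]), int(hhmm[2:])
    if h > 24 or m > 59 or (h == 24 and m != 0):
        raise ValueError(f"bad time field {hhmm!r}")
    return h * 60 + m


def parse_yard_time(value: str) -> dict:
    """Parse a Yard-Time string into {day_code: [(start_min, end_min), ...]}."""
    windows = {d: [] for d in _DAYS}
    for item in value.split(","):
        match = _ITEM.match(item.strip())
        if not match:
            raise ValueError(f"malformed Yard-Time item {item!r}")
        code, start, end = match.groups()
        s, e = _minutes(start), _minutes(end)
        if s >= e:  # assumption: a window must be non-empty (start before end)
            raise ValueError(f"empty window in {item!r}")
        for day in _GROUPS.get(code, [code]):
            windows[day].append((s, e))
    return windows


def is_valid_yard_time(value: str) -> bool:
    """True if the whole Yard-Time string parses cleanly."""
    try:
        parse_yard_time(value)
        return True
    except ValueError:
        return False


def login_allowed(value: str, when_iso: str) -> bool:
    """True if a login at the ISO-8601 local timestamp falls inside a window."""
    when = datetime.fromisoformat(when_iso)
    day = _DAYS[when.weekday()]  # weekday(): Monday == 0, matching _DAYS order
    t = when.hour * 60 + when.minute
    return any(s <= t < e for s, e in parse_yard_time(value)[day])
```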
- System
- Use system passwd file with or without shadowing. Shadow
support should be enabled when calling the `configure' script only if your
system requires the use of getspnam() in order to get the encrypted
password. Not all systems that support shadow password have that function.
If your system has a transparent shadowing support, you do not need any
specific enabling. Notably this is true for FreeBSD.
If you wish, you can also enable 'shadow expirations'. Systems which
support this feature must have a compatible getspnam() with an expiration
field in the spwd structure, so enabling this feature implies enabling
shadow support. When shadow expiration is enabled you can require
system-based expirations by using a conventional attribute value like
Expiration="SHADOW".
- Safeword
- Not yet supported.
- Defender
- Not yet supported.
Apart from the above attributes and values, many vendor specific attributes and
values are parsed and legal for the YARD RADIUS server. You can refer to the
dictionary file for a complete list. Vendor attributes are useful only
when the communication server is configured to send VSA mode requests. Some
old communication servers could be unable to do this, and in that case you
should modify the dictionary manually.
FILES
- /usr/conf/users
- This file contains the human readable information for
users' accounting and authorization.
- /usr/conf/users.db
- The same as the previous one, compiled by
builddbm into GDBM format.
- /usr/conf/dictionary
- This read-only file contains the codes and formats for
standard and vendor RADIUS protocol attributes and values along with their
human readable representation. It is subject to change as support for new
access servers is added. It is a plain text file with a plethora of comments in
it.
- /usr/docs/rfc/rfc2138.txt
- Request For Comments about Remote Authentication Dial In
User Service (RADIUS).
- /usr/docs/rfc/rfc2139.txt
- Request For Comments about RADIUS Accounting.
SEE ALSO
radiusd(8), RFC2138, RFC2139
AUTHOR
Francesco Paolo Lovergine <francesco@yardradius.org>.
A complete list of contributors is contained in the CREDITS file. You should get
that file among others within your distribution, possibly installed
under the /usr/docs directory.
COPYRIGHT
Copyright (C) 1992-1999 Lucent Inc. All rights reserved.
Copyright (C) 1999-2004 Francesco Paolo Lovergine. All rights reserved.
See the LICENSE file enclosed within this software for conditions of use and
distribution. This is a pure ISO BSD Open Source License.
NOTES
See the RADIUS for UNIX Administrator's Guide as a complete reference for
all other attributes and values. It is freely available at
http://www.livingston.com/tech/docs/manuals.html at the time of this
document. Note that many vendor attributes are described only within the
vendor's documentation.
Currently the YARD RADIUS dictionary is updated with vendor dictionaries from
Cisco, Lucent, 3COM, Redback, Springtide, Nortel and possibly others, whenever
available.