NAME
radiusd_ipcp — provides IP configuration and manages IP address pool
SYNOPSIS
radiusd_ipcp
DESCRIPTION
The radiusd_ipcp module is executed by radiusd(8) as a module to provide IP configuration through RADIUS Access-Accept messages and manages the IP address pool through RADIUS accounting messages. The internal sessions can be shown or monitored by radiusctl(8). radiusd_ipcp also provides session timeouts and disconnects requested by radiusctl(8) through the Dynamic Authorization Extension (DAE, RFC 5176).
CONFIGURATIONS
To use the radiusd_ipcp module, it should be configured as a decoration module of the authentication and as an accounting module.

    authenticate * by (any auth module) decorate-by ipcp
    account * to ipcp

The radiusd_ipcp module supports the following configuration keys and values:

address pool address-space ...
    Specify the IP address spaces that are pooled. The address-space can be specified by an address range (e.g. 192.168.1.1-192.168.1.199) or an address mask (e.g. 192.168.1.0/24). The pooled addresses are used for dynamic assignment.

address static address-space ...
    Specify the IP address spaces that are pooled for static assignment. The address-space uses the same syntax as address pool, above.

name-server primary-address [secondary-address]
    Specify the DNS servers' IP addresses.

netbios-server primary-address [secondary-address]
    Specify the NetBIOS name servers' IP addresses.

session-timeout seconds | “radius”
    Specify the session-timeout in seconds, or “radius”. radiusd_ipcp disconnects the session through DAE at the specified time after starting. When “radius” is specified, the value of the Session-Timeout attribute in Access-Accept is used for the timeout. Configure dae server to use this option.

dae server address[:port] secret [nas-id]
    Configure a DAE server to which radiusd_ipcp sends disconnection requests for sessions. Specify the address, optionally the port number, and the secret. If the optional nas-id is specified, the server is selected only for sessions whose NAS-Identifier matches the specified value. The default port number is 3799.

max-sessions number
    Specify the maximum number of sessions. ‘0’ means no limit. The default value is 0.

user-max-sessions number
    Specify the maximum number of sessions per user. ‘0’ means no limit. The default value is 0.

start-wait seconds
    Specify how many seconds to wait for the RADIUS Accounting Start for the session after Access-Accept. radiusd_ipcp preserves the assigned IP address for that period. The default value is 60 seconds.

FILES
/usr/libexec/radiusd/radiusd_ipcp
    “ipcp” module executable.
EXAMPLES
An example with radiusd_ipcp working with npppd(8):

/etc/radiusd.conf:

    listen on 127.0.0.1
    listen on 127.0.0.1 accounting

    client 127.0.0.1/32 {
        secret "SECRET"
    }

    module radius {
        set secret "SECRET2"
        set server 192.168.0.4:1812
    }

    module ipcp {
        set address pool 192.168.1.0/24
        set name-server 192.168.0.4
        set max-sessions 128
        set user-max-sessions 2
        set dae server 127.0.0.1 "SECRET3"
        set session-timeout radius
    }

    authenticate * by radius decorate-by ipcp
    account * to ipcp

/etc/npppd/npppd.conf:

    tunnel L2TP protocol l2tp {
        listen on 192.0.2.51
    }
    ipcp IPCP {
        pool-address 192.168.1.2-192.168.1.255 for dynamic
    }
    interface pppac0 address 192.168.1.1 ipcp IPCP
    authentication RADIUS type radius {
        authentication-server {
            address 127.0.0.1 secret "SECRET"
        }
        accounting-server {
            address 127.0.0.1 secret "SECRET"
        }
    }
    bind tunnel from L2TP authenticated by RADIUS to pppac0

    radius dae listen on 127.0.0.1
    radius dae client 127.0.0.1 secret "SECRET3"
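
The DAE secret configured above is what authenticates each Disconnect-Request on the wire. The following Python sketch is an added example, not part of this manual page or of the radiusd_ipcp source: it builds a Disconnect-Request with the RFC 5176 Request Authenticator and verifies it as a receiving DAE server would. The function names, the identifier 7, the user name and the session id are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40             # RFC 5176 packet code
USER_NAME, ACCT_SESSION_ID = 1, 44  # RADIUS attribute types

def encode_attrs(attrs):
    """Encode (type, bytes) pairs as RADIUS TLVs; length includes the 2-octet header."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def request_authenticator(code, ident, body, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + bytes(16) + body + secret).digest()

def build_disconnect_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    auth = request_authenticator(DISCONNECT_REQUEST, ident, body, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body)) + auth + body

def verify_disconnect_request(packet, secret):
    """Return the decoded attributes if the packet is authentic, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    if not hmac.compare_digest(request_authenticator(code, ident, body, secret), packet[4:20]):
        return None
    attrs, pos = [], 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs if pos == len(body) else None

# Constructed sample: "SECRET3" is the DAE secret from the example configuration;
# the identifier, user name and session id are made up for illustration.
SAMPLE = build_disconnect_request(7, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000002a")], b"SECRET3")
```

A request verifies only when both ends hold the same secret, which is why the dae server secret in radiusd.conf and the radius dae client secret in npppd.conf are the same string in the example above.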
SEE ALSO
authenticate(3), radiusd.conf(5), npppd(8), radiusctl(8), radiusd(8)
HISTORY
The radiusd_ipcp module first appeared in OpenBSD 7.6.