radiusd_attributes

Langue: en

Version: Aug 25, 2004 (debian - 07/07/09)

Section: 5 (Format de fichier)

NAME

radiusd_attributes - extended users attributes

DESCRIPTION

This page describes the differences between YARD RADIUS syntax of users file and the `standard' one of Livingston RADIUS Daemon 2.1. A complete description of the syntax of that file is not the scope of this document.

The users text file contains security and configuration information for each user. The first field is the user's name and can be up to 8 characters in length. This is followed (on the same line) with the list of authentication requirements for that user. This can include password, comm server name, comm server port number, and an expiration date of the user's password. When an authentication request is received from the comm server, these values are tested. Special users named "DEFAULT", "DEFAULT2", "DEFAULT3" can be created (and should be placed at the end of the user file) to specify what to do with users not contained in the user file.

Indented (with the tab character) lines following the first line indicate the configuration values to be passed back to the comm server to allow the initiation of a user session. This can include things like the PPP configuration values or the host to log the user onto.

Again, a description of all attributes and values is not the topic of this document. See NOTES section below for a complete reference about.

YARD RADIUS ATTRIBUTES

YARD RADIUS uses some private non-protocol attributes to support its specific features. They are integer or string attributes that you could set to manage in some ways user accesses:
Yard-Simultaneous-Use:
The maximum number of simultaneous logins for a user. It's a positive value.
Yard-Time:
It's a list of the access times (week day(s) and hours) during which the user is authorized to login. It is a comma-separated list of items such as "Wk0800-1800,Sa0800-2400,Su0800-2400". Each item follows a syntax like "DDHHMM-HHMM", where DD=Mo,Tu,We,Th,Fr,Sa,Su,Al,Wk and HHMM are the times of access in 4 characters form. 'Wk' means all 5 weekdays ('Mo'-'Fr') and 'Al' is the whole week.
Yard-Max-Monthly-Time:
The maximum number of on-line hours the user can be on-line per month. It is a positive value.
Yard-Max-Monthly-Traffic:
The maximum number of Kbytes of traffic the user can totalize per month. It is a positive value.

Yard-Max-Daily-Time:

Yard-Max-Daily-Traffic:

Yard-Max-Yearly-Time:

Yard-Max-Yearly-Traffic:
At this point, all these attributes are obvious.
Yard-Pam-Auth:
This string is the name of the PAM authentication service to use instead of the default one, which is "yard". This is used to parse the pam.conf, or the pam.d directory to get the PAM module to use for auth/acct. You could prefer something like "radius", for instance.

YARD RADIUS extends also the predefined values of the standard Auth-Type attribute, with the following ones:

PAM
Use PAM authentication module. The service name could be specified with a Yard-Pam-Auth attribute or it implies the default one "yard".
System
Use system passwd file with or without shadowing. Shadow support should be enabled when calling the `configure' script only if your system requires the use of getspnam() in order to get the encrypted password. Not all systems that support shadow password have that function. If your system has a transparent shadowing support, you do not need any specific enabling. Notably this is true for FreeBSD.

If you like so, you can also enable 'shadow expirations'. Systems which support this feature must have a compatible getspnam() with an expiration field in the spwd structure. So, enabling this feature implies enabling shadow support. When shadow expiration is enabled you can require system-based expirations by using a conventional attribute value like Expiration="SHADOW".

Safeword
Not yet supported.
Defender
Not yet supported.

But for the above attributes and values, many vendor specific attributes and values are parsed and legal for YARD RADIUS server. You can refer to the dictionary file for a complete list. Vendor attributes are useful only when the communication server is configured to send VSA mode requests. Some old communication servers could be unable to do this, and in that case you should modify manually the dictionary.

FILES

/usr/conf/users
This file contains the human readable information for users' accounting and authorization.
/usr/conf/users.db
The same of the previous one as compiled in by builddbm in GDBM format.
/usr/conf/dictionary
This read-only file contains the codes and formats for standard and vendor RADIUS protocol attributes and values along with their human readable representation. It is subject to change, due to new access server supports. It is a plain text file with a pletora of comments in it.
/usr/docs/rfc/rfc2138.txt
Request For Comments about Remote Authentication Dial In User Service (RADIUS).
/usr/docs/rfc/rfc2139.txt
Request For Comments about RADIUS Accounting.

SEE ALSO

radiusd(8), RFC2138, RFC2139

AUTHOR

Francesco Paolo Lovergine <francesco@yardradius.org>.

A complete list of contributors is contained in CREDITS file. You should get that file among other ones within your distribution and possibly installed under /usr/docs directory

Copyright (C) 1992-1999 Lucent Inc. All rights reserved.

Copyright (C) 1999-2004 Francesco Paolo Lovergine. All rights reserved.

See the LICENSE file enclosed within this software for conditions of use and distribution. This is a pure ISO BSD Open Source License .

NOTES

See the RADIUS for UNIX Administrator's Guide as a complete reference for all other attributes and values. It is freely available at http://www.livingston.com/tech/docs/manuals.html at the time of this document. Note that many vendor attributes are described only within vendor's documentation.

Currently YARD RADIUS dictionary is updated with vendor's dictionary by Cisco, Lucent, 3COM, Redback, Springtide, Nortel and possibly others, whenever available.