NAME
radiusd_attributes - YARD RADIUS extensions to the users file attributes
DESCRIPTION
This page describes the differences between the YARD RADIUS syntax of the
users file and the 'standard' one of the Livingston RADIUS Daemon 2.1. A
complete description of the syntax of that file is outside the scope of
this document.
The users text file contains security and configuration information for
each user. The first field is the user’s name and can be up to 8
characters in length. This is followed (on the same line) with the
list of authentication requirements for that user. This can include
password, comm server name, comm server port number, and an expiration
date of the user’s password. When an authentication request is
received from the comm server, these values are tested. Special users
named "DEFAULT", "DEFAULT2", "DEFAULT3" can be created (and should be
placed at the end of the user file) to specify what to do with users
not contained in the user file.
Indented lines (indented with the tab character) following the first line
give the configuration values to be passed back to the comm server to
allow the initiation of a user session. These can include things like
the PPP configuration values or the host to log the user onto. Again, a
description of all attributes and values is not the topic of this
document; see the NOTES section below for a complete reference.
YARD RADIUS ATTRIBUTES
YARD RADIUS uses some private, non-protocol attributes to support its
specific features. They are integer or string attributes that you can set
to restrict user access in the following ways:
Yard-Simultaneous-Use:
The maximum number of simultaneous logins allowed for the user. It
is a positive integer.
Yard-Time:
A list of the access times (week days and hours) during which the
user is authorized to log in. It is a comma-separated list of
items such as "Wk0800-1800,Sa0800-2400,Su0800-2400". Each item has
the form "DDHHMM-HHMM", where DD is one of Mo, Tu, We, Th, Fr, Sa,
Su, Al, Wk and the two HHMM fields are the start and end of the
allowed window, in 24-hour four-digit form. 'Wk' means the five
weekdays ('Mo' to 'Fr') and 'Al' means the whole week.
Yard-Max-Monthly-Time:
The maximum number of hours the user can be on-line per month. It
is a positive integer.
Yard-Max-Monthly-Traffic:
The maximum amount of traffic, in Kbytes, the user can accumulate
per month. It is a positive integer.
Yard-Max-Daily-Time:
Yard-Max-Daily-Traffic:
Yard-Max-Yearly-Time:
Yard-Max-Yearly-Traffic:
The daily and yearly counterparts of the two monthly limits above,
with the same units.
Yard-Pam-Auth:
This string is the name of the PAM service to use instead of the
default one, "yard". It is the service name looked up in pam.conf,
or in the pam.d directory, to select the PAM modules used for
authentication and accounting. You may prefer something like
"radius", for instance.
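The following is an added example, not code shipped with YARD RADIUS: a small Python parser for users-file entries (first line = user name, tab, check items; tab-indented lines = reply items, as described above) that evaluates the Yard-Time, Yard-Simultaneous-Use and Yard-Max-Monthly-Time items against a login attempt and resolves the PAM service name implied by Yard-Pam-Auth. The sample users file is constructed for this example. It assumes, since the page does not say so, that the Yard-* attributes appear among the check items on an entry's first line, that each HHMM-HHMM window is half-open (start inclusive, end exclusive, so "Sa0800-2400" covers Saturday from 08:00 to midnight), and that an unknown user falls back to the "DEFAULT" entry only (DEFAULT2/DEFAULT3 chaining is not modelled). The session and hour counters are passed in by the caller; in the real server they would come from accounting data.

```python
"""Added example (not part of YARD RADIUS): parse users-file entries and
evaluate the Yard-* check items against a login attempt.

Assumptions not stated on the page: Yard-* attributes are check items on
the entry's first line; a "HHMM-HHMM" window is half-open; unknown users
fall back to "DEFAULT" only.  USERS_FILE below is a constructed sample.
"""
import re
from datetime import datetime

# Constructed sample users file: first line = name, TAB, check items;
# TAB-indented lines = reply items returned to the comm server.
USERS_FILE = (
    'alice\tPassword = "s3cret", Yard-Time = "Wk0800-1800,Sa0800-2400,Su0800-2400", '
    'Yard-Simultaneous-Use = 2, Yard-Max-Monthly-Time = 100\n'
    '\tService-Type = Framed-User,\n'
    '\tFramed-Protocol = PPP\n'
    'bob\tAuth-Type = PAM, Yard-Pam-Auth = "radius"\n'
    '\tService-Type = Login-User\n'
    'DEFAULT\tAuth-Type = System, Expiration = "SHADOW"\n'
    '\tService-Type = Login-User\n'
)

# Attribute = value pairs; a quoted value may itself contain commas (Yard-Time does).
ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')
TIME_ITEM_RE = re.compile(r"(Mo|Tu|We|Th|Fr|Sa|Su|Al|Wk)(\d{4})-(\d{4})")
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4}, "Al": {0, 1, 2, 3, 4, 5, 6}}  # datetime.weekday(): Mo == 0


def parse_items(text):
    """Turn 'A = 1, B = "x, y"' into {"A": 1, "B": "x, y"}; digit-only values become ints."""
    items = {}
    for name, value in ITEM_RE.findall(text):
        if value.startswith('"'):
            value = value[1:-1]
        elif value.isdigit():
            value = int(value)
        items[name] = value
    return items


def parse_users(text):
    """Split the file into entries: a non-indented line starts a new entry."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("\t"):
            users[-1]["reply"].update(parse_items(line))
        else:
            name, _, checks = line.partition("\t")
            users.append({"name": name, "check": parse_items(checks), "reply": {}})
    return users


def at(iso):
    """Build a datetime from "YYYY-MM-DD HH:MM" (convenience for callers)."""
    return datetime.fromisoformat(iso)


def yard_time_allows(spec, when):
    """True if `when` falls inside any window of a Yard-Time list such as
    "Wk0800-1800,Sa0800-2400,Su0800-2400"; malformed items are rejected."""
    minute = when.hour * 60 + when.minute
    for item in spec.split(","):
        m = TIME_ITEM_RE.fullmatch(item.strip())
        if m is None:
            raise ValueError(f"malformed Yard-Time item: {item!r}")
        days, start, end = m.groups()
        start_min = int(start[:2]) * 60 + int(start[2:])
        end_min = int(end[:2]) * 60 + int(end[2:])      # "2400" -> 1440, end of day
        if when.weekday() in DAYS[days] and start_min <= minute < end_min:
            return True
    return False


def pam_service(check):
    """PAM service name (the pam.d file) for a PAM entry: Yard-Pam-Auth, else "yard"."""
    if check.get("Auth-Type") != "PAM":
        return None
    return check.get("Yard-Pam-Auth", "yard")


def authorize(users, name, when, active_sessions, monthly_hours):
    """Apply the Yard-* limits. Returns (allowed, matched entry name or reason)."""
    entry = next((u for u in users if u["name"] == name), None)
    if entry is None:
        entry = next((u for u in users if u["name"] == "DEFAULT"), None)
    if entry is None:
        return False, "no matching entry"
    check = entry["check"]
    if "Yard-Time" in check and not yard_time_allows(check["Yard-Time"], when):
        return False, "outside Yard-Time"
    if active_sessions >= check.get("Yard-Simultaneous-Use", float("inf")):
        return False, "Yard-Simultaneous-Use reached"
    if monthly_hours >= check.get("Yard-Max-Monthly-Time", float("inf")):
        return False, "Yard-Max-Monthly-Time exhausted"
    return True, entry["name"]


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    print(authorize(users, "alice", at("2024-01-10 09:00"), 1, 10))   # Wednesday 09:00
    print(authorize(users, "alice", at("2024-01-10 19:00"), 0, 0))    # after 18:00
    print(authorize(users, "carol", at("2024-01-10 09:00"), 0, 0))    # falls to DEFAULT
    print(pam_service(users[1]["check"]))
```

Note that the window end is treated as exclusive, so a Wednesday login at exactly 18:00 is refused under "Wk0800-1800" while 23:59 on Saturday is accepted under "Sa0800-2400"; if the server you run treats the end minute as inclusive, adjust the comparison in yard_time_allows.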
YARD RADIUS also extends the predefined values of the standard Auth-Type
attribute with the following ones:
PAM Use PAM authentication. The service name can be specified with a
Yard-Pam-Auth attribute; otherwise the default one, "yard", is
implied.
System Use the system passwd file, with or without shadowing. Shadow
support should be enabled when calling the 'configure' script only
if your system requires the use of getspnam() to obtain the
encrypted password. Not all systems that support shadow passwords
have that function. If your system has transparent shadowing
support, you do not need any specific enabling; notably, this is
true for FreeBSD.
Optionally, you can also enable 'shadow expirations'. Systems which
support this feature must have a getspnam() whose spwd structure
carries an expiration field, so enabling this feature implies
enabling shadow support. When shadow expiration is enabled you can
request system-based expirations by using the conventional
attribute value Expiration="SHADOW".
Safeword
Not yet supported.
Defender
Not yet supported.
Apart from the above attributes and values, many vendor-specific
attributes and values are parsed and legal for the YARD RADIUS server.
Refer to the dictionary file for a complete list. Vendor attributes are
useful only when the communication server is configured to send requests
in VSA mode. Some old communication servers may be unable to do this, and
in that case you have to modify the dictionary manually.
FILES
/usr/conf/users
This file contains the human-readable per-user authentication and
authorization information described above.
/usr/conf/users.db
The same content as the previous file, compiled by builddbm into
GDBM format.
/usr/conf/dictionary
This read-only file contains the codes and formats of the standard
and vendor RADIUS protocol attributes and values, along with their
human-readable representation. It is subject to change as support
for new access servers is added. It is a plain text file with a
plethora of comments in it.
/usr/docs/rfc/rfc2138.txt
Request For Comments about Remote Authentication Dial In User
Service (RADIUS).
/usr/docs/rfc/rfc2139.txt
Request For Comments about RADIUS Accounting.
SEE ALSO
radiusd(8), RFC2138, RFC2139
AUTHOR
Francesco Paolo Lovergine <francesco@yardradius.org>.
A complete list of contributors is contained in the CREDITS file. You
should find that file, among others, within your distribution, possibly
installed under the /usr/docs directory.
COPYRIGHT
Copyright (C) 1992-1999 Lucent Inc. All rights reserved.
Copyright (C) 1999-2004 Francesco Paolo Lovergine. All rights reserved.
See the LICENSE file enclosed with this software for the conditions of
use and distribution. It is a pure ISO BSD Open Source License.
NOTES
See the RADIUS for UNIX Administrator's Guide as a complete reference
for all other attributes and values. At the time of writing it is freely
available at http://www.livingston.com/tech/docs/manuals.html. Note that
many vendor attributes are described only in the vendor's own
documentation.
The YARD RADIUS dictionary is currently kept up to date with the vendor
dictionaries from Cisco, Lucent, 3COM, Redback, Springtide, Nortel and
possibly others, whenever available.