Provided by: yardradius_1.1.2-4ubuntu1_amd64

NAME

       radiusd_attributes - extended users attributes

DESCRIPTION

       This page describes the differences between the YARD RADIUS syntax of the users file and the `standard'
       one of Livingston RADIUS Daemon 2.1. A complete description of the syntax of that file is beyond the
       scope of this document.

       The users text file contains security and configuration information for each user. The first field is the
       user's name and can be up to 8 characters in length.  This is followed (on the same line) with  the  list
       of  authentication  requirements for that user.  This can include password, comm server name, comm server
       port number, and an expiration date of the user's password.  When an authentication request  is  received
       from the comm server, these values are tested.  Special users named "DEFAULT", "DEFAULT2", "DEFAULT3" can
       be created (and should be placed at the end of the user file) to  specify  what  to  do  with  users  not
       contained in the user file.

       Indented  (with the tab character) lines following the first line indicate the configuration values to be
       passed back to the comm server to allow the initiation of a user session.  This can include  things  like
       the PPP configuration values or the host to log the user onto.

       Again, a description of all attributes and values is not the topic of this document. See the NOTES
       section below for a complete reference.

YARD RADIUS ATTRIBUTES

       YARD RADIUS uses some private non-protocol attributes to support its specific features. They are integer
       or string attributes that you can set to control user access in various ways:

       Yard-Simultaneous-Use:
              The maximum number of simultaneous logins for a user.  It's a positive value.

       Yard-Time:
              It's  a  list  of  the access times (week day(s) and hours) during which the user is authorized to
              login.  It is a comma-separated list of items such as "Wk0800-1800,Sa0800-2400,Su0800-2400".  Each
              item follows a syntax like "DDHHMM-HHMM", where DD=Mo,Tu,We,Th,Fr,Sa,Su,Al,Wk and HHMM are the
              times of access in four-character form. 'Wk' means all 5 weekdays ('Mo'-'Fr') and 'Al' is the
              whole week.

       Yard-Max-Monthly-Time:
              The maximum number of hours the user can be on-line per month. It is a positive value.

       Yard-Max-Monthly-Traffic:
              The maximum number of Kbytes of traffic the user can accumulate per month. It is a positive value.

       Yard-Max-Daily-Time:

       Yard-Max-Daily-Traffic:

       Yard-Max-Yearly-Time:

       Yard-Max-Yearly-Traffic:
              At this point, all these attributes are obvious.

       Yard-Pam-Auth:
              This string is the name of the PAM authentication service to use instead of the default one, which
              is "yard". This is used to parse the pam.conf, or the pam.d directory to get the PAM module to use
              for auth/acct. You could prefer something like "radius", for instance.
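
       The Yard-Time syntax described above can be checked before a value goes into the users file. The
       following is an added example, not code from YARD RADIUS: the function names are hypothetical, and it
       assumes a window never wraps past midnight and that the end time is exclusive.

```python
import re
from datetime import datetime

# Day codes from the man page; Python weekday(): Monday=0 ... Sunday=6.
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4},
        "Sa": {5}, "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7))}
ITEM_RE = re.compile(r"(Mo|Tu|We|Th|Fr|Sa|Su|Al|Wk)(\d{2})(\d{2})-(\d{2})(\d{2})")


def _minutes(hh, mm):
    """Convert HHMM to minutes since midnight; 2400 is accepted as end of day."""
    h, m = int(hh), int(mm)
    if m > 59 or h > 24 or (h == 24 and m != 0):
        raise ValueError(f"invalid time {hh}{mm}")
    return h * 60 + m


def parse_yard_time(value):
    """Return a list of (weekdays, start_min, end_min) for a Yard-Time string."""
    windows = []
    for item in value.split(","):
        m = ITEM_RE.fullmatch(item.strip())
        if not m:
            raise ValueError(f"malformed Yard-Time item: {item!r}")
        start = _minutes(m.group(2), m.group(3))
        end = _minutes(m.group(4), m.group(5))
        # Assumption: a window stays within one day (no wrap past midnight).
        if end <= start:
            raise ValueError(f"empty or wrapping window: {item!r}")
        windows.append((DAYS[m.group(1)], start, end))
    return windows


def login_allowed(value, when):
    """True if `when` is inside any window (start inclusive, end exclusive: assumed)."""
    now = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= now < end
               for days, start, end in parse_yard_time(value))


if __name__ == "__main__":
    policy = "Wk0800-1800,Sa0800-2400,Su0800-2400"  # example string from the page
    # Constructed timestamps: a Monday before and at opening, and a Saturday night.
    for ts in ("2024-01-08 07:59", "2024-01-08 08:00", "2024-01-13 23:30"):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        print(ts, t.strftime("%a"), login_allowed(policy, t))
```

       A malformed item such as an unknown day code or a minute value above 59 raises ValueError instead of
       being silently ignored, which is the behaviour you want when validating access-control input.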

       YARD RADIUS also extends the predefined values of the standard Auth-Type attribute with the following
       ones:

       PAM    Use PAM authentication module. The service name can be specified with a Yard-Pam-Auth attribute;
              otherwise the default one, "yard", is used.

       System Use the system passwd file, with or without shadowing. Shadow support should be enabled when
              calling the `configure' script only if your system requires the use of getspnam() in order to get
              the encrypted password. Not all systems that support shadow passwords have that function. If your
              system has transparent shadowing support, you do not need to enable anything specific. Notably
              this is true for FreeBSD.

              If you like, you can also enable 'shadow expirations'. Systems which support this feature must
              have a compatible getspnam() with an expiration field in the spwd structure.   So,  enabling  this
              feature  implies  enabling  shadow  support.   When  shadow  expiration is enabled you can require
              system-based expirations by using a conventional attribute value like Expiration="SHADOW".

       Safeword
              Not yet supported.

       Defender
              Not yet supported.

       Besides the above attributes and values, many vendor-specific attributes and values are parsed and legal
       for the YARD RADIUS server. You can refer to the dictionary file for a complete list. Vendor attributes
       are useful only when the communication server is configured to send VSA mode requests. Some old
       communication servers could be unable to do this, and in that case you should manually modify the
       dictionary.

FILES

       /usr/conf/users
              This file contains the human readable information for users' accounting and authorization.

       /usr/conf/users.db
              The same as the previous one, as compiled by builddbm into GDBM format.

       /usr/conf/dictionary
              This read-only file contains the codes and formats for standard and vendor RADIUS protocol
              attributes and values along with their human readable representation. It is subject to change as
              support for new access servers is added. It is a plain text file with a plethora of comments in it.

       /usr/docs/rfc/rfc2138.txt
              Request For Comments about Remote Authentication Dial In User Service (RADIUS).

       /usr/docs/rfc/rfc2139.txt
              Request For Comments about RADIUS Accounting.

SEE ALSO

       radiusd(8), RFC2138, RFC2139

AUTHOR

       Francesco Paolo Lovergine <francesco@yardradius.org>.

       A complete list of contributors is contained in the CREDITS file. You should get that file among other
       ones within your distribution and possibly installed under the /usr/docs directory.

       Copyright (C) 1992-1999 Lucent Inc. All rights reserved.

       Copyright (C) 1999-2004 Francesco Paolo Lovergine. All rights reserved.

       See the LICENSE file enclosed within this software for conditions of use and distribution. This is a pure
       ISO BSD Open Source License.

NOTES

       See  the  RADIUS  for  UNIX  Administrator's  Guide  as a complete reference for all other attributes and
       values.  It is freely available at http://www.livingston.com/tech/docs/manuals.html at the time  of  this
       document. Note that many vendor attributes are described only within vendor's documentation.

       Currently the YARD RADIUS dictionary is updated with the vendor dictionaries from Cisco, Lucent, 3COM,
       Redback, Springtide, Nortel and possibly others, whenever available.