summaryrefslogtreecommitdiff
path: root/pam_radius_auth.5
blob: b4b67f8be58c37ac2971fd9a3d358c2acd904d1a (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

.TH pam_radius_auth 5
.\" Copyright 2017, 2018 Cumulus Networks, Inc.  All rights reserved.
.SH NAME
pam_radius_auth.conf \- RADIUS client configuration file
.SH SYNOPSIS
.B /etc/pam_radius_auth.conf
is the RADIUS client configuration file for the PAM RADIUS client plugin.
It contains the information on how to reach the RADIUS server(s), and
because it contains the shared secret key, should be mode 600 and owned
by root.
.SH DESCRIPTION
Other PAM-specific options are described in the
.BR pam_radius_auth (8)
manpage, and must be added to the PAM configuration files.
.PP
By default, all components source this file, enabling a single point of
configuration for the TACACS server(s), debug settings, etc.
.PP
Not all keywords use all fields.
.TP
.I debug
Output PAM and RADIUS communication debugging information via syslog(3).
.TP
.I  server[:port] secret [timeout] [src_ip]
the port name or number is optional.  The default ports are not
part of the code base, and are retrieved from the services database, e.g.
.IR /etc/services .
The ports used are
.B radius
for authentication and
.B radacct
for accounting.
If the port is specified as numeric, port+1 is used as the accounting
port.   If a name is used for the port that is not
.BR radius ,
.B radacct
is still used for accounting.   There is no way to specify a port to
be used just for accounting.
.P
The timeout field is optional.  The default timeout is 3 seconds.
.IP
For IPv6 literal addresses, the address has to be surrounded  by
square  brackets as usual. E.g. [2001:0db8:85a3::4].
.IP
If multiple RADIUS server lines exist, they are tried in order.  The
first server to return success or failure causes the module to return
success or failure.  Only if a server fails to response is it skipped,
and the next server in turn is used.
.IP
The optional timeout field controls how many seconds the module waits before
deciding that the server has failed to respond.  It currently must be
less than 60.
.IP
The optional src_ip may be used to configure the source IP address used
in the RADIUS packets to the server.  The timeout field must be set if
setting the src_ip is desired
.TP
.I vrf-name VRFNAME
If the management network is in a VRF, set this variable to the VRF name. This
would  usually  be  "mgmt".  This is not normally needed with PAM.
.TP
.I priv-lvl VALUE
This sets the minimum privilege level in VSA attribute
.B shell:priv-lvl=VALUE
to be considered a
privileged login (ability to configure via nclu 'net' commands, and able to sudo.
The default is 15.  The range is 0-15.  Only matters when the VSA attribute is
returned.
.TP
.I mapped_priv_user accountname
This sets the name of the privileged mapping account in /etc/passwd.
It must match the privileged account name in
.IR nss_mapuser (5)
for correct operation.
.SH "SEE ALSO"
.BR pam_radius_auth (8),
.BR nss_mapuser (5)
.SH FILES
.I /etc/pam_radius_auth.conf
- RADIUS client configuration parameters
.SH AUTHOR
Dave Olson <olson@cumulusnetworks.com>
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-19 18:46:08 +0000