1 .\" Copyright 1998 Juniper Networks, Inc.
2 .\" All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
13 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 .\" $FreeBSD: src/lib/libradius/libradius.3,v 1.6.2.6 2002/11/27 17:36:00 archie Exp $
32 .Nd RADIUS client library
35 .Ft struct rad_handle *
36 .Fn rad_acct_open "void"
38 .Fn rad_add_server "struct rad_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int max_tries"
39 .Ft struct rad_handle *
40 .Fn rad_auth_open "void"
42 .Fn rad_close "struct rad_handle *h"
44 .Fn rad_config "struct rad_handle *h" "const char *file"
46 .Fn rad_continue_send_request "struct rad_handle *h" "int selected" "int *fd" "struct timeval *tv"
48 .Fn rad_create_request "struct rad_handle *h" "int code"
50 .Fn rad_cvt_addr "const void *data"
52 .Fn rad_cvt_int "const void *data"
54 .Fn rad_cvt_string "const void *data" "size_t len"
56 .Fn rad_get_attr "struct rad_handle *h" "const void **data" "size_t *len"
58 .Fn rad_get_vendor_attr "u_int32_t *vendor" "const void **data" "size_t *len"
60 .Fn rad_init_send_request "struct rad_handle *h" "int *fd" "struct timeval *tv"
62 .Fn rad_put_addr "struct rad_handle *h" "int type" "struct in_addr addr"
64 .Fn rad_put_attr "struct rad_handle *h" "int type" "const void *data" "size_t len"
66 .Fn rad_put_int "struct rad_handle *h" "int type" "u_int32_t value"
68 .Fn rad_put_string "struct rad_handle *h" "int type" "const char *str"
70 .Fn rad_put_vendor_addr "struct rad_handle *h" "int vendor" "int type" "struct in_addr addr"
72 .Fn rad_put_vendor_attr "struct rad_handle *h" "int vendor" "int type" "const void *data" "size_t len"
74 .Fn rad_put_vendor_int "struct rad_handle *h" "int vendor" "int type" "u_int32_t value"
76 .Fn rad_put_vendor_string "struct rad_handle *h" "int vendor" "int type" "const char *str"
78 .Fn rad_request_authenticator "struct rad_handle *h" "char *buf" "size_t len"
80 .Fn rad_send_request "struct rad_handle *h"
82 .Fn rad_server_secret "struct rad_handle *h"
84 .Fn rad_strerror "struct rad_handle *h"
88 library implements the client side of the Remote Authentication Dial
89 In User Service (RADIUS). RADIUS, defined in RFCs 2138 and 2139,
90 allows clients to perform authentication and accounting by means of
91 network requests to remote servers.
93 To use the library, an application must first call
98 .Va struct rad_handle * ,
99 which provides the context for subsequent operations.
100 The former function is used for RADIUS authentication and the
101 latter is used for RADIUS accounting.
106 always succeed unless insufficient virtual memory is available. If
107 the necessary memory cannot be allocated, the functions return
109 For compatibility with earlier versions of this library,
111 is provided as a synonym for
114 Before issuing any RADIUS requests, the library must be made aware
115 of the servers it can contact. The easiest way to configure the
119 causes the library to read a configuration file whose format is
122 The pathname of the configuration file is passed as the
126 This argument may also be given as
128 in which case the standard configuration file
132 returns 0 on success, or -1 if an error occurs.
134 The library can also be configured programmatically by calls to
138 parameter specifies the server host, either as a fully qualified
139 domain name or as a dotted-quad IP address in text form.
142 parameter specifies the UDP port to contact on the server. If
144 is given as 0, the library looks up the
148 service in the network services database, and uses the port found
149 there. If no entry is found, the library uses the standard RADIUS
150 ports, 1812 for authentication and 1813 for accounting.
151 The shared secret for the server host is passed to the
154 It may be any NUL-terminated string of bytes. The RADIUS protocol
155 ignores all but the leading 128 bytes of the shared secret.
156 The timeout for receiving replies from the server is passed to the
158 parameter, in units of seconds. The maximum number of repeated
159 requests to make before giving up is passed into the
163 returns 0 on success, or -1 if an error occurs.
166 may be called multiple times, and it may be used together with
168 At most 10 servers may be specified.
169 When multiple servers are given, they are tried in round-robin
170 fashion until a valid response is received, or until each server's
172 limit has been reached.
173 .Sh CREATING A RADIUS REQUEST
174 A RADIUS request consists of a code specifying the kind of request,
175 and zero or more attributes which provide additional information. To
176 begin constructing a new request, call
177 .Fn rad_create_request .
178 In addition to the usual
179 .Va struct rad_handle * ,
180 this function takes a
182 parameter which specifies the type of the request. Most often this
184 .Dv RAD_ACCESS_REQUEST .
185 .Fn rad_create_request
186 returns 0 on success, or -1 on if an error occurs.
188 After the request has been created with
189 .Fn rad_create_request ,
190 attributes can be attached to it. This is done through calls to
197 parameter identifying the attribute, and a value which may be
198 an Internet address, an integer, or a NUL-terminated string,
201 .Fn rad_put_vendor_addr ,
202 .Fn rad_put_vendor_int
204 .Fn rad_put_vendor_string
205 may be used to specify vendor specific attributes. Vendor specific
206 definitions may be found in
209 The library also provides a function
211 which can be used to supply a raw, uninterpreted attribute. The
213 argument points to an array of bytes, and the
215 argument specifies its length.
219 functions return 0 on success, or -1 if an error occurs.
220 .Sh SENDING THE REQUEST AND RECEIVING THE RESPONSE
221 After the RADIUS request has been constructed, it is sent either by means of
223 or by a combination of calls to
224 .Fn rad_init_send_request
226 .Fn rad_continue_send_request .
230 function sends the request and waits for a valid reply,
231 retrying the defined servers in round-robin fashion as necessary.
232 If a valid response is received,
234 returns the RADIUS code which specifies the type of the response.
235 This will typically be
236 .Dv RAD_ACCESS_ACCEPT ,
237 .Dv RAD_ACCESS_REJECT ,
239 .Dv RAD_ACCESS_CHALLENGE .
240 If no valid response is received,
244 As an alternative, if you do not wish to block waiting for a response,
245 .Fn rad_init_send_request
247 .Fn rad_continue_send_request
248 may be used instead. If a reply is received from the RADIUS server or a
249 timeout occurs, these functions return a value as described for
250 .Fn rad_send_request .
251 Otherwise, a value of zero is returned and the values pointed to by
255 are set to the descriptor and timeout that should be passed to
258 .Fn rad_init_send_request
259 must be called first, followed by repeated calls to
260 .Fn rad_continue_send_request
261 as long as a return value of zero is given.
262 Between each call, the application should call
266 as a read descriptor and timing out after the interval specified by
269 .Fn rad_continue_send_request
270 should be called with
272 set to a non-zero value if
274 indicated that the descriptor is readable.
276 Like RADIUS requests, each response may contain zero or more
277 attributes. After a response has been received successfully by
280 .Fn rad_continue_send_request ,
281 its attributes can be extracted one by one using
285 is called, it gets the next attribute from the current response, and
286 stores a pointer to the data and the length of the data via the
291 respectively. Note that the data resides in the response itself,
292 and must not be modified.
295 returns the RADIUS attribute type.
296 If no more attributes remain in the current response,
299 If an error such as a malformed attribute is detected, -1 is
305 .Dv RAD_VENDOR_SPECIFIC ,
306 .Fn rad_get_vendor_attr
307 may be called to determine the vendor.
308 The vendor specific RADIUS attribute type is returned.
309 The reference parameters
313 .Pq as returned from Fn rad_get_attr
315 .Fn rad_get_vendor_attr ,
316 and are adjusted to point to the vendor specific attribute data.
318 The common types of attributes can be decoded using
323 These functions accept a pointer to the attribute data, which should
324 have been obtained using
327 .Fn rad_get_vendor_attr .
332 must also be given. These functions interpret the attribute as an
333 Internet address, an integer, or a string, respectively, and return
336 returns its value as a NUL-terminated string in dynamically
337 allocated memory. The application should free the string using
339 when it is no longer needed.
341 If insufficient virtual memory is available,
351 .Fn rad_request_authenticator
352 function may be used to obtain the Request-Authenticator attribute value
353 associated with the current RADIUS server according to the supplied
359 must be supplied and should be at least 16 bytes.
360 The return value is the number of bytes written to
362 or -1 to indicate that
364 was not large enough.
367 .Fn rad_server_secret
368 returns the secret shared with the current RADIUS server according to the
370 .Sh OBTAINING ERROR MESSAGES
371 Those functions which accept a
372 .Va struct rad_handle *
373 argument record an error message if they fail. The error message
374 can be retrieved by calling
376 The message text is overwritten on each new error for the given
377 .Va struct rad_handle * .
378 Thus the message must be copied if it is to be preserved through
379 subsequent library calls using the same handle.
381 To free the resources used by the RADIUS library, call
384 The following functions return a non-negative value on success. If
385 they detect an error, they return -1 and record an error message
386 which can be retrieved using
389 .Bl -item -offset indent -compact
395 .Fn rad_create_request
407 .Fn rad_init_send_request
409 .Fn rad_continue_send_request
414 The following functions return a
416 pointer on success. If they are unable to allocate sufficient
417 virtual memory, they return
419 without recording an error message.
421 .Bl -item -offset indent -compact
435 .%T "Remote Authentication Dial In User Service (RADIUS)"
440 .%T RADIUS Accounting
444 This software was originally written by
448 project by Juniper Networks, Inc.
449 Oleg Semyonov subsequently added the ability to perform RADIUS