NAME
radiusd_ipcp — provides IP configuration and manages IP address pool
SYNOPSIS
radiusd_ipcp
DESCRIPTION
The radiusd_ipcp module is executed by radiusd(8) as a module. It provides IP configuration through RADIUS Access-Accept messages and manages the IP address pool through RADIUS accounting messages. The internal sessions can be shown or monitored by radiusctl(8). radiusd_ipcp also provides session timeouts and disconnects requested by radiusctl(8) through the Dynamic Authorization Extension (DAE, RFC 5176).
CONFIGURATIONS
To use the radiusd_ipcp module, configure it as a decoration module for authentication and as an accounting module.

    authenticate * by (any auth module) decorate-by ipcp
    account * to ipcp

The radiusd_ipcp module supports the following configuration keys and values:

address pool address-space ...
    Specify the IP address spaces that are pooled. The address-space can be specified by an address range (e.g. 192.168.1.1-192.168.1.199) or an address mask (e.g. 192.168.1.0/24). The pooled addresses are used for dynamic assignment.

address static address-space ...
    Specify the IP address spaces that are pooled for static assignment. The address-space uses the same syntax as address pool, above.

name-server primary-address [secondary-address]
    Specify the DNS servers' IP addresses.

netbios-server primary-address [secondary-address]
    Specify the NetBIOS name servers' IP addresses.

session-timeout seconds | “radius”
    Specify the session-timeout in seconds, or “radius”. radiusd_ipcp disconnects the session through DAE at the specified time after starting. When “radius” is specified, the value of the Session-Timeout attribute in Access-Accept is used for the timeout. When the value is specified in seconds and the Session-Timeout attribute is specified for a session, the Session-Timeout attribute value takes precedence. Configure dae server to use this option.

dae server address[:port] secret [nas-id]
    Configure a DAE server to which radiusd_ipcp sends disconnection requests for sessions. Specify the address, optionally the port number, and the secret. If the optional nas-id is specified, the server is selected only for sessions whose NAS-Identifier matches the specified value. The default port number is 3799.

max-sessions number
    Specify the maximum number of sessions. ‘0’ means no limit. The default value is 0.

user-max-sessions number
    Specify the maximum number of sessions per user. ‘0’ means no limit. The default value is 0.

start-wait seconds
    Specify the number of seconds to wait for the RADIUS Accounting Start for the session after Access-Accept. radiusd_ipcp preserves the assigned IP address for that period. The default value is 60 seconds.

FILES
/usr/libexec/radiusd/radiusd_ipcp
    “ipcp” module executable.
EXAMPLES
An example with radiusd_ipcp working with npppd(8):

/etc/radiusd.conf:

    listen on 127.0.0.1
    listen on 127.0.0.1 accounting
    client 127.0.0.1/32 {
        secret "SECRET"
    }
    module radius {
        set secret "SECRET2"
        set server 192.168.0.4:1812
    }
    module ipcp {
        set address pool 192.168.1.0/24
        set name-server 192.168.0.4
        set max-sessions 128
        set user-max-sessions 2
        set dae server 127.0.0.1 "SECRET3"
        set session-timeout radius
    }
    authenticate * by radius decorate-by ipcp
    account * to ipcp

/etc/npppd/npppd.conf:

    tunnel L2TP protocol l2tp {
        listen on 192.0.2.51
    }
    ipcp IPCP {
        pool-address 192.168.1.2-192.168.1.255 for dynamic
    }
    interface pppac0 address 192.168.1.1 ipcp IPCP
    authentication RADIUS type radius {
        authentication-server {
            address 127.0.0.1 secret "SECRET"
        }
        accounting-server {
            address 127.0.0.1 secret "SECRET"
        }
    }
    bind tunnel from L2TP authenticated by RADIUS to pppac0
    radius dae listen on 127.0.0.1
    radius dae client 127.0.0.1 secret "SECRET3"

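
Why the dae server secret in radiusd.conf and the radius dae client secret in npppd.conf must be the same string, shown as an added example that is not part of the original manual or of radiusd_ipcp itself: it builds an RFC 5176 Disconnect-Request and checks its Request Authenticator the way a receiver would. The attribute set, identifier and function names are assumptions made for illustration; the page does not state which attributes radiusd_ipcp sends.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet code
USER_NAME, ACCT_SESSION_ID = 1, 44  # attribute types (RFC 2865, RFC 2866)


def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_disconnect_request(ident, attrs, secret):
    """Sender side: header, Request Authenticator, then the attributes."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(DISCONNECT_REQUEST, ident, attrs, secret) + attrs


def verify_disconnect_request(datagram, secret):
    """Receiver side: accept only a well-formed request keyed with `secret`."""
    if len(datagram) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(datagram):
        return False
    packet = datagram[:length]  # octets past Length are padding
    expected = authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample: user name, session id and identifier are made up; the
# secret is the "SECRET3" placeholder from the EXAMPLES section.
SAMPLE = build_disconnect_request(
    7, attr(USER_NAME, b"alice") + attr(ACCT_SESSION_ID, b"0001"), b"SECRET3")

if __name__ == "__main__":
    print(verify_disconnect_request(SAMPLE, b"SECRET3"))
    print(verify_disconnect_request(SAMPLE, b"SECRET"))
```

A request keyed with any other secret, or altered in transit, fails the check and the session stays connected past its timeout, so a mismatch between the two files shows up as session-timeout silently not taking effect.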
SEE ALSO
authenticate(3), radiusd.conf(5), npppd(8), radiusctl(8), radiusd(8)
HISTORY
The radiusd_ipcp module first appeared in OpenBSD 7.6.