radiusd_ipcp - provides IP configuration and manages the IP address pool


The radiusd_ipcp module is executed by radiusd(8) as a module to provide IP configuration through RADIUS Access-Accept messages and to manage the IP address pool through RADIUS accounting messages. The internal sessions can be shown or monitored by radiusctl(8). radiusd_ipcp also provides session timeouts and disconnects requested by radiusctl(8) through the Dynamic Authorization Extension (DAE, RFC 5176).

To use the radiusd_ipcp module, configure it as a decoration module for authentication and as an accounting module.

authenticate * by (any auth module) decorate-by ipcp
account      * to ipcp

The radiusd_ipcp module supports the following configuration keys and values:

address pool address-space ...
Specify the IP address spaces that are pooled. The address-space can be specified by an address range (e.g. or an address mask (e.g. The pooled addresses are used for dynamic assignment.

address-space ...
Specify the IP address spaces that are pooled for static assignment. The address-space uses the same syntax as address pool, above.

name-server primary-address [secondary-address]
Specify the DNS servers' IP addresses.

primary-address [secondary-address]
Specify the NetBIOS name servers' IP addresses.

session-timeout seconds | “radius”
Specify the session-timeout in seconds, or “radius”. radiusd_ipcp disconnects the session through DAE at the specified time after the session starts. When “radius” is specified, the value of the Session-Timeout attribute in Access-Accept is used for the timeout. A dae server must be configured to use this option.

dae server address[:port] secret [nas-id]
Configure a DAE server to which radiusd_ipcp sends disconnection requests for sessions. Specify the address, optionally the port number, and the secret. If the optional nas-id is specified, the server is selected only for sessions whose NAS-Identifier matches the specified value. The default port number is 3799.

max-sessions
Specify the maximum number of sessions. ‘0’ means no limit. The default value is 0.

user-max-sessions
Specify the maximum number of sessions per user. ‘0’ means no limit. The default value is 0.

Specify the number of seconds to wait for the RADIUS Accounting Start for the session after Access-Accept. radiusd_ipcp preserves the assigned IP address for that period. The default value is 60 seconds.

“ipcp” module executable.

An example with radiusd_ipcp working with npppd(8):


listen on
listen on accounting

client {
	secret "SECRET"
}

module radius {
    set secret "SECRET2"
    set server
}

module ipcp {
    set address pool
    set name-server
    set max-sessions      128
    set user-max-sessions 2
    set dae server "SECRET3"
    set session-timeout   radius
}

authenticate * by radius decorate-by ipcp
account      * to ipcp


tunnel L2TP protocol l2tp {
    listen on
}
ipcp IPCP {
    pool-address for dynamic
}
interface pppac0 address ipcp IPCP
authentication RADIUS type radius {
    authentication-server {
	address secret "SECRET"
    }
    accounting-server {
	address secret "SECRET"
    }
}
bind tunnel from L2TP authenticated by RADIUS to pppac0

radius dae listen on
radius dae client secret "SECRET3"

authenticate(3), radiusd.conf(5), npppd(8), radiusctl(8), radiusd(8)

The radiusd_ipcp module first appeared in OpenBSD 7.6.

