RADIUSD
Section: �FreeRADIUS Daemon� (8)
Updated: 12 May 2002
Index
Return to Main Contents
NAME
radiusd - Authentication, Authorization and Accounting server
SYNOPSIS
radiusd
[-d
config_directory]
[-f]
[-l
log_directory]
[-g
facility]
[-s]
[-v]
[-x]
DESCRIPTION
This is the FreeRADIUS implementation of the well known
radius
server program. Even though this program is largely compatible with
Livingston's radius version 2.0, it's not based on any
part of that code.
RADIUS is a protocol spoken between an access server, typically
a device connected to several modems or ISDN lines, and a radius
server. When a user connects to the access server, (s)he is asked for
a loginname and a password. This information is then sent to the radius
server. The server replies with "access denied", or "access OK". In the
latter case login information is sent along, such as the IP address in
the case of a PPP connection.
The access server also sends login and logout records to the radius
server so accounting can be done. These records are kept for each terminal
server seperately in a file called detail, and in the wtmp
compatible logfile /var/log/radwtmp.
OPTIONS
- -l logging directory
-
This defaults to /var/log. Radiusd writes a logfile here
called radius.log. It contains informational and error messages,
and optionally a record of every login attempt (for aiding an ISP's
helpdesk). The special arguments stdout and stderr cause
the information to get written to the standard output, or standard
error instead. The special argument syslog sends the information
with syslog(3).
This command line option is deprecated. See the log_dir
configuration item in the radiusd.conf file.
- -g facility
-
Specifies the syslog facility to be used with -l syslog. Default is
daemon. Another reasonable choice would be authpriv.
- -d config directory
-
Defaults to /etc/raddb. Radiusd looks here for its configuration
files such as the dictionary and the users files.
- -f
-
Do not fork, stay running as a foreground process.
- -s
-
Normally, the server forks a seperate process for accounting, and a seperate
process for every authentication request. With this flag the server will not
do that. It won't even "daemonize" (auto-background) itself.
- -x
-
Debug mode. In this mode the server will print details of every request
on it's stderr output. Most useful in combination with -s.
You can specify this option more times (-xx, or -xxx) to get a bit more
debugging output.
DEPRECATED OPTIONS
The following command-line options are deprecated, and may be removed
in a future release.
- -A
-
Write a file detail.auth in addition to the standard detail file
in the same directory. This file will contain all the authentication-request
records. This can be useful for debugging, but not for normal operation.
- -a accounting directory
-
This defaults to /var/log/radacct. If that directory exists,
radiusd will write an ascii accounting record into a detail file for
every login/logout recorded. The location of the detail file is
acct_dir/terminal_server/detail.
- -i ip-address
-
Defines which IP addres to bind to for sending and receiving packets-
useful for multi-homed hosts.
This command line option is deprecated. See the bind_address
configuration item in the radiusd.conf file.
- -b
-
If the radius server binary was compiled with dbm support,
this flag tells it to actually use the database files instead of the
flat users file.
This command line option is deprecated, and does not do anything.
- -c
-
This is still an experimental feature.
Cache the password, group and shadow files in a hash-table in memory.
This makes the radius process use a bit more memory, but username
lookups in the password file are much faster.
-
After every change in the real password file (user added, password changed)
you need to send a SIGHUP to the radius server to let it re-read
its configuration and the password/group/shadow files !
This command line option is deprecated. See the cache
configuration item for the unix module in the radiusd.conf
file.
This command line option is deprecated. See the radacctdir
configuration item in the radiusd.conf file.
- -p port
-
Normally radiusd listens on the ports specified in /etc/services
(radius and radacct). With this option radiusd listens on the specified
port for authentication requests and on the specified port +1 for
accounting requests.
This command line option is deprecated. See the port
configuration item in the radiusd.conf file.
- -S
-
Write the stripped usernames (without prefix or suffix) in the detail
file instead of the raw record as received from the terminal server.
This command line option is deprecated. See the log_stripped_names
configuration item in the radiusd.conf file.
- -y
-
Write details about every authentication request in the
radius.log file.
This command line option is deprecated. See the log_auth
configuration item in the radiusd.conf file.
- -z
-
Include the password in the radius.log file even for successful
logins. This is very insecure!.
This command line option is deprecated. See the
log_auth_badpass and the log_auth_goodpass configuration
items in the radiusd.conf file.
CONFIGURATION
Radiusd uses a number of configuration files. Each file has it's
own manpage describing the format of the file. These files are:
- radiusd.conf
-
The main configuration file, which sets the administrator-controlled
items.
- dictionary
-
This file is usually static. It defines all the possible RADIUS attributes
used in the other configuration files. You don't have to modify it.
It includes other dictionary files in the same directory.
- clients
-
[ Deprecated ] Contains the IP address and a secret key for every
client that wants to connect to the server.
- naslist
-
Contains an entry for every NAS (Network Access Server) in the network. This
is not the same as a client, especially if you have radius proxy server
in your network. In that case, the proxy server is the client and it sends
requests for different NASes.
-
It also contains a abbreviated name for each
terminal server, used to create the directory name where the detail
file is written, and used for the /var/log/radwtmp file. Finally
it also defines what type of NAS (Cisco, Livingston, Portslave) the NAS is.
- hints
-
Defines certain hints to the radius server based on the users's loginname
or other attributes sent by the access server. It also provides for
mapping user names (such as Pusername -> username). This provides the
functionality that the Livingston 2.0 server has as "Prefix" and
"Suffix" support in the users file, but is more general. Ofcourse
the Livingston way of doing things is also supported, and you can even use
both at the same time (within certain limits).
- huntgroups
-
Defines the huntgroups that you have, and makes it possible to restrict
access to certain huntgroups to certain (groups of) users.
- users
-
Here the users are defined. On a typical setup, this file mainly contains
DEFAULT entries to process the different types of logins, based on hints
from the hints file. Authentication is then based on the contents of
the UNIX /etc/passwd file. However it is also possible to define all
users, and their passwords, in this file.
SEE ALSO
radiusd.conf(5), users(5), huntgroups(5), hints(5),
clients(5), dictionary(5).
AUTHOR
Miquel van Smoorenburg, miquels@cistron.nl, and others.
Index
- NAME
-
- SYNOPSIS
-
- DESCRIPTION
-
- OPTIONS
-
- DEPRECATED OPTIONS
-
- CONFIGURATION
-
- SEE ALSO
-
- AUTHOR
-
This document was created by
man2html,
using the manual pages.
Time: 22:43:21 GMT, June 03, 2002