manpagez: man pages & more
man radiusd(8)
Home | html | info | man
radiusd(8)                     FreeRADIUS Daemon                    radiusd(8)




NAME

       radiusd - Authentication, Authorization and Accounting server


SYNOPSIS

       radiusd  [-C]  [-d config_directory] [-f] [-i ip-address] [-n name] [-p
       port] [-s] [-v] [-x] [-X]


DESCRIPTION

       FreeRADIUS is a high-performance and highly configurable RADIUS server.
       It supports many database back-ends such as flat-text files, SQL, LDAP,
       Perl, Python, etc.  It also supports many authentication protocols such
       as  PAP,  CHAP,  MS-CHAP(v2),  HTTP  Digest, and EAP (EAP-MD5, EAP-TLS,
       PEAP, EAP-TTLS, EAP-SIM, etc.).

       Version 2.0 has preliminary support for Cisco's  VLAN  Query  Protocol,
       also known as VMPS.


OPTIONS

       The following command-line options are accepted by the server.

       -C     Check  the  configuration  and  exit immediately.  If there is a
              problem reading the configuration, then  the  server  will  exit
              with a non-zero status code.  If the configuration appears to be
              acceptable, then the server will exit with a zero status code.

              Note that there are many limitations to this check.  Due to  the
              complexities  involved in almost starting a RADIUS server, these
              checks are necessarily incomplete.  The server can return a zero
              status  code  when run with -C, but may still exit with an error
              when run normally.

              See the output of radiusd -XC for an informative list  of  which
              modules are checked for correct configuration, and which modules
              are skipped, and therefore not checked.

       -d config directory
              Defaults to /etc/raddb. Radiusd looks here for its configuration
              files such as the dictionary and the users files.

       -i ip-address
              Defines  which  IP  address that the server uses for sending and
              receiving packets.

              If this command-line option is given,  then  the  "bind_address"
              and all "listen{}" entries in radiusd.conf are ignored.

              This option MUST be used in conjunction with "-p".

       -f     Do not fork, stay running as a foreground process.

       -n     Read raddb/name.conf instead of raddb/radiusd.conf.

       -p port
              Normally radiusd listens on the ports specified in /etc/services
              (radius and radacct). When this option is given, radiusd listens
              on  the  specified  port  for authentication requests and on the
              specified port +1 for accounting requests.

              If this command-line option is given, then the "port"  directive
              in radiusd.conf is ignored.

              This option MUST be used in conjunction with "-i".

       -s     Run in "single server" mode.  The server normally runs with mul-
              tiple threads and/or processes, which  can  lower  its  response
              time to requests.  Some systems have issues with threading, how-
              ever, so running in "single server" mode  may  help  to  address
              those  issues.   In single server mode, the server will also not
              "daemonize" (auto-background) itself.

       -v     Print server version information and exit.

       -X     Debugging mode.  Equivalent to -sfxx -l stdout

       -x     Finer-grained debug mode. In this mode  the  server  will  print
              details  of every request on it's stdout output. You can specify
              this option multiple times (-x -x or -xx) to get  more  detailed
              output.


DEBUGGING

       The server can be difficult to configure correctly in systems with com-
       plex requirements.  We STRONGLY RECOMMEND proceeding via the  following
       steps:

       1)  Always  run the server in debugging mode ( radiusd -X ).  We cannot
       emphasize this enough.  If you are not running the server in  debugging
       mode,  you  will  not be able to see what is doing, and you will not be
       able to correct any problems.

       2) When editing the radiusd.conf file, change as  little  as  possible,
       especially  in the authorize{} section.  The ordering of the modules is
       critical for the server to be able to "automatically" figure out how to
       handle the request.  Changing the order of the modules ensures that the
       server will not work.

       3) When testing, start off by configuring a user and  password  in  the
       users file.  So long as the server knows about a user, and has a clear-
       text password for that user, almost all of the  authentication  methods
       will "just work".

       4) Gradually add more complex configurations to the server, while test-
       ing them as you go.  If you start off by configuring the  server  in  a
       complex configuration, you will never be able to debug it.

       5)  Ask  questions  on the mailing list (freeradius-users@lists.freera-
       dius.org).  When asking questions, include the  output  from  debugging
       mode  (  radiusd -X ).  This information will allow people to help you.
       Without it, your message will get ignored.


BACKGROUND

       RADIUS is a protocol spoken  between  an  access  server,  typically  a
       device  connected to several modems or ISDN lines, and a radius server.
       When a user connects to the access server, (s)he is asked for a  login-
       name  and  a  password.  This  information  is  then sent to the radius
       server. The server replies with "access denied", or "access OK". In the
       latter  case login information is sent along, such as the IP address in
       the case of a PPP connection.

       The access server also sends login and logout  records  to  the  radius
       server  so accounting can be done. These records are kept for each ter-
       minal server seperately in a file called detail, and in the  wtmp  com-
       patible logfile /var/log/radwtmp.


CONFIGURATION

       Radiusd  uses  a  number of configuration files. Each file has it's own
       manpage describing the format of the file. These files are:

       radiusd.conf
              The main configuration file, which sets  the  administrator-con-
              trolled items.

       dictionary
              This  file is usually static. It defines all the possible RADIUS
              attributes used in the other  configuration  files.   You  don't
              have  to  modify  it.  It includes other dictionary files in the
              same directory.

       hints  Defines certain hints to the radius server based on the  users's
              loginname or other attributes sent by the access server. It also
              provides for mapping user names (such as Pusername -> username).
              This  provides  the functionality that the Livingston 2.0 server
              has as "Prefix" and "Suffix" support in the users file,  but  is
              more  general.  Ofcourse  the  Livingston way of doing things is
              also supported, and you can even  use  both  at  the  same  time
              (within certain limits).

       huntgroups
              Defines  the  huntgroups that you have, and makes it possible to
              restrict access to certain huntgroups  to  certain  (groups  of)
              users.

       users  Here the users are defined. On a typical setup, this file mainly
              contains DEFAULT entries  to  process  the  different  types  of
              logins,  based  on  hints from the hints file. Authentication is
              then based on the contents of the UNIX /etc/passwd file. However
              it is also possible to define all users, and their passwords, in
              this file.


SEE ALSO

       radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5).


AUTHOR

       The FreeRADIUS Server Project (http://www.freeradius.org)




                                  27 Dec 2007                       radiusd(8)

Mac OS X 10.6Server - Generated Thu Apr 15 07:13:14 CDT 2010
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.