RADIUSD(8) FreeRADIUS Daemon RADIUSD(8)NAMEradiusd - Authentication, Authorization and Accounting server
SYNOPSISradiusd [-C] [-d config_directory] [-f] [-i ip-address] [-n name] [-p
port] [-s] [-v] [-x] [-X]
DESCRIPTION
FreeRADIUS is a high-performance and highly configurable RADIUS server.
It supports many database back-ends such as flat-text files, SQL, LDAP,
Perl, Python, etc. It also supports many authentication protocols such
as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS,
PEAP, EAP-TTLS, EAP-SIM, etc.).
Version 2.0 has preliminary support for Cisco's VLAN Query Protocol,
also known as VMPS.
OPTIONS
The following command-line options are accepted by the server.
-C Check the configuration and exit immediately. If there is a
problem reading the configuration, then the server will exit
with a non-zero status code. If the configuration appears to be
acceptable, then the server will exit with a zero status code.
Note that there are many limitations to this check. Due to the
complexities involved in almost starting a RADIUS server, these
checks are necessarily incomplete. The server can return a zero
status code when run with -C, but may still exit with an error
when run normally.
See the output of radiusd-XC for an informative list of which
modules are checked for correct configuration, and which modules
are skipped, and therefore not checked.
-d config directory
Defaults to /etc/raddb. Radiusd looks here for its configuration
files such as the dictionary and the users files.
-i ip-address
Defines which IP address that the server uses for sending and
receiving packets.
If this command-line option is given, then the "bind_address"
and all "listen{}" entries in radiusd.conf are ignored.
This option MUST be used in conjunction with "-p".
-f Do not fork, stay running as a foreground process.
-n Read raddb/name.conf instead of raddb/radiusd.conf.
-p port
Normally radiusd listens on the ports specified in /etc/services
(radius and radacct). When this option is given, radiusd listens
on the specified port for authentication requests and on the
specified port +1 for accounting requests.
If this command-line option is given, then the "port" directive
in radiusd.conf is ignored.
This option MUST be used in conjunction with "-i".
-s Run in "single server" mode. The server normally runs with mul‐
tiple threads and/or processes, which can lower its response
time to requests. Some systems have issues with threading, how‐
ever, so running in "single server" mode may help to address
those issues. In single server mode, the server will also not
"daemonize" (auto-background) itself.
-v Print server version information and exit.
-X Debugging mode. Equivalent to -sfxx -l stdout
-x Finer-grained debug mode. In this mode the server will print
details of every request on it's stdout output. You can specify
this option multiple times (-x -x or -xx) to get more detailed
output.
DEBUGGING
The server can be difficult to configure correctly in systems with com‐
plex requirements. We STRONGLY RECOMMEND proceeding via the following
steps:
1) Always run the server in debugging mode ( radiusd-X ). We cannot
emphasize this enough. If you are not running the server in debugging
mode, you will not be able to see what is doing, and you will not be
able to correct any problems.
2) When editing the radiusd.conf file, change as little as possible,
especially in the authorize{} section. The ordering of the modules is
critical for the server to be able to "automatically" figure out how to
handle the request. Changing the order of the modules ensures that the
server will not work.
3) When testing, start off by configuring a user and password in the
users file. So long as the server knows about a user, and has a clear-
text password for that user, almost all of the authentication methods
will "just work".
4) Gradually add more complex configurations to the server, while test‐
ing them as you go. If you start off by configuring the server in a
complex configuration, you will never be able to debug it.
5) Ask questions on the mailing list (freeradius-users@lists.freera‐
dius.org). When asking questions, include the output from debugging
mode ( radiusd-X ). This information will allow people to help you.
Without it, your message will get ignored.
BACKGROUND
RADIUS is a protocol spoken between an access server, typically a
device connected to several modems or ISDN lines, and a radius server.
When a user connects to the access server, (s)he is asked for a login‐
name and a password. This information is then sent to the radius
server. The server replies with "access denied", or "access OK". In the
latter case login information is sent along, such as the IP address in
the case of a PPP connection.
The access server also sends login and logout records to the radius
server so accounting can be done. These records are kept for each ter‐
minal server seperately in a file called detail, and in the wtmp com‐
patible logfile /var/log/radwtmp.
CONFIGURATION
Radiusd uses a number of configuration files. Each file has it's own
manpage describing the format of the file. These files are:
radiusd.conf
The main configuration file, which sets the administrator-con‐
trolled items.
dictionary
This file is usually static. It defines all the possible RADIUS
attributes used in the other configuration files. You don't
have to modify it. It includes other dictionary files in the
same directory.
hints Defines certain hints to the radius server based on the users's
loginname or other attributes sent by the access server. It also
provides for mapping user names (such as Pusername -> username).
This provides the functionality that the Livingston 2.0 server
has as "Prefix" and "Suffix" support in the users file, but is
more general. Ofcourse the Livingston way of doing things is
also supported, and you can even use both at the same time
(within certain limits).
huntgroups
Defines the huntgroups that you have, and makes it possible to
restrict access to certain huntgroups to certain (groups of)
users.
users Here the users are defined. On a typical setup, this file mainly
contains DEFAULT entries to process the different types of
logins, based on hints from the hints file. Authentication is
then based on the contents of the UNIX /etc/passwd file. However
it is also possible to define all users, and their passwords, in
this file.
SEE ALSOradiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5).
AUTHOR
The FreeRADIUS Server Project (http://www.freeradius.org)
27 Dec 2007 RADIUSD(8)