1RADIUSD(8)                     FreeRADIUS Daemon                    RADIUSD(8)
2
3
4

NAME

6       radiusd - Authentication, Authorization and Accounting server
7

SYNOPSIS

9       radiusd  [-C]  [-d  config_directory]  [-f]  [-h]  [-i  ip-address] [-l
10       log_file] [-m] [-n name] [-p port] [-s] [-t] [-v] [-x] [-X]
11

DESCRIPTION

13       FreeRADIUS is a high-performance and highly configurable RADIUS server.
14       It supports many database back-ends such as flat-text files, SQL, LDAP,
15       Perl, Python, etc.  It also supports many authentication protocols such
16       as  PAP,  CHAP,  MS-CHAP(v2),  HTTP  Digest, and EAP (EAP-MD5, EAP-TLS,
17       PEAP, EAP-TTLS, EAP-SIM, etc.).
18
19       It also has fullsupport for Cisco's  VLAN  Query  Protocol  (VMPS)  and
20       DHCP.
21
22       Please  read the DEBUGGING section below.  It contains instructions for
23       quickly configuring the server for your local system.
24

OPTIONS

26       The following command-line options are accepted by the server:
27
28       -C     Check the configuration and exit immediately.   If  there  is  a
29              problem  reading  the  configuration,  then the server will exit
30              with a non-zero status code.  If the configuration appears to be
31              acceptable, then the server will exit with a zero status code.
32
33              Note  that there are limitations to this check.  Due to the com‐
34              plexities involved in almost starting  a  RADIUS  server,  these
35              checks are necessarily incomplete.  The server can return a zero
36              status code when run with -C, but may still exit with  an  error
37              when run normally.
38
39              See  the  output of radiusd -XC for an informative list of which
40              modules are checked for correct configuration, and which modules
41              are skipped, and therefore not checked.
42
43       -d config directory
44              Defaults to /etc/raddb. Radiusd looks here for its configuration
45              files such as the dictionary and the users files.
46
47       -f     Do not fork, stay running as a foreground process.
48
49       -h     Print usage help information.
50
51       -i ip-address
52              Defines which IP address that the server uses  for  sending  and
53              receiving packets.
54
55              If  this  command-line  option is given, then the "bind_address"
56              and all "listen{}" entries in radiusd.conf are ignored.
57
58              This option MUST be used in conjunction with "-p".
59
60       -l log_file
61              Defaults to ${logdir}/radius.log. Radiusd  writes  it's  logging
62              information  to  this  file.  If log_file is the string "stdout"
63              logging will be written to stdout.
64
65       -m     On SIGINT or SIGQUIT exit cleanly instead of immediately.   This
66              is most useful for when running the server with "valgrind".
67
68       -n name
69              Read raddb/name.conf instead of raddb/radiusd.conf.
70
71       -p port
72              Defines which port is used for receiving authentication packets.
73              Accounting packets are received on "port + 1".
74
75              When this command-line option is given, all "listen" sections in
76              radiusd.conf are ignored.
77
78              This option MUST be used in conjunction with "-i".
79
80       -s     Run in "single server" mode.  The server normally runs with mul‐
81              tiple threads and/or processes, which  can  lower  its  response
82              time to requests.  Some systems have issues with threading, how‐
83              ever, so running in "single server" mode  may  help  to  address
84              those  issues.   In single server mode, the server will also not
85              "daemonize" (auto-background) itself.
86
87       -t     Do not spawn threads.
88
89       -v     Print server version information and exit.
90
91       -X     Debugging mode.  Equivalent to "-sfxx -l stdout".   When  trying
92              to  understand how the server works, ALWAYS run it with "radiusd
93              -X".  For production servers, use "raddebug"
94
95       -x     Finer-grained debug mode. In this mode  the  server  will  print
96              details  of every request on it's stdout output. You can specify
97              this option multiple times (-x -x or -xx) to get  more  detailed
98              output.
99

DEBUGGING

101       The default configuration is set to work in the widest possible circum‐
102       stances.  It requires minimal changes for your system.
103
104       However, your needs may be complex, and may require significant changes
105       to  the  server  configuration.   Making random changes is a guaranteed
106       method of failure.  Instead, we STRONGLY RECOMMEND proceeding  via  the
107       following steps:
108
109       1)  Always run the server in debugging mode ( radiusd -X ) after making
110       a configuration change.  We cannot emphasize this enough.  If  you  are
111       not  running  the server in debugging mode, you will not be able to see
112       what is doing, and you will not be able to correct any problems.
113
114       If you ask questions on the mailing list, the first response will be to
115       tell  you  "run  the  server  in debugging mode".  Please, follow these
116       instructions.
117
118       2) Change as little as possible in  the  default  configuration  files.
119       The  server  contains a decade of experience with protocols, databases,
120       and different systems.  Its default configuration is designed  to  work
121       almost everywhere, and to do almost everything you need.
122
123       3)  When  you  make a small change, testing it before changing anything
124       else.  If the change works, save a copy of the configuration, and  make
125       another  change.   If  the  change  doesn't  work, debug it, and try to
126       understand why it doesn't work.
127
128       If you begin by making large changes to the  server  configuration,  it
129       will never work, and you will never be able to debug the problem.
130
131       4)  If  you  need  to  add a connection to a database FOO (e.g. LDAP or
132       SQL), then:
133
134          a) Edit raddb/modules/foo
135          This file contains the default configuration  for  the  module.   It
136          contains  comments describing what can be configured, and what those
137          configuration entries mean.
138          b) Edit raddb/sites-available/default
139          This file contains the default policy for the server.  e.g.  "enable
140          CHAP,  MS-CHAP,  and EAP authentication".  Look in this file for all
141          references to your module "foo".  Read the comments, and remove  the
142          leading  hash  '#'  from  the  lines  referencing  the module.  This
143          enables the module.
144          c) Edit raddb/sites-available/inner-tunnel
145          This file contains the default policy for the "tunneled" portion  of
146          certain  EAP  methods.  Perform the same kind of edits as above, for
147          the "default" file..  If you are not using EAP (802.1X),  then  this
148          step can be skipped.
149          d)  Start  the  server  in  debugging mode ( radiusd -X ), and start
150          testing.
151
152       5) Ask questions on the  mailing  list  (freeradius-users@lists.freera‐
153       dius.org).   When  asking  questions, include the output from debugging
154       mode ( radiusd -X ).  This information will allow people to  help  you.
155       If  you  do  not include it, the first response to your message will be
156       "post the output of debug mode".
157
158       Ask questions earlier, rather than later.  If you cannot solve a  prob‐
159       lem  in a day, ask a question on the mailing list.  Most questions have
160       been seen before, and can be answered quickly.
161

BACKGROUND

163       RADIUS is a protocol spoken  between  an  access  server,  typically  a
164       device  connected to several modems or ISDN lines, and a radius server.
165       When a user connects to the access server, (s)he is asked for a  login‐
166       name  and  a  password.  This  information  is  then sent to the radius
167       server. The server replies with "access denied", or "access OK". In the
168       latter  case login information is sent along, such as the IP address in
169       the case of a PPP connection.
170
171       The access server also sends login and logout  records  to  the  radius
172       server  so accounting can be done. These records are kept for each ter‐
173       minal server seperately in a file called detail, and in the  wtmp  com‐
174       patible logfile /var/log/radwtmp.
175

CONFIGURATION

177       Radiusd  uses  a  number of configuration files. Each file has it's own
178       manpage describing the format of the file. These files are:
179
180       radiusd.conf
181              The main configuration file, which sets  the  administrator-con‐
182              trolled items.
183
184       dictionary
185              This  file is usually static. It defines all the possible RADIUS
186              attributes used in the other  configuration  files.   You  don't
187              have  to  modify  it.  It includes other dictionary files in the
188              same directory.
189
190       hints  Defines certain hints to the radius server based on the  users's
191              loginname or other attributes sent by the access server. It also
192              provides for mapping user names (such as Pusername -> username).
193              This  provides  the functionality that the Livingston 2.0 server
194              has as "Prefix" and "Suffix" support in the users file,  but  is
195              more  general.  Ofcourse  the  Livingston way of doing things is
196              also supported, and you can even  use  both  at  the  same  time
197              (within certain limits).
198
199       huntgroups
200              Defines  the  huntgroups that you have, and makes it possible to
201              restrict access to certain huntgroups  to  certain  (groups  of)
202              users.
203
204       users  Here the users are defined. On a typical setup, this file mainly
205              contains DEFAULT entries  to  process  the  different  types  of
206              logins,  based  on  hints from the hints file. Authentication is
207              then based on the contents of the UNIX /etc/passwd file. However
208              it is also possible to define all users, and their passwords, in
209              this file.
210

SEE ALSO

212       rradiusd.conf(5),  users(5),  huntgroups(5),  hints(5),  dictionary(5),
213       raddebug(8)
214

AUTHOR

216       The FreeRADIUS Server Project (http://www.freeradius.org)
217
218
219
220
221                                  26 Apr 2012                       RADIUSD(8)
Impressum