1RADIUSD(8) FreeRADIUS Daemon RADIUSD(8)
2
3
4
6 radiusd - Authentication, Authorization and Accounting server
7
9 radiusd [-C] [-d config_directory] [-f] [-h] [-i ip-address] [-l
10 log_file] [-m] [-n name] [-p port] [-s] [-t] [-v] [-x] [-X]
11
13 FreeRADIUS is a high-performance and highly configurable RADIUS server.
14 It supports many database back-ends such as flat-text files, SQL, LDAP,
15 Perl, Python, etc. It also supports many authentication protocols such
16 as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS,
17 PEAP, EAP-TTLS, EAP-SIM, etc.).
18
19 It also has fullsupport for Cisco's VLAN Query Protocol (VMPS) and
20 DHCP.
21
22 Please read the DEBUGGING section below. It contains instructions for
23 quickly configuring the server for your local system.
24
26 The following command-line options are accepted by the server:
27
28 -C Check the configuration and exit immediately. If there is a
29 problem reading the configuration, then the server will exit
30 with a non-zero status code. If the configuration appears to be
31 acceptable, then the server will exit with a zero status code.
32
33 Note that there are limitations to this check. Due to the com‐
34 plexities involved in almost starting a RADIUS server, these
35 checks are necessarily incomplete. The server can return a zero
36 status code when run with -C, but may still exit with an error
37 when run normally.
38
39 See the output of radiusd -XC for an informative list of which
40 modules are checked for correct configuration, and which modules
41 are skipped, and therefore not checked.
42
43 -d config directory
44 Defaults to /etc/raddb. Radiusd looks here for its configuration
45 files such as the dictionary and the users files.
46
47 -f Do not fork, stay running as a foreground process.
48
49 -h Print usage help information.
50
51 -i ip-address
52 Defines which IP address that the server uses for sending and
53 receiving packets.
54
55 If this command-line option is given, then the "bind_address"
56 and all "listen{}" entries in radiusd.conf are ignored.
57
58 This option MUST be used in conjunction with "-p".
59
60 -l log_file
61 Defaults to ${logdir}/radius.log. Radiusd writes it's logging
62 information to this file. If log_file is the string "stdout"
63 logging will be written to stdout.
64
65 -m On SIGINT or SIGQUIT exit cleanly instead of immediately. This
66 is most useful for when running the server with "valgrind".
67
68 -n name
69 Read raddb/name.conf instead of raddb/radiusd.conf.
70
71 -p port
72 Defines which port is used for receiving authentication packets.
73 Accounting packets are received on "port + 1".
74
75 When this command-line option is given, all "listen" sections in
76 radiusd.conf are ignored.
77
78 This option MUST be used in conjunction with "-i".
79
80 -s Run in "single server" mode. The server normally runs with mul‐
81 tiple threads and/or processes, which can lower its response
82 time to requests. Some systems have issues with threading, how‐
83 ever, so running in "single server" mode may help to address
84 those issues. In single server mode, the server will also not
85 "daemonize" (auto-background) itself.
86
87 -t Do not spawn threads.
88
89 -v Print server version information and exit.
90
91 -X Debugging mode. Equivalent to "-sfxx -l stdout". When trying
92 to understand how the server works, ALWAYS run it with "radiusd
93 -X". For production servers, use "raddebug"
94
95 -x Finer-grained debug mode. In this mode the server will print
96 details of every request on it's stdout output. You can specify
97 this option multiple times (-x -x or -xx) to get more detailed
98 output.
99
101 The default configuration is set to work in the widest possible circum‐
102 stances. It requires minimal changes for your system.
103
104 However, your needs may be complex, and may require significant changes
105 to the server configuration. Making random changes is a guaranteed
106 method of failure. Instead, we STRONGLY RECOMMEND proceeding via the
107 following steps:
108
109 1) Always run the server in debugging mode ( radiusd -X ) after making
110 a configuration change. We cannot emphasize this enough. If you are
111 not running the server in debugging mode, you will not be able to see
112 what is doing, and you will not be able to correct any problems.
113
114 If you ask questions on the mailing list, the first response will be to
115 tell you "run the server in debugging mode". Please, follow these
116 instructions.
117
118 2) Change as little as possible in the default configuration files.
119 The server contains a decade of experience with protocols, databases,
120 and different systems. Its default configuration is designed to work
121 almost everywhere, and to do almost everything you need.
122
123 3) When you make a small change, testing it before changing anything
124 else. If the change works, save a copy of the configuration, and make
125 another change. If the change doesn't work, debug it, and try to
126 understand why it doesn't work.
127
128 If you begin by making large changes to the server configuration, it
129 will never work, and you will never be able to debug the problem.
130
131 4) If you need to add a connection to a database FOO (e.g. LDAP or
132 SQL), then:
133
134 a) Edit raddb/modules/foo
135 This file contains the default configuration for the module. It
136 contains comments describing what can be configured, and what those
137 configuration entries mean.
138 b) Edit raddb/sites-available/default
139 This file contains the default policy for the server. e.g. "enable
140 CHAP, MS-CHAP, and EAP authentication". Look in this file for all
141 references to your module "foo". Read the comments, and remove the
142 leading hash '#' from the lines referencing the module. This
143 enables the module.
144 c) Edit raddb/sites-available/inner-tunnel
145 This file contains the default policy for the "tunneled" portion of
146 certain EAP methods. Perform the same kind of edits as above, for
147 the "default" file.. If you are not using EAP (802.1X), then this
148 step can be skipped.
149 d) Start the server in debugging mode ( radiusd -X ), and start
150 testing.
151
152 5) Ask questions on the mailing list (freeradius-users@lists.freera‐
153 dius.org). When asking questions, include the output from debugging
154 mode ( radiusd -X ). This information will allow people to help you.
155 If you do not include it, the first response to your message will be
156 "post the output of debug mode".
157
158 Ask questions earlier, rather than later. If you cannot solve a prob‐
159 lem in a day, ask a question on the mailing list. Most questions have
160 been seen before, and can be answered quickly.
161
163 RADIUS is a protocol spoken between an access server, typically a
164 device connected to several modems or ISDN lines, and a radius server.
165 When a user connects to the access server, (s)he is asked for a login‐
166 name and a password. This information is then sent to the radius
167 server. The server replies with "access denied", or "access OK". In the
168 latter case login information is sent along, such as the IP address in
169 the case of a PPP connection.
170
171 The access server also sends login and logout records to the radius
172 server so accounting can be done. These records are kept for each ter‐
173 minal server seperately in a file called detail, and in the wtmp com‐
174 patible logfile /var/log/radwtmp.
175
177 Radiusd uses a number of configuration files. Each file has it's own
178 manpage describing the format of the file. These files are:
179
180 radiusd.conf
181 The main configuration file, which sets the administrator-con‐
182 trolled items.
183
184 dictionary
185 This file is usually static. It defines all the possible RADIUS
186 attributes used in the other configuration files. You don't
187 have to modify it. It includes other dictionary files in the
188 same directory.
189
190 hints Defines certain hints to the radius server based on the users's
191 loginname or other attributes sent by the access server. It also
192 provides for mapping user names (such as Pusername -> username).
193 This provides the functionality that the Livingston 2.0 server
194 has as "Prefix" and "Suffix" support in the users file, but is
195 more general. Ofcourse the Livingston way of doing things is
196 also supported, and you can even use both at the same time
197 (within certain limits).
198
199 huntgroups
200 Defines the huntgroups that you have, and makes it possible to
201 restrict access to certain huntgroups to certain (groups of)
202 users.
203
204 users Here the users are defined. On a typical setup, this file mainly
205 contains DEFAULT entries to process the different types of
206 logins, based on hints from the hints file. Authentication is
207 then based on the contents of the UNIX /etc/passwd file. However
208 it is also possible to define all users, and their passwords, in
209 this file.
210
212 rradiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5),
213 raddebug(8)
214
216 The FreeRADIUS Server Project (http://www.freeradius.org)
217
218
219
220
221 26 Apr 2012 RADIUSD(8)