RADIUSD(8)                     FreeRADIUS Daemon                    RADIUSD(8)

NAME

       radiusd - Authentication, Authorization and Accounting server

SYNOPSIS

       radiusd  [-C]  [-d  config_directory]  [-f]  [-h]  [-i  ip-address] [-l
       log_file] [-m] [-n name] [-p port] [-s] [-t] [-v] [-x] [-X]

DESCRIPTION

       FreeRADIUS is a high-performance and highly configurable RADIUS server.
       It supports many database back-ends such as flat-text files, SQL, LDAP,
       Perl, Python, etc.  It also supports many authentication protocols such
       as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS,
       PEAP, EAP-TTLS, EAP-SIM, etc.).

       It also has experimental support for Cisco's VLAN Query Protocol (VMPS)
       and DHCP.

       Please read the DEBUGGING section below.  It contains instructions for
       quickly configuring the server for your local system.

OPTIONS

       The following command-line options are accepted by the server.

       -C     Check the configuration and exit immediately.  If there is a
              problem reading the configuration, then the server will exit
              with a non-zero status code.  If the configuration appears to be
              acceptable, then the server will exit with a zero status code.

              Note that there are many limitations to this check.  Due to the
              complexities involved in almost starting a RADIUS server, these
              checks are necessarily incomplete.  The server can return a zero
              status code when run with -C, but may still exit with an error
              when run normally.

              See the output of radiusd -XC for an informative list of which
              modules are checked for correct configuration, and which modules
              are skipped, and therefore not checked.

       -d config_directory
              Defaults to /etc/raddb. Radiusd looks here for its configuration
              files such as the dictionary and the users files.

       -i ip-address
              Defines the IP address that the server uses for sending and
              receiving packets.

              If this command-line option is given, then the "bind_address"
              and all "listen{}" entries in radiusd.conf are ignored.

              This option MUST be used in conjunction with "-p".

       -f     Do not fork, stay running as a foreground process.

       -h     Print usage help information.

       -l log_file
              Defaults to ${logdir}/radius.log. Radiusd writes its logging
              information to this file.  If log_file is the string "stdout",
              logging will be written to stdout.

       -m     On SIGINT or SIGQUIT exit cleanly instead of immediately.

       -n name
              Read raddb/name.conf instead of raddb/radiusd.conf.

       -p port
              Normally radiusd listens on the ports specified in /etc/services
              (radius and radacct). When this option is given, radiusd listens
              on the specified port for authentication requests and on the
              specified port +1 for accounting requests.

              If this command-line option is given, then the "port" directive
              in radiusd.conf is ignored.

              This option MUST be used in conjunction with "-i".

       -s     Run in "single server" mode.  The server normally runs with
              multiple threads and/or processes, which can lower its response
              time to requests.  Some systems have issues with threading,
              however, so running in "single server" mode may help to address
              those issues.  In single server mode, the server will also not
              "daemonize" (auto-background) itself.

       -t     Do not spawn threads.

       -v     Print server version information and exit.

       -X     Debugging mode.  Equivalent to "-sfxx -l stdout".  When trying
              to understand how the server works, ALWAYS run it with "radiusd
              -X".

       -x     Finer-grained debug mode.  In this mode the server will print
              details of every request on its stdout output. You can specify
              this option multiple times (-x -x or -xx) to get more detailed
              output.

DEBUGGING

       The server can be difficult to configure correctly in systems with
       complex requirements.  We STRONGLY RECOMMEND proceeding via the
       following steps:

       1) Always run the server in debugging mode ( radiusd -X ).  We cannot
       emphasize this enough.  If you are not running the server in debugging
       mode, you will not be able to see what it is doing, and you will not be
       able to correct any problems.

       2) Change as little as possible in the default configuration files.
       The server contains a decade of experience with protocols, databases,
       and different systems.  Its default configuration is designed to work
       almost everywhere, and to do almost everything.

       3) Make small changes to the configuration files, while testing each
       change as you make it.  If the change works, save a copy of the
       configuration, and make another change.  If the change doesn't work,
       debug it, and try to understand why it doesn't work.

       If you begin by making large changes to the server configuration, it
       will never work, and you will never be able to debug it.

       4) If you need to add a connection to a database FOO (e.g. LDAP or
       SQL), then:

          a) Edit raddb/modules/foo
          This file contains the default configuration for the module.  It
          contains comments describing what can be configured, and what those
          configuration entries mean.
          b) Edit raddb/sites-available/default
          This file contains the default policy for the server, e.g. "enable
          CHAP, MS-CHAP, and EAP authentication".  Look in this file for all
          references to your module "foo".  Read the comments, and remove the
          leading hash '#' from the lines referencing the module.  This
          enables the module.
          c) Edit raddb/sites-available/inner-tunnel
          This file contains the default policy for the "tunneled" portion of
          certain EAP methods.  Perform the same kind of edits as above for
          the "default" file.  If you are not using EAP (802.1X), then this
          step can be skipped.
          d) Start the server in debugging mode ( radiusd -X ), and start
          testing.

       5) Ask questions on the mailing list
       (freeradius-users@lists.freeradius.org).  When asking questions,
       include the output from debugging mode ( radiusd -X ).  This
       information will allow people to help you.  If you do not include it,
       the first response to your message will be "post the output of debug
       mode".

       Ask questions earlier, rather than later.  If you cannot solve a
       problem in a day, ask a question on the mailing list.  Most questions
       have been seen before, and can be answered quickly.
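
       The following sketch is an added example, not part of the FreeRADIUS
       distribution: it gates a configuration change on the exit status of
       radiusd -C and, as in step 3, saves a copy of each configuration that
       passes.  The function name and the RADIUSD and SNAPDIR variables are
       assumptions.

```shell
#!/bin/sh
# Added example: run "radiusd -C" after each small configuration change and
# keep a copy of every configuration that passes the check.
# Assumptions (not from the man page): the function name, the RADIUSD and
# SNAPDIR variables, and the raddb.N snapshot naming.

RADIUSD=${RADIUSD:-radiusd}              # command to run; can be overridden
SNAPDIR=${SNAPDIR:-/var/backups/raddb}   # hypothetical snapshot location

# check_and_snapshot CONFIG_DIR
#   returns 0  check passed; snapshot path is written to stdout
#   returns 1  radiusd -C exited non-zero; nothing is saved
#   returns 2  bad argument or filesystem error
# usage: check_and_snapshot /etc/raddb
check_and_snapshot() {
    confdir=$1
    if [ ! -d "$confdir" ]; then
        echo "no such configuration directory: $confdir" >&2
        return 2
    fi

    # -C checks the configuration and exits; -d selects the directory.
    if ! "$RADIUSD" -C -d "$confdir" >/dev/null 2>&1; then
        echo "radiusd -C failed; debug with: $RADIUSD -X -d $confdir" >&2
        return 1
    fi

    # A zero status only means the incomplete -C checks passed; the server
    # may still exit with an error when run normally, so the copy is
    # "passed -C", not "known good".  Test it with radiusd -X as well.
    n=1
    while [ -e "$SNAPDIR/raddb.$n" ]; do n=$((n + 1)); done
    dest="$SNAPDIR/raddb.$n"

    # The users file can hold passwords, so keep the snapshot directory
    # private and preserve the original file modes on the copy.
    ( umask 077 && mkdir -p "$SNAPDIR" && cp -Rp "$confdir" "$dest" ) || return 2
    echo "$dest"
}
```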

BACKGROUND

       RADIUS is a protocol spoken between an access server, typically a
       device connected to several modems or ISDN lines, and a radius server.
       When a user connects to the access server, (s)he is asked for a login
       name and a password. This information is then sent to the radius
       server. The server replies with "access denied", or "access OK". In the
       latter case login information is sent along, such as the IP address in
       the case of a PPP connection.

       The access server also sends login and logout records to the radius
       server so accounting can be done. These records are kept for each
       terminal server separately in a file called detail, and in the
       wtmp-compatible logfile /var/log/radwtmp.

CONFIGURATION

       Radiusd uses a number of configuration files. Each file has its own
       manpage describing the format of the file. These files are:

       radiusd.conf
              The main configuration file, which sets the
              administrator-controlled items.

       dictionary
              This file is usually static. It defines all the possible RADIUS
              attributes used in the other configuration files.  You don't
              have to modify it.  It includes other dictionary files in the
              same directory.

       hints  Defines certain hints to the radius server based on the user's
              login name or other attributes sent by the access server. It also
              provides for mapping user names (such as Pusername -> username).
              This provides the functionality that the Livingston 2.0 server
              has as "Prefix" and "Suffix" support in the users file, but is
              more general. Of course the Livingston way of doing things is
              also supported, and you can even use both at the same time
              (within certain limits).

       huntgroups
              Defines the huntgroups that you have, and makes it possible to
              restrict access to certain huntgroups to certain (groups of)
              users.

       users  Here the users are defined. On a typical setup, this file mainly
              contains DEFAULT entries to process the different types of
              logins, based on hints from the hints file. Authentication is
              then based on the contents of the UNIX /etc/passwd file. However
              it is also possible to define all users, and their passwords, in
              this file.

SEE ALSO

       radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5).

AUTHOR

       The FreeRADIUS Server Project (http://www.freeradius.org)

                                  08 Mar 2009                       RADIUSD(8)