1RADIUSD(8)                     FreeRADIUS Daemon                    RADIUSD(8)
2
3
4

NAME

6       radiusd - Authentication, Authorization and Accounting server
7

SYNOPSIS

9       radiusd  [-C] [-d config_directory] [-D dictionary_directory] [-f] [-h]
10       [-i ip-address] [-l log_file] [-m] [-n name] [-p port] [-P]  [-s]  [-t]
11       [-v] [-x] [-X]
12

DESCRIPTION

14       FreeRADIUS is a high-performance and highly configurable RADIUS server.
15       It supports many database back-ends such as flat-text files, SQL, LDAP,
16       Perl, Python, etc.  It also supports many authentication protocols such
17       as PAP, CHAP, MS-CHAP(v2), HTTP  Digest,  and  EAP  (EAP-MD5,  EAP-TLS,
18       PEAP, EAP-TTLS, EAP-SIM, etc.).
19
20       It  also  has  fullsupport  for  Cisco's VLAN Query Protocol (VMPS) and
21       DHCP.
22
23       Please read the DEBUGGING section below.  It contains instructions  for
24       quickly configuring the server for your local system.
25

OPTIONS

27       The following command-line options are accepted by the server:
28
29       -C     Check  the  configuration  and  exit immediately.  If there is a
30              problem reading the configuration, then  the  server  will  exit
31              with a non-zero status code.  If the configuration appears to be
32              acceptable, then the server will exit with a zero status code.
33
34              Note that there are limitations to this check.  Due to the  com‐
35              plexities  involved  in  almost  starting a RADIUS server, these
36              checks are necessarily incomplete.  The server can return a zero
37              status  code  when run with -C, but may still exit with an error
38              when run normally.
39
40              See the output of radiusd -XC for an informative list  of  which
41              modules are checked for correct configuration, and which modules
42              are skipped, and therefore not checked.
43
44       -d config directory
45              Defaults to /etc/raddb. Radiusd looks here for its configuration
46              files such as the dictionary and the users files.
47
48       -D dictionary directory
49              Set  main  dictionary  directory. Defaults to /usr/share/freera‐
50              dius.
51
52       -f     Do not fork, stay running as a foreground process.
53
54       -h     Print usage help information.
55
56       -i ip-address
57              Defines which IP address that the server uses  for  sending  and
58              receiving packets.
59
60              If  this  command-line  option is given, then the "bind_address"
61              and all "listen{}" entries in radiusd.conf are ignored.
62
63              This option MUST be used in conjunction with "-p".
64
65       -l log_file
66              Defaults to ${logdir}/radius.log. Radiusd  writes  it's  logging
67              information  to  this  file.  If log_file is the string "stdout"
68              logging will be written to stdout.
69
70       -m     On SIGINT or SIGQUIT exit cleanly instead of immediately.   This
71              is most useful for when running the server with "valgrind".
72
73       -n name
74              Read raddb/name.conf instead of raddb/radiusd.conf.
75
76       -p port
77              Defines which port is used for receiving authentication packets.
78              Accounting packets are received on "port + 1".
79
80              When this command-line option is given, all "listen" sections in
81              radiusd.conf are ignored.
82
83              This option MUST be used in conjunction with "-i".
84
85       -P     Always write out PID, even with -f.
86
87       -s     Run in "single server" mode.  The server normally runs with mul‐
88              tiple threads and/or processes, which  can  lower  its  response
89              time to requests.  Some systems have issues with threading, how‐
90              ever, so running in "single server" mode  may  help  to  address
91              those  issues.   In single server mode, the server will also not
92              "daemonize" (auto-background) itself.
93
94       -t     Do not spawn threads.
95
96       -v     Print server version information and exit.
97
98       -X     Debugging mode.  Equivalent to "-sfxx -l stdout".   When  trying
99              to  understand how the server works, ALWAYS run it with "radiusd
100              -X".  For production servers, use "raddebug"
101
102       -x     Finer-grained debug mode. In this mode  the  server  will  print
103              details  of every request on it's stdout output. You can specify
104              this option multiple times (-x -x or -xx) to get  more  detailed
105              output.
106

DEBUGGING

108       The default configuration is set to work in the widest possible circum‐
109       stances.  It requires minimal changes for your system.
110
111       However, your needs may be complex, and may require significant changes
112       to  the  server  configuration.   Making random changes is a guaranteed
113       method of failure.  Instead, we STRONGLY RECOMMEND proceeding  via  the
114       following steps:
115
116       1)  Always run the server in debugging mode ( radiusd -X ) after making
117       a configuration change.  We cannot emphasize this enough.  If  you  are
118       not  running  the server in debugging mode, you will not be able to see
119       what is doing, and you will not be able to correct any problems.
120
121       If you ask questions on the mailing list, the first response will be to
122       tell  you  "run  the  server  in debugging mode".  Please, follow these
123       instructions.
124
125       2) Change as little as possible in  the  default  configuration  files.
126       The  server  contains a decade of experience with protocols, databases,
127       and different systems.  Its default configuration is designed  to  work
128       almost everywhere, and to do almost everything you need.
129
130       3)  When  you  make a small change, testing it before changing anything
131       else.  If the change works, save a copy of the configuration, and  make
132       another  change.   If  the  change  doesn't  work, debug it, and try to
133       understand why it doesn't work.
134
135       If you begin by making large changes to the  server  configuration,  it
136       will never work, and you will never be able to debug the problem.
137
138       4)  If  you  need  to  add a connection to a database FOO (e.g. LDAP or
139       SQL), then:
140
141          a) Edit raddb/modules/foo
142          This file contains the default configuration  for  the  module.   It
143          contains  comments describing what can be configured, and what those
144          configuration entries mean.
145          b) Edit raddb/sites-available/default
146          This file contains the default policy for the server.  e.g.  "enable
147          CHAP,  MS-CHAP,  and EAP authentication".  Look in this file for all
148          references to your module "foo".  Read the comments, and remove  the
149          leading  hash  '#'  from  the  lines  referencing  the module.  This
150          enables the module.
151          c) Edit raddb/sites-available/inner-tunnel
152          This file contains the default policy for the "tunneled" portion  of
153          certain  EAP  methods.  Perform the same kind of edits as above, for
154          the "default" file..  If you are not using EAP (802.1X),  then  this
155          step can be skipped.
156          d)  Start  the  server  in  debugging mode ( radiusd -X ), and start
157          testing.
158
159       5) Ask questions on the  mailing  list  (freeradius-users@lists.freera‐
160       dius.org).   When  asking  questions, include the output from debugging
161       mode ( radiusd -X ).  This information will allow people to  help  you.
162       If  you  do  not include it, the first response to your message will be
163       "post the output of debug mode".
164
165       Ask questions earlier, rather than later.  If you cannot solve a  prob‐
166       lem  in a day, ask a question on the mailing list.  Most questions have
167       been seen before, and can be answered quickly.
168

BACKGROUND

170       RADIUS is a protocol spoken  between  an  access  server,  typically  a
171       device  connected to several modems or ISDN lines, and a radius server.
172       When a user connects to the access server, (s)he is asked for a  login‐
173       name  and  a  password.  This  information  is  then sent to the radius
174       server. The server replies with "access denied", or "access OK". In the
175       latter  case login information is sent along, such as the IP address in
176       the case of a PPP connection.
177
178       The access server also sends login and logout  records  to  the  radius
179       server  so accounting can be done. These records are kept for each ter‐
180       minal server separately in a file called detail, and in the  wtmp  com‐
181       patible logfile /var/log/radwtmp.
182

CONFIGURATION

184       Radiusd  uses  a  number of configuration files. Each file has it's own
185       manpage describing the format of the file. These files are:
186
187       radiusd.conf
188              The main configuration file, which sets  the  administrator-con‐
189              trolled items.
190
191       dictionary
192              This  file is usually static. It defines all the possible RADIUS
193              attributes used in the other  configuration  files.   You  don't
194              have  to  modify  it.  It includes other dictionary files in the
195              same directory.
196
197       hints  Defines certain hints to the radius server based on the  users's
198              loginname or other attributes sent by the access server. It also
199              provides for mapping user names (such as Pusername -> username).
200              This  provides  the functionality that the Livingston 2.0 server
201              has as "Prefix" and "Suffix" support in the users file,  but  is
202              more  general.  Ofcourse  the  Livingston way of doing things is
203              also supported, and you can even  use  both  at  the  same  time
204              (within certain limits).
205
206       huntgroups
207              Defines  the  huntgroups that you have, and makes it possible to
208              restrict access to certain huntgroups  to  certain  (groups  of)
209              users.
210
211       users  Here the users are defined. On a typical setup, this file mainly
212              contains DEFAULT entries  to  process  the  different  types  of
213              logins,  based  on  hints from the hints file. Authentication is
214              then based on the contents of the UNIX /etc/passwd file. However
215              it is also possible to define all users, and their passwords, in
216              this file.
217

SEE ALSO

219       radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5), rad‐
220       debug(8)
221

AUTHOR

223       The FreeRADIUS Server Project (http://www.freeradius.org)
224
225
226
227
228                                  26 Apr 2012                       RADIUSD(8)
Impressum