1RADIUSD(8) FreeRADIUS Daemon RADIUSD(8)
2
6 radiusd - Authentication, Authorization and Accounting server
7
9 radiusd [-C] [-d config_directory] [-D dictionary_directory] [-f] [-h]
10 [-i ip-address] [-l log_file] [-m] [-n name] [-p port] [-P] [-s] [-t]
11 [-v] [-x] [-X]
12
14 FreeRADIUS is a high-performance and highly configurable RADIUS server.
15 It supports many database back-ends such as flat-text files, SQL, LDAP,
16 Perl, Python, etc. It also supports many authentication protocols such
17 as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS,
18 PEAP, EAP-TTLS, EAP-SIM, etc.).
19 It also has full support for Cisco's VLAN Query Protocol (VMPS) and
21 DHCP.
22 Please read the DEBUGGING section below. It contains instructions for
24 quickly configuring the server for your local system.
25
27 The following command-line options are accepted by the server:
28 -C Check the configuration and exit immediately. If there is a
30 problem reading the configuration, then the server will exit
31 with a non-zero status code. If the configuration appears to be
32 acceptable, then the server will exit with a zero status code.
33 Note that there are limitations to this check. Due to the com‐
35 plexities involved in almost starting a RADIUS server, these
36 checks are necessarily incomplete. The server can return a zero
37 status code when run with -C, but may still exit with an error
38 when run normally.
39 See the output of radiusd -XC for an informative list of which
41 modules are checked for correct configuration, and which modules
42 are skipped, and therefore not checked.
43 -d config directory
45 Defaults to /etc/raddb. Radiusd looks here for its configuration
46 files such as the dictionary and the users files.
47 -D dictionary directory
49 Set main dictionary directory. Defaults to /usr/share/freera‐
50 dius.
51 -f Do not fork, stay running as a foreground process.
53 -h Print usage help information.
55 -i ip-address
57 Defines which IP address that the server uses for sending and
58 receiving packets.
59 If this command-line option is given, then the "bind_address"
61 and all "listen{}" entries in radiusd.conf are ignored.
62 This option MUST be used in conjunction with "-p".
64 -l log_file
66 Defaults to ${logdir}/radius.log. Radiusd writes it's logging
67 information to this file. If log_file is the string "stdout"
68 logging will be written to stdout.
69 -m On SIGINT or SIGQUIT exit cleanly instead of immediately. This
71 is most useful for when running the server with "valgrind".
72 -n name
74 Read raddb/name.conf instead of raddb/radiusd.conf.
75 -p port
77 Defines which port is used for receiving authentication packets.
78 Accounting packets are received on "port + 1".
79 When this command-line option is given, all "listen" sections in
81 radiusd.conf are ignored.
82 This option MUST be used in conjunction with "-i".
84 -P Always write out PID, even with -f.
86 -s Run in "single server" mode. The server normally runs with mul‐
88 tiple threads and/or processes, which can lower its response
89 time to requests. Some systems have issues with threading, how‐
90 ever, so running in "single server" mode may help to address
91 those issues. In single server mode, the server will also not
92 "daemonize" (auto-background) itself.
93 -t Do not spawn threads.
95 -v Print server version information and exit.
97 -X Debugging mode. Equivalent to "-sfxx -l stdout". When trying
99 to understand how the server works, ALWAYS run it with "radiusd
100 -X". For production servers, use "raddebug"
101 -x Finer-grained debug mode. In this mode the server will print de‐
103 tails of every request on it's stdout output. You can specify
104 this option multiple times (-x -x or -xx) to get more detailed
105 output.
106
108 The default configuration is set to work in the widest possible circum‐
109 stances. It requires minimal changes for your system.
110 However, your needs may be complex, and may require significant changes
112 to the server configuration. Making random changes is a guaranteed
113 method of failure. Instead, we STRONGLY RECOMMEND proceeding via the
114 following steps:
115 1) Always run the server in debugging mode ( radiusd -X ) after making
117 a configuration change. We cannot emphasize this enough. If you are
118 not running the server in debugging mode, you will not be able to see
119 what is doing, and you will not be able to correct any problems.
120 If you ask questions on the mailing list, the first response will be to
122 tell you "run the server in debugging mode". Please, follow these in‐
123 structions.
124 2) Change as little as possible in the default configuration files.
126 The server contains a decade of experience with protocols, databases,
127 and different systems. Its default configuration is designed to work
128 almost everywhere, and to do almost everything you need.
129 3) When you make a small change, testing it before changing anything
131 else. If the change works, save a copy of the configuration, and make
132 another change. If the change doesn't work, debug it, and try to un‐
133 derstand why it doesn't work.
134 If you begin by making large changes to the server configuration, it
136 will never work, and you will never be able to debug the problem.
137 4) If you need to add a connection to a database FOO (e.g. LDAP or
139 SQL), then:
140 a) Edit raddb/modules/foo
142 This file contains the default configuration for the module. It
143 contains comments describing what can be configured, and what those
144 configuration entries mean.
145 b) Edit raddb/sites-available/default
146 This file contains the default policy for the server. e.g. "enable
147 CHAP, MS-CHAP, and EAP authentication". Look in this file for all
148 references to your module "foo". Read the comments, and remove the
149 leading hash '#' from the lines referencing the module. This en‐
150 ables the module.
151 c) Edit raddb/sites-available/inner-tunnel
152 This file contains the default policy for the "tunneled" portion of
153 certain EAP methods. Perform the same kind of edits as above, for
154 the "default" file.. If you are not using EAP (802.1X), then this
155 step can be skipped.
156 d) Start the server in debugging mode ( radiusd -X ), and start
157 testing.
158 5) Ask questions on the mailing list (freeradius-users@lists.freera‐
160 dius.org). When asking questions, include the output from debugging
161 mode ( radiusd -X ). This information will allow people to help you.
162 If you do not include it, the first response to your message will be
163 "post the output of debug mode".
164 Ask questions earlier, rather than later. If you cannot solve a prob‐
166 lem in a day, ask a question on the mailing list. Most questions have
167 been seen before, and can be answered quickly.
168
170 RADIUS is a protocol spoken between an access server, typically a de‐
171 vice connected to several modems or ISDN lines, and a radius server.
172 When a user connects to the access server, (s)he is asked for a login‐
173 name and a password. This information is then sent to the radius
174 server. The server replies with "access denied", or "access OK". In the
175 latter case login information is sent along, such as the IP address in
176 the case of a PPP connection.
177 The access server also sends login and logout records to the radius
179 server so accounting can be done. These records are kept for each ter‐
180 minal server separately in a file called detail, and in the wtmp com‐
181 patible logfile /var/log/radwtmp.
182
184 Radiusd uses a number of configuration files. Each file has it's own
185 manpage describing the format of the file. These files are:
186 radiusd.conf
188 The main configuration file, which sets the administrator-con‐
189 trolled items.
190 dictionary
192 This file is usually static. It defines all the possible RADIUS
193 attributes used in the other configuration files. You don't
194 have to modify it. It includes other dictionary files in the
195 same directory.
196 hints Defines certain hints to the radius server based on the users's
198 loginname or other attributes sent by the access server. It also
199 provides for mapping user names (such as Pusername -> username).
200 This provides the functionality that the Livingston 2.0 server
201 has as "Prefix" and "Suffix" support in the users file, but is
202 more general. Of course the Livingston way of doing things is
203 also supported, and you can even use both at the same time
204 (within certain limits).
205 huntgroups
207 Defines the huntgroups that you have, and makes it possible to
208 restrict access to certain huntgroups to certain (groups of)
209 users.
210 users Here the users are defined. On a typical setup, this file mainly
212 contains DEFAULT entries to process the different types of lo‐
213 gins, based on hints from the hints file. Authentication is then
214 based on the contents of the UNIX /etc/passwd file. However it
215 is also possible to define all users, and their passwords, in
216 this file.
217
219 radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5), rad‐
220 debug(8)
221
223 The FreeRADIUS Server Project (http://www.freeradius.org)
224 26 Apr 2012 RADIUSD(8)