RADIUSD(8)                     FreeRADIUS Daemon                    RADIUSD(8)


NAME

       radiusd - Authentication, Authorization and Accounting server


SYNOPSIS

       radiusd [-A] [-S] [-a accounting_directory] [-b] [-c]
               [-d config_directory] [-f] [-i ip-address] [-l log_directory]
               [-g facility] [-p port] [-s] [-v] [-x] [-X] [-y] [-z]


DESCRIPTION

       This is the FreeRADIUS implementation of the well known radius server
       program.  Even though this program is largely compatible with
       Livingston's radius version 2.0, it is not based on any part of that
       code.

       FreeRADIUS is a high-performance and highly configurable RADIUS
       server.  As a result, it can be difficult to configure in systems
       with complex requirements.  Our suggestion is to proceed via the
       following steps:

       1) Always run the server in debugging mode ( radiusd -X ).  We cannot
       emphasize this enough.  If you are not running the server in
       debugging mode, you will not be able to see what it is doing, and you
       will not be able to correct any problems.

       2) When editing the radiusd.conf file, change as little as possible,
       especially in the authorize{} section.  The ordering of the modules
       is critical for the server to be able to "automatically" figure out
       how to handle the request.  Changing the order of the modules will
       almost certainly stop the server from working.

       3) When testing, start off by configuring a user and password in the
       users file.  So long as the server knows about a user, and has a
       cleartext password for that user, almost all of the authentication
       methods will "just work".

       4) Gradually add more complex configurations to the server, while
       testing them as you go.  If you start off by configuring the server
       in a complex configuration, you will never be able to debug it.

       5) Ask questions on the mailing list
       (freeradius-users@lists.freeradius.org).  When asking questions,
       include the output from debugging mode ( radiusd -X ).  This
       information will allow people to help you.  Without it, your message
       will get ignored.  Note that the debugging output prints the
       attributes of every request, including the User-Password values the
       server has decoded, so remove passwords and other secrets from it
       before posting.



BACKGROUND

       RADIUS is a protocol spoken between an access server, typically a
       device connected to several modems or ISDN lines, and a radius
       server.  When a user connects to the access server, (s)he is asked
       for a login name and a password.  This information is then sent to
       the radius server.  The server replies with "access denied", or
       "access OK".  In the latter case login information is sent along,
       such as the IP address in the case of a PPP connection.

       The access server also sends login and logout records to the radius
       server so accounting can be done.  These records are kept for each
       terminal server separately in a file called detail, and in the wtmp
       compatible logfile /var/log/radwtmp.

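       The exchange described above, as an added worked example.  This is
       not FreeRADIUS code and nothing in it ships with the server: an
       access server hides the user's password under the shared secret
       (RFC 2865 section 5.2), the radius server recovers it, compares it
       with a cleartext password it knows for that user (the situation
       step 3 of DESCRIPTION asks you to start from), and answers with an
       Access-Accept carrying a Framed-IP-Address or with an Access-Reject,
       either one sealed with a Response Authenticator that the access
       server verifies.  The user entry, the PPP address and the secrets
       are constructed for the demonstration.

```python
"""RADIUS Access-Request / Access-Accept round trip (RFC 2865), run in memory.  Added example, not FreeRADIUS code."""
import hashlib
import hmac
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FRAMED_IP_ADDRESS = 1, 2, 8
# Constructed stand-in for a cleartext users-file entry: name -> (password, PPP address to hand out).
USERS = {"bob": (b"hello", "192.0.2.10")}

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password.  A wrong secret yields garbage, not an error."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    out = b""  # Type(1) Length(1, includes the header) Value, concatenated
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + alen]))
        i += alen
    return attrs

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4].ljust(4, b"\x00"))
    if not 20 <= length <= len(data):
        raise ValueError("bad Length field")
    return code, ident, data[4:20], decode_attrs(data[20:length])

def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def nas_access_request(ident, username, password, secret):
    request_auth = os.urandom(16)  # fresh per request; it keys the password hiding
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth

def radius_server_reply(request, secret):
    """Server side: recover the password, compare it in constant time, answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    name = fields.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    hidden = fields.get(ATTR_USER_PASSWORD, b"")
    ok = bool(hidden) and name in USERS and hmac.compare_digest(
        reveal_password(hidden, secret, request_auth), USERS[name][0])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(USERS[name][1]))] if ok else [])
    auth = response_authenticator(reply_code, ident, request_auth, body, secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(body)) + auth + body

def nas_check_reply(reply, ident, request_auth, secret):
    """Access server side: trust the reply only if its authenticator proves the secret."""
    code, rid, auth, attrs = parse_packet(reply)
    if rid != ident:
        raise ValueError("reply identifier does not match the request")
    expected = response_authenticator(code, rid, request_auth, encode_attrs(attrs), secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code, attrs

def exchange(username, password, nas_secret, server_secret=None):
    server_secret = nas_secret if server_secret is None else server_secret
    request, request_auth = nas_access_request(7, username, password, nas_secret)
    return nas_check_reply(radius_server_reply(request, server_secret), 7, request_auth, nas_secret)
```

       Calling exchange("bob", "hello", b"testing123") returns code 2 with
       the framed address; a wrong password returns code 3.  Giving the two
       sides different secrets shows the failure modes an administrator
       meets in practice: the server recovers garbage instead of the
       password and rejects, and the access server discards the reply
       because the Response Authenticator does not verify.  Everything
       here rests on MD5 and the shared secret, which is why the file
       holding the secrets must be protected.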

OPTIONS

       -A     Write a file detail.auth in addition to the standard detail
              file in the same directory.  This file will contain all the
              authentication-request records.  This can be useful for
              debugging, but not for normal operation.

              This command line option is accepted only for backwards
              compatibility.  It no longer does anything.  See the
              configuration for the detail module in radiusd.conf.


       -S     Write the stripped usernames (without prefix or suffix) in
              the detail file instead of the raw record as received from
              the terminal server.

              This command line option is deprecated.  See the
              log_stripped_names configuration item in the radiusd.conf
              file.


       -a accounting directory
              This defaults to /var/log/radacct.  If that directory exists,
              radiusd will write an ascii accounting record into a detail
              file for every login/logout recorded.  The location of the
              detail file is acct_dir/terminal_server/detail.

              This command line option is deprecated.  See the radacctdir
              configuration item in the radiusd.conf file.


       -l logging directory
              This defaults to /var/log.  Radiusd writes a logfile here
              called radius.log.  It contains informational and error
              messages, and optionally a record of every login attempt (for
              aiding an ISP's helpdesk).  The special arguments stdout and
              stderr cause the information to get written to the standard
              output, or standard error instead.  The special argument
              syslog sends the information with syslog(3).

              This command line option is deprecated.  See the log_dir
              configuration item in the radiusd.conf file.


       -g facility
              Specifies the syslog facility to be used with -l syslog.
              Default is daemon.  Another reasonable choice would be
              authpriv, which most syslog configurations route to a log
              file readable only by root; that matters once login attempts
              are being logged.


       -d config directory
              Defaults to /etc/raddb.  Radiusd looks here for its
              configuration files such as the dictionary and the users
              files.


       -i ip-address
              Defines which IP address to bind to for sending and
              receiving packets; useful for multi-homed hosts.

              This command line option is deprecated.  See the bind_address
              configuration item in the radiusd.conf file.


       -b     If the radius server binary was compiled with dbm support,
              this flag tells it to actually use the database files instead
              of the flat users file.

              This command line option is deprecated, and does not do
              anything.


       -c     This is still an experimental feature.  Cache the password,
              group and shadow files in a hash-table in memory.  This makes
              the radius process use a bit more memory, but username
              lookups in the password file are much faster.

              After every change in the real password file (user added,
              password changed) you need to send a SIGHUP to the radius
              server to let it re-read its configuration and the
              password/group/shadow files!

              This command line option is deprecated.  See the cache
              configuration item for the unix module in the radiusd.conf
              file.


       -f     Do not fork, stay running as a foreground process.


       -p port
              Normally radiusd listens on the ports specified in
              /etc/services (radius and radacct).  With this option radiusd
              listens on the specified port for authentication requests and
              on the specified port +1 for accounting requests.

              This command line option is deprecated.  See the port
              configuration item in the radiusd.conf file.


       -s     Run in "single server" mode.  The server normally runs with
              multiple threads and/or processes, which can lower its
              response time to requests.  Some systems have issues with
              threading, however, so running in "single server" mode may
              help to address those issues.  In single server mode, the
              server will also not "daemonize" (auto-background) itself.


       -v     Print server version information and exit.


       -x     Debug mode.  In this mode the server will print details of
              every request on its stderr output.  Most useful in
              combination with -s.  You can specify this option 2 times (-x
              -x or -xx) to get a bit more debugging output.


       -X     Extended debug mode.  Equivalent to -sfxx, but simpler to
              explain.


       -y     Write details about every authentication request in the
              radius.log file.

              This command line option is deprecated.  See the log_auth
              configuration item in the radiusd.conf file.


       -z     Include the password in the radius.log file even for
              successful logins.  This is very insecure: the log then holds
              every user's cleartext password, and anyone who can read the
              file, or any system the log is shipped to, learns them all.

              This command line option is deprecated.  See the
              log_auth_badpass and the log_auth_goodpass configuration
              items in the radiusd.conf file.


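       The two configuration items named under -z are easy to leave
       switched on.  As an added example (not part of this page and not
       FreeRADIUS code), the script below audits a radiusd.conf fragment
       for them and rewrites only the offending assignments.  Its parser
       handles the key = value and section { } syntax, ignores # comments
       and skips $INCLUDE lines, and does not handle multi-line values.
       The configuration text is constructed for the demonstration; the
       dotted log.auth_goodpass and log.auth_badpass spellings are the
       nested form later server releases use, which is an assumption of
       this example, not something this page states.

```python
"""Audit a radiusd.conf fragment for password logging.  Added example, not FreeRADIUS code."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

YES = {"yes", "on", "true", "1"}
ASSIGN = re.compile(r"^([\w-]+)\s*=\s*(.*)$")

# Items that put cleartext passwords into radius.log.  The top-level names are the
# ones this man page documents; the dotted `log.` forms are the nested spelling of
# later releases (an assumption of this example, not taken from the page).
INSECURE = {
    "log_auth_goodpass": "passwords of successful logins are written to radius.log",
    "log_auth_badpass": "passwords of failed logins are written to radius.log",
    "log.auth_goodpass": "passwords of successful logins are written to radius.log",
    "log.auth_badpass": "passwords of failed logins are written to radius.log",
}

# Constructed configuration text for the demonstration, not a shipped file.
SAMPLE_CONF = """\
log_dir = /var/log
log_auth = yes
log_auth_badpass = yes      # what the deprecated -z flag used to turn on
log_auth_goodpass = "yes"
$INCLUDE clients.conf
unix {
    cache = no
}
"""


def _walk(text: str) -> Iterator[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (raw_line, dotted_key, value); key and value are None for non-assignments."""
    stack: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("$INCLUDE"):
            yield raw, None, None
        elif line.endswith("{"):
            words = line[:-1].split()
            if not words:
                raise ValueError(f"line {lineno}: section without a name")
            stack.append(words[0])  # "unix {" -> unix, "client 10.0.0.1 {" -> client
            yield raw, None, None
        elif line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            yield raw, None, None
        else:
            m = ASSIGN.match(line)
            if not m:
                raise ValueError(f"line {lineno}: cannot parse {raw!r}")
            yield raw, ".".join(stack + [m.group(1)]), m.group(2).strip().strip('"')
    if stack:
        raise ValueError("unterminated section " + ".".join(stack))


def parse_conf(text: str) -> Dict[str, str]:
    """Flatten the file into {"section.key": "value"}; a repeated key keeps its last value."""
    return {key: value for _, key, value in _walk(text) if key is not None}


def audit(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, why) for every password-logging item that is switched on."""
    return [(k, INSECURE[k]) for k, v in conf.items() if k in INSECURE and v.lower() in YES]


def harden(text: str) -> str:
    """Rewrite only the offending assignments to `no`; comments and layout are kept."""
    fixed = []
    for raw, key, value in _walk(text):
        if key in INSECURE and value is not None and value.lower() in YES:
            raw = re.sub(r"=\s*\S+", "= no", raw, count=1)
        fixed.append(raw)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for key, why in audit(parse_conf(SAMPLE_CONF)):
        print(f"{key} is on: {why}")
    print(harden(SAMPLE_CONF))
```

       Run against the sample, audit() reports log_auth_badpass and
       log_auth_goodpass, and harden() turns both to no while leaving
       log_auth = yes, so login attempts are still recorded without their
       passwords.  Re-parsing the hardened text gives an empty audit.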

CONFIGURATION

       Radiusd uses a number of configuration files.  Each file has its own
       manpage describing the format of the file.  These files are:

       radiusd.conf
              The main configuration file, which sets the
              administrator-controlled items.

       dictionary
              This file is usually static.  It defines all the possible
              RADIUS attributes used in the other configuration files.  You
              don't have to modify it.  It includes other dictionary files
              in the same directory.

       clients
              [ Deprecated ] Contains the IP address and a secret key for
              every client that wants to connect to the server.  Since
              these are the shared secrets that authenticate every request
              and reply, the file must not be readable by anyone but the
              user the server runs as.

       naslist
              Contains an entry for every NAS (Network Access Server) in
              the network.  This is not the same as a client, especially if
              you have a radius proxy server in your network.  In that
              case, the proxy server is the client and it sends requests
              for different NASes.

              It also contains an abbreviated name for each terminal
              server, used to create the directory name where the detail
              file is written, and used for the /var/log/radwtmp file.
              Finally it also defines what type of NAS (Cisco, Livingston,
              Portslave) the NAS is.

       hints  Defines certain hints to the radius server based on the
              user's login name or other attributes sent by the access
              server.  It also provides for mapping user names (such as
              Pusername -> username).  This provides the functionality that
              the Livingston 2.0 server has as "Prefix" and "Suffix"
              support in the users file, but is more general.  Of course
              the Livingston way of doing things is also supported, and you
              can even use both at the same time (within certain limits).

       huntgroups
              Defines the huntgroups that you have, and makes it possible
              to restrict access to certain huntgroups to certain (groups
              of) users.

       users  Here the users are defined.  On a typical setup, this file
              mainly contains DEFAULT entries to process the different
              types of logins, based on hints from the hints file.
              Authentication is then based on the contents of the UNIX
              /etc/passwd file.  However it is also possible to define all
              users, and their passwords, in this file.


SEE ALSO

       radiusd.conf(5), users(5), huntgroups(5), hints(5), clients(5),
       dictionary(5).


AUTHOR

       The FreeRADIUS Server Project (http://www.freeradius.org)



                                 23 June 2004                       RADIUSD(8)