1 .TH RADIUSD 8 "23 June 2004" "" "FreeRADIUS Daemon"
3 radiusd - Authentication, Authorization and Accounting server
9 .IR accounting_directory ]
13 .IR config_directory ]
30 FreeRADIUS is a high-performance and highly configurable RADIUS
31 server. As a result, it can be difficult to configure in systems with
32 complex requirements. Our suggestion is to proceed via the following
35 1) Always run the server in debugging mode (
37 ). We cannot emphasize this enough. If you are not running the
38 server in debugging mode, you \fIwill not\fP be able to see what is
39 doing, and you \fIwill not\fP be able to correct any problems.
41 2) When editing the \fIradiusd.conf\fP file, change as little as
42 possible, especially in the \fIauthorize{}\fP section. The ordering
43 of the modules is critical for the server to be able to
44 "automatically" figure out how to handle the request. Changing the
45 order of the modules ensures that the server will not work.
47 3) When testing, start off by configuring a user and password in the
48 \fIusers\fP file. So long as the server knows about a user, and has a
49 clear-text password for that user, \fBalmost all of the authentication
50 methods will "just work"\fP.
52 4) Gradually add more complex configurations to the server, while
53 testing them as you go. If you start off by configuring the server in
54 a complex configuration, you will never be able to debug it.
56 5) Ask questions on the mailing list
57 (freeradius-users@lists.freeradius.org). When asking questions,
58 include the output from debugging mode (
60 ). This information will allow people to help you. Without it, your
61 message will get ignored.
64 \fBRADIUS\fP is a protocol spoken between an access server, typically
65 a device connected to several modems or ISDN lines, and a \fBradius\fP
66 server. When a user connects to the access server, (s)he is asked for
67 a loginname and a password. This information is then sent to the \fBradius\fP
68 server. The server replies with "access denied", or "access OK". In the
69 latter case login information is sent along, such as the IP address in
70 the case of a PPP connection.
72 The access server also sends login and logout records to the \fBradius\fP
73 server so accounting can be done. These records are kept for each terminal
74 server seperately in a file called \fBdetail\fP, and in the \fIwtmp\fP
75 compatible logfile \fB/var/log/radwtmp\fP.
80 Write a file \fIdetail.auth\fP in addition to the standard \fBdetail\fP file
81 in the same directory. This file will contain all the authentication-request
82 records. This can be useful for debugging, but not for normal operation.
84 This command line option is accepted only for backwards
85 compatibility. It no longer does anything. See the configuration for
86 the \fIdetail\fP module in \fIradiusd.conf\fP.
89 Write the stripped usernames (without prefix or suffix) in the \fBdetail\fP
90 file instead of the raw record as received from the terminal server.
92 This command line option is deprecated. See the \fIlog_stripped_names\fP
93 configuration item in the \fIradiusd.conf\fP file.
95 .IP "\-a \fIaccounting directory\fP"
96 This defaults to \fI/var/log/radacct\fP. If that directory exists,
97 \fBradiusd\fP will write an ascii accounting record into a detail file for
98 every login/logout recorded. The location of the detail file is
99 \fIacct_dir/\fP\fBterminal_server\fP\fI/detail\fP.
101 This command line option is deprecated. See the \fIradacctdir\fP
102 configuration item in the \fIradiusd.conf\fP file.
104 .IP "\-l \fIlogging directory\fP"
105 This defaults to \fI/var/log\fP. \fBRadiusd\fP writes a logfile here
106 called \fIradius.log\fP. It contains informational and error messages,
107 and optionally a record of every login attempt (for aiding an ISP's
108 helpdesk). The special arguments \fIstdout\fP and \fIstderr\fP cause
109 the information to get written to the standard output, or standard
110 error instead. The special argument \fIsyslog\fP sends the information
111 with \fBsyslog\fP(3).
113 This command line option is deprecated. See the \fIlog_dir\fP
114 configuration item in the \fIradiusd.conf\fP file.
116 .IP "\-g \fIfacility\fP"
117 Specifies the syslog facility to be used with \fB-l syslog\fP. Default is
118 \fIdaemon\fP. Another reasonable choice would be \fIauthpriv\fP.
120 .IP "\-d \fIconfig directory\fP"
121 Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
122 files such as the \fIdictionary\fP and the \fIusers\fP files.
124 .IP "\-i \fIip-address\fP"
125 Defines which IP address that the server uses for sending and
128 If this command-line option is given, then the "bind_address" and all
129 "listen{}" entries in \fIradiusd.conf\fP are ignored.
132 If the \fBradius\fP server binary was compiled with \fIdbm\fP support,
133 this flag tells it to actually \fIuse\fP the database files instead of the
134 flat \fIusers\fP file.
136 This command line option is deprecated, and does not do anything.
139 This is still an \fIexperimental\fP feature.
140 Cache the password, group and shadow files in a hash-table in memory.
141 This makes the radius process use a bit more memory, but username
142 lookups in the password file are \fImuch\fP faster.
144 After every change in the real password file (user added, password changed)
145 you need to send a \fBSIGHUP\fP to the radius server to let it re-read
146 its configuration and the password/group/shadow files !
148 This command line option is deprecated. See the \fIcache\fP
149 configuration item for the \fIunix\fP module in the \fIradiusd.conf\fP
153 Do not fork, stay running as a foreground process.
156 Normally radiusd listens on the ports specified in \fI/etc/services\fP
157 (radius and radacct). When this option is given, radiusd listens on
158 the specified port for authentication requests and on the specified
159 port +1 for accounting requests.
161 If this command-line option is given, then the "port" directive in
162 \fIradiusd.conf\fP is ignored.
165 Run in "single server" mode. The server normally runs with multiple
166 threads and/or processes, which can lower its response time to
167 requests. Some systems have issues with threading, however, so
168 running in "single server" mode may help to address those issues. In
169 single server mode, the server will also not "daemonize"
170 (auto-background) itself.
173 Print server version information and exit.
176 Debugging mode. Equivalent to -sfxx.
179 Finer-grained debug mode. In this mode the server will print details
180 of every request on it's \fBstdout\fP output. You can specify this
181 option multiple times (-x -x or -xx) to get more detailed output.
184 Write details about every authentication request in the
185 \fIradius.log\fP file.
187 This command line option is deprecated. See the \fIlog_auth\fP
188 configuration item in the \fIradiusd.conf\fP file.
191 Include the password in the \fIradius.log\fP file \fBeven\fP for successful
192 logins. \fIThis is very insecure!\fP.
194 This command line option is deprecated. See the
195 \fIlog_auth_badpass\fP and the \fIlog_auth_goodpass\fP configuration
196 items in the \fIradiusd.conf\fP file.
199 \fBRadiusd\fP uses a number of configuration files. Each file has it's
200 own manpage describing the format of the file. These files are:
202 The main configuration file, which sets the administrator-controlled
205 This file is usually static. It defines all the possible RADIUS attributes
206 used in the other configuration files. You don't have to modify it.
207 It includes other dictionary files in the same directory.
209 [ Deprecated ] Contains the IP address and a secret key for every
210 client that wants to connect to the server.
212 Contains an entry for every NAS (Network Access Server) in the network. This
213 is not the same as a client, especially if you have \fBradius\fP proxy server
214 in your network. In that case, the proxy server is the client and it sends
215 requests for different NASes.
217 It also contains a abbreviated name for each
218 terminal server, used to create the directory name where the \fBdetail\fP
219 file is written, and used for the \fB/var/log/radwtmp\fP file. Finally
220 it also defines what type of NAS (Cisco, Livingston, Portslave) the NAS is.
222 Defines certain hints to the radius server based on the users's loginname
223 or other attributes sent by the access server. It also provides for
224 mapping user names (such as Pusername -> username). This provides the
225 functionality that the \fILivingston 2.0\fP server has as "Prefix" and
226 "Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
227 the Livingston way of doing things is also supported, and you can even use
228 both at the same time (within certain limits).
230 Defines the huntgroups that you have, and makes it possible to restrict
231 access to certain huntgroups to certain (groups of) users.
233 Here the users are defined. On a typical setup, this file mainly contains
234 DEFAULT entries to process the different types of logins, based on hints
235 from the hints file. Authentication is then based on the contents of
236 the UNIX \fI/etc/passwd\fP file. However it is also possible to define all
237 users, and their passwords, in this file.
239 radiusd.conf(5), users(5), huntgroups(5), hints(5),
240 clients(5), dictionary(5).
242 The FreeRADIUS Server Project (http://www.freeradius.org)