Provided by: freeradius_1.1.0-1ubuntu2_i386 bug

NAME

       radiusd - Authentication, Authorization and Accounting server

SYNOPSIS

       radiusd   [-A]   [-S]   [-a   accounting_directory]   [-b]   [-c]   [-d
       config_directory] [-f] [-i ip-address] [-l log_directory] [-g facility]
       [-p port] [-s] [-v] [-x] [-X] [-y] [-z]

DESCRIPTION

       This  is  the FreeRADIUS implementation of the well known radius server
       program.   Even  though  this  program  is  largely   compatible   with
       Livingston’s  radius  version  2.0, it is not based on any part of that
       code.

       FreeRADIUS is a high-performance and highly configurable RADIUS server.
       As  a  result, it can be difficult to configure in systems with complex
       requirements.  Our suggestion is to proceed via the following steps:

       1) Always run the server in debugging mode ( radiusd -X ).   We  cannot
       emphasize  this enough.  If you are not running the server in debugging
       mode, you will not be able to see what is doing, and you  will  not  be
       able to correct any problems.

       2)  When  editing  the radiusd.conf file, change as little as possible,
       especially in the authorize{} section.  The ordering of the modules  is
       critical for the server to be able to "automatically" figure out how to
       handle the request.  Changing the order of the modules ensures that the
       server will not work.

       3)  When  testing,  start off by configuring a user and password in the
       users file.  So long as the server knows about a user, and has a clear-
       text  password  for that user, almost all of the authentication methods
       will "just work".

       4) Gradually add more  complex  configurations  to  the  server,  while
       testing  them as you go.  If you start off by configuring the server in
       a complex configuration, you will never be able to debug it.

       5)    Ask    questions    on    the    mailing    list     (freeradius-
       users@lists.freeradius.org).  When asking questions, include the output
       from debugging mode ( radiusd -X ).  This information will allow people
       to help you.  Without it, your message will get ignored.

BACKGROUND

       RADIUS  is  a  protocol  spoken  between  an access server, typically a
       device connected to several modems or ISDN lines, and a radius  server.
       When  a  user  connects  to  the  access  server,  (s)he is asked for a
       loginname and a password. This information is then sent to  the  radius
       server. The server replies with "access denied", or "access OK". In the
       latter case login information is sent along, such as the IP address  in
       the case of a PPP connection.

       The  access  server  also  sends login and logout records to the radius
       server so accounting can be done.  These  records  are  kept  for  each
       terminal  server  seperately  in  a file called detail, and in the wtmp
       compatible logfile /var/log/radwtmp.

OPTIONS

       -A     Write a file detail.auth in addition to the standard detail file
              in   the   same  directory.  This  file  will  contain  all  the
              authentication-request  records.  This   can   be   useful   for
              debugging, but not for normal operation.

              This   command  line  option  is  accepted  only  for  backwards
              compatibility.   It  no   longer   does   anything.    See   the
              configuration for the detail module in radiusd.conf.

       -S     Write  the  stripped usernames (without prefix or suffix) in the
              detail file instead of the  raw  record  as  received  from  the
              terminal server.

              This    command    line   option   is   deprecated.    See   the
              log_stripped_names configuration item in the radiusd.conf  file.

       -a accounting directory
              This  defaults  to  /var/log/radacct.  If that directory exists,
              radiusd will write an ascii accounting record into a detail file
              for every login/logout recorded. The location of the detail file
              is acct_dir/terminal_server/detail.

              This command line option  is  deprecated.   See  the  radacctdir
              configuration item in the radiusd.conf file.

       -l logging directory
              This  defaults to /var/log. Radiusd writes a logfile here called
              radius.log. It contains informational and  error  messages,  and
              optionally  a record of every login attempt (for aiding an ISP’s
              helpdesk). The special arguments stdout  and  stderr  cause  the
              information  to  get written to the standard output, or standard
              error instead. The special argument syslog sends the information
              with syslog(3).

              This  command  line  option  is  deprecated.   See  the  log_dir
              configuration item in the radiusd.conf file.

       -g facility
              Specifies the syslog facility to be used with -l syslog. Default
              is daemon. Another reasonable choice would be authpriv.

       -d config directory
              Defaults to /etc/raddb. Radiusd looks here for its configuration
              files such as the dictionary and the users files.

       -i ip-address
              Defines which IP addres to bind to  for  sending  and  receiving
              packets- useful for multi-homed hosts.

              This  command  line  option is deprecated.  See the bind_address
              configuration item in the radiusd.conf file.

       -b     If the radius server binary was compiled with dbm support,  this
              flag  tells it to actually use the database files instead of the
              flat users file.

              This  command  line  option  is  deprecated,  and  does  not  do
              anything.

       -c     This  is  still  an  experimental  feature.  Cache the password,
              group and shadow files in a hash-table in  memory.   This  makes
              the  radius  process use a bit more memory, but username lookups
              in the password file are much faster.

              After every change  in  the  real  password  file  (user  added,
              password changed) you need to send a SIGHUP to the radius server
              to    let    it    re-read    its    configuration    and    the
              password/group/shadow files !

              This   command   line  option  is  deprecated.   See  the  cache
              configuration item for the unix module in the radiusd.conf file.

       -f     Do not fork, stay running as a foreground process.

       -p port
              Normally radiusd listens on the ports specified in /etc/services
              (radius and radacct). With this option radiusd  listens  on  the
              specified  port for authentication requests and on the specified
              port +1 for accounting requests.

              This  command  line  option  is  deprecated.    See   the   port
              configuration item in the radiusd.conf file.

       -s     Run  in  "single  server"  mode.   The server normally runs with
              multiple threads and/or processes, which can lower its  response
              time  to  requests.   Some  systems  have issues with threading,
              however, so running in "single server" mode may help to  address
              those  issues.   In single server mode, the server will also not
              "daemonize" (auto-background) itself.

       -v     Print server version information and exit.

       -x     Debug mode. In this mode the server will print details of  every
              request  on  it’s stderr output. Most useful in combination with
              -s.  You can specify this option 2 times (-x -x or -xx) to get a
              bit more debugging output.

       -X     Extended  debug  mode.   Equivalent  to  -sfxx,  but  simpler to
              explain.

       -y     Write  details  about  every  authentication  request   in   the
              radius.log file.

              This  command  line  option  is  deprecated.   See  the log_auth
              configuration item in the radiusd.conf file.

       -z     Include the password in the radius.log file even for  successful
              logins. This is very insecure!.

              This    command    line   option   is   deprecated.    See   the
              log_auth_badpass and the log_auth_goodpass  configuration  items
              in the radiusd.conf file.

CONFIGURATION

       Radiusd  uses  a  number of configuration files. Each file has it’s own
       manpage describing the format of the file. These files are:

       radiusd.conf
              The main  configuration  file,  which  sets  the  administrator-
              controlled items.

       dictionary
              This  file is usually static. It defines all the possible RADIUS
              attributes used in the other  configuration  files.   You  don’t
              have  to  modify  it.  It includes other dictionary files in the
              same directory.

       clients
              [ Deprecated ] Contains the IP address  and  a  secret  key  for
              every client that wants to connect to the server.

       naslist
              Contains  an  entry for every NAS (Network Access Server) in the
              network. This is not the same as a  client,  especially  if  you
              have  radius  proxy  server  in  your network. In that case, the
              proxy server is the client and it sends requests  for  different
              NASes.

              It  also  contains  a abbreviated name for each terminal server,
              used to create the directory  name  where  the  detail  file  is
              written, and used for the /var/log/radwtmp file. Finally it also
              defines what type of NAS (Cisco, Livingston, Portslave) the  NAS
              is.

       hints  Defines  certain hints to the radius server based on the users’s
              loginname or other attributes sent by the access server. It also
              provides for mapping user names (such as Pusername -> username).
              This provides the functionality that the Livingston  2.0  server
              has  as  "Prefix" and "Suffix" support in the users file, but is
              more general. Ofcourse the Livingston way  of  doing  things  is
              also  supported,  and  you  can  even  use both at the same time
              (within certain limits).

       huntgroups
              Defines the huntgroups that you have, and makes it  possible  to
              restrict  access  to  certain  huntgroups to certain (groups of)
              users.

       users  Here the users are defined. On a typical setup, this file mainly
              contains  DEFAULT  entries  to  process  the  different types of
              logins, based on hints from the hints  file.  Authentication  is
              then based on the contents of the UNIX /etc/passwd file. However
              it is also possible to define all users, and their passwords, in
              this file.

SEE ALSO

       radiusd.conf(5),   users(5),   huntgroups(5),   hints(5),   clients(5),
       dictionary(5).

AUTHOR

       The FreeRADIUS Server Project (http://www.freeradius.org)

                                 23 June 2004                       RADIUSD(8)