Provided by: xtradius_1.2.1-beta2-6ubuntu1_i386
radiusd -- Authentication, Authorization and Accounting server
radiusd [-A auth_detail_filename] [-C] [-D] [-F detail_filename] [-P
pid_filename] [-S] [-Z] [-a accounting_directory] [-b] [-c] [-d
config_directory] [-f] [-g syslog_facility] [-i ip-address] [-l
log_directory] [-p port] [-s] [-W radwtmp_filename] [-u
radutmp_filename] [-v] [-w] [-x] [-y] [-z]
This is the Cistron implementation of the well known radius server
program. It was originally based on Livingston's radius version 1.16.
Even though this program is largely compatible with Livingston's radius
version 2.0, it's not based on any part of that code. In fact no code
from the 1.16 version is left either.
RADIUS is a protocol spoken between an access server, typically a
device connected to several modems or ISDN lines, and a radius server.
When a user connects to the access server, (s)he is asked for a
loginname and a password. This information is then sent to the radius
server. The server replies with "access denied", or "access OK". In the
latter case login information is sent along, such as the IP address in
the case of a PPP connection.
The access server also sends login and logout records to the radius
server so accounting can be done. These records are kept for each
terminal server seperately in a file called detail, and in the wtmp
compatible logfile /var/log/radwtmp.
Write a file auth_detail in addition to the standard detail file
in the same directory. This file will contain all the
authentication-request records. This can be useful for
debugging, but not for normal operation. Takes the same syntax
as the -F option. For example, use -A %N/detail.auth.
Just check the syntax of the config files, print a diagnostic
message, and exit. If the config files are not OK the exit
value will be non-zero.
Radiusd writes the all accounting records it receives to a file
called NAS/detail in the accounting directory. This option
changes the name of that file. You can include a macro, %N, that
expands to (in order) the name of the remote proxy, the name of
the NAS, or the IP address of the server that the record was
received from. The default is %N/detail. Subdirectories of max.
1 level deep will be created on the fly if necessary.
If you specify this option multiple times, the first invocation
will override the default detail-file filename, and additional
invocations will make the server write to multiple detail files
At startup, radiusd writes its process-id to a file. By default
that is /var/run/radiusd.pid, this option overrides that.
-S Write the stripped usernames (without prefix or suffix) in the
detail file instead of the raw record as received from the
-a accounting directory
The (base) directory used for the radius accounting detail
files. If this directory doesn't exist, the server will not
create any accounting detail files. The default is
Available if the server was compiled with syslog support. This
will make radiusd log informational and authentication messages
to the syslog service with the specified facility in addition to
the standard radius.log file.
-l logging directory
This defaults to /var/log. Radiusd writes a logfile here called
radius.log. It contains informational and error messages, and
optionally a record of every login attempt (for aiding an ISP's
helpdesk). The special arguments stdout and stderr cause the
information to get written to standard output resp. standard
error instead, and the special argument none turns off logging
to radius.log. For compatibility with FreeRadius, syslog is an
alias for none.
-d config directory
Defaults to /etc/raddb. Radiusd looks here for its configuration
files such as the dictionary and the users files.
Defines which IP address to bind to for sending and receiving
packets- useful for hosts with more than one IP address.
-b If the radius server binary was compiled with dbm support, this
flag tells it to actually use the database files instead of the
flat users file.
-c This is still an experimental feature. Cache the password,
group and shadow files in a hash-table in memory. This makes
the radius process use a bit more memory, but username lookups
in the password file are much faster.
After every change in the real password file (user added,
password changed) you need to send a SIGHUP to the radius server
to let it re-read its configuration and the
password/group/shadow files !
-D Do not use DNS. Actually this means that DNS isn't used to
resolve IP addresses to hostnames whenever there is something to
be logged. If you really don't want to use DNS at all, you
should use dotted-quad notation for all hostnames/addresses
anywhere in the configuration files as well.
-f Do not fork, stay running as a foreground process.
Normally radiusd listens on the ports specified in /etc/services
(radius and radacct). With this option radiusd listens on the
specified port for authentication requests and on the specified
port +1 for accounting requests.
-s Normally, the server forks a seperate process for accounting,
and a seperate process for every authentication request. With
this flag the server will not do that - it will process all
authentication and accounting requests synchonously in one
-v Shows version and compilation flags, then exits.
The path to the wtmp-style accounting file maintained by the
server. Defaults to (on most systems) /var/log/radwtmp.
The path to the radutmp file, which is the session-database aka
list of logged in users. Defaults to (on most systems)
-w Do not write the radwtmp file.
-x Debug mode. In this mode the server will print details of every
request on it's stderr output. Most useful in combination with
-s. You can specify this option 2 times (-x -x or -xx) to get a
bit more debugging output.
-y Write details about every authentication request in the
radius.log file. If the password was incorrect, the password is
-z If the -y option is on, log the password in the radius.log file
even for successful logins. This is very insecure!.
-Z Never log any password in the radius.log file, correct or
Radiusd uses 6 configuration files. Each file has it's own manpage
describing the format of the file. These files are:
This file is usually static. It defines all the possible RADIUS
attributes used in the other configuration files. You don't have
to modify it.
Contains the IP address and a secret key for every client that
wants to connect to the server.
Contains an entry for every NAS (Network Access Server) in the
network. This is not the same as a client, especially if you
have radius proxy server in your network. In that case, the
proxy server is the client and it sends requests for different
It also contains a abbreviated name for each terminal server,
used to create the directory name where the detail file is
written, and used for the /var/log/radwtmp file. Finally it also
defines what type of NAS (Cisco, Livingston, Portslave) the NAS
hints Defines certain hints to the radius server based on the users's
loginname or other attributes sent by the access server. It also
provides for mapping user names (such as Pusername -> username).
This provides the functionality that the Livingston 2.0 server
has as "Prefix" and "Suffix" support in the users file, but is
more general. Ofcourse the Livingston way of doing things is
also supported, and you can even use both at the same time
(within certain limits).
Defines the huntgroups that you have, and makes it possible to
restrict access to certain huntgroups to certain (groups of)
users Here the users are defined. On a typical setup, this file mainly
contains DEFAULT entries to process the different types of
logins, based on hints from the hints file. Authentication is
then based on the contents of the UNIX /etc/passwd file. However
it is also possible to define all users, and their passwords, in
builddbm(8rad), users(5rad), huntgroups(5rad), hints(5rad),
Miquel van Smoorenburg, email@example.com.
23 Jan 2002 RADIUSD(8)