Provided by: xtradius_1.2.1-beta2-6ubuntu1_i386

NAME

       radiusd -- Authentication, Authorization and Accounting server

SYNOPSIS

       radiusd  [-A  auth_detail_filename]  [-C] [-D] [-F detail_filename] [-P
       pid_filename]  [-S]  [-Z]  [-a  accounting_directory]  [-b]  [-c]   [-d
       config_directory]   [-f]   [-g  syslog_facility]  [-i  ip-address]  [-l
       log_directory]   [-p   port]    [-s]    [-W    radwtmp_filename]    [-u
       radutmp_filename] [-v] [-w] [-x] [-y] [-z]

DESCRIPTION

       This  is  the  Cistron  implementation  of the well known radius server
       program. It was originally based on Livingston's radius  version  1.16.
       Even though this program is largely compatible with Livingston's radius
       version 2.0, it's not based on any part of that code. In fact  no  code
       from the 1.16 version is left either.

       RADIUS  is  a  protocol  spoken  between  an access server, typically a
       device connected to several modems or ISDN lines, and a radius  server.
       When  a  user  connects  to  the  access  server,  (s)he is asked for a
       loginname and a password. This information is then sent to  the  radius
       server. The server replies with "access denied", or "access OK". In the
       latter case login information is sent along, such as the IP address  in
       the case of a PPP connection.

       The access server also sends login and logout records to the radius
       server so accounting can be done. These records are kept for each
       terminal server separately in a file called detail, and in the wtmp
       compatible logfile /var/log/radwtmp.

OPTIONS

       -A auth_detail_filename
              Write a file auth_detail in addition to the standard detail file
              in   the   same  directory.  This  file  will  contain  all  the
              authentication-request  records.  This   can   be   useful   for
              debugging,  but not for normal operation.  Takes the same syntax
              as the -F option. For example, use -A %N/detail.auth.

       -C     Just check the syntax of the config files, print a diagnostic
              message, and exit. If the config files are not OK the exit
              value will be non-zero.

       -F detail_filename
              Radiusd writes all the accounting records it receives to a file
              called NAS/detail in the accounting directory. This option
              changes the name of that file. You can include a macro, %N, that
              expands to (in order) the name of the remote proxy, the name of
              the NAS, or the IP address of the server that the record was
              received from. The default is %N/detail. Subdirectories at most
              one level deep will be created on the fly if necessary.

              If you specify this option multiple times, the first  invocation
              will  override  the default detail-file filename, and additional
              invocations will make the server write to multiple detail  files
              simultaneously.

       -P pid_filename
              At startup, radiusd writes its process-id to a file. By default
              that is /var/run/radiusd.pid; this option overrides that.

       -S     Write the stripped usernames (without prefix or suffix)  in  the
              detail  file  instead  of  the  raw  record as received from the
              terminal server.

       -a accounting_directory
              The (base) directory  used  for  the  radius  accounting  detail
              files.   If  this  directory  doesn't exist, the server will not
              create   any   accounting   detail   files.   The   default   is
              /var/log/radacct.

       -g syslog_facility
              Available  if  the server was compiled with syslog support. This
              will make radiusd log informational and authentication  messages
              to the syslog service with the specified facility in addition to
              the standard radius.log file.

       -l log_directory
              This defaults to /var/log. Radiusd writes a logfile here called
              radius.log. It contains informational and error messages, and
              optionally a record of every login attempt (for aiding an ISP's
              helpdesk). The special arguments stdout and stderr cause the
              information to be written to standard output or standard error,
              respectively, instead, and the special argument none turns off
              logging to radius.log. For compatibility with FreeRadius, syslog
              is an alias for none.

       -d config_directory
              Defaults to /etc/raddb. Radiusd looks here for its configuration
              files such as the dictionary and the users files.

       -i ip-address
              Defines which IP address to bind to for sending and receiving
              packets; useful for hosts with more than one IP address.

       -b     If  the radius server binary was compiled with dbm support, this
              flag tells it to actually use the database files instead of  the
              flat users file.

       -c     This  is  still  an  experimental  feature.  Cache the password,
              group and shadow files in a hash-table in  memory.   This  makes
              the  radius  process use a bit more memory, but username lookups
              in the password file are much faster.

              After every change in the real password file (user added,
              password changed) you need to send a SIGHUP to the radius server
              to let it re-read its configuration and the
              password/group/shadow files!

       -D     Do  not  use  DNS.  Actually  this  means that DNS isn't used to
              resolve IP addresses to hostnames whenever there is something to
              be  logged.  If  you  really  don't  want to use DNS at all, you
              should use  dotted-quad  notation  for  all  hostnames/addresses
              anywhere in the configuration files as well.

       -f     Do not fork, stay running as a foreground process.

       -p port
              Normally radiusd listens on the ports specified in /etc/services
              (radius and radacct). With this option radiusd  listens  on  the
              specified  port for authentication requests and on the specified
              port +1 for accounting requests.

       -s     Normally, the server forks a separate process for accounting,
              and a separate process for every authentication request. With
              this flag the server will not do that - it will process all
              authentication and accounting requests synchronously in one
              process.

       -v     Shows version and compilation flags, then exits.

       -W radwtmp_filename
              The path to the wtmp-style accounting file maintained by the
              server. Defaults to (on most systems) /var/log/radwtmp.

       -u radutmp_filename
              The path to the radutmp file, which is the session-database aka
              list of logged in users. Defaults to (on most systems)
              /var/log/radutmp.

       -w     Do not write the radwtmp file.

       -x     Debug mode. In this mode the server will print details of every
              request on its stderr output. Most useful in combination with
              -s. You can specify this option twice (-x -x or -xx) to get a
              bit more debugging output.

       -y     Write  details  about  every  authentication  request   in   the
              radius.log  file. If the password was incorrect, the password is
              logged too.

       -z     If the -y option is on, log the password in the radius.log file
              even for successful logins. This is very insecure!

       -Z     Never  log  any  password  in  the  radius.log  file, correct or
              incorrect.
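
       The -y, -z and -Z descriptions above combine into a small number of
       password-logging outcomes. The following is an added example, not part
       of the Cistron distribution: a shell function (the name
       radiusd_pw_logging and its result labels are assumptions) that
       classifies a radiusd argument list using the option letters from the
       SYNOPSIS.

```shell
#!/bin/sh
# Classify how a radiusd argument list treats passwords in radius.log,
# using only the option semantics given in this man page.
# Usage: radiusd_pw_logging <arguments that follow "radiusd">
radiusd_pw_logging() (
    # Option letters copied from the SYNOPSIS. A ':' after a letter marks an
    # option that takes an argument, so a value is never mistaken for a flag.
    # The leading ':' makes getopts report errors silently via $opt.
    optstring=':A:CDF:P:SZa:bcd:fg:i:l:p:sW:u:vwxyz'
    y=0 z=0 Z=0
    OPTIND=1
    while getopts "$optstring" opt; do
        case $opt in
            y) y=1 ;;
            z) z=1 ;;
            Z) Z=1 ;;
            \?|:) echo "unknown-option"; exit 2 ;;  # not in the SYNOPSIS
        esac
    done
    if [ "$y" -eq 0 ]; then
        echo "auth-not-logged"     # no -y: -z only applies when -y is on
    elif [ "$z" -eq 1 ] && [ "$Z" -eq 1 ]; then
        echo "conflict"            # the page gives no precedence for -z with -Z
    elif [ "$Z" -eq 1 ]; then
        echo "no-passwords"        # -y -Z: never log any password
    elif [ "$z" -eq 1 ]; then
        echo "all-passwords"       # -y -z: "very insecure" per the page
    else
        echo "failed-passwords"    # -y alone: incorrect passwords are logged
    fi
)

# Constructed sample argument lists, not taken from a real host.
radiusd_pw_logging -y -z -l /var/log     # all-passwords
radiusd_pw_logging -l -z -y              # failed-passwords ("-z" is -l's value)
```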

CONFIGURATION

       Radiusd uses 6 configuration files. Each file has its own manpage
       describing the format of the file. These files are:

       dictionary
              This  file is usually static. It defines all the possible RADIUS
              attributes used in the other configuration files. You don't have
              to modify it.

       clients
              Contains  the  IP address and a secret key for every client that
              wants to connect to the server.

       naslist
              Contains an entry for every NAS (Network Access Server)  in  the
              network. This is not the same as a client, especially if you
              have a radius proxy server in your network. In that case, the
              proxy server is the client and it sends requests for different
              NASes.

              It also contains an abbreviated name for each terminal server,
              used  to  create  the  directory  name  where the detail file is
              written, and used for the /var/log/radwtmp file. Finally it also
              defines  what type of NAS (Cisco, Livingston, Portslave) the NAS
              is.

       hints  Defines certain hints to the radius server based on the user's
              loginname or other attributes sent by the access server. It also
              provides for mapping user names (such as Pusername -> username).
              This provides the functionality that the Livingston 2.0 server
              has as "Prefix" and "Suffix" support in the users file, but is
              more general. Of course the Livingston way of doing things is
              also supported, and you can even  use  both  at  the  same  time
              (within certain limits).

       huntgroups
              Defines  the  huntgroups that you have, and makes it possible to
              restrict access to certain huntgroups  to  certain  (groups  of)
              users.

       users  Here the users are defined. On a typical setup, this file mainly
              contains DEFAULT entries  to  process  the  different  types  of
              logins,  based  on  hints from the hints file. Authentication is
              then based on the contents of the UNIX /etc/passwd file. However
              it is also possible to define all users, and their passwords, in
              this file.

SEE ALSO

       builddbm(8rad),     users(5rad),     huntgroups(5rad),     hints(5rad),
       clients(5rad), dictionary(5rad).

AUTHOR

       Miquel van Smoorenburg, miquels@cistron.nl.

                                  23 Jan 2002                       RADIUSD(8)