Provided by: freeradius-common_2.1.12+dfsg-1.2ubuntu8.2_all 
NAME
radiusd - Authentication, Authorization and Accounting server
SYNOPSIS
radiusd [-C] [-d config_directory] [-f] [-h] [-i ip-address] [-l log_file] [-m] [-n name]
[-p port] [-s] [-t] [-v] [-x] [-X]
DESCRIPTION
FreeRADIUS is a high-performance and highly configurable RADIUS server. It supports many
database back-ends such as flat-text files, SQL, LDAP, Perl, Python, etc. It also
supports many authentication protocols such as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and
EAP (EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM, etc.).
It also has experimental support for Cisco's VLAN Query Protocol (VMPS) and DHCP.
Please read the DEBUGGING section below. It contains instructions for quickly configuring
the server for your local system.
OPTIONS
The following command-line options are accepted by the server.
-C Check the configuration and exit immediately. If there is a problem reading the
configuration, then the server will exit with a non-zero status code. If the
configuration appears to be acceptable, then the server will exit with a zero
status code.
Note that there are many limitations to this check. Due to the complexities
involved in almost starting a RADIUS server, these checks are necessarily
incomplete. The server can return a zero status code when run with -C, but may
still exit with an error when run normally.
See the output of radiusd -XC for an informative list of which modules are checked
for correct configuration, and which modules are skipped, and therefore not
checked.
-d config directory
Defaults to /etc/raddb. Radiusd looks here for its configuration files such as the
dictionary and the users files.
-i ip-address
Defines which IP address that the server uses for sending and receiving packets.
If this command-line option is given, then the "bind_address" and all "listen{}"
entries in radiusd.conf are ignored.
This option MUST be used in conjunction with "-p".
-f Do not fork, stay running as a foreground process.
-h Print usage help information.
-l log_file
Defaults to ${logdir}/radius.log. Radiusd writes it's logging information to this
file. If log_file is the string "stdout" logging will be written to stdout.
-m On SIGINT or SIGQUIT exit cleanly instead of immediately.
-n name
Read raddb/name.conf instead of raddb/radiusd.conf.
-p port
Normally radiusd listens on the ports specified in /etc/services (radius and
radacct). When this option is given, radiusd listens on the specified port for
authentication requests and on the specified port +1 for accounting requests.
If this command-line option is given, then the "port" directive in radiusd.conf is
ignored.
This option MUST be used in conjunction with "-i".
-s Run in "single server" mode. The server normally runs with multiple threads and/or
processes, which can lower its response time to requests. Some systems have issues
with threading, however, so running in "single server" mode may help to address
those issues. In single server mode, the server will also not "daemonize" (auto-
background) itself.
-t Do not spawn threads.
-v Print server version information and exit.
-X Debugging mode. Equivalent to "-sfxx -l stdout". When trying to understand how
the server works, ALWAYS run it with "radiusd -X".
-x Finer-grained debug mode. In this mode the server will print details of every
request on it's stdout output. You can specify this option multiple times (-x -x or
-xx) to get more detailed output.
DEBUGGING
The server can be difficult to configure correctly in systems with complex requirements.
We STRONGLY RECOMMEND proceeding via the following steps:
1) Always run the server in debugging mode ( radiusd -X ). We cannot emphasize this
enough. If you are not running the server in debugging mode, you will not be able to see
what is doing, and you will not be able to correct any problems.
2) Change as little as possible in the default configuration files. The server contains a
decade of experience with protocols, databases, and different systems. Its default
configuration is designed to work almost everywhere, and to do almost everything.
3) Make small changes to the configuration files, while testing each change as you make
it. If the change works, save a copy of the configuration, and make another change. If
the change doesn't work, debug it, and try to understand why it doesn't work.
If you begin by making large changes to the server configuration, it will never work, and
you will never be able to debug it.
4) If you need to add a connection to a database FOO (e.g. LDAP or SQL), then:
a) Edit raddb/modules/foo
This file contains the default configuration for the module. It contains comments
describing what can be configured, and what those configuration entries mean.
b) Edit raddb/sites-available/default
This file contains the default policy for the server. e.g. "enable CHAP, MS-CHAP, and
EAP authentication". Look in this file for all references to your module "foo". Read
the comments, and remove the leading hash '#' from the lines referencing the module.
This enables the module.
c) Edit raddb/sites-available/inner-tunnel
This file contains the default policy for the "tunneled" portion of certain EAP
methods. Perform the same kind of edits as above, for the "default" file.. If you are
not using EAP (802.1X), then this step can be skipped.
d) Start the server in debugging mode ( radiusd -X ), and start testing.
5) Ask questions on the mailing list (freeradius-users@lists.freeradius.org). When asking
questions, include the output from debugging mode ( radiusd -X ). This information will
allow people to help you. If you do not include it, the first response to your message
will be "post the output of debug mode".
Ask questions earlier, rather than later. If you cannot solve a problem in a day, ask a
question on the mailing list. Most questions have been seen before, and can be answered
quickly.
BACKGROUND
RADIUS is a protocol spoken between an access server, typically a device connected to
several modems or ISDN lines, and a radius server. When a user connects to the access
server, (s)he is asked for a loginname and a password. This information is then sent to
the radius server. The server replies with "access denied", or "access OK". In the latter
case login information is sent along, such as the IP address in the case of a PPP
connection.
The access server also sends login and logout records to the radius server so accounting
can be done. These records are kept for each terminal server seperately in a file called
detail, and in the wtmp compatible logfile /var/log/radwtmp.
CONFIGURATION
Radiusd uses a number of configuration files. Each file has it's own manpage describing
the format of the file. These files are:
radiusd.conf
The main configuration file, which sets the administrator-controlled items.
dictionary
This file is usually static. It defines all the possible RADIUS attributes used in
the other configuration files. You don't have to modify it. It includes other
dictionary files in the same directory.
hints Defines certain hints to the radius server based on the users's loginname or other
attributes sent by the access server. It also provides for mapping user names (such
as Pusername -> username). This provides the functionality that the Livingston 2.0
server has as "Prefix" and "Suffix" support in the users file, but is more general.
Ofcourse the Livingston way of doing things is also supported, and you can even use
both at the same time (within certain limits).
huntgroups
Defines the huntgroups that you have, and makes it possible to restrict access to
certain huntgroups to certain (groups of) users.
users Here the users are defined. On a typical setup, this file mainly contains DEFAULT
entries to process the different types of logins, based on hints from the hints
file. Authentication is then based on the contents of the UNIX /etc/passwd file.
However it is also possible to define all users, and their passwords, in this file.
SEE ALSO
radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5).
AUTHOR
The FreeRADIUS Server Project (http://www.freeradius.org)
08 Mar 2009 RADIUSD(8)