radiusd - Authentication, Authorization and Accounting server Linux Man Page

NAME

radiusd - Authentication, Authorization and Accounting server

SYNOPSIS

radiusd

accounting_directory ]

config_directory ]

ip-address ]

log_directory ]

facility ]

port ]

DESCRIPTION

radius

Livingston's

not

radiusd -X

will not

radiusd.conf

authorize{}

users

almost all of the authentication methods will "just work"

radiusd -X

BACKGROUND

RADIUS

radius

detail

wtmp

/var/log/radwtmp

OPTIONS

-A: Write a file detail.auth in addition to the standard detail file in the same directory. This file will contain all the authentication-request records. This can be useful for debugging, but not for normal operation.
This command line option is accepted only for backwards compatibility. It no longer does anything. See the configuration for the detail module in radiusd.conf.

-S: Write the stripped usernames (without prefix or suffix) in the detail file instead of the raw record as received from the terminal server.
This command line option is deprecated. See the log_stripped_names configuration item in the radiusd.conf file.

"-a: This defaults to /var/log/radacct. If that directory exists, radiusd will write an ascii accounting record into a detail file for every login/logout recorded. The location of the detail file is acct_dir/terminal_server/detail.
This command line option is deprecated. See the radacctdir configuration item in the radiusd.conf file.

"-l: This defaults to /var/log. Radiusd writes a logfile here called radius.log. It contains informational and error messages, and optionally a record of every login attempt (for aiding an ISP's helpdesk). The special arguments stdout and stderr cause the information to get written to the standard output, or standard error instead. The special argument syslog sends the information with syslog(3) .
This command line option is deprecated. See the log_dir configuration item in the radiusd.conf file.

"-g: Specifies the syslog facility to be used with -l syslog. Default is daemon. Another reasonable choice would be authpriv.

"-d: Defaults to /etc/raddb. Radiusd looks here for its configuration files such as the dictionary and the users files.

"-i: Defines which IP addres to bind to for sending and receiving packets- useful for multi-homed hosts.
This command line option is deprecated. See the bind_address configuration item in the radiusd.conf file.

-b: If the radius server binary was compiled with dbm support, this flag tells it to actually use the database files instead of the flat users file.
This command line option is deprecated, and does not do anything.

-c: This is still an experimental feature. Cache the password, group and shadow files in a hash-table in memory. This makes the radius process use a bit more memory, but username lookups in the password file are much faster. After every change in the real password file (user added, password changed) you need to send a SIGHUP to the radius server to let it re-read its configuration and the password/group/shadow files !
This command line option is deprecated. See the cache configuration item for the unix module in the radiusd.conf file.

-f: Do not fork, stay running as a foreground process.

"-p: Normally radiusd listens on the ports specified in /etc/services (radius and radacct). With this option radiusd listens on the specified port for authentication requests and on the specified port +1 for accounting requests.
This command line option is deprecated. See the port configuration item in the radiusd.conf file.

-s: Run in "single server" mode. The server normally runs with multiple threads and/or processes, which can lower its response time to requests. Some systems have issues with threading, however, so running in "single server" mode may help to address those issues. In single server mode, the server will also not "daemonize" (auto-background) itself.

-v: Print server version information and exit.

-x: Debug mode. In this mode the server will print details of every request on it's stderr output. Most useful in combination with -s. You can specify this option 2 times (-x -x or -xx) to get a bit more debugging output.

-X: Extended debug mode. Equivalent to -sfxx, but simpler to explain.

-y: Write details about every authentication request in the radius.log file.
This command line option is deprecated. See the log_auth configuration item in the radiusd.conf file.

-z: Include the password in the radius.log file even for successful logins. This is very insecure!.
This command line option is deprecated. See the log_auth_badpass and the log_auth_goodpass configuration items in the radiusd.conf file.

CONFIGURATION

Radiusd

radiusd.conf: The main configuration file, which sets the administrator-controlled items.

dictionary: This file is usually static. It defines all the possible RADIUS attributes used in the other configuration files. You don't have to modify it. It includes other dictionary files in the same directory.

clients: [ Deprecated ] Contains the IP address and a secret key for every client that wants to connect to the server.

naslist: Contains an entry for every NAS (Network Access Server) in the network. This is not the same as a client, especially if you have radius proxy server in your network. In that case, the proxy server is the client and it sends requests for different NASes. It also contains a abbreviated name for each terminal server, used to create the directory name where the detail file is written, and used for the /var/log/radwtmp file. Finally it also defines what type of NAS (Cisco, Livingston, Portslave) the NAS is.

hints: Defines certain hints to the radius server based on the users's loginname or other attributes sent by the access server. It also provides for mapping user names (such as Pusername -> username). This provides the functionality that the Livingston 2.0 server has as "Prefix" and "Suffix" support in the users file, but is more general. Ofcourse the Livingston way of doing things is also supported, and you can even use both at the same time (within certain limits).

huntgroups: Defines the huntgroups that you have, and makes it possible to restrict access to certain huntgroups to certain (groups of) users.

users: Here the users are defined. On a typical setup, this file mainly contains DEFAULT entries to process the different types of logins, based on hints from the hints file. Authentication is then based on the contents of the UNIX /etc/passwd file. However it is also possible to define all users, and their passwords, in this file.