
FreeBSD Manual Pages


RADIUSD(8)                    Cistron Radius Daemon                   RADIUSD(8)

NAME
       radiusd -- Authentication, Authorization and Accounting server

SYNOPSIS
       radiusd [-A auth_detail_filename] [-C] [-D] [-F detail_filename]
               [-P pid_filename] [-S] [-Z] [-a accounting_directory] [-b] [-c]
               [-d config_directory] [-f] [-g syslog_facility] [-i ip-address]
               [-l log_directory] [-p port] [-s] [-W radwtmp_filename]
               [-u radutmp_filename] [-v] [-w] [-x] [-y] [-z]

DESCRIPTION
       This is the Cistron implementation of the well-known radius server
       program. It was originally based on Livingston's radius version 1.16.
       Even though this program is largely compatible with Livingston's radius
       version 2.0, it is not based on any part of that code. In fact, no code
       from the 1.16 version is left either.

       RADIUS is a protocol spoken between an access server, typically a
       device connected to several modems or ISDN lines, and a radius server.
       When a user connects to the access server, (s)he is asked for a login
       name and a password. This information is then sent to the radius
       server. The server replies with "access denied" or "access OK". In the
       latter case, login information is sent along, such as the IP address in
       the case of a PPP connection.

       The access server also sends login and logout records to the radius
       server so accounting can be done. These records are kept for each
       terminal server separately in a file called detail, and in the
       wtmp-compatible logfile /var/log/radwtmp.

OPTIONS
       -A auth_detail_filename
              Write a file auth_detail in addition to the standard detail file
              in the same directory. This file will contain all the
              authentication-request records. This can be useful for
              debugging, but not for normal operation. Takes the same syntax
              as the -F option. For example, use -A %N/detail.auth.

              Just check the syntax of the config files, print a diagnostic
              message, and exit. If the config files are not OK, the exit
              value will be non-zero.

       -F detail_filename
              Radiusd writes all the accounting records it receives to a file
              called NAS/detail in the accounting directory. This option
              changes the name of that file. You can include a macro, %N, that
              expands to (in order) the name of the remote proxy, the name of
              the NAS, or the IP address of the server that the record was
              received from. The default is %N/detail. Subdirectories at most
              one level deep will be created on the fly if necessary.

              If you specify this option multiple times, the first invocation
              will override the default detail-file filename, and additional
              invocations will make the server write to multiple detail files
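As an added illustration (not Cistron's code) of how -F and -A templates resolve, the following Python models the documented %N fallback order (proxy name, then NAS name, then source address), the rule that the first -F replaces the default while later ones add files, and the one-level subdirectory limit. The AcctRecord type, the function names and the accounting directory passed in are assumptions made for this example.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the -F / -A filename handling described in radiusd(8).
# It is not Cistron's implementation; names here are this example's own.

DEFAULT_TEMPLATE = "%N/detail"   # documented default when no -F is given


@dataclass
class AcctRecord:
    """Origin information attached to one accounting record (assumed shape)."""
    src_ip: str                       # address the packet was received from
    nas_name: Optional[str] = None    # short NAS name from the NAS list, if known
    proxy_name: Optional[str] = None  # name of the remote proxy, if relayed


def expand_n(template: str, rec: AcctRecord) -> str:
    """Expand %N using the first available of proxy name, NAS name, source IP."""
    name = rec.proxy_name or rec.nas_name or rec.src_ip
    return template.replace("%N", name)


def resolve_detail_files(f_options: List[str], rec: AcctRecord,
                         acct_dir: str) -> List[str]:
    """Return every detail file this record would be written to.

    No -F: the default %N/detail. One or more -F: the first replaces the
    default and later ones add extra files. Because radiusd only creates
    subdirectories one level deep, deeper templates are rejected here instead
    of yielding a path whose directory would never exist.
    """
    templates = f_options if f_options else [DEFAULT_TEMPLATE]
    paths = []
    for tmpl in templates:
        rel = expand_n(tmpl, rec)
        if rel.count("/") > 1:
            raise ValueError(f"more than one subdirectory level: {rel}")
        paths.append(os.path.join(acct_dir, rel))
    return paths
```

The accounting directory used in the checks below is a constructed sample value, since this page does not state the -a default.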

       -P pid_filename
              At startup, radiusd writes its process-id to a file. By default
              that is /var/run/; this option overrides that.

       -S     Write the stripped usernames (without prefix or suffix) in the
              detail file instead of the raw record as received from the
              terminal server.

       -a accounting directory
              The (base) directory used for the radius accounting detail
              files. If this directory doesn't exist, the server will not
              create any accounting detail files. The default is
       -g syslog_facility
              Available if the server was compiled with syslog support. This
              will make radiusd log informational and authentication messages
              to the syslog service with the specified facility in addition to
              the standard radius.log file.

       -l logging directory
              This defaults to /var/log. Radiusd writes a logfile here called
              radius.log. It contains informational and error messages, and
              optionally a record of every login attempt (for aiding an ISP's
              helpdesk). The special arguments stdout and stderr cause the
              information to get written to standard output or standard error
              respectively instead, and the special argument none turns off
              logging to radius.log. For compatibility with FreeRadius, syslog
              is an alias for none.

       -d config directory
              Defaults to /etc/raddb. Radiusd looks here for its configuration
              files such as the dictionary and the users files.

       -i ip-address
              Defines which IP address to bind to for sending and receiving
              packets; useful for hosts with more than one IP address.

       -b     If the radius server binary was compiled with dbm support, this
              flag tells it to actually use the database files instead of the
              flat users file.

       -c     This is still an experimental feature. Cache the password, group
              and shadow files in a hash table in memory. This makes the
              radius process use a bit more memory, but username lookups in
              the password file are much faster.

              After every change in the real password file (user added,
              password changed) you need to send a SIGHUP to the radius server
              to let it re-read its configuration and the
              password/group/shadow files!

       -D     Do not use DNS. Actually this means that DNS isn't used to
              resolve IP addresses to hostnames whenever there is something to
              be logged. If you really don't want to use DNS at all, you
              should use dotted-quad notation for all hostnames/addresses
              anywhere in the configuration files as well.

       -f     Do not fork; stay running as a foreground process.

       -p port
              Normally radiusd listens on the ports specified in /etc/services
              (radius and radacct). With this option radiusd listens on the
              specified port for authentication requests and on the specified
              port +1 for accounting requests.

       -s     Normally, the server forks a separate process for accounting,
              and a separate process for every authentication request. With
              this flag the server will not do that; it will process all
              authentication and accounting requests synchronously in one
       -v     Shows version and compilation flags, then exits.

       -W radwtmp_filename
              The path to the wtmp-style accounting file maintained by the
              server. Defaults to (on most systems) /var/log/radwtmp. If set
              to none, the server will not log wtmp-style accounting at all
              (same as -w).

       -u radutmp_filename
              The path to the radutmp file, which is the session database,
              a.k.a. the list of logged-in users. Defaults to (on most
              systems) /var/log/radutmp. If set to none, the server will not
              maintain a session database (and radwho and simultaneous-use
              restrictions will not work).

       -w     Do not write the radwtmp file.

       -x     Debug mode. In this mode the server will print details of every
              request on its stderr output. Most useful in combination with
              -s. You can specify this option 2 times (-x -x or -xx) to get a
              bit more debugging output.

       -y     Write details about every authentication request in the
              radius.log file. If the password was incorrect, the password is
              logged too.

       -z     If the -y option is on, log the password in the radius.log file
              even for successful logins. This is very insecure!

       -Z     Never log any password in the radius.log file, correct or
              incorrect.

       Radiusd uses 6 configuration files. Each file has its own manpage
       describing the format of the file. These files are:

              This file is usually static. It defines all the possible RADIUS
              attributes used in the other configuration files. You don't have
              to modify it.

              Contains the IP address and a secret key for every client that
              wants to connect to the server.

              Contains an entry for every NAS (Network Access Server) in the
              network. This is not the same as a client, especially if you
              have a radius proxy server in your network. In that case, the
              proxy server is the client and it sends requests for different

              It also contains an abbreviated name for each terminal server,
              used to create the directory name where the detail file is
              written, and used for the /var/log/radwtmp file. Finally, it
              also defines what type of NAS (Cisco, Livingston, Portslave) the
              NAS

       hints  Defines certain hints to the radius server based on the user's
              login name or other attributes sent by the access server. It
              also provides for mapping user names (such as Pusername ->
              username). This provides the functionality that the Livingston
              2.0 server has as "Prefix" and "Suffix" support in the users
              file, but is more general. Of course the Livingston way of doing
              things is also supported, and you can even use both at the same
              time (within certain limits).

              Defines the huntgroups that you have, and makes it possible to
              restrict access to certain huntgroups to certain (groups of)

       users  Here the users are defined. On a typical setup, this file mainly
              contains DEFAULT entries to process the different types of
              logins, based on hints from the hints file. Authentication is
              then based on the contents of the UNIX /etc/passwd file.
              However, it is also possible to define all users, and their
              passwords, in this file.

SEE ALSO
       builddbm(8rad), users(5rad), huntgroups(5rad), hints(5rad),
       clients(5rad), dictionary(5rad).

AUTHOR
       Miquel van Smoorenburg,

                                  14 Jan 2003                        RADIUSD(8)

