ADC Home > Reference Library > Reference > Mac OS X > Mac OS X Man Pages

 

This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

This manual page is associated with Mac OS X Server. It is not available on standard Mac OS X (client) installations.

For more information about the manual page format, see the manual page for manpages(5).



RADIUSD(8)                                    FreeRADIUS Daemon                                   RADIUSD(8)



NAME
       radiusd - Authentication, Authorization and Accounting server

SYNOPSIS
       radiusd  [-A] [-S] [-a accounting_directory] [-b] [-c] [-d config_directory] [-f] [-i ip-address] [-l
       log_directory] [-g facility] [-p port] [-s] [-v] [-x] [-X] [-y] [-z]

DESCRIPTION
       This is the FreeRADIUS implementation of the well known radius server program.  Even though this pro-gram program
       gram  is largely compatible with Livingston's radius version 2.0, it is not based on any part of that
       code.

       FreeRADIUS is a high-performance and highly configurable RADIUS server.  As a result, it can be  dif-ficult difficult
       ficult  to configure in systems with complex requirements.  Our suggestion is to proceed via the fol-lowing following
       lowing steps:

       1) Always run the server in debugging mode ( radiusd -X ).  We cannot emphasize this enough.  If  you
       are not running the server in debugging mode, you will not be able to see what is doing, and you will
       not be able to correct any problems.

       2) When editing the radiusd.conf file, change as little as possible, especially  in  the  authorize{}
       section.  The ordering of the modules is critical for the server to be able to "automatically" figure
       out how to handle the request.  Changing the order of the modules ensures that the  server  will  not
       work.

       3)  When  testing,  start  off  by configuring a user and password in the users file.  So long as the
       server knows about a user, and has a clear-text password for that user, almost all of the authentica-tion authentication
       tion methods will "just work".

       4)  Gradually  add  more  complex configurations to the server, while testing them as you go.  If you
       start off by configuring the server in a complex configuration, you will never be able to debug it.

       5) Ask questions on the mailing list (freeradius-users@lists.freeradius.org).  When asking questions,
       include  the  output  from debugging mode ( radiusd -X ).  This information will allow people to help
       you.  Without it, your message will get ignored.


BACKGROUND
       RADIUS is a protocol spoken between an access server, typically a device connected to several  modems
       or  ISDN  lines, and a radius server. When a user connects to the access server, (s)he is asked for a
       loginname and a password. This information is then sent to the radius server. The server replies with
       "access  denied",  or "access OK". In the latter case login information is sent along, such as the IP
       address in the case of a PPP connection.

       The access server also sends login and logout records to the radius server so accounting can be done.
       These  records  are kept for each terminal server seperately in a file called detail, and in the wtmp
       compatible logfile /var/log/radwtmp.


OPTIONS
       -A     Write a file detail.auth in addition to the standard detail file in the same  directory.  This
              file  will  contain  all the authentication-request records. This can be useful for debugging,
              but not for normal operation.

              This command line option is accepted only for backwards compatibility.  It no longer does any-thing. anything.
              thing.  See the configuration for the detail module in radiusd.conf.


       -S     Write  the stripped usernames (without prefix or suffix) in the detail file instead of the raw
              record as received from the terminal server.

              This command line option is deprecated.  See the log_stripped_names configuration item in  the
              radiusd.conf file.


       -a accounting directory
              This  defaults  to  /var/log/radacct.  If  that  directory exists, radiusd will write an ascii
              accounting record into a detail file for every login/logout  recorded.  The  location  of  the
              detail file is acct_dir/terminal_server/detail.

              This  command  line  option  is  deprecated.   See  the  radacctdir  configuration item in the
              radiusd.conf file.


       -l logging directory
              This defaults to /var/log. Radiusd writes a logfile here called radius.log. It contains infor-mational informational
              mational  and  error  messages,  and optionally a record of every login attempt (for aiding an
              ISP's helpdesk). The special arguments stdout and stderr cause the information to get  written
              to  the  standard  output,  or  standard  error instead. The special argument syslog sends the
              information with syslog(3).

              This  command  line  option  is  deprecated.   See  the  log_dir  configuration  item  in  the
              radiusd.conf file.


       -g facility
              Specifies the syslog facility to be used with -l syslog. Default is daemon. Another reasonable
              choice would be authpriv.


       -d config directory
              Defaults to /etc/raddb. Radiusd looks here for its configuration files such as the  dictionary
              and the users files.


       -i ip-address
              Defines  which  IP addres to bind to for sending and receiving packets- useful for multi-homed
              hosts.

              This command line option is deprecated.   See  the  bind_address  configuration  item  in  the
              radiusd.conf file.


       -b     If  the radius server binary was compiled with dbm support, this flag tells it to actually use
              the database files instead of the flat users file.

              This command line option is deprecated, and does not do anything.


       -c     This is still an experimental feature.  Cache the password, group and shadow files in a  hash-table hashtable
              table in memory.  This makes the radius process use a bit more memory, but username lookups in
              the password file are much faster.

              After every change in the real password file (user added, password changed) you need to send a
              SIGHUP  to the radius server to let it re-read its configuration and the password/group/shadow
              files !

              This command line option is deprecated.  See the cache configuration item for the unix  module
              in the radiusd.conf file.


       -f     Do not fork, stay running as a foreground process.


       -p port
              Normally  radiusd  listens  on the ports specified in /etc/services (radius and radacct). With
              this option radiusd listens on the specified port for authentication requests and on the spec-ified specified
              ified port +1 for accounting requests.

              This  command  line option is deprecated.  See the port configuration item in the radiusd.conf
              file.


       -s     Run in "single server" mode.  The server normally runs with multiple threads and/or processes,
              which  can lower its response time to requests.  Some systems have issues with threading, how-ever, however,
              ever, so running in "single server" mode may help to address those issues.  In  single  server
              mode, the server will also not "daemonize" (auto-background) itself.


       -v     Print server version information and exit.


       -x     Debug mode. In this mode the server will print details of every request on it's stderr output.
              Most useful in combination with -s.  You can specify this option 2 times (-x -x or -xx) to get
              a bit more debugging output.


       -X     Extended debug mode.  Equivalent to -sfxx, but simpler to explain.


       -y     Write details about every authentication request in the radius.log file.

              This  command  line  option  is  deprecated.   See  the  log_auth  configuration  item  in the
              radiusd.conf file.


       -z     Include the password in the radius.log file even for successful logins.  This  is  very  inse-cure!. insecure!.
              cure!.

              This  command  line  option is deprecated.  See the log_auth_badpass and the log_auth_goodpass
              configuration items in the radiusd.conf file.


CONFIGURATION
       Radiusd uses a number of configuration files. Each file has it's own manpage describing the format of
       the file. These files are:

       radiusd.conf
              The main configuration file, which sets the administrator-controlled items.

       dictionary
              This  file  is usually static. It defines all the possible RADIUS attributes used in the other
              configuration files.  You don't have to modify it.  It includes other dictionary files in  the
              same directory.

       clients
              [ Deprecated ] Contains the IP address and a secret key for every client that wants to connect
              to the server.

       naslist
              Contains an entry for every NAS (Network Access Server) in the network. This is not  the  same
              as  a  client,  especially  if you have radius proxy server in your network. In that case, the
              proxy server is the client and it sends requests for different NASes.

              It also contains a abbreviated name for each terminal server, used  to  create  the  directory
              name where the detail file is written, and used for the /var/log/radwtmp file. Finally it also
              defines what type of NAS (Cisco, Livingston, Portslave) the NAS is.

       hints  Defines certain hints to the radius server based on the users's loginname or other  attributes
              sent by the access server. It also provides for mapping user names (such as Pusername -> user-name). username).
              name). This provides the functionality that the Livingston 2.0  server  has  as  "Prefix"  and
              "Suffix"  support in the users file, but is more general. Ofcourse the Livingston way of doing
              things is also supported, and you can even use both at the same time (within certain  limits).

       huntgroups
              Defines  the  huntgroups  that  you  have, and makes it possible to restrict access to certain
              huntgroups to certain (groups of) users.

       users  Here the users are defined. On a typical setup, this file mainly contains DEFAULT  entries  to
              process  the  different types of logins, based on hints from the hints file. Authentication is
              then based on the contents of the UNIX /etc/passwd file. However it is also possible to define
              all users, and their passwords, in this file.

SEE ALSO
       radiusd.conf(5), users(5), huntgroups(5), hints(5), clients(5), dictionary(5).

AUTHOR
       The FreeRADIUS Server Project (http://www.freeradius.org)




                                                23 June 2004                                      RADIUSD(8)

Did this document help you?
Yes: Tell us what works for you.
It’s good, but: Report typos, inaccuracies, and so forth.
It wasn’t helpful: Tell us what would have helped.