This manual page is for Mac OS X Server version 10.6

Reading manual pages

RADIUSD(8)                                    FreeRADIUS Daemon                                   RADIUSD(8)



NAME
       radiusd - Authentication, Authorization and Accounting server

SYNOPSIS
       radiusd [-C] [-d config_directory] [-f] [-i ip-address] [-n name] [-p port] [-s] [-v] [-x] [-X]

DESCRIPTION
       FreeRADIUS  is  a  high-performance and highly configurable RADIUS server.  It supports many database
       back-ends such as flat-text files, SQL, LDAP, Perl, Python, etc.  It also supports  many  authentica-tion authentication
       tion  protocols  such  as  PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAPTTLS,
       TTLS, EAP-SIM, etc.).

       Version 2.0 has preliminary support for Cisco's VLAN Query Protocol, also known as VMPS.

OPTIONS
       The following command-line options are accepted by the server.

       -C     Check the configuration and exit immediately.  If there is a problem  reading  the  configura-tion, configuration,
              tion,  then the server will exit with a non-zero status code.  If the configuration appears to
              be acceptable, then the server will exit with a zero status code.

              Note that there are many limitations to this check.   Due  to  the  complexities  involved  in
              almost  starting  a  RADIUS  server,  these checks are necessarily incomplete.  The server can
              return a zero status code when run with -C, but may still exit with an  error  when  run  nor-mally. normally.
              mally.

              See the output of radiusd -XC for an informative list of which modules are checked for correct
              configuration, and which modules are skipped, and therefore not checked.

       -d config directory
              Defaults to /etc/raddb. Radiusd looks here for its configuration files such as the  dictionary
              and the users files.

       -i ip-address
              Defines which IP address that the server uses for sending and receiving packets.

              If  this  command-line  option is given, then the "bind_address" and all "listen{}" entries in
              radiusd.conf are ignored.

              This option MUST be used in conjunction with "-p".

       -f     Do not fork, stay running as a foreground process.

       -n     Read raddb/name.conf instead of raddb/radiusd.conf.

       -p port
              Normally radiusd listens on the ports specified in /etc/services (radius  and  radacct).  When
              this option is given, radiusd listens on the specified port for authentication requests and on
              the specified port +1 for accounting requests.

              If this command-line option is given, then the "port" directive in radiusd.conf is ignored.

              This option MUST be used in conjunction with "-i".

       -s     Run in "single server" mode.  The server normally runs with multiple threads and/or processes,
              which  can lower its response time to requests.  Some systems have issues with threading, how-ever, however,
              ever, so running in "single server" mode may help to address those issues.  In  single  server
              mode, the server will also not "daemonize" (auto-background) itself.

       -v     Print server version information and exit.

       -X     Debugging mode.  Equivalent to -sfxx -l stdout

       -x     Finer-grained  debug mode. In this mode the server will print details of every request on it's
              stdout output. You can specify this option multiple times (-x -x or -xx) to get more  detailed
              output.

DEBUGGING
       The server can be difficult to configure correctly in systems with complex requirements.  We STRONGLY
       RECOMMEND proceeding via the following steps:

       1) Always run the server in debugging mode ( radiusd -X ).  We cannot emphasize this enough.  If  you
       are not running the server in debugging mode, you will not be able to see what is doing, and you will
       not be able to correct any problems.

       2) When editing the radiusd.conf file, change as little as possible, especially  in  the  authorize{}
       section.  The ordering of the modules is critical for the server to be able to "automatically" figure
       out how to handle the request.  Changing the order of the modules ensures that the  server  will  not
       work.

       3)  When  testing,  start  off  by configuring a user and password in the users file.  So long as the
       server knows about a user, and has a clear-text password for that user, almost all of the authentica-tion authentication
       tion methods will "just work".

       4)  Gradually  add  more  complex configurations to the server, while testing them as you go.  If you
       start off by configuring the server in a complex configuration, you will never be able to debug it.

       5) Ask questions on the mailing list ([email protected]).  When asking questions,
       include  the  output  from debugging mode ( radiusd -X ).  This information will allow people to help
       you.  Without it, your message will get ignored.

BACKGROUND
       RADIUS is a protocol spoken between an access server, typically a device connected to several  modems
       or  ISDN  lines, and a radius server. When a user connects to the access server, (s)he is asked for a
       loginname and a password. This information is then sent to the radius server. The server replies with
       "access  denied",  or "access OK". In the latter case login information is sent along, such as the IP
       address in the case of a PPP connection.

       The access server also sends login and logout records to the radius server so accounting can be done.
       These  records  are kept for each terminal server seperately in a file called detail, and in the wtmp
       compatible logfile /var/log/radwtmp.

CONFIGURATION
       Radiusd uses a number of configuration files. Each file has it's own manpage describing the format of
       the file. These files are:

       radiusd.conf
              The main configuration file, which sets the administrator-controlled items.

       dictionary
              This  file  is usually static. It defines all the possible RADIUS attributes used in the other
              configuration files.  You don't have to modify it.  It includes other dictionary files in  the
              same directory.

       hints  Defines  certain hints to the radius server based on the users's loginname or other attributes
              sent by the access server. It also provides for mapping user names (such as Pusername -> user-name). username).
              name).  This  provides  the  functionality  that the Livingston 2.0 server has as "Prefix" and
              "Suffix" support in the users file, but is more general. Ofcourse the Livingston way of  doing
              things  is also supported, and you can even use both at the same time (within certain limits).

       huntgroups
              Defines the huntgroups that you have, and makes it possible  to  restrict  access  to  certain
              huntgroups to certain (groups of) users.

       users  Here  the  users are defined. On a typical setup, this file mainly contains DEFAULT entries to
              process the different types of logins, based on hints from the hints file.  Authentication  is
              then based on the contents of the UNIX /etc/passwd file. However it is also possible to define
              all users, and their passwords, in this file.

SEE ALSO
       radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5).

AUTHOR
       The FreeRADIUS Server Project (http://www.freeradius.org)




                                                 27 Dec 2007                                      RADIUSD(8)