1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
|
.TH RADIUSD 8 "28 June 2000" "" "Cistron Radius Daemon"
.SH NAME
radiusd -- Authentication, Authorization and Accounting server
.SH SYNOPSIS
.B radiusd
.RB [ \-A ]
.RB [ \-C ]
.RB [ \-D ]
.RB [ \-S ]
.RB [ \-a
.IR accounting_directory ]
.RB [ \-b ]
.RB [ \-c ]
.RB [ \-d
.IR config_directory ]
.RB [ \-f ]
.RB [ \-i
.IR ip-address ]
.RB [ \-l
.IR log_directory ]
.RB [ \-p
.IR port ]
.RB [ \-s ]
.RB [ \-v ]
.RB [ \-w ]
.RB [ \-x ]
.RB [ \-y ]
.RB [ \-z ]
.SH DESCRIPTION
This is the Cistron implementation of the well known
.B radius
server program. It is based on \fILivingston's\fP radius version 1.16.
Even though this program is largely compatible with \fILivingston's\fP
radius version 2.0, it's \fBnot\fP based on any part of that code.
.PP
\fBRADIUS\fP is a protocol spoken between an access server, typically
a device connected to several modems or ISDN lines, and a \fBradius\fP
server. When a user connects to the access server, (s)he is asked for
a loginname and a password. This information is then sent to the \fBradius\fP
server. The server replies with "access denied", or "access OK". In the
latter case login information is sent along, such as the IP address in
the case of a PPP connection.
.PP
The access server also sends login and logout records to the \fBradius\fP
server so accounting can be done. These records are kept for each terminal
server seperately in a file called \fBdetail\fP, and in the \fIwtmp\fP
compatible logfile \fB/var/log/radwtmp\fP.
.SH OPTIONS
.IP \-A
Write a file \fIdetail.auth\fP in addition to the standard \fBdetail\fP file
in the same directory. This file will contain all the authentication-request
records. This can be useful for debugging, but not for normal operation.
.IP \-C
Just check the syntax of the config files, print a diagnostic message,
and exit. If the config files are not OK the exit value will be non-zero.
.IP \-S
Write the stripped usernames (without prefix or suffix) in the \fIdetail\fP
file instead of the raw record as received from the terminal server.
.IP "\-a \fIaccounting directory\fP"
This defaults to \fI/var/log/radacct\fP. If that directory exists,
\fBradiusd\fP will create a subdirectory with the name of the terminal
server and write an ascii accounting record into a detail file (called
\fIdetail\fP) for every login/logout recorded.
The subdirectory name is the "short name"
as defined in \fI/etc/raddb/naslist\fP or, if there isn't one, the
full DNS name.
.IP
If the name of the accounting directory ends in a "/" then no subdirectories
will be created and all accounting data will be written into one common
"detail" file.
.IP "\-l \fIlogging directory\fP"
This defaults to \fI/var/log\fP. \fBRadiusd\fP writes a logfile here called
\fIradius.log\fP. It contains informational and error messages, and optionally
a record of every login attempt (for aiding an ISP's helpdesk). The
special argument \fIstdout\fP causes the information to get written
to the standard output instead.
.IP "\-d \fIconfig directory\fP"
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
files such as the \fIdictionary\fP and the \fIusers\fP files.
.IP "\-i \fIip-address\fP"
Defines which IP addres to bind to for sending and receiving packets-
useful for multi-homed hosts.
.IP \-b
If the \fBradius\fP server binary was compiled with \fIdbm\fP support,
this flag tells it to actually \fIuse\fP the database files instead of the
flat \fIusers\fP file.
.IP \-c
This is still an \fIexperimental\fP feature.
Cache the password, group and shadow files in a hash-table in memory.
This makes the radius process use a bit more memory, but username
lookups in the password file are \fImuch\fP faster.
.IP
After every change in the real password file (user added, password changed)
you need to send a \fBSIGHUP\fP to the radius server to let it re-read
its configuration and the password/group/shadow files !
.IP \-D
Do not use DNS. Actually this means that DNS isn't used to resolve IP
addresses to hostnames whenever there is something to be logged. If you
really don't want to use DNS at all, you should use dotted-quad notation for
all hostnames/addresses anywhere in the configuration files as well.
.IP \-f
Do not fork, stay running as a foreground process.
.IP "\-p \fIport\fP"
Normally radiusd listens on the ports specified in \fI/etc/services\fP
(radius and radacct). With this option radiusd listens on the specified
port for authentication requests and on the specified port +1 for
accounting requests.
.IP \-s
Normally, the server forks a seperate process for accounting, and a seperate
process for every authentication request. With this flag the server will not
do that. It won't even "daemonize" (auto-background) itself.
.IP \-w
Do not write the \fIradwtmp\fP file.
.IP \-x
Debug mode. In this mode the server will print details of every request
on it's \fBstderr\fP output. Most useful in combination with \fB-s\fP.
You can specify this option 2 times (-x -x or -xx) to get a bit more
debugging output.
.IP \-y
Write details about every authentication request in the
\fIradius.log\fP file.
.IP \-z
Include the password in the \fIradius.log\fP file \fBeven\fP for successful
logins. \fIThis is very insecure!\fP.
.SH CONFIGURATION
\fBRadiusd\fP uses 6 configuration files. Each file has it's own manpage
describing the format of the file. These files are:
.IP dictionary
This file is usually static. It defines all the possible RADIUS attributes
used in the other configuration files. You don't have to modify it.
.IP clients
Contains the IP address and a secret key for every client that wants
to connect to the server.
.IP naslist
Contains an entry for every NAS (Network Access Server) in the network. This
is not the same as a client, especially if you have \fBradius\fP proxy server
in your network. In that case, the proxy server is the client and it sends
requests for different NASes.
.IP
It also contains a abbreviated name for each
terminal server, used to create the directory name where the \fBdetail\fP
file is written, and used for the \fB/var/log/radwtmp\fP file. Finally
it also defines what type of NAS (Cisco, Livingston, Portslave) the NAS is.
.IP hints
Defines certain hints to the radius server based on the users's loginname
or other attributes sent by the access server. It also provides for
mapping user names (such as Pusername -> username). This provides the
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
the Livingston way of doing things is also supported, and you can even use
both at the same time (within certain limits).
.IP huntgroups
Defines the huntgroups that you have, and makes it possible to restrict
access to certain huntgroups to certain (groups of) users.
.IP users
Here the users are defined. On a typical setup, this file mainly contains
DEFAULT entries to process the different types of logins, based on hints
from the hints file. Authentication is then based on the contents of
the UNIX \fI/etc/passwd\fP file. However it is also possible to define all
users, and their passwords, in this file.
.SH SEE ALSO
builddbm(8rad), users(5rad), huntgroups(5rad), hints(5rad),
clients(5rad), dictionary(5rad).
.SH AUTHOR
Miquel van Smoorenburg, miquels@cistron.nl.
|
