.TH RADIUSD 8 "23 Jan 2002" "" "Cistron Radius Daemon"
.SH NAME
radiusd -- Authentication, Authorization and Accounting server
.SH SYNOPSIS
.B radiusd
.RB [ \-A 
.IR auth_detail_filename ]
.RB [ \-C ]
.RB [ \-D ]
.RB [ \-F
.IR detail_filename ]
.RB [ \-P
.IR pid_filename ]
.RB [ \-S ]
.RB [ \-Z ]
.RB [ \-a
.IR accounting_directory ]
.RB [ \-b ]
.RB [ \-c ]
.RB [ \-d
.IR config_directory ]
.RB [ \-f ]
.RB [ \-g
.IR syslog_facility ]
.RB [ \-i
.IR ip-address ]
.RB [ \-l
.IR log_directory ]
.RB [ \-p
.IR port ]
.RB [ \-s ]
.RB [ \-W
.IR radwtmp_filename ]
.RB [ \-u
.IR radutmp_filename ]
.RB [ \-v ]
.RB [ \-w ]
.RB [ \-x ]
.RB [ \-y ]
.RB [ \-z ]
.SH DESCRIPTION
This is the Cistron implementation of the well known
.B radius
server program. It was originally based on \fILivingston's\fP radius
version 1.16.  Even though this program is largely compatible with
\fILivingston's\fP radius version 2.0, it's \fBnot\fP based on any
part of that code. In fact no code from the 1.16 version is left either.
.PP
\fBRADIUS\fP is a protocol spoken between an access server, typically
a device connected to several modems or ISDN lines, and a \fBradius\fP
server. When a user connects to the access server, (s)he is asked for
a loginname and a password. This information is then sent to the \fBradius\fP
server. The server replies with "access denied", or "access OK". In the
latter case login information is sent along, such as the IP address in
the case of a PPP connection.
.PP
The access server also sends login and logout records to the \fBradius\fP
server so accounting can be done. These records are kept for each terminal
server seperately in a file called \fBdetail\fP, and in the \fIwtmp\fP
compatible logfile \fB/var/log/radwtmp\fP.
.SH OPTIONS

.IP "\-A \fIauth_detail_filename\fP"
Write a file \fIauth_detail\fP in addition to the standard \fBdetail\fP file
in the same directory. This file will contain all the authentication-request
records. This can be useful for debugging, but not for normal operation.
Takes the same syntax as the \fB-F\fP option. For example, use
\fB-A %N/detail.auth\fP.

.IP \-C

Just check the syntax of the config files, print a diagnostic message,
and exit.  If the config files are not OK the exit value will be non-zero.

.IP "\-F \fIdetail_filename\fP"

\fBRadiusd\fP writes the all accounting records it receives to a file called
\fINAS/detail\fP in the accounting directory. This option changes the
name of that file. You can include a macro, \fB%N\fP, that expands to
(in order) the name of the remote proxy, the name of the NAS, or the
IP address of the server that the record was received from. The
default is \fB%N/detail\fP. Subdirectories of max. 1 level deep will
be created on the fly if necessary.
.IP
If you specify this option multiple times, the first invocation will
override the default detail-file filename, and additional invocations
will make the server write to \fImultiple\fP detail files simultaneously.

.IP "\-P \fIpid_filename\fP"

At startup, \fBradiusd\fP writes its process-id to a file. By default
that is \fI/var/run/radiusd.pid\fP, this option overrides that.

.IP \-S
Write the stripped usernames (without prefix or suffix) in the \fIdetail\fP
file instead of the raw record as received from the terminal server.

.IP "\-a \fIaccounting directory\fP"
The (base) directory used for the radius accounting \fIdetail\fP files.
If this directory doesn't exist, the server will not create any
accounting detail files. The default is \fI/var/log/radacct\fP.

.IP "\-g \fIsyslog_facility\fP"

Available if the server was compiled with syslog support. This will make
\fBradiusd\fP log informational and authentication messages to the syslog
service with the specified facility in addition to the standard
radius.log file.

.IP "\-l \fIlogging directory\fP"
This defaults to \fI/var/log\fP. \fBRadiusd\fP writes a logfile here called
\fIradius.log\fP. It contains informational and error messages, and optionally
a record of every login attempt (for aiding an ISP's helpdesk). The
special arguments \fIstdout\fP and \fIstderr\fP cause the information to
get written to standard output resp. standard error instead, and the
special argument \fInone\fP
turns off logging to \fIradius.log\fP. For compatibility with
\fBFreeRadius\fP, \fIsyslog\fP is an alias for \fInone\fP.

.IP "\-d \fIconfig directory\fP"
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
files such as the \fIdictionary\fP and the \fIusers\fP files.

.IP "\-i \fIip-address\fP"
Defines which IP address to bind to for sending and receiving packets-
useful for hosts with more than one IP address.

.IP \-b
If the \fBradius\fP server binary was compiled with \fIdbm\fP support,
this flag tells it to actually \fIuse\fP the database files instead of the
flat \fIusers\fP file.

.IP \-c
This is still an \fIexperimental\fP feature.
Cache the password, group and shadow files in a hash-table in memory.
This makes the radius process use a bit more memory, but username
lookups in the password file are \fImuch\fP faster.
.IP
After every change in the real password file (user added, password changed)
you need to send a \fBSIGHUP\fP to the radius server to let it re-read
its configuration and the password/group/shadow files !

.IP \-D
Do not use DNS. Actually this means that DNS isn't used to resolve IP
addresses to hostnames whenever there is something to be logged. If you
really don't want to use DNS at all, you should use dotted-quad notation for
all hostnames/addresses anywhere in the configuration files as well.

.IP \-f
Do not fork, stay running as a foreground process.

.IP "\-p \fIport\fP"
Normally radiusd listens on the ports specified in \fI/etc/services\fP
(radius and radacct). With this option radiusd listens on the specified
port for authentication requests and on the specified port +1 for
accounting requests.

.IP \-s
Normally, the server forks a seperate process for accounting, and a seperate
process for every authentication request. With this flag the server will not
do that - it will process all authentication and accounting requests
synchonously in one process.

.IP \-v
Shows version and compilation flags, then exits.

.IP "\-W \fIradwtmp_filename\fP"

The path to the wtmp-style accounting file maintained by the server.
Defaults to (on most systems) \fI/var/log/radwtmp\fP.

.IP "\-u \fIradutmp_filename\fP"

The path to the radutmp file, which is the session-database aka list
of logged in users. Defaults to (on most systems) \fI/var/log/radutmp\fP.

.IP \-w
Do not write the \fIradwtmp\fP file.

.IP \-x
Debug mode. In this mode the server will print details of every request
on it's \fBstderr\fP output. Most useful in combination with \fB-s\fP.
You can specify this option 2 times (-x -x or -xx) to get a bit more
debugging output.

.IP \-y
Write details about every authentication request in the
\fIradius.log\fP file. If the password was incorrect, the password
is logged too.

.IP \-z
If the \fB-y\fP option is on, log the password in the \fIradius.log\fP
file \fBeven\fP for successful logins. \fIThis is very insecure!\fP.

.IP \-Z
Never log any password in the \fIradius.log\fP file, correct or incorrect.

.SH CONFIGURATION
\fBRadiusd\fP uses 6 configuration files. Each file has it's own manpage
describing the format of the file. These files are:
.IP dictionary
This file is usually static. It defines all the possible RADIUS attributes
used in the other configuration files. You don't have to modify it.
.IP clients
Contains the IP address and a secret key for every client that wants
to connect to the server.
.IP naslist
Contains an entry for every NAS (Network Access Server) in the network. This
is not the same as a client, especially if you have \fBradius\fP proxy server
in your network. In that case, the proxy server is the client and it sends
requests for different NASes.
.IP
It also contains a abbreviated name for each
terminal server, used to create the directory name where the \fBdetail\fP
file is written, and used for the \fB/var/log/radwtmp\fP file. Finally
it also defines what type of NAS (Cisco, Livingston, Portslave) the NAS is.
.IP hints
Defines certain hints to the radius server based on the users's loginname
or other attributes sent by the access server. It also provides for
mapping user names (such as Pusername -> username). This provides the
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
the Livingston way of doing things is also supported, and you can even use
both at the same time (within certain limits).
.IP huntgroups
Defines the huntgroups that you have, and makes it possible to restrict
access to certain huntgroups to certain (groups of) users.
.IP users
Here the users are defined. On a typical setup, this file mainly contains
DEFAULT entries to process the different types of logins, based on hints
from the hints file. Authentication is then based on the contents of
the UNIX \fI/etc/passwd\fP file. However it is also possible to define all
users, and their passwords, in this file.
.SH SEE ALSO
builddbm(8rad), users(5rad), huntgroups(5rad), hints(5rad),
clients(5rad), dictionary(5rad).
.SH AUTHOR
Miquel van Smoorenburg, miquels@cistron.nl.