RADIUSD(8) | FreeRADIUS Daemon | RADIUSD(8) |
radiusd - Authentication, Authorization and Accounting server
radiusd [-C] [-d config_directory] [-D dictionary_directory] [-f] [-h] [-i ip-address] [-l log_file] [-m] [-n name] [-p port] [-P] [-s] [-t] [-v] [-x] [-X]
FreeRADIUS is a high-performance and highly configurable RADIUS server. It supports many database back-ends such as flat-text files, SQL, LDAP, Perl, Python, etc. It also supports many authentication protocols such as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM, etc.).
It also has full support for Cisco's VLAN Query Protocol (VMPS) and DHCP.
Please read the DEBUGGING section below. It contains instructions for quickly configuring the server for your local system.
The following command-line options are accepted by the server:
Note that there are limitations to this check. Due to the complexities involved in almost starting a RADIUS server, these checks are necessarily incomplete. The server can return a zero status code when run with -C, but may still exit with an error when run normally.
See the output of radiusd -XC for an informative list of which modules are checked for correct configuration, and which modules are skipped, and therefore not checked.
If this command-line option is given, then the "bind_address" and all "listen{}" entries in radiusd.conf are ignored.
This option MUST be used in conjunction with "-p".
When this command-line option is given, all "listen" sections in radiusd.conf are ignored.
This option MUST be used in conjunction with "-i".
The default configuration is set to work in the widest possible circumstances. It requires minimal changes for your system.
However, your needs may be complex, and may require significant changes to the server configuration. Making random changes is a guaranteed method of failure. Instead, we STRONGLY RECOMMEND proceeding via the following steps:
1) Always run the server in debugging mode ( radiusd -X ) after making a configuration change. We cannot emphasize this enough. If you are not running the server in debugging mode, you will not be able to see what is doing, and you will not be able to correct any problems.
If you ask questions on the mailing list, the first response will be to tell you "run the server in debugging mode". Please, follow these instructions.
2) Change as little as possible in the default configuration files. The server contains a decade of experience with protocols, databases, and different systems. Its default configuration is designed to work almost everywhere, and to do almost everything you need.
3) When you make a small change, testing it before changing anything else. If the change works, save a copy of the configuration, and make another change. If the change doesn't work, debug it, and try to understand why it doesn't work.
If you begin by making large changes to the server configuration, it will never work, and you will never be able to debug the problem.
4) If you need to add a connection to a database FOO (e.g. LDAP or SQL), then:
a) Edit freeradius/modules/foo
This file contains the default configuration for the module. It contains
comments describing what can be configured, and what those configuration
entries mean.
b) Edit freeradius/sites-available/default
This file contains the default policy for the server. e.g. "enable CHAP,
MS-CHAP, and EAP authentication". Look in this file for all references
to your module "foo". Read the comments, and remove the leading
hash '#' from the lines referencing the module. This enables the module.
c) Edit freeradius/sites-available/inner-tunnel
This file contains the default policy for the "tunneled" portion of
certain EAP methods. Perform the same kind of edits as above, for the
"default" file.. If you are not using EAP (802.1X), then this step
can be skipped.
d) Start the server in debugging mode ( radiusd -X ), and start
testing.
5) Ask questions on the mailing list (freeradius-users@lists.freeradius.org). When asking questions, include the output from debugging mode ( radiusd -X ). This information will allow people to help you. If you do not include it, the first response to your message will be "post the output of debug mode".
Ask questions earlier, rather than later. If you cannot solve a problem in a day, ask a question on the mailing list. Most questions have been seen before, and can be answered quickly.
RADIUS is a protocol spoken between an access server, typically a device connected to several modems or ISDN lines, and a radius server. When a user connects to the access server, (s)he is asked for a loginname and a password. This information is then sent to the radius server. The server replies with "access denied", or "access OK". In the latter case login information is sent along, such as the IP address in the case of a PPP connection.
The access server also sends login and logout records to the radius server so accounting can be done. These records are kept for each terminal server separately in a file called detail, and in the wtmp compatible logfile /var/log/radwtmp.
Radiusd uses a number of configuration files. Each file has it's own manpage describing the format of the file. These files are:
radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5), raddebug(8)
The FreeRADIUS Server Project (http://www.freeradius.org)
26 Apr 2012 |