RADIUSD(8)

NAME
       radiusd - Remote Authentication Dial In User Service daemon

SYNOPSIS
       radiusd [ -d database_directory ] [ -a accounting_directory ]
               [ -c current_working_directory ] [ -C ] [ -P ]
               [ -p radius_port ] [ -q accounting_port ] [ -f fsm_file ]
               [ -pp radius_relay_port ] [ -qq accounting_relay_port ]
               [ -g 'syslog' | 'logfile' | 'stderr' ] [ -l logformat ]
               [ -t timeout ] [ -s ] [ -x ] [ -v ] [ -z ] [ -h ] [ -u ]

DESCRIPTION
       The radiusd server handles Access-Requests for user authentication
       from RADIUS clients. These clients may be terminal servers, for
       example a Network Access Server (NAS), or other RADIUS servers.
       Authentication requests come to radiusd in the form of UDP packets
       conforming to the RADIUS protocol.

       The radiusd server collects authentication requests and processes
       them depending on their type (see the dictionary(5) man page). If so
       requested, radiusd may authenticate a user by calling upon other
       RADIUS servers, various authentication services such as Kerberos,
       and operating system services such as the UNIX system subroutines
       which access the /etc/passwd file.

       Once a request is received, radiusd validates the sending client and
       then consults a local database of users (see the users(5) man page)
       to find a user name matching the request. The user entry contains a
       list of requirements which must be met to allow the user to be
       authenticated. This list normally includes verification of the
       password, but it may not, and it may also specify other requirements.
       If any condition is not met, radiusd sends an Access-Reject response.
       If all the conditions are met, a list of configuration values (reply
       items) is placed into an Access-Accept response. Values such as the
       type of service allowed, and other values necessary to deliver that
       service, are typically included.
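       The request-handling flow just described, as an added Python sketch
       that is not part of the Merit AAA server or of this manual page: it
       parses an Access-Request datagram in the RFC 2865 wire format, drops
       datagrams from clients absent from a constructed clients table keyed
       by source IP address, recovers the hidden User-Password with that
       client's shared secret, compares it against a constructed users table,
       and signs the Access-Accept or Access-Reject with the Response
       Authenticator. The shared secret, addresses, user entry and the
       Framed-User reply item are constructed sample values, and the flat
       dictionaries stand in for the clients(5) and users(5) files.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6         # RFC 2865 attribute types
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, request authenticator

def parse_packet(data):
    """Split a datagram into (code, id, authenticator, [(type, value), ...]); runts and bad lengths raise."""
    code, ident, length, authenticator = HEADER.unpack_from(data.ljust(HEADER.size, b"\0"))
    if length < HEADER.size or length > len(data):
        raise ValueError("Length field inconsistent with datagram size")
    attrs, pos = [], HEADER.size
    while pos < length:  # octets beyond Length are padding and are ignored
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, authenticator, attrs

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def xor_password(secret, request_auth, data, decrypt):
    """User-Password hiding: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16].ljust(16, b"\0")
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev, out = (block if decrypt else res), out + res
    return out.rstrip(b"\0") if decrypt else out

def handle_request(datagram, src_ip, clients, users):
    """Validate the client, look up the user, check the password and return the signed reply."""
    secret = clients.get(src_ip)  # constructed table: source IP -> shared secret
    if secret is None:
        return None  # unknown client: silently discarded before anything is parsed
    code, ident, req_auth, attrs = parse_packet(datagram)
    if code != ACCESS_REQUEST:
        return None
    fields = dict(attrs)
    name = fields.get(USER_NAME, b"").decode("utf-8", "replace")
    password = xor_password(secret, req_auth, fields.get(USER_PASSWORD, b""), decrypt=True)
    accept = name in users and hmac.compare_digest(password, users[name])
    reply_attrs = [(SERVICE_TYPE, struct.pack("!I", 2))] if accept else []  # reply item: Framed-User
    pkt = build_packet(ACCESS_ACCEPT if accept else ACCESS_REJECT, ident, req_auth, reply_attrs)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]
```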

       The authfile, clients, dictionary and, optionally, the users files
       (plus optional, prefixed authfile and users files) are read into
       memory resident tables. As a purely unrelated informational side
       note, the current version of the Merit AAA server stores IP addresses
       internally in host byte order (as opposed to network byte order). A
       version of the Merit AAA server may be built that uses dbm(3) to refer
       to the users file (see builddbm(8) for more information). Sending
       radiusd a HUP signal refreshes these internal tables. Sending radiusd
       an INT signal initializes only the AATV modules. Sending radiusd a
       USR1 signal turns on debugging much as the -x option does, except
       that repeated use of the USR1 signal continues to increase the
       debugging level (see below for more about the -x flag). Sending
       radiusd a USR2 signal turns off debugging altogether. Sending radiusd
       a TERM signal provides an orderly way of shutting down the Merit AAA
       server.

       Installing the Merit AAA server involves adding the following lines
       to the /etc/services file:

              # RADIUS protocol
              radius     1645/udp
              radacct    1646/udp

       Since the Merit AAA server exits after a configurable number of
       minutes (currently fifteen minutes) of inactivity, you may want to
       have the Merit AAA server run automatically when requests arrive. It
       is possible to override this default behaviour by supplying the -t0
       option on the Merit AAA server's command line. So, for example, you
       may want to install the following line in your /etc/inetd.conf file:

              radius dgram udp wait root /usr/private/etc/radiusd radiusd

       Note that the Merit AAA server need not run as root (UID 0), although
       it normally is run that way. It may be safer to pick a less powerful
       user, say radius, which has no password and is used only for
       administrative purposes, unless the server needs superuser privilege
       to access some shadow password file. Also, do not forget to send a
       HUP signal to your running inetd process to force it to re-read its
       own database file, /etc/inetd.conf, into memory.

OPTIONS
       -d database_directory
              allows the user to override the default database and
              configuration file directory by specifying an alternate
              directory name containing the Merit AAA server authfile,
              clients, dictionary, radius.fsm and users configuration files
              instead of the default /usr/private/etc/raddb directory. See
              the authfile(5), clients(5), dictionary(5), radius.fsm(5) and
              users(5) man pages for more information.

       -a accounting_directory
              allows the user to override the default accounting directory
              by specifying an alternate directory name to contain the
              standard RADIUS accounting detail files instead of the default
              /usr/private/etc/radacct directory.

       -c current_working_directory
              allows the user to override the default current working
              directory by specifying an alternate directory name instead of
              the default /usr/private/etc/raddb directory. This option only
              affects file system operation for files specified with
              relative file names (no leading slash ("/") character).

       -C     enables the Merit AAA server to do token caching [Ascend].

       -P     enables the Merit AAA server to honor password changing
              requests [Ascend].

       -p port
              allows the user to specify an alternate authentication port
              number instead of the default port 1645.

       -q acct_port
              allows the user to specify an alternate accounting port number
              instead of the default port 1646.

       -f fsm_file
              allows the user to specify an alternate FSM table file instead
              of the default radius.fsm file.

       -l logformat
              specifies the optional strftime(3) format for the Merit AAA
              server logfile.

       -pp port
              allows the user to specify an alternate authentication relay
              port number instead of the default port 1645.

       -qq acct_port
              allows the user to specify an alternate accounting relay port
              number instead of the default port 1646.

       -g 'syslog' | 'logfile' | 'stderr'
              allows the user to specify whether to use syslog(3) style,
              logfile style or stderr logging for warning, error and
              informational messages. It is possible to specify arbitrarily
              complex logfile file names using the -l option. The
              strftime(3) format string may be used to provide logfile
              renaming and optional compression on a yearly, monthly,
              weekly, daily, hourly or by-the-minute(!) basis. See the
              RADIUS_COMPRESS and RAD_LOG_DEFAULT_FILENAME macros in the
              radius.h include file.

       -t timeout
              allows the user to specify a timeout value for the select(2)
              system call which is different from the default timeout value
              of fifteen minutes. If the -t option is given with a value of
              zero (-t0) then the server is essentially put into a blocking
              mode, that is, it will never time out and terminate, but will
              wait (at the select(2) call) forever.

       -s     places the Merit AAA server into the single process
              (non-spawning) mode.

       -x     allows the user to turn on debugging output:

              -x              minimal debugging output, send/receive a/v
                              pairs, etc.
              -x -x           above + FSM high level output + some function
                              tracing.
              -x -x -x        above + remaining function tracing.
              -x -x -x -x     above + FSM low level output + low level
                              config files.

              Debugging output is directed to the radius.debug file. Since
              the -x option turns off some of the daemon behaviour of the
              server (such as disconnecting from the controlling terminal,
              etc.) it is not a good idea to try running the server from
              (x)inetd(8) while specifying one or more -x options.

       -v     causes the Merit AAA server to place its version information
              onto stdout.

       -z     causes the Merit AAA server logfile and debug file to be
              emptied, but only if the debugging option -x is enabled. This
              option has no effect on the logfile if the -g option specifies
              syslog(3) style logging.

       -h     causes the Merit AAA server to place a usage (help) message
              onto stdout.

       -u     specifies to NOT read the users file into the internal data
              structures. This option is typically used when the Merit AAA
              server has been built to use the dbm(3) support library.

EXIT STATUS
       255 (-1)   dict_init
       254 (-2)   config_init
       253 (-3)   init_fsm
       252 (-4)   config_files
       251 (-5)   disconnect
       250 (-6)   open PID file
       249 (-7)   SIG_FATAL
       248 (-8)   usage
       247 (-9)   user_update
       246 (-10)  version
       245 (-11)  setupsock (can't bind, is the Merit AAA server already
                  running?)
       244 (-12)  init_id_to_key
       243 (-13)  list_copy
       242 (-14)  find_state
       241 (-15)  chdir
       240 (-16)  hostname
       239 (-17)  SC_OPEN_MAX error
       238 (-18)  exit on SIGQUIT

       Also, look in the logfile, or syslog(3) entries, depending upon
       configuration, for information about error termination conditions.

FILES
       /usr/private/etc/raddb/*
                           directory containing Merit AAA server
                           configuration and database files.
       /etc/passwd         contains user passwords for UNIX users.
       /etc/(x)inetd.conf  holds configuration information for (x)inetd(3).
       /etc/services       contains lists of TCP/UDP services and their port
                           numbers.
       /etc/shells         used to check the user's shell entry in
                           /etc/passwd.
       users.dir           directory file for dbm(3) support of the users
                           file.
       users.pag           data file for dbm(3) support of the users file.

SEE ALSO
       select(2), dbm(3), signal(3), strftime(3), syslog(3), authfile(5),
       clients(5), dictionary(5), users(5), (x)inetd.conf(5), services(5),
       builddbm(8), radcheck(8), radpwtst(8), (x)inetd(8)

                              21 February 1997