radiusd man page on BSDi


RADIUSD(8)					       RADIUSD(8)

NAME
       radiusd - Remote Authentication Dial In User Service daemon

SYNOPSIS
       radiusd [ -ddatabase_directory ] [ -aaccounting_directory ]
            [ -ccurrent_working_directory ] [ -C ] [ -P ]
            [ -pradius_port ] [ -qaccounting_port ] [ -ffsm_file ]
            [ -ppradius_relay_port ] [ -qqaccounting_relay_port ]
            [ -g 'syslog' | 'logfile' | 'stderr' ] [ -llogformat ]
            [ -ttimeout ] [ -s ] [ -x ] [ -v ] [ -z ] [ -h ] [ -u ]

DESCRIPTION
       The radiusd server handles Access-Requests for user
       authentication from RADIUS clients.  These clients may be
       terminal servers, for example, a Network Access Server
       (NAS), or other RADIUS servers.  Authentication requests
       come to radiusd in the form of UDP packets conforming to
       the RADIUS protocol.

       The radiusd server collects authentication requests and
       processes them depending on their type (see the
       dictionary(5) man page).  If so requested, radiusd may
       authenticate a user by calling upon other RADIUS servers,
       various authentication services, such as Kerberos, and
       operating system services, such as the UNIX system
       subroutines which access the /etc/passwd file.

       Once a request is received, radiusd validates the sending
       client and then consults a local database of users (see
       the users(5) man page) to find a user name matching the
       request.  The user entry contains a list of requirements
       which must be met to allow the user to be authenticated.
       This list normally includes verification of the password,
       but it may not, and it may also specify other
       requirements.  If any condition is not met, radiusd sends
       an Access-Reject response.  If all the conditions are met,
       a list of configuration values (reply items) is placed
       into an Access-Accept response.  Such values as the type
       of service allowed and other values necessary to deliver
       that service are typically included.

       The authfile, clients, dictionary and, optionally, the
       users files (plus optional, prefixed authfile and users
       files) are read into memory resident tables.  As a purely
       unrelated informational side note, the current version of
       the Merit AAA server stores IP addresses internally in
       host byte order (as opposed to network byte order).  A
       version of the Merit AAA server may be built that uses
       dbm(3) to refer to the users file (see builddbm(8) for
       more information).  Sending radiusd a HUP signal refreshes
       these internal tables.  Sending radiusd an INT signal
       initializes only the AATV modules.  Sending radiusd a USR1
       signal turns on debugging much as the -x option does,
       except repeated use of the USR1 signal continues to
       increase the debugging level (see below for more about
       the -x flag).  Sending radiusd a USR2 signal turns off
       debugging altogether.  Sending radiusd a TERM signal
       provides an orderly way of shutting down the Merit AAA
       server.

       Installing the Merit AAA server involves adding the
       following lines to the /etc/services file:

	      #	 RADIUS protocol
	      radius	      1645/udp
	      radacct	      1646/udp

       Since the Merit AAA server exits after a configurable
       number of minutes (currently fifteen minutes) of
       inactivity, you may want to have the Merit AAA server run
       automatically when requests arrive.  It is possible to
       override this default behaviour by supplying the -t0
       option on the Merit AAA server's command line.  So, for
       example, you may want to install the following line in
       your /etc/inetd.conf file:

	radius dgram udp wait root /usr/private/etc/radiusd radiusd

       Note that the Merit AAA server need not run as root (UID
       0), although it normally is run that way.  It may be safer
       to pick a less powerful user, say radius, which has no
       password and is used only for administrative purposes,
       unless the server needs superuser privilege to access some
       shadow password file.  Also, do not forget to send a HUP
       signal to your running inetd process to force it to
       re-read its own database file, /etc/inetd.conf, into
       memory.
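
       The inetd setup described above can be checked mechanically.
       The script below is an added example, not part of this man
       page or the Merit distribution: it flags a radius entry that
       runs as root or passes -x (see the -x option below) and
       reports missing /etc/services entries.  The function names
       and sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Merit distribution); sample entries are constructed.

# audit_inetd: read inetd.conf on stdin and report on the "radius" entry.
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 7 || $1 != "radius" { next }
        {
            seen = 1
            # Fields: service socktype proto wait user program argv0 [args...]
            split($5, u, /[.:]/)            # tolerate user.group or user:group
            if (u[1] == "root") {
                print "WARN: radiusd runs as root; use a dedicated user unless shadow access is needed"
                n++
            }
            for (i = 8; i <= NF; i++)
                if ($i ~ /^-x/) {
                    print "WARN: -x given under inetd; it turns off daemon behaviour"
                    n++
                    break
                }
        }
        END {
            if (!seen) print "INFO: no radius entry found"
            else if (!n) print "OK: radius entry follows the man page guidance"
        }'
}

# audit_services: read /etc/services on stdin and check both UDP entries.
audit_services() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "radius"  && $2 == "1645/udp" { auth = 1 }
        $1 == "radacct" && $2 == "1646/udp" { acct = 1 }
        END {
            if (!auth) print "WARN: missing radius 1645/udp"
            if (!acct) print "WARN: missing radacct 1646/udp"
            if (auth && acct) print "OK: both RADIUS service entries present"
        }'
}

# Constructed sample inputs.
sample_weak()     { echo 'radius dgram udp wait root /usr/private/etc/radiusd radiusd -x'; }
sample_hardened() { echo 'radius dgram udp wait radius /usr/private/etc/radiusd radiusd'; }
sample_services() { printf '%s\n' '# RADIUS protocol' 'radius 1645/udp'; }  # radacct omitted

echo '== weak ==';     sample_weak     | audit_inetd
echo '== hardened =='; sample_hardened | audit_inetd
echo '== services =='; sample_services | audit_services
```

       On a live host, feed the real files to the functions, for
       example: audit_inetd < /etc/inetd.conf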

OPTIONS
       -d database_directory
	      allows  the  user	 to override the default database
	      and configuration file directory by  specifying  an
	      alternate	 directory  name containing the Merit AAA
	      server authfile,	clients,  dictionary,  radius.fsm
	      and   users  configuration  files	 instead  of  the
	      default /usr/private/etc/raddb directory.	 See  the
	      authfile(5),	 clients(5),	   dictionary(5),
	      radius.fsm(5)  and  users(5)  man	 pages	for  more
	      information.

       -a accounting_directory
              allows the user to override the default accounting
              directory by specifying an alternate directory name
              to contain the standard RADIUS accounting detail
              files instead of the default
              /usr/private/etc/radacct directory.

       -c current_working_directory
              allows the user to override the default current
              working directory by specifying an alternate
              directory name instead of the default
              /usr/private/etc/raddb directory.  This option only
              affects file system operation for files specified
              with relative file names (no leading slash ("/")
              character).

       -C     enables  the  Merit  AAA server to do token caching
	      [Ascend].

       -P     enables the Merit	 AAA  server  to  honor	 password
	      changing requests [Ascend].

       -p port
              allows the user to specify an alternate
              authentication port number instead of the default
              port 1645.

       -q acct_port
	      allows  the user to specify an alternate accounting
	      port number instead of the default port 1646.

       -f fsm_file
	      allows the user to specify an alternate  FSM  table
	      file instead of the default radius.fsm file.

       -l logformat
	      specifies	 the  optional strftime(3) format for the
	      Merit AAA server logfile.

       -pp port
              allows the user to specify an alternate
              authentication relay port number instead of the
              default port 1645.

       -qq acct_port
	      allows the user to specify an alternate  accounting
	      relay port number instead of the default port 1646.

       -g 'syslog' | 'logfile' | 'stderr'
              allows the user to specify whether to use syslog(3)
              style, logfile style or stderr logging for warning,
              error and informational messages.  It is possible
              to specify arbitrarily complex logfile file names
              using the -l option.  The strftime(3) format string
              may be used to provide logfile renaming and
              optional compression on a yearly, monthly, weekly,
              daily, hourly or by the minute(!) basis.  See the
              RADIUS_COMPRESS and RAD_LOG_DEFAULT_FILENAME macros
              in the radius.h include file.

       -t timeout
              allows the user to specify a timeout value for the
              select(2) system call which is different from the
              default timeout value of fifteen minutes.  If the
              -t option is given with a value of zero (-t0), then
              the server is essentially put into a blocking mode,
              that is, it will never time out and terminate, but
              will wait (at the select(2) call) forever.

       -s     places the Merit AAA server into the single process
	      (non-spawning) mode.

       -x     allows the user to turn on debugging output:

		   -x	     minimal debugging output, send/receive a/v pairs, etc.

		   -x -x	  above + FSM high level output + some function tracing.

		   -x -x -x	  above + remaining function tracing.

		   -x -x -x -x	  above + FSM low level output + low level config files.

       Debugging output is directed  to	 the  radius.debug  file.
       Since the -x option turns off some of the daemon behaviour
       of the server (such as disconnecting from the  controlling
       terminal,  etc.)	 it is not a good idea to try running the
       server from (x)inetd(8) while specifying one  or	 more  -x
       options.

       -v     causes  the  Merit  AAA server to place its version
	      information onto stdout.

       -z     causes the Merit AAA server logfile and debug file
              to be emptied, but only if the debugging option -x
              is enabled.  This option has no effect on the
              logfile if the -g option specifies syslog(3) style
              logging.

       -h     causes the Merit AAA server to place a usage (help)
	      message onto stdout.

       -u     tells the server NOT to read the users file into the
              internal data structures.  This option is typically
              used when the Merit AAA server has been built to
              use the dbm(3) support library.

EXIT STATUS
       255 (-1)   dict_init
       254 (-2)   config_init
       253 (-3)   init_fsm
       252 (-4)   config_files
       251 (-5)   disconnect
       250 (-6)   open PID file
       249 (-7)   SIG_FATAL
       248 (-8)   usage
       247 (-9)   user_update
       246 (-10)  version
       245 (-11)  setupsock (can't bind, is the Merit AAA server already running?)
       244 (-12)  init_id_to_key
       243 (-13)  list_copy
       242 (-14)  find_state
       241 (-15)  chdir
       240 (-16)  hostname
       239 (-17)  SC_OPEN_MAX error
       238 (-18)  exit on SIGQUIT

       Also, look in the logfile, or syslog(3) entries, depending
       upon configuration, for information about error
       termination conditions.

FILES
       /usr/private/etc/raddb/*
			   directory containing Merit AAA  server
			   configuration and database files.
       /etc/passwd	   contains   user   passwords	for  UNIX
			   users.
       /etc/(x)inetd.conf  holds  configuration	 information  for
			   (x)inetd(3).
       /etc/services	   contains lists of TCP/UDP services and
			   their port numbers.
       /etc/shells	   used to check the user's  shell  entry
			   in /etc/passwd.
       users.dir	   directory  file  for dbm(3) support of
			   the users file.
       users.pag	   data file for dbm(3)	 support  of  the
			   users file.

SEE ALSO
       select(2),   dbm(3),  signal(3),	 strftime(3),  syslog(3),
       authfile(5),    clients(5),    dictionary(5),	users(5),
       (x)inetd.conf(5),  services(5),	builddbm(8), radcheck(8),
       radpwtst(8), (x)inetd(8)

			 21 February 1997			5
