RADPWTST(8)
NAME
radpwtst - authenticates a user's password using a RADIUS server
SYNOPSIS
radpwtst [ -c code ] [ -d directory ] [ -f file ] [ -g group ]
[ -h ] [ -i client_IP_address ] [ -l async_port ] [ -n ]
[ -p UDP_port ] [ -r retries ] [ -s servername ]
[ -t timeout ] [ -u type ] [ -v[ 1 | 2 ] ]
[ -w password ] [ -x ] [ -:<attribute>=<value> ]
userid [ @realm ]
DESCRIPTION
Radpwtst authenticates a user using a RADIUS server. The
userid is required on the command line. Radpwtst prompts
for the password matching this userid and forwards the
userid/password tuple to a RADIUS server. When the
optional @realm is present, it indicates the user belongs
in some authentication realm. These realms are usually
listed in the first column of the RADIUS server's authfile
which is assumed (by default) to be located in either the
../raddb or the /usr/private/etc/raddb directories. See
authfile(5) for more information. When the optional
@realm is omitted, the userid is sought only in the users
file. An exact match is required; if that fails, the
DEFAULT entry determines how this user is authenticated.
See users(5) for more information.
If authentication succeeds, radpwtst displays
"authentication OK" on standard output. Otherwise, radpwtst
displays:
"userid" authentication failed.
OPTIONS
-c code
allows the user to specify several RADIUS packet
type codes from the following list: 1 (for
Access-Request), 4 (for Accounting-Request), 7 (for
Password-Request) and 12 (for Status-Server).
-d directory
allows the user to specify an alternate directory
name containing the RADIUS authfile, clients and
users files instead of the default ../raddb and
/usr/private/etc/raddb directories. If no -d
directory argument is given, RADIUS will look first
for a directory ../raddb and, if none is found, use
/usr/private/etc/raddb. An error will be displayed
on stdout if neither directory can be used to
locate the various RADIUS configuration files.
Care should be taken to ensure the contents of
these configuration files match those of the RADIUS
18 November 1996 1
server if the server is running on a different
machine than the one where radpwtst is being run.
-f file
allows the user to specify a "prefix" for a file in
the users file format (see the users(5) man page).
The name of this users file is assumed to be
<file>.users and found in the RADIUS configuration
file directory. This file contains arbitrary
check-items and reply-items (see users(5) for more
information) grouped into pseudo-users having names
which may be specified by the following -g option.
If no -g option is given, the DEFAULT entry (if one
is present) will be used. In this way, arbitrary
attribute-value pairs may be communicated to remote
RADIUS servers.
-g group
allows the user to specify an arbitrary "pseudo-user"
named group in the file specified by the
above -f option. This file contains arbitrary
check-items and reply-items (see users(5) for more
information) grouped by these pseudo-user names.
If no -g option is given, the DEFAULT entry (if one
is present) will be used. In this way, arbitrary
attribute-value pairs may be communicated to remote
RADIUS servers.
-h causes a usage (help) message to be placed onto
stdout.
-i client_IP_address
allows the user to specify a different client IP
address instead of using the default, the IP
address of the originating machine.
-l async_port
allows the user to specify an alternate async port
number instead of the default async port 1.
-n allows the user to force the Authentication-Only
value to be used in the attribute-value pair
Service-Type.
-p UDP_port
allows the user to specify an alternate UDP port
number instead of the default UDP port number 1645.
-r retries
allows the user to specify a maximum number of
retries instead of the default ten.
-s servername
allows the user to specify an alternate server
instead of the default homeless.merit.edu.
-t timeout
allows the user to specify an alternate timeout
value (in seconds) instead of the default three.
-u type
allows the user to specify one of several
Service-Type values instead of the default auth value.
Note that the default auth value will fail if no
password (or an empty password) is included in the
Access-Request (default or -c1) produced by radpwtst.
This is because the RADIUS server requires
a valid (non-empty) password be provided in
Access-Request packets where the Service-Type is
Authenticate-Only. Valid types are: admin, auth, dumb,
exec, kchap, outbound, ppp, slip, dbadmin, dbdumb,
dbppp and dbslip, where db stands for "dial back" in
the last four types.
-v prints the version of RADIUS used to build the
program. If the option is given as -v1 or -v2 the
program will build the request according to the
RADIUS protocol version one or two, respectively.
-w password
allows the user to provide a password on the
command line and not be prompted for one.
-x allows the user to turn on debugging output.
-:<attribute>=<value>
the text that follows the colon (":") character is
taken to specify the value of any attribute in the
dictionary. The syntax is identical to the
reply-items described in users(5).
EXIT STATUS
Normal successful completion returns zero to the system.
If the response from the RADIUS server had errors,
radpwtst returns -2. Local errors return -1, and timeout
errors return 1 as status.
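How these values look to a calling shell, as an added example that is not part of the original manual page or the radpwtst distribution: an exit status is truncated to 8 bits, so the documented -2 and -1 arrive in $? as 254 and 255. The function names and the RADPWTST override variable are assumptions made for the example; radius.example.net and alice are placeholders.

```shell
#!/bin/sh
# Added example, not part of the radpwtst distribution.
# RADPWTST is an assumed override hook so a stub can stand in for the real binary.
RADPWTST=${RADPWTST:-radpwtst}

# Map the status seen in $? to a result word. The kernel keeps only the low
# 8 bits of an exit value, so the documented -2 and -1 arrive as 254 and 255.
radpwtst_result() {
    case "$1" in
        0)       echo "ok" ;;
        1)       echo "timeout" ;;
        254)     echo "server-response-error" ;;  # documented as -2
        255)     echo "local-error" ;;            # documented as -1
        126|127) echo "not-runnable" ;;           # shell could not start the program
        *)       echo "unknown" ;;
    esac
}

# radius_probe SERVER USERID [TIMEOUT] [RETRIES]
# Runs one test authentication. radpwtst prompts for the password itself, so
# the secret never appears in the argument list (as it would with -w).
# Prints one result word on stdout and returns 0 only for "ok".
radius_probe() {
    rp_server=$1
    rp_user=$2
    rp_timeout=${3:-3}     # man page default: three seconds
    rp_retries=${4:-10}    # man page default: ten retries
    rp_status=0
    # Send the tool's own messages to stderr so stdout carries only the result word.
    "$RADPWTST" -s "$rp_server" -t "$rp_timeout" -r "$rp_retries" "$rp_user" >&2 \
        || rp_status=$?
    rp_result=$(radpwtst_result "$rp_status")
    echo "$rp_result"
    [ "$rp_result" = "ok" ]
}

# Usage (radius.example.net and alice are placeholders):
#   radius_probe radius.example.net alice 3 2 || echo "RADIUS check failed" >&2
```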
FILES
../raddb the directory containing the RADIUS
configuration and database files.
/usr/private/etc/raddb
an alternate directory containing the
same files.
SEE ALSO
radcheck(8), radiusd(8), authfile(5), clients(5),
dictionary(5), users(5)