RADIUSD(8)                      FreeRADIUS Daemon                     RADIUSD(8)

       radiusd - Authentication, Authorization and Accounting server

       radiusd [-C] [-d config_directory] [-D dictionary_directory] [-f] [-h]
       [-i ip-address] [-l log_file] [-m] [-n name] [-p port] [-P] [-s] [-t]
       [-v] [-x] [-X]

       FreeRADIUS is a high-performance and highly configurable RADIUS server.
       It supports many database back-ends such as flat-text files, SQL, LDAP,
       Perl, Python, etc.  It also supports many authentication protocols such
       as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS, PEAP,
       EAP-TTLS, EAP-SIM, etc.).

       It also has fullsupport for Cisco's VLAN Query Protocol (VMPS) and DHCP.

       Please read the DEBUGGING section below.  It contains instructions for
       quickly configuring the server for your local system.

       The following command-line options are accepted by the server:

       -C     Check the configuration and exit immediately.  If there is a
              problem reading the configuration, then the server will exit with
              a non-zero status code.  If the configuration appears to be
              acceptable, then the server will exit with a zero status code.

              Note that there are limitations to this check.  Due to the
              complexities involved in almost starting a RADIUS server, these
              checks are necessarily incomplete.  The server can return a zero
              status code when run with -C, but may still exit with an error
              when run normally.

              See the output of radiusd -XC for an informative list of which
              modules are checked for correct configuration, and which modules
              are skipped, and therefore not checked.

       -d config directory
              Defaults to /etc/raddb. Radiusd looks here for its configuration
              files such as the dictionary and the users files.

       -D dictionary directory
              Set main dictionary directory. Defaults to /usr/share/freeradius.

       -f     Do not fork, stay running as a foreground process.

       -h     Print usage help information.

       -i ip-address
              Defines which IP address that the server uses for sending and
              receiving packets.

              If this command-line option is given, then the "bind_address" and
              all "listen{}" entries in radiusd.conf are ignored.

              This option MUST be used in conjunction with "-p".

       -l log_file
              Defaults to ${logdir}/radius.log. Radiusd writes it's logging
              information to this file. If log_file is the string "stdout"
              logging will be written to stdout.

       -m     On SIGINT or SIGQUIT exit cleanly instead of immediately.  This is
              most useful for when running the server with "valgrind".

       -n name
              Read raddb/name.conf instead of raddb/radiusd.conf.

       -p port
              Defines which port is used for receiving authentication packets.
              Accounting packets are received on "port + 1".

              When this command-line option is given, all "listen" sections in
              radiusd.conf are ignored.

              This option MUST be used in conjunction with "-i".

       -P     Always write out PID, even with -f.

       -s     Run in "single server" mode.  The server normally runs with
              multiple threads and/or processes, which can lower its response
              time to requests.  Some systems have issues with threading,
              however, so running in "single server" mode may help to address
              those issues.  In single server mode, the server will also not
              "daemonize" (auto-background) itself.

       -t     Do not spawn threads.

       -v     Print server version information and exit.

       -X     Debugging mode.  Equivalent to "-sfxx -l stdout".  When trying to
              understand how the server works, ALWAYS run it with "radiusd -X".
              For production servers, use "raddebug"

       -x     Finer-grained debug mode. In this mode the server will print
              details of every request on it's stdout output. You can specify
              this option multiple times (-x -x or -xx) to get more detailed

       The default configuration is set to work in the widest possible
       circumstances.  It requires minimal changes for your system.

       However, your needs may be complex, and may require significant changes
       to the server configuration.  Making random changes is a guaranteed
       method of failure.  Instead, we STRONGLY RECOMMEND proceeding via the
       following steps:

       1) Always run the server in debugging mode ( radiusd -X ) after making a
       configuration change.  We cannot emphasize this enough.  If you are not
       running the server in debugging mode, you will not be able to see what is
       doing, and you will not be able to correct any problems.

       If you ask questions on the mailing list, the first response will be to
       tell you "run the server in debugging mode".  Please, follow these

       2) Change as little as possible in the default configuration files.  The
       server contains a decade of experience with protocols, databases, and
       different systems.  Its default configuration is designed to work almost
       everywhere, and to do almost everything you need.

       3) When you make a small change, testing it before changing anything
       else.  If the change works, save a copy of the configuration, and make
       another change.  If the change doesn't work, debug it, and try to
       understand why it doesn't work.

       If you begin by making large changes to the server configuration, it will
       never work, and you will never be able to debug the problem.

       4) If you need to add a connection to a database FOO (e.g. LDAP or SQL),

          a) Edit raddb/modules/foo
          This file contains the default configuration for the module.  It
          contains comments describing what can be configured, and what those
          configuration entries mean.
          b) Edit raddb/sites-available/default
          This file contains the default policy for the server.  e.g. "enable
          CHAP, MS-CHAP, and EAP authentication".  Look in this file for all
          references to your module "foo".  Read the comments, and remove the
          leading hash '#' from the lines referencing the module.  This enables
          the module.
          c) Edit raddb/sites-available/inner-tunnel
          This file contains the default policy for the "tunneled" portion of
          certain EAP methods.  Perform the same kind of edits as above, for the
          "default" file..  If you are not using EAP (802.1X), then this step
          can be skipped.
          d) Start the server in debugging mode ( radiusd -X ), and start

       5) Ask questions on the mailing list (freeradius-
       users@lists.freeradius.org).  When asking questions, include the output
       from debugging mode ( radiusd -X ).  This information will allow people
       to help you.  If you do not include it, the first response to your
       message will be "post the output of debug mode".

       Ask questions earlier, rather than later.  If you cannot solve a problem
       in a day, ask a question on the mailing list.  Most questions have been
       seen before, and can be answered quickly.

       RADIUS is a protocol spoken between an access server, typically a device
       connected to several modems or ISDN lines, and a radius server. When a
       user connects to the access server, (s)he is asked for a loginname and a
       password. This information is then sent to the radius server. The server
       replies with "access denied", or "access OK". In the latter case login
       information is sent along, such as the IP address in the case of a PPP

       The access server also sends login and logout records to the radius
       server so accounting can be done. These records are kept for each
       terminal server separately in a file called detail, and in the wtmp
       compatible logfile /var/log/radwtmp.

       Radiusd uses a number of configuration files. Each file has it's own
       manpage describing the format of the file. These files are:

              The main configuration file, which sets the administrator-
              controlled items.

              This file is usually static. It defines all the possible RADIUS
              attributes used in the other configuration files.  You don't have
              to modify it.  It includes other dictionary files in the same

       hints  Defines certain hints to the radius server based on the users's
              loginname or other attributes sent by the access server. It also
              provides for mapping user names (such as Pusername -> username).
              This provides the functionality that the Livingston 2.0 server has
              as "Prefix" and "Suffix" support in the users file, but is more
              general. Ofcourse the Livingston way of doing things is also
              supported, and you can even use both at the same time (within
              certain limits).

              Defines the huntgroups that you have, and makes it possible to
              restrict access to certain huntgroups to certain (groups of)

       users  Here the users are defined. On a typical setup, this file mainly
              contains DEFAULT entries to process the different types of logins,
              based on hints from the hints file. Authentication is then based
              on the contents of the UNIX /etc/passwd file. However it is also
              possible to define all users, and their passwords, in this file.

       radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5),

       The FreeRADIUS Server Project (http://www.freeradius.org)

                                   26 Apr 2012                        RADIUSD(8)