radiusd ‐ Authentication and accounting server

radiusd [‐A] [‐a acct_dir] [‐b] [‐d config_dir] [‐f] [‐l
log_dir] [‐mb] [‐mc] [‐mt] [‐n] [‐p port] [‐Ssv] [‐x
debug_level] [‐yz]

radiusd is the server implementing RADIUS protocol.

     RADIUS is a protocol spoken between the network access
server (NAS) and the authentication server. The network
access server is typically a device accepting connections
from several modem lines and the authentication server is
the server which decides whether some user has the right to
log in or he has not. This is called authentication.

     Also, when the user logs in or out, the NAS sends login
and logout packets. These packets are received by the radius
server and recorded appropriately. This is called

     Upon startup, radius server listens the following two
ports: authentication (default 1645), accounting (1646).
When configured with ‐‐enable‐snmp option, radiusd also
starts listening on the specified SNMP port.

     Upon receiving a packet from any of the above ports,
the server performs the following:

1. checks the authenticity of the request
     Depending on the type of the request this check is
     based on the source IP address.

2. looks up the request queue for duplicates
     If a request is found in the queue, it gets dropped and
     the appropriate diagnostics is output to the Warning

3. registers request in the queue
     This is needed to prevent any eventual duplicates of
     this packet from being processed.

4. processes and answers the request
     A child process may be forked during this stage to
     handle the request.

‐A, ‐‐log‐auth‐detail
     Write a file named detail.auth in the same directory as
     detail file. This file contains all the Attribute‐Value
     pairs for each authentication packet. Normally this
     should be used for debugging purposes.


     Configuration file equivalent: detail yes in auth

‐a, ‐‐acct‐directory PATH
     Specify alternate directory for accounting. Usually
     this defaults to /var/log/radacct.

     Configuration file equivalent: acct‐dir PATH in option

‐b, ‐‐dbm
     If the radiusd server was configured with ‐‐enable‐dbm
     option, this flag instructs it to use the DBM version
     of the users database (/usr/local/etc/raddb/users.db or
     /usr/local/etc/raddb/users.dir pair) instead of the
     plain text file (/usr/local/etc/raddb/users).

     Configuration file equivalent: usedbm yes.

‐d, ‐‐config‐directory, ‐‐directory PATH
     Specifies alternate name for the configuration
     directory. Radiusd looks there for its configuration
     files. It defaults to /usr/local/etc/raddb.

‐f, ‐‐foreground
     Instructs the server to not detach itself from the
     controlling terminal. This is used for debugging.

‐i, ‐‐ip‐address IP
     Specifies the IP address to listen on. If this option
     is not specified, the program will listen on all IP
     addresses, assigned to the machine it runs on.

     Configuration file equivalent: source‐ip IP in option

     Please note, that listen statement in raddb/config
     provides a better control over IP addresses to listen

‐L, ‐‐license
     Display GNU General Public License and exit.

‐l, ‐‐logging‐directory PATH
     Specifies alternate name for logging directory. Radiusd
     writes there its logfile(s). The default is /var/log.

     Configuration file equivalent: log‐dir PATH in option

‐m, ‐‐mode c
     Check mode. In this mode radiusd starts as usual,


     checks its configuration files and exits. All log
     channels are duplicated to stdout.

‐m, ‐‐mode b
     Build DBM users database out of plaintext file. If no
     argument is specified, the file
     /usr/local/etc/raddb/users is taken as input.
     Otherwise the argument specifies the filename to be
     used as input. This option takes effect only if the
     program was configured with ‐‐enable‐dbm option.

‐m, ‐‐mode t
     Start in test mode. In this mode radiusd starts
     interactive interpreter which allows to test various
     aspects of its configuration.

‐p, ‐‐port PORT
     Specifies alternate port for authentication requests.
     The port number for accounting requests is determined
     by adding 1 to this number. Port number should be
     specified in decimal. Defaults are 1645 and 1646.

‐S, ‐‐log‐stripped‐names
     Strip off the suffix and prefix from the username
     before writing it to the detail file.

     Configuration file equivalent: strip‐names yes in auth

‐s, ‐‐single‐process
     Tells the authentication server to operate in single
     process mode. When specified this flag, the
     authentications server will handle each request itself
     instead of forking child process to do that. This slows
     down the authentication processing to a crawl and
     should only be used for debugging purposes. The most
     convenient use is with the ‐f option.

‐v, ‐‐version
     When given this option radiusd prints on the standard
     output its version number, compilation flags and the
     file names it uses and exits with zero code.

‐x, ‐‐debug MOD‐LIST
     Sets the debug level. MOD‐LIST is a comma‐separated
     list of module‐level specifications. Each module‐level
     specification is either MOD‐NAME or MOD‐NAME=LEVEL,
     where MOD‐NAME is the name of the source module, LEVEL
     is the debugging level to be set for that module (0 <=
     LEVEL <= 100) If LEVEL is omitted, it defaults to 100.

     Configuration file equivalent: debug MOD‐LIST in
     logging block.


‐y, ‐‐log‐auth
     Write to the log file detailed information about each
     authentication request. The information is logged under
     auth loglevel.

     Configuration file equivalent: print‐auth yes in
     logging block.

‐z, ‐‐log‐auth‐pass
     Log the password along with the user name for each
     login. This is very insecure. This option is provided
     only for debugging purposes.

     Configuration file equivalent: print‐pass yes in
     logging block.

Radiusd uses rather complicated configuration file suite.
The files live in /usr/local/etc/raddb directory. The place
of their location can be overridden using ‐d option.

     The configuration files are:

     This file contains all the configurable parameters of
     the server itself: logging options, debug levels,
     notification and SNMP options, etc.

     The plaintext users database. Contains the per‐user
     authorization and accounting information.

     Or users.dir, users.pag pair. The DBM version of the
     users database. This is used when the server is
     compiled with ‐‐enable‐dbm option and either ‐b flag is
     specified in the command line, or usedbm yes option is
     used in config file.

     The list of users whose access is denied for some

     Defines the symbolic representation of the Radius
     attributes, attribute values, etc. Usually should not
     be modified.

     The list of network access servers that are allowed to
     use this Radius server. This file specifies for each
     NAS its long and short names, NAS type, and possibly
     its IP pool.


     The list of IP addresses and secret keys for each NAS
     that wants to communicate to the server.

     The radius server can alter its politics towards a user
     depending on its login name. It can, for example,
     supply a different kind of service, assign it the IP
     number, etc. This file specifies the rules to be
     applied to an incoming request depending on the
     username it contains.

     Defines the huntgroups. A huntgroup is a class of users
     that have some common attributes in the incoming
     packet, for example all users coming from a given NAS.

These are default values. They can be overridden either from
command line or from configuration file.

     Configuration files directory

     Default logfile.

     Accounting directory.

     /radius.pid Holds the PID number of the master Radius

The information in this manpage may be obsolete or
incomplete. Please refer to texinfo documentation for full
information about GNU Radius tools.

users(5rad), config(5rad), dictionary(5rad), naslist(5rad),
clients(5rad), hints(5rad), huntgroups(5rad),
builddbm(8rad), radlast(1rad), raduse(1rad), radwho(1rad),
radzap(8rad), radctl(8rad), radgrep(1rad), radping(8rad),
radtest(8rad), radsnmp(8rad)