Write a file auth_detail in addition to the standard detail file
in the same directory. This file will contain all the authentication-request
records. This can be useful for debugging, but not for normal operation.
Takes the same syntax as the -F option. For example, use
Just check the syntax of the config files, print a diagnostic message, and exit. If the config files are not OK the exit value will be non-zero.
Radiusd writes the all accounting records it receives to a file called NAS/detail in the accounting directory. This option changes the name of that file. You can include a macro, %N, that expands to (in order) the name of the remote proxy, the name of the NAS, or the IP address of the server that the record was received from. The default is %N/detail. Subdirectories of max. 1 level deep will be created on the fly if necessary.
If you specify this option multiple times, the first invocation will
override the default detail-file filename, and additional invocations
will make the server write to multiple detail files simultaneously.
At startup, radiusd writes its process-id to a file. By default that is /var/run/radiusd.pid, this option overrides that.
Write the stripped usernames (without prefix or suffix) in the detail
file instead of the raw record as received from the terminal server.
|-a accounting directory||
The (base) directory used for the radius accounting detail files.
If this directory doesnt exist, the server will not create any
accounting detail files. The default is /var/log/radacct.
Available if the server was compiled with syslog support. This will make radiusd log informational and authentication messages to the syslog service with the specified facility in addition to the standard radius.log file.
|-l logging directory||
This defaults to /var/log. Radiusd writes a logfile here called
radius.log. It contains informational and error messages, and optionally
a record of every login attempt (for aiding an ISPs helpdesk). The
special arguments stdout and stderr cause the information to
get written to standard output resp. standard error instead, and the
special argument none
turns off logging to radius.log. For compatibility with
FreeRadius, syslog is an alias for none.
|-d config directory||
Defaults to /etc/raddb. Radiusd looks here for its configuration
files such as the dictionary and the users files.
Defines which IP address to bind to for sending and receiving packets-
useful for hosts with more than one IP address.
If the radius server binary was compiled with dbm support,
this flag tells it to actually use the database files instead of the
flat users file.
|-c||This is still an experimental feature. Cache the password, group and shadow files in a hash-table in memory. This makes the radius process use a bit more memory, but username lookups in the password file are much faster.|
After every change in the real password file (user added, password changed)
you need to send a SIGHUP to the radius server to let it re-read
its configuration and the password/group/shadow files !
Do not use DNS. Actually this means that DNS isnt used to resolve IP
addresses to hostnames whenever there is something to be logged. If you
really dont want to use DNS at all, you should use dotted-quad notation for
all hostnames/addresses anywhere in the configuration files as well.
Do not fork, stay running as a foreground process.
Normally radiusd listens on the ports specified in /etc/services
(radius and radacct). With this option radiusd listens on the specified
port for authentication requests and on the specified port +1 for
Normally, the server forks a seperate process for accounting, and a seperate
process for every authentication request. With this flag the server will not
do that - it will process all authentication and accounting requests
synchonously in one process.
Shows version and compilation flags, then exits.
The path to the wtmp-style accounting file maintained by the server. Defaults to (on most systems) /var/log/radwtmp. If set to none, the server will not log wtmp-style accounting at all (same as -w).
The path to the radutmp file, which is the session-database aka list of logged in users. Defaults to (on most systems) /var/log/radutmp. If set to none, the server will not maintain a session-database (and radwho and simultaneous-use restrictions will not work).
Do not write the radwtmp file.
Debug mode. In this mode the server will print details of every request
on its stderr output. Most useful in combination with -s.
You can specify this option 2 times (-x -x or -xx) to get a bit more
Write details about every authentication request in the
radius.log file. If the password was incorrect, the password
is logged too.
If the -y option is on, log the password in the radius.log
file even for successful logins. This is very insecure!.
Never log any password in the radius.log file, correct or incorrect.
Radiusd uses 6 configuration files. Each file has its own manpage describing the format of the file. These files are:
dictionary This file is usually static. It defines all the possible RADIUS attributes used in the other configuration files. You dont have to modify it. clients Contains the IP address and a secret key for every client that wants to connect to the server. naslist Contains an entry for every NAS (Network Access Server) in the network. This is not the same as a client, especially if you have radius proxy server in your network. In that case, the proxy server is the client and it sends requests for different NASes. It also contains a abbreviated name for each terminal server, used to create the directory name where the detail file is written, and used for the /var/log/radwtmp file. Finally it also defines what type of NAS (Cisco, Livingston, Portslave) the NAS is. hints Defines certain hints to the radius server based on the userss loginname or other attributes sent by the access server. It also provides for mapping user names (such as Pusername -> username). This provides the functionality that the Livingston 2.0 server has as "Prefix" and "Suffix" support in the users file, but is more general. Ofcourse the Livingston way of doing things is also supported, and you can even use both at the same time (within certain limits). huntgroups Defines the huntgroups that you have, and makes it possible to restrict access to certain huntgroups to certain (groups of) users. users Here the users are defined. On a typical setup, this file mainly contains DEFAULT entries to process the different types of logins, based on hints from the hints file. Authentication is then based on the contents of the UNIX /etc/passwd file. However it is also possible to define all users, and their passwords, in this file.
Miquel van Smoorenburg, firstname.lastname@example.org.
|RADIUSD (8)||14 Jan 2003|