RADIUSD(8)
NAME
radiusd - Remote Authentication Dial In User Service daemon
SYNOPSIS
radiusd [ -d configuration_directory ]
[ -da aatv_directory ] [ -dl logfiles_directory ]
[ -a accounting_directory ]
[ -c current_working_directory ] [ -C ] [ -P ] [ -n ]
[ -p radius_port ] [ -q accounting_port ] [ -f fsm_file ]
[ -pp radius_relay_port ] [ -qq accounting_relay_port ]
[ -g 'syslog' | 'logfile' | 'stderr' ] [ -l logformat ]
[ -t timeout ] [ -s ] [ -x ] [ -v ] [ -z ] [ -h ] [ -u ]
DESCRIPTION
The radiusd server handles Access-Requests for user authentication and
Accounting-Requests for accounting from RADIUS clients. These clients may
be terminal servers, for example, a Network Access Server (NAS) or other
RADIUS servers. Authentication and accounting requests come to radiusd in
the form of UDP packets conforming to the RADIUS protocol.
The radiusd server collects these requests and processes them depending on
their type (see the dictionary(5) man page). If so requested, radiusd may
authenticate a user by calling upon other RADIUS servers, various
authentication services, such as Kerberos, and operating system services,
such as the UNIX system subroutines which access the /etc/passwd file.
Once a request is received, radiusd validates the sending client and then
consults a local database of users (see the users(5) man page) to find a
user name matching the request. The user entry contains a list of
requirements which must be met to allow the user to be authenticated. This
list normally includes verification of the password, but it may not, and it
may also specify other requirements. If any condition is not met, radiusd
sends an Access-Reject response. If all the conditions are met, a list of
configuration values (reply-items, see the users(5) man page) are placed
into an Access-Accept response. Such values as the type of service allowed
and other values necessary to deliver that service typically are included.
The authfile, clients, dictionary, vendors and, optionally, the users files
(plus optional, prefixed authfile and users files) are read into memory
resident tables. As an unrelated informational note, the current version
of the Interlink AAA Server stores IP addresses internally in host byte
order (as opposed to network byte order). A version of the Interlink AAA
Server may be built that uses dbm(3) to refer to the users file (see
builddbm(8) for more information). Please note that we do not actively
support this feature and it may be deprecated in the future.
Sending radiusd a HUP signal refreshes the above mentioned internal tables.
Sending radiusd an INT signal initializes only the AATV modules. Sending
radiusd a USR1 signal turns on debugging much as the -x option does, except
repeated use of the USR1 signal continues to increase the debugging level
(see below, for more about the -x flag). Sending radiusd a USR2 signal
turns off debugging altogether. Sending radiusd a TERM signal provides an
orderly way of shutting down the Interlink AAA Server.
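The signal interface described above (HUP, INT, USR1, USR2, TERM) and the -x debug levels listed under OPTIONS, as an added shell wrapper that is not part of the Interlink AAA Server: radiusctl takes the PID file path as an argument, since this page does not say where radiusd writes it, and assumes that USR2 resets debugging to off so that N further USR1 signals leave the server at level N.

```shell
#!/bin/sh
# radiusctl: drive a running radiusd with the signals described above.
# Added example; not part of the Interlink AAA Server distribution.
# Assumptions: the PID file path is supplied by the caller (the page does
# not state where radiusd writes it), and USR2 resets debugging to off so
# that N following USR1 signals leave the server at level N (N "-x" flags).

# Translate a control command into the signal(s) radiusd expects.
# "debug N" is capped at 4, the highest level the -x options document.
signal_plan() {
    case "$1" in
        reload) echo HUP ;;   # refresh authfile, clients, dictionary, users
        reinit) echo INT ;;   # re-initialize only the AATV modules
        stop)   echo TERM ;;  # orderly shutdown
        debug)
            n=${2:-1}
            case "$n" in ''|*[!0-9]*) return 1 ;; esac
            if [ "$n" -gt 4 ]; then n=4; fi
            plan=USR2
            i=0
            while [ "$i" -lt "$n" ]; do
                plan="$plan USR1"
                i=$((i + 1))
            done
            echo "$plan" ;;
        *) return 1 ;;
    esac
}

# Read the PID file, validate it, and deliver each signal in order.
# Refuses to signal anything that is not a plain numeric PID.
radiusctl() {
    pidfile=$1; shift
    pid=$(cat "$pidfile" 2>/dev/null) || { echo "cannot read $pidfile" >&2; return 1; }
    case "$pid" in ''|*[!0-9]*) echo "malformed pid in $pidfile" >&2; return 1 ;; esac
    plan=$(signal_plan "$@") || {
        echo "usage: radiusctl pidfile reload|reinit|stop|debug [N]" >&2; return 1; }
    for sig in $plan; do
        kill -s "$sig" "$pid" || return 1
    done
}
```

Invoke it as, for example, radiusctl /path/to/radiusd.pid debug 2 to reach the same level as starting with -x -x, or radiusctl /path/to/radiusd.pid reload after editing the users file.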
Installing the Interlink AAA Server involves adding the following lines to
the /etc/services file:
# RADIUS protocol
radius 1812/udp
radacct 1813/udp
Since the Interlink AAA Server exits after a configurable number of minutes
(currently fifteen minutes) of inactivity, you may want to have the
Interlink AAA Server run automatically when requests arrive. It is
possible to override this default behaviour by supplying the -t0 option on
the Interlink AAA Server's command line. So, for example, you may want to
install the following line in your /etc/inetd.conf file:
radius dgram udp wait root /usr/private/etc/radiusd radiusd
Note that the Interlink AAA Server need not run as root (UID 0), although
it normally is run that way. It may be safer to pick a less powerful user,
say radius, which has no password and is used only for administrative
purposes, unless the server needs superuser privilege to access some shadow
password file. Also, do not forget to send a HUP signal to your running
inetd process to force it to re-read its own database file,
/etc/inetd.conf, into memory.
A configuration file (see the man page engine.config(5) for more
information) is available to allow certain built-in default values to be
overridden at runtime. This is useful to control the operation of a
running server without having to recompile the server from source. This is
especially useful for those users with binary copies of the Interlink AAA
Server.
OPTIONS
-d configuration_directory
allows the user to override the default database and configuration
file directory by specifying an alternate directory name containing
the Interlink AAA Server authfile, clients, dictionary, radius.fsm,
vendors and users configuration files instead of the default
/usr/private/etc/raddb directory. See the authfile(5), clients(5),
dictionary(5), radius.fsm(5), vendors(5) and users(5) man pages for
more information.
-da aatv_directory
allows the user to override the default directory where binary AATV
modules are located by specifying an alternate directory name instead
of the default /usr/private/etc/aatv directory.
-dl logfiles_directory
allows the user to override the default directory where logfiles and
other files which may grow in size are located by specifying an
alternate directory name instead of the default /usr/private/etc/raddb
directory.
-a accounting_directory
allows the user to override the default accounting directory by
specifying an alternate directory name to contain the standard RADIUS
accounting detail files instead of the default
/usr/private/etc/radacct directory.
-c current_working_directory
allows the user to override the default current working directory by
specifying an alternate directory name instead of the default
/usr/private/etc/raddb directory. This option only affects file
system operation for files specified with relative file names (no
leading slash ("/") character).
-C enables the Interlink AAA Server to do token caching [Ascend].
-P enables the Interlink AAA Server to honor password changing requests
[Ascend].
-p port
allows the user to specify an alternate authentication port number
instead of the default port 1812.
-q acct_port
allows the user to specify an alternate accounting port number instead
of the default port 1813.
-f fsm_file
allows the user to specify an alternate FSM table file instead of the
default radius.fsm file.
-l logformat
specifies the optional strftime(3) format for the Interlink AAA Server
logfile. See also the radius_log_fmt configuration item in the
engine.config(5) man page.
-n do not load the saved session state file [Advanced only].
-pp port
allows the user to specify an alternate authentication relay port
number instead of the default port 1812.
-qq acct_port
allows the user to specify an alternate accounting relay port number
instead of the default port 1813.
-g 'syslog' | 'logfile' | 'stderr'
allows the user to specify whether to use syslog(3) style, logfile
style or stderr logging for warning, error and informational messages.
It is possible to specify arbitrarily complex logfile names using
the -l option. The strftime(3) format string may be used to provide
logfile renaming and optional compression on a yearly, monthly,
weekly, daily, hourly or by the minute(!) basis. See the RAD_COMPRESS
and RADIUS_LOG_FMT macros in the radius.h include file. See also the
radius_log_fmt configuration item in the engine.config(5) man page.
-t timeout
allows the user to specify a timeout value for the select(2) system
call which is different from the default timeout value of fifteen
minutes. If the -t option is given with a value of zero -t0, then the
server is essentially put into a blocking mode, that is, it will never
timeout and terminate, but will wait (at the select(2) call) forever.
-s places the Interlink AAA Server into the single process (non-spawning)
mode.
-x allows the user to turn on debugging output:
-x minimal debugging output
-x -x above + FSM high level output + some function tracing.
-x -x -x above + remaining function tracing.
-x -x -x -x above + FSM low level output + low level config files.
Debugging output is directed to the radius.debug file. Since the -x option
turns off some of the daemon behaviour of the server (such as disconnecting
from the controlling terminal, etc.) it is not recommended to run the
Interlink AAA Server from (x)inetd(8) while specifying one or more of the
-x options.
-v causes the Interlink AAA Server to place its version information onto
stdout.
-z causes the Interlink AAA Server logfile and debug file to be emptied,
but only if the debugging option -x is enabled. This option has no
effect on the logfile if the -g option specifies syslog(3) style
logging.
-h causes the Interlink AAA Server to place a usage (help) message onto
stdout.
-u specifies to NOT read the users file into the internal data
structures. This option is typically used when the Interlink AAA
Server has been built to use the dbm(3) support library.
EXIT STATUS
255 (-1) dict_init
254 (-2) config_init
253 (-3) init_fsm
252 (-4) config_files
251 (-5) disconnect
250 (-6) open PID file
249 (-7) SIG_FATAL
248 (-8) usage
247 (-9) user_update
246 (-10) version
245 (-11) setupsock (can't bind, is the Interlink AAA Server already
running?)
244 (-12) init_id_to_key
243 (-13) list_copy
242 (-14) find_state
241 (-15) chdir
240 (-16) hostname
239 (-17) SC_OPEN_MAX error
238 (-18) exit on SIGQUIT
237 (-19) setup_logfile (logfile could not be opened)
Also, look in the logfile, or syslog(3) entries, depending upon
configuration, for information about error termination conditions.
FILES
/usr/private/etc/raddb/*
directory containing Interlink AAA Server configuration
and database files.
/etc/passwd contains user passwords for UNIX users.
/etc/(x)inetd.conf holds configuration information for (x)inetd(8).
/etc/services contains lists of TCP/UDP services and their port
numbers.
/etc/shells used to check the user's shell entry in /etc/passwd.
users.dir directory file for dbm(3) support of the users file.
users.pag data file for dbm(3) support of the users file.
SEE ALSO
select(2), dbm(3), signal(3), strftime(3), syslog(3), authfile(5),
clients(5), dictionary(5), engine.config(5), users(5), vendors(5),
(x)inetd.conf(5), services(5), builddbm(8), radcheck(8), radpwtst(8),
(x)inetd(8)