RADPWTST(8)
NAME
radpwtst - authenticates a user's password using a RADIUS server
SYNOPSIS
radpwtst [ -ccode ] [ -ddirectory ] [ -ffile ] [ -ggroup ]
[ -h ] [ -iclient_IP_address ] [ -lasync_port ] [ -n ]
[ -pUDP_port ] [ -rretries ] [ -sservername ]
[ -ttimeout ] [ -utype ] [ -v[ 1 | 2] ]
[ -wpassword ] [ -x ] [ -:<attribute>=<value> ]
userid [@realm ]
DESCRIPTION
Radpwtst authenticates a user using a RADIUS server. The userid is
required on the command line. Radpwtst prompts for the password matching
this userid and forwards the userid/password tuple to a RADIUS server.
When the optional @realm is present, it indicates the user belongs in some
authentication realm. These realms are usually listed in the first column
of the RADIUS server's authfile which is assumed (by default) to be located
in either the ../raddb or the /usr/private/etc/raddb directories. See
authfile(5) for more information. When the optional @realm is omitted, the
userid is sought in the users file, only. An exact match is required and
if that fails the DEFAULT entry ends up describing how to authenticate this
user. See users(5) for more information.
If authentication succeeds, radpwtst displays "authentication OK" on
standard output. Otherwise, radpwtst displays:
"userid" authentication failed.
OPTIONS
-c code
allows the user to specify several RADIUS packet type codes from the
following list: 1 (for Access-Request), 4 (for Accounting-Request), 7
(for Password-Request) and 12 (for Status-Server).
-d directory
allows the user to specify an alternate directory name containing the
RADIUS authfile, clients and users files instead of the default
../raddb and /usr/private/etc/raddb directories. If no -d directory
argument is given, RADIUS will look first for a directory ../raddb
and, if none is found, use /usr/private/etc/raddb. An error will be
displayed on stdout if neither directory can be used to locate the
various RADIUS configuration files. Care should be taken to ensure
the contents of these configuration files match those of the RADIUS
server if the server is running on a different machine than the one
where radpwtst is being run.
-f file
allows the user to specify a "prefix" for a file in the users file
format (see the users(5) man page). The name of this users file is
assumed to be <file>.users and found in the RADIUS configuration file
directory. This file contains arbitrary check-items and reply-items
(see users(5) for more information) grouped into pseudo-users having
names which may be specified by the following -g option. If no -g
option is given, the DEFAULT entry (if one is present) will be used.
In this way, arbitrary attribute-value pairs may be communicated to
remote RADIUS servers.
-g group
allows the user to specify an arbitrary "pseudo-user" named group in
the file specified by the above -f option. This file contains
arbitrary check-items and reply-items (see users(5) for more
information) grouped by these pseudo-user names. If no -g option is
given, the DEFAULT entry (if one is present) will be used. In this
way, arbitrary attribute-value pairs may be communicated to remote
RADIUS servers.
-h causes a usage (help) message to be placed onto stdout.
-i client_IP_address
allows the user to specify a different client IP address instead of
the default, which is the IP address of the originating machine.
-l async_port
allows the user to specify an alternate async port number instead of
the default async port 1.
-n allows the user to force the Authentication-Only value to be used in
the attribute-value pair Service-Type.
-p UDP_port
allows the user to specify an alternate UDP port number instead of the
default UDP port number 1812.
-r retries
allows the user to specify a maximum number of retries instead of the
default ten.
-s servername
allows the user to specify an alternate server instead of the default
homeless.interlinknetworks.com.
-t timeout
allows the user to specify an alternate timeout value (in seconds)
instead of the default three.
-u type
allows the user to specify one of several Service-Type values instead
of the default auth value. Note that the default auth value will
fail if no password (or an empty password) is included in the Access-
Request (default or -c1) produced by radpwtst. This is because the
RADIUS server requires a valid (non-empty) password be provided in
Access-Request packets where the Service-Type is Authenticate-Only.
Valid types are: admin, auth, dumb, exec, chap, newchap, outbound,
ppp, slip, dbadmin, dbdumb, dbppp and dbslip, where db stands for "dial
back" in the last four types.
-v prints the version of RADIUS used to build the program. If the option
is given as -v1 or -v2 the program will build the request according to
the RADIUS protocol version one or two, respectively.
-w password
allows the user to provide a password on the command line and not be
prompted for one.
-x allows the user to turn on debugging output.
-:<attribute>=<value>
the text that follows the colon (":") character is taken to specify
the value of any attribute in the dictionary. The syntax is identical
to the reply-items described in users(5).
EXIT STATUS
Normal successful completion returns zero to the system. If the response
from the RADIUS server had errors, radpwtst returns -2. Local errors
return -1, and timeout errors return 1 as status.
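An added example, not part of the original manual page: a POSIX sh wrapper that reads the exit status described above as the shell reports it and moves on to the next server only after a timeout. The RADPWTST variable, the function names and the outcome labels are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the radpwtst distribution).
# RADPWTST is a hypothetical override naming the command to run.
RADPWTST=${RADPWTST:-radpwtst}

# Map the status seen by the shell to the cases listed under EXIT STATUS.
# A process exit status is 8 bits wide, so -1 arrives as 255 and -2 as 254.
radpwtst_outcome() {
    case "$1" in
        0)   echo ok ;;
        1)   echo timeout ;;
        254) echo server-error ;;   # -2: the server's response had errors
        255) echo local-error ;;    # -1: local error
        *)   echo unknown ;;
    esac
}

# Usage: radius_check userid server [server ...]
# Prints one "server outcome" line per server tried; returns 0 only on ok.
radius_check() {
    userid=$1; shift
    outcome=unknown
    for server in "$@"; do
        rc=0
        # No -w here: a password given on the command line is visible in
        # the process list, so radpwtst is left to prompt for it.
        # Its own stdout goes to stderr; stdout carries only the summary.
        "$RADPWTST" -s "$server" -t 3 -r 2 "$userid" >&2 || rc=$?
        outcome=$(radpwtst_outcome "$rc")
        echo "$server $outcome"
        # Only a timeout says nothing about the request itself, so it is
        # the only outcome that justifies trying another server.
        [ "$outcome" = timeout ] || break
    done
    [ "$outcome" = ok ]
}
```

Treating 254 and 255 as final keeps a rejected or malformed exchange from being retried against every server in the list.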
FILES
../raddb the directory containing the RADIUS configuration and
database files.
/usr/private/etc/raddb
an alternate directory containing the same files.
SEE ALSO
radcheck(8), radiusd(8), authfile(5), clients(5), dictionary(5), users(5)