freeradius 参数说明

最新推荐文章于 2025-06-25 09:05:08 发布

软域科技苗旺

最新推荐文章于 2025-06-25 09:05:08 发布

阅读量1.6k

点赞数 41

CC 4.0 BY-SA版权

文章标签：服务器运维

本文链接：https://blog.youkuaiyun.com/happydog_miao/article/details/86516795

root@SD-AAA:/usr/sbin# man freeradius
RADIUSD(8) FreeRADIUS Daemon RADIUSD(8)

NAME
radiusd - Authentication, Authorization and Accounting server

SYNOPSIS      总共14个参数
       radiusd [-C] [-d config_directory] [-f] [-h] [-i ip-address] [-l log_file] [-m] [-n name] [-p port] [-s] [-t]
       [-v] [-x] [-X]

DESCRIPTION
FreeRADIUS is a high-performance and highly configurable RADIUS server. It supports many database back-ends
such as

flat-text files, SQL, LDAP, Perl, Python, etc. It also supports many authentication protocols such as
PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM, etc.).

It also has fullsupport for Cisco's VLAN Query Protocol (VMPS) and DHCP.

Please read the DEBUGGING section below. It contains instructions for quickly configuring the server for your
local system.

OPTIONS
The following command-line options are accepted by the server:

       -C     Check the configuration and exit immediately. If there is a problem reading the configuration, then
              the server will exit with a non-zero status code. If the configuration appears to be acceptable, then
              the server will exit with a zero status code.

-C 用于检查配置文件是否正确，检查完成后立即退出，并且根据返回值是0 或者非0 来显示配置是否可以接受

              Note that there are limitations to this check. Due to the complexities involved in almost starting a
              RADIUS server, these checks are necessarily incomplete. The server can return a zero status code when
              run with -C, but may still exit with an error when run normally. 这个参数的返回也不靠谱？返回正确，但是也许正常无法运行

See the output of radiusd -XC for an informative list of which modules are checked for correct configu‐
ration, and which modules are skipped, and therefore not checked.

       -d config directory    指定配置目录
              Defaults to /etc/freeradius. Radiusd looks here for its configuration files such as the dictionary and
              the users files.

-f Do not fork, stay running as a foreground process. 作为一个前台程序？如果配置OK，则停留在非交互状态

-h Print usage help information.

-i ip-address
Defines which IP address that the server uses for sending and receiving packets.

If this command-line option is given, then the "bind_address" and all "listen{}" entries in
radiusd.conf are ignored.

This option MUST be used in conjunction with "-p". -i 参数和-p 参数要一起使用

       -l log_file
              Defaults to ${logdir}/radius.log. Radiusd writes it's logging information to this file. If log_file is
              the string "stdout" logging will be written to stdout.

-m On SIGINT or SIGQUIT exit cleanly instead of immediately. This is most useful for when running the
server with "valgrind". valgrind 是一个内存泄露检查工具

-n name 指定一个具体的配置文件码？
Read freeradius/name.conf instead of freeradius/radiusd.conf.

       -p port
              Defines which port is used for receiving authentication packets. Accounting packets are received on
              "port + 1".

When this command-line option is given, all "listen" sections in radiusd.conf are ignored.

This option MUST be used in conjunction with "-i".

       -s     Run in "single server" mode. The server normally runs with multiple threads and/or processes, which
              can lower its response time to requests. Some systems have issues with threading, however, so running
              in "single server" mode may help to address those issues. In single server mode, the server will also
              not "daemonize" (auto-background) itself. 在跑一个线程，默认可以运行个，用于排查是否是多线程引起的问题

-t Do not spawn threads.

-v Print server version information and exit.

-X Debugging mode. Equivalent to "-sfxx -l stdout". When trying to understand how the server works,
ALWAYS run it with "radiusd -X". For production servers, use "raddebug"

-x Finer-grained debug mode. In this mode the server will print details of every request on it's stdout
output. You can specify this option multiple times (-x -x or -xx) to get more detailed output.

DEBUGGING
The default configuration is set to work in the widest possible circumstances. It requires minimal changes
for your system.

       However, your needs may be complex, and may require significant changes to the server configuration. Making
       random changes is a guaranteed method of failure. Instead, we STRONGLY RECOMMEND proceeding via the following
       steps:

       1) Always run the server in debugging mode ( radiusd -X ) after making a configuration change. We cannot
       emphasize this enough. If you are not running the server in debugging mode, you will not be able to see what
       is doing, and you will not be able to correct any problems.

If you ask questions on the mailing list, the first response will be to tell you "run the server in debugging
mode". Please, follow these instructions.

       2) Change as little as possible in the default configuration files. The server contains a decade of experi‐
       ence with protocols, databases, and different systems. Its default configuration is designed to work almost
       everywhere, and to do almost everything you need.

       3) When you make a small change, testing it before changing anything else. If the change works, save a copy
       of the configuration, and make another change. If the change doesn't work, debug it, and try to understand
       why it doesn't work.

If you begin by making large changes to the server configuration, it will never work, and you will never be
able to debug the problem.

4) If you need to add a connection to a database FOO (e.g. LDAP or SQL), then:

          a) Edit freeradius/modules/foo
          This file contains the default configuration for the module. It contains comments describing what can be
          configured, and what those configuration entries mean.
          b) Edit freeradius/sites-available/default
          This file contains the default policy for the server. e.g. "enable CHAP, MS-CHAP, and EAP authentication".
          Look in this file for all references to your module "foo". Read the comments, and remove the leading hash
          '#' from the lines referencing the module. This enables the module.
          c) Edit freeradius/sites-available/inner-tunnel
          This file contains the default policy for the "tunneled" portion of certain EAP methods. Perform the same
          kind of edits as above, for the "default" file.. If you are not using EAP (802.1X), then this step can be
          skipped.
          d) Start the server in debugging mode ( radiusd -X ), and start testing.

       5) Ask questions on the mailing list (freeradius-users@lists.freeradius.org). When asking questions, include
       the output from debugging mode ( radiusd -X ). This information will allow people to help you. If you do not
       include it, the first response to your message will be "post the output of debug mode".

Ask questions earlier, rather than later. If you cannot solve a problem in a day, ask a question on the mail‐
ing list. Most questions have been seen before, and can be answered quickly.

BACKGROUND
       RADIUS is a protocol spoken between an access server, typically a device connected to several modems or ISDN
       lines, and a radius server. When a user connects to the access server, (s)he is asked for a loginname and a
       password. This information is then sent to the radius server. The server replies with "access denied", or
       "access OK". In the latter case login information is sent along, such as the IP address in the case of a PPP
       connection.

       The access server also sends login and logout records to the radius server so accounting can be done. These
       records are kept for each terminal server separately in a file called detail, and in the wtmp compatible log‐
       file /var/log/radwtmp.

CONFIGURATION
Radiusd uses a number of configuration files. Each file has it's own manpage describing the format of the
file. These files are:

radiusd.conf
The main configuration file, which sets the administrator-controlled items.

       dictionary
              This file is usually static. It defines all the possible RADIUS attributes used in the other configura‐
              tion files. You don't have to modify it. It includes other dictionary files in the same directory.

       hints Defines certain hints to the radius server based on the users's loginname or other attributes sent by
              the access server. It also provides for mapping user names (such as Pusername -> username). This pro‐
              vides the functionality that the Livingston 2.0 server has as "Prefix" and "Suffix" support in the
              users file, but is more general. Ofcourse the Livingston way of doing things is also supported, and you
              can even use both at the same time (within certain limits).

       huntgroups
              Defines the huntgroups that you have, and makes it possible to restrict access to certain huntgroups to
              certain (groups of) users.

       users Here the users are defined. On a typical setup, this file mainly contains DEFAULT entries to process
              the different types of logins, based on hints from the hints file. Authentication is then based on the
              contents of the UNIX /etc/passwd file. However it is also possible to define all users, and their pass‐
              words, in this file.

SEE ALSO
radiusd.conf(5), users(5), huntgroups(5), hints(5), dictionary(5), raddebug(8)