summaryrefslogtreecommitdiffstats
path: root/man
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:49:46 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:49:46 +0000
commit50b37d4a27d3295a29afca2286f1a5a086142cec (patch)
tree9212f763934ee090ef72d823f559f52ce387f268 /man
parentInitial commit. (diff)
downloadfreeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.tar.xz
freeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.zip
Adding upstream version 3.2.1+dfsg.upstream/3.2.1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'man')
-rw-r--r--man/man1/dhcpclient.171
-rw-r--r--man/man1/rad_counter.142
-rw-r--r--man/man1/radclient.1195
-rw-r--r--man/man1/radeapclient.1100
-rw-r--r--man/man1/radlast.121
-rw-r--r--man/man1/radtest.181
-rw-r--r--man/man1/radwho.199
-rw-r--r--man/man1/radzap.168
-rw-r--r--man/man1/smbencrypt.122
-rw-r--r--man/man5/checkrad.595
-rw-r--r--man/man5/clients.conf.546
-rw-r--r--man/man5/dictionary.5185
-rw-r--r--man/man5/radiusd.conf.5202
-rw-r--r--man/man5/radrelay.conf.5146
-rw-r--r--man/man5/rlm_always.5119
-rw-r--r--man/man5/rlm_attr_filter.5145
-rw-r--r--man/man5/rlm_chap.530
-rw-r--r--man/man5/rlm_counter.589
-rw-r--r--man/man5/rlm_detail.589
-rw-r--r--man/man5/rlm_digest.579
-rw-r--r--man/man5/rlm_expr.5113
-rw-r--r--man/man5/rlm_files.595
-rw-r--r--man/man5/rlm_idn.545
-rw-r--r--man/man5/rlm_mschap.5110
-rw-r--r--man/man5/rlm_pap.5137
-rw-r--r--man/man5/rlm_passwd.5136
-rw-r--r--man/man5/rlm_realm.594
-rw-r--r--man/man5/rlm_sql.5152
-rw-r--r--man/man5/rlm_unix.566
-rw-r--r--man/man5/unlang.5900
-rw-r--r--man/man5/users.5228
-rw-r--r--man/man8/radcrypt.845
-rw-r--r--man/man8/raddebug.8104
-rw-r--r--man/man8/radiusd.8235
-rw-r--r--man/man8/radmin.8188
-rw-r--r--man/man8/radrelay.849
-rw-r--r--man/man8/radsniff.875
-rw-r--r--man/man8/radsqlrelay.890
-rw-r--r--man/man8/rlm_sqlippool_tool.8157
39 files changed, 4943 insertions, 0 deletions
diff --git a/man/man1/dhcpclient.1 b/man/man1/dhcpclient.1
new file mode 100644
index 0000000..d6a538e
--- /dev/null
+++ b/man/man1/dhcpclient.1
@@ -0,0 +1,71 @@
+.TH DHCPCLIENT 1 "19 September 2016" "" "FreeRADIUS Daemon"
+.SH NAME
+dhcpclient - Send a DHCP request with provided RADIUS attributes and get the output response.
+.SH SYNOPSIS
+.B dhcpclient
+.RB [ \-d
+.IR raddb_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
+.RB [ \-f
+.IR file ]
+.RB [ \-h ]
+.RB [ \-i
+.IR interface ]
+.RB [ \-t
+.IR timeout ]
+.RB [ \-v ]
+.RB [ \-x ]
+\fIserver[:port] {discover|request|decline|release|inform|auto}\fP
+.SH DESCRIPTION
+\fBdhcpclient\fP is a DHCP test client program. It can send arbitrary DHCP
+packets to the FreeRADIUS server running as DHCP server, then shows the reply.
+It can be used to test changes you made in the configuration of the radius server,
+or it can be used to monitor if a radius server is up.
+.PP
+\fBdhcpclient\fP reads radius attribute/value pairs from its standard
+input, or from a file specified on the command line. It then encodes
+these attribute/value pairs using the dictionary, and sends them
+to the local/remote server.
+.PP
+
+.SH OPTIONS
+
+.IP \-d\ \fIraddb_directory\fP
+The directory that contains the user dictionary file. Defaults to
+\fI/etc/raddb\fP.
+.IP \-D\ \fIdictionary_directory\fP
+The directory that contains the main dictionary file. Defaults to
+\fI/usr/share/freeradius\fP.
+.IP \-f\ \fIfile[:file]\fP
+File to read the attribute/value pairs from. If this is not specified,
+they are read from stdin. This option can be specified multiple
+times, in which case packets are sent in order by file, and within
+each file, by first packet to last packet. A blank line separates
+logical packets within a file.
+.IP \-h
+Print usage help information.
+.IP \-i\ \fIinterface\fP
+Select which interface to send/receive at packet level on a raw socket.
+.IP \-t\ \fItimeout\fP
+Wait \fItimeout\fP seconds before deciding that the NAS has not
+responded to a request, and re-sending the packet. This may be a floating
+point number, e.g. 2.2.
+.IP \-v
+Print out program version information.
+.IP \-x
+Print out debugging information.
+.IP server[:port]
+The hostname or IP address of the remote server. Optionally a UDP port
+can be specified. If no UDP port is specified, it is looked up in
+\fI/etc/services\fP. The service name looked for is \fBradacct\fP for
+accounting packets, and \fBradius\fP for all other requests. If a
+service is not found in \fI/etc/services\fP, 1813 and 1812 are used
+respectively.
+.IP discover\ |\ request\ |\ decline\ |\ release\ |\ inform\ |\ auto
+DHCP options - use the type relevant for testing
+
+.SH SEE ALSO
+radiusd(8)
+.SH AUTHORS
+Alan DeKok <aland@freeradius.org>
diff --git a/man/man1/rad_counter.1 b/man/man1/rad_counter.1
new file mode 100644
index 0000000..74e7c73
--- /dev/null
+++ b/man/man1/rad_counter.1
@@ -0,0 +1,42 @@
+.TH RAD_COUNTER 1 "19 September 2016" "" "FreeRADIUS Daemon"
+.SH NAME
+rad_counter - Query and maintain FreeRADIUS rlm_counter DB file.
+
+This tool is deprecated
+
+.SH SYNOPSIS
+.B rad_counter
+.RB [ \--file
+.IR counter_filename ]
+.RB [ \--user
+.IR username ]
+.RB [ \--match
+.IR <regex> ]
+.RB [ \--reset
+.IR number]
+.RB [ \--help ]
+.RB [ \-\-hours | \-\-minutes | \-\-seconds ]
+
+.SH DESCRIPTION
+\fBrad_counter\fP is a tool that can query and maintain FreeRADIUS rlm_counter DB files.
+.PP
+
+.SH OPTIONS
+
+.IP \--file=
+Counter DB filename.
+.IP \--user=\ \fIusername\fP
+Information for specific user.
+.IP \--match=\ \fI<regex>\fP
+Information for matching users.
+.IP \--reset=\ \fInumber\fP
+Reset counter to <number>. If divisor is set use it, else <number> means seconds.
+.IP \--help
+Show the help screen.
+.IP \--(hours\ |\ minutes\ |\ seconds)
+Specify information divisor.
+
+.SH SEE ALSO
+radiusd(8)
+.SH AUTHORS
+Alan DeKok <aland@freeradius.org>
diff --git a/man/man1/radclient.1 b/man/man1/radclient.1
new file mode 100644
index 0000000..229dcae
--- /dev/null
+++ b/man/man1/radclient.1
@@ -0,0 +1,195 @@
+.TH RADCLIENT 1 "22 March 2019" "" "FreeRADIUS Daemon"
+.SH NAME
+radclient - send packets to a RADIUS server, show reply
+.SH SYNOPSIS
+.B radclient
+.RB [ \-4 ]
+.RB [ \-6 ]
+.RB [ \-c
+.IR count ]
+.RB [ \-d
+.IR raddb_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
+.RB [ \-f
+.IR file ]
+.RB [ \-F ]
+.RB [ \-h ]
+.RB [ \-i
+.IR id ]
+.RB [ \-n
+.IR num_requests_per_second ]
+.RB [ \-p
+.IR num_requests_in_parallel ]
+.RB [ \-q ]
+.RB [ \-r
+.IR num_retries ]
+.RB [ \-s ]
+.RB [ \-S
+.IR shared_secret_file ]
+.RB [ \-t
+.IR timeout ]
+.RB [ \-v ]
+.RB [ \-x ]
+\fIserver {acct|auth|status|coa|disconnect|auto} secret\fP
+.SH DESCRIPTION
+\fBradclient\fP is a radius client program. It can send arbitrary radius
+packets to a radius server, then shows the reply. It can be used to
+test changes you made in the configuration of the radius server,
+or it can be used to monitor if a radius server is up.
+.PP
+\fBradclient\fP reads radius attribute/value pairs from it standard
+input, or from a file specified on the command line. It then encodes
+these attribute/value pairs using the dictionary, and sends them
+to the remote server.
+.PP
+The \fIUser-Password\fP and \fICHAP-Password\fP attributes are
+automatically encrypted before the packet is sent to the server.
+
+.SH OPTIONS
+
+.IP \-4
+Use IPv4 (default)
+.IP \-6
+Use IPv6
+.IP \-c\ \fIcount\fP
+Send each packet \fIcount\fP times.
+.IP \-d\ \fIraddb_directory\fP
+The directory that contains the user dictionary file. Defaults to
+\fI/etc/raddb\fP.
+.IP \-D\ \fIdictionary_directory\fP
+The directory that contains the main dictionary file. Defaults to
+\fI/usr/share/freeradius\fP.
+.IP \-f\ \fIfile[:file]\fP
+File to read the attribute/value pairs from. If this is not specified,
+they are read from stdin. This option can be specified multiple
+times, in which case packets are sent in order by file, and within
+each file, by first packet to last packet. A blank line separates
+logical packets within a file. If a pair of files separated by a
+colon is specified, the second file will be used to filter the
+responses to requests from the first. The number of requests and
+filters must be the same. A summary of filter results will be displayed
+if \-s is passed.
+.IP \-F
+Print the file name, packet number and reply code.
+.IP \-h
+Print usage help information.
+.IP \-i\ \fIid\fP
+Use \fIid\fP as the RADIUS request Id.
+.IP \-n\ \fInum_requests_per_second\fP
+Try to send \fInum_requests_per_second\fP, evenly spaced. This option
+allows you to slow down the rate at which radclient sends requests.
+When not using \-n, the default is to send packets as quickly as
+possible, with no inter-packet delays.
+
+Due to limitations in radclient, this option does not accurately send
+the requested number of packets per second.
+.IP \-p\ \fInum_requests_in_parallel\fP
+Send \fInum_requests_in_parallel\fP, without waiting for a response
+for each one. By default, radclient sends the first request it has
+read, waits for the response, and once the response is received, sends
+the second request in its list. This option allows you to send many
+requests at simultaneously. Once \fInum_requests_in_parallel\fP are
+sent, radclient waits for all of the responses to arrive (or for the
+requests to time out), before sending any more packets.
+
+This option permits you to discover the maximum load accepted by a
+RADIUS server.
+.IP "\-P\ \fIproto\fP"
+Use \fIproto\fP transport protocol ("tcp" or "udp").
+Only available if FreeRADIUS is compiled with TCP transport support.
+.IP \-q
+Go to quiet mode, and do not print out anything.
+.IP \-r\ \fInum_retries\fP
+Try to send each packet \fInum_retries\fP times, before giving up on
+it. The default is 10.
+.IP \-s
+Print out some summaries of packets sent and received.
+.IP \-S\ \fIshared_secret_file\fP
+Rather than reading the shared secret from the command-line (where it
+can be seen by others on the local system), read it instead from
+\fIshared_secret_file\fP.
+.IP \-t\ \fItimeout\fP
+Wait \fItimeout\fP seconds before deciding that the NAS has not
+responded to a request, and re-sending the packet. The default
+timeout is 3.
+.IP \-v
+Print out version information.
+.IP \-x
+Print out debugging information.
+.IP server[:port]
+The hostname or IP address of the remote server. Optionally a UDP port
+can be specified. If no UDP port is specified, it is looked up in
+\fI/etc/services\fP. The service name looked for is \fBradacct\fP for
+accounting packets, and \fBradius\fP for all other requests. If a
+service is not found in \fI/etc/services\fP, 1813 and 1812 are used
+respectively. For coa and disconnect packets, port 3799 is used.
+
+If a host name is specified, then radclient will do a DNS lookup, and
+use the A record to find the IP address of the RADIUS server. If
+there is no A record, then radclient will look for an AAAA record. If
+there is no AAAA record, an error will be produced.
+
+IPv6 addresses may be specified by surrounding it in square brackets.
+For example, [2002:c000:0201:0:0:0:0:0], or with a port,
+[2002:c000:0201:0:0:0:0:0]:18120.
+
+The RADIUS attributes read by \fIradclient\fP can contain the special
+attribute \fBPacket-Dst-IP-Address\fP. If this attribute exists, then
+that IP address is where the packet is sent, and the \fBserver\fP
+specified on the command-line is ignored.
+
+If the RADIUS attribute list always contains the
+\fBPacket-Dst-IP-Address\fP attribute, then the \fBserver\fP parameter
+can be given as \fB-\fP.
+
+The RADIUS attributes read by \fIradclient\fP can contain the special
+attribute \fBPacket-Dst-Port\fP. If this attribute exists, then that
+UDP port is where the packet is sent, and the \fB:port\fP specified
+on the command-line is ignored.
+
+.IP acct\ |\ auth\ |\ status\ |\ coa\ |\ disconnect\ |\ auto
+Use \fBauth\fP to send an authentication packet (Access-Request),
+\fBacct\fP to send an accounting packet (Accounting-Request),
+\fBstatus\fP to send a status packet (Status-Server), or
+\fBcoa\fP to send a CoA-Request, or
+\fBdisconnect\fP to send a disconnection request. Instead of these
+values, you can also use a decimal code here. For example, code 12 is
+also \fBStatus-Server\fP.
+
+The RADIUS attributes read by \fIradclient\fP can contain the special
+attribute \fBPacket-Type\fP. If this attribute exists, then that type
+of packet is sent, and the \fItype\fP specified on the command-line
+is ignored.
+
+If the RADIUS attribute list always contains the
+\fBPacket-Type\fP attribute, then the \fBtype\fP parameter can be
+given as \fBauto\fP.
+
+.IP secret
+The shared secret for this client. It needs to be defined on the
+radius server side too, for the IP address you are sending the radius
+packets from.
+
+.SH EXAMPLE
+
+A sample session that queries the remote server for
+\fIStatus-Server\fP (not all servers support this, but FreeRADIUS has
+configurable support for it).
+.RS
+.sp
+.nf
+.ne 3
+$ echo "Message-Authenticator = 0x00" | radclient 192.0.2.42 status s3cr3t
+Sending request to server 192.0.2.42, port 1812.
+radrecv: Packet from host 192.0.2.42 code=2, id=140, length=54
+ Reply-Message = "FreeRADIUS up 21 days, 02:05"
+.fi
+.sp
+.RE
+
+.SH SEE ALSO
+radiusd(8),
+.SH AUTHORS
+Miquel van Smoorenburg, miquels@cistron.nl.
+Alan DeKok <aland@freeradius.org>
diff --git a/man/man1/radeapclient.1 b/man/man1/radeapclient.1
new file mode 100644
index 0000000..687ef61
--- /dev/null
+++ b/man/man1/radeapclient.1
@@ -0,0 +1,100 @@
+.TH RADEAPCLIENT 1 "08 September 2003" "" "FreeRADIUS Daemon"
+.SH NAME
+radeapclient - send EAP packets to a RADIUS server, calculate responses
+.SH SYNOPSIS
+.B radeapclient
+.RB [ \-4 ]
+.RB [ \-6 ]
+.RB [ \-c
+.IR count ]
+.RB [ \-d
+.IR raddb_directory ]
+.RB [ \-f
+.IR file ]
+.RB [ \-h ]
+.RB [ \-i
+.IR source_ip ]
+.RB [ \-q ]
+.RB [ \-s ]
+.RB [ \-r
+.IR retries ]
+.RB [ \-S
+.IR file ]
+.RB [ \-t
+.IR timeout ]
+.RB [ \-v ]
+.RB [ \-x ]
+\fIserver {acct|auth} secret\fP
+.SH DESCRIPTION
+\fBradeapclient\fP is a radius client program. It can send arbitrary radius
+packets to a radius server, then shows the reply. Radeapclient differs from
+radclient in that if there is an EAP-MD5 challenge, then it will be responded
+to.
+.PP
+\fBradeapclient\fP is otherwise identical to \fBradclient\fP.
+.PP
+The \fIEAP-Identity\fP attribute, if present is used to construct an
+EAP Identity message.
+.PP
+.PP
+The \fIEAP-MD5-Password\fP attribute, if present is used to respond to an
+MD5 challenge.
+.PP
+No other EAP types are currently supported.
+
+.SH OPTIONS
+.IP \-4
+Use IPv4 (default)
+.IP \-6
+Use IPv6
+.IP \-c\ \fIcount\fP
+Send each packet \fIcount\fP times.
+.IP \-d\ \fIraddb\fP
+Set dictionary directory.
+.IP \-f\ \fIfile\fP
+Read packets from \fIfile\fP, not stdin.
+.IP \-r\ \fIretries\fP
+If timeout, retry sending the packet \fIretries\fP times.
+.IP \-t\ \fItimeout\fP
+Wait \fItimeout\fP seconds before retrying (may be a floating point number).
+.IP \-h
+Print usage help information.
+.IP \-i\ \fIid\fP
+Set request id to '\fIid\fP'. Values may be 0..255
+.IP \-S\ \fIfile\fP
+Read secret from \fIfile\fP, not command line.
+.IP \-q
+Quiet, do not print anything out.
+.IP \-s
+Print out summary information of auth results.
+.IP \-v
+Show program version information.
+.IP \-x
+Enable debugging mode.
+
+.SH EXAMPLE
+
+A sample session that queries the remote server with an EAP-MD5
+challenge.
+.RS
+.sp
+.nf
+.ne 3
+( echo 'User-Name = "bob"';
+ echo 'EAP-MD5-Password = "hello"';
+ echo 'NAS-IP-Address = marajade.sandelman.ottawa.on.c';
+ echo 'EAP-Code = Response';
+ echo 'EAP-Id = 210';
+ echo 'EAP-Type-Identity = "bob";
+ echo 'Message-Authenticator = 0x00';
+ echo 'NAS-Port = 0' ) >req.txt
+
+radeapclient -x localhost auth testing123 <req.txt
+.fi
+.sp
+.RE
+
+.SH SEE ALSO
+radclient(1)
+.SH AUTHOR
+Michael Richardson, <mcr@sandelman.ottawa.on.ca>
diff --git a/man/man1/radlast.1 b/man/man1/radlast.1
new file mode 100644
index 0000000..ff48f22
--- /dev/null
+++ b/man/man1/radlast.1
@@ -0,0 +1,21 @@
+.TH RADLAST 1 "22 February 2001" "" "FreeRADIUS Daemon"
+.SH NAME
+radlast - show "last" info from the radwtmp file
+.SH SYNOPSIS
+.B radlast
+.IR [ options ]
+.SH DESCRIPTION
+The FreeRADIUS server can write an accounting log in the
+\fIwtmp\fP format of the local system. \fBradlast\fP is a frontend
+for the systems \fBlast\fP command - it just calls \fBlast\fP
+with the \fI-f path_to_radwtmp_file\fP argument, and passes all
+options on the command line to the system \fBlast\fP command.
+.SH OPTIONS
+See the manpage of the system \fBlast\fP command.
+.SH SEE ALSO
+radiusd(8),
+radiusd.conf(5),
+wtmp(5),
+last(1).
+.SH AUTHOR
+Miquel van Smoorenburg, miquels@cistron.nl.
diff --git a/man/man1/radtest.1 b/man/man1/radtest.1
new file mode 100644
index 0000000..2bf8997
--- /dev/null
+++ b/man/man1/radtest.1
@@ -0,0 +1,81 @@
+.TH RADTEST 1 "5 April 2010" "" "FreeRADIUS Daemon"
+.SH NAME
+radtest - send packets to a RADIUS server, show reply
+.SH SYNOPSIS
+.B radtest
+.RB [ \-d
+.IR raddb_directory ]
+.RB [ \-P
+.IR tcp/udp ]
+.RB [ \-t
+.IR pap/chap/mschap/eap-md5 ]
+.RB [ \-x
+.IR ]
+.RB [ \-4
+.IR ]
+.RB [ \-6
+.IR ]
+.I user password radius-server nas-port-number secret
+.RB [ ppphint ]
+.RB [ nasname ]
+.SH DESCRIPTION
+\fBradtest\fP is a frontend to \fBradclient\fP(1). It generates a
+list of attribute/value pairs based on the command line arguments,
+and feeds these into \fBradclient\fP. It's a fast and convenient
+way to test a radius server.
+
+.SH OPTIONS
+
+.IP "\-d \fIraddb_directory\fP"
+The directory that contains the RADIUS dictionary files. Defaults to
+\fI/etc/raddb\fP.
+
+.IP "\-P\ \fIproto\fP"
+Use \fIproto\fP transport protocol ("tcp" or "udp").
+Only available if FreeRADIUS is compiled with TCP transport support.
+
+.IP "\-t \fIpap/chap/mschap/eap-md5\fP"
+Choose the authentication method to use. e.g. "-t pap", "-t chap", "-t
+mschap", or "-t eap-md5",. Defaults to "pap". Using EAP-MD5 requires
+that the "radeapclient" program is installed.
+
+.IP "\-x"
+Enables debugging output for the RADIUS client.
+
+.IP "\-4"
+Use NAS-IP-Address for the NAS address (default)
+
+.IP "\-6"
+Use NAS-IPv6-Address for the NAS address (default)
+
+.IP user
+Username to send.
+
+.IP password
+Password of the user.
+
+.IP radius-server
+Hostname or IP address of the radius server. Optionally, you may specify a
+port by appending :port
+
+.IP nas-port-number
+The value of the NAS-Port attribute. Is an integer between 0 and 2^31,
+and it really doesn't matter what you put here. \fI10\fP will do fine.
+
+.IP secret
+The shared secret for this client.
+
+.IP ppphint
+If you put an integer > 0 here, radtest (or actually radclient) will
+add the attribute \fIFramed-Protocol = PPP\fP to the request packet.
+
+.IP nasname
+If present, this will be resolved to an IP address and added to
+the request packet as the \fINAS-IP-Address\fP attribute. If you
+don't specify it, the local hostname of the system will be used.
+
+.SH SEE ALSO
+radiusd(8),
+radclient(1).
+.SH AUTHOR
+Miquel van Smoorenburg, miquels@cistron.nl.
diff --git a/man/man1/radwho.1 b/man/man1/radwho.1
new file mode 100644
index 0000000..c131255
--- /dev/null
+++ b/man/man1/radwho.1
@@ -0,0 +1,99 @@
+.TH RADWHO 1 "17 Feb 2013" "" "FreeRADIUS Daemon"
+.SH NAME
+radwho - show online users
+.SH SYNOPSIS
+.B radwho
+.RB [ \-c ]
+.RB [ \-d
+.IR raddb_directory ]
+.RB [ \-F
+.IR radutmp_file ]
+.RB [ \-i ]
+.RB [ \-n ]
+.RB [ \-N
+.IR nas_ip_address ]
+.RB [ \-p ]
+.RB [ \-P
+.IR nas_port ]
+.RB [ \-r ]
+.RB [ \-R ]
+.RB [ \-s ]
+.RB [ \-S ]
+.RB [ \-u
+.IR user ]
+.RB [ \-U
+.IR user ]
+.RB [ \-Z ]
+.SH DESCRIPTION
+The FreeRADIUS server can be configured to maintain an active session
+database in a file called \fIradutmp\fP. This utility shows the
+content of that session database.
+.SH OPTIONS
+.IP \-c
+Shows caller ID (if available) instead of the full name.
+.IP \-d\ \fIraddb_directory\fP
+The directory that contains the RADIUS configuration files. Defaults to
+\fI/etc/raddb\fP.
+.IP \-F\ \fIradutmp_file\fP
+The file that contains the radutmp file. If this is specified, \-d is
+not necessary.
+.IP \-i
+Shows the session ID instead of the full name.
+.IP \-n
+Normally radwho looks up the username in the systems password file,
+and shows the full username as well. The \fB-n\fP flags prevents this.
+.IP \-N\ \fInas_ip_address\fP
+Show only those entries which match the given NAS IP address.
+.IP \-p
+Adds an extra column for the port type - I for ISDN, A for Analog.
+.IP \-P\ \fInas_port\fP
+Show only those entries which match the given NAS port.
+.IP \-r
+Outputs all data in \fIraw\fP format - no headers, no formatting,
+fields are comma-separated.
+.IP \-R
+Output all data in RADIUS attribute format. All fields are printed.
+.IP \-s
+Show full name.
+.IP \-S
+Hide shell users. Doesn't show the entries for users that do not
+have a SLIP or PPP session.
+.IP \-u\ \fIuser\fP
+Show only those entries which match the given username (case insensitive).
+.IP \-U\ \fIuser\fP
+Show only those entries which match the given username (case sensitive).
+.IP \-Z
+When combined with \fI-R\fP, prints out the contents of an
+Accounting-Request packet which can be passed to \fIradclient\fP, in
+order to "zap" that users session from \fIradutmp\fP.
+.PP
+For example,
+.RS
+.sp
+.nf
+.ne 3
+$ radwho -ZRN 10.0.0.1 | radclient -f - radius.example.net acct testing123
+.fi
+.sp
+.RE
+will result in all an Accounting-Request packet being sent to the
+RADIUS server, which tells the server that the NAS rebooted. i.e. It
+"zaps" all of the users on that NAS.
+
+To "zap" one user, specify NAS, username, and NAS port:
+.RS
+.sp
+.nf
+.ne 3
+$ radwho -ZRN 10.0.0.1 -u user -P 10 | radclient -f - radius.example.net acct testing123
+.fi
+.sp
+.RE
+Other combinations are also possible.
+
+.SH SEE ALSO
+radiusd(8),
+radclient(1),
+radiusd.conf(5).
+.SH AUTHOR
+Miquel van Smoorenburg, miquels@cistron.nl.
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
new file mode 100644
index 0000000..03b9a43
--- /dev/null
+++ b/man/man1/radzap.1
@@ -0,0 +1,68 @@
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
+.SH NAME
+radzap - remove rogue entries from the active sessions database
+.SH SYNOPSIS
+.B radzap
+.RB [ \-d
+.IR raddb_directory ]
+.RB [ \-h ]
+.RB [ \-N
+.IR nas_ip_address ]
+.RB [ \-P
+.IR nas_port ]
+.RB [ \-u
+.IR user ]
+.RB [ \-U
+.IR user ]
+.RB [ \-x ]
+\fIserver[:port] secret\fP
+.SH DESCRIPTION
+The FreeRADIUS server can be configured to maintain an active session
+database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
+use this database. Sometimes that database can get out of sync, and
+then it might contain rogue entries. \fBradzap\fP can clean up this
+database.
+
+As of FreeRADIUS 1.1.0, \fBradzap\fP is a simple shell-script wrapper
+around \fBradwho\fP(1) and \fBradclient\fP(1).
+
+The sessions are "zapped" by sending an Accounting-Request packet
+which contains the information necessary for the server to delete the
+session record. \fBradzap\fP sends a packet to the server, rather
+than writing to \fIradutmp\fP directly, because session records may
+also be maintained in SQL.
+.SH OPTIONS
+.IP \-d\ \fIraddb_directory\fP
+The directory that contains the RADIUS configuration files.
+\fBradzap\fP reads \fIradiusd.conf\fP to determine the location of the
+\fIradutmp\fP file.
+.IP \-h
+Print usage help information.
+.IP \-N\ \fInas_ip_address\fP
+Zap the entries which match the given NAS IP address.
+.IP \-P\ \fInas_port\fP
+Zap the entries which match the given NAS port.
+.IP \-u\ \fIuser\fP
+Zap the entries which match the given username (case insensitive).
+.IP \-U\ \fIuser\fP
+Zap the entries which match the given username (case sensitive).
+.IP \-x
+Enable debugging output.
+.IP server[:port]
+The hostname or IP address of the remote server. Optionally a UDP port
+can be specified. If no UDP port is specified, it is looked up in
+\fI/etc/services\fP. The service name looked for is \fBradacct\fP for
+accounting packets, and \fBradius\fP for all other requests. If a
+service is not found in \fI/etc/services\fP, 1813 and 1812 are used
+respectively.
+.IP secret
+The shared secret for this client. It needs to be defined on the
+radius server side too, for the IP address you are sending the radius
+packets from.
+.SH SEE ALSO
+radwho(1),
+radclient(1),
+radiusd(8),
+radiusd.conf(5).
+.SH AUTHOR
+Alan DeKok <aland@ox.org>
diff --git a/man/man1/smbencrypt.1 b/man/man1/smbencrypt.1
new file mode 100644
index 0000000..19e4d0e
--- /dev/null
+++ b/man/man1/smbencrypt.1
@@ -0,0 +1,22 @@
+.TH SMBENCRYPT 1
+.SH NAME
+smbencrypt - produce LM & NT password hashes from cleartext passwords
+.SH SYNOPSIS
+.B smbencrypt \fIpassword\fP [\fIpassword ...\fP]
+
+.SH DESCRIPTION
+\fBsmbencrypt\fP For each cleartext password passed on the command line
+emit the LM-Password and NT-Password hashes for that password.
+
+.SH EXAMPLE
+.nf
+$ smbencrypt foo bar
+LM Hash NT Hash
+-------------------------------- --------------------------------
+5BFAFBEBFB6A0942AAD3B435B51404EE AC8E657F83DF82BEEA5D43BDAF7800CC
+A6428F2551EDEE1BAAD3B435B51404EE 86C156FC198B358CCCF6278D8BD49B6A
+.fi
+
+.SH SEE ALSO
+radiusd(8)
+.SH AUTHORS
diff --git a/man/man5/checkrad.5 b/man/man5/checkrad.5
new file mode 100644
index 0000000..68a33f4
--- /dev/null
+++ b/man/man5/checkrad.5
@@ -0,0 +1,95 @@
+.TH CHECKRAD 5 "13 January 2006"
+.SH NAME
+checkrad -- See if a user is (still) logged in on a certain port.
+.SH SYNOPSIS
+.B checkrad
+.RB [ -d ]
+.I nas-type nas-ip nas-port login session-id
+.SH DESCRIPTION
+\fBCheckrad\fP is used by the radius server to check if its idea of a user logged in
+on a certain port/NAS is correct if a double login is detected.
+
+Returns: 0 = no duplicate, 1 = duplicate, >1 = error.
+
+.SH OPTIONS
+
+.IP -d
+Enable printing of debugging information.
+
+.IP nas-type
+Type of port/NAS. Can be one of:
+
+.RS
+.IP \(bu
+ascend
+.IP \(bu
+bay
+.IP \(bu
+cisco
+.IP \(bu
+cisco_l2tp
+.IP \(bu
+computone
+.IP \(bu
+cvx
+.IP \(bu
+digitro
+.IP \(bu
+dot1x
+.IP \(bu
+livingston
+.IP \(bu
+max40xx
+.IP \(bu
+mikrotik
+.IP \(bu
+mikrotik_snmp
+.IP \(bu
+multitech
+.IP \(bu
+netserver
+.IP \(bu
+other
+.IP \(bu
+pathras
+.IP \(bu
+patton
+.IP \(bu
+portslave
+.IP \(bu
+pr3000
+.IP \(bu
+pr4000
+.IP \(bu
+redback
+.IP \(bu
+tc
+.IP \(bu
+usrhiper
+.IP \(bu
+versanet
+.P
+The "other" type cause \fBcheckrad\fP to skip any check and always returns 1.
+.RE
+
+
+.IP nas-ip
+IP address of the NAS to check.
+
+.IP nas-port
+The NAS port to check (may be ignored by some nas-type).
+
+.IP login
+The login name to check.
+
+.IP session-id
+Session to check. (actually ignored by all nas-type)
+
+.SH SEE ALSO
+radiusd(8)
+
+.SH AUTHOR
+Written by Miquel van Smoorenburg, miquels@cistron.nl.
+
+This manual page was written by Marco Nenciarini <mnencia@debian.org> for
+the Debian project (but may be used by others).
diff --git a/man/man5/clients.conf.5 b/man/man5/clients.conf.5
new file mode 100644
index 0000000..6c6b3ee
--- /dev/null
+++ b/man/man5/clients.conf.5
@@ -0,0 +1,46 @@
+.TH clients.conf 5 "13 June 2005" "" "FreeRADIUS client configuration"
+.SH NAME
+clients.conf \- FreeRADIUS client configuration
+.SH DESCRIPTION
+The
+.I clients.conf
+file contains definitions of RADIUS clients.
+.PP
+The information in this file overrides any information provided in
+the deprecated
+.BR clients
+and
+.BR naslist
+files.
+.PP
+The file format is the same as that used for
+.I radiusd.conf.
+See
+.BR radiusd.conf (5)
+for more details.
+.PP
+Each RADIUS client entry has the following basic form:
+.IP
+.nf
+client <short-name> {
+ <attribute> = <value>
+ }
+.fi
+.PP
+Clients have many configuration parameters. Most are documented in the file
+itself as comments. This page documents only the format of the file. Please
+read the \fBclients.conf\fP file itself for more information.
+
+The old-style format from 1.x is still accepted by the server, but
+that form is deprecated.
+.SH FILES
+.I /etc/raddb/clients.conf
+
+.I /etc/raddb/radiusd.conf
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+
+.SH AUTHOR
+FreeRADIUS is authored by the FreeRADIUS team.
+http://freeradius.org/
diff --git a/man/man5/dictionary.5 b/man/man5/dictionary.5
new file mode 100644
index 0000000..ec63309
--- /dev/null
+++ b/man/man5/dictionary.5
@@ -0,0 +1,185 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH dictionary 5 "12 Jun 2015"
+.SH NAME
+dictionary \- RADIUS dictionary file
+.SH DESCRIPTION
+The master RADIUS dictionary file resides in
+\fI/etc/raddb/dictionary\fP. It references other \fIdictionary\fP
+files located in \fI/usr/local/share/freeradius/\fP. Each dictionary
+file contains a list of RADIUS attributes and values, which the server
+uses to map between descriptive names and on-the-wire data. The names
+have no meaning outside of the RADIUS server itself, and are never
+exchanged between server and clients.
+.PP
+That is, editing the dictionaries will have NO EFFECT on anything
+other than the server that is reading those files. Adding new
+attributes to the dictionaries will have NO EFFECT on RADIUS clients,
+and will not make RADIUS clients magically understand those
+attributes. The dictionaries are solely for local administrator
+convenience, and are specific to each version of FreeRADIUS.
+.PP
+The dictionaries in \fI/usr/local/share\fP SHOULD NOT be edited unless
+you know exactly what you are doing. Changing them will most likely
+break your RADIUS deployment.
+.PP
+If you need to add new attributes, please edit the
+\fI/etc/raddb/dictionary\fP file. It's sole purpose is to contain
+site-local definitions that are added by the local administrator.
+
+.SH FORMAT
+Every line starting with a hash sign
+.RB (' # ')
+is treated as comment and ignored.
+.PP
+Each line of the file can contain one of the following strings:
+.TP 0.5i
+.B ATTRIBUTE name oid type [flags]
+Define a RADIUS attribute name to number mapping.
+
+The \fIname\fP field is a printable field, taken from various
+specifications or vendor definitions. It is most commonly used as a
+series of words, separated by hyphens. e.g. "User-Name".
+Vendor-specific attributes (VSAs) are prefixed by the vendor name,
+e.g. "Cisco-AVPair". The names should be globally unique, as they are
+used as a key to look up the properties of the attribute.
+
+The \fIoid\fP field is taken from the relevant specification for that
+name. In most cases, it is a decimal number, such as "256". For
+certain attributes, a "dotted number" notation is used, e.g. "1.2".
+The "dotted number" notation is used only for certain attributes.
+
+The \fItype\fP field can be one of the standard types:
+
+ string UTF-8 printable text (the RFCs call this "text")
+ octets opaque binary data (the RFCs call this "string")
+ ipaddr IPv4 address
+ date Seconds since January 1, 1970 (32-bits)
+ integer 32-bit unsigned integer
+ ipv6addr IPv6 Address
+ ipv6prefix IPV6 prefix, with mask
+ ifid Interface Id (hex:hex:hex:hex)
+ integer64 64-bit unsigned integer
+
+The \fItype\fP field can be one of the following non-standard types:
+
+ ether Ethernet MAC address
+ abinary Ascend binary filter format
+ byte 8-bit unsigned integer
+ short 16-bit unsigned integer
+ signed 31-bit signed integer (packed into 32-bit field)
+ tlv Type-Length-Value (allows nested attributes)
+ ipv4prefix IPv4 Prefix as given in RFC 6572.
+
+The last (optional) field of an attribute definition are additional
+flags for that attribute, in a comma-separated list. Previous
+versions of the server allowed these flags to include a vendor name.
+This behavior may still work, but it is deprecated, and is not
+recommended.
+
+The options are:
+
+ encrypt=# set encryption type 1, 2, or 3.
+ has_tag The attribute can have an RFC 2868 style tag
+
+The "encrypt" flag marks the attribute as being encrypted with one of
+three possible methods. "1" means that the attribute is encrypted
+with the method as defined in \fIRFC2865\fP for the User-Password
+attribute. "2" means that the password is encrypted with the method
+as defined in \fIRFC2868\fP for the Tunnel-Password attribute. "3"
+means that the attribute is encrypted as per Ascend's definitions for
+the Ascend-Send-Secret attribute.
+
+The "has_tag" flag marks the attribute as being permitted to have a
+tag, as defined in \fIRFC2868\fP. The purpose of the tag is to allow
+grouping of attributes for tunneled users. See \fIRFC2868\fP for
+more details.
+
+When the server receives an encoded attribute in a RADIUS packet, it
+looks up that attribute by number in the dictionary, and uses the
+definition found there for printing diagnostic and log messages. When
+the server sees an attribute name in a configuration file, it looks up
+that attribute by name in the dictionary, and uses the definition
+found there.
+
+.TP 0.5i
+.B VALUE attribute-name value-name number
+Define an attribute value name to number mapping, for an attribute of
+type \fIinteger\fP. The \fIattribute-name\fP field MUST be previously
+defined by an \fIATTRIBUTE\fP entry. The \fIvalue-name\fP field can
+be any non-space text, but is usually taken from \fIRFC2865\fP, or
+other documents.. The \fInumber\fP field is also taken from the
+relevant documents, for that name.
+
+When the server receives an encoded value in a RADIUS packet, it looks
+up the value of that attribute by number in the dictionary, and uses
+the name found there for printing diagnostic and log messages.
+.TP 0.5i
+.B VENDOR vendor-name number [format=...]
+Define a Vendor Specific Attribute encapsulation for \fIvendor-name\fP
+to \fInumber\fP. For a list of vendor names and numbers, see
+http://www.iana.org/enterprise-numbers.txt.
+
+The "format=t,l" statement tells the server how many octets to use to
+encode/decode the vendor "type" and "length" fields in the attributes.
+The default is "format=1,1", which does not have to be specified. For
+USR VSA's, the format is "format=4,0", for Lucent VSA's it's
+"format=2,1", and for Starent VSA's it's "format=2,2".
+
+The supported values for the number of type octets (i.e. the first
+digit) are 1, 2, and 4. The support values for the number of length
+octets (i.e. the second digit) are 0, 1, and 2. Any combination of
+those values will work.
+
+.TP 0.5i
+.B BEGIN-VENDOR vendor-name
+Define the start of a block of Vendor-Specific attributes. All of the
+following \fIATTRIBUTE\fP definitions are interpreted as being for the
+named vendor, until the block is closed by an "END-VENDOR" statement.
+
+This practice is preferred to placing the vendor name at the end of an
+\fIATTRIBUTE\fP definition.
+
+For VSAs in the RFC 6929 "Extended vendor-specific" space, a format
+can be specified following the "vendor-name". The format should be
+"format=Extended-Vendor-Specific-1", through
+"format=Extended-Vendor-Specific-6". The matching "END-VENDOR" should
+just have the "vendor-name", without the format string.
+.TP 0.5i
+.B END-VENDOR vendor-name
+End a previously defined BEGIN-VENDOR block. The "vendor-name" must match.
+.TP 0.5i
+.B $INCLUDE filename
+Include dictionary entries from the file \fIfilename\fP. The
+\fIfilename\fP is taken as relative to the location of the file which
+is asking for the inclusion.
+.TP 0.5i
+.B BEGIN-TLV name
+This feature is supported for backwards compatibility with older
+dictionaries. It should not be used. The new "oid" form for defining
+the attribute number should be used instead.
+.TP 0.5i
+.B END-TLV name
+This feature is supported for backwards compatibility with older
+dictionaries. It should not be used. The new "oid" form for defining
+the attribute number should be used instead.
+.PP
+.SH FILES
+.I /etc/raddb/dictionary,
+.I /usr/share/freeradius/dictionary.*
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR RFC2865,
+.BR RFC2866,
+.BR RFC2868
+.BR RFC6929
diff --git a/man/man5/radiusd.conf.5 b/man/man5/radiusd.conf.5
new file mode 100644
index 0000000..3f7caa6
--- /dev/null
+++ b/man/man5/radiusd.conf.5
@@ -0,0 +1,202 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH radiusd.conf 5 "28 Jun 2013" "" "FreeRADIUS configuration file"
+.SH NAME
+radiusd.conf \- configuration file for the FreeRADIUS server
+.SH DESCRIPTION
+The \fBradiusd.conf\fP file resides in the radius database directory,
+by default \fB/etc/raddb\fP. It defines the global configuration for
+the FreeRADIUS RADIUS server.
+.SH "CONTENTS"
+There are a large number of configuration parameters for the server.
+Most are documented in the file itself as comments. This page
+documents only the format of the file. Please read the
+\fBradiusd.conf\fP file itself for more information.
+
+The configuration file parser is independent of the server
+configuration. This means that you can put almost anything into the
+configuration file. So long as it is properly formatted, the server
+will start.
+
+When the server parses the configuration file, it looks only for those
+configurations it understands. Extra configuration items are ignored.
+This "feature" can be (ab)used in certain interesting ways.
+.SH "FILE FORMAT"
+The file format is line-based, like many other Unix configuration
+files. Each entry in the file must be placed on a line by itself,
+although continuations are supported.
+
+The file consists of configuration items (variable = value pairs),
+sections, and comments.
+.IP Variables
+Variables can be set via:
+
+.DS
+.br
+ name = value
+.DE
+
+Single and double-quoted strings are permitted:
+
+.DS
+.br
+ string1 = "hello world"
+.br
+ string2 = 'hello mom'
+.DE
+.IP Sections
+A section begins with a section name, followed on the same line by an
+open bracket '\fB{\fP'. Section may contain other sections, comments, or
+variables. Sections may be nested to any depth, limited
+only by available memory. A section ends with a close bracket
+\'\fB}\fP', on a line by itself.
+
+.DS
+.br
+ section {
+.br
+ ...
+.br
+ }
+.DE
+
+Sections can sometimes have a second name following the first one.
+The situations where this is legal depend on the context. See the
+examples and comments in the \fBradiusd.conf\fP file for more
+information.
+
+.DS
+.br
+ section foo {
+.br
+ ...
+.br
+ }
+.DE
+.IP Comments
+Any line beginning with a (\fB#\fP) is deemed to be a comment, and is
+ignored. Comments can appear after a variable or section definitions.
+
+.DS
+.br
+ # comment
+.br
+ foo = bar # set variable 'foo' to value 'bar'
+.br
+ section { # start of section
+.br
+ ...
+.br
+ } # end of section
+.DE
+.IP Continuations
+Long lines can be broken up via continuations, using '\\' as the last
+character of the line. For example, the following entry:
+
+.DS
+.br
+ foo = "blah \\
+.br
+ blah \\
+.br
+ blah"
+.DE
+
+will set the value of the variable "foo" to "blah blah blah". Any CR
+or LF is not turned into a space, but all other whitespace is
+preserved in the final value.
+.SH "REFERENCES"
+The value of a variable can reference another variable. These
+references are evaluated when the configuration file is loaded, which
+means that there is no run-time cost associated with them. This
+feature is most useful for turning long, repeated pieces of text into
+short ones.
+
+Variables are referenced by ${variable_name}, as in the following examples.
+
+.DS
+ foo = bar # set variable 'foo' to value 'bar'
+.br
+ who = ${foo} # sets variable 'who' to value of variable 'foo'
+.br
+ my = "${foo} a" # sets variable 'my' to "bar a"
+.DE
+
+If the variable exists in a section or subsection, it can be
+referenced as ${section.subsection.variable}. Forward references are
+not allowed. Relative references are allowed, by pre-pending the name
+with one or more period.
+
+.DS
+ blogs = ${.foo}
+
+.DE
+Will set variable \fBblogs\fP to the value of variable \fBfoo\fP,
+from the current section.
+
+.DS
+ blogs = ${..foo}
+
+.DE
+Will set variable \fBblogs\fP to the value of variable \fBfoo\fP, from the
+section which contains the current section.
+
+.DS
+ blogs = ${modules.detail.filename}
+
+.DE
+Will set variable \fBblogs\fP to the value of variable \fBfilename\fP,
+of the \fBdetail\fP module, which is in the \fBmodules\fP section of
+the configuration file.
+
+Properties of anonymous parent sections may also be referenced, currently
+\fBname\fP and \fBinstance\fP are supported.
+
+.DS
+ modules {
+ example foo {
+ file = ${.:name}
+ }
+ }
+
+.DE
+Will set variable \fBfile\fP to the name of the containing section (example).
+
+.DS
+ modules {
+ example foo {
+ file = ${.:instance}
+ }
+ }
+
+.DE
+Will set variable \fBfile\fP to the instance name of the containing
+section (foo).
+
+.DS
+ modules {
+ example foo {
+ file = ${..:name}
+ }
+ }
+
+.DE
+Will set variable \fBfile\fP to the name of the parent of the containing
+section (modules).
+.SH FILES
+/etc/raddb/radiusd.conf
+.SH "SEE ALSO"
+.BR radiusd (8)
+.BR unlang (5)
+.SH AUTHOR
+Alan DeKok <aland@freeradius.org>
diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
new file mode 100644
index 0000000..db74d83
--- /dev/null
+++ b/man/man5/radrelay.conf.5
@@ -0,0 +1,146 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH radrelay.conf 5 "27 May 2005" "" "FreeRADIUS configuration file"
+.SH NAME
+radrelay.conf - configuration file for the FreeRADIUS server "radrelay" personality
+.SH DESCRIPTION
+The \fBradrelay.conf\fP file resides in the radius database directory,
+by default \fB/etc/raddb\fP. It defines the global configuration for
+the FreeRADIUS server, when the server is operating as "radrelay".
+.SH "FILE FORMAT"
+For a detailed description of the file format, see "man radiusd.conf".
+The configuration entries are much the same for radrelay.conf, with a
+few differences as noted here.
+.SH "REPLICATION FOR BACKUPS"
+Many sites run multiple radius servers; at least one primary and one
+backup server. When the primary goes down, most NASes detect that and
+switch to the backup server.
+
+That will cause your accounting packets to go to the backup server -
+and some NASes don't even switch back to the primary server when it
+comes back up.
+
+The result is that accounting records are missed, and/or the
+administrator must jump through hoops in order to combine the
+different detail files from multiple servers. It also means that the
+session database ("radutmp", used for radwho and simultaneous use
+detection) gets out of sync.
+
+radrelay solves this issue by "relaying" packets from one server to
+another, so they both have the same set of accounting data.
+.SH "BUFFERING FOR HIGH-LOAD SERVERS"
+If the RADIUS server suddenly receives a many accounting packets,
+there may be insufficient CPU power to process them all in a timely
+manner. This problem is especially noticeable when the accounting
+packets are going to a back-end database.
+
+Similarly, you may have one database that tracks "live" sessions, and
+another that tracks historical accounting data. In that case,
+accessing the first database is fast, as it is small. Accessing the
+second database many be slower, as it may contain multiple gigabytes
+of data. In addition, writing to the first database in a timely
+manner is important, while data may be written to the second database
+with a few minutes delay, without any harm being done.
+.SH "RELAYING OF ACCOUNTING PACKETS"
+The \fBradrelay.conf\fP file controls the "radrelay" personality of
+the server, which can perform both of the functions above at the same
+time.
+.SH USAGE
+First, you should configure the main radius server to log to an extra,
+single detail file. This may be done by adding an extra instance of
+the detail module to \fBradiusd.conf\fP:
+
+For example:
+
+.DS
+ detail radrelay-detail {
+.br
+ filename = ${radacctdir}/radrelay/detail
+.br
+ permissions = 0600
+.br
+ dir_permissions = 0755
+.br
+ locking = yes
+.br
+ }
+.br
+ ...
+.br
+ accounting {
+.br
+ ...
+.br
+ radrelay-detail
+.br
+ ...
+.br
+ }
+.br
+.DE
+This configuration will cause accounting packets to be logged to the
+\fI${radacctdir}/radrelay/detail\fP file. This file should not be
+rotated by standard log rotation scripts, as the \fBradrelay\fP
+program will read and rotate it.
+.SH RADRELAY.CONF EXAMPLE
+See the \fBradrelay.conf\fP file for detailed instructions on
+configuration entries, what they mean, and how to use them.
+
+To have the "radrelay" portion of the server read the above detail
+file, configure \fBradrelay.conf\fP with the following section:
+
+.DS
+.br
+ listen {
+.br
+ type = detail
+.br
+ filename = ${radacctdir}/radrelay/detail
+.br
+ max_outstanding = 100
+.br
+ identity = radrelay
+.br
+ }
+.br
+.DE
+
+The server will read the accounting packets from the detail file, and
+process them just as if it had received them from the NAS. Therefore,
+you should configure the "accounting" section of \fBradrelay.conf\fP
+to write the accounting records to an "sql" module, or to proxy them
+to another RADIUS server.
+
+Then, start the server via the following command:
+
+$ radiusd \-n radrelay
+
+The server should start up, read the detail file, and process
+accounting packets from it.
+.SH NOTES
+The \fBradiusd.conf\fP file is not read at all when the server is
+running as radrelay. Please edit \fBradrelay.conf\fP.
+.SH CREDITS
+The original "radrelay" program was written by Miquel van Smoorenburg
+for the Cistron radius project, and ported to FreeRADIUS by Simon
+Ekstrand. The "radsqlrelay" was written by Kostas Kalavras. It was
+never released as part of an official FreeRADIUS release, but served as
+a basis for the design of this implementation.
+.PP
+.SH FILES
+/etc/raddb/radrelay.conf
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHOR
+Alan DeKok <aland@ox.org>
diff --git a/man/man5/rlm_always.5 b/man/man5/rlm_always.5
new file mode 100644
index 0000000..383b271
--- /dev/null
+++ b/man/man5/rlm_always.5
@@ -0,0 +1,119 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_always 5 "10 January 2015" "" "FreeRADIUS Module"
+.SH NAME
+rlm_always \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_always\fP module provides a simple way to "always" return a
+value during the processing of a configuration section.
+.PP
+The main configuration item is \fIrcode\fP, which sets the return code that
+this instantiation of the module will return. The default, if none
+specified, is 'fail'.
+.PP
+The valid options for rcode are as follows:
+.RS
+.TP
+reject
+reject the user;
+.IP fail
+a failure has occurred;
+.IP ok
+success;
+.IP handled
+the request has been handled: processing should be stopped and the response
+sent;
+.IP invalid
+request is invalid;
+.IP userlock
+the user account has been locked out;
+.IP notfound
+the user account cannot be found;
+.IP noop
+no-op: nothing has happened;
+.IP updated
+the request has been updated.
+.RE
+.SH CONFIGURATION
+.PP
+.IP "rcode = <code>"
+This module will always return with the code specified, as listed in the
+table above. If unspecified, the default is 'fail'.
+.IP "simulcount = <n>"
+If this module is used in the session{} section, the simulcount option
+simulates the user having 'n' current sessions. The default is to not
+override the number of sessions.
+.IP "mpp = <yes|no>"
+If set to yes, and this module is used in the session{} section, this
+simulates the user having multilink sessions. The default is 'no'.
+.PP
+.SH EXAMPLE
+.PP
+.DS
+modules {
+ ...
+.br
+ # instantiate the "always" module with the name "ok"
+.br
+ always ok {
+.br
+ # return code for this instantiation is "ok":
+.br
+ rcode = ok
+.br
+ }
+.br
+ ...
+.br
+}
+.br
+
+.br
+authorize {
+ ...
+.br
+ redundant {
+ sql1 # try to find the user in sql1
+.br
+ sql2 # try to find the user in sql2
+.br
+ # the default here would be to fail, but...
+.br
+ ok # if still not found, it's OK.
+.br
+ }
+ ...
+.br
+}
+.DE
+.SH SECTIONS
+.BR authorization,
+.BR authentication,
+.BR postauthentication,
+.BR preaccounting,
+.BR accounting,
+.BR preproxy,
+.BR postproxy
+.PP
+.SH FILES
+.I /etc/raddb/mods-available/always
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5),
+.BR unlang (5)
+.PP
+Further details of how module return codes operate can be found at <http://wiki.freeradius.org/config/Fail-over>.
+.SH AUTHOR
+Chris Parker <cparker@segv.org>, Matthew Newton
+<matthew@newtoncomputing.co.uk>.
diff --git a/man/man5/rlm_attr_filter.5 b/man/man5/rlm_attr_filter.5
new file mode 100644
index 0000000..adb6130
--- /dev/null
+++ b/man/man5/rlm_attr_filter.5
@@ -0,0 +1,145 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_attr_filter 5 "27 June 2013" "" "FreeRADIUS Module"
+.SH NAME
+rlm_attr_filter \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_attr_filter\fP module exists for filtering certain
+attributes and values in received ( or transmitted ) radius packets.
+It gives the server a flexible framework to filter the attributes we
+send to or receive from home servers or NASes. This makes sense, for
+example, in an out-sourced dialup situation to various policy
+decisions, such as restricting a client to certain ranges of
+Idle-Timeout or Session-Timeout.
+.PP
+Filter rules are normally defined and applied on a per-realm basis,
+where the realm is anything that is defined and matched based on the
+configuration of the \fIrlm_realm\fP module. Filter rules can
+optionally be applied using another attribute, by editing the
+\fIkey\fP configuration for this module.
+.PP
+In 2.0.1 and earlier versions, the "accounting" section filtered the
+Accounting-Request, even though it was documented as filtering the
+response. This issue has been fixed in version 2.0.2 and later
+versions. The "preacct" section may now be used to filter
+Accounting-Request packets. The "accounting" section now filters
+Accounting-Response packets. Administrators using "attr_filter" in
+the "accounting" section SHOULD move the reference to "attr_filter"
+from "accounting" to "preacct".
+.PP
+The file that defines the attribute filtering rules follows a similar
+syntax to the \fIusers\fP file. There are a few differences however:
+.PP
+.DS
+ There are no check-items allowed other than the name of the key.
+.PP
+ There can only be a single DEFAULT entry.
+.PP
+The rules for each entry are parsed to top to bottom, and an
+attribute must pass *all* the rules which affect it in order to
+make it past the filter. Order of the rules is important.
+The operators and their purpose in defining the rules are as
+follows:
+.TP
+.B =
+THIS OPERATOR IS NOT ALLOWED. If used, and warning message is
+printed and it is treated as ==
+.TP
+.B :=
+Set, this attribute and value will always be placed in the
+output A/V Pairs. If the attribute exists, it is overwritten.
+.TP
+.B ==
+Equal, value must match exactly.
+.TP
+.B =*
+Always Equal, allow all values for the specified attribute.
+.TP
+.B !*
+Never Equal, disallow all values for the specified attribute.
+( This is redundant, as any A/V Pair not explicitly permitted
+will be dropped ).
+.TP
+.B !=
+Not Equal, value must not match.
+.TP
+.B >=
+Greater Than or Equal
+.TP
+.B <=
+Less Than or Equal
+.TP
+.B >
+Greater Than
+.TP
+.B <
+Less Than
+.PP
+If regular expressions are enabled the following operators are
+also possible. ( Regular Expressions are included by default
+unless your system doesn't support them, which should be rare ).
+The value field uses standard regular expression syntax.
+.PP
+.TP
+.B =~
+Regular Expression Equal
+.TP
+.B !~
+Regular Expression Not Equal
+.PP
+See the default \fI/etc/raddb/mods-config/attr_filter/\fP for working examples of
+sample rule ordering and how to use the different operators.
+.DE
+.PP
+The configuration items are:
+.IP file
+This specifies the location of the file used to load the filter rules.
+This file is used to filter the accounting response, packet before it
+is proxied, proxy response from the home server, or our response to
+the NAS.
+.IP key
+Usually %{Realm} (the default). Can also be %{User-Name}, or other
+attribute that exists in the request. Note that the module always
+keys off of attributes in the request, and NOT in any other packet.
+.IP relaxed
+If set to 'yes', then attributes which do not match any filter rules
+explicitly, will also be allowed. This behaviour may be overridden
+for an individual filter block using the Relax-Filter check item.
+The default for this configuration item is 'no'.
+.PP
+.SH SECTIONS
+.IP preacct
+Filters Accounting-Request packets.
+.IP accounting
+Filters Accounting-Response packets.
+.IP pre-proxy
+Filters Accounting-Request or Access-Request packets prior to proxying
+them.
+.IP post-proxy
+Filters Accounting-Response, Access-Accept, Access-Reject, or
+Access-Challenge responses from a home server.
+.IP authorize
+Filters Access-Request packets.
+.IP post-auth
+Filters Access-Accept or Access-Reject packets.
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf
+.I /etc/raddb/mods-config/attr_filter/*
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHOR
+Chris Parker, cparker@segv.org
+
diff --git a/man/man5/rlm_chap.5 b/man/man5/rlm_chap.5
new file mode 100644
index 0000000..de0b8c0
--- /dev/null
+++ b/man/man5/rlm_chap.5
@@ -0,0 +1,30 @@
+.TH rlm_chap 5 "3 February 2004" "" "FreeRADIUS Module"
+.SH NAME
+rlm_chap \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_chap\fP module provides CHAP functionality.
+.PP
+This module validates a user with CHAP authentication.
+If called in Authorize, it will look for CHAP-Password
+attribute in the Access-Request and adds an Auth-Type
+attribute set to CHAP if the Config-Items list unless
+Auth-Type has already set.
+.PP
+CHAP authentication requires access to the clear-text
+password for the user. Standard Unix system authentication
+or passwords encrypted via crypt() are not compatible
+with CHAP.
+.PP
+.SH SECTIONS
+.BR authorization,
+.BR authentication
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHOR
+Chris Parker, cparker@segv.org
+
diff --git a/man/man5/rlm_counter.5 b/man/man5/rlm_counter.5
new file mode 100644
index 0000000..a8eae18
--- /dev/null
+++ b/man/man5/rlm_counter.5
@@ -0,0 +1,89 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_counter 5 "13 March 2004" "" "FreeRADIUS Module"
+.SH NAME
+rlm_counter \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_counter\fP module provides a general framework to
+allow access based on accumulated usage of a resource, such as
+total time online in a given period, total data transferred in
+a given period, etc. This is very useful in a 'Prepaid Service'
+situation, where a user has paid for a finite amount of usage
+and should not be allowed to use more than that service. Collection,
+monitoring, and replenishment of prepaid services are beyond the
+scope of this module.
+.PP
+The main configuration items to be aware of are:
+.IP filename
+The filename where the usage data is stored.
+.IP key
+An attribute which will be present in the Access-Request to be used as
+the 'index' value for the counter. A counter entry is tracked for
+each unique key. The most likely key you will want to use is User-Name.
+.IP count_attribute
+An attribute which will be used to increment the counter value. If this
+attribute is Acct-Session-Time or an integer value the counter data is
+incremented by the Attribute value. For all other attribute types the
+counter is incremented by one.
+.IP reset
+How frequently the counter data should be set back to 0. Valid values for
+this variable are:
+.BR hourly,
+.BR daily,
+.BR weekly,
+.BR monthly,
+.BR or never
+Alternatively, it can be user defined, in the form: num[hdwm]. num is
+a numeric value, followed by one or none of the following letters. h: hours,
+d: days, w: weeks, m: months.
+.IP check_name
+This defines an attribute name which will be registered by the counter module
+and can be used to set the maximum allowed value for the counter after which
+the user is rejected. If Daily-Session-Time is set, you can use the following
+syntax in the Users file to set a cap of 3600 seconds ( 8 hours ):
+.PP
+.DS
+DEFAULT Max-Daily-Session := 3600
+.DE
+.PP
+.IP reply_name
+This is the name of the attribute which will contain the remaining value for
+the counter in the reply packet when the user is successfully authorized. The
+default attribute name is "Session-Timeout".
+.IP allowed_service_type
+This can be used to only apply the limitations to specific service types of
+sessions. For example, setting this to Framed-User will only apply the counter
+module to Framed sessions, excluding other types such as Telnet or Rlogin.
+.IP cache_size
+The maximum size of the cache to be used by the module. The default is 1000.
+.SH NOTES
+This module registers an attribute, so it should be added to the
+instantiate section, to be called on server startup. When used
+in the authorize section, it must come after any modules which
+set the 'check_name' attribute.
+.PP
+.SH SECTIONS
+.BR instantiate,
+.BR authorize,
+.BR accounting
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.BR rlm_sqlcounter (5)
+.SH AUTHOR
+Chris Parker, cparker@segv.org
+
diff --git a/man/man5/rlm_detail.5 b/man/man5/rlm_detail.5
new file mode 100644
index 0000000..6609e16
--- /dev/null
+++ b/man/man5/rlm_detail.5
@@ -0,0 +1,89 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_detail 5 "27 June 2013" "" "FreeRADIUS Module"
+.SH NAME
+rlm_detail \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_detail\fP module writes radius packets to 'detail' files.
+It is primarily used for storing accounting information, but can be
+used in other sections to write packet details as well.
+.PP
+The file format is similar to that of the old Livingston servers, and
+many 'detail' file parsers should work with FreeRADIUS.
+.PP
+The main configuration items to be aware of are:
+.IP file
+The file name in which to store the radius packet records. NOTE: this
+variable is run through dynamic string expansion, and can include
+FreeRADIUS variables to create a dynamic filename.
+.PP
+ %{radacctdir}/%{Client-IP-Address}/detail-%Y%m
+.PP
+ This will create one file per month, for each client.
+ This accomplishes 'file rotation' automatically from
+ within the server.
+.PP
+.IP permissions
+The file permissions of the file.
+If omitted, the default is 0600.
+.IP locking
+This option is set to 'yes' or 'no'. By default it is 'no'. Set this
+to yes to enable file locking, which is used with the 'radrelay'
+program.
+.SH CONFIGURATION
+.PP
+.DS
+modules {
+ ...
+.br
+ detail {
+.br
+ filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m
+.br
+ permissions = 0600
+.br
+ dir_permissions = 0755
+.br
+ locking = no
+.br
+ }
+.br
+ ...
+.br
+}
+ ...
+.br
+accounting {
+ ...
+.br
+ detail
+ ...
+.br
+}
+.DE
+.PP
+.SH SECTIONS
+.BR authorization,
+.BR accounting,
+.BR pre_proxy,
+.BR post_proxy,
+.BR post_authentication
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHORS
+Chris Parker, cparker@segv.org
diff --git a/man/man5/rlm_digest.5 b/man/man5/rlm_digest.5
new file mode 100644
index 0000000..fb99e0f
--- /dev/null
+++ b/man/man5/rlm_digest.5
@@ -0,0 +1,79 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_digest 5 "31 March 2005" "" "FreeRADIUS Module"
+.SH NAME
+rlm_digest \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_digest\fP module authenticates RADIUS Access-Request
+packets that contain Cisco SIP digest authentication attributes. The
+module should be listed in the \fIauthorize\fP and \fIauthenticate\fP
+sections of \fIradiusd.conf\fP.
+.SH CONFIGURATION
+The digest module requires no additional configuration items. When it
+is being used to authenticate requests, however, it does require
+access to the clear-text password for the user. Hashed passwords are
+not acceptable, and will not work.
+.SH EXAMPLES
+Add the following lines to the top of your 'raddb/users' file:
+.PP
+.DS
+#---
+.br
+test Auth-Type := Digest, User-Password = "test"
+.br
+ Reply-Message = "Hello, test with digest"
+.br
+#---
+.DE
+
+Once the server has been started (debugging mode is recommended),
+use '\fIradclient\fP to send the following packet to the server:
+.PP
+.DS
+$ radclient \-f digest localhost auth testing123
+.DE
+
+Where 'digest' is a file containing:
+.PP
+.DS
+ User-Name = "test",
+.br
+ Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7",
+.br
+ Digest-Realm = "testrealm",
+.br
+ Digest-Nonce = "1234abcd",
+.br
+ Digest-Method = "INVITE",
+.br
+ Digest-URI = "sip:5555551212@example.com",
+.br
+ Digest-Algorithm = "MD5",
+.br
+ Digest-User-Name = "test",
+.br
+ Message-Authenticator = ""
+.DE
+
+You should see the authentication succeed.
+
+.SH SECTIONS
+.BR authorize,
+.BR authenticate
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf,
+.I draft-sterman-aaa-sip-00.txt
+.PP
+.SH AUTHOR
+Alan DeKok <aland@ox.org>
diff --git a/man/man5/rlm_expr.5 b/man/man5/rlm_expr.5
new file mode 100644
index 0000000..313a16e
--- /dev/null
+++ b/man/man5/rlm_expr.5
@@ -0,0 +1,113 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_expr 5 "5 February 2004" "" "FreeRADIUS Module"
+.SH NAME
+rlm_expr \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_expr\fP module allows the server to perform
+limited mathematical calculations. This module is not called
+directly in any section, it is invoked through the dynamic expansion
+of strings.
+.PP
+For example, some NAS boxes send a NAS-Port attribute
+which is a 32-bit number composed of port, card, and interface, all in
+different bytes. To see these attributes split into pieces, you can
+have an entry in the 'users' file like:
+
+.DS
+DEFAULT
+.br
+ Vendor-Interface = `%{expr: %{NAS-Port} / (256 * 256)}`,
+.br
+ Vendor-Card = `%{expr: (%{NAS-Port} / 256) %% 256}`,
+.br
+ Vendor-Port = `%{expr: %{NAS-Port} %% 256}`
+.br
+
+.DE
+where the attributes Vendor-Interface, Vendor-Card, and Vendor-Port
+are attributes created by either you or a vendor-supplied
+dictionary.
+
+The mathematical operators supported by the expression module are:
+.TP
+.B +
+addition
+.TP
+.B -
+subtraction
+.TP
+.B /
+division
+.TP
+.B %%
+modulo remainder
+.TP
+.B *
+multiplication
+.TP
+.B &
+boolean AND
+.TP
+.B |
+boolean OR
+.TP
+.B ()
+grouping of sub-expressions
+.PP
+NOTE: The modulo remainder operator is '%%', and not '%'. This
+is due to the '%' character being used as a special character for
+dynamic translation.
+.PP
+NOTE: These operators do NOT have precedence. The parsing
+of the input string, and the calculation of the answer, is done
+strictly left to right. If you wish to order the expressions, you
+MUST group them into sub-expression, as shown in the previous
+example.
+.PP
+All of the calculations are performed as unsigned 32-bit integers.
+.DE
+.SH CONFIGURATION
+.DS
+modules {
+ ...
+.br
+ expr {
+.br
+ }
+.br
+ ...
+.br
+}
+.br
+ ...
+.br
+instantiate {
+ ...
+.br
+ expr
+ ...
+.br
+}
+.SH SECTIONS
+.BR instantiate
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHOR
+Chris Parker, cparker@segv.org
+
diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
new file mode 100644
index 0000000..52f4734
--- /dev/null
+++ b/man/man5/rlm_files.5
@@ -0,0 +1,95 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_files 5 "5 February 2004" "" "FreeRADIUS Module"
+.SH NAME
+rlm_files \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_files\fP module uses the 'users' file for accessing
+authorization information for users. Additionally, it supports
+a 'users' file syntax to be applied to the accounting and pre-proxy
+sections.
+.PP
+The main configuration items to be aware of are:
+.IP usersfile
+The filename of the 'users' file, which is parsed during the
+authorization stage of this module.
+.IP acctusersfile
+The filename of the 'users' file, which is parsed during the
+accounting stage of this module.
+.IP preproxy_usersfile
+The filename of the 'users' file, which is parsed during the
+pre_proxy stage of this module.
+.IP compat
+This option allows FreeRADIUS to parse an old style Cistron syntax.
+The default is 'no'. If you need to parse an old style Cistron
+file, set this option to 'cistron'.
+.IP key
+This option lets you set the attribute to use as a key to find
+entries. The default is "%{%{Stripped-User-Name}:-%{User-Name}}". Note
+that the key MUST supply real data. Dynamic attributes like "Group"
+will not work, because the "Group" attribute can only be used as a
+comparison, to see if a user is in a Unix group. It will not return
+the name of the Unix group that a user is in.
+.PP
+If you want to use groups as a key, see the \fIrlm_passwd\fP, which
+will create a real attribute that contains the group name.
+.PP
+This configuration entry enables you to have configurations that
+perform per-group checks, and return per-group attributes, where the
+group membership is dynamically defined by a previous module. It also
+lets you do things like key off of attributes in the reply, and
+express policies like "when I send replies containing attribute
+FOO with value BAR, do more checks, and maybe send additional
+attributes".
+.SH CONFIGURATION
+.PP
+.DS
+modules {
+ ... stuff here ...
+.br
+ files {
+.br
+ usersfile = %{confdir}/users
+.br
+ acctusersfile = %{confdir}/acct_users
+.br
+ preproxy_usersfile = %{confdir}/preproxy_users
+.br
+ compat = no
+.br
+ key = %{%{Stripped-User-Name}:-%{User-Name}}
+.br
+ }
+.br
+ ... stuff here ...
+.br
+}
+.DE
+.PP
+.SH SECTIONS
+.BR authorization,
+.BR accounting,
+.BR pre_proxy
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf,
+.I /etc/raddb/users,
+.I /etc/raddb/acct_users,
+.I /etc/raddb/preproxy_users
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5),
+.BR users (5)
+.SH AUTHORS
+Chris Parker, cparker@segv.org
diff --git a/man/man5/rlm_idn.5 b/man/man5/rlm_idn.5
new file mode 100644
index 0000000..391b7d9
--- /dev/null
+++ b/man/man5/rlm_idn.5
@@ -0,0 +1,45 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_idn 5 "8 May 2013" "" "FreeRADIUS Module"
+.SH NAME
+rlm_idn \- FreeRADIUS Module
+.SH DESCRIPTION
+When instantiated, the \fIrlm_idn\fP module provides an xlat
+for performing IDNA encoding of internationalized domain names.
+Decoding and other similar encodings like plain punycode are not
+currently supported.
+.PP
+For example, the following unlang expression would evaluate to TRUE:
+
+"%{idn:fūbar.site}" == "xn--fbar-v7a.site"
+
+.PP
+Each instance of rlm_idn may take the following parameters:
+.IP use_std3_ascii_rules
+This boolean is set by default and prohibits e.g. underscores in domain names.
+.IP allow_unassigned
+This boolean is unset by default, which prohibits use of unassigned Unicode points.
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf
+.PP
+.SH REFERENCES
+RFC 3490
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.BR idna_to_ascii_8z (3)
+.SH AUTHOR
+Brian S. Julin, bjulin@clarku.edu
+
diff --git a/man/man5/rlm_mschap.5 b/man/man5/rlm_mschap.5
new file mode 100644
index 0000000..cc3a72a
--- /dev/null
+++ b/man/man5/rlm_mschap.5
@@ -0,0 +1,110 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_mschap 5 "13 March 2004" "" "FreeRADIUS Module"
+.SH NAME
+rlm_mschap \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_mschap\fP module provides MS-CHAP and MS-CHAPv2
+authentication support.
+.PP
+This module validates a user with MS-CHAP or MS-CHAPv2
+authentication.
+If called in Authorize, it will look for MS-CHAP Challenge/Response
+attributes in the Acess-Request and adds an Auth-Type
+attribute set to MS-CHAP in the Config-Items list unless
+Auth-Type has already set.
+.PP
+The module can authenticate the MS-CHAP session via plain-text
+passwords (User-Password attribute), or NT passwords (NT-Password
+attribute). The module cannot perform authentication against an NT
+domain.
+.PP
+The module also enforces the SMB-Account-Ctrl attribute. See the
+Samba documentation for the meaning of SMB account control. The
+module does not read Samba password files. Instead, the fIrlm_passwd\fP
+module can be used to read a Samba password file, and supply an
+NT-Password attribute which this module can use.
+.PP
+The main configuration items to be aware of are:
+.IP authtype
+This is the string used to set the authtype. Normally it should be
+left to the default value of MS-CHAP.
+.IP use_mppe
+Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for
+MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2. The
+default is 'yes'.
+.IP require_encryption
+If MPPE is enabled, setting this attribute to 'yes' will cause the
+MS-MPPE-Encryption-Policy attribute to be set to require encryption.
+The default is 'no'.
+.IP require_strong
+If MPPE is enabled, setting this attribute to 'yes' will cause the
+MS-MPPE-Encryption-Types attribute to be set to require a 128 bit key.
+The default is 'no'.
+.IP with_ntdomain_hack
+Windows clients send User-Name in the form of "DOMAIN\\User", but send the
+challenge/response based only on the User portion. Setting this value
+to yes, enables a work-around for this error. The default is 'no'.
+.PP
+.SH CONFIGURATION
+.DS
+modules {
+ ...
+.br
+ mschap {
+.br
+ authtype = MS-CHAP
+.br
+ use_mppe = yes
+.br
+ }
+.br
+ ...
+.br
+}
+.br
+ ...
+.br
+authorize {
+ ...
+.br
+ mschap
+.br
+ ...
+.br
+}
+ ...
+.br
+authenticate {
+ ...
+.br
+ mschap
+.br
+ ...
+.br
+}
+.DE
+.PP
+.SH SECTIONS
+.BR authorization,
+.BR authentication
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHOR
+Chris Parker, cparker@segv.org
+
diff --git a/man/man5/rlm_pap.5 b/man/man5/rlm_pap.5
new file mode 100644
index 0000000..e2ad426
--- /dev/null
+++ b/man/man5/rlm_pap.5
@@ -0,0 +1,137 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_pap 5 "10 January 2015" "" "FreeRADIUS Module"
+.SH NAME
+rlm_pap \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_pap\fP module authenticates RADIUS Access-Request packets
+that contain a User-Password attribute. The module should also be
+listed last in the \fIauthorize\fP section, so that it can set the
+Auth-Type attribute as appropriate.
+.PP
+When a RADIUS packet contains a clear-text password in the form of a
+User-Password attribute, the \fIrlm_pap\fP module may be used for
+authentication. The module requires a "known good" password, which it
+uses to validate the password given in the RADIUS packet. That "known
+good" password must be supplied by another module
+(e.g. \fIrlm_files\fP, \fIrlm_ldap\fP, etc.), and is usually taken
+from a database.
+.SH CONFIGURATION
+.PP
+The only configuration item is:
+.IP normalise
+The default is "yes". This means that the module will try to
+automatically detect passwords that are hex- or base64-encoded and
+decode them back to their binary representation. However, some clear
+text passwords may be erroneously converted. Setting this to "no"
+prevents that conversion.
+.SH USAGE
+.PP
+The module looks for the Password-With-Header control attribute to find
+the "known good" password. The attribute value comprises the header
+followed immediately by the password data. The header is given by the
+following table.
+.PP
+.DS
+.br
+Header Attribute Description
+.br
+------ --------- -----------
+.br
+{clear} Cleartext-Password Clear-text passwords
+.br
+{cleartext} Cleartext-Password Clear-text passwords
+.br
+{crypt} Crypt-Password Unix-style "crypt"ed passwords
+.br
+{md5} MD5-Password MD5 hashed passwords
+.br
+{base64_md5} MD5-Password MD5 hashed passwords
+.br
+{smd5} SMD5-Password MD5 hashed passwords, with a salt
+.br
+{sha} SHA-Password SHA1 hashed passwords
+.br
+ SHA1-Password SHA1 hashed passwords
+.br
+{ssha} SSHA-Password SHA1 hashed passwords, with a salt
+.br
+{sha2} SHA2-Password SHA2 hashed passwords
+.br
+{sha224} SHA2-Password SHA2 hashed passwords
+.br
+{sha256} SHA2-Password SHA2 hashed passwords
+.br
+{sha384} SHA2-Password SHA2 hashed passwords
+.br
+{sha512} SHA2-Password SHA2 hashed passwords
+.br
+{ssha224} SSHA2-224-Password SHA2 hashed passwords, with a salt
+.br
+{ssha256} SSHA2-256-Password SHA2 hashed passwords, with a salt
+.br
+{ssha384} SSHA2-384-Password SHA2 hashed passwords, with a salt
+.br
+{ssha512} SSHA2-512-Password SHA2 hashed passwords, with a salt
+.br
+{nt} NT-Password Windows NT hashed passwords
+.br
+{nthash} NT-Password Windows NT hashed passwords
+.br
+{md4} NT-Password Windows NT hashed passwords
+.br
+{x-nthash} NT-Password Windows NT hashed passwords
+.br
+{ns-mta-md5} NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords
+.br
+{x- orcllmv} LM-Password Windows LANMAN hashed passwords
+.br
+{X- orclntv} NT-Password Windows NT hashed passwords
+.DE
+
+The module tries to be flexible when handling the various password
+formats. It will automatically handle Base-64 encoded data, hex
+strings, and binary data, and convert them to a format that the server
+can use.
+.PP
+If there is no Password-With-Header attribute, the module looks for one
+of the Cleartext-Password, NT-Password, Crypt-Password, etc. attributes
+as listed in the above table. These attributes should contain the
+relevant format password directly, without the header prefix.
+.PP
+Only one control attribute should be set, otherwise behaviour is
+undefined as to which one is used for authentication.
+.SH NOTES
+.PP
+It is important to understand the difference between the User-Password
+and Cleartext-Password attributes. The Cleartext-Password attribute
+is the "known good" password for the user. Simply supplying the
+Cleartext-Password to the server will result in most authentication
+methods working. The User-Password attribute is the password as typed
+in by the user on their private machine. The two are not the same,
+and should be treated very differently. That is, you should generally
+not use the User-Password attribute anywhere in the RADIUS
+configuration.
+.SH SECTIONS
+.BR authorize
+.BR authenticate
+.PP
+.SH FILES
+.I /etc/raddb/mods-available/pap
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHOR
+Alan DeKok <aland@freeradius.org>
+
diff --git a/man/man5/rlm_passwd.5 b/man/man5/rlm_passwd.5
new file mode 100644
index 0000000..5a9ac7b
--- /dev/null
+++ b/man/man5/rlm_passwd.5
@@ -0,0 +1,136 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_passwd 5 "20 January 2015" "" "FreeRADIUS Module"
+.SH NAME
+rlm_passwd \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_passwd\fP module provides authorization via files similar
+in format to /etc/passwd.
+.PP
+This module allows you to retrieve any account information from any
+files with passwd-like format (/etc/passwd, /etc/group,
+smbpasswd, .htpasswd, etc). Every field of the file may be mapped to
+a RADIUS attribute, with one of the fields used as a key.
+.PP
+The module reads the file when it initializes, and caches the data in
+memory. This makes it very fast, even for files with thousands of
+lines. To re-read the file the module will need to be reloaded with
+\fIradmin(8)\fP, or the server will need to be sent a SIGHUP, as
+dynamic updates are not supported.
+.PP
+.SH CONFIGURATION
+The configuration item(s):
+.IP allow_multiple_keys
+If set to 'yes', and more than one record in file matches the request,
+then the attributes from all records will be used. If set to 'no' (the
+default) the module will warn about duplicated records.
+.IP delimiter\ =\ ":"
+The character to use as a delimiter between fields. The default is
+":"
+.IP filename
+The path to the file.
+.IP format
+The format of the fields in the file, given as an example line from
+the file, with the content of the fields as the RADIUS attributes
+which the fields map to. The fields are separated by the ':' character
+in the configuration (no matter what is configured for the 'delimiter'
+option).
+.IP hash_size
+The size of the hash table. A larger value means less probability of a
+collision so records will be found faster, at the expense of greater
+memory usage. Having a hash_size in the range of 30-100% of the number
+of passwd file records is reasonable.
+.IP ignore_empty
+When set to "yes", the default, empty fields in the input will be
+skipped and the RADIUS attribute will not be added. By setting this
+value to "no", all attributes in the format list will always be added,
+even if they have no value.
+.IP ignore_nislike
+If set to 'yes', then all records from the file beginning with the '+'
+sign will be ignored. The default is 'no'.
+.PP
+.SH FORMAT
+The \fIformat\fP option controls how lines are read from the file, and
+which fields are mapped to which RADIUS attributes.
+.PP
+The key field is the field being searched for within the file. It is
+normally signified by being preceded with a '*' character, which
+indicates that the field has only one key, like the /etc/passwd file.
+The key field may instead be preceded with '*,', which indicates that
+the field has multiple possible comma-separated keys, such as when
+searching the /etc/group file.
+.PP
+The other fields signify RADIUS attributes. By default they will be
+added as a control attribute list.
+.PP
+To add an attribute to the RADIUS request (as though it had been sent
+by the NAS), prefix the attribute name in the "format" string with the
+\(aq~' character.
+.PP
+To add an attribute to the RADIUS reply (to be sent back to the NAS),
+prefix the attribute name in the "format" string with the '='
+character.
+.PP
+.SH EXAMPLES
+.DS
+format = "*User-Name:Crypt-Password:"
+.DE
+.IP
+For a file the looks similar to /etc/passwd. The first field,
+User-Name, is the key to look up in the file. When the record is
+found, a control attribute, 'Crypt-Password', will be added with the
+contents of the second field. (Note this will not work with shadow
+passwords.)
+.PP
+.DS
+format = "My-Group:::*,User-Name"
+.DE
+.IP
+Parse a file similar to the /etc/group file. An entry matches a
+request when the name in a User-Name attribute exists in the
+comma-separated list of a line in the file. When an entry matches,
+a "My-Group" attribute will be created and added to the control
+items for the request. The value of that attribute will be taken from
+the first field of the matching line in the file.
+.IP
+The ":::" in the format string means that there are extra two fields
+in the line, in between the group name and list of user names. Those
+fields do not map to any RADIUS attribute, and are therefore ignored.
+.IP
+For this example to work in practice, you will have to add the
+My-Group attribute to the dictionary file. See \fIdictionary(5)\fP
+for details on how this may be done.
+.PP
+.DS
+format = "~My-Group:::*,User-Name"
+.DE
+.IP
+Similar to the previous entry, except the My-Group attribute is added
+to the request, as though it was sent by the NAS.
+.PP
+.SH SECTIONS
+.BR authorize
+.PP
+.SH FILES
+.I /etc/raddb/mods-available/passwd
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5),
+.BR radmin (8),
+.BR dictionary (5),
+.BR rlm_unix (5)
+.SH AUTHOR
+Alan DeKok <aland@freeradius.org>, Matthew Newton
+<matthew@newtoncomputing.co.uk>.
+
diff --git a/man/man5/rlm_realm.5 b/man/man5/rlm_realm.5
new file mode 100644
index 0000000..8b8237a
--- /dev/null
+++ b/man/man5/rlm_realm.5
@@ -0,0 +1,94 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_realm 5 "14 March 2004" "" "FreeRADIUS Module"
+.SH NAME
+rlm_realm \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_realm\fP module parses the User-Name attribute into a
+User section and a Realm section. This is used primarily in a
+proxy situation, however, Realms can also be used locally to provide
+different service profiles based on the Realm being used.
+.PP
+The main configuration items to be aware of are:
+.IP format
+This can be either 'prefix' or 'suffix'. It specifies whether the
+Realm is before or after the User portion in the User-Name string.
+.IP delimiter
+A single character in quotes, which is used as the delimiting
+character that separates the Realm and User sections of the string.
+.IP ignore_default
+This is set to either 'yes' or 'no'. If set to 'yes', this will
+prevent the module instance from matching a realm against the DEFAULT
+entry. This may be useful if you have multiple realm module instances.
+The default is 'no'.
+.IP ignore_null
+This is set to either 'yes' or 'no'. If set to 'yes', this will
+prevent the module instance from matching a realm against the NULL
+entry. This may be useful if you have multiple realm module instances.
+The default is 'no'.
+.PP
+This module parses the realm from the User-Name attribute according
+to the instance configuration, and then performs a lookup to find a
+matching realm in the '/etc/raddb/proxy.conf' file. Depending on the
+configuration of the Realm as matched in the file, the username may
+be rewritten in a 'stripped' format, or with the Realm portion
+removed. In either case, a Realm attribute is created and added to
+the packet on a match, which can be used by other modules.
+.SH CONFIGURATION
+.PP
+.DS
+modules {
+ ... stuff here ...
+.br
+.br
+ # useranme@realm syntax
+.br
+ realm suffix {
+.br
+ format = suffix
+.br
+ delimiter = "@"
+.br
+ }
+.br
+.br
+ # realm/username syntax
+.br
+ realm prefix {
+.br
+ format = prefix
+.br
+ delimiter = "/"
+.br
+ }
+.br
+.br
+ ... stuff here ...
+.br
+}
+.DE
+.PP
+.SH SECTIONS
+.BR authorization,
+.BR pre-accounting
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf,
+.I /etc/raddb/proxy.conf
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5),
+.BR proxy.conf (5)
+.SH AUTHORS
+Chris Parker, cparker@segv.org
diff --git a/man/man5/rlm_sql.5 b/man/man5/rlm_sql.5
new file mode 100644
index 0000000..f0c42b5
--- /dev/null
+++ b/man/man5/rlm_sql.5
@@ -0,0 +1,152 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_sql 5 "5 February 2004" "" "FreeRADIUS Module"
+.SH NAME
+rlm_sql \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_sql\fP module provides an SQL interface to retrieve
+authorization information and store accounting information. It can be
+used in conjunction with, or in lieu of the files and detail modules.
+The SQL module has drivers to support the following SQL databases:
+.PP
+.DS
+.br
+ db2
+.br
+ iodbc
+.br
+ mysql
+.br
+ oracle
+.br
+ postgresql
+.br
+ sybase
+.br
+ unixodbc
+.br
+.DE
+.PP
+Due to the size of the configuration variables, the sql module is
+usually configured in a separate file, which is included in the main
+radiusd.conf via an include directive.
+.PP
+The main configuration items to be aware of are:
+.IP driver
+This variable specifies the driver to be loaded.
+.IP server
+.IP login
+.IP password
+These specify the servername, username, and password the module will
+use to connect to the database.
+.IP radius_db
+The name of the database where the radius tables are stored.
+.IP acct_table1
+.IP acct_table2
+These specify the tables names for accounting records. acct_table1
+specifies the table where Start records are stored. acct_table2
+specifies the table where Stop records are stored. In most cases,
+this should be the same table.
+.IP postauth_table
+The name of the table to store post-authentication data.
+.IP authcheck_table
+.IP authreply_table
+The tables where individual Check-Items and Reply-Items are stored.
+.IP groupcheck_table
+.IP groupreply_table
+The tables where group Check-Items and Reply-Items are stored.
+.IP usergroup_table
+The table where username to group relationships are stored.
+.IP deletestalesessions
+This option is set to 'yes' or 'no'. If you are doing
+Simultaneous-Use checking, and this is set to yes, stale sessions (
+defined as sessions for which a Stop record was not received ) will be
+cleared.
+.IP logfile
+This option is useful for debugging sql problems. If logfile is set
+then all sql queries for the containing section are written to the
+file specified. This is useful for debugging and bulk inserts.
+.IP num_sql_socks
+The number of sql connections to make to the database.
+.IP connect_failure_retry_delay
+The number of seconds to wait before attempting to reconnect to a
+failed database connection.
+.IP sql_user_name
+This is the definition of the SQL-User-Name attribute. This is set
+once, so that you can use %{SQL-User-Name} in the SQL queries, rather
+than the nested username substitution. This ensures that Username is
+parsed consistently for all SQL queries executed.
+.IP default_user_profile
+This is the default profile name that will be applied to all users if
+set. This is not set by default.
+.IP query_on_not_found
+This option is set to 'yes' or 'no'. If set to yes, then the default
+user profile is returned if no specific match was found for the user.
+.IP authorize_check_query
+.IP authorize_reply_query
+These queries are run during the authorization stage to extract the
+user authorization information from the ${authcheck_table} and
+${authreply_table}.
+.IP authorize_group_check_query
+.IP authorize_group_reply_query
+These queries are run during the authorization stage to extract the
+group authorization information from the ${groupcheck_table} and
+${groupreply_table}.
+.IP accounting_onoff_query
+The query to be run when receiving an Accounting On or Accounting Off
+packet.
+.IP accounting_update_query
+.IP accounting_update_query_alt
+The query to be run when receiving an Accounting Update packet. If the
+primary query fails, the alt query is run.
+.IP accounting_start_query
+.IP accounting_start_query_alt
+The query to be run when receiving an Accounting Start packet. If the
+primary query fails, the alt query is run.
+.IP accounting_stop_query
+.IP accounting_stop_query_alt
+The query to be run when receiving an Accounting Stop packet. If the
+primary query fails, the alt query is run.
+.IP simul_count_query
+The query to be run to return the number simultaneous sessions for the
+purposes of limiting Simultaneous Use.
+.IP simul_verify_query
+The query to return the detail information needed to confirm that all
+suspected connected sessions are valid, and are not stale sessions.
+.IP group_membership_query
+The query to run to check user group membership.
+.IP postauth_query
+The query to run during the post-authentication stage.
+.SH CONFIGURATION
+.PP
+Due to the size of the configuration for this module, it is not
+included in this manual page. Please review the supplied
+configuration files for example queries and configuration details.
+.SH SECTIONS
+.BR authorization,
+.BR accounting,
+.BR checksimul,
+.BR post-authentication
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf,
+.I /etc/raddb/sql.conf,
+.I /etc/raddb/sql/<DB>/dialup.conf,
+.I /etc/raddb/sql/<DB>/schema.sql,
+.BR
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5),
+.SH AUTHORS
+Chris Parker, cparker@segv.org
diff --git a/man/man5/rlm_unix.5 b/man/man5/rlm_unix.5
new file mode 100644
index 0000000..38668e0
--- /dev/null
+++ b/man/man5/rlm_unix.5
@@ -0,0 +1,66 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_unix 5 "17 February 2005" "" "FreeRADIUS Module"
+.SH NAME
+rlm_unix \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_unix\fP module reads crypt(3) passwords from the system
+password file, and allows the server to use them for authentication.
+The module also provides FreeRADIUS an interface into a radwtmp file
+(used by "radlast") when added to the accounting section.
+.PP
+The \fIrlm_unix\fP module should be listed in the
+"authenticate" section. Please see the default \fIradiusd.conf\fP
+shipped with the server for an example of the correct usage of this
+module.
+.PP
+As of FreeRADIUS 1.1.0, the module no longer reads, or caches
+/etc/passwd, /etc/shadow, or /etc/group. If you wish to cache those
+files, see \fIrlm_passwd\fP. Most, if not all, configurations should
+not need those files to be cached.
+.PP
+The main configuration items to be aware of are:
+.IP radwtmp
+The path to the system wtmp file to be used for keeping the database
+of online users as read by the 'radlast' program.
+.SH CONFIGURATION
+.PP
+.DS
+modules {
+ ...
+.br
+ unix {
+.br
+ radwtmp = ${logdir}/radwtmp
+.br
+ }
+.br
+ ...
+.br
+}
+.DE
+.PP
+.SH SECTIONS
+.BR authentication,
+.BR accounting
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf,
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5),
+.BR rlm_passwd (5),
+.BR radlast (1)
+.SH AUTHORS
+Chris Parker, cparker@segv.org
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
new file mode 100644
index 0000000..63f5570
--- /dev/null
+++ b/man/man5/unlang.5
@@ -0,0 +1,900 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH unlang 5 "16 February 2021" "" "FreeRADIUS Processing un-language"
+.SH NAME
+unlang \- FreeRADIUS Processing un\-language
+.SH DESCRIPTION
+FreeRADIUS supports a simple processing language in its configuration
+files. We call it an "un-language" because the intention is NOT to
+create yet another programming language. If you need something more
+complicated than what is described here, we suggest using the Perl or
+Python modules rlm_perl, or rlm_python.
+
+The goal of the language is to allow simple policies to be written
+with minimal effort. Those policies are then applied when a request
+is being processed. Requests are processed through virtual servers
+(including the default one), in the sections titled "authorize",
+"authenticate", "post-auth", "preacct", "accounting", "pre-proxy",
+"post-proxy", and "session".
+
+These policies cannot be used in any other part of the configuration
+files, such as module or client configuration.
+.SH KEYWORDS
+The keywords for the language are a combination of pre-defined
+keywords, and references to loadable module names. We document only
+the pre-defined keywords here.
+
+Subject to a few limitations described below, any keyword can appear
+in any context. The language consists of a series of entries, each
+one line. Each entry begins with a keyword. Entries are
+organized into lists. Processing of the language is line by line,
+from the start of the list to the end. Actions are executed
+per-keyword.
+.IP module-name[.section-name]
+A reference to the named module. When processing reaches this point,
+the pre-compiled module is called. The module may succeed or fail,
+and will return a status to "unlang" if so. This status can be tested
+in a condition. See the "Simple Conditions" text in the CONDITIONS
+section, and MODULE RETURN CODES, below.
+If a section-name is provided, it will cause the module to execute
+as if it were listed in the named section.
+
+.DS
+ chap # call the CHAP module
+.br
+ sql # call the SQL module
+.br
+ ...
+.DE
+.IP if
+.br
+Checks for a particular condition. If true, the block after the
+condition is processed. Otherwise, the block is ignored. See
+CONDITIONS, below, for documentation on the format of the conditions.
+
+.DS
+ if (condition) {
+.br
+ ...
+.br
+ }
+.DE
+.IP else
+.br
+Define a block to be executed only if the previous "if" condition
+returned false.
+
+.DS
+ else {
+.br
+ ...
+.br
+ }
+.DE
+.IP elsif
+.br
+Define a block to be executed only if the previous "if" condition
+returned false, and if the specified condition evaluates to true.
+
+.DS
+ elsif (condition) {
+.br
+ ...
+.br
+ }
+.DE
+.IP foreach
+.br
+Loops over values of an attribute, running the block for each value.
+The return value of the block is the return value of the last
+statement executed. The loop can be exited early by using the "break"
+keyword. Unlike other languages, "break" here means "exit the loop at
+the next iteration", not "exit the loop now". The result is that any
+statements after the "break" keyword will still be executed. We
+recommend using "break" only when it is the last statement in a
+"foreach" block.
+
+Inside of the "foreach" block, the attribute which is being looped
+over can be referenced as "Foreach-Variable-#". Where "#" is the
+depth of the loop, starting at "0". e.g. "Foreach-Variable-0". The
+loops can be nested up to eight (8) deep, though this is not
+recommended.
+
+.DS
+ foreach &Attribute-Reference {
+.br
+ ...
+.br
+ }
+.DE
+.IP switch
+.br
+A "switch" statement takes one argument, and contains a series of
+"case" statements. When a "switch" statement is encountered, the
+argument from the "switch" is evaluated in turn against the argument
+from each "case" statement. The first "case" statement which matches
+is executed. All other "case" statements are ignored. A default
+"case" statement can be defined, by omitting its argument.
+
+If the argument is a double quoted string (e.g. "%{exec:1 + 2}", it is
+expanded as described in the DATA TYPES section, below. The match is
+then performed on the string returned from the expansion. If the
+argument is an attribute reference (e.g. &User-Name), then the match
+is performed on the value of that attribute. Otherwise, the argument
+is taken to be a literal string, and matching is done via simple
+comparison.
+
+No statement other than "case" can appear in a "switch" block.
+
+.DS
+ switch <argument> {
+.br
+ ...
+.br
+ }
+.DE
+.IP case
+.br
+Provides a place-holder which matches the argument of a parent
+"switch" statement.
+
+A "case" statement cannot appear outside of a "switch" block.
+
+If the argument is a double quoted string (e.g. "%{exec:1 + 2}", it is
+expanded as described in the DATA TYPES section, below. The match is
+then performed on the string returned from the expansion. If the
+argument is an attribute reference (e.g. &User-Name), then the match
+is performed on the value of that attribute. Otherwise, the argument
+is taken to be a literal string, and matching is done via simple
+comparison.
+
+.DS
+ case <argument> {
+.br
+ ...
+.br
+ }
+.DE
+A default entry can be defined by omitting the argument, as given
+below. This entry will be used if no other "case" entry matches.
+Only one default entry can exist in a "switch" section.
+
+.DS
+ case {
+.br
+ ...
+.br
+ }
+.DE
+.IP update
+.br
+Update a particular attribute list, based on the attributes given in
+the current block.
+
+.DS
+ update <list> {
+.br
+ &Attribute-Reference = value
+.br
+ ...
+.br
+ }
+.DE
+The <list> can be one of "request", "reply", "proxy-request",
+"proxy-reply", "coa", "disconnect", "session-state", or "control". As
+of Version 3, the <list> can be omitted, in which case "request" is
+assumed.
+
+The "control" list is the list of attributes maintained internally by
+the server that controls how the server processes the request. Any
+attribute that does not go in a packet on the network will generally
+be placed in the "control" list.
+
+For EAP methods with tunneled authentication sessions (i.e. PEAP and
+EAP-TTLS), the inner tunnel session can also reference
+"outer.request", "outer.reply", and "outer.control". Those references
+allow you to address the relevant list in the outer tunnel session.
+
+The "coa" and "disconnect" sections can only be used when the server
+receives an Access-Request or Accounting-Request. Use "request" and
+"reply" instead of "coa" when the server receives a CoA-Request or
+Disconnect-Request packet.
+
+Adding one or more attributes to either of the "coa" or "disconnect"
+list causes server to originate a CoA-Request or Disconnect-Request
+packet. That packet is sent when the current Access-Request or
+Accounting-Request has been finished, and a reply sent to the NAS.
+See raddb/sites-available/originate-coa for additional information.
+
+The "session-state" list is primarily used for EAP. Attributes put
+into the "session-state" list are saved for the next packet in the
+session. They are automatically retrieved when the next packet is
+received.
+
+The only contents permitted in an "update" section are attributes and
+values. The contents of the "update" section are described in the
+ATTRIBUTE REFERENCE and ATTRIBUTE ASSIGNMENT sections below.
+.IP redundant
+This section contains a simple list of modules. The first module is
+called when the section is being processed. If the first module
+succeeds in its operation, then the server stops processing the
+section, and returns to the parent section.
+
+If, however, the module fails, then the next module in the list is
+tried, as described above. The processing continues until one module
+succeeds, or until the list has been exhausted.
+
+Redundant sections can contain only a list of modules, and cannot
+contain keywords that perform conditional operations (if, else, etc)
+or update an attribute list.
+
+.DS
+ redundant {
+.br
+ sql1 # try this
+.br
+ sql2 # try this only if sql1 fails.
+.br
+ ...
+.br
+ }
+.DE
+.IP load-balance
+This section contains a simple list of modules. When the section is
+entered, one module is chosen at random to process the request. All
+of the modules in the list should be the same type (e.g. ldap or sql).
+All of the modules in the list should behave identically, otherwise
+the load-balance section will return different results for the same
+request.
+
+Load-balance sections can contain only a list of modules, and cannot
+contain keywords that perform conditional operations (if, else, etc)
+or update an attribute list.
+
+.DS
+ load-balance {
+.br
+ ldap1 # 50% of requests go here
+.br
+ ldap2 # 50% of requests go here
+.br
+ }
+.DE
+In general, we recommend using "redundant-load-balance" instead of
+"load-balance".
+.IP redundant-load-balance
+This section contains a simple list of modules. When the section is
+entered, one module is chosen at random to process the request. If
+that module succeeds, then the server stops processing the section.
+If, however, the module fails, then one of the remaining modules is
+chosen at random to process the request. This process repeats until
+one module succeeds, or until the list has been exhausted.
+
+All of the modules in the list should be the same type (e.g. ldap or
+sql). All of the modules in the list should behave identically,
+otherwise the load-balance section will return different results for
+the same request.
+
+Load-balance sections can contain only a list of modules, and cannot
+contain keywords that perform conditional operations (if, else, etc)
+or update an attribute list. Please see raddb/radiusd.conf
+"instantiate" section for more configuration examples.
+
+.DS
+ redundant-load-balance {
+.br
+ ldap1 # 50%, unless ldap2 is down, then 100%
+.br
+ ldap2 # 50%, unless ldap1 is down, then 100%
+.br
+ }
+.DE
+.IP return
+.br
+Returns from the current top-level section, e.g. "authorize" or
+"authenticate". This keyword is mainly used to avoid layers of nested
+"if" and "else" statements.
+
+.DS
+ authorize {
+.br
+ if (...) {
+.br
+ ...
+.br
+ return
+.br
+ }
+.br
+ ... # this is never reached when the "if"
+.br
+ ... # statement is executed
+.br
+ }
+.DE
+.SH ATTRIBUTE REFERENCES
+
+Attributes may be referenced via the following syntax:
+.DS
+ &Attribute-Name
+ &Attribute-Name:TAG
+ &Attribute-Name[NUM]
+ &<list>:Attribute-Name
+ &<list>:Attribute-Name:TAG[NUM]
+.DE
+Where <list> is one of "request", "reply", "control", "proxy-request",
+"proxy-reply", or "outer.request", "outer.reply", "outer.control",
+"outer.proxy-request", or "outer.proxy-reply". just as with the
+"update" section, above. The "<list>:" prefix is optional, and if
+omitted, is assumed to refer to the "request" list.
+
+The TAG portion is a decimal integer between 1 and 31. Please see RFC
+2868 for more information about tags. Tags can only be used for
+attributes which are marked in the dictionary as "has_tag".
+
+The NUM portion is used when there are multiple attributes of the same
+name in a list. The "Attribute-Name" reference will return the first
+attribute. Using an array offset allows the policy to refer to the
+second and subsequent attributes.
+
+If '*' is used in the NUM portion, it evaluates to all instances of
+the attribute in the request.
+
+If 'n' is used in the NUM portion, it evaluates to the last instance
+of the attribute in the request.
+
+When an attribute name is encountered, the given list is examined for
+an attribute of the given name. Some examples are:
+.DS
+ User-Name
+.br
+ request:User-Name # same as above
+.br
+ reply:User-Name
+.br
+ Tunnel-Password:1
+.br
+ Cisco-AVPAir[2]
+.br
+ outer.request:User-Name # from inside of a TTLS/PEAP tunnel
+.DE
+Note that unlike C, there is no way to define new attributes at
+run-time. They MUST be declared in a dictionary file, and loaded when
+the server starts.
+
+All attributes are defined in the dictionaries that accompany the
+server. These definitions define only the name and type, and do not
+define the value of the attribute. When the server receives a packet,
+it uses the packet contents to look up entries in the dictionary, and
+instantiates attributes with a name taken from the dictionaries, and a
+value taken from the packet contents. This process means that if an
+attribute does not exist, it is usually because it was not contained
+in a packet that the server received.
+
+Once the attribute is instantiated, it is added to a list. It can
+then be referenced, updated, replaced, etc.
+
+.SH CONDITIONS
+The conditions are similar to C conditions in syntax, though
+quoted strings are supported, as with the Unix shell.
+.IP Simple
+conditions
+.br
+.DS
+ (foo)
+.DE
+Evaluates to true if 'foo' is a non-empty string (single quotes, double
+quotes, or back-quoted). Also evaluates to true if 'foo' is a
+non-zero number. Note that the language is poorly typed, so the
+string "0000" can be interpreted as a numerical zero. This issue can
+be avoided by comparing strings to an empty string, rather than by
+evaluating the string by itself.
+
+If the word 'foo' is not a quoted string, then it can be taken as a
+reference to a named attribute. See "Referencing attribute lists",
+below, for examples of attribute references. The condition evaluates
+to true if the named attribute exists.
+
+Otherwise, if the word 'foo' is not a quoted string, and is not an
+attribute reference, then it is interpreted as a reference to a module
+return code. The condition evaluates to true if the most recent
+module return code matches the name given here. Valid module return
+codes are given in MODULE RETURN CODES, below.
+.IP Negation
+.DS
+ (!foo)
+.DE
+Evaluates to true if 'foo' evaluates to false, and vice-versa.
+.PP
+Short-circuit operators
+.RS
+.br
+.DS
+ (foo || bar)
+.br
+ (foo && bar)
+.DE
+"&&" and "||" are short-circuit operators. "&&" evaluates the first
+condition, and evaluates the second condition if and only if the
+result of the first condition is true. "||" is similar, but executes
+the second command if and only if the result of the first condition is
+false.
+.RE
+.IP Comparisons
+.DS
+ (foo == bar)
+.DE
+Compares 'foo' to 'bar', and evaluates to true if the comparison holds
+true. Valid comparison operators are "==", "!=", "<", "<=", ">",
+">=", "=~", and "!~", all with their usual meanings. The operators
+":=", "^=" and "=" are assignment operators, and are not allowed for
+comparisons.
+
+The operators "<", "<=", ">", and ">=" are also allowed for checking
+that an IP address is contained within a network. For example:
+.DS
+ if (<ipaddr>192.0.2.1 < 192.0.2.0/24) {
+.DE
+This comparison succeeds, because the address 192.0.2.1 is contained
+within the network 192.0.2.0/24.
+.RE
+.IP "Attribute Comparisons"
+When doing attribute comparisons, the data type of the attribute is
+used to determine the data type of the right-hand side argument.
+.DS
+ (&User-Name == "foo")
+.DE
+Compares the value of the User-Name attribute to the string 'foo', and
+evaluates to true if the comparison holds true.
+
+Similarly,
+.DS
+ (&Framed-IP-Address == 192.0.2.1)
+.DE
+Compares the value of the Framed-IP-Address attribute to the IP
+address 192.0.2.1. This IP address does not need to be quoted.
+.RE
+.IP "Inter-Attribute Comparisons"
+.DS
+ (&User-Name == &Filter-Id)
+.DE
+Compares the value of the User-Name attribute to the contents of the
+Filter-Id attribute, and evaluates to true if the comparison holds
+true. Unlike the previous example, this comparison is done in a
+type-safe way. For example, comparing the IP addresses 1.2.3.4 and
+127.0.0.1 as strings will return different results than comparing them
+as IP addresses.
+
+The "&" character in the condition means that the comparison "refers"
+to the Filter-Id attribute. If left off, it means that the User-Name
+attribute is compared to the literal string "Filter-Id".
+
+Where the left-hand side is an attribute, the "&" can be omitted.
+However, it is allowed for backwards compatibility. e.g. The comparison
+"(&User-Name == &Filter-Id)" is equivalent to the example above.
+
+We recommend using attribute references instead of printing
+attributes to a string, e.g. (User-Name == "%{Filter-Id}").
+Attribute references will be faster and more efficient.
+
+The conditions will check only the first occurrence of an attribute.
+If there is more than one instance of an attribute, the following
+syntax should be used:
+
+.DS
+ (&Attribute-Name[*] == "foo")
+.DE
+Using the "[*]" syntax means that it checks all of the instances of
+the named attribute. If one attribute matches, the condition
+succeeds. If none match, the condition fails.
+
+.RE
+.IP Casts
+.DS
+ (<type>foo == bar)
+.DE
+The left-hand-side of a condition can be "cast" to a specific data
+type. The data type must be one which is valid for the dictionaries.
+e.g. "integer", "ipaddr", etc.
+
+The comparison is performed in a type-safe way, as with
+"Inter-Attribute Comparisons", above. Both sides of the condition are
+parsed into temporary attributes, and the attributes compared via
+type-specific methods. The temporary attributes have no other effect,
+and are not saved anywhere.
+
+Casting allows conditions to perform type-specific comparisons. In
+previous versions of the server, the data would have to be manually
+placed into an intermediate attribute (or attributes), and then the
+attribute (or attributes) compared. The use of a cast allows for
+simpler policies.
+
+Casts are allowed only on the left-hand side argument of a condition.
+.PP
+Conditions may be nested to any depth, subject only to line length
+limitations (8192 bytes).
+.SH DATA TYPES
+There are only a few data types supported in the language. Reference
+to attributes, numbers, and strings. Any data type can appear in
+stand-alone condition, in which case they are evaluated as described
+in "Simple conditions", above. They can also appear (with some
+exceptions noted below) on the left-hand or on the right-hand side of
+a comparison.
+.IP numbers
+Numbers are composed of decimal digits. Floating point, hex, and
+octal numbers are not supported. The maximum value for a number is
+machine-dependent, but is usually 32-bits, including one bit for a
+sign value.
+.PP
+word
+.RS
+Text that is not enclosed in quotes is interpreted differently
+depending on where it occurs in a condition. On the left hand side of
+a condition, it is interpreted as a reference to an attribute. On the
+right hand side, it is interpreted as a simple string, in the same
+manner as a single-quoted string.
+
+Using attribute references permits limited type-specific comparisons,
+as seen in the examples below.
+
+.DS
+ if (&User-Name == "bob") {
+.br
+ ...
+.br
+ if (&Framed-IP-Address > 127.0.0.1) {
+.br
+ ...
+.br
+ if (&Service-Type == Login-User) {
+.DE
+.RE
+.IP """strings"""
+.RS
+Double-quoted strings are expanded by inserting the value of any
+attributes (see ATTRIBUTE REFERENCES, below) before being evaluated. If
+the result is a number it is evaluated in a numerical context.
+
+String length is limited by line-length, usually about 8000
+characters. A double quote character can be used in a string via
+the normal back-slash escaping method. ("like \\"this\\" !")
+.RE
+.IP 'strings'
+Single-quoted strings are evaluated as-is. Their values are not
+expanded as with double-quoted strings above, and they are not
+interpreted as attribute references.
+.IP `strings`
+Back-quoted strings are evaluated by expanding the contents of the
+string, as described above for double-quoted strings. The resulting
+command given inside of the string in a sub-shell, and taking the
+output as a string. This behavior is much the same as that of Unix
+shells.
+
+Note that for security reasons, the input string is split into command
+and arguments before string expansion is done.
+
+For performance reasons, we suggest that the use of back-quoted
+strings be kept to a minimum. Executing external programs is
+relatively expensive, and executing a large number of programs for
+every request can quickly use all of the CPU time in a server. If you
+believe that you need to execute many programs, we suggest finding
+alternative ways to achieve the same result. In some cases, using a
+real language may be sufficient.
+
+.IP /regex/im
+These strings are valid only on the right-hand side of a comparison,
+and then only when the comparison operator is "=~" or "!~". They are
+regular expressions, as implemented by the local regular expression
+library on the system. This is usually Posix regular expressions.
+
+The trailing 'i' is optional, and indicates that the regular
+expression match should be done in a case-insensitive fashion.
+
+The trailing 'm' is also optional, and indicates that carrot '^'
+and dollar '$' anchors should match on new lines as well as at the
+start and end of the subject string.
+
+If the comparison operator is "=~", then parentheses in the regular
+expression will define variables containing the matching text, as
+described below in the ATTRIBUTE REFERENCES section.
+.SH EXPANSIONS
+Attributes are expanded using the ATTRIBUTE REFERENCE syntax
+described above, and surrounding the reference with "%{...}"
+
+.DS
+ %{Attribute-Reference}
+.DE
+
+The result will be a string which contains the value of the attribute
+which was referenced, as a printable string. If the attribute does
+not exist, the result will be an empty string.
+.PP
+Results of regular expression matches
+.RS
+If a regular expression match has previously been performed, then the
+special variable %{0} will contain a copy of the matched portion of
+the input string. The variables %{1} through %{32} will contain the
+substring matches, starting from the left-most capture group, onwards.
+If there are more than 32 capture groups, the additional results will
+not be accessible.
+If the server is built with libpcre, the results of named capture groups
+are available using the "%{regex:capture group}" expansion. They will
+also be accessible using the variables described above.
+Every time a regular expression is evaluated, whether it matches or not,
+the capture group values will be cleared.
+.RE
+.PP
+Obtaining results from databases
+.RS
+It is useful to query a database for some information, and to use the
+result in a condition. The following syntax will call a module, pass
+it the given string, and replace the string expansion with the
+resulting string returned from the module.
+
+.DS
+ %{module: string ...}
+.DE
+
+The syntax of the string is module-specific. Please read the module
+documentation for additional details.
+.RE
+.PP
+Conditional Syntax
+.RS
+Conditional syntax similar to that used in Unix shells may also be
+used.
+.IP %{%{Foo}:-bar}
+If %{Foo} has a value, returns that value.
+.br
+Otherwise, returns literal string "bar".
+.IP %{%{Foo}:-%{Bar}}
+If %{Foo} has a value, returns that value.
+.br
+Otherwise, returns the expansion of %{Bar}.
+
+These conditional expansions can be nested to almost any depth, such
+as with %{%{One}:-%{%{Two}:-%{Three}}}
+.RE
+.PP
+String lengths and arrays
+.RS
+Similar to a Unix shell, there are ways to reference string lengths,
+and the second or more instance of an attribute in a list. If you
+need more than this functionality, we suggest using a real language.
+.IP %{strlen:string}
+The number of characters in "string". If "string" does not exist,
+then the length also does not exist, instead of being zero.
+
+The "string" is expanded before the length is taken.
+
+.IP %{integer:Attribute-Name}
+The integer value of the Attribute-Name, instead of the enumerated
+name.
+
+e.g. If a request contains "Service-Type = Login-User", the expansion
+of %{integer:Service-Type} will yield "1".
+
+.IP %{hex:Attribute-Name}
+The hex value of the Attribute-Name, as a series of hex digits.
+
+e.g. If a request contains "Framed-IP-Address = 127.0.0.1", the expansion
+of %{hex:Framed-IP-Address} will yield "0x7f000001".
+
+.IP %{Attribute-Name[#]}
+The number of instances of Attribute-Name.
+
+e.g. If a request contains "User-Name = bob", the expansion
+of %{User-Name[#]} will yield "1".
+
+.IP %{Attribute-Name[*]}
+All values of Attribute-Name, concatenated together with ',' as the
+separator.
+
+.IP %{List-Name:[#]}
+The number of attributes in the named list.
+
+.IP %{List-Name:[*]}
+All values of attributes in the named-list, concatenated together with ','
+as the separator. Use the %{pairs:} xlat to get a list of attributes and
+values.
+
+e.g. If a response contains "Reply-Message = 'Hello', Reply-Message = 'bob'
+the expansion of "%{reply:Reply-Message[*]} will yield "Hello\\nbob"
+
+.SH ATTRIBUTE ASSIGNMENTS
+The attribute lists described above may be edited by listing one or
+more attributes in an "update" section. Once the attributes have been
+defined, they may be referenced as described above in the ATTRIBUTE
+REFERENCES section.
+
+The following syntax defines attributes in an "update" section. Each
+attribute and value has to be all on one line in the configuration
+file. There is no need for commas or semi-colons after the value.
+
+.DS
+ Attribute-Reference = value
+.DE
+.PP
+Attribute Reference
+.RS
+The Attribute-Reference must be a reference (see above), using a name
+previously defined in a dictionary. If an undefined name is used, the
+server will return an error, and will not start.
+
+.RE
+.IP Operators
+The operator used to assign the value of the attribute may be one of
+the following, with the given meaning.
+.RS
+.IP =
+Add the attribute to the list, if and only if an attribute of the same
+name is not already present in that list.
+.IP :=
+Add the attribute to the list. If any attribute of the same name is
+already present in that list, its value is replaced with the value of
+the current attribute.
+.IP +=
+Add the attribute to the tail of the list, even if attributes of the
+same name are already present in the list. When the right hand side
+of the expression resolves to multiple values, it means add all values
+to the tail of the list.
+.IP ^=
+Add the attribute to the head of the list, even if attributes of the
+same name are already present in the list. When the right hand side
+of the expression resolves to multiple values, it means prepend all
+values to the head of the list.
+.RE
+.PP
+Enforcement and Filtering Operators
+.RS
+The following operators may also be used in addition to the ones
+listed above. Their function is to perform enforcement or filtering
+on attributes in a list.
+.IP -=
+Remove all matching attributes from the list. Both the attribute name
+and value have to match in order for the attribute to be removed from
+the list.
+.IP ==
+Keep all matching attributes. Both the attribute name and value have
+to match in order for the attribute to remain in the list.
+
+Note that this operator is very different than the '=' operator listed
+above!
+.IP !=
+Keep all attributes with matching name, and value not equal to the
+given one.
+.IP <
+Keep all attributes having values less than the value
+given here. Any larger value is replaced by the value given here. If
+no attribute exists, it is added with the value given here, as with
+"+=".
+.IP <=
+Keep all attributes having values less than, or equal to, the value
+given here. Any larger value is replaced by the value given here. If
+no attribute exists, it is added with the value given here, as with
+"+=".
+.IP >
+Keep all attributes having values greater than the value
+given here. Any smaller value is replaced by the value given here. If
+no attribute exists, it is added with the value given here, as with
+"+=".
+.IP >=
+Keep all attributes having values greater than, or equal to, the value
+given here. Any smaller value is replaced by the value given here. If
+no attribute exists, it is added with the value given here, as with
+"+=".
+.IP !*
+Delete all occurrences of the named attribute, no matter what the
+value.
+.IP =~
+Keep all attributes having values which match the given regular
+expression. If no attribute matches, nothing else is done.
+.IP !~
+Keep all attributes having values which fail to match the given
+regular expression. If no attribute matches, nothing else is done.
+.RE
+.IP Values
+.br
+The value can be an attribute reference, or an attribute-specific
+string.
+
+When the value is an attribute reference, it must take the form of
+"&Attribute-Name". The leading "&" signifies that the value is a
+reference. The "Attribute-Name" is an attribute name, such as
+"User-Name" or "request:User-Name". When an attribute reference is
+used, both attributes must have the same data type. For example,
+"User-Name := &NAS-Port" is invalid, because "User-Name" is a string,
+and "NAS-Port" is an integer.
+
+We recommend using the form "Attribute-1 = &Attribute-2" for updates,
+instead of "Attribute-1 = "%{Attribute-2}". The first version will
+copy the attribute data, no matter what its form. The second
+version will print the Attribute-2 to a string, and then parse it to
+create the value for Attribute-1. This second version is slower
+and more fragile than the first one.
+
+When the value is an attribute-specific string, it can be a string,
+integer, IP address, etc. The value may be expanded as described
+above in the DATA TYPES section, above. For example, specifying
+"Framed-IP-Address = 127.0.0.1" will cause the "Framed-IP-Address"
+attribute to be set to the IP address "127.0.0.1". However, using
+"Framed-IP-Address := \"%{echo: 127.0.0.1}\"" will cause the "echo"
+module to be run with a string "127.0.0.1". The output of the "echo"
+module will then be parsed as an IP address, and placed into the
+Framed-IP-Address attribute.
+
+This flexibility means that you can assign an IP address by specifying
+it directly, or by having the address returned from a database query,
+or by having the address returned as the output of a program that is
+executed.
+
+When string values are finally assigned to an attribute, they can have a
+maximum length of 253 characters. This limit is due in part to both
+protocol and internal server requirements. That is, the strings in
+the language can be nearly 8k in length, say for a long SQL query.
+However, the output of that SQL query should be no more than 253
+characters in length.
+.SH OTHER KEYWORDS
+Other keywords in the language are taken from the names of modules
+loaded by the server. These keywords are dependent on both the
+modules, and the local configuration.
+
+Some use keywords that are defined in the default configuration file
+are:
+.IP fail
+Cause the request to be treated as if a database failure had occurred.
+.IP noop
+Do nothing. This also serves as an instruction to the configurable
+failover tracking that nothing was done in the current section.
+.IP ok
+Instructs the server that the request was processed properly. This
+keyword can be used to over-ride earlier failures, if the local
+administrator determines that the failures are not catastrophic.
+.IP reject
+Causes the request to be immediately rejected
+.SH MODULE RETURN CODES
+When a module is called, it returns one of the following codes to
+"unlang", with the following meaning.
+
+.DS
+ notfound information was not found
+.br
+ noop the module did nothing
+.br
+ ok the module succeeded
+.br
+ updated the module updated the request
+.br
+ fail the module failed
+.br
+ reject the module rejected the request
+.br
+ userlock the user was locked out
+.br
+ invalid the configuration was invalid
+.br
+ handled the module has handled the request itself
+.DE
+
+These return codes can be tested for in a condition, as described
+above in the CONDITIONS section.
+
+See also the file doc/configurable_failover for additional methods of
+trapping and modifying module return codes.
+.SH FILES
+/etc/raddb/radiusd.conf
+.SH "SEE ALSO"
+.BR radiusd.conf (5),
+.BR dictionary (5)
+.SH AUTHOR
+Alan DeKok <aland@deployingradius.com>
diff --git a/man/man5/users.5 b/man/man5/users.5
new file mode 100644
index 0000000..4586b96
--- /dev/null
+++ b/man/man5/users.5
@@ -0,0 +1,228 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH USERS 5 "04 Jan 2004" "" "FreeRADIUS user authorization file"
+.SH NAME
+users \- user authorization file for the FreeRADIUS server
+.SH DESCRIPTION
+The \fBusers\fP files reside in the files module configuration directory,
+by default \fB/etc/raddb/mods-config/files/\fP. It contains a series
+of configuration directives which are used by the \fIfiles\fP
+module to decide how to authorize and authenticate each user request.
+
+Every line starting with a hash sign
+.RB (' # ')
+is treated as comment and ignored.
+.PP
+Each entry of the file begins with a username, followed by a (possibly
+empty) list of check items, all on one line. The next line begins
+with a tab, and a (possibly empty) list of reply items. Each item in
+the check or reply item list is an attribute of the form \fBname =
+value\fP. Multiple items may be placed on one line, in which case
+they must be separated by commas. The reply items may be specified
+over multiple lines, in which case each line must end with a comma,
+and the last line of the reply items must not end with a comma.
+
+The check items are a list of attributes used to match the incoming
+request. If the username matches, AND all of the check items match
+the incoming request, then the reply items are added to the list of
+attributes which will be used in the reply to that request. This
+process is repeated for all of the entries in the users file.
+
+If the incoming request matches NO entry, then the request is
+rejected.
+
+.SH CAVEATS
+The special keyword \fBDEFAULT\fP matches any usernames.
+
+The entries are processed in order, from the top of the \fBusers\fP file,
+on down. If an entry contains the special item \fBFall-Through =
+No\fP as a reply attribute, then the processing of the file stops, and
+no more entries are matched. Any reply item list without any
+\fBFall-Through\fP attribute is treated as though it included a
+\fBFall-Through = No\fP attribute.
+
+If an entry contains the special item \fBFall-Through = Yes\fP as a
+reply attribute, then the processing proceeds to the next entry in
+order.
+
+Care should be taken when using \fBFall-Through\fP. The server should
+be tested in debugging mode with a number of test requests, in order
+to verify that the configured entries behave as expected.
+
+The special attribute \fBAuth-Type\fP is used to identify the
+authentication type to be used for that user. See the
+\fBdictionary\fP file for a list of permitted values for the
+\fBAuth-Type\fP attribute.
+
+Once the \fBusers\fP file has been processed, the request is authenticated,
+using the method given by \fBAuth-Type\fP.
+
+.SH OPERATORS
+Additional operators other than \fB=\fP may be used for the attributes in
+either the check item, or reply item list. The following is a list of
+operators, and their meaning.
+
+.TP 0.5i
+.B "Attribute = Value"
+Not allowed as a check item for RADIUS protocol attributes. It is
+allowed for server configuration attributes (Auth-Type, etc), and sets
+the value of on attribute, only if there is no other item of the
+same attribute.
+.br
+As a reply item, it means "add the item
+to the reply list, but only if there is no other item of the same
+attribute."
+
+.TP 0.5i
+.B "Attribute := Value"
+Always matches as a check item, and replaces in the configuration
+items any attribute of the same name. If no attribute of that name
+appears in the request, then this attribute is added.
+.br
+As a reply item, it has an identical meaning, but for the reply items,
+instead of the request items.
+
+.TP 0.5i
+.B "Attribute == Value"
+As a check item, it matches if the named attribute is present in the
+request, AND has the given value.
+.br
+Not allowed as a reply item.
+
+.TP 0.5i
+.B "Attribute += Value"
+Always matches as a check item, and adds the current attribute with
+value to the tail of the list of configuration items.
+.br
+As a reply item, it has an identical meaning, but the attribute is
+added to the tail of the reply items list.
+
+.TP 0.5i
+.B "Attribute ^= Value"
+Always matches as a check item, and adds the current attribute with
+value to the head of the list of configuration items.
+.br
+As a reply item, it has an identical meaning, but the attribute is
+added to the head of the reply items list.
+
+.TP 0.5i
+.B "Attribute != Value"
+As a check item, matches if the given attribute is in the request, AND
+does not have the given value.
+.br
+Not allowed as a reply item.
+
+.TP 0.5i
+.B "Attribute > Value"
+As a check item, it matches if the request contains an attribute with
+a value greater than the one given.
+.br
+Not allowed as a reply item.
+
+.TP 0.5i
+.B "Attribute >= Value"
+As a check item, it matches if the request contains an attribute with
+a value greater than, or equal to the one given.
+.br
+Not allowed as a reply item.
+
+.TP 0.5i
+.B "Attribute < Value"
+As a check item, it matches if the request contains an attribute with
+a value less than the one given.
+.br
+Not allowed as a reply item.
+
+.TP 0.5i
+.B "Attribute <= Value"
+As a check item, it matches if the request contains an attribute with
+a value less than, or equal to the one given.
+.br
+Not allowed as a reply item.
+
+.TP 0.5i
+.B "Attribute =* Value"
+As a check item, it matches if the request contains the named
+attribute, no matter what the value is.
+.br
+Not allowed as a reply item.
+
+.TP 0.5i
+.B "Attribute !* Value"
+As a check item, it matches if the request does not contain the named
+attribute, no matter what the value is.
+.br
+Not allowed as a reply item.
+
+.SH EXAMPLES
+
+.DS
+bob Cleartext-Password := "hello"
+
+.DE
+.RS
+Requests containing the User-Name attribute, with value "bob", will be
+authenticated using the "known good" password "hello". There are no
+reply items, so the reply will be empty.
+.RE
+
+.DS
+DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP
+.br
+ Service-Type = Framed-User,
+.br
+ Framed-Protocol = PPP,
+.br
+ Fall-Through = Yes
+
+.DE
+.RS
+If the request packet contains the attributes Service-Type and
+Framed-Protocol, with the given values, then include those attributes
+in the reply.
+
+That is, give the user what they ask for. This entry also shows how
+to specify multiple reply items.
+.RE
+
+See the \fBusers\fP file supplied with the server for more examples
+and comments.
+
+.SH HINTS
+Run the server in debugging mode (\fB-X\fP), and use the
+\fBradclient\fP program to send it test packets which you think will
+match specific entries. The server will print out which entries were
+matched for that request, so you can verify your expectations. This
+should be the FIRST thing you do if you suspect problems with the
+file.
+
+Care should be taken when writing entries for the \fBusers\fP file. It is
+easy to misconfigure the server so that requests are accepted when you
+wish to reject them. The entries should be ordered, and the
+Fall-Through item should be used ONLY where it is required.
+
+Entries rejecting certain requests should go at the top of the file,
+and should not have a Fall-Through item in their reply items. Entries
+for specific users, who do not have a Fall-Through item, should come
+next. Any DEFAULT entries should usually come last, except as fall-through
+entries that set reply attributes.
+
+.SH FILES
+/etc/raddb/mods-config/files/
+.SH "SEE ALSO"
+.BR radclient (1),
+.BR radiusd (8),
+.BR dictionary (5),
+
+.SH AUTHOR
+The FreeRADIUS team.
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
new file mode 100644
index 0000000..08336c6
--- /dev/null
+++ b/man/man8/radcrypt.8
@@ -0,0 +1,45 @@
+.TH RADCRYPT 8
+.SH NAME
+radcrypt - generate password hash for use with radius, or validates a password hash
+.SH SYNOPSIS
+.B radcrypt
+.RB [ \-d | --des ]
+.RB [ \-m | --md5 ]
+.RB [ \-c | --check ]
+\fIplaintext_password\fP [\fIhashed_password\fP]
+.SH DESCRIPTION
+\fBradcrypt\fP generates a hashed digest of a plaintext password, or can
+validate if a password hash matches a plaintext password. DES and MD5
+hashes are currently supported. When generating a password hash a random
+salt is generated and applied.
+.PP
+A hashed password can be validated by specifying \fI-c\fP or \fI--check\fP and
+passing \fIhashed_password\fP after \fIplaintext_password\fP on the command line.
+In this case \fIhashed_password\fP will be checked to see if it matches
+\fIplaintext_password\fP. If so "Password OK" will be printed and the exit
+status will be 1, otherwise "Password BAD" will be printed and exit status
+will be 0 (Note this is the opposite of a normal successful shell status).
+
+.SH OPTIONS
+
+.IP "\-d --des"
+Use a DES (Data Encryption Standard) hash (default).
+Ignored if performing a password check.
+.IP "\-m --md5"
+Use a MD5 (Message Digest 5) hash.
+Ignored if performing a password check.
+.IP "\-c --check"
+Perform a validation check on a password hash to verify if it matches
+the plantext password.
+
+.SH EXAMPLES
+.nf
+$ radcrypt foobar
+HaX0xn7Qy650Q
+$ radcrypt \-c foobar HaX0xn7Qy650Q
+Password OK
+.fi
+.SH SEE ALSO
+radiusd(8), crypt(3)
+.SH AUTHORS
+Miquel van Smoorenburg <miquels@cistron-office.nl>
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
new file mode 100644
index 0000000..6e27e24
--- /dev/null
+++ b/man/man8/raddebug.8
@@ -0,0 +1,104 @@
+.TH RADDEBUG 8 "1 September 2010" "" "FreeRADIUS Daemon"
+.SH NAME
+raddebug - Display debugging output from a running server.
+.SH SYNOPSIS
+.B raddebug
+.RB [ \-c
+.IR condition ]
+.RB [ \-d
+.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
+.RB [ \-n
+.IR name ]
+.RB [ \-i
+.IR ipv4-address ]
+.RB [ \-I
+.IR ipv6-address ]
+.RB [ \-f
+.IR socket_file ]
+.RB [ \-t
+.IR timeout ]
+.RB [ \-u
+.IR user-name ]
+.SH DESCRIPTION
+\fBraddebug\fP is a shell script wrapper around \fBradmin\fP that
+automates the process of obtaining debugging output from a running
+server. It does this without impacting service availability, unlike
+using \fBradiusd -X\fP. There are a number of prerequisites that are
+required for its proper operation:
+.PP
+.in +0.3i
+* \fBradmin\fP must be available in the PATH.
+.br
+* The user running \fBraddebug\fP must have permission to connect to
+ the server control socket.
+.br
+* The control socket must be configured. For instructions, see
+ raddb/sites-available/control-socket
+.br
+* The control socket must be marked as "mode = rw".
+.br
+* The user running \fBraddebug\fP must have permission to read and
+ write files in the "logdir" directory. This is usually
+ /var/log/radiusd.
+.in -0.3i
+.PP
+For a number of reasons, the debugging output is placed in an
+intermediate file, rather than being sent directly to standard output.
+In order to prevent this file from growing too large, the
+\fBraddebug\fP program is automatically terminated after 10 seconds.
+This timeout can be changed via the "-t" parameter.
+.PP
+When the script exits, debug mode in the server is disabled, and the
+intermediate file is deleted.
+.PP
+Debug output from a live server can be redirected to only one
+location. If a second instance of \fIraddebug\fP is started while the
+first one is still running, the later one will over-ride the first
+one, and the first will stop producing output.
+.SH OPTIONS
+
+.IP \-c\ \fIcondition\fP
+Set a specific debug condition. The format of the condition is as
+specified in the CONDITIONS section of the \fIunlang\fP manual page.
+.IP \-f\ \fIsocket_file\fP
+The path to the control socket. See the \fIradmin\fP manual page for
+more description of this option.
+.IP \-i\ \fIipv4-address\fP
+Show debug output for the client having the given IPv4 address. This
+option is equivalent to using:
+.br
+.in +0.3i
+-c '(Packet-Src-IP-Address == ipv4-address)'
+.in -0.3i
+.IP "\-d \fIconfig directory\fP"
+The radius configuration directory, usually /etc/raddb. See the
+\fIradmin\fP manual page for more description of this option.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+.IP "\-n \fImname\fP"
+Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
+.IP \-I\ \fIipv6-address\fP
+Show debug output for the client having the given IPv6 address. This
+option is equivalent to using:
+.br
+.in +0.3i
+-c '(Packet-Src-IPv6-Address == ipv6-address)'
+.in -0.3i
+.IP \-t\ \fItimeout\fP
+Stop printing debug output after "timeout" seconds. The default
+timeout is sixty (60) seconds. Use "-t 0" to print debugging output forever,
+or until the script exits.
+.IP \-u\ \fIname\fP
+Show debug output for users having the given name. This
+option is equivalent to using:
+.br
+.in +0.3i
+-c '(User-Name == name)'
+.in -0.3i
+
+.SH SEE ALSO
+radmin(8), raddb/sites-available/control-socket, unlang(5), radiusd.conf(5)
+.SH AUTHORS
+Alan DeKok <aland@freeradius.org>
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
new file mode 100644
index 0000000..74da13b
--- /dev/null
+++ b/man/man8/radiusd.8
@@ -0,0 +1,235 @@
+.TH RADIUSD 8 "26 Apr 2012" "" "FreeRADIUS Daemon"
+.SH NAME
+radiusd - Authentication, Authorization and Accounting server
+.SH SYNOPSIS
+.B radiusd
+.RB [ \-C ]
+.RB [ \-d
+.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
+.RB [ \-f ]
+.RB [ \-h ]
+.RB [ \-i
+.IR ip-address ]
+.RB [ \-l
+.IR log_file ]
+.RB [ \-m ]
+.RB [ \-n
+.IR name ]
+.RB [ \-p
+.IR port ]
+.RB [ \-P ]
+.RB [ \-s ]
+.RB [ \-t ]
+.RB [ \-v ]
+.RB [ \-x ]
+.RB [ \-X ]
+.SH DESCRIPTION
+FreeRADIUS is a high-performance and highly configurable RADIUS
+server. It supports many database back-ends such as flat-text files,
+SQL, LDAP, Perl, Python, etc. It also supports many authentication
+protocols such as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP
+(EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM, etc.).
+
+It also has full support for Cisco's VLAN Query Protocol (VMPS) and
+DHCP.
+
+Please read the DEBUGGING section below. It contains instructions
+for quickly configuring the server for your local system.
+.SH OPTIONS
+The following command-line options are accepted by the server:
+.IP \-C
+Check the configuration and exit immediately. If there is a problem
+reading the configuration, then the server will exit with a non-zero
+status code. If the configuration appears to be acceptable, then the
+server will exit with a zero status code.
+
+Note that there are limitations to this check. Due to the
+complexities involved in \fIalmost\fP starting a RADIUS server, these
+checks are necessarily incomplete. The server can return a zero
+status code when run with \-C, but may still exit with an error when
+run normally.
+
+See the output of
+.B "radiusd \-XC"
+for an informative list of which modules are checked for correct
+configuration, and which modules are skipped, and therefore not checked.
+.IP "\-d \fIconfig directory\fP"
+Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
+files such as the \fIdictionary\fP and the \fIusers\fP files.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+.IP \-f
+Do not fork, stay running as a foreground process.
+.IP \-h
+Print usage help information.
+.IP "\-i \fIip-address\fP"
+Defines which IP address that the server uses for sending and
+receiving packets.
+
+If this command-line option is given, then the "bind_address" and all
+"listen{}" entries in \fIradiusd.conf\fP are ignored.
+
+This option MUST be used in conjunction with "-p".
+.IP "\-l \fIlog_file\fP"
+Defaults to \fI${logdir}/radius.log\fP. \fBRadiusd\fP writes it's logging
+information to this file. If log_file is the string "stdout" logging will
+be written to stdout.
+.IP \-m
+On SIGINT or SIGQUIT exit cleanly instead of immediately.
+This is most useful for when running the server with "valgrind".
+.IP "\-n \fIname\fP"
+Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
+.IP "\-p \fIport\fP"
+Defines which port is used for receiving authentication packets.
+Accounting packets are received on "port + 1".
+
+When this command-line option is given, all "listen" sections in
+\fIradiusd.conf\fP are ignored.
+
+This option MUST be used in conjunction with "-i".
+.IP "\-P
+Always write out PID, even with -f.
+.IP \-s
+Run in "single server" mode. The server normally runs with multiple
+threads and/or processes, which can lower its response time to
+requests. Some systems have issues with threading, however, so
+running in "single server" mode may help to address those issues. In
+single server mode, the server will also not "daemonize"
+(auto-background) itself.
+.IP \-t
+Do not spawn threads.
+.IP \-v
+Print server version information and exit.
+.IP \-X
+Debugging mode. Equivalent to "\-sfxx \-l stdout". When trying to
+understand how the server works, ALWAYS run it with "radiusd \-X".
+For production servers, use "raddebug"
+.IP \-x
+Finer-grained debug mode. In this mode the server will print details
+of every request on it's \fBstdout\fP output. You can specify this
+option multiple times (\-x \-x or \-xx) to get more detailed output.
+.SH DEBUGGING
+The default configuration is set to work in the widest possible
+circumstances. It requires minimal changes for your system.
+
+However, your needs may be complex, and may require significant
+changes to the server configuration. Making random changes is a
+guaranteed method of failure. Instead, we STRONGLY RECOMMEND
+proceeding via the following steps:
+.PP
+1) Always run the server in debugging mode (
+.B radiusd \-X
+) after making a configuration change. We cannot emphasize this
+enough. If you are not running the server in debugging mode, you
+\fIwill not\fP be able to see what is doing, and you \fIwill not\fP be
+able to correct any problems.
+
+If you ask questions on the mailing list, the first response will be
+to tell you "run the server in debugging mode". Please, follow these
+instructions.
+.PP
+2) Change as little as possible in the default configuration files.
+The server contains a decade of experience with protocols, databases,
+and different systems. Its default configuration is designed to work
+almost everywhere, and to do almost everything you need.
+.PP
+3) When you make a small change, testing it before changing anything
+else. If the change works, save a copy of the configuration, and make
+another change. If the change doesn't work, debug it, and try to
+understand why it doesn't work.
+.PP
+If you begin by making large changes to the server configuration, it
+will never work, and you will never be able to debug the problem.
+.PP
+4) If you need to add a connection to a database FOO (e.g. LDAP or
+SQL), then:
+.PP
+.in +0.3i
+a) Edit raddb/modules/foo
+.br
+This file contains the default configuration for the module. It
+contains comments describing what can be configured, and what those
+configuration entries mean.
+.br
+.br
+b) Edit raddb/sites-available/default
+.br
+This file contains the default policy for the server. e.g. "enable
+CHAP, MS-CHAP, and EAP authentication". Look in this file for all
+references to your module "foo". Read the comments, and remove the
+leading hash '#' from the lines referencing the module. This enables
+the module.
+.br
+.br
+c) Edit raddb/sites-available/inner-tunnel
+.br
+This file contains the default policy for the "tunneled" portion of
+certain EAP methods. Perform the same kind of edits as above, for the
+"default" file.. If you are not using EAP (802.1X), then this step
+can be skipped.
+.br
+.br
+d) Start the server in debugging mode (
+.B radiusd \-X
+), and start testing.
+.in -0.3i
+.PP
+5) Ask questions on the mailing list
+(freeradius-users@lists.freeradius.org). When asking questions,
+include the output from debugging mode (
+.B radiusd \-X
+). This information will allow people to help you. If you do not
+include it, the first response to your message will be "post the
+output of debug mode".
+.PP
+Ask questions earlier, rather than later. If you cannot solve a
+problem in a day, ask a question on the mailing list. Most questions
+have been seen before, and can be answered quickly.
+.SH BACKGROUND
+\fBRADIUS\fP is a protocol spoken between an access server, typically
+a device connected to several modems or ISDN lines, and a \fBradius\fP
+server. When a user connects to the access server, (s)he is asked for
+a loginname and a password. This information is then sent to the \fBradius\fP
+server. The server replies with "access denied", or "access OK". In the
+latter case login information is sent along, such as the IP address in
+the case of a PPP connection.
+.PP
+The access server also sends login and logout records to the \fBradius\fP
+server so accounting can be done. These records are kept for each terminal
+server separately in a file called \fBdetail\fP, and in the \fIwtmp\fP
+compatible logfile \fB/var/log/radwtmp\fP.
+.SH CONFIGURATION
+\fBRadiusd\fP uses a number of configuration files. Each file has it's
+own manpage describing the format of the file. These files are:
+.IP radiusd.conf
+The main configuration file, which sets the administrator-controlled
+items.
+.IP dictionary
+This file is usually static. It defines all the possible RADIUS attributes
+used in the other configuration files. You don't have to modify it.
+It includes other dictionary files in the same directory.
+.IP hints
+Defines certain hints to the radius server based on the users's loginname
+or other attributes sent by the access server. It also provides for
+mapping user names (such as Pusername -> username). This provides the
+functionality that the \fILivingston 2.0\fP server has as "Prefix" and
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
+the Livingston way of doing things is also supported, and you can even use
+both at the same time (within certain limits).
+.IP huntgroups
+Defines the huntgroups that you have, and makes it possible to restrict
+access to certain huntgroups to certain (groups of) users.
+.IP users
+Here the users are defined. On a typical setup, this file mainly contains
+DEFAULT entries to process the different types of logins, based on hints
+from the hints file. Authentication is then based on the contents of
+the UNIX \fI/etc/passwd\fP file. However it is also possible to define all
+users, and their passwords, in this file.
+.SH SEE ALSO
+radiusd.conf(5), users(5), huntgroups(5), hints(5),
+dictionary(5), raddebug(8)
+.SH AUTHOR
+The FreeRADIUS Server Project (http://www.freeradius.org)
+
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
new file mode 100644
index 0000000..b58a2e3
--- /dev/null
+++ b/man/man8/radmin.8
@@ -0,0 +1,188 @@
+.TH RADMIN 8 "11 Mar 2019" "" "FreeRADIUS Server Administration Tool"
+.SH NAME
+radmin - FreeRADIUS Administration tool
+.SH SYNOPSIS
+.B radmin
+.RB [ \-d
+.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
+.RB [ \-e
+.IR command ]
+.RB [ \-E ]
+.RB [ \-f
+.IR socket_file ]
+.RB [ \-h ]
+.RB [ \-i
+.IR input_file ]
+.RB [ \-n
+.IR name ]
+.RB [ \-q ]
+.SH DESCRIPTION
+FreeRADIUS Server administration tool that connects to the control
+socket of a running server, and gives a command-line interface to it.
+
+At this time, only a few commands are supported. Please type "help"
+at the command prompt for detailed information about the supported
+commands.
+.SH WARNING
+The security protections offered by this command are limited to the
+permissions on the Unix domain socket, and the server
+configuration. If someone can connect to the Unix domain socket, they
+have a substantial amount of control over the server.
+.SH OPTIONS
+The following command-line options are accepted by the program.
+.IP "\-d \fIconfig directory\fP"
+Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
+configuration files to find the "listen" section that defines the
+control socket filename.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+.IP "\-e \fIcommand\fP"
+Run \fIcommand\fP and exit.
+.IP \-E
+Echo commands as they are being executed.
+.IP "\-f \fIsocket_file\fP"
+Specify the socket filename directly. The radiusd.conf file is not read.
+.IP \-h
+Print usage help information.
+.IP "\-i \fIinput_file\fP"
+Reads input from the specified file. If not specified, stdin is used.
+This also sets "-q".
+.IP "\-n \fImname\fP"
+Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
+.IP \-q
+Quiet mode.
+.SH COMMANDS
+The commands implemented by the command-line interface are almost
+completely controlled by the server. There are a few commands
+interpreted locally by radmin:
+.IP reconnect
+Reconnect to the server.
+.IP quit
+Exit from radmin.
+.IP exit
+Exit from radmin.
+.PP
+The other commands are implemented by the server. Type "help" at the
+prompt for more information.
+.SH EXAMPLES
+.IP debug\ file\ /var/log/radius/bob.log
+Set debug logs to /var/log/radius/bob.log. There is very little
+checking of this filename. Rogue administrators may be able use this
+command to over-write almost any file on the system. If those
+administrators have write access to "radius.conf", they can do the
+same thing without radmin, too.
+.IP debug\ condition\ '(User-Name\ ==\ "bob")'
+Enable debugging output for all requests that match the condition.
+Any "unlang" condition is valid here. The condition is parsed as a
+string, so it must be enclosed in single or double quotes. Strings
+enclosed in double-quotes must have back-slashes and the quotation
+marks escaped inside of the string.
+
+Only one debug condition can be active at a time.
+.IP "debug condition '((User-Name == ""bob"") || (Packet-Src-IP-Address == 192.0.2.22))'"
+A more complex condition that enables debugging output for requests
+containing User-Name "bob", or requests that originate from source IP
+address 192.0.2.22.
+.IP debug\ condition
+Disable debug conditionals.
+.SH FULL LIST OF COMMANDS
+.IP add\ <command>
+do sub-command of add
+.IP add\ client\ <command>
+Add client configuration commands
+.IP add\ client\ file\ <filename>
+Add new client definition from <filename>
+.IP debug\ <command>
+debugging commands
+.IP debug\ condition\ [condition]
+Enable debugging for requests matching [condition]
+.IP debug\ level\ <number>
+Set debug level to <number>. Higher is more debugging.
+.IP debug\ file\ [filename]
+Send all debugging output to [filename]
+.IP del\ <command>
+do sub-command of del
+.IP del\ client\ <command>
+Delete client configuration commands
+.IP del\ client\ ipaddr\ <ipaddr>
+Delete a dynamically created client
+.IP hup\ [module]
+sends a HUP signal to the server, or optionally to one module
+.IP inject\ <command>
+commands to inject packets into a running server
+.IP inject\ to\ <ipaddr>\ <port>
+Inject packets to the destination IP and port.
+.IP inject\ from\ <ipaddr>
+Inject packets as if they came from <ipaddr>
+.IP inject\ file\ <input-file>\ <output-file>
+Inject packet from input-file>, with results sent to <output-file>
+.IP reconnect
+reconnect to a running server
+.IP terminate
+terminates the server, and cause it to exit
+.IP set\ <command>
+do sub-command of set
+.IP set\ module\ <command>
+set module commands
+.IP set\ module\ config\ <module>\ variable\ value
+set configuration for <module>
+.IP set\ module\ status\ [alive|dead]
+set the module to be alive or dead (always return "fail")
+.IP set\ home_server\ <command>
+set home server commands
+.IP set\ home_server\ state\ <ipaddr>\ <port>\ [alive|dead]
+set state for given home server
+.IP show\ <command>
+do sub-command of show
+.IP show\ client\ <command>
+do sub-command of client
+.IP show\ client\ config\ <ipaddr>\ [udp|tcp]
+shows configuration for a given client.
+.IP show\ client\ list
+shows list of global clients
+.IP show\ debug\ <command>
+show debug properties
+.IP show\ debug\ condition
+Shows current debugging condition.
+.IP show\ debug\ level
+Shows current debugging level.
+.IP show\ debug\ file
+Shows current debugging file.
+.IP show\ home_server\ <command>
+do sub-command of home_server
+.IP show\ home_server\ config\ <ipaddr>\ <port>
+show configuration for given home server
+.IP show\ home_server\ list
+shows list of home servers
+.IP show\ home_server\ state\ <ipaddr>\ <port>
+shows state of given home server
+.IP show\ module\ <command>
+do sub-command of module
+.IP show\ module\ config\ <module>
+show configuration for given module
+.IP show\ module\ flags\ <module>
+show other module properties
+.IP show\ module\ list
+shows list of loaded modules
+.IP show\ module\ methods\ <module>
+show sections where <module> may be used
+.IP show\ uptime
+shows time at which server started
+.IP show\ version
+Prints version of the running server
+.IP show\ xml\ <reference>
+Prints out configuration as XML
+.IP stats\ <command>
+do sub-command of stats
+.IP stats\ client\ [auth/acct]\ <ipaddr>
+show statistics for given client, or for all clients (auth or acct)
+.IP stats\ home_server\ [<ipaddr>|auth|acct]\ <port>
+show statistics for given home server (ipaddr and port), or for all home servers (auth or acct)
+.IP stats\ detail\ <filename>
+show statistics for the given detail file
+.SH SEE ALSO
+unlang(5), radiusd.conf(5), raddb/sites-available/control-socket
+.SH AUTHOR
+Alan DeKok <aland@freeradius.org>
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
new file mode 100644
index 0000000..99e6573
--- /dev/null
+++ b/man/man8/radrelay.8
@@ -0,0 +1,49 @@
+.TH RADRELAY 8 "23 October 2007" "" "FreeRADIUS Daemon"
+.SH NAME
+radrelay -- Deprecated command.
+.SH DESCRIPTION
+The functions of \fIradrelay\fP have been added to \fIradiusd\fP. One
+benefit is that one instance of \fIradiusd\fP can read multiple detail
+files, among others.
+.PP
+The \fIrlm_sql_log\fP module does something similar, but for SQL
+queries. See it's man page for details.
+.SH "REPLICATION FOR BACKUPS"
+Many sites run multiple radius servers; at least one primary and one
+backup server. When the primary goes down, most NASes detect that and
+switch to the backup server.
+
+That will cause your accounting packets to go to the backup server -
+and some NASes don't even switch back to the primary server when it
+comes back up.
+
+The result is that accounting records are missed, and/or the
+administrator must jump through hoops in order to combine the
+different detail files from multiple servers. It also means that the
+session database ("radutmp", used for radwho and simultaneous use
+detection) gets out of sync.
+
+We solve this issue by "relaying" packets from one server to
+another, so they both have the same set of accounting data.
+
+See raddb/sites-available/buffered-sql for more information.
+.SH "BUFFERING FOR HIGH-LOAD SERVERS"
+If the RADIUS server suddenly receives a many accounting packets,
+there may be insufficient CPU power to process them all in a timely
+manner. This problem is especially noticeable when the accounting
+packets are going to a back-end database.
+
+Similarly, you may have one database that tracks "live" sessions, and
+another that tracks historical accounting data. In that case,
+accessing the first database is fast, as it is small. Accessing the
+second database many be slower, as it may contain multiple gigabytes
+of data. In addition, writing to the first database in a timely
+manner is important, while data may be written to the second database
+with a few minutes delay, without any harm being done.
+
+See raddb/sites-available/copy-to-home-server for more information.
+.SH SEE ALSO
+.BR radiusd(8),
+.BR rlm_sql_log(5)
+.SH AUTHOR
+The FreeRADIUS Server Project
diff --git a/man/man8/radsniff.8 b/man/man8/radsniff.8
new file mode 100644
index 0000000..24c0ee3
--- /dev/null
+++ b/man/man8/radsniff.8
@@ -0,0 +1,75 @@
+.TH RADSNIFF 8
+.SH NAME
+radsniff - dump radius protocol
+.SH SYNOPSIS
+.B radsniff
+.RB [ \-c
+.IR count ]
+.RB [ \-d
+.IR directory ]
+.RB [ \-F ]
+.RB [ \-f
+.IR filter ]
+.RB [ \-h ]
+.RB [ \-i
+.IR interface ]
+.RB [ \-I
+.IR filename ]
+.RB [ \-m ]
+.RB [ \-p
+.IR port ]
+.RB [ \-r
+.IR request filter]
+.RB [ \-R
+.IR response filter ]
+.RB [ \-s
+.IR secret ]
+.RB [ \-S ]
+.RB [ \-w
+.IR file ]
+.RB [ \-x ]
+
+.SH DESCRIPTION
+\fBradsniff\fP is a simple wrapper around libpcap. It can also print
+out the contents of RADIUS packets using the FreeRADIUS dictionaries.
+
+.SH OPTIONS
+
+.IP \-c\ \fIcount\fP
+Number of packets to capture.
+.IP \-d\ \fIdirectory\fP
+Directory where the dictionaries are found.
+.IP \-F
+Filter PCAP file from stdin to stdout.
+Output file will contain RADIUS packets.
+.IP \-f\ \fIfilter\fP
+PCAP filter. (default is udp port 1812 or 1813)
+.IP \-h
+Print usage help information.
+.IP \-i\ \fIinterface\fP
+Interface to capture.
+.IP \-I\ \fIfilename\fP
+Read packets from filename.
+.IP \-m
+Print packet headers only, not contents.
+.IP \-p\ \fIport\fP
+\tListen for packets on port.
+.IP \-r\ \fIattribute-filter\fP
+RADIUS attribute request filter.
+.IP \-R\ \fIattribute-filter\fP
+RADIUS attribute response filter.
+.IP \-s\ \fIsecret\fP
+RADIUS secret.
+.IP \-S
+Sort attributes in the packet.
+Used to compare server results.
+.IP \-w\ \fIfile\fP
+Write output packets to file.
+.IP \-x
+Print out debugging information.
+
+
+.SH SEE ALSO
+radiusd(8),pcap(3)
+.SH AUTHORS
+Nicolas Baradakis <nicolas.baradakis@cegetel.net>
diff --git a/man/man8/radsqlrelay.8 b/man/man8/radsqlrelay.8
new file mode 100644
index 0000000..f161cc3
--- /dev/null
+++ b/man/man8/radsqlrelay.8
@@ -0,0 +1,90 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH RADSQLRELAY 8 "19 June 2005" "" "FreeRADIUS helper program"
+
+.SH NAME
+radsqlrelay - relay SQL queries to a central database server
+
+.SH SYNOPSIS
+.B radsqlrelay
+.RB [ \-? ]
+.RB [ \-d
+.IR sql_driver ]
+.RB [ \-b
+.IR database ]
+.RB [ \-f
+.IR file ]
+.RB [ \-h
+.IR host ]
+.RB [ \-u
+.IR user ]
+.RB [ \-P
+.IR port ]
+.RB [ \-p
+.IR password ]
+.RB [ \-1 ]
+.RB [ \-x ]
+\fIfile_path\fP
+
+.SH DESCRIPTION
+\fBradsqlrelay\fP tails a SQL \fIlogfile\fP and forwards the queries
+to a database server. Used to replicate accounting records to one
+(central) database, even if the database has extended downtime.
+.PP
+The SQL logfile is created by the \fBrlm_sql\fP module with the
+rlm_sql_null driver logging to disk.. The module must be configured in
+the \fBradiusd\fP server before you can use \fBradsqlrelay\fP.
+
+.SH OPTIONS
+.IP "\-?"
+Print usage help information.
+.IP "\-d \fIsql_driver\fP"
+Driver to use: mysql, pg, oracle.
+.IP "\-b \fIdatabase\fP"
+Name of the database to use.
+.IP "\-f \fIfile\fP"
+Read password from file, instead of command line.
+.IP "\-h \fIhost\fP"
+Connect to host.
+.IP "\-u \fIuser\fP"
+User for login.
+.IP "\-P \fIport\fP"
+Port number to use for connection.
+.IP "\-p \fIpassword\fP"
+Password to use when connecting to server.
+.IP "\-1"
+One-shot mode: push the file to database and exit.
+.IP "\-x"
+Turn on debugging.
+.IP "file_path"
+The pathname of the SQL logfile to use.
+
+.SH NOTES
+.SS Oracle driver
+The command "radsqlrelay \-d oracle \-b db.domain.tld sql-relay" reads the
+database description stored in $TNS_ADMIN/tnsnames.ora:
+.PP
+.DS
+db.domain.tld =
+ (DESCRIPTION =
+ (ADDRESS_LIST =
+ (ADDRESS = (PROTOCOL = TCP)(HOST = db.domain.tld)(PORT = 1521))
+ )
+ (CONNECT_DATA =
+ (SERVICE_NAME = <DB SID>)
+ )
+ )
+.DE
+
+.SH AUTHOR
+Nicolas Baradakis <nicolas.baradakis@cegetel.net>
diff --git a/man/man8/rlm_sqlippool_tool.8 b/man/man8/rlm_sqlippool_tool.8
new file mode 100644
index 0000000..a7dfbb7
--- /dev/null
+++ b/man/man8/rlm_sqlippool_tool.8
@@ -0,0 +1,157 @@
+.TH RLM_SQLIPPOOL_TOOL 8
+.SH NAME
+rlm_sqlippool_tool - manage SQL IP pools
+.SH SYNOPSIS
+.B rlm_sqlippool_tool
+.RB \-p
+.IR pool_name
+.RB \-s
+.IR range_start
+.RB \-e
+.IR range_end
+.RB \-t
+.IR table_name
+.RB \-d
+.OR dialect
+.RB \-f
+.IR raddb_dir
+.RB \-i
+.IR instance
+.RB [ \-c
+.IR capacity ]
+.RB [ \-x
+.IR existing_ips_file ]
+
+.B rlm_sqlippool_tool
+.RB \-y
+.IR pool_defs_yaml_file
+.RB \-t
+.IR table_name
+.RB \-d
+.OR dialect
+.RB \-f
+.IR raddb_dir
+.RB \-i
+.IR instance
+.RB [ \-x
+.IR existing_ips_file ]
+
+.SH DESCRIPTION
+\fBrlm_sqlippool_tool\fP is a tool to manage IP address in SQL IP
+pools as used by FreeRADIUS. It will either output SQL that can
+be used to manipulate the database or will interact directly with
+a database to populate an IP pool table.
+
+The format of the SQL output or the commands operated on the database
+are based on the default FreeRADIUS ippool schemas. The fields
+populated are \fIpool_name\fP and \fIframedipaddress\fP. All other
+fields are left to be populated with their database defaults.
+
+.SH OPTIONS
+
+.IP \-c\ \fIcapacity\fP
+Number of IP addreses to populate the pool with. Defaults to 65536,
+or the maximum number that can be provisioned between the start and
+end of the range.
+.IP \-d\ \fIdialect\fP
+SQL dialect to use in producing the output.
+.IP \-e\ \fIrange_end\fP
+End IP address in the pool range. Either IPv4 or IPv6 addresses are
+allowed.
+.IP \-f\ \fIraddb_dir\fP
+Directory containing the FreeRADIUS configuration. If this option
+is specified, then \fBrlm_sqlippool_tool\fP will parse the configuration
+and attempt to talk directly to the database server specified in
+the FreeRADIUS configuration.
+.IP \-i\ \fIinstance\fP
+Used in conjuction with -f. Specifies the name of the sql module
+instance to parse in the FreeRADIUS configuration. Defaults to \fIsql\fP.
+.IP \-p\ \fIpool_name\fP
+The pool name to populate.
+.IP \-s\ \fIrange_start\fP
+Start IP address in the pool range. Either IPv4 or IPv6 addresses
+are allowed.
+.IP \-t\ \fItable_name\fP
+Name of the table in the database to populate.
+.IP \-x\ \fIexisting_ips_file\fP
+A file containing exsiting IP addresses in the pool. Use of this allows
+for more controlled growth of a sparesly populated pool.
+.IP \-y\ \fIpool_defs_yaml_file\fP
+A YAML formatted file containing specifications for a number of pools.
+
+.SH EXAMPLES
+To produce MySQL formatted SQL for a pool named \fIlocal\fP populated with
+addresses from 10.0.0.1 to 10.0.0.199:
+.PP
+.nf
+.RS
+$ rlm_sqlippool_tool -p local -s 10.0.0.1 -e 10.0.0.199 \\
+ -t dhcpippool -d mysql
+.RE
+.fi
+.PP
+To do the same but directly interacting with the SQL module configured
+in the FreeRADIUS configuration under \fI/etc/raddb\fP:
+.PP
+.nf
+.RS
+$ rlm_sqlippool_tool -p local -s 10.0.0.1 -e 10.0.0.199 \\
+ -t dhcpippool -f /etc/raddb
+.RE
+.fi
+.PP
+To use a YAML file to specify the pool ranges to be populated, outputting
+PostgreSQL formatted SQL:
+.PP
+.nf
+.RS
+$ rlm_sqlippool_tool -y pools.yaml -t dhcpippool -d postgresql
+.RE
+.fi
+.PP
+
+.SH YAML FORMAT
+
+A YAML file to populate multiple pools should be formatted like this:
+.PP
+.nf
+.RS
+pool_with_a_single_contiguous_range:
+ - start: 192.0.2.3
+ end: 192.0.2.250
+
+pool_with_a_single_sparse_range:
+ - start: 10.10.10.0
+ end: 10.10.20.255
+ capacity: 200
+
+pool_with_multiple_ranges:
+ - start: 10.10.10.1
+ end: 10.10.10.253
+ - start: 10.10.100.0
+ end: 10.10.199.255
+ capacity: 1000
+
+v6_pool_with_contiguous_range:
+ - start: '2001:db8:1:2:3:4:5:10'
+ end: '2001:db8:1:2:3:4:5:7f'
+
+v6_pool_with_sparse_range:
+ - start: '2001:db8:1:2::'
+ end: '2001:db8:1:2:ffff:ffff:ffff:ffff'
+ capacity: 200
+.RE
+.ni
+.PP
+
+.SH PREREQUISITES
+
+To output formatted SQL, the Perl Template::Toolkit module is required.
+
+Direct connection to databases is done using Perl DBI. The appropriate
+Perl DBD driver needs to be installed to enable this functionality.
+
+.SH SEE ALSO
+radiusd.conf(5), raddb/mods-available/sql
+.SH AUTHORS
+Nick Porter <nick@portercomputing.co.uk>