summaryrefslogtreecommitdiffstats
path: root/man/man8
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--man/man8/radcrypt.845
-rw-r--r--man/man8/raddebug.8104
-rw-r--r--man/man8/radiusd.8235
-rw-r--r--man/man8/radmin.8188
-rw-r--r--man/man8/radrelay.849
-rw-r--r--man/man8/radsniff.875
-rw-r--r--man/man8/radsqlrelay.890
-rw-r--r--man/man8/rlm_sqlippool_tool.8157
8 files changed, 943 insertions, 0 deletions
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
new file mode 100644
index 0000000..08336c6
--- /dev/null
+++ b/man/man8/radcrypt.8
@@ -0,0 +1,45 @@
+.TH RADCRYPT 8
+.SH NAME
+radcrypt - generate password hash for use with radius, or validates a password hash
+.SH SYNOPSIS
+.B radcrypt
+.RB [ \-d | --des ]
+.RB [ \-m | --md5 ]
+.RB [ \-c | --check ]
+\fIplaintext_password\fP [\fIhashed_password\fP]
+.SH DESCRIPTION
+\fBradcrypt\fP generates a hashed digest of a plaintext password, or can
+validate if a password hash matches a plaintext password. DES and MD5
+hashes are currently supported. When generating a password hash a random
+salt is generated and applied.
+.PP
+A hashed password can be validated by specifying \fI-c\fP or \fI--check\fP and
+passing \fIhashed_password\fP after \fIplaintext_password\fP on the command line.
+In this case \fIhashed_password\fP will be checked to see if it matches
+\fIplaintext_password\fP. If so "Password OK" will be printed and the exit
+status will be 1, otherwise "Password BAD" will be printed and exit status
+will be 0 (Note this is the opposite of a normal successful shell status).
+
+.SH OPTIONS
+
+.IP "\-d --des"
+Use a DES (Data Encryption Standard) hash (default).
+Ignored if performing a password check.
+.IP "\-m --md5"
+Use a MD5 (Message Digest 5) hash.
+Ignored if performing a password check.
+.IP "\-c --check"
+Perform a validation check on a password hash to verify if it matches
+the plantext password.
+
+.SH EXAMPLES
+.nf
+$ radcrypt foobar
+HaX0xn7Qy650Q
+$ radcrypt \-c foobar HaX0xn7Qy650Q
+Password OK
+.fi
+.SH SEE ALSO
+radiusd(8), crypt(3)
+.SH AUTHORS
+Miquel van Smoorenburg <miquels@cistron-office.nl>
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
new file mode 100644
index 0000000..6e27e24
--- /dev/null
+++ b/man/man8/raddebug.8
@@ -0,0 +1,104 @@
+.TH RADDEBUG 8 "1 September 2010" "" "FreeRADIUS Daemon"
+.SH NAME
+raddebug - Display debugging output from a running server.
+.SH SYNOPSIS
+.B raddebug
+.RB [ \-c
+.IR condition ]
+.RB [ \-d
+.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
+.RB [ \-n
+.IR name ]
+.RB [ \-i
+.IR ipv4-address ]
+.RB [ \-I
+.IR ipv6-address ]
+.RB [ \-f
+.IR socket_file ]
+.RB [ \-t
+.IR timeout ]
+.RB [ \-u
+.IR user-name ]
+.SH DESCRIPTION
+\fBraddebug\fP is a shell script wrapper around \fBradmin\fP that
+automates the process of obtaining debugging output from a running
+server. It does this without impacting service availability, unlike
+using \fBradiusd -X\fP. There are a number of prerequisites that are
+required for its proper operation:
+.PP
+.in +0.3i
+* \fBradmin\fP must be available in the PATH.
+.br
+* The user running \fBraddebug\fP must have permission to connect to
+ the server control socket.
+.br
+* The control socket must be configured. For instructions, see
+ raddb/sites-available/control-socket
+.br
+* The control socket must be marked as "mode = rw".
+.br
+* The user running \fBraddebug\fP must have permission to read and
+ write files in the "logdir" directory. This is usually
+ /var/log/radiusd.
+.in -0.3i
+.PP
+For a number of reasons, the debugging output is placed in an
+intermediate file, rather than being sent directly to standard output.
+In order to prevent this file from growing too large, the
+\fBraddebug\fP program is automatically terminated after 10 seconds.
+This timeout can be changed via the "-t" parameter.
+.PP
+When the script exits, debug mode in the server is disabled, and the
+intermediate file is deleted.
+.PP
+Debug output from a live server can be redirected to only one
+location. If a second instance of \fIraddebug\fP is started while the
+first one is still running, the later one will over-ride the first
+one, and the first will stop producing output.
+.SH OPTIONS
+
+.IP \-c\ \fIcondition\fP
+Set a specific debug condition. The format of the condition is as
+specified in the CONDITIONS section of the \fIunlang\fP manual page.
+.IP \-f\ \fIsocket_file\fP
+The path to the control socket. See the \fIradmin\fP manual page for
+more description of this option.
+.IP \-i\ \fIipv4-address\fP
+Show debug output for the client having the given IPv4 address. This
+option is equivalent to using:
+.br
+.in +0.3i
+-c '(Packet-Src-IP-Address == ipv4-address)'
+.in -0.3i
+.IP "\-d \fIconfig directory\fP"
+The radius configuration directory, usually /etc/raddb. See the
+\fIradmin\fP manual page for more description of this option.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+.IP "\-n \fImname\fP"
+Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
+.IP \-I\ \fIipv6-address\fP
+Show debug output for the client having the given IPv6 address. This
+option is equivalent to using:
+.br
+.in +0.3i
+-c '(Packet-Src-IPv6-Address == ipv6-address)'
+.in -0.3i
+.IP \-t\ \fItimeout\fP
+Stop printing debug output after "timeout" seconds. The default
+timeout is sixty (60) seconds. Use "-t 0" to print debugging output forever,
+or until the script exits.
+.IP \-u\ \fIname\fP
+Show debug output for users having the given name. This
+option is equivalent to using:
+.br
+.in +0.3i
+-c '(User-Name == name)'
+.in -0.3i
+
+.SH SEE ALSO
+radmin(8), raddb/sites-available/control-socket, unlang(5), radiusd.conf(5)
+.SH AUTHORS
+Alan DeKok <aland@freeradius.org>
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
new file mode 100644
index 0000000..74da13b
--- /dev/null
+++ b/man/man8/radiusd.8
@@ -0,0 +1,235 @@
+.TH RADIUSD 8 "26 Apr 2012" "" "FreeRADIUS Daemon"
+.SH NAME
+radiusd - Authentication, Authorization and Accounting server
+.SH SYNOPSIS
+.B radiusd
+.RB [ \-C ]
+.RB [ \-d
+.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
+.RB [ \-f ]
+.RB [ \-h ]
+.RB [ \-i
+.IR ip-address ]
+.RB [ \-l
+.IR log_file ]
+.RB [ \-m ]
+.RB [ \-n
+.IR name ]
+.RB [ \-p
+.IR port ]
+.RB [ \-P ]
+.RB [ \-s ]
+.RB [ \-t ]
+.RB [ \-v ]
+.RB [ \-x ]
+.RB [ \-X ]
+.SH DESCRIPTION
+FreeRADIUS is a high-performance and highly configurable RADIUS
+server. It supports many database back-ends such as flat-text files,
+SQL, LDAP, Perl, Python, etc. It also supports many authentication
+protocols such as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP
+(EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM, etc.).
+
+It also has full support for Cisco's VLAN Query Protocol (VMPS) and
+DHCP.
+
+Please read the DEBUGGING section below. It contains instructions
+for quickly configuring the server for your local system.
+.SH OPTIONS
+The following command-line options are accepted by the server:
+.IP \-C
+Check the configuration and exit immediately. If there is a problem
+reading the configuration, then the server will exit with a non-zero
+status code. If the configuration appears to be acceptable, then the
+server will exit with a zero status code.
+
+Note that there are limitations to this check. Due to the
+complexities involved in \fIalmost\fP starting a RADIUS server, these
+checks are necessarily incomplete. The server can return a zero
+status code when run with \-C, but may still exit with an error when
+run normally.
+
+See the output of
+.B "radiusd \-XC"
+for an informative list of which modules are checked for correct
+configuration, and which modules are skipped, and therefore not checked.
+.IP "\-d \fIconfig directory\fP"
+Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
+files such as the \fIdictionary\fP and the \fIusers\fP files.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+.IP \-f
+Do not fork, stay running as a foreground process.
+.IP \-h
+Print usage help information.
+.IP "\-i \fIip-address\fP"
+Defines which IP address that the server uses for sending and
+receiving packets.
+
+If this command-line option is given, then the "bind_address" and all
+"listen{}" entries in \fIradiusd.conf\fP are ignored.
+
+This option MUST be used in conjunction with "-p".
+.IP "\-l \fIlog_file\fP"
+Defaults to \fI${logdir}/radius.log\fP. \fBRadiusd\fP writes it's logging
+information to this file. If log_file is the string "stdout" logging will
+be written to stdout.
+.IP \-m
+On SIGINT or SIGQUIT exit cleanly instead of immediately.
+This is most useful for when running the server with "valgrind".
+.IP "\-n \fIname\fP"
+Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
+.IP "\-p \fIport\fP"
+Defines which port is used for receiving authentication packets.
+Accounting packets are received on "port + 1".
+
+When this command-line option is given, all "listen" sections in
+\fIradiusd.conf\fP are ignored.
+
+This option MUST be used in conjunction with "-i".
+.IP "\-P
+Always write out PID, even with -f.
+.IP \-s
+Run in "single server" mode. The server normally runs with multiple
+threads and/or processes, which can lower its response time to
+requests. Some systems have issues with threading, however, so
+running in "single server" mode may help to address those issues. In
+single server mode, the server will also not "daemonize"
+(auto-background) itself.
+.IP \-t
+Do not spawn threads.
+.IP \-v
+Print server version information and exit.
+.IP \-X
+Debugging mode. Equivalent to "\-sfxx \-l stdout". When trying to
+understand how the server works, ALWAYS run it with "radiusd \-X".
+For production servers, use "raddebug"
+.IP \-x
+Finer-grained debug mode. In this mode the server will print details
+of every request on it's \fBstdout\fP output. You can specify this
+option multiple times (\-x \-x or \-xx) to get more detailed output.
+.SH DEBUGGING
+The default configuration is set to work in the widest possible
+circumstances. It requires minimal changes for your system.
+
+However, your needs may be complex, and may require significant
+changes to the server configuration. Making random changes is a
+guaranteed method of failure. Instead, we STRONGLY RECOMMEND
+proceeding via the following steps:
+.PP
+1) Always run the server in debugging mode (
+.B radiusd \-X
+) after making a configuration change. We cannot emphasize this
+enough. If you are not running the server in debugging mode, you
+\fIwill not\fP be able to see what is doing, and you \fIwill not\fP be
+able to correct any problems.
+
+If you ask questions on the mailing list, the first response will be
+to tell you "run the server in debugging mode". Please, follow these
+instructions.
+.PP
+2) Change as little as possible in the default configuration files.
+The server contains a decade of experience with protocols, databases,
+and different systems. Its default configuration is designed to work
+almost everywhere, and to do almost everything you need.
+.PP
+3) When you make a small change, testing it before changing anything
+else. If the change works, save a copy of the configuration, and make
+another change. If the change doesn't work, debug it, and try to
+understand why it doesn't work.
+.PP
+If you begin by making large changes to the server configuration, it
+will never work, and you will never be able to debug the problem.
+.PP
+4) If you need to add a connection to a database FOO (e.g. LDAP or
+SQL), then:
+.PP
+.in +0.3i
+a) Edit raddb/modules/foo
+.br
+This file contains the default configuration for the module. It
+contains comments describing what can be configured, and what those
+configuration entries mean.
+.br
+.br
+b) Edit raddb/sites-available/default
+.br
+This file contains the default policy for the server. e.g. "enable
+CHAP, MS-CHAP, and EAP authentication". Look in this file for all
+references to your module "foo". Read the comments, and remove the
+leading hash '#' from the lines referencing the module. This enables
+the module.
+.br
+.br
+c) Edit raddb/sites-available/inner-tunnel
+.br
+This file contains the default policy for the "tunneled" portion of
+certain EAP methods. Perform the same kind of edits as above, for the
+"default" file.. If you are not using EAP (802.1X), then this step
+can be skipped.
+.br
+.br
+d) Start the server in debugging mode (
+.B radiusd \-X
+), and start testing.
+.in -0.3i
+.PP
+5) Ask questions on the mailing list
+(freeradius-users@lists.freeradius.org). When asking questions,
+include the output from debugging mode (
+.B radiusd \-X
+). This information will allow people to help you. If you do not
+include it, the first response to your message will be "post the
+output of debug mode".
+.PP
+Ask questions earlier, rather than later. If you cannot solve a
+problem in a day, ask a question on the mailing list. Most questions
+have been seen before, and can be answered quickly.
+.SH BACKGROUND
+\fBRADIUS\fP is a protocol spoken between an access server, typically
+a device connected to several modems or ISDN lines, and a \fBradius\fP
+server. When a user connects to the access server, (s)he is asked for
+a loginname and a password. This information is then sent to the \fBradius\fP
+server. The server replies with "access denied", or "access OK". In the
+latter case login information is sent along, such as the IP address in
+the case of a PPP connection.
+.PP
+The access server also sends login and logout records to the \fBradius\fP
+server so accounting can be done. These records are kept for each terminal
+server separately in a file called \fBdetail\fP, and in the \fIwtmp\fP
+compatible logfile \fB/var/log/radwtmp\fP.
+.SH CONFIGURATION
+\fBRadiusd\fP uses a number of configuration files. Each file has it's
+own manpage describing the format of the file. These files are:
+.IP radiusd.conf
+The main configuration file, which sets the administrator-controlled
+items.
+.IP dictionary
+This file is usually static. It defines all the possible RADIUS attributes
+used in the other configuration files. You don't have to modify it.
+It includes other dictionary files in the same directory.
+.IP hints
+Defines certain hints to the radius server based on the users's loginname
+or other attributes sent by the access server. It also provides for
+mapping user names (such as Pusername -> username). This provides the
+functionality that the \fILivingston 2.0\fP server has as "Prefix" and
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
+the Livingston way of doing things is also supported, and you can even use
+both at the same time (within certain limits).
+.IP huntgroups
+Defines the huntgroups that you have, and makes it possible to restrict
+access to certain huntgroups to certain (groups of) users.
+.IP users
+Here the users are defined. On a typical setup, this file mainly contains
+DEFAULT entries to process the different types of logins, based on hints
+from the hints file. Authentication is then based on the contents of
+the UNIX \fI/etc/passwd\fP file. However it is also possible to define all
+users, and their passwords, in this file.
+.SH SEE ALSO
+radiusd.conf(5), users(5), huntgroups(5), hints(5),
+dictionary(5), raddebug(8)
+.SH AUTHOR
+The FreeRADIUS Server Project (http://www.freeradius.org)
+
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
new file mode 100644
index 0000000..b58a2e3
--- /dev/null
+++ b/man/man8/radmin.8
@@ -0,0 +1,188 @@
+.TH RADMIN 8 "11 Mar 2019" "" "FreeRADIUS Server Administration Tool"
+.SH NAME
+radmin - FreeRADIUS Administration tool
+.SH SYNOPSIS
+.B radmin
+.RB [ \-d
+.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
+.RB [ \-e
+.IR command ]
+.RB [ \-E ]
+.RB [ \-f
+.IR socket_file ]
+.RB [ \-h ]
+.RB [ \-i
+.IR input_file ]
+.RB [ \-n
+.IR name ]
+.RB [ \-q ]
+.SH DESCRIPTION
+FreeRADIUS Server administration tool that connects to the control
+socket of a running server, and gives a command-line interface to it.
+
+At this time, only a few commands are supported. Please type "help"
+at the command prompt for detailed information about the supported
+commands.
+.SH WARNING
+The security protections offered by this command are limited to the
+permissions on the Unix domain socket, and the server
+configuration. If someone can connect to the Unix domain socket, they
+have a substantial amount of control over the server.
+.SH OPTIONS
+The following command-line options are accepted by the program.
+.IP "\-d \fIconfig directory\fP"
+Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
+configuration files to find the "listen" section that defines the
+control socket filename.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+.IP "\-e \fIcommand\fP"
+Run \fIcommand\fP and exit.
+.IP \-E
+Echo commands as they are being executed.
+.IP "\-f \fIsocket_file\fP"
+Specify the socket filename directly. The radiusd.conf file is not read.
+.IP \-h
+Print usage help information.
+.IP "\-i \fIinput_file\fP"
+Reads input from the specified file. If not specified, stdin is used.
+This also sets "-q".
+.IP "\-n \fImname\fP"
+Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
+.IP \-q
+Quiet mode.
+.SH COMMANDS
+The commands implemented by the command-line interface are almost
+completely controlled by the server. There are a few commands
+interpreted locally by radmin:
+.IP reconnect
+Reconnect to the server.
+.IP quit
+Exit from radmin.
+.IP exit
+Exit from radmin.
+.PP
+The other commands are implemented by the server. Type "help" at the
+prompt for more information.
+.SH EXAMPLES
+.IP debug\ file\ /var/log/radius/bob.log
+Set debug logs to /var/log/radius/bob.log. There is very little
+checking of this filename. Rogue administrators may be able use this
+command to over-write almost any file on the system. If those
+administrators have write access to "radius.conf", they can do the
+same thing without radmin, too.
+.IP debug\ condition\ '(User-Name\ ==\ "bob")'
+Enable debugging output for all requests that match the condition.
+Any "unlang" condition is valid here. The condition is parsed as a
+string, so it must be enclosed in single or double quotes. Strings
+enclosed in double-quotes must have back-slashes and the quotation
+marks escaped inside of the string.
+
+Only one debug condition can be active at a time.
+.IP "debug condition '((User-Name == ""bob"") || (Packet-Src-IP-Address == 192.0.2.22))'"
+A more complex condition that enables debugging output for requests
+containing User-Name "bob", or requests that originate from source IP
+address 192.0.2.22.
+.IP debug\ condition
+Disable debug conditionals.
+.SH FULL LIST OF COMMANDS
+.IP add\ <command>
+do sub-command of add
+.IP add\ client\ <command>
+Add client configuration commands
+.IP add\ client\ file\ <filename>
+Add new client definition from <filename>
+.IP debug\ <command>
+debugging commands
+.IP debug\ condition\ [condition]
+Enable debugging for requests matching [condition]
+.IP debug\ level\ <number>
+Set debug level to <number>. Higher is more debugging.
+.IP debug\ file\ [filename]
+Send all debugging output to [filename]
+.IP del\ <command>
+do sub-command of del
+.IP del\ client\ <command>
+Delete client configuration commands
+.IP del\ client\ ipaddr\ <ipaddr>
+Delete a dynamically created client
+.IP hup\ [module]
+sends a HUP signal to the server, or optionally to one module
+.IP inject\ <command>
+commands to inject packets into a running server
+.IP inject\ to\ <ipaddr>\ <port>
+Inject packets to the destination IP and port.
+.IP inject\ from\ <ipaddr>
+Inject packets as if they came from <ipaddr>
+.IP inject\ file\ <input-file>\ <output-file>
+Inject packet from input-file>, with results sent to <output-file>
+.IP reconnect
+reconnect to a running server
+.IP terminate
+terminates the server, and cause it to exit
+.IP set\ <command>
+do sub-command of set
+.IP set\ module\ <command>
+set module commands
+.IP set\ module\ config\ <module>\ variable\ value
+set configuration for <module>
+.IP set\ module\ status\ [alive|dead]
+set the module to be alive or dead (always return "fail")
+.IP set\ home_server\ <command>
+set home server commands
+.IP set\ home_server\ state\ <ipaddr>\ <port>\ [alive|dead]
+set state for given home server
+.IP show\ <command>
+do sub-command of show
+.IP show\ client\ <command>
+do sub-command of client
+.IP show\ client\ config\ <ipaddr>\ [udp|tcp]
+shows configuration for a given client.
+.IP show\ client\ list
+shows list of global clients
+.IP show\ debug\ <command>
+show debug properties
+.IP show\ debug\ condition
+Shows current debugging condition.
+.IP show\ debug\ level
+Shows current debugging level.
+.IP show\ debug\ file
+Shows current debugging file.
+.IP show\ home_server\ <command>
+do sub-command of home_server
+.IP show\ home_server\ config\ <ipaddr>\ <port>
+show configuration for given home server
+.IP show\ home_server\ list
+shows list of home servers
+.IP show\ home_server\ state\ <ipaddr>\ <port>
+shows state of given home server
+.IP show\ module\ <command>
+do sub-command of module
+.IP show\ module\ config\ <module>
+show configuration for given module
+.IP show\ module\ flags\ <module>
+show other module properties
+.IP show\ module\ list
+shows list of loaded modules
+.IP show\ module\ methods\ <module>
+show sections where <module> may be used
+.IP show\ uptime
+shows time at which server started
+.IP show\ version
+Prints version of the running server
+.IP show\ xml\ <reference>
+Prints out configuration as XML
+.IP stats\ <command>
+do sub-command of stats
+.IP stats\ client\ [auth/acct]\ <ipaddr>
+show statistics for given client, or for all clients (auth or acct)
+.IP stats\ home_server\ [<ipaddr>|auth|acct]\ <port>
+show statistics for given home server (ipaddr and port), or for all home servers (auth or acct)
+.IP stats\ detail\ <filename>
+show statistics for the given detail file
+.SH SEE ALSO
+unlang(5), radiusd.conf(5), raddb/sites-available/control-socket
+.SH AUTHOR
+Alan DeKok <aland@freeradius.org>
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
new file mode 100644
index 0000000..99e6573
--- /dev/null
+++ b/man/man8/radrelay.8
@@ -0,0 +1,49 @@
+.TH RADRELAY 8 "23 October 2007" "" "FreeRADIUS Daemon"
+.SH NAME
+radrelay -- Deprecated command.
+.SH DESCRIPTION
+The functions of \fIradrelay\fP have been added to \fIradiusd\fP. One
+benefit is that one instance of \fIradiusd\fP can read multiple detail
+files, among others.
+.PP
+The \fIrlm_sql_log\fP module does something similar, but for SQL
+queries. See it's man page for details.
+.SH "REPLICATION FOR BACKUPS"
+Many sites run multiple radius servers; at least one primary and one
+backup server. When the primary goes down, most NASes detect that and
+switch to the backup server.
+
+That will cause your accounting packets to go to the backup server -
+and some NASes don't even switch back to the primary server when it
+comes back up.
+
+The result is that accounting records are missed, and/or the
+administrator must jump through hoops in order to combine the
+different detail files from multiple servers. It also means that the
+session database ("radutmp", used for radwho and simultaneous use
+detection) gets out of sync.
+
+We solve this issue by "relaying" packets from one server to
+another, so they both have the same set of accounting data.
+
+See raddb/sites-available/buffered-sql for more information.
+.SH "BUFFERING FOR HIGH-LOAD SERVERS"
+If the RADIUS server suddenly receives a many accounting packets,
+there may be insufficient CPU power to process them all in a timely
+manner. This problem is especially noticeable when the accounting
+packets are going to a back-end database.
+
+Similarly, you may have one database that tracks "live" sessions, and
+another that tracks historical accounting data. In that case,
+accessing the first database is fast, as it is small. Accessing the
+second database many be slower, as it may contain multiple gigabytes
+of data. In addition, writing to the first database in a timely
+manner is important, while data may be written to the second database
+with a few minutes delay, without any harm being done.
+
+See raddb/sites-available/copy-to-home-server for more information.
+.SH SEE ALSO
+.BR radiusd(8),
+.BR rlm_sql_log(5)
+.SH AUTHOR
+The FreeRADIUS Server Project
diff --git a/man/man8/radsniff.8 b/man/man8/radsniff.8
new file mode 100644
index 0000000..24c0ee3
--- /dev/null
+++ b/man/man8/radsniff.8
@@ -0,0 +1,75 @@
+.TH RADSNIFF 8
+.SH NAME
+radsniff - dump radius protocol
+.SH SYNOPSIS
+.B radsniff
+.RB [ \-c
+.IR count ]
+.RB [ \-d
+.IR directory ]
+.RB [ \-F ]
+.RB [ \-f
+.IR filter ]
+.RB [ \-h ]
+.RB [ \-i
+.IR interface ]
+.RB [ \-I
+.IR filename ]
+.RB [ \-m ]
+.RB [ \-p
+.IR port ]
+.RB [ \-r
+.IR request filter]
+.RB [ \-R
+.IR response filter ]
+.RB [ \-s
+.IR secret ]
+.RB [ \-S ]
+.RB [ \-w
+.IR file ]
+.RB [ \-x ]
+
+.SH DESCRIPTION
+\fBradsniff\fP is a simple wrapper around libpcap. It can also print
+out the contents of RADIUS packets using the FreeRADIUS dictionaries.
+
+.SH OPTIONS
+
+.IP \-c\ \fIcount\fP
+Number of packets to capture.
+.IP \-d\ \fIdirectory\fP
+Directory where the dictionaries are found.
+.IP \-F
+Filter PCAP file from stdin to stdout.
+Output file will contain RADIUS packets.
+.IP \-f\ \fIfilter\fP
+PCAP filter. (default is udp port 1812 or 1813)
+.IP \-h
+Print usage help information.
+.IP \-i\ \fIinterface\fP
+Interface to capture.
+.IP \-I\ \fIfilename\fP
+Read packets from filename.
+.IP \-m
+Print packet headers only, not contents.
+.IP \-p\ \fIport\fP
+\tListen for packets on port.
+.IP \-r\ \fIattribute-filter\fP
+RADIUS attribute request filter.
+.IP \-R\ \fIattribute-filter\fP
+RADIUS attribute response filter.
+.IP \-s\ \fIsecret\fP
+RADIUS secret.
+.IP \-S
+Sort attributes in the packet.
+Used to compare server results.
+.IP \-w\ \fIfile\fP
+Write output packets to file.
+.IP \-x
+Print out debugging information.
+
+
+.SH SEE ALSO
+radiusd(8),pcap(3)
+.SH AUTHORS
+Nicolas Baradakis <nicolas.baradakis@cegetel.net>
diff --git a/man/man8/radsqlrelay.8 b/man/man8/radsqlrelay.8
new file mode 100644
index 0000000..f161cc3
--- /dev/null
+++ b/man/man8/radsqlrelay.8
@@ -0,0 +1,90 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH RADSQLRELAY 8 "19 June 2005" "" "FreeRADIUS helper program"
+
+.SH NAME
+radsqlrelay - relay SQL queries to a central database server
+
+.SH SYNOPSIS
+.B radsqlrelay
+.RB [ \-? ]
+.RB [ \-d
+.IR sql_driver ]
+.RB [ \-b
+.IR database ]
+.RB [ \-f
+.IR file ]
+.RB [ \-h
+.IR host ]
+.RB [ \-u
+.IR user ]
+.RB [ \-P
+.IR port ]
+.RB [ \-p
+.IR password ]
+.RB [ \-1 ]
+.RB [ \-x ]
+\fIfile_path\fP
+
+.SH DESCRIPTION
+\fBradsqlrelay\fP tails a SQL \fIlogfile\fP and forwards the queries
+to a database server. Used to replicate accounting records to one
+(central) database, even if the database has extended downtime.
+.PP
+The SQL logfile is created by the \fBrlm_sql\fP module with the
+rlm_sql_null driver logging to disk.. The module must be configured in
+the \fBradiusd\fP server before you can use \fBradsqlrelay\fP.
+
+.SH OPTIONS
+.IP "\-?"
+Print usage help information.
+.IP "\-d \fIsql_driver\fP"
+Driver to use: mysql, pg, oracle.
+.IP "\-b \fIdatabase\fP"
+Name of the database to use.
+.IP "\-f \fIfile\fP"
+Read password from file, instead of command line.
+.IP "\-h \fIhost\fP"
+Connect to host.
+.IP "\-u \fIuser\fP"
+User for login.
+.IP "\-P \fIport\fP"
+Port number to use for connection.
+.IP "\-p \fIpassword\fP"
+Password to use when connecting to server.
+.IP "\-1"
+One-shot mode: push the file to database and exit.
+.IP "\-x"
+Turn on debugging.
+.IP "file_path"
+The pathname of the SQL logfile to use.
+
+.SH NOTES
+.SS Oracle driver
+The command "radsqlrelay \-d oracle \-b db.domain.tld sql-relay" reads the
+database description stored in $TNS_ADMIN/tnsnames.ora:
+.PP
+.DS
+db.domain.tld =
+ (DESCRIPTION =
+ (ADDRESS_LIST =
+ (ADDRESS = (PROTOCOL = TCP)(HOST = db.domain.tld)(PORT = 1521))
+ )
+ (CONNECT_DATA =
+ (SERVICE_NAME = <DB SID>)
+ )
+ )
+.DE
+
+.SH AUTHOR
+Nicolas Baradakis <nicolas.baradakis@cegetel.net>
diff --git a/man/man8/rlm_sqlippool_tool.8 b/man/man8/rlm_sqlippool_tool.8
new file mode 100644
index 0000000..a7dfbb7
--- /dev/null
+++ b/man/man8/rlm_sqlippool_tool.8
@@ -0,0 +1,157 @@
+.TH RLM_SQLIPPOOL_TOOL 8
+.SH NAME
+rlm_sqlippool_tool - manage SQL IP pools
+.SH SYNOPSIS
+.B rlm_sqlippool_tool
+.RB \-p
+.IR pool_name
+.RB \-s
+.IR range_start
+.RB \-e
+.IR range_end
+.RB \-t
+.IR table_name
+.RB \-d
+.OR dialect
+.RB \-f
+.IR raddb_dir
+.RB \-i
+.IR instance
+.RB [ \-c
+.IR capacity ]
+.RB [ \-x
+.IR existing_ips_file ]
+
+.B rlm_sqlippool_tool
+.RB \-y
+.IR pool_defs_yaml_file
+.RB \-t
+.IR table_name
+.RB \-d
+.OR dialect
+.RB \-f
+.IR raddb_dir
+.RB \-i
+.IR instance
+.RB [ \-x
+.IR existing_ips_file ]
+
+.SH DESCRIPTION
+\fBrlm_sqlippool_tool\fP is a tool to manage IP address in SQL IP
+pools as used by FreeRADIUS. It will either output SQL that can
+be used to manipulate the database or will interact directly with
+a database to populate an IP pool table.
+
+The format of the SQL output or the commands operated on the database
+are based on the default FreeRADIUS ippool schemas. The fields
+populated are \fIpool_name\fP and \fIframedipaddress\fP. All other
+fields are left to be populated with their database defaults.
+
+.SH OPTIONS
+
+.IP \-c\ \fIcapacity\fP
+Number of IP addreses to populate the pool with. Defaults to 65536,
+or the maximum number that can be provisioned between the start and
+end of the range.
+.IP \-d\ \fIdialect\fP
+SQL dialect to use in producing the output.
+.IP \-e\ \fIrange_end\fP
+End IP address in the pool range. Either IPv4 or IPv6 addresses are
+allowed.
+.IP \-f\ \fIraddb_dir\fP
+Directory containing the FreeRADIUS configuration. If this option
+is specified, then \fBrlm_sqlippool_tool\fP will parse the configuration
+and attempt to talk directly to the database server specified in
+the FreeRADIUS configuration.
+.IP \-i\ \fIinstance\fP
+Used in conjuction with -f. Specifies the name of the sql module
+instance to parse in the FreeRADIUS configuration. Defaults to \fIsql\fP.
+.IP \-p\ \fIpool_name\fP
+The pool name to populate.
+.IP \-s\ \fIrange_start\fP
+Start IP address in the pool range. Either IPv4 or IPv6 addresses
+are allowed.
+.IP \-t\ \fItable_name\fP
+Name of the table in the database to populate.
+.IP \-x\ \fIexisting_ips_file\fP
+A file containing exsiting IP addresses in the pool. Use of this allows
+for more controlled growth of a sparesly populated pool.
+.IP \-y\ \fIpool_defs_yaml_file\fP
+A YAML formatted file containing specifications for a number of pools.
+
+.SH EXAMPLES
+To produce MySQL formatted SQL for a pool named \fIlocal\fP populated with
+addresses from 10.0.0.1 to 10.0.0.199:
+.PP
+.nf
+.RS
+$ rlm_sqlippool_tool -p local -s 10.0.0.1 -e 10.0.0.199 \\
+ -t dhcpippool -d mysql
+.RE
+.fi
+.PP
+To do the same but directly interacting with the SQL module configured
+in the FreeRADIUS configuration under \fI/etc/raddb\fP:
+.PP
+.nf
+.RS
+$ rlm_sqlippool_tool -p local -s 10.0.0.1 -e 10.0.0.199 \\
+ -t dhcpippool -f /etc/raddb
+.RE
+.fi
+.PP
+To use a YAML file to specify the pool ranges to be populated, outputting
+PostgreSQL formatted SQL:
+.PP
+.nf
+.RS
+$ rlm_sqlippool_tool -y pools.yaml -t dhcpippool -d postgresql
+.RE
+.fi
+.PP
+
+.SH YAML FORMAT
+
+A YAML file to populate multiple pools should be formatted like this:
+.PP
+.nf
+.RS
+pool_with_a_single_contiguous_range:
+ - start: 192.0.2.3
+ end: 192.0.2.250
+
+pool_with_a_single_sparse_range:
+ - start: 10.10.10.0
+ end: 10.10.20.255
+ capacity: 200
+
+pool_with_multiple_ranges:
+ - start: 10.10.10.1
+ end: 10.10.10.253
+ - start: 10.10.100.0
+ end: 10.10.199.255
+ capacity: 1000
+
+v6_pool_with_contiguous_range:
+ - start: '2001:db8:1:2:3:4:5:10'
+ end: '2001:db8:1:2:3:4:5:7f'
+
+v6_pool_with_sparse_range:
+ - start: '2001:db8:1:2::'
+ end: '2001:db8:1:2:ffff:ffff:ffff:ffff'
+ capacity: 200
+.RE
+.ni
+.PP
+
+.SH PREREQUISITES
+
+To output formatted SQL, the Perl Template::Toolkit module is required.
+
+Direct connection to databases is done using Perl DBI. The appropriate
+Perl DBD driver needs to be installed to enable this functionality.
+
+.SH SEE ALSO
+radiusd.conf(5), raddb/mods-available/sql
+.SH AUTHORS
+Nick Porter <nick@portercomputing.co.uk>