Diffstat
-rw-r--r--  man/man8/radcrypt.8             45
-rw-r--r--  man/man8/raddebug.8            104
-rw-r--r--  man/man8/radiusd.8             235
-rw-r--r--  man/man8/radmin.8              188
-rw-r--r--  man/man8/radrelay.8             49
-rw-r--r--  man/man8/radsniff.8             75
-rw-r--r--  man/man8/radsqlrelay.8          90
-rw-r--r--  man/man8/rlm_sqlippool_tool.8  157
8 files changed, 943 insertions, 0 deletions
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8 new file mode 100644 index 0000000..08336c6 --- /dev/null +++ b/man/man8/radcrypt.8 @@ -0,0 +1,45 @@ +.TH RADCRYPT 8 +.SH NAME +radcrypt - generate password hash for use with radius, or validates a password hash +.SH SYNOPSIS +.B radcrypt +.RB [ \-d | --des ] +.RB [ \-m | --md5 ] +.RB [ \-c | --check ] +\fIplaintext_password\fP [\fIhashed_password\fP] +.SH DESCRIPTION +\fBradcrypt\fP generates a hashed digest of a plaintext password, or can +validate if a password hash matches a plaintext password. DES and MD5 +hashes are currently supported. When generating a password hash a random +salt is generated and applied. +.PP +A hashed password can be validated by specifying \fI-c\fP or \fI--check\fP and +passing \fIhashed_password\fP after \fIplaintext_password\fP on the command line. +In this case \fIhashed_password\fP will be checked to see if it matches +\fIplaintext_password\fP. If so "Password OK" will be printed and the exit +status will be 1, otherwise "Password BAD" will be printed and exit status +will be 0 (Note this is the opposite of a normal successful shell status). + +.SH OPTIONS + +.IP "\-d --des" +Use a DES (Data Encryption Standard) hash (default). +Ignored if performing a password check. +.IP "\-m --md5" +Use a MD5 (Message Digest 5) hash. +Ignored if performing a password check. +.IP "\-c --check" +Perform a validation check on a password hash to verify if it matches +the plantext password. + +.SH EXAMPLES +.nf +$ radcrypt foobar +HaX0xn7Qy650Q +$ radcrypt \-c foobar HaX0xn7Qy650Q +Password OK +.fi +.SH SEE ALSO +radiusd(8), crypt(3) +.SH AUTHORS +Miquel van Smoorenburg <miquels@cistron-office.nl> diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8 new file mode 100644 index 0000000..6e27e24 --- /dev/null +++ b/man/man8/raddebug.8 
@@ -0,0 +1,104 @@ +.TH RADDEBUG 8 "1 September 2010" "" "FreeRADIUS Daemon" +.SH NAME +raddebug - Display debugging output from a running server. +.SH SYNOPSIS +.B raddebug +.RB [ \-c +.IR condition ] +.RB [ \-d +.IR config_directory ] +.RB [ \-D +.IR dictionary_directory ] +.RB [ \-n +.IR name ] +.RB [ \-i +.IR ipv4-address ] +.RB [ \-I +.IR ipv6-address ] +.RB [ \-f +.IR socket_file ] +.RB [ \-t +.IR timeout ] +.RB [ \-u +.IR user-name ] +.SH DESCRIPTION +\fBraddebug\fP is a shell script wrapper around \fBradmin\fP that +automates the process of obtaining debugging output from a running +server. It does this without impacting service availability, unlike +using \fBradiusd -X\fP. There are a number of prerequisites that are +required for its proper operation: +.PP +.in +0.3i +* \fBradmin\fP must be available in the PATH. +.br +* The user running \fBraddebug\fP must have permission to connect to + the server control socket. +.br +* The control socket must be configured. For instructions, see + raddb/sites-available/control-socket +.br +* The control socket must be marked as "mode = rw". +.br +* The user running \fBraddebug\fP must have permission to read and + write files in the "logdir" directory. This is usually + /var/log/radiusd. +.in -0.3i +.PP +For a number of reasons, the debugging output is placed in an +intermediate file, rather than being sent directly to standard output. +In order to prevent this file from growing too large, the +\fBraddebug\fP program is automatically terminated after 10 seconds. +This timeout can be changed via the "-t" parameter. +.PP +When the script exits, debug mode in the server is disabled, and the +intermediate file is deleted. +.PP +Debug output from a live server can be redirected to only one +location. If a second instance of \fIraddebug\fP is started while the +first one is still running, the later one will over-ride the first +one, and the first will stop producing output. 
+.SH OPTIONS + +.IP \-c\ \fIcondition\fP +Set a specific debug condition. The format of the condition is as +specified in the CONDITIONS section of the \fIunlang\fP manual page. +.IP \-f\ \fIsocket_file\fP +The path to the control socket. See the \fIradmin\fP manual page for +more description of this option. +.IP \-i\ \fIipv4-address\fP +Show debug output for the client having the given IPv4 address. This +option is equivalent to using: +.br +.in +0.3i +-c '(Packet-Src-IP-Address == ipv4-address)' +.in -0.3i +.IP "\-d \fIconfig directory\fP" +The radius configuration directory, usually /etc/raddb. See the +\fIradmin\fP manual page for more description of this option. +.IP "\-D \fIdictionary directory\fP" +Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP. +.IP "\-n \fImname\fP" +Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP. +.IP \-I\ \fIipv6-address\fP +Show debug output for the client having the given IPv6 address. This +option is equivalent to using: +.br +.in +0.3i +-c '(Packet-Src-IPv6-Address == ipv6-address)' +.in -0.3i +.IP \-t\ \fItimeout\fP +Stop printing debug output after "timeout" seconds. The default +timeout is sixty (60) seconds. Use "-t 0" to print debugging output forever, +or until the script exits. +.IP \-u\ \fIname\fP +Show debug output for users having the given name. This +option is equivalent to using: +.br +.in +0.3i +-c '(User-Name == name)' +.in -0.3i + +.SH SEE ALSO +radmin(8), raddb/sites-available/control-socket, unlang(5), radiusd.conf(5) +.SH AUTHORS +Alan DeKok <aland@freeradius.org> diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8 new file mode 100644 index 0000000..74da13b --- /dev/null +++ b/man/man8/radiusd.8 
@@ -0,0 +1,235 @@ +.TH RADIUSD 8 "26 Apr 2012" "" "FreeRADIUS Daemon" +.SH NAME +radiusd - Authentication, Authorization and Accounting server +.SH SYNOPSIS +.B radiusd +.RB [ \-C ] +.RB [ \-d +.IR config_directory ] +.RB [ \-D +.IR dictionary_directory ] +.RB [ \-f ] +.RB [ \-h ] +.RB [ \-i +.IR ip-address ] +.RB [ \-l +.IR log_file ] +.RB [ \-m ] +.RB [ \-n +.IR name ] +.RB [ \-p +.IR port ] +.RB [ \-P ] +.RB [ \-s ] +.RB [ \-t ] +.RB [ \-v ] +.RB [ \-x ] +.RB [ \-X ] +.SH DESCRIPTION +FreeRADIUS is a high-performance and highly configurable RADIUS +server. It supports many database back-ends such as flat-text files, +SQL, LDAP, Perl, Python, etc. It also supports many authentication +protocols such as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP +(EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM, etc.). + +It also has full support for Cisco's VLAN Query Protocol (VMPS) and +DHCP. + +Please read the DEBUGGING section below. It contains instructions +for quickly configuring the server for your local system. +.SH OPTIONS +The following command-line options are accepted by the server: +.IP \-C +Check the configuration and exit immediately. If there is a problem +reading the configuration, then the server will exit with a non-zero +status code. If the configuration appears to be acceptable, then the +server will exit with a zero status code. + +Note that there are limitations to this check. Due to the +complexities involved in \fIalmost\fP starting a RADIUS server, these +checks are necessarily incomplete. The server can return a zero +status code when run with \-C, but may still exit with an error when +run normally. + +See the output of +.B "radiusd \-XC" +for an informative list of which modules are checked for correct +configuration, and which modules are skipped, and therefore not checked. +.IP "\-d \fIconfig directory\fP" +Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration +files such as the \fIdictionary\fP and the \fIusers\fP files. 
+.IP "\-D \fIdictionary directory\fP" +Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP. +.IP \-f +Do not fork, stay running as a foreground process. +.IP \-h +Print usage help information. +.IP "\-i \fIip-address\fP" +Defines which IP address that the server uses for sending and +receiving packets. + +If this command-line option is given, then the "bind_address" and all +"listen{}" entries in \fIradiusd.conf\fP are ignored. + +This option MUST be used in conjunction with "-p". +.IP "\-l \fIlog_file\fP" +Defaults to \fI${logdir}/radius.log\fP. \fBRadiusd\fP writes it's logging +information to this file. If log_file is the string "stdout" logging will +be written to stdout. +.IP \-m +On SIGINT or SIGQUIT exit cleanly instead of immediately. +This is most useful for when running the server with "valgrind". +.IP "\-n \fIname\fP" +Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP. +.IP "\-p \fIport\fP" +Defines which port is used for receiving authentication packets. +Accounting packets are received on "port + 1". + +When this command-line option is given, all "listen" sections in +\fIradiusd.conf\fP are ignored. + +This option MUST be used in conjunction with "-i". +.IP "\-P +Always write out PID, even with -f. +.IP \-s +Run in "single server" mode. The server normally runs with multiple +threads and/or processes, which can lower its response time to +requests. Some systems have issues with threading, however, so +running in "single server" mode may help to address those issues. In +single server mode, the server will also not "daemonize" +(auto-background) itself. +.IP \-t +Do not spawn threads. +.IP \-v +Print server version information and exit. +.IP \-X +Debugging mode. Equivalent to "\-sfxx \-l stdout". When trying to +understand how the server works, ALWAYS run it with "radiusd \-X". +For production servers, use "raddebug" +.IP \-x +Finer-grained debug mode. 
In this mode the server will print details +of every request on it's \fBstdout\fP output. You can specify this +option multiple times (\-x \-x or \-xx) to get more detailed output. +.SH DEBUGGING +The default configuration is set to work in the widest possible +circumstances. It requires minimal changes for your system. + +However, your needs may be complex, and may require significant +changes to the server configuration. Making random changes is a +guaranteed method of failure. Instead, we STRONGLY RECOMMEND +proceeding via the following steps: +.PP +1) Always run the server in debugging mode ( +.B radiusd \-X +) after making a configuration change. We cannot emphasize this +enough. If you are not running the server in debugging mode, you +\fIwill not\fP be able to see what is doing, and you \fIwill not\fP be +able to correct any problems. + +If you ask questions on the mailing list, the first response will be +to tell you "run the server in debugging mode". Please, follow these +instructions. +.PP +2) Change as little as possible in the default configuration files. +The server contains a decade of experience with protocols, databases, +and different systems. Its default configuration is designed to work +almost everywhere, and to do almost everything you need. +.PP +3) When you make a small change, testing it before changing anything +else. If the change works, save a copy of the configuration, and make +another change. If the change doesn't work, debug it, and try to +understand why it doesn't work. +.PP +If you begin by making large changes to the server configuration, it +will never work, and you will never be able to debug the problem. +.PP +4) If you need to add a connection to a database FOO (e.g. LDAP or +SQL), then: +.PP +.in +0.3i +a) Edit raddb/modules/foo +.br +This file contains the default configuration for the module. It +contains comments describing what can be configured, and what those +configuration entries mean. 
+.br +.br +b) Edit raddb/sites-available/default +.br +This file contains the default policy for the server. e.g. "enable +CHAP, MS-CHAP, and EAP authentication". Look in this file for all +references to your module "foo". Read the comments, and remove the +leading hash '#' from the lines referencing the module. This enables +the module. +.br +.br +c) Edit raddb/sites-available/inner-tunnel +.br +This file contains the default policy for the "tunneled" portion of +certain EAP methods. Perform the same kind of edits as above, for the +"default" file.. If you are not using EAP (802.1X), then this step +can be skipped. +.br +.br +d) Start the server in debugging mode ( +.B radiusd \-X +), and start testing. +.in -0.3i +.PP +5) Ask questions on the mailing list +(freeradius-users@lists.freeradius.org). When asking questions, +include the output from debugging mode ( +.B radiusd \-X +). This information will allow people to help you. If you do not +include it, the first response to your message will be "post the +output of debug mode". +.PP +Ask questions earlier, rather than later. If you cannot solve a +problem in a day, ask a question on the mailing list. Most questions +have been seen before, and can be answered quickly. +.SH BACKGROUND +\fBRADIUS\fP is a protocol spoken between an access server, typically +a device connected to several modems or ISDN lines, and a \fBradius\fP +server. When a user connects to the access server, (s)he is asked for +a loginname and a password. This information is then sent to the \fBradius\fP +server. The server replies with "access denied", or "access OK". In the +latter case login information is sent along, such as the IP address in +the case of a PPP connection. +.PP +The access server also sends login and logout records to the \fBradius\fP +server so accounting can be done. These records are kept for each terminal +server separately in a file called \fBdetail\fP, and in the \fIwtmp\fP +compatible logfile \fB/var/log/radwtmp\fP. 
+.SH CONFIGURATION +\fBRadiusd\fP uses a number of configuration files. Each file has it's +own manpage describing the format of the file. These files are: +.IP radiusd.conf +The main configuration file, which sets the administrator-controlled +items. +.IP dictionary +This file is usually static. It defines all the possible RADIUS attributes +used in the other configuration files. You don't have to modify it. +It includes other dictionary files in the same directory. +.IP hints +Defines certain hints to the radius server based on the users's loginname +or other attributes sent by the access server. It also provides for +mapping user names (such as Pusername -> username). This provides the +functionality that the \fILivingston 2.0\fP server has as "Prefix" and +"Suffix" support in the \fIusers\fP file, but is more general. Of course +the Livingston way of doing things is also supported, and you can even use +both at the same time (within certain limits). +.IP huntgroups +Defines the huntgroups that you have, and makes it possible to restrict +access to certain huntgroups to certain (groups of) users. +.IP users +Here the users are defined. On a typical setup, this file mainly contains +DEFAULT entries to process the different types of logins, based on hints +from the hints file. Authentication is then based on the contents of +the UNIX \fI/etc/passwd\fP file. However it is also possible to define all +users, and their passwords, in this file. +.SH SEE ALSO +radiusd.conf(5), users(5), huntgroups(5), hints(5), +dictionary(5), raddebug(8) +.SH AUTHOR +The FreeRADIUS Server Project (http://www.freeradius.org) + diff --git a/man/man8/radmin.8 b/man/man8/radmin.8 new file mode 100644 index 0000000..b58a2e3 --- /dev/null +++ b/man/man8/radmin.8 
@@ -0,0 +1,188 @@ +.TH RADMIN 8 "11 Mar 2019" "" "FreeRADIUS Server Administration Tool" +.SH NAME +radmin - FreeRADIUS Administration tool +.SH SYNOPSIS +.B radmin +.RB [ \-d +.IR config_directory ] +.RB [ \-D +.IR dictionary_directory ] +.RB [ \-e +.IR command ] +.RB [ \-E ] +.RB [ \-f +.IR socket_file ] +.RB [ \-h ] +.RB [ \-i +.IR input_file ] +.RB [ \-n +.IR name ] +.RB [ \-q ] +.SH DESCRIPTION +FreeRADIUS Server administration tool that connects to the control +socket of a running server, and gives a command-line interface to it. + +At this time, only a few commands are supported. Please type "help" +at the command prompt for detailed information about the supported +commands. +.SH WARNING +The security protections offered by this command are limited to the +permissions on the Unix domain socket, and the server +configuration. If someone can connect to the Unix domain socket, they +have a substantial amount of control over the server. +.SH OPTIONS +The following command-line options are accepted by the program. +.IP "\-d \fIconfig directory\fP" +Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server +configuration files to find the "listen" section that defines the +control socket filename. +.IP "\-D \fIdictionary directory\fP" +Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP. +.IP "\-e \fIcommand\fP" +Run \fIcommand\fP and exit. +.IP \-E +Echo commands as they are being executed. +.IP "\-f \fIsocket_file\fP" +Specify the socket filename directly. The radiusd.conf file is not read. +.IP \-h +Print usage help information. +.IP "\-i \fIinput_file\fP" +Reads input from the specified file. If not specified, stdin is used. +This also sets "-q". +.IP "\-n \fImname\fP" +Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP. +.IP \-q +Quiet mode. +.SH COMMANDS +The commands implemented by the command-line interface are almost +completely controlled by the server. 
There are a few commands +interpreted locally by radmin: +.IP reconnect +Reconnect to the server. +.IP quit +Exit from radmin. +.IP exit +Exit from radmin. +.PP +The other commands are implemented by the server. Type "help" at the +prompt for more information. +.SH EXAMPLES +.IP debug\ file\ /var/log/radius/bob.log +Set debug logs to /var/log/radius/bob.log. There is very little +checking of this filename. Rogue administrators may be able use this +command to over-write almost any file on the system. If those +administrators have write access to "radius.conf", they can do the +same thing without radmin, too. +.IP debug\ condition\ '(User-Name\ ==\ "bob")' +Enable debugging output for all requests that match the condition. +Any "unlang" condition is valid here. The condition is parsed as a +string, so it must be enclosed in single or double quotes. Strings +enclosed in double-quotes must have back-slashes and the quotation +marks escaped inside of the string. + +Only one debug condition can be active at a time. +.IP "debug condition '((User-Name == ""bob"") || (Packet-Src-IP-Address == 192.0.2.22))'" +A more complex condition that enables debugging output for requests +containing User-Name "bob", or requests that originate from source IP +address 192.0.2.22. +.IP debug\ condition +Disable debug conditionals. +.SH FULL LIST OF COMMANDS +.IP add\ <command> +do sub-command of add +.IP add\ client\ <command> +Add client configuration commands +.IP add\ client\ file\ <filename> +Add new client definition from <filename> +.IP debug\ <command> +debugging commands +.IP debug\ condition\ [condition] +Enable debugging for requests matching [condition] +.IP debug\ level\ <number> +Set debug level to <number>. Higher is more debugging. 
+.IP debug\ file\ [filename] +Send all debugging output to [filename] +.IP del\ <command> +do sub-command of del +.IP del\ client\ <command> +Delete client configuration commands +.IP del\ client\ ipaddr\ <ipaddr> +Delete a dynamically created client +.IP hup\ [module] +sends a HUP signal to the server, or optionally to one module +.IP inject\ <command> +commands to inject packets into a running server +.IP inject\ to\ <ipaddr>\ <port> +Inject packets to the destination IP and port. +.IP inject\ from\ <ipaddr> +Inject packets as if they came from <ipaddr> +.IP inject\ file\ <input-file>\ <output-file> +Inject packet from input-file>, with results sent to <output-file> +.IP reconnect +reconnect to a running server +.IP terminate +terminates the server, and cause it to exit +.IP set\ <command> +do sub-command of set +.IP set\ module\ <command> +set module commands +.IP set\ module\ config\ <module>\ variable\ value +set configuration for <module> +.IP set\ module\ status\ [alive|dead] +set the module to be alive or dead (always return "fail") +.IP set\ home_server\ <command> +set home server commands +.IP set\ home_server\ state\ <ipaddr>\ <port>\ [alive|dead] +set state for given home server +.IP show\ <command> +do sub-command of show +.IP show\ client\ <command> +do sub-command of client +.IP show\ client\ config\ <ipaddr>\ [udp|tcp] +shows configuration for a given client. +.IP show\ client\ list +shows list of global clients +.IP show\ debug\ <command> +show debug properties +.IP show\ debug\ condition +Shows current debugging condition. +.IP show\ debug\ level +Shows current debugging level. +.IP show\ debug\ file +Shows current debugging file. 
+.IP show\ home_server\ <command> +do sub-command of home_server +.IP show\ home_server\ config\ <ipaddr>\ <port> +show configuration for given home server +.IP show\ home_server\ list +shows list of home servers +.IP show\ home_server\ state\ <ipaddr>\ <port> +shows state of given home server +.IP show\ module\ <command> +do sub-command of module +.IP show\ module\ config\ <module> +show configuration for given module +.IP show\ module\ flags\ <module> +show other module properties +.IP show\ module\ list +shows list of loaded modules +.IP show\ module\ methods\ <module> +show sections where <module> may be used +.IP show\ uptime +shows time at which server started +.IP show\ version +Prints version of the running server +.IP show\ xml\ <reference> +Prints out configuration as XML +.IP stats\ <command> +do sub-command of stats +.IP stats\ client\ [auth/acct]\ <ipaddr> +show statistics for given client, or for all clients (auth or acct) +.IP stats\ home_server\ [<ipaddr>|auth|acct]\ <port> +show statistics for given home server (ipaddr and port), or for all home servers (auth or acct) +.IP stats\ detail\ <filename> +show statistics for the given detail file +.SH SEE ALSO +unlang(5), radiusd.conf(5), raddb/sites-available/control-socket +.SH AUTHOR +Alan DeKok <aland@freeradius.org> diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8 new file mode 100644 index 0000000..99e6573 --- /dev/null +++ b/man/man8/radrelay.8 
@@ -0,0 +1,49 @@ +.TH RADRELAY 8 "23 October 2007" "" "FreeRADIUS Daemon" +.SH NAME +radrelay -- Deprecated command. +.SH DESCRIPTION +The functions of \fIradrelay\fP have been added to \fIradiusd\fP. One +benefit is that one instance of \fIradiusd\fP can read multiple detail +files, among others. +.PP +The \fIrlm_sql_log\fP module does something similar, but for SQL +queries. See it's man page for details. +.SH "REPLICATION FOR BACKUPS" +Many sites run multiple radius servers; at least one primary and one +backup server. When the primary goes down, most NASes detect that and +switch to the backup server. + +That will cause your accounting packets to go to the backup server - +and some NASes don't even switch back to the primary server when it +comes back up. + +The result is that accounting records are missed, and/or the +administrator must jump through hoops in order to combine the +different detail files from multiple servers. It also means that the +session database ("radutmp", used for radwho and simultaneous use +detection) gets out of sync. + +We solve this issue by "relaying" packets from one server to +another, so they both have the same set of accounting data. + +See raddb/sites-available/buffered-sql for more information. +.SH "BUFFERING FOR HIGH-LOAD SERVERS" +If the RADIUS server suddenly receives a many accounting packets, +there may be insufficient CPU power to process them all in a timely +manner. This problem is especially noticeable when the accounting +packets are going to a back-end database. + +Similarly, you may have one database that tracks "live" sessions, and +another that tracks historical accounting data. In that case, +accessing the first database is fast, as it is small. Accessing the +second database many be slower, as it may contain multiple gigabytes +of data. 
In addition, writing to the first database in a timely +manner is important, while data may be written to the second database +with a few minutes delay, without any harm being done. + +See raddb/sites-available/copy-to-home-server for more information. +.SH SEE ALSO +.BR radiusd(8), +.BR rlm_sql_log(5) +.SH AUTHOR +The FreeRADIUS Server Project diff --git a/man/man8/radsniff.8 b/man/man8/radsniff.8 new file mode 100644 index 0000000..24c0ee3 --- /dev/null +++ b/man/man8/radsniff.8 
@@ -0,0 +1,75 @@ +.TH RADSNIFF 8 +.SH NAME +radsniff - dump radius protocol +.SH SYNOPSIS +.B radsniff +.RB [ \-c +.IR count ] +.RB [ \-d +.IR directory ] +.RB [ \-F ] +.RB [ \-f +.IR filter ] +.RB [ \-h ] +.RB [ \-i +.IR interface ] +.RB [ \-I +.IR filename ] +.RB [ \-m ] +.RB [ \-p +.IR port ] +.RB [ \-r +.IR request filter] +.RB [ \-R +.IR response filter ] +.RB [ \-s +.IR secret ] +.RB [ \-S ] +.RB [ \-w +.IR file ] +.RB [ \-x ] + +.SH DESCRIPTION +\fBradsniff\fP is a simple wrapper around libpcap. It can also print +out the contents of RADIUS packets using the FreeRADIUS dictionaries. + +.SH OPTIONS + +.IP \-c\ \fIcount\fP +Number of packets to capture. +.IP \-d\ \fIdirectory\fP +Directory where the dictionaries are found. +.IP \-F +Filter PCAP file from stdin to stdout. +Output file will contain RADIUS packets. +.IP \-f\ \fIfilter\fP +PCAP filter. (default is udp port 1812 or 1813) +.IP \-h +Print usage help information. +.IP \-i\ \fIinterface\fP +Interface to capture. +.IP \-I\ \fIfilename\fP +Read packets from filename. +.IP \-m +Print packet headers only, not contents. +.IP \-p\ \fIport\fP +\tListen for packets on port. +.IP \-r\ \fIattribute-filter\fP +RADIUS attribute request filter. +.IP \-R\ \fIattribute-filter\fP +RADIUS attribute response filter. +.IP \-s\ \fIsecret\fP +RADIUS secret. +.IP \-S +Sort attributes in the packet. +Used to compare server results. +.IP \-w\ \fIfile\fP +Write output packets to file. +.IP \-x +Print out debugging information. + + +.SH SEE ALSO +radiusd(8),pcap(3) +.SH AUTHORS +Nicolas Baradakis <nicolas.baradakis@cegetel.net> diff --git a/man/man8/radsqlrelay.8 b/man/man8/radsqlrelay.8 new file mode 100644 index 0000000..f161cc3 --- /dev/null +++ b/man/man8/radsqlrelay.8 
@@ -0,0 +1,90 @@ +.\" # DS - begin display +.de DS +.RS +.nf +.sp +.. +.\" # DE - end display +.de DE +.fi +.RE +.sp +.. +.TH RADSQLRELAY 8 "19 June 2005" "" "FreeRADIUS helper program" + +.SH NAME +radsqlrelay - relay SQL queries to a central database server + +.SH SYNOPSIS +.B radsqlrelay +.RB [ \-? ] +.RB [ \-d +.IR sql_driver ] +.RB [ \-b +.IR database ] +.RB [ \-f +.IR file ] +.RB [ \-h +.IR host ] +.RB [ \-u +.IR user ] +.RB [ \-P +.IR port ] +.RB [ \-p +.IR password ] +.RB [ \-1 ] +.RB [ \-x ] +\fIfile_path\fP + +.SH DESCRIPTION +\fBradsqlrelay\fP tails a SQL \fIlogfile\fP and forwards the queries +to a database server. Used to replicate accounting records to one +(central) database, even if the database has extended downtime. +.PP +The SQL logfile is created by the \fBrlm_sql\fP module with the +rlm_sql_null driver logging to disk.. The module must be configured in +the \fBradiusd\fP server before you can use \fBradsqlrelay\fP. + +.SH OPTIONS +.IP "\-?" +Print usage help information. +.IP "\-d \fIsql_driver\fP" +Driver to use: mysql, pg, oracle. +.IP "\-b \fIdatabase\fP" +Name of the database to use. +.IP "\-f \fIfile\fP" +Read password from file, instead of command line. +.IP "\-h \fIhost\fP" +Connect to host. +.IP "\-u \fIuser\fP" +User for login. +.IP "\-P \fIport\fP" +Port number to use for connection. +.IP "\-p \fIpassword\fP" +Password to use when connecting to server. +.IP "\-1" +One-shot mode: push the file to database and exit. +.IP "\-x" +Turn on debugging. +.IP "file_path" +The pathname of the SQL logfile to use. + +.SH NOTES +.SS Oracle driver +The command "radsqlrelay \-d oracle \-b db.domain.tld sql-relay" reads the +database description stored in $TNS_ADMIN/tnsnames.ora: +.PP +.DS +db.domain.tld = + (DESCRIPTION = + (ADDRESS_LIST = + (ADDRESS = (PROTOCOL = TCP)(HOST = db.domain.tld)(PORT = 1521)) + ) + (CONNECT_DATA = + (SERVICE_NAME = <DB SID>) + ) + ) +.DE + +.SH AUTHOR +Nicolas Baradakis <nicolas.baradakis@cegetel.net> 
diff --git a/man/man8/rlm_sqlippool_tool.8 b/man/man8/rlm_sqlippool_tool.8 new file mode 100644 index 0000000..a7dfbb7 --- /dev/null +++ b/man/man8/rlm_sqlippool_tool.8 
@@ -0,0 +1,157 @@ +.TH RLM_SQLIPPOOL_TOOL 8 +.SH NAME +rlm_sqlippool_tool - manage SQL IP pools +.SH SYNOPSIS +.B rlm_sqlippool_tool +.RB \-p +.IR pool_name +.RB \-s +.IR range_start +.RB \-e +.IR range_end +.RB \-t +.IR table_name +.RB \-d +.OR dialect +.RB \-f +.IR raddb_dir +.RB \-i +.IR instance +.RB [ \-c +.IR capacity ] +.RB [ \-x +.IR existing_ips_file ] + +.B rlm_sqlippool_tool +.RB \-y +.IR pool_defs_yaml_file +.RB \-t +.IR table_name +.RB \-d +.OR dialect +.RB \-f +.IR raddb_dir +.RB \-i +.IR instance +.RB [ \-x +.IR existing_ips_file ] + +.SH DESCRIPTION +\fBrlm_sqlippool_tool\fP is a tool to manage IP address in SQL IP +pools as used by FreeRADIUS. It will either output SQL that can +be used to manipulate the database or will interact directly with +a database to populate an IP pool table. + +The format of the SQL output or the commands operated on the database +are based on the default FreeRADIUS ippool schemas. The fields +populated are \fIpool_name\fP and \fIframedipaddress\fP. All other +fields are left to be populated with their database defaults. + +.SH OPTIONS + +.IP \-c\ \fIcapacity\fP +Number of IP addreses to populate the pool with. Defaults to 65536, +or the maximum number that can be provisioned between the start and +end of the range. +.IP \-d\ \fIdialect\fP +SQL dialect to use in producing the output. +.IP \-e\ \fIrange_end\fP +End IP address in the pool range. Either IPv4 or IPv6 addresses are +allowed. +.IP \-f\ \fIraddb_dir\fP +Directory containing the FreeRADIUS configuration. If this option +is specified, then \fBrlm_sqlippool_tool\fP will parse the configuration +and attempt to talk directly to the database server specified in +the FreeRADIUS configuration. +.IP \-i\ \fIinstance\fP +Used in conjuction with -f. Specifies the name of the sql module +instance to parse in the FreeRADIUS configuration. Defaults to \fIsql\fP. +.IP \-p\ \fIpool_name\fP +The pool name to populate. 
+.IP \-s\ \fIrange_start\fP +Start IP address in the pool range. Either IPv4 or IPv6 addresses +are allowed. +.IP \-t\ \fItable_name\fP +Name of the table in the database to populate. +.IP \-x\ \fIexisting_ips_file\fP +A file containing exsiting IP addresses in the pool. Use of this allows +for more controlled growth of a sparesly populated pool. +.IP \-y\ \fIpool_defs_yaml_file\fP +A YAML formatted file containing specifications for a number of pools. + +.SH EXAMPLES +To produce MySQL formatted SQL for a pool named \fIlocal\fP populated with +addresses from 10.0.0.1 to 10.0.0.199: +.PP +.nf +.RS +$ rlm_sqlippool_tool -p local -s 10.0.0.1 -e 10.0.0.199 \\ + -t dhcpippool -d mysql +.RE +.fi +.PP +To do the same but directly interacting with the SQL module configured +in the FreeRADIUS configuration under \fI/etc/raddb\fP: +.PP +.nf +.RS +$ rlm_sqlippool_tool -p local -s 10.0.0.1 -e 10.0.0.199 \\ + -t dhcpippool -f /etc/raddb +.RE +.fi +.PP +To use a YAML file to specify the pool ranges to be populated, outputting +PostgreSQL formatted SQL: +.PP +.nf +.RS +$ rlm_sqlippool_tool -y pools.yaml -t dhcpippool -d postgresql +.RE +.fi +.PP + +.SH YAML FORMAT + +A YAML file to populate multiple pools should be formatted like this: +.PP +.nf +.RS +pool_with_a_single_contiguous_range: + - start: 192.0.2.3 + end: 192.0.2.250 + +pool_with_a_single_sparse_range: + - start: 10.10.10.0 + end: 10.10.20.255 + capacity: 200 + +pool_with_multiple_ranges: + - start: 10.10.10.1 + end: 10.10.10.253 + - start: 10.10.100.0 + end: 10.10.199.255 + capacity: 1000 + +v6_pool_with_contiguous_range: + - start: '2001:db8:1:2:3:4:5:10' + end: '2001:db8:1:2:3:4:5:7f' + +v6_pool_with_sparse_range: + - start: '2001:db8:1:2::' + end: '2001:db8:1:2:ffff:ffff:ffff:ffff' + capacity: 200 +.RE +.ni +.PP + +.SH PREREQUISITES + +To output formatted SQL, the Perl Template::Toolkit module is required. + +Direct connection to databases is done using Perl DBI. 
The appropriate +Perl DBD driver needs to be installed to enable this functionality. + +.SH SEE ALSO +radiusd.conf(5), raddb/mods-available/sql +.SH AUTHORS +Nick Porter <nick@portercomputing.co.uk> |