| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radwho Radwho displays the list of users currently logged in by the
Radius server.
Default output information is made compatible with that of the standard
UNIX finger(1) utility. For each user the following information is
displayed: login name, name, connection protocol, NAS port, login date,
NAS name, assigned IP or corresponding network name.
When used with ‘-l’ option, the long output format is used. In this format the following information is output:
Login name of the user
Unique session ID assigned by the terminal server.
Connection prototype.
Port number
Login date and time
Name of the NAS that accepted the connection.
Framed IP or the corresponding network name.
Caller station ID ad reported by the NAS.
Duration of the session.
11.1.1 radwho Command Line Options | Command line options. | |
11.1.2 radwho Format Strings | ||
11.1.3 radwho Predefined Formats |
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radwho Command Line Options The following command line options can be used to modify the behavior of the program:
Display the information about logged-out users as well. The logged-out users are shown with ‘Proto’ field set to HUP.
Display the calling station ID in the second column. Equivalent to ‘--format clid’.
Set the Radius configuration directory name.
Set the date representation. Th fmt is usual strftime(3)
format string. It defaults to %a %H:%M, i.e. the abbreviated weekday
name according to the current locale, and the hour and the minutes as two-digit
decimal numbers.
Display any empty field as STRING. This is useful when the output of
radwho is fed to some analyzing program, as it helps to keep
the same number of columns on each line of output.
Start in fingerd mode. In this mode radwho emulates the
behavior of the fingerd(8) utility. Use this option if starting
radwho from the ‘/etc/inetd.conf’ line like this (5):
finger stream tcp nowait nobody /usr/sbin/radwho radwho -fL |
This mode is also enabled by default if radwho notices that its
name (argv[0]) is ‘fingerd’ or ‘in.fingerd’.
Don't display header line.
Display session ID instead of GECOS in the second column. Equivalent to ‘--format sid’.
Display hostnames without domain part.
Display information about local users from the system ‘utmp’ file.
May prove useful when running radwho as a finger daemon.
Do not resolve IP.
Select customized output format. This can also be changed by setting
the value of environment variable RADWHO_FORMAT. The format
is either a symbolic name of one of the predefined formats or a format
specification (see next subsection).
Run in secure mode. Queries without a user name are rejected.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radwho Format Strings A format string controls the output of every record from ‘radutmp’. It contains two types of objects: ordinary characters, which are simply copied to the output, and format specifications, each of which causes output of a particular piece of information from the ‘radutmp’ record.
Each format specification starts with an opening brace and ends with a closing brace. The first word after the brace is the name of the format specification. The rest of words are positional arguments followed by keyword arguments. Both are optional. The keyword arguments begin with a colon and must follow the positional arguments.
The full list of format specifications follows.
Causes the newline character to be output. If the optional count is supplied, that many newlines will be printed
Advance to the next tabstop in the output stream. If optional num is present, then skip num tabstops. Each tabstop is eight characters long.
The following specifications output particular fields of a ‘radutmp’ record. They all take two positional arguments: width and title.
The first argument, width sets the maximum output
length for this specification. If the number of characters actually output
is less than the width, they will be padded with whitespace either to
the left or to the right, depending on the presence of the :right
keyword argument. If the number of characters is greater than width, they
will be truncated to fit. If width is
not given, the exact data are output as is.
The second argument, title, gives the title of this column for the heading line. By default no title is output.
Every field specification accepts at least two keyword arguments.
The keyword :right may be used to request alignment to the right
for the data. This keyword is ignored if width is not given.
The keyword :empty followed by a string causes radwho
to output that string if the resulting value for this specification
would otherwise be empty.
Print the user login name.
Print original login name as supplied with the request.
The GECOS field from the local ‘/etc/passwd’ corresponding to the login name. If the user does not have a local account, his login name is output.
NAS port number
The session ID.
The NAS name or IP.
The :nodomain keyword suppresses the output of the domain part of
the name, i.e., the hostname is displayed only up to the first dot.
Framed IP assigned to the user, if any.
The :nodomain keyword suppresses the output of the domain part of
the name, i.e. the hostname is displayed only up to the first dot.
Connection protocol as reported by Framed-Protocol attribute.
If the symbolic value is found in the dictionary file, it will be
displayed. Otherwise, the numeric value will be displayed as is.
Date and time when the session started.
The :format keyword introduces the strftime format string
to be used when converting the date for printing. The default value is
%a %H:%M.
Total time of the session duration.
Delay time (see section Acct-Delay-Time).
Port type as reported by the value of the NAS-Port-Type attribute.
If the symbolic value is found in the dictionary file, it will be
displayed. Otherwise, the numeric value will be displayed as is.
The calling station ID.
If the request was forwarded to a realm server, print the symbolic name
of the realm from the ‘raddb/realms’ file. If no symbolic name
is found, print the remote server IP or hostname. In the latter case,
the :nodomain keyword may be used to suppress the output of the
domain part of the name, i.e. to display the hostname only up to the
first dot.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radwho Predefined Formats The predefined formats are:
Default output format. Each record occupies one line. The fields output are: login name, GECOS name, connection protocol, port number, time when the connection was initiated, NAS IP, and assigned framed IP. This corresponds to the following format specification (split in several lines for readability:
(login 10 Login) (gecos 17 Name) \ (protocol 5 Proto) (nas-port 5 TTY) \ (time 9 When) (nas-address 9 From) \ (framed-address 16 Location) |
The same as ‘default’, except that the session ID is output in the second column.
The same as ‘default’, except that the calling station ID is output in the second column.
Outputs all information from each ‘radutmp’ record. It is equivalent to specifying the following format string:
(login 32 Login) (session-id 32 SID) \ (protocol 5 Proto) (nas-port 5 Port) \ (time 27 Date) (nas-address 32 NAS) \ (clid 17 CLID) (duration 7 Duration) \ (framed-address 16 Location) (realm 16 Realm) |
Each ‘radutmp’ record is represented as a table. It is equivalent to specifying the following format string:
User: (login)(newline)\ In real life: (gecos)(newline)\ Logged in: (time)(newline)\ NAS: (nas-address)(newline)\ Port: (nas-port)(newline)\ CLID: (clid)(newline)\ Protocol: (protocol)(newline)\ Session ID: (session-id)(newline)\ Uptime: (duration)(newline)\ Assigned IP: (framed-address)(newline)\ Realm: (realm)(newline)" |
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radlast The radlast utility lists sessions of specified users, NASes,
NAS ports, and hosts, in reverse time order. By default, each line of output
contains the login name, the NAS short name and port number from where the
session was conducted, the host IP or name, the start and stop
times for the session, and the duration of the session. If the session
is still continuing, radlast will so indicate.
When the ‘-l’ option is specified, radlast produces long
output. It includes following fields:
11.2.1 radlast Command Line Options | Command line options. |
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radlast Command Line Options Use following command line options to control the behavior of the
radlast utility:
When given this option, radlast will output at most this many
lines of information.
Read the specified file instead of the default ‘/var/log/radwtmp’.
Report the logins from given host. Host can be either a name or a dotted-quad Internet address.
Report the logins from the given NAS.
Long output format. Report all the information stored in ‘radwtmp’ file.
Report the logins on a given port. The port may be specified either fully or
abbreviated, e.g. radlast -p S03 or radlast -p 3.
Report the duration of the login session in seconds instead of the default days, hours, and minutes.
The same as ‘-p’. This flag is provided for compatibility with
last(1).
Widen the duration field to show seconds as well as the default days, hours and minutes.
If multiple arguments are given, the logical OR operation between them is assumed, i.e., the information selected by each argument is printed. This, however, does not apply to the ‘-c’ option. That option is always combined with the rest of command line by logical AND.
The pseudo-user ‘~reboot’ logs in on every reboot of the network access server.
If radlast is interrupted, it indicates to what date the search
had progressed.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radzap radzap searches the Radius accounting database for matching login
records and closes them.
At least one of the options ‘-n’, ‘-p’, or the user name must be specified. If they are used in conjunction, they are taken as if joined by the logical AND operation.
radzap operates in two modes: silent and confirm. The silent
mode is enabled by default. When run in this mode, radzap deletes
every record that matches the search conditions given.
In confirm mode radzap will ask for a confirmation
before zapping each matching record. Any line beginning with a ‘y’
is taken as a positive response; any other line is taken as a negative
response.
The confirm mode is toggled by the command line option ‘-c’.
radzap [options] [username] |
Options are:
Enable confirm mode.
Specify alternate configuration directory. Default is ‘/usr/local/etc/raddb’.
Operate on file instead of the default ‘RADLOG/radutmp’.
Search the file ‘radutmp’ in the given directory.
This option is deprecated. It is currently retained for backward compatibility with previous versions.
Disable confirm mode.
Display a short help summary, and exit.
Specify NAS name to zap user from.
Specify the port number of the session to be zapped. The port number
can be specified either in its full form, e.g. radzap -p S02, or in
its short form, e.g. radzap -p 2.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radgrep This utility allows one to quickly look up the user in the Radius
accounting database, using a regular expression match.
radgrep scans the output of radwho utility and
outputs only the lines that match given regular expressions.
radgrep accepts two sets of options separated by ‘--’
(double hyphen). The first subset is passed as the command line to the
radwho utility. The second one is passed to grep.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radping This utility is a shell program that determines the user's
framed IP and runs ping on that address.
radping username radping -c calling-station-id |
The second way of invoking the program allows one to use the calling station ID to indicate the user.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radauth The radauth utility sends the Radius server an Access-Request
packet and displays the result it gets. If the server responds with
Access-Accept radauth can also send an
Accounting-Request thereby initiating user's session.
The utility is a radtest program. See section Sample Radtest Program, for the detailed discussion of its internals.
radauth [options] [command] user-name [password] |
Options are:
Print verbose descriptions of what is being done.
Set NAS IP address
Set accounting session ID
Set NAS port number.
Valid commands are:
Send only Access-Request. This is the default.
Send Access-Request. If successfull, send
Accounting-Request with Acct-Status-Type = Start.
Send Accounting-Request with Acct-Status-Type = Start.
Accounting-Request with Acct-Status-Type = Stop.
The program determines which Radius server to use, the authentication port number, and the shared secret, following the procedure common to all client scripts (see section Client Configuration).
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radctl Radctl is a control interface to the radiusd
daemon. It allows the
user running it to query radiusd about various aspects of its
work and to issue administrative commands to it. The syntax is
radctl command [args] |
where command is a command telling radctl which actions to
take, and args are optional arguments to the command. Only one
command can be specified per invocation.
The valid commands are as follows:
start [args]If radiusd is not running already, it is started. When
present, args are passed as the command line to the
server.
stopStops running radiusd.
restart [args]Stops the server and then starts it again. When present, args are passed as the command line to the server.
reloadCauses the running radiusd server to reread its configuration files.
dumpdbTells radiusd to dump its user hash table into the file
‘radlog/radius.parse’. This can be used for debugging
configuration files.
statuswhichThis command shows the line of ps(1) describing the running copy
of radiusd program. The exact look depends on the version of
operating system you are running. Please refer to “man ps” for more
detail on ps output.
Here is an example of what radctl status prints on
GNU/Linux:
19692 ? 01:53:11 radiusd |
Here, first field is the PID of the process, second field (‘?’) indicates that the running program has detached from the controlling terminal, the third field gives total amount of CPU time used by the program, and, finally, the last field shows the full name under which the command was invoked.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
builddbm builddbm converts the plaintext Radius users database into
DBM files. Some versions of the Radius daemon have used this to
speed up the access to the users database.
However, with GNU Radius things go the other way around.
The server reads the entire plaintext database, converts it into internal
form, and stores into a hash table, which provides for fast
access. Actually, using a DBM version of the users database slows
down the access unless the machine that runs the Radius daemon is
short of address space for the daemon to store the users database.
When used without arguments, the builddbm utility attempts to
convert the file ‘raddb/users’ to ‘raddb/users.db’ or to
the pair
‘raddb/users.pag’, ‘raddb/users.dir’, depending on the
version of the DBM library used.
If used with one argument, that argument is taken as the name of the plaintext database file to operate upon.
Use the following command line options to modify the operation of
buildbm:
Specifies alternate directory for the Radius configuration files. This defaults to ‘/usr/local/etc/raddb’.
Outputs short usage summary and exits with 0 exit code.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
radscm: A Guile Interface to Radius Functions radscm is a Scheme interpreter based on Guile with the addition
of special functions and variables for communicating with
radiusd. This chapter concentrates on the special features
provided by radscm. Refer to Guile documentation for
information about Scheme and Guile (see (guile)Top section `Overview' in The Guile Reference Manual).
A path to the Radius configuration directory.
A list of radius servers. Each element of the list is:
(list id-str host-str secret-str auth-num acct-num
cntl-num)
|
where the arguments are as follows:
id-str | Server ID |
host-str | Server hostname or IP |
secret-str | Shared secret key to use |
auth-num | Authentication port number |
acct-num | Accounting port number |
cntl-num | Control channel port number |
Thus, each entry can be used as an argument to
rad-client-set-server or
rad-client-add-server.
Sends the request to currently selected server. Arguments are:
Port number to use. These values are allowed:
0 | Authentication port |
1 | Accounting port |
2 | Control port |
The actual port numbers are those configured for the given server.
Request code.
List of attribute-value pairs. Each pair is either
(cons attr-name-str value) |
or
(cons attr-number value) |
Return: On success,
(list return-code-number pair-list) |
On failure,
'() |
Sends a radius request. Actually it does the same work as
rad-send-internal,
but if verbose is specified, the verbose report about interaction with
the radius server is printed.
List currently configured servers. Two columns for each server are displayed: server ID and IP.
Returns the ID of the currently selected server.
Selects for use the server described by list. Here list takes the form
(list id-str host-str secret-str auth-num acct-num
cntl-num)
|
where the elements are as follows:
id-str | Server ID |
host-str | Server hostname or IP |
secret-str | Shared secret key to use |
auth-num | Authentication port number |
acct-num | Accounting port number |
cntl-num | Control channel port number |
Adds the server described by list to the list of active servers. Here list takes the form
(list id-str host-str secret-str auth-num acct-num
cntl-num)
|
where the elements are as follows:
id-str | Server ID |
host-str | Server hostname or IP |
secret-str | Shared secret key to use |
auth-num | Authentication port number |
acct-num | Accounting port number |
cntl-num | Control channel port number |
Prints the given prompt-str, disables echoing, reads a string up to the
next newline character, restores echoing, and returns the string entered.
This is the interface to the C getpass(3) function.
Sets the IP to be used as source. ip-str can be either an IP in dotted-quad form or a hostname.
Sets the timeout in seconds for waiting for a server reply.
Sets the number of retries for sending requests to a Radius server.
Format a radius reply code into a human-readable form.
dest-bool has the same meaning as in format
(see (guile)Formatted Output section `Formatted Output' in The Guile Reference Manual.)
Format a radius attribute-value pair for output.
dest-bool has the same meaning as in format.
pair is either
(cons name-str value) |
or
(cons attr-number value) |
where value may be of any type appropriate for the given attribute.
Output the radius attribute-value pairs from pair-list. dest-bool has the same meaning as in format. pair-list is a list of pairs in the form
(cons name-str value) |
or
(cons attr-number value) |
where value may be of any type appropriate for the given attribute.
All Reply-Message pairs from the list are concatenated and displayed
as one.
Concatenate and print text from all Reply-Message pairs from
pair-list. If text is specified, it is printed before the
concatenated
text.
For each server from rad-server-list, print its ID and hostname
or IP.
Select the server identified by id-str as a current server. The server data are looked up in rad-server-list variable.
Add the server identified by id-str to the list of current servers. The server data are looked up in rad-server-list variable.
| [ << ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.