radmin - Man Page

FreeRADIUS Administration tool

Synopsis

radmin [-d config_directory] [-D dictionary_directory] [-e command] [-E] [-f socket_file] [-h] [-i input_file] [-n name] [-q]

Description

FreeRADIUS Server administration tool that connects to the control socket of a running server, and gives a command-line interface to it.

At this time, only a few commands are supported.  Please type "help" at the command prompt for detailed information about the supported commands.

Warning

The security protections offered by this command are limited to the permissions on the Unix domain socket, and the server configuration.  If someone can connect to the Unix domain socket, they have a substantial amount of control over the server.

Options

The following command-line options are accepted by the program.

-d config directory

Defaults to /etc/raddb. radmin looks here for the server configuration files to find the "listen" section that defines the control socket filename.

-D dictionary directory

Set main dictionary directory. Defaults to /usr/share/freeradius.

-e command

Run command and exit.

-E

Echo commands as they are being executed.

-f socket_file

Specify the socket filename directly.  The radiusd.conf file is not read.

-h

Print usage help information.

-i input_file

Reads input from the specified file.  If not specified, stdin is used. This also sets "-q".

-n mname

Read raddb/name.conf instead of raddb/radiusd.conf.

-q

Quiet mode.

Commands

The commands implemented by the command-line interface are almost completely controlled by the server.  There are a few commands interpreted locally by radmin:

reconnect

Reconnect to the server.

quit

Exit from radmin.

exit

Exit from radmin.

The other commands are implemented by the server.  Type "help" at the prompt for more information.

Examples

debug file /var/log/radius/bob.log

Set debug logs to /var/log/radius/bob.log.  There is very little checking of this filename.  Rogue administrators may be able use this command to over-write almost any file on the system.  If those administrators have write access to "radius.conf", they can do the same thing without radmin, too.

debug condition '(User-Name == "bob")'

Enable debugging output for all requests that match the condition. Any "unlang" condition is valid here.  The condition is parsed as a string, so it must be enclosed in single or double quotes.  Strings enclosed in double-quotes must have back-slashes and the quotation marks escaped inside of the string.

Only one debug condition can be active at a time.

debug condition '((User-Name == "bob") || (Packet-Src-IP-Address == 192.0.2.22))'

A more complex condition that enables debugging output for requests containing User-Name "bob", or requests that originate from source IP address 192.0.2.22.

debug condition

Disable debug conditionals.

Full List of Commands

add <command>

do sub-command of add

add client <command>

Add client configuration commands

add client file <filename>

Add new client definition from <filename>

debug <command>

debugging commands

debug condition [condition]

Enable debugging for requests matching [condition]

debug level <number>

Set debug level to <number>.  Higher is more debugging.

debug file [filename]

Send all debugging output to [filename]

del <command>

do sub-command of del

del client <command>

Delete client configuration commands

del client ipaddr <ipaddr>

Delete a dynamically created client

hup [module]

sends a HUP signal to the server, or optionally to one module

inject <command>

commands to inject packets into a running server

inject to <ipaddr> <port>

Inject packets to the destination IP and port.

inject from <ipaddr>

Inject packets as if they came from <ipaddr>

inject file <input-file> <output-file>

Inject packet from input-file>, with results sent to <output-file>

reconnect

reconnect to a running server

terminate

terminates the server, and cause it to exit

set <command>

do sub-command of set

set module <command>

set module commands

set module config <module> variable value

set configuration for <module>

set module status [alive|dead]

set the module to be alive or dead (always return "fail")

set home_server <command>

set home server commands

set home_server state <ipaddr> <port> [alive|dead]

set state for given home server

show <command>

do sub-command of show

show client <command>

do sub-command of client

show client config <ipaddr> [udp|tcp]

shows configuration for a given client.

show client list

shows list of global clients

show debug <command>

show debug properties

show debug condition

Shows current debugging condition.

show debug level

Shows current debugging level.

show debug file

Shows current debugging file.

show home_server <command>

do sub-command of home_server

show home_server config <ipaddr> <port>

show configuration for given home server

show home_server list

shows list of home servers

show home_server state <ipaddr> <port>

shows state of given home server

show module <command>

do sub-command of module

show module config <module>

show configuration for given module

show module flags <module>

show other module properties

show module list

shows list of loaded modules

show module methods <module>

show sections where <module> may be used

show uptime

shows time at which server started

show version

Prints version of the running server

show xml <reference>

Prints out configuration as XML

stats <command>

do sub-command of stats

stats client [auth/acct] <ipaddr>

show statistics for given client, or for all clients (auth or acct)

stats home_server [<ipaddr>|auth|acct] <port>

show statistics for given home server (ipaddr and port), or for all home servers (auth or acct)

stats detail <filename>

show statistics for the given detail file

See Also

unlang(5), radiusd.conf(5), raddb/sites-available/control-socket

Author

Alan DeKok <aland@freeradius.org>

Referenced By

raddebug(8), rlm_passwd(5).

11 Mar 2019 FreeRADIUS Server Administration Tool