radmin - FreeRADIUS Administration tool
radmin [-d config_directory] [-e command] [-f socket_file] [-i
input_file] [-n name] [-o output_file] [-q]
FreeRADIUS Server administration tool that connects to the control
socket of a running server, and gives a command-line interface to it.
At this time, only a few commands are supported. Please type "help" at
the command prompt for detailed information about the supported
This tool is experimental and should not be used in production
environments. Changes may be made at any time to the commands accepted
by the server, and/or to the resulting output.
The security protections offered by this command are pretty minimal.
If someone has permission to connect to the server, they can do almost
anything, from stopping the server, to changing its configuration.
Please exercise caution when using this command!
The following command-line options are accepted by the program.
-d config directory
Defaults to /etc/raddb. radmin looks here for the server
configuration files to find the "listen" section that defines
the control socket filename.
Run command and exit.
Specify the socket filename directly. The radiusd.conf file is
Reads input from the specified file. If not specified, stdin is
used. This also sets "-q".
Read raddb/name.conf instead of raddb/radiusd.conf.
Write output to the specified file. If not specified, stdout is
used. This also sets "-q".
-q Quiet mode.
The commands implemented by the command-line interface are almost
completely controlled by the server. There are a few commands
interpreted locally by radmin:
Reconnect to the server.
quit Exit from radmin.
exit Exit from radmin.
The other commands are implemented by the server. Type "help" at the
prompt for more information.
debug file /var/log/radius/bob.log
Set debug logs to /var/log/radius/bob.log. There is very little
checking of this filename. Rogue administrators may be able use
this command to over-write almost any file on the system. If
those administrators have write access to "radius.conf", they
can do the same thing without radmin, too.
debug condition ’(User-Name == "bob")’
Enable debugging output for all requests that match the
condition. Any "unlang" condition is valid here. The condition
is parsed as a string, so it must be enclosed in single or
double quotes. Strings enclosed in double-quotes must have
back-slashes and the quotation marks escaped inside of the
Only one debug condition can be active at a time.
debug condition ’((User-Name == "bob") || (Packet-Src-IP-
Address == 192.0.2.22))’
A more complex condition that enables debugging output for
requests containing User-Name "bob", or requests that originate
from source IP address 192.0.2.22.
Disable debug conditionals.
FULL LIST OF COMMANDS
do sub-command of add
add client <command>
Add client configuration commands
add client file <filename>
Add new client definition from <filename>
debug condition [condition]
Enable debugging for requests matching [condition]
debug level <number>
Set debug level to <number>. Higher is more debugging.
debug file [filename]
Send all debugging output to [filename]
sends a HUP signal to the server, or optionally to one module
reconnect to a running server
terminates the server, and cause it to exit
do sub-command of set
set module <command>
set module commands
set module config <module> variable value
set configuration for <module>
set home_server <command>
set home server commands
set home_server state <ipaddr> <port> [alive|dead]
set state for given home server
do sub-command of show
show client <command>
do sub-command of client
show client config <ipaddr>
show configuration for given client
show client list
shows list of global clients
show debug <command>
show debug properties
show debug condition
Shows current debugging condition.
show debug level
Shows current debugging level.
show debug file
Shows current debugging file.
show home_server <command>
do sub-command of home_server
show home_server config <ipaddr> <port>
show configuration for given home server
show home_server list
shows list of home servers
show home_server state <ipaddr> <port>
shows state of given home server
show module <command>
do sub-command of module
show module config <module>
show configuration for given module
show module flags <module>
show other module properties
show module list
shows list of loaded modules
show module methods <module>
show sections where <module> may be used
shows time at which server started
Prints version of the running server
show xml <reference>
Prints out configuration as XML
do sub-command of stats
stats client [auth/acct] <ipaddr>
show statistics for client
stats home_server <ipaddr> <port>
show statistics for home server
unlang(5), radiusd.conf(5), raddb/sites-available/control-socket
Alan DeKok <firstname.lastname@example.org>
15 Feb 2009