johnclearyconsulting/radgraph

Introducing RadGraph

An Entra directory integration for FreeRADIUS, built with MS-Graph.

Repository: johnclearyconsulting/radgraph

Tip

TL;DR: For FreeRADIUS users authenticated via EAP-TLS, RadGraph will return the user's VLAN and other RADIUS "Class" attributes which can then be sent to an internet firewall/gateway via RADIUS Accounting. The appropriate VLAN and RADIUS attributes are derived from the user's EAP-TLS certificate CN (CommonName) which is matched to Entra ID group membership &/or Intune Device ownership.

radgraph-auth-flow

Overview

The Goal

Admins often also want to allow only managed devices to join their network (e.g. to stop users being able to re-use their credentials to join Wi-Fi on unmanaged devices). To achieve this, admins are moving away from 802.1x PEAP authentication (e.g. usernames & passwords) to EAP-TLS (device certificate authentication).

My Context

I work in the education sector. Previously, the most common authentication setup for Wi-Fi authentication was to use Windows ADDS for user identity and Windows NPS for PEAP 802.1x RADIUS Wi-Fi authentication which relies on usernames & passwords.

Given Windows NPS is integrated with ADDS, an admin could create rules based on group membership to evaluate which VLAN and/or other RADIUS attributes (e.g. Class) a user connecting should have applied to their user session.

These rules were important for assigning users to both the correct VLAN and also applying Internet Filtering which is typically built on the Class RADIUS accounting attribute (e.g. forwarded to firewall/gateway like a Fortigate or Cyberhound which then can map various firewall rules/restrictions to the user's sessions).

The Problem

When originally planning to move from PEAP to EAP-TLS, my first thought was to still use Windows NPS for the authentication. I soon ran into a widely known problem that people trying to do this encounter, and it boils down to this:

While Windows NPS supports EAP-TLS (e.g. certificate) authentication for clients, if the client device is not a member object in the Active Directory domain it will not evaluate it.

Most of the workarounds people have developed to continue using NPS for EAP-TLS mean having to create dummy objects in ADDS for computers that aren’t actually joined to the domain. And while Windows NPS will authenticate machines with an ADCS derived certificate if there is an object for the machine in the ADDS, it also doesn’t work for user certs meaning the NPS rules need to be based on machine not user.

The process for issuing a certificate to a managed device via SCEP (NDES in Windows nomenclature) from an MDM like Intune or Jamf essentially means you pass a value to the SCEP server to use as the certificate CommonName.

While for a computer you can set the hostname to the user (e.g. jcleary) so that the CommonName of the cert issued is obvious, it can cause issues with other devices. Intune for example cannot issue a SCEP certificate to an iPad in the device context with user details like {{userprincipalname}} but rather only device details like {{serial_number}}.

Enter FreeRADIUS

FreeRADIUS is an open source, performant, highly extensible alternative to Windows NPS. Fun fact, it is what drives most of the cloud "RADIUS" solutions (e.g. Foxpath; Cloud Radius and more).

If all we needed to do was to allow user devices to authenticate via Wi-Fi with certificates, this is a 5 minute setup for FreeRADIUS. As long as the device has a SCEP issued certificate, and FreeRADIUS allows certificates issued by the SCEP server, you're in business. This is a pretty basic workflow, and is all you need for a flat network.

As above, however, the problem in Education (and Enterprise!) is that we need to control access to different users based on the user's identity. Instead of running YetAnotherEndpointAgent™ on user devices (which you can't even do easily on an iPad, of course) it's far better to authenticate the user with RADIUS and pass the identity to the internet filter via RADIUS accounting attributes.

The Solution

In this solution, FreeRADIUS authenticates machines with EAP-TLS using a certificate issued via MDM & SCEP as usual.

After the valid authentication, during "Post-Auth", FreeRADIUS runs an external program and passes it the certificate’s CommonName (CN), which was originally set by the MDM as the device hostname or the device owner's username.

The lookups happen in this order:

Intune Lookup

Before looking up the user in the Entra Cache, RadGraph first checks if the CommonName it has been passed is a Serial Number in the Intune Cache. This is due to the note above, about Intune not allowing a SCEP certificate for an iPad in the device context to have user details like {{userprincipalname}} but rather only device details like {{serial_number}}.

If the CommonName is a Serial Number, the cached upn for that entry is used for the Entra Cache lookup. If not, the Entra lookup proceeds with the value supplied.

Entra Lookup

If the CommonName matches a user in the Entra Cache, the appropriate VLAN is returned, as are any Class attributes (e.g. the All Staff group might be VLAN ID 20 etc.).

User-Name := "John Cleary (jcleary)"
Tunnel-Private-Group-Id := "100"
Class := "parents"
Class := "john"

The format of User-Name can be customised in the config.ps1 file. By default, it will return a concatenated string from the Entra user details in the form Display Name (CommonName). This is because in my environment I don't have "human readable" usernames, which makes looking at logging and the Fortigate interface less useful. You can change the $return_raw_username value to $true in config.ps1 to make it instead return:

User-Name := "jcleary"
Tunnel-Private-Group-Id := "100"
Class := "parents"
Class := "john"

The VLAN assignment is then returned from the RADIUS Server to the Network Access Server (e.g. the WAP or Switch initiating the RADIUS connection) which it will then dutifully use to assign the User's VLAN and pass the Class attribute(s) on to the accounting servers etc.

Note

On a Fortigate (my preferred firewall/filter) the Class attributes returned via RADIUS Accounting are matched to RSSO groups which are then used in Fortigate firewall rules (e.g. to give senior IT staff access to things they wouldn’t otherwise have).

Using RadGraph

RadGraph can either be run in interactive mode, or via three automatic workflows:

Cache Management

A process to populate a local cache of device serials & owner (from Intune) and User details (from Entra)

Authentication Lookups

A process that listens for requests from FreeRADIUS and looks up user details in realtime to return VLAN and Class attributes.

CRL Management

A process for automating the update of the Certificate Revocation List (CRL) nightly.

Cache Management Overview

When run with the -update_cache_now flag RadGraph will update the Intune and Entra caches to disk.

Once confirmed working (e.g. run it directly on the CLI first, optionally with -debugging) this should be scheduled to run nightly with cron. See documentation later in this document.

This will populate both caches in the formats below.

/opt/radgraph/intune_cache.json

{
  "SERIALNUMBER": {
    "hostname": "HOSTNAME",
    "username": "jcleary"
  },
  "SERIALNUMBER2": {
    "hostname": "HOSTNAME2",
    "username": "user2"
  }
}

/opt/radgraph/entra_cache.json

{
  "jcleary": {
    "vlan": 100,
    "web_filter_class": "parents john",
    "display_name": "John Cleary"
  },
  "user2": {
    "vlan": XXX,
    "web_filter_class": "XXX",
    "display_name": "XXX"
  }
}

Authentication Lookups Overview

In 802.1X RADIUS authentication, the components involved are referred to as:

Important

Supplicant

The User Device joining the network.

Authenticator

The WAP or Switch that manages the RADIUS session, forwarding authentication to the FreeRADIUS server and Fortigate etc.

Authentication Server

The FreeRADIUS server which handles the session authentication for the Authenticator.

In RadGraph, the EAP-TLS session happens as usual, but during the authentication the FreeRADIUS server calls an external application which looks up the information from a cache which is generated from Entra & Intune users & group membership.

radgraph-auth-flow
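
The lookup order described above (Intune serial number first, then Entra username, then the configured defaults), as an added PowerShell sketch that is not RadGraph's own code. The function name, the sample cache entries, the CN character allowlist and the User-Name returned for an unmatched CN are assumptions.

```powershell
# Added example, not RadGraph's own code. Cache shapes follow the README;
# function name, sample values and the CN allowlist are assumptions.

# Constructed caches in the intune_cache.json / entra_cache.json format.
$intune = @'
{ "F9FXK2ABCD": { "hostname": "IPAD-01", "username": "jcleary" } }
'@ | ConvertFrom-Json -AsHashtable

$entra = @'
{ "jcleary": { "vlan": 100, "web_filter_class": "parents john", "display_name": "John Cleary" } }
'@ | ConvertFrom-Json -AsHashtable

function Get-RadiusReplyExample {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [System.Collections.IDictionary]$IntuneCache,
        [System.Collections.IDictionary]$EntraCache,
        [string]$DefaultVlan = '100',
        [string]$DefaultClass = 'guest',
        [switch]$ReturnRawUsername
    )

    # The CN ends up inside quoted reply pairs, so accept only a conservative
    # character set (assumed policy: usernames and serial numbers). \z is used
    # instead of $ so a trailing newline cannot slip through.
    if ($CommonName -notmatch '\A[A-Za-z0-9._-]{1,64}\z') {
        throw "Rejected CommonName with unexpected characters or length"
    }

    # 1. Intune lookup: a CN that is a cached serial maps to the owner's username.
    $username = $CommonName
    if ($IntuneCache.Contains($CommonName)) {
        $username = [string]$IntuneCache[$CommonName].username
    }

    # 2. Entra lookup with the mapped username, or with the CN as supplied.
    if ($EntraCache.Contains($username)) {
        $user    = $EntraCache[$username]
        $vlan    = [string]$user.vlan
        $classes = @(([string]$user.web_filter_class) -split '\s+' | Where-Object { $_ })
        # Display names come from the directory: drop quotes, backslashes and
        # control characters so they cannot break out of the quoted value.
        $display = ([string]$user.display_name) -replace '["\\\p{Cc}]', ''
        $name    = if ($ReturnRawUsername) { $username } else { "$display ($username)" }
    }
    else {
        # 3. No match in either cache: fall back to the configured defaults
        #    (returning the bare CN as User-Name here is an assumption).
        $vlan    = $DefaultVlan
        $classes = @($DefaultClass)
        $name    = $username
    }

    # One "Attribute := value" pair per line; one Class line per class.
    $reply = @("User-Name := `"$name`"", "Tunnel-Private-Group-Id := `"$vlan`"")
    foreach ($c in $classes) { $reply += "Class := `"$c`"" }
    return $reply
}

# Constructed calls: a serial number, a plain username, and an unknown CN.
foreach ($cn in 'F9FXK2ABCD', 'jcleary', 'visitor01') {
    "--- CN=$cn"
    Get-RadiusReplyExample -CommonName $cn -IntuneCache $intune -EntraCache $entra
}
```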

CRL Management Overview

As part of a standard FreeRADIUS EAP-TLS setup you will have a CRL for revoked certs. When run with the -refresh_crl_from_file flag, RadGraph will update the CRL used in FreeRADIUS and restart the FreeRADIUS server. I've included it in RadGraph as it is a key part of a successful FreeRADIUS deployment that isn't included by default. 🙂

To do this, RadGraph expects that the CA has already copied the latest CRL to the paths specified in config.ps1. The file needs to be copied to the FreeRADIUS server from the Certificate Authority (usually the SCEP/NDES server). We do it via TaskScheduler over SCP with key pairs.

We then have a cron job to process the new CRL on the FreeRADIUS server each night, and then restart the service (see later).

Installing RadGraph

Important

All sample code below is for FreeRADIUS running on Ubuntu 25.10.

Install Pre-Requisites

PowerShell

Important

You need to install PowerShell directly from Microsoft (e.g. not via snap as it can't access certain parts of the filesystem).

If using Ubuntu 25.10, run the following:

sudo mkdir -p /usr/local/powershell

wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.4/powershell-7.5.4-linux-x64.tar.gz

sudo tar -xzf powershell-7.5.4-linux-x64.tar.gz -C /usr/local/powershell

sudo ln -sf /usr/local/powershell/pwsh /usr/local/bin/pwsh

sudo chmod +x /usr/local/powershell/pwsh

Or if on a supported build of Ubuntu (25.10 isn't yet!), you can also follow the Microsoft guide here.

Microsoft-Graph Powershell Module

You can follow the Microsoft guide here or just run:

sudo pwsh
Install-Module Microsoft.Graph.Authentication -Scope AllUsers -Repository PSGallery -Force
Install-Module Microsoft.Graph.Users -Scope AllUsers -Repository PSGallery -Force
Install-Module Microsoft.Graph.Groups -Scope AllUsers -Repository PSGallery -Force
Install-Module Microsoft.Graph.DeviceManagement -Scope AllUsers -Repository PSGallery -Force

Install radgraph

Add your Linux user to the freerad group to make things easier to manage:

sudo usermod -aG freerad theradboss

Once done you'll need to log out and back in.

Make required directories:

sudo mkdir -p /usr/local/bin/radgraph
sudo chown -R theradboss:freerad /usr/local/bin/radgraph
sudo chmod g+s /usr/local/bin/radgraph

Clone the GitHub repo to /usr/local/bin/radgraph.

sudo -u theradboss git clone git@github.com:johnclearyconsulting/radgraph.git /usr/local/bin/radgraph

You can update the repo in future with:

sudo -u theradboss git -C /usr/local/bin/radgraph pull

Create Entra Certificate

  1. Create a new server certificate: /opt/radgraph/radgraph.pfx

    cd /opt/radgraph/
    
    # Create private key
    openssl genrsa -out radgraph.key 2048
    
    # Create self-signed cert valid for 2 years
    openssl req -new -x509 -key radgraph.key -out radgraph.crt -days 730 -subj "/CN=radgraph"
    
    # Create PFX (leave blank at password prompt so it can be used in automation)
    # With no password, file permissions are the only protection for this key
    openssl pkcs12 -export \
    -out radgraph.pfx \
    -inkey radgraph.key \
    -in radgraph.crt
  2. Register a new Entra application (guide)

  3. Upload the public key from Step 1 under "Certificates & Secrets"

  4. Grant the following Microsoft Graph API permissions with Admin consent

    • DeviceManagementManagedDevices.Read.All

    • Group.Read.All

    • User.Read.All

  5. Note the Entra App ID and Tenant ID (needed in config file below).

Populate config.ps1 File

Make required directory:

sudo mkdir -p /opt/radgraph
sudo chown -R theradboss:freerad /opt/radgraph
sudo chmod g+s /opt/radgraph

Copy sample config to /opt/radgraph/:

cp /usr/local/bin/radgraph/sample_config.ps1 /opt/radgraph/config.ps1

Edit config to update values for your environment:

nano /opt/radgraph/config.ps1
# This file should be copied to: /opt/radgraph/config.ps1 and customised for your environment

## SERVER DETAILS
# Specify which OS the FreeRADIUS Server is running on ('Mac' | 'Linux')
$server_os = "Linux"
$local_username = "theradboss"
$server_hostname = $(hostname)

## ENTRA CONFIGURATION
# Entra UPN Suffix
$upn_suffix = "@cleary.au"
# Entra Cache Filename (must end in .json)
$entra_cache_filename = "/opt/radgraph/entra_cache.json"
$intune_cache_filename = "/opt/radgraph/intune_cache.json"
# Entra Tenant ID
$TenantId = "YOUR-ENTRA-TENANT-ID-HERE"
# Entra App/Client ID
$ClientId = "YOUR-ENTRA-APPCLIENT-ID-HERE"
# App Entra Certificate.
$entra_certificate = "/opt/radgraph/radgraph.pfx"

## CRL CONFIGURATION
# ADDS CRL FullPath
$root_ca_filename = "ca.cer"
$root_ca_source_path = "/home/$local_username/$root_ca_filename"
$crl_filename = "ca.crl"
$crl_source_path = "/home/$local_username/$crl_filename"
# FreeRADIUS CRL Fullpath
$freeradius_crl_fullpath = "/etc/freeradius/3.0/certs/ca_and_crl.pem"

## USER DETAILS CONFIGURATION
# Add an entry as below for each Entra RADIUS Group that will be used to assign users to a VLAN.
# The vlan number will be used to drop the user into the correct VLAN via the RADIUS response,
# and the web_filter_class can be used to identify users e.g. via RSSO to a Fortigate.
# Lower priority is preferred over higher in the event a user is in two VLAN groups.

# $radius_entra_groups["GROUP_NAME"] = @{
#   priority = "PRIORITY"
#   vlan = "VLAN_ID"
#   web_filter_class = "CLASS_NAME"
# }

# Initialise the Array
$radius_entra_groups = @{}

# VLAN Groups
$radius_entra_groups["Parents"] = @{
    priority = "1"
    vlan = "100"
    web_filter_class = "parents"
}
$radius_entra_groups["Kids"] = @{
    priority = "1"
    vlan = "200"
    web_filter_class = "kids"
}

# RSSO Attribute Only Groups
$radius_entra_groups["John"] = @{
    priority = "1000"
    web_filter_class = "john"
}

# Default values for users where no entry is matched from Entra/Intune
$default_vlan = "100"
$default_web_filter_class = "guest"
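
How the priority rule in the comments above can play out when a user is in several configured groups, as an added PowerShell sketch that is not RadGraph's own code. The function name and the name-based tie-break are assumptions; how RadGraph itself orders groups with equal priority is not stated on this page.

```powershell
# Added example, not RadGraph's own code. The group table is copied from the
# sample config; the function name and tie-break rule are assumptions.
$radius_entra_groups = @{}
$radius_entra_groups["Parents"] = @{ priority = "1";    vlan = "100"; web_filter_class = "parents" }
$radius_entra_groups["Kids"]    = @{ priority = "1";    vlan = "200"; web_filter_class = "kids" }
$radius_entra_groups["John"]    = @{ priority = "1000"; web_filter_class = "john" }
$default_vlan = "100"
$default_web_filter_class = "guest"

function Resolve-GroupAttributesExample {
    param(
        [string[]]$MemberOf,
        [hashtable]$GroupTable,
        [string]$DefaultVlan,
        [string]$DefaultClass
    )

    # Keep only the groups that appear in the config table.
    $matched = @(foreach ($group in $MemberOf) {
        if ($GroupTable.ContainsKey($group)) {
            $entry = $GroupTable[$group]
            [pscustomobject]@{
                Name     = $group
                # Priorities are quoted strings in config.ps1; cast so that
                # "1000" sorts after "2" instead of before it.
                Priority = [int]$entry.priority
                Vlan     = $entry.vlan
                Class    = $entry.web_filter_class
            }
        }
    })

    # Lowest priority number first; name is only a deterministic tie-break.
    $sorted = @($matched | Sort-Object -Property Priority, Name)

    # VLAN: first group in priority order that defines one.
    $vlanGroups = @($sorted | Where-Object { $_.Vlan })
    $vlan = if ($vlanGroups.Count -gt 0) { $vlanGroups[0].Vlan } else { $DefaultVlan }

    # Two VLAN groups sharing the winning priority make the result depend on
    # the tie-break, so surface that to the admin.
    $ambiguous = ($vlanGroups.Count -gt 1) -and
                 ($vlanGroups[0].Priority -eq $vlanGroups[1].Priority) -and
                 ($vlanGroups[0].Vlan -ne $vlanGroups[1].Vlan)

    # Class: every matched group's class, space separated as in entra_cache.json.
    $classes = @($sorted | Where-Object { $_.Class } | ForEach-Object { $_.Class })
    $class = if ($classes.Count -gt 0) { $classes -join ' ' } else { $DefaultClass }

    [pscustomobject]@{ vlan = $vlan; web_filter_class = $class; ambiguous_vlan = $ambiguous }
}

# Constructed memberships: VLAN group plus class-only group, two VLAN groups
# with equal priority, and a user in no configured group.
$common = @{
    GroupTable   = $radius_entra_groups
    DefaultVlan  = $default_vlan
    DefaultClass = $default_web_filter_class
}
Resolve-GroupAttributesExample -MemberOf 'John', 'Parents' @common
Resolve-GroupAttributesExample -MemberOf 'Parents', 'Kids' @common
Resolve-GroupAttributesExample -MemberOf 'Some Other Group' @common
```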

Monitoring (optional)

Note

I use Pushover and InfluxDB for logging and monitoring user connections, so you'll see config settings for those systems in the config file. You don't have to use them, and getting that all setup is outside the scope of this README file. I might get to documenting that later if it's not clear from the code! 🙂

## LOGGING / MONITORING CONFIGURATION
# Pushover Credentials
$enable_pushover = $false # or $true
$pushover_user = "PUT A USER HERE"
$pushover_token = "PUT A TOKEN HERE"
# Influx Details
$log_influx = $false # or $true
$influx_server = "INFLUX_SERVER:PORT"
$influx_token = "PUT A TOKEN HERE"
$influx_org = "ORG NAME"
$influx_db = "DATABASE"

Interactive Mode

You can run radgraph.ps1 in interactive mode with the following:

/usr/local/bin/pwsh -F /usr/local/bin/radgraph/radgraph.ps1 -interactive

This will let you run a few different things (should be self explanatory!)

Before continuing, you should populate the Intune and Entra caches, and do some test lookups! 🙂

The RadGraph Listener

When FreeRADIUS calls RadGraph during a user's authentication session (in Post-Auth) it will call

Load RadGraph Listener

Copy service file from repo to /etc/systemd/system

sudo cp /usr/local/bin/radgraph/radgraph-listener.service /etc/systemd/system/radgraph-listener.service

sudo chown root:root /etc/systemd/system/radgraph-listener.service
sudo chmod 744 /etc/systemd/system/radgraph-listener.service

sudo ls -al /etc/systemd/system/ | grep "radgraph"
# Should Return
# -rwxr--r--  1 root root  725 Apr 19 18:05 radgraph-listener.service

Edit the copied file with sudo nano /etc/systemd/system/radgraph-listener.service and update with the user and group for your Ubuntu server user:

# User=theradboss
# Group=theradboss

Start the service:

sudo systemctl start radgraph-listener.service

Confirm service is running:

sudo systemctl status radgraph-listener.service

# Should Return
# ● radgraph-listener.service - RadGraph JSON Lookup Daemon (PowerShell)
#      Loaded: loaded (/etc/systemd/system/radgraph-listener.service; disabled; preset: enabled)
#      Active: active (running) since Sun 2026-04-19 18:09:55 AEST; 5s ago
#  Invocation: a7bbba08e13f416c848eade59bee3fc4
#    Main PID: 82197 (pwsh)
#       Tasks: 17 (limit: 1858)
#      Memory: 43.8M (peak: 43.8M)
#         CPU: 730ms
#      CGroup: /system.slice/radgraph-listener.service
#              └─82197 /usr/local/bin/pwsh -File /usr/local/bin/radgraph/radgraph.ps1 -listener_daemon

To test it's running, you can call the helper script with the following values...

/usr/local/bin/radgraph/call_listener_daemon.sh "<<commonname>>"

e.g.

/usr/local/bin/radgraph/call_listener_daemon.sh "jcleary"

You should see an entry in the log (see below for where logs are located).

2026-04-19 18h24m03s ❌ CommonName john not found in Intune Cache. Will check if john is a valid username now.
2026-04-19 18h24m03s ✅ User john is a valid user. Getting group(s) now.
2026-04-19 18h24m03s ✅ John Cleary (CN=john) authenticated successfully and was added to VLAN 100 with web-filter-class: guest.

Logging

Make Folder & Set Permissions

I set the logging location permissions as owned by the FreeRADIUS service so it can also read/write to the logs when it calls the RadGraph listener.

sudo mkdir -p /var/log/radgraph
sudo chown -R freerad:freerad /var/log/radgraph
sudo chmod -R 770 /var/log/radgraph
sudo chmod g+s /var/log/radgraph
echo "Testing $(/usr/bin/date +"%Y-%m-%d")" > /var/log/radgraph/test.log

sudo ls -al /var/log/radgraph
## Should Output
# total 12
# drwxrws---  2 freerad    freerad 4096 Apr 18 14:33 .
# drwxr-xr-x 14 root       syslog  4096 Apr 18 14:33 ..
# -rw-rw-r--  1 theradboss freerad    8 Apr 18 14:33 test.log

cat /var/log/radgraph/test.log
## Should Output
# Testing 2026-04-18

radgraph.ps1 log files output here, by date:

/var/log/radgraph/radgraph_$(/usr/bin/date +"%Y-%m-%d").log

radgraph-listener.service user connection logging is here, by date:

/var/log/radgraph/lookup_$(/usr/bin/date +"%Y-%m-%d").log

radgraph-listener.service service log files are here:

StandardOutput=append:/var/log/radgraph-listener-service.log
StandardError=append:/var/log/radgraph-listener-service.log

Sample Output

As above, when a user connects and RadGraph is called, it outputs the following two lines to the log:

2026-04-19 18h24m03s ❌ CommonName john not found in Intune Cache. Will check if john is a valid username now.
2026-04-19 18h24m03s ✅ User john is a valid user. Getting group(s) now.
2026-04-19 18h24m03s ✅ John Cleary (CN=john) authenticated successfully and was added to VLAN 100 with web-filter-class: guest.

Cache & CRL Refresh via cron

A key part of an ongoing FreeRADIUS setup is to manage the Cache and Certificate Revocation list.

Set up a root user crontab with sudo crontab -e to add them.

# For a file copied from SCEP server
5 2 * * * /usr/local/bin/pwsh -File /usr/local/bin/radgraph/radgraph.ps1 -refresh_crl_from_file

Set up a root user cron job to refresh the Intune and Entra caches nightly, then restart the lookup service:

5 3 * * * sudo /usr/local/bin/pwsh -File /usr/local/bin/radgraph/radgraph.ps1 -update_cache_now && /bin/systemctl restart radgraph-listener.service && /bin/systemctl restart freeradius

Integrate with FreeRADIUS

Pre-Requisites

  • A Certificate Authority + SCEP Server (Windows ADCS + NDES or Intune Cloud PKI, etc) to issue client certificates
  • An MDM (to use the SCEP flow to issue certificates to clients)
  • An Ubuntu server with FreeRADIUS configured and working for EAP-TLS authentication.

FreeRADIUS Config

Note

You should already have basic EAP-TLS authentication working before you integrate RadGraph to your FreeRADIUS setup. These are the basic steps below, which should be pretty easy to follow or find a guide.

  1. Install FreeRADIUS
  2. Create a CSR on your FreeRADIUS Server
  3. Issue Certificate for your FreeRADIUS Server (with your CA)
  4. Copy the Root Certificate + CRL for your CA to your FreeRADIUS Server
  5. Configure EAP-TLS auth; Root Certificate + CRL
  6. Add your WAPs to clients.conf
  7. Configure your Wi-Fi to authenticate to your FreeRADIUS server
  8. Confirm a client device can authenticate and join Wi-Fi via EAP-TLS

Edit Config Files

While running the below, it's easier to set the path to freeradius install to a variable (needed for copy/paste of the commands below).

frdir="/etc/freeradius/3.0"

The following FreeRADIUS files need to be edited:

  1. sites-available/default
  2. mods-available/exec

sites-available/default

Add run-radgraph at the top of the post-auth section of the default site:

sudo nano $frdir/sites-available/default

Add at the top, and leave other config below.

post-auth {
	# Call RadGraph to get User Details from Entra cache
	run-radgraph
	# Leave existing config below... 
}

mods-available/exec

sudo nano $frdir/mods-available/exec
# After this default section
exec {
        wait = no
        input_pairs = request
        shell_escape = yes
        timeout = 10
}

# Add this new section
exec run-radgraph {
    wait = yes
    input_pairs = request
    output_pairs = reply
    program = "/usr/local/bin/radgraph/call_listener_daemon.sh %{TLS-Client-Cert-Common-Name}"
}

Extending the Logging

RadGraph also supports passing additional data when run, which I use for logging. It's not required for VLAN and Class attributes, but is great if you're wanting to log connections. Before trying to pass additional variables, I would ensure that you have the basic functionality above working. 🙂

The logging section of Get-LookupCommonName (which is what powers the lookups) will accept values for the following metrics when passed from FreeRADIUS at runtime, in this order:

CommonName
WapName
stationMACAddr
TLSSerial
wap_mac
connect_info

These additional metrics are only used for logging requests -- they do not affect the main functionality.

So, to log the additional data, you would add them to the FreeRADIUS mods-available/exec file like this:

exec run-radgraph {
    wait = yes
    input_pairs = request
    output_pairs = reply
    program = "/usr/local/bin/radgraph/call_listener_daemon.sh %{TLS-Client-Cert-Common-Name} %{Fortinet-AP-Name} %{Calling-Station-Id} %{TLS-Client-Cert-Serial} %{Called-Station-Id} %{Connect-Info}"
}

Some of the variables above (e.g. %{Fortinet-AP-Name} %{Calling-Station-Id}) may not be the same in your environment. These are the attributes supplied to FreeRADIUS from the WAP doing the RADIUS authentication, and can be found by watching a successful EAP-TLS auth in the FreeRADIUS logs while running in debug mode via sudo freeradius -X.

For example, with a MIST or Cambium WAP you'd use:

program = "/usr/local/bin/radgraph/call_listener_daemon.sh %{TLS-Client-Cert-Common-Name} %{NAS-Identifier} %{Calling-Station-Id} %{TLS-Client-Cert-Serial} %{Called-Station-Id} %{Connect-Info}"

To test this (e.g. while setting up Influx) you can call the helper script with the following values...

/usr/local/bin/radgraph/call_listener_daemon.sh "<<commonname>>" "<<WapName>>" "<<stationMACAddr>>" "<<TLSSerial>>" "<<wap_mac>>" "<<connect_info>>"

e.g.

/usr/local/bin/radgraph/call_listener_daemon.sh "john" "LivingRoom" "XX:XX:XX:XX:XX:XX" "2342352352362" "XX:XX:XX:XX:XX:XX" "STRING"

You should see an entry in the log that includes the data:

2026-02-18 20h40m18s ❌ CommonName jcleary not found in Intune Cache. Will check if jcleary is a valid username now.
2026-02-18 20h40m18s ✅ John Cleary (CN=jcleary; MAC=XX:XX:XX:XX:XX:XX) authenticated successfully and was added to VLAN 100 with web-filter-class: parents john via WAP: LivingRoom.

Troubleshooting Tips

  1. Run FreeRADIUS in -X mode (sudo freeradius -X) to see detailed runtime FreeRADIUS logs.

  2. Run radgraph.ps1 with -debugging mode when using interactive mode to see more during the process.

  3. Add these helpful commands to the server's bash profile with nano .profile so that you can just type commands like radgraph on the console and have it launch in interactive mode etc.

# Variables for use in paths
# e.g. nano $radconfdir/config.ps1
frdir="/etc/freeradius/3.0"
raddir="/usr/local/bin/radgraph/"
radconfdir="/opt/radgraph/"

# Aliases for going to folders
alias fr_dir="cd /etc/freeradius/3.0/"
alias rad_dir="cd /usr/local/bin/radgraph/"
alias radconf_dir="cd /opt/radgraph/"

# Aliases for running commands
alias radgraph="echo \"Running Command: sudo pwsh -F /usr/local/bin/radgraph/radgraph.ps1 -interactive -debugging\"; sudo pwsh -F /usr/local/bin/radgraph/radgraph.ps1 -interactive -debugging"

alias radgraph-debug="echo \"Running Command: sudo pwsh -F /usr/local/bin/radgraph/radgraph.ps1 -interactive -debugging\"; sudo pwsh -F /usr/local/bin/radgraph/radgraph.ps1 -interactive -debugging"

alias refresh_crl="sudo /usr/local/bin/pwsh -File /usr/local/bin/radgraph/radgraph.ps1 -refresh_crl_from_file"

alias restart_stack="sudo systemctl restart freeradius; sudo systemctl restart radgraph-listener.service"

alias pull_radgraph_repo="sudo -u theradboss git -C /usr/local/bin/radgraph pull; sudo systemctl restart freeradius; sudo systemctl restart radgraph-listener.service"

# Aliases for Viewing Logs
# Single-quoted so the date is evaluated when the alias runs, not when .profile is loaded
alias radgraph_log='echo "Running Command: tail -f /var/log/radgraph/radgraph_$(/usr/bin/date +"%Y-%m-%d").log"; tail -f /var/log/radgraph/radgraph_$(/usr/bin/date +"%Y-%m-%d").log'

alias lookup_log='echo "Running Command: tail -f /var/log/radgraph/lookup_$(/usr/bin/date +"%Y-%m-%d").log"; tail -f /var/log/radgraph/lookup_$(/usr/bin/date +"%Y-%m-%d").log'

alias lookup_fulllog='echo "Running Command: cat /var/log/radgraph/lookup_$(/usr/bin/date +"%Y-%m-%d").log"; cat /var/log/radgraph/lookup_$(/usr/bin/date +"%Y-%m-%d").log'

About

For FreeRADIUS users authenticated via EAP-TLS, RadGraph will assign a VLAN and pass RADIUS attributes to an internet gateway or filter via RADIUS Accounting. The appropriate VLAN and RADIUS Attributes are derived from the user's EAP-TLS certificate CN (CommonName) which is matched to Entra ID group membership.
