
Radiator Frequently Asked Questions

  • 1. Do you accept patches for Radiator
  • 2. When I try to download Radiator I get rubbish in my browser
  • 3. Is there a mailing list archive?
  • 4. I specified dictionary.cisco in radius.cfg (or dictionary.ascend), and now the test suite fails. Why?
  • 5. OK, which dictionary should I use then?
  • 6. How do I configure a Cisco NAS for Radius?
  • 7. How do I use Livingston users file?
  • 8. Why doesn't the radpwtst GUI work properly on my PC?
  • 9. I can't get crypt(3) for Perl working on my PC. Do I really need it?
  • 10. Will Radiator run on Perl 5.003 or 5.004?
  • 11. I keep getting Bad Authenticator messages when I get accounting requests from a GRIC roaming connection. Why?
  • 12. How can I authenticate against NT passwords and Groups
  • 13. How are DEFAULT users entered in a DBM file?
  • 14. How can I connect to Microsoft SQL from a Unix box?
  • 15. How do I set up anti-spoofing filters
  • 16. Why are my DBM files so big?
  • 17. Why do tests 2n, 2r, 2t, 2v and 4a fail on freebsd?
  • 18. How do I set up automatic IP address allocation
  • 19. How do I make Radiator work with Emerald?
  • 20. How do I make Radiator work with LDAP on NT?
  • 21. How do I make Radiator work with Platypus?
  • 22. How can I apply the same check or reply items to all the users in my SQL database?
  • 23. How can I make Radiator work with the PPTP server?
  • 24. How can I connect to Microsoft SQL server from Unix using OpenLink?
  • 25. How do I run Radiator as a service on NT?
  • 26. I don't know where to get SRVANY, what can I do to run as a service on NT
  • 27. How can I use Microsoft Access as my database?
  • 28. Where can I get pmwho?
  • 29. I think I'm seeing a memory leak. What can I do?
  • 30. Where can I get a copy of snmpget?
  • 31. I can't build DBD-Sybase against the free Sybase client library on Linux. Why?
  • 32. My USR radius attributes don't seem to be numbered correctly. Why?
  • 33. I'm having problems compiling MD5 on Rhapsody. Why
  • 34. I'm having problems with NT services and ODBC
  • 35. How do I make DBI::Proxy work between unix and NT?
  • 36. I can't unzip the Radiator distribution on Windows. Why?
  • 37. How do I make Radiator work with Interbiller 98?
  • 38. How do I make Radiator work with Freeside?
  • 39. Is Radiator Y2K compliant?
  • 40. I got an error while testing perl-ldap on Linux. Is that OK?
  • 41. Does Radiator support the IETF Radius Tunnelling attributes?
  • 42. How do I set up Radius Tunnelling with my Bay Annex Server?
  • 43. How can I do authentication from one SQL database and accounting to another?
  • 44. What does a "Could not find a Client" warning mean
  • 45. I'm having problems building MySQL
  • 46. I get a weird error message when I try to use Log SYSLOG
  • 47. I'm having problems compiling MD5 on SCO Open Server
  • 48. I'm getting 'Expiration date has passed' from Platypus
  • 49. On my BSDI box, I'm getting "Out of memory!" messages
  • 50. I have problems with MyODBC on NT
  • 51. How can I poll Radiator with MRTG?
  • 52. I get errors when I try to run radiusd as a SUID program
  • 53. I get an error when testing or running IpssPerl
  • 54. Radiator keeps reporting "Bad Password", and I don't know why
  • 55. I'm using DBD-Sybase on Unix, and my accounting data is not being saved
  • 56. I get "unblessed reference" errors in my Hook
  • 57. How do I make RAS send the correct parameters to Radius?
  • 58. How can I make a simple hook that logs authentication requests?
  • 59. How can I authenticate using oracle on a remote machine
  • 60. What's the story with Session-Timeout and Ciscos
  • 61. I have weird problems with users on NT and Win3, but not Win95/98
  • 62. I am trying to compile IpassPerl version 1.4, and I get compile errors.
  • 63. Where can I get the iPASS libraries that IpassPerl requires?
  • 64. How do I add Radius Basic authentication to Apache?
  • 65. How do I add Radius Digest authentication to Apache?
  • 66. Whenever my iPASS authentication starts, I get a segmentation fault, and no reason?
  • 67. What's an example for setting Cisco ACLs for all users in a Realm
  • 68. Why doesn't my syslog logging from Radiator work on Red Hat 6.1 and similar platforms?
  • 69. Why does my MySQL database keep crashing?
  • 70. Why does Radiator with a DBM session database hang on Solaris
  • 71. Why don't my Idle-Timeouts work on Cisco?
  • 72. Why doesn't Ascend-Idle-Limit work?
  • 73. I'm getting Accounting Stops with no user name from my MAX. Why?
  • 74. My TNT sends authentication request for silly user names like "banner", "route1" etc
  • 75. How do I make the Cisco h323 VOIP attributes work
  • 76. I'm not able to connect to Microsoft SQL 7.0 using DBD-Sybase or DBD-FreeTDS from Unix
  • 77. I'm having problems authenticating from my Tigris running 11.5.x
  • 78. How do I integrate Radiator with iPASS outbound roaming
  • 79. Radiator is accepting requests, but dialup users still can't connect to my Cisco
  • 80. I can't connect to my database using DBD-FreeTDS
  • 81. When using DBD-Sybase on RedHat 6.1, I get a segmentation fault
  • 82. Using Informix with AuthBy SQL sometimes doesn't work properly
  • 83. How do I authenticate using Secure ID
  • 84. I am using AuthBy ACE on Solaris, but Radiator hangs when it authenticates
  • 85. How do I configure Cisco IOS 12.1 for PreAuthentication with Radiator?
  • 86. Where can I find a Radius packet decoder?
  • 87. Where can I find general introduction and tutorial material about Radius?
  • 88. Can I use Oracle stored procedures for AuthSelect in AuthBy SQL?
  • 89. My DBD-Oracle with Oracle 8 crashes, both on the DBD-Oracle test, and in Radiator
  • 90. I can't make AuthBy LDAP in 2.16.2 or earlier work with perl-ldap-0.20
  • 91. How do I make my perl CGI scripts run properly on IIS on NT?
  • 92. How do I use PAM to authenticate to Radius?
  • 93. Where can I find a Radius packet analyser
  • 94. I can't get snmpwalk for my IBM AIX system
  • 95. How can I force my TNT to use PAP using Radius?
  • 96. How do I set up vpdn tunnelling on a Cisco?
  • 97. How do I use Disconnect-Request
  • 98. Why do I get 'SQL Timeouts' when I use AuthBy SQL with Sybase ODBC libraries?
  • 99. I get an unknown socket error on Windows 2000 or NT
  • 100. How do I make Radiator work with Optigold ISP?
  • 101. I get an error when I try to install MD5 with PPM from ActiveState
  • 102. Does Radiator work with SAP?
  • 103. How do I authenticate from Active Directory
  • 104. How can I do Active Directory authentication from Unix
  • 105. I have problems with Long Session-Timeout values on my Cisco
  • 106. I have installed Digest-MD5 2.13, but get an error at startup
  • 107. How can I improve performance of RADPOOL allocation with Oracle?
  • 108. How can I make users go to a particular URL after they have been authenticated?
  • 109. How do I set up Oracle so that it authenticates from Radius
  • 110. I'm getting "Bad EAP Message-Authenticator" messages from my Bay 5399
  • 111. With Platypus, how can I have some users with DNIS restrictions and some without?
  • 112. Where can I get the Win32-RasAdmin package?
  • 113. How do I configure for Cisco PPTP VPNs?
  • 114. How can I assure high availability for Radiator?
  • 115. Does Radiator support Cisco Aironet with LEAP?
  • 116. How does Cisco VOIP accounting work
  • 117. Why don't I get Framed-IP-Address in Accounting from my Cisco?
  • 118. How do I get SNMPAgent to work on NT or Windows?
  • 119. How do I build Digest-MD5 on Solaris
  • 120. How can I work with Windows EAP TLS clients
  • 121. Does radpwtst -gui work on Mac OS X (Darwin)
  • 122. How do I get Radiator to work with SCO Open Server?
  • 123. How can I force SQL username comparison to be case-sensitive
  • 124. How do I configure an Orinoco wireless Access Point for Dynamic WEP
  • 125. I'm getting a strange error when using DBD-Oracle on Solaris
  • 126. Does Radiator work with Jet ISP billing
  • 127. I am having trouble running Radiator on RedHat 8.0 and RedHat 9.0. It works fine on RedHat 7.3
  • 128. How do I configure an Apple AirPort Base Station for Radius authentication
  • 129. How do I configure a non-Apple wireless client to connect to an Apple AirPort Base Station
  • 130. I can't get PEAP to work with Windows XP SP1
  • 131. There seems to be a problem with my certificates with my Windows PEAP or TTLS client
  • 132. Where can I find information about Cisco disconnection types
  • 133. How do I configure a 3COM 4400 SuperStack 3 switch for Radius authentication
  • 134. I have upgraded my ActivePerl on Windows 2000 to 5.8, and now AuthBy NT does not work
  • 135. How do I get IEEE 802.1x authentication for Windows 2000?
  • 136. How do I run Radiator on Solaris 9?
  • 137. I can't get 802.1x MD5-Challenge to work with my wired network on XP
  • 138. Where are my free EAP Test Certificates?
  • 139. Can you test Radiator with NTRadPing
  • 140. How can I use the Class attribute to hold multiple data items
  • 141. What do I have to install on Windows for Radiator to authenticate TLS, TTLS and PEAP
  • 142. Can I use Radiator with Cygwin to authenticate EAP-TLS on Windows?
  • 143. How do I carry PoolHint information in standard radius requests or replies between radius servers?
  • 144. How can I build Tk800.024 on RedHat 9.0. I get all sorts of errors during the build
  • 145. I can't make DBD-Sybase and freetds work on RedHat 9
  • 146. I can't get my Cisco Aironet 340 PCMCIA card to work with Aegis MDC 1.2.0beta clients on RedHat Linux version 8
  • 147. Can you give me complete instructions on how to install and configure Radiator on a secure firewall?
  • 148. I can't install some PPM packages with ActivePerl 5.8.0
  • 149. How does EAP work?
  • 150. How do I configure a Dlink DWL-900AP+ for EAP authentication
  • 151. I have installed the Cisco ACU client utilities on my XP SP1 client, but I can't configure PEAP-MSCHAPV2
  • 152. I changed my Windows XP SP1 client from PEAP-MSCHAPV2 to PEAP-Certificate and back to PEAP-MSCHAPV2 and now I can't authenticate
  • 153. My NAS always reports wireless connections as NAS-Port=9, which breaks my SQL session database
  • 154. How can I make TTLS-PAP work on MAC-OS Panther?
  • 155. Is there any tutorial material about how to deploy Wireless networks?
  • 156. I can't install Digest::MD4 with ActiveState perl 5.6.1 PPM
  • 157. Why can't I get AuthBy LSA to work with CHAP against an NT4 domain controller?
  • 158. How can I install the Win32-Lsa package using PPM on Windows if I have a HTTP proxy
  • 159. How do I configure the HP 420 AP for Radiator and 802.1X?
  • 160. Where can I get a copy of NTRadping?
  • 161. Where can I find some information on Open1X?
  • 162. What do I have to do to allow me to use AuthBy DIGIPASS
  • 163. When using CheckPoint FW-1 with one-time passwords such as AuthBy
  • 164. How do I use RSA tokens to generate passwords for AuthBy ACE?
  • 165. How do I use Digipass tokens to generate passwords for AuthBy DIGIPASS?
  • 166. How can I enroll a private root certificate on Pocket PC 2003?
  • 167. I get an error when I try to use MySQL 4.1
  • 168. Can I install a Radiator RPM file on Debian without rpm?
  • 169. Why do I have problems when I proxy to IAS on Windows Server 2003 with SP1?
  • 170. How can I enable debug logging of a Funk Odyssey client on Windows
  • 171. I get a WARNING message about "Net::SSLeay to 1.30 or later" when I try to use EAPTLS_CRLCheck to verify certificates against a CRL
  • 172. I'm having problems installing Socket6 using PPM on Windows
  • 173. How can I export the root certificate from Microsoft Certificate
  • 174. I have downloaded the Radiator distribution, but WinZip won't open
  • 175. Are there any tools for linking usernames, MAC and IP
  • 176. Is it possible to implement dead-realm detection instead of dead-host
  • 177. Why doesn't AuthBy RODOPIAAA work with TTLS and PEAP
  • 178. Where do I get Authen-Digipass for Windows, so I can support Vasco Digipass
  • 179. How do I install a root certificate on Windows Mobile 5
  • 180. Where does the RPM install the doc and goodies?
  • 181. Is there a precompiled Net-SSLeay package for Linux

    1. Do you accept patches for Radiator

    Yes, we are always happy to receive and evaluate patches, fixes, enhancements and suggestions.

    We evaluate them and possibly include them in the base product according to the following criteria:

    1. General usefulness for a significant number of users
    2. Backwards compatibility
    3. Impact on performance
    4. Ease of understanding and configuration for administrators.

    Unfortunately, not all patches will meet these criteria, and so not all will be included into the base product. If we decide not to include a patch in the base product, we will often put it in the goodies directory of the distribution for use by others.

    2. When I try to download Radiator I get rubbish in my browser

    Some versions of Netscape try to display the Radiator distribution file instead of saving it to your disk. Try doing a shift-click on the file instead.

    Some people have reported problems when trying to download with Netscape Communicator, but report that Explorer is alright.

    3. Is there a mailing list archive?

    Yes, here.

    4. I specified dictionary.cisco in radius.cfg (or dictionary.ascend), and now the test suite fails. Why?

    The test suite uses some attributes that are defined differently by different vendors. Specifically, the values for the attribute Service-Type have different names, according to Cisco and Ascend.

    This does not mean that either the test suites or the dictionaries are broken. It is an unfortunate incompatibility between different vendors' dictionaries.

    We recommend that you use the standard dictionary supplied with Radiator whenever possible. This will work in the vast majority of cases.

    5. OK, which dictionary should I use then?

    Dictionaries are a vexed question. If you are operating with NASs from only one vendor, choose the standard dictionary, or the dictionary for that vendor. If you are operating in a mixed environment, use the default dictionary. If that does not work for you, try concatenating the dictionaries for the vendors you are using into one big dictionary.

    6. How do I configure a Cisco NAS for Radius?

    You will need something like this in your Terminal server configuration:
    
    aaa new-model
    aaa authentication login DIAL-SCRIPT-USERS radius
    aaa authentication login TELNET-USERS local
    aaa authentication ppp PAP-USERS if-needed radius
    aaa authorization network radius
    aaa accounting network start-stop radius
    ...
    radius-server host 1.2.3.4 auth-port 1645 acct-port 1646
    radius-server key blahblahblah
    

    You will probably want to use these reply attributes in order to enable PPP sessions:

    
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Routing = None,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobson-TCP-IP
    

    There is a description of Cisco's use of Radius attributes for IOS 12 in RADIUS Attributes overview.

    7. How do I use Livingston users file?

    Livingston and many other Radius servers use the users file for configuring the behaviour of the server, as well as describing the users. Radiator takes a slightly different approach, where the server configuration is described in the config file, and the users file only describes the users.

    You can use a Livingston users file unchanged, provided you set up your Radiator config file properly. A typical example config file is provided in goodies/livingCompat.cfg in the Radiator distribution. The principal requirements are to have a DEFAULT Realm, and an AuthBy UNIX clause with the Identifier "System". This will cause any users with the check item Auth-Type="System" to be authenticated with UNIX Authentication (i.e. with a standard Unix password file).

    See Installation and Reference manual for more details.

    8. Why doesn't the radpwtst GUI work properly on my PC?

    All commonly available binary versions of Perl and Tk for Perl have problems with registering read handlers for windows sockets, which means that the radpwtst GUI never sees replies from a radius server. If you use radpwtst without the gui (ie omit the -gui flag), it works fine on PCs.

    If you are using these versions, then the radpwtst GUI will not work correctly. We understand that a forthcoming version of the Perl binary will correct this problem.

    9. I can't get crypt(3) for Perl working on my PC. Do I really need it?

    It's a pain. Gurusamy Sarathy informs us that the next version of his Perl binary distribution will include crypt(3). In the meantime, you only need crypt(3) if you are using encrypted passwords in your user database (i.e. you have Encrypted-Password=xxxxx as a check item in your user database). If you don't use encrypted passwords, you can safely leave out crypt.

    10. Will Radiator run on Perl 5.003 or 5.004?

    No.

    11. I keep getting Bad Authenticator messages when I get accounting requests from a GRIC roaming connection. Why?

    A number of radius servers, such as Merit, the AimTraveler server that GRIC uses and others, do not correctly compute the authenticator on accounting requests. They do not conform to the Radius specification. Radiator checks all authenticators against the specification and complains if a bad authenticator is received. It does not look like these servers are going to be repaired, so Radiator has a special flag to ignore the authenticator in incoming accounting requests. See IgnoreAcctSignature in the Client clause.
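
    The check behind the Bad Authenticator message can be reproduced from RFC 2866, which defines the accounting Request Authenticator as MD5 over Code, Identifier, Length, 16 zero octets, the attributes and the shared secret. The Python below is an added example, not Radiator code; the function names, secret and sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code value for Accounting-Request


def encode_attr(attr_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_acct_request(ident, attrs, secret):
    """Build a conforming Accounting-Request packet."""
    auth = request_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs


def check_acct_request(packet, secret):
    """Return 'ok', 'bad authenticator' or 'malformed' for a received packet."""
    if len(packet) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return "malformed"
    received = packet[4:20]
    attrs = packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    # Constant-time comparison of the 16-octet digests.
    if hmac.compare_digest(received, expected):
        return "ok"
    return "bad authenticator"


# Constructed sample data: User-Name, Acct-Status-Type = Start, Acct-Session-Id.
SECRET = b"constructed-secret"
ATTRS = (
    encode_attr(1, b"mikem")
    + encode_attr(40, struct.pack("!I", 1))
    + encode_attr(44, b"00000001")
)


def demo():
    """Run the check over a conforming packet and three bad ones."""
    good = build_acct_request(7, ATTRS, SECRET)
    # A sender that does not sign the request: authenticator left as zeros.
    unsigned = good[:4] + b"\x00" * 16 + good[20:]
    return {
        "conforming": check_acct_request(good, SECRET),
        "unsigned": check_acct_request(unsigned, SECRET),
        "wrong secret": check_acct_request(good, b"other-secret"),
        "truncated": check_acct_request(good[:10], SECRET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} {verdict}")
```

    With the authenticator ignored, a packet like the unsigned one is accepted from that client, so the flag is best confined to the clause for the affected peer.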

    12. How can I authenticate against NT passwords and Groups

    On NT, you can authenticate users using their NT user password and NT Global Groups. This means that you can ensure that only real NT users can log in. You can also ensure they get special NAS configurations that depend on which NT Local Group they are in.

    Your configuration file should look something like this:

    
    # put <Client ...> etc clauses here
    .....
    <Realm DEFAULT>
    	<AuthBy FILE>
    	# might want to specify the name of the users file here
    	# See below for the contents of the users file
    	</AuthBy>
    </Realm>
    
    # This clause says that for entries in the users file
    # that specify Auth-Type=System, use the NT module to 
    # authenticate them
    <AuthBy NT>
    	Identifier System
    </AuthBy>
    
    
    

    And your users file could be something like this

    
    # This will match all users in the Administrators local group
    DEFAULT Auth-Type=System, Group=Administrators
            reply-item = .....
    
    # This will match all users in the User local group
    DEFAULT Auth-Type=System, Group=Users
            reply-item = .....
    
    # And this will match everyone else
    DEFAULT Auth-Type=System
            reply-item = .....
    
    
    

    This allows you to have distinct groups of users who get special checks and special reply items. A similar technique can be used with the UNIX module.

    13. How are DEFAULT users entered in a DBM file?

    When the DBM file is built, the first DEFAULT entry in the input file is entered as DEFAULT, the second as DEFAULT1, the third as DEFAULT2 etc. This guarantees the uniqueness and ordering of DEFAULT entries. When AuthBy DBM fails to match a user name it will then try to match DEFAULT, then DEFAULT1, DEFAULT2 etc.

    Something similar happens with AuthBy FILE.
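
    The numbering and lookup order described above, sketched in Python as an added example (not Radiator's own code). Check items are reduced to simple equality against a request dictionary, and the users files, attribute values and function names are constructed for illustration. The second file shows how a catch-all DEFAULT placed first shadows the more specific entries.

```python
def parse_items(text):
    """Parse 'Attr = value, Attr2 = value2' into a dict."""
    items = {}
    for part in text.split(","):
        if "=" in part:
            name, value = part.split("=", 1)
            items[name.strip()] = value.strip().strip('"')
    return items


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            # Indented lines carry reply items for the preceding entry.
            if not entries:
                raise ValueError("reply items before any user entry")
            entries[-1][2].update(parse_items(line))
        else:
            fields = line.split(None, 1)
            checks = parse_items(fields[1]) if len(fields) > 1 else {}
            entries.append((fields[0], checks, {}))
    return entries


def build_dbm(entries):
    """Assign keys: first DEFAULT stays DEFAULT, then DEFAULT1, DEFAULT2, ..."""
    db = {}
    seen = 0
    for name, checks, reply in entries:
        key = name
        if name == "DEFAULT":
            key = "DEFAULT" if seen == 0 else f"DEFAULT{seen}"
            seen += 1
        db[key] = (checks, reply)
    return db


def default_keys(db):
    """Yield DEFAULT, DEFAULT1, DEFAULT2, ... for as long as they exist."""
    n = 0
    key = "DEFAULT"
    while key in db:
        yield key
        n += 1
        key = f"DEFAULT{n}"


def lookup(db, username, request):
    """Try the user name, else each DEFAULT in order; first match wins."""
    candidates = [username] if username in db else default_keys(db)
    for key in candidates:
        checks, reply = db[key]
        if all(request.get(attr) == value for attr, value in checks.items()):
            return key, reply
    return None, {}


# Constructed users file: specific DEFAULT entries first, catch-all last.
USERS = """\
mikem   Group=Users
        Session-Timeout = 28800
DEFAULT Group=Administrators
        Session-Timeout = 7200
DEFAULT Group=Users
        Session-Timeout = 3600
DEFAULT
        Session-Timeout = 600
"""

# Constructed users file with the catch-all placed first.
SHADOWED = """\
DEFAULT
        Session-Timeout = 600
DEFAULT Group=Administrators
        Session-Timeout = 7200
"""

if __name__ == "__main__":
    db = build_dbm(parse_users(USERS))
    print(list(db))
    print(lookup(db, "alice", {"Group": "Administrators"}))
    print(lookup(build_dbm(parse_users(SHADOWED)), "alice",
                 {"Group": "Administrators"}))
```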

    14. How can I connect to Microsoft SQL from a Unix box?

    As of September 2003, the best and most portable way to connect from Unix to Microsoft SQL (including MS-SQL 2000) is to use freetds 0.53 (www.freetds.org) and DBD-Sybase 0.94 (www.cpan.org). These are both freely available and work well. This will work on almost all flavours of Unix, including Linux and Solaris. There is a helpful tutorial article in 'Linux Journal' April 2002. Do not use later versions of freetds or DBD-Sybase as there have been reported instabilities.

    There are a number of other ways to do it, and you may wish to choose one of these alternatives if you have special constraints within your organisation:

    1. Use OpenLink's Multi-Tier ODBC for Unix plus DBD-ODBC. You will also need their NT server side package which includes their Request Broker. This package is good for accessing MS-SQL, MS-Access, Oracle, Sybase etc etc on NT from Unix. A nice package without license fees for some applications. We recommend this option.
    2. Linux only: Use the free Sybase driver here, and use DBD-Sybase. Or (preferred) install Adaptive Server Enterprise then install the DBD-Sybase RPM. Works fine for MS-SQL 6.5. To work with MS-SQL 7, you will need some patches from Microsoft to permit MS-SQL 7 to work with Sybase client libraries. Does not work with MSSQL 2000.
    3. Unix other than Linux: Purchase the OpenClient/C Developer package for US$795.00 straight from Sybase for the CTLib, and use DBD-Sybase. Works fine for MS-SQL 6.5. To work with MS-SQL 7, you will need the SQL server 7.0 Service Pack from Microsoft to permit MS-SQL 7 to work with Sybase or FreeTDS client libraries. If you are using DBD-Sybase, you will need at least DBD-Sybase-0.22.
    4. Use the DBI::Proxy module available in DBI-1.02.tar.gz. This module will proxy DBI requests across the network to a target box where it can access an ODBC database. More details below.
    5. Use the DBD-FreeTDS module from ftp://freetds.internetcds.com/pub/freetds_dbd/ which can talk to Sybase, MS-SQL 6.5 and 7.0 without the need for any proprietary client libraries. We have found that revision DBD-FreeTDS-0.02 did not work properly, but the later snapshots work fine. This is a very quick and easy solution for getting from Unix to MS-SQL or Sybase on any platform. However, the DBD-FreeTDS module is still quite immature, and we know for a fact that even the snapshots don't work properly with stored procedures (and it should therefore not be used for AuthBy RODOPI and others). Your mileage may vary.
    6. Use the Merant ODBC drivers (commercial) (www.merant.com).

    Note: MSSQL 6.5 is really the same as Sybase, and Unix Sybase client libraries can happily connect to MSSQL 6.5. One gotcha: the default TCP port to connect to MSSQL is 1433 decimal, which is different to the default for Sybase, so you may have to alter your /opt/sybase/interfaces file.

    Note: DBD-Sybase with the Sybase client libraries does not work with Microsoft SQL Server 2000. Microsoft have removed the Sybase compatibility from this product.

    15. How do I set up anti-spoofing filters

    You can set up anti-spoofing filters in NASs that support filters such as USR (3COM) Hiperarcs. In the Radiator config file put something like:
    
            
                    UseAddressHint
                    Dynamic USR-IP-Input-Filter
            
    
    
    (You can have multiple Dynamic lines, one for each unique attribute you want % interpolation on.)

    A typical users file entry might look like this (for a 3COM Hiperarc):
    DEFAULT Auth-Type = System
            Framed-IP-Address = 255.255.255.254,
            Framed-Routing = None,
            Framed-IP-Netmask = 255.255.255.255,
            IP-Filter-In = "1 REJECT src-addr!=%a",
            Service-Type = Framed-User
    
    (it'll work on anything, not just DEFAULT)

    This will end up authenticating the user with a reply message like the following (assuming you have hint-assigned enabled on the NAS, and the address that it assigned from its pool was 0.0.0.1):

    
            Framed-IP-Address = 0.0.0.1
            Framed-Routing = None
            Framed-IP-Netmask = 255.255.255.255
            IP-Filter-In = "1 REJECT src-addr!=0.0.0.1"
            Service-Type = Framed-User
    
    So you can create ANTI-spoof filter rules that will be filled in with the right values on the fly! Cool, huh? BTW, you must use dictionary.usr, which is the one that defines IP-Filter-In.

    (Thanks to Aaron Nabil for this example and the code to implement it.)

    16. Why are my DBM files so big?

    Radiator is shipped with the AuthBy DBFILE module using Perl's built in SDBM module. We do this because it is available built in on every platform, including Win95 and NT. The down side of SDBM is that it makes large database files.

    You can get AuthBy DBFILE to use the Berkeley DB format instead by editing Radius/AuthDBFILE.pm. Change the 2 occurrences of SDBM_File to DB_File, and reinstall Radiator. Radiator will now use the Berkeley DB format for DBM files, and they will be much smaller than with SDBM.

    17. Why do tests 2n, 2r, 2t, 2v and 4a fail on freebsd?

    FreeBSD optionally uses MD5 for encrypting passwords in crypt(3), but the example passwd file we provide for testing the AuthBy UNIX uses standard DES encryption.

    You can fix this by copying passwd.md5 to passwd and rerunning make test.

    18. How do I set up automatic IP address allocation

    Basically, you need to do 2 things:
    1. Add 1 or more FramedGroupBaseAddress items to each Client in your Radiator configuration file.
    2. Add a Framed-Group reply item to each user for whom you want address allocation.

    For example in the Radiator configuration file:

        
            # This is the base address for Framed-Group = 0
            FramedGroupBaseAddress	10.0.0.1
            # This is the base address for Framed-Group = 1
            FramedGroupBaseAddress	10.0.1.1
            # This is the base address for Framed-Group = 2
            FramedGroupBaseAddress	10.0.2.1
            .....
        
    

    and in the users file, something like:

    mikem    Password = "fred"
             Framed-Group = 1,
             Framed-Protocol = PPP,
                 etc.
    

    Now if mikem logs into the Client at port 5, he will be allocated an IP address of 10.0.1.6 (ie 10.0.1.1 + 5). If the users file said Framed-Group = 0, and he logged in on port 11, he would be allocated an IP address of 10.0.0.12 (10.0.0.1 + 11).
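
    The allocation rule above, written out in Python as an added example (not Radiator code), together with a check for a case the rule implies: once port numbers exceed the spacing between base addresses, two Framed-Groups can hand out the same address. The function names and the max_port parameter are assumptions; the base addresses are the ones from the configuration example.

```python
import ipaddress
from itertools import combinations

# Base addresses from the configuration example above; the list index is the
# Framed-Group number.
BASES = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]


def allocate(bases, framed_group, nas_port):
    """Return the address for a user: base address of the group + port number."""
    if not 0 <= framed_group < len(bases):
        raise ValueError(f"no FramedGroupBaseAddress for group {framed_group}")
    if nas_port < 0:
        raise ValueError("port number must not be negative")
    return str(ipaddress.IPv4Address(bases[framed_group]) + nas_port)


def overlapping_groups(bases, max_port):
    """Return pairs of groups whose address ranges collide.

    Each group covers base .. base + max_port, where max_port is the highest
    port number the NAS can report (an assumption supplied by the caller).
    """
    ranges = []
    for group, base in enumerate(bases):
        low = int(ipaddress.IPv4Address(base))
        ranges.append((group, low, low + max_port))
    clashes = []
    for (g1, lo1, hi1), (g2, lo2, hi2) in combinations(ranges, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            clashes.append((g1, g2))
    return clashes


if __name__ == "__main__":
    print(allocate(BASES, 1, 5))          # mikem on port 5, Framed-Group 1
    print(allocate(BASES, 0, 11))         # Framed-Group 0, port 11
    print(overlapping_groups(BASES, 255)) # bases 256 apart: no collision
    print(overlapping_groups(BASES, 300)) # ports above 255 spill into next group
```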

    19. How do I make Radiator work with Emerald?

    Emerald is a good ISP billing system from IEA. It uses Microsoft SQL database for user and billing data. IEA also offer an NT based radius server called RadiusNT that can authenticate from and insert accounting into Emerald.

    Radiator can also authenticate from and insert accounting into Emerald, but with Radiator, you can do it from a Unix host, and with the extra features that Radiator has but RadiusNT does not.

    There is an example Radiator configuration file in goodies/emerald.cfg in the Radiator distribution. Use it as a starting point for integrating with Emerald. You will need to configure some attributes like DBSource, DBUsername and DBAuth to suit your Emerald setup. You will most likely want to use ODBC to connect to the Emerald MSSQL database, but you could also use the Sybase driver, if you have that instead.

    20. How do I make Radiator work with LDAP on NT?

    Follow these steps:
    1. Make sure you have installed the Perl NT binaries from Gurusamy Sarathy.
    2. Fetch and install NETSCAPE DIRECTORY SDK 1.0 Win32 for Windows NT with SSL support (self-extracting archive)
    3. Fetch and install the Net-LDAP Windows NT Binaries v1.40. Make sure you follow all the instructions in the Readme file.
    4. Configure an LDAP AuthBy clause in your Radiator configuration file. See the example radius.cfg in the Radiator distribution for examples.

    21. How do I make Radiator work with Platypus?

    Platypus is an excellent ISP billing system from Boardtown. It uses Microsoft SQL database for user and billing data.

    Radiator can authenticate from and insert accounting into Platypus. This makes for seamless integration between your radius server and your customer management/billing system. Using ODBC, you can run your radius server on Unix, Win95 or NT.

    There is an example Radiator configuration file in goodies/platypus.cfg in the Radiator distribution. Use it as a starting point for integrating with Platypus. You will need to configure some attributes like DBSource, DBUsername and DBAuth to suit your Platypus setup. You will most likely want to use ODBC to connect to the Platypus MSSQL database, but you could also use the Sybase driver, if you have that instead.

    22. How can I apply the same check or reply items to all the users in my SQL database?

    Sometimes you need to have a common set of check or reply items for all users, but you don't want to have to put them in every user in the database. Or maybe you want to be able to tune them for all users easily. You can arrange for Radiator to cascade from SQL to a flat file or other user database.
    
        AuthByPolicy ContinueWhileAccept
        
    	...
        
        
    	...
       
    
    (See goodies/common-sql.cfg for example code). You can then have a DEFAULT user in the users file specified in the AuthBy FILE with the common reply items you want:
    DEFAULT Service-Type = Framed-User
            Framed-Protocol = PPP,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Routing = None,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobson-TCP-IP  
    
    Another alternative is to cascade from SQL to another SQL that only selects the check and reply items for a DEFAULT user:
    
        AuthByPolicy ContinueWhileAccept
        
    	...
        
        
    	AuthSelect select NULL, CHECKATTR, REPLYATTR from SUBSCRIBERS \
             where USERNAME = 'DEFAULT';
       
    
    With some (but not all: mSQL does not support it) SQL servers you can provide common check and reply items more easily with a special AuthSelect statement:
    AuthSelect select PASSWORD, 'Service-Type = Framed-User', 
      'Framed-Protocol = PPP, etc etc etc' 
       from SUBSCRIBERS where USERNAME = '%n'
    
    With some SQL servers (eg Oracle), you could even combine the common and per-user check and reply items by using concatenation in the select statement.

    23. How can I make Radiator work with the PPTP server?

    Changes are outlined in Microsoft Online Support article Q172216.
    1. Start Regedit
    2. Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP
    3. Click on SPAP, click Edit, and Delete. Yes to confirm deletion.
    4. Click on CHAP, click Edit, and Delete. Yes to confirm deletion.
    5. Close Regedit, stop and restart Routing and Remote Access Service.
    (Contributed by Dalton, Robert W (Robert.Dalton@88CG.WPAFB.AF.MIL))

    24. How can I connect to Microsoft SQL server from Unix using OpenLink?

    The best option is to use the "Combined OpenLinkODBC/iODBC package" from OpenLink. This package (smkoxxxx.taz for Solaris) allows ODBC requests to be sent by RPC from your Unix client to (for example) an NT host running Microsoft SQL Server 6. It really does work.

    You will also need the OpenLink request broker for NT (ntadm65x.zip) installed on the NT host where the MS-SQL server is running. This broker receives RPC calls from the iODBC package on the Unix host and translates them into MS-SQL calls. After installation, start the Oplrqb.exe program.

    Further, you will have to build DBD-ODBC 0.16 or better on your Unix host to use the include files and libraries that come with the OpenLinkODBC/iODBC package (this will involve some minor changes to Makefile.PL before building DBD-ODBC). Change

    my $myodbc = 'odbc';	# edit and hack to suit!
     to
    my $myodbc = 'iodbc';	# edit and hack to suit!
    
    and add a line at:
    	
            print SQLH qq{#include <iodbc.h>\n}; # ADD this line
            print SQLH qq{#include <isql.h>\n};
            print SQLH qq{#include <isqlext.h>\n};
    

    You will also need to create ~/.odbc.ini on the Unix host as described in the OpenLinkODBC/iODBC package, as well as create /etc/udbc.ini with something like this:

    [radius_udbc]
    Description 	= Sample MS SQLServer DSN
    Host		= fred
    ServerType	= SQLServer 6
    ServerOptions	=
    Database	= radius
    FetchBufferSize	= 30
    

    If you wanted to connect to a Platypus database on NT, you would put something like this in udbc.ini:

    [plat_udbc]
    Description 	= Sample MS SQLServer DSN
    Host		= fred
    ServerType	= SQLServer 6
    ServerOptions	=
    Database	= plat
    FetchBufferSize	= 30
    

    Finally, you would specify something like this in the Radiator config file for your AuthBy SQL:

    		DBSource	dbi:ODBC:radius_udbc
    		DBUsername	sa
    		DBAuth		sa
    

    25. How do I run Radiator as a service on NT?

    See the reference manual for details.

    26. I dont know where to get SRVANY, what can I do to run as a service on NT

    Some people have had success with FireDaemon as an alternative NT Service installer.

    27. How can I use Microsoft Access as my database?

    We have not tested against Microsoft Access, but here are some notes from the coal face by Nicholas Barrington (nbarrington@smart.net.au) and Anton Sparrius (anton@smart.net.au) who have made it work.
    1. BC5.0 didn't work! We use the compiled version of perl, so that was ok. However, to get DBD and DBI working we had to do a few extra things. Firstly, the DBD module told us that it wanted version 0.90, and we had version 0.93, so it wouldn't work. Once we downloaded the newer version of DBD v0.19 everything there worked OK.
    2. BC5.0 still didn't work. Make that comes with BC5 would just bomb out, but using dmake that came with perl was much better. However, there was a couple of .h files (sql.h and sqlext.h) that it needed that BC5 didn't have. I was able to find them on MSVC and copy those across and that seemed to work. Then, there was a couple of libraries that were needed, once again, I had to find them in MSVC and use IMPLIB (comes with BC5) to import them. One was called odbc32.dll (which gets converted to a .lib with IMPLIB). I can't remember if there was another one, but if there was, it was of a similar nature.
    3. Compile worked! Simply set up an ODBC in WinNT and we were away and working. Bit of a hack really, but it runs beautifully. Running off a Cisco 5200 so we get heaps of information.
    4. Trying to use BC5 dmake (make produces errors) causes .DEF file errors in the DBI and DBD module makes. We had to edit the .DEF and remove the quotes "" from the top line before it would continue.
    5. We had to use the latest .19 release of the ODBC DBD instead of the .16 as specified in the notes.
    6. We used version .93 of the DBI module, which again had the .DEF errors but were overcome.
    7. When creating our table in MS Access, we initially tried using field names that were the same as the NAS return names. This caused us massive headaches at run time, until we figured out we had to use different field names than the NAS return names.
    8. We also tried using a column name of Timestamp for a NAS return item called Timestamp and it failed in the same way anything did when we had column name = NAS return name. So that looks like a big no-no, too (at least with the MS Access database).

    In all, we didn't really have any success at all with Sarathy's binary distribution of perl. Once we downloaded and included the latest version of the components we managed to fire it up.

    28. Where can I get pmwho?

    The program pmwho is used for verifying logins on Total Control NAS's. You can get it from here, amongst other places. Credit for this belongs to Johan Persson, jp@abc.se.

    29. I think Im seeing a memory leak. What can I do?

    First, you should note that Radiator will grow a little when it first starts up, as it finds out about the users currently logged on and the NAS's it is getting requests from. Then, as your user population settles down, the growth will slow down and stop. Depending on your configuration, you should not see Radiator grow by more than a few Mb from its initial size. Steady, continued growth in the size of the image even after a few days running indicates a problem.
    1. Upgrade to the latest version of Perl. Perl 5.003 had a number of leaks in perl itself, mostly to do with evals.
    2. Upgrade to the latest version of Radiator. As of 2.12 there are no leaks that we are aware of.
    3. If you have any local modifications to Radiator, remove them and see if it still leaks.
    4. Try to identify what kinds of requests are causing the leak: Authentication or accounting requests, AuthBy FILE or AuthBy SQL etc?
    5. If you are using any perl modules (DBD-*, LDAP etc), upgrade to the latest versions and see if it still leaks.
    6. Report the problem to us, along with your configuration file (remove any secrets and passwords), and an estimate of the growth rate.

    30. Where can I get a copy of snmpget?

    Get Net-SNMP. Don't use the CMU snmp, as its output is not understood by Radiator.

    On Windows, you can use net-snmp (v5.0.8) (or ucd-snmp v4.2.3).

    31. I cant build DBD-Sybase against the free Sybase client library on Linux. Why?

    On some versions of Linux, we have observed that compiling and linking the shared Sybase library for DBD-Sybase results in compiler crashes. One way to work around this is to build a statically linked perl that includes the Sybase libraries statically linked:
    • Uncomment the LINKTYPE=static line in CONFIG
    • perl Makefile.PL
    • make
    • make perl
    • Install the newly created perl binary in place of your normal perl binary.
    It works, we've tried it. There is a good reference to getting ctlib to work for Linux here, and also about setting up DBI/DBD::Sybase on Linux here.

    32. My USR radius attributes dont seem to be numbered correctly. Why?

    On the netservers you have control over whether certain VSAs start counting at 0 or 1 using the set format command:

    Formatting connect-info message output: This command allows you to specify whether the information sent to RADIUS is 0-based or 1-based. The USR vendor-specific RADIUS attributes affected are; Connect-Speed (0x9023), Modulation-Type (0x006C), Error-Control-Type (0x0099), and Compression-Type (0x00C7). The default is to begin the slot and channel numbering at zero.

    	set format connect-info <0-based | 1-based>
    

    33. I'm having problems compiling MD5 on Rhapsody. Why

    Rhapsody still has some unusual behaviour, but it's basically OK.

    This is the basic process on Rhapsody:

    1. Unpack MD5 in a work directory
    2. perl Makefile.PL
    3. Edit Makefile and remove USE_NEXT_CTYPE
    4. make dynamic
    5. make test
    6. make install
    7. You may also need to add MD5 to the perl config file (usually /System/Library/Frameworks/Perl.framework/Config.pm)

    34. I'm having problems with NT services and ODBC

    When I run Radiator from line command (in foreground), everything goes well. But when I start Radiator as a service on NT, I receive the following message (I enabled "interact with desktop" for this service):
    [Microsoft][ODBC Driver Manager] Data source name not found and no default
    driver specified (SQL-IM002)(DBD: db_login/SQLConnect err=-1) at
    c:\Perl\lib/Radius/SqlDb.pm line 99
    
    You have probably set up your ODBC data source as a user DSN and not a System DSN (Platypus users note: Platypus may be set up this way). You will probably need to remove the existing ODBC DSN, and add it back as a System DSN.

    35. How do I make DBI::Proxy work between unix and NT?

    It works fine, but it takes a little effort to get going. Here's what we did:
    1. Active State perl running on NT (hostname romeo in our test)
    2. MS SQL running on NT
    3. On NT, define ODBC system DSN called 'MSSQL', with appropriate configuration to be able to connect to your MS-SQL database
    4. Install PlRPC module from active state on NT, using PPM
    5. Install Net-Daemon module from active state on NT, using PPM
    6. Install DBD-ODBC module from active state on NT, using PPM
    7. Install DBI module from active state on NT, using PPM
    8. Build and install Net-Daemon-0.31 or better from CPAN on Unix
    9. Build and install PlRPC-0.2012 or better from CPAN on Unix
    10. Build and install DBI-1.13 or better from CPAN on Unix
    11. On NT in dir c:\perl\bin run the proxy server with
      	perl dbiproxy --localport 9991
      
    12. On Unix, Radiator configured for AuthBy SQL with:
       DBSource	dbi:Proxy:hostname=romeo;port=9991;dsn=dbi:ODBC:MSSQL
       DBUsername	sa
       DBAuth		sa
      

    Caution: be sure that you have the same version of DBI and its support modules (especially Storable) on both machines. We have seen crashes when incompatible versions of Storable are used.

    36. I cant unzip the Radiator distribution on Windows. Why?

    The Radiator distribution will unzip fine with recent versions of WinZip. We use WinZip 6.3 through to 9.0 here (with the classic interface). If you are using that or a later WinZip, and it still won't unzip, check these:
    1. Some browsers will rename the file when you download it. Make sure it has a ".tgz" extension. WinZip uses the extension to determine what to do with the file. Try renaming your file so that it has a ".tgz" extension.
    2. Some browsers will corrupt the file if they think it is a text file. Try Shift-Click on the Accept link to download the distribution.
    3. Check that you have downloaded the whole file. Get a directory listing of the downloads area, and check that your copy is about the same size as reported on the directory listing.
    4. Try downloading the file again.
    5. Try using a different browser, or a different computer to download.

    37. How do I make Radiator work with Interbiller 98?

    Radiator can authenticate from the Interbiller 98 user database using AuthBy SQL. There is an example configuration file in goodies/interbiller.cfg to get you started. Interbiller uses a Microsoft Access database, so on Win95 or NT, you will need to install the Perl DBI and DBD-ODBC modules, and configure a System DSN to point to the Interbiller database (usually called 'Subs.mdb').

    At this time, Interbiller does not handle Radius accounting data for doing time-based billing. We will add the ability to save accounting data to Interbiller as soon as Interbiller supports it.

    38. How do I make Radiator work with Freeside?

    See the example freeside.cfg in the goodies directory. There is also an example hook that will allow Radiator to work with Freeside accounting.

    39. Is Radiator Y2K compliant?

    See the Radiator Y2K Statement.

    40. I got an error while testing perl-ldap on Linux. Is that OK?

    While testing perl-ldap-0.09 on Linux, you may see this:
    
    /usr/bin/perl -I./blib/arch -I./blib/lib -I/usr/lib/perl5/i386-linux/5.00404 
     -I/usr/lib/perl5 bin/ldapsearch.PL
    [mikem@charlie perl-ldap-0.09]$ make test
    PERL_DL_NONLAZY=1 /usr/bin/perl -I./blib/arch -I./blib/lib 
     -I/usr/lib/perl5/i386-linux/5.00404 -I/usr/lib/perl5 -e 
     'use Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
    t/00ldif-entry......ok
    t/01url.............dubious
            Test returned status 0 (wstat 7, 0x7)
    Undefined subroutine &Test::Harness::WCOREDUMP called at 
     /usr/lib/perl5/Test/Harness.pm line 252.
    make: *** [test_dynamic] Error 2
    
    
    That's OK. The resulting module will still work fine with Radiator.

    41. Does Radiator support the IETF Radius Tunnelling attributes?

    Yes. There are a few tricks to using them though. The IETF standard tunnelling attributes have a "tag" that is used to group tunnelling attributes. Radiator always sets the tag to 0 for the integer attributes Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Preference and Tunnel-Password. This means that you must also set the tag to 0 in the value if you use the string attributes Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Private-Group-ID, or Tunnel-Assignment-ID. The easiest way to do this is with an escape sequence in the string, for example:
    Tunnel-Server-Endpoint = "\000203.63.154.22 fr:20",
    The \000 at the beginning specifies a tag of 0, and you must have it at the beginning of the string attributes.

    The specification for "RADIUS Attributes for Tunnel Protocol Support" can be found here
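
    The wire layout behind the \000 rule, as an added example (not Radiator code). Attribute numbers and the tag rule follow RFC 2868; decode_string_tag_always models a hypothetical receiver that always treats the first byte as the tag, which is an assumption made here to show what the missing \000 costs. The Tunnel-Type and Tunnel-Medium-Type values are constructed samples.

```python
"""Tagged tunnel attributes on the wire, RFC 2868 layout (added example)."""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_SERVER_ENDPOINT = 67
INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Integer tunnel attribute: Type, Length=6, Tag, 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < 1 << 24:
        raise ValueError("value must fit in 3 bytes")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_string(attr_type: int, configured_value: bytes) -> bytes:
    """String tunnel attribute, sent exactly as configured.

    Nothing here adds a tag: if one is wanted it must already be the first
    byte of the configured value, which is what the \\000 escape supplies.
    """
    if not 1 <= len(configured_value) <= 253:
        raise ValueError("value must be 1..253 bytes")
    return bytes([attr_type, len(configured_value) + 2]) + configured_value


def _body(attr: bytes) -> bytes:
    if len(attr) < 3 or attr[1] != len(attr):
        raise ValueError("truncated or mis-sized attribute")
    return attr[2:]


def decode_string_rfc2868(attr: bytes):
    """RFC 2868 rule: a first byte <= 0x1F is a tag, anything else is text."""
    body = _body(attr)
    if body[0] <= 0x1F:
        return body[0], body[1:]
    return None, body


def decode_string_tag_always(attr: bytes):
    """Hypothetical strict receiver: the first byte is always the tag."""
    body = _body(attr)
    return body[0], body[1:]


def tunnel_groups(attrs, decode_string):
    """Group a reply's tunnel attributes by tag, as a receiver pairs them up."""
    groups = {}
    for attr in attrs:
        if attr[0] in INTEGER_ATTRS:
            _body(attr)  # length check only
            tag, value = attr[2], int.from_bytes(attr[3:6], "big")
        else:
            tag, value = decode_string(attr)
        groups.setdefault(tag, {})[attr[0]] = value
    return groups


# Constructed reply: integer attributes carry tag 0, as the FAQ says Radiator
# sends them; the endpoint string is the FAQ's own example value.
INTS = [encode_tagged_int(TUNNEL_TYPE, 0, 3),
        encode_tagged_int(TUNNEL_MEDIUM_TYPE, 0, 1)]
WITH_TAG = INTS + [encode_string(TUNNEL_SERVER_ENDPOINT,
                                 b"\000203.63.154.22 fr:20")]
WITHOUT_TAG = INTS + [encode_string(TUNNEL_SERVER_ENDPOINT,
                                    b"203.63.154.22 fr:20")]

if __name__ == "__main__":
    print("tagged, RFC decoder:     ", tunnel_groups(WITH_TAG, decode_string_rfc2868))
    print("untagged, RFC decoder:   ", tunnel_groups(WITHOUT_TAG, decode_string_rfc2868))
    print("untagged, strict decoder:", tunnel_groups(WITHOUT_TAG, decode_string_tag_always))
```

    With the \000 prefix all three attributes land in tag group 0. Without it, the strict decoder reads the leading "2" as tag 0x32 and loses the first digit of the endpoint address.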

    42. How do I set up Radius Tunnelling with my Bay Annex Server?

    When a tunnelling user dials into the Annex, the Annex will first authenticate the user@realm with Radius and Radius must return the tunnel configuration options with Annex-Local-Username, Annex-User-Server-Location, Tunnel-Medium-Type, Tunnel-Server-Endpoint, and Tunnel-Type. This information tells the Annex how to set up the tunnel, and the name of the user to reauthenticate (with Annex-Local-Username). The Annex will then set up the tunnel and send a second Access-Request for the username specified by Annex-Local-Username. Radius should reply with the normal PPP radius reply.

    There is an example Radiator configuration file in goodies/annex.cfg that shows a neat way to do this.

    43. How can I do authentication from one SQL database and accounting to another?

    Use something like this:
    <Realm whatever>
    	AuthByPolicy ContinueAlways
    	<AuthBy SQL>
    		DBSource	dbi:???????
    		DBUsername	userfordb1
    		DBAuth		authfordb1
    		# an empty AuthSelect turns off auth
    		AuthSelect
    
    		AccountingTable	whatever
    		etc, etc, etc.
    	</AuthBy>
    	<AuthBy SQL>
    		DBSource	dbi:???????
    		DBUsername	userfordb2
    		DBAuth		authfordb2
    		# an empty AccountingTable turns off accounting
    		AccountingTable
    	</AuthBy>
    </Realm>
    
    

    44. What does a "Could not find a Client" warning mean

    If you see a WARNING message like:
    Tue Apr 13 21:47:18 1999: WARNING: Could not find a Client for 
     NAS 168.115.29.194 to double-check Simultaneous-Use
    
    it means that you probably have a DNS name for that client in its Client clause, but do not have a reverse DNS entry for it in your DNS. Radiator would need the reverse DNS entry so it can figure out the clause that corresponds to the NAS's IP address.

    You should either:

    1. Add a reverse DNS entry for that client, or
    2. Change your Radiator Client clause so it uses the IP address instead of the DNS name.

    45. Im having problems building MySQL

    There are known problems with shared versions of libmysqlclient, at least on some Linux boxes. If you receive an error message similar to
    install_driver(mysql) failed: Can't load 
    '/usr/lib/perl5/site_perl/i586-linux/auto/DBD/mysql/mysql.so' 
    for module DBD::mysql: File not found at 
    /usr/lib/perl5/i586-linux/5.00404/DynaLoader.pm line 166
    
    then this error message can be misleading: It's not mysql.so that fails being loaded, but libmysqlclient.so!

    As a workaround, recompile the Msql-Mysql-modules with

    perl Makefile.PL --static --config 
    make 
    make test 
    make install
    This option forces linkage against the static libmysqlclient.a.
    

    46. I get a weird error message when I try to use Log SYSLOG

    You might get an error message like this:
    Mon Apr 19 15:45:31 1999: ERR: Could not load Log module
    Radius/LogSYSLOG.pm: Can't locate syslog.ph in @INC 
    (did you run h2ph?) (@INC contains: .........
    
    This indicates that you have not yet run the h2ph perl utility to generate the syslog.ph file for your system. More details in the Radiator reference manual, and see also "man h2ph". We usually just do:
    cd /usr/include; h2ph * sys/*
    

    47. Im having problems compiling MD5 on SCO Open Server

    I get this error:
    	gcc: -fPIC is only valid with -melf
    
    After doing perl Makefile.PL, you will need to edit Makefile and alter CCCDLFLAGS to read like this:
    CCCDLFLAGS = -fPIC -melf
    

    48. Im getting 'Expiration date has passed' from Platypus

    and Im sure that the expiration date has not passed.

    Some versions of the Platypus RadiusNT-compatibility files use 1/1/2050 as the default expiration date. Versions of Radiator up to and including 2.13.1 had problems with Platypus expiration dates later than Dec 31 2037. If you have this problem, you will need to alter your RadiusNT views MasterAccounts and SubAccounts so the expireDates are no later than 2037.

    49. On my BSDI box, I'm getting "Out of memory!" messages

    By default, BSDI has fairly strict limits on the maximum data size permitted to a process. If you have a fairly large password file or users file, Radiator may need a larger data space. See goodies/bsdi-memory.txt in your distribution for detailed instructions on how to increase the default data size on BSDI, contributed by Paul Thornton (paul@dove.mtx.net.au). Thanks Paul.

    Alternatively you could just wrap a script around radius like this:

    #!/bin/sh
    # Increase data size limit to 32M (ulimit -d takes kilobytes;
    # "limit datasize" is the csh spelling and is not understood by sh)
    ulimit -d 32000
    /usr/local/bin/radiusd &
    

    We have also seen memory problems when using dbi:proxy SQL transport from a BSDI system to NT, and where the BSDI has an old version of the perl Storable module (say 0.5, compared to 0.66 on the NT box). The fix is to build and install a more recent Storable on the BSDI.

    50. I have problems with MyODBC on NT

    When I use AuthBy SQL and MyODBC on NT or Win 95 I see "send failed: unknown error", when Radiator tries to send its first reply to a NAS. Then Radiator goes into a hard infinite loop.

    This is caused by a problem with myodbc-2.50.22. You should downgrade to myodbc-2.50.19 instead, see the ODBC download dir.

    51. How can I poll Radiator with MRTG?

    Contributed by Stephen Roderick (steve@proaxis.com):

    Well, this is what I do (via a cron job every 5 minutes):

    #!/usr/local/bin/perl
    
    $total = 0;
    $accttotal = 0;
    
    open(FD, "/usr/local/bin/snmpwalk host community .1.3.6.1.3.79.1.1.1.6.1.4  |") or die;
    while(<FD>)
    {
        $total += $1    if (/.* = (\d+)/);
    }
    close(FD);
    
    open(FD, "/usr/local/bin/snmpwalk host community .1.3.6.1.3.79.1.1.1.6.1.12  |") or die;
    while(<FD>)
    {
        $accttotal += $1    if (/.* = (\d+)/);
    }
    close(FD);
    
    $total *= 8;
    $accttotal *= 8;
    
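    # Write each total twice (MRTG reads two values per target) and
    # fail loudly if a stats file cannot be written.
    open(FD, ">/stats/radius.stats") or die "cannot write /stats/radius.stats: $!";
    print FD "$total\n$total\n";
    close(FD);
    
    open(FD, ">/stats/radiusacct.stats") or die "cannot write /stats/radiusacct.stats: $!";
    print FD "$accttotal\n$accttotal\n";
    close(FD);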
    
    exit 0;
    -----------------------------------------------------------
    
    Then I have the following config for MRTG:
    
    Target[radiator]: `/bin/cat /stats/radius.stats`
    MaxBytes[radiator]: 2000
    Options[radiator]: nopercent
    Title[radiator]: Radius Statistics
    PageTop[radiator]: Radius Statistics
    WithPeak[radiator]: dwmy
    YLegend[radiator]: No. of queries
    ShortLegend[radiator]: queries
    LegendI[radiator]:  Authentication:
    LegendO[radiator]:
    
    #.....................................................................
    
    Target[radacct]: `/bin/cat /stats/radiusacct.stats`
    MaxBytes[radacct]: 2000
    Options[radacct]: nopercent
    Title[radacct]: Radius Statistics
    PageTop[radacct]: Radius Statistics
    WithPeak[radacct]: dwmy
    YLegend[radacct]: No. of queries
    ShortLegend[radacct]: queries
    LegendI[radacct]:  Accounting:
    LegendO[radacct]:
    
    
    I'm sure there is a better way but at some point you get tired of trying to find it and just do something that works.

    52. I get errors when I try to run radiusd as a SUID program

    If you run radiusd as a SUID program on some platforms, you may get an error message like this:
    Cannot get host name of local machine at ./radiusd line 106
    
    This is due to Perl's strict checking when running a SUID program. You can fix it by uncommenting this line in the BEGIN block near the top of the radiusd file:
    	$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';
    
    The path you use should include the path to your hostname(1) or uname(1) programs.

    53. I get an error when testing or running IpssPerl

    On some Unix systems, you might get this error when compiling and testing IpassPerl:
    [mikem@charlie IpassPerl-1.3]$ make test
    PERL_DL_NONLAZY=1 /usr/bin/perl -I./blib/arch -I./blib/lib 
     -I/usr/lib/perl5/i386-linux/5.00404 -I/usr/lib/perl5 test.pl
    1..6
    Can't load './blib/arch/auto/Ipass/Ipass.so' for module Ipass: 
     ./blib/arch/auto/Ipass/Ipass.so: undefined symbol: 
     RSAPrivateDecrypt at /usr/lib/perl5/i386-linux/5.00404/DynaLoader.pm 
     line 168.
    
    This can be fixed by editing Makefile.PL, and changing the LIBS line to read:
        'LIBS'	   => ["-L$ipass_lib -lip -lssl -lcrypto -lrsaref"],
    

    54. Radiator keeps reporting "Bad Password", and I don't know why

    In decreasing order of probability:
    • The shared secret configured into Radiator for that client is not the same as the one in the NAS. If the secret is wrong, Radiator will decrypt the password to nonsense, and you will be able to see this if you log passwords with PasswordLogFileName.
    • Your shared secret contains special characters that your NAS doesn't like. Some NASs have problems with non-alphanumeric characters. Try changing the shared secret in your NAS and Radiator to be just alphanumeric characters.
    • If you are using SQL authentication, make sure you specify EncryptedPassword only if the password column contains a Unix crypt(2) encrypted password.
    • The password is really wrong.

    55. Im using DBD-Sybase on Unix, and my accounting data is not being saved

    Make sure you are using at least DBD-Sybase-0.19. Some earlier versions (notably DBD-Sybase-0.18) had problems with table locks.

    56. I get "unblessed reference" errors in my Hook

    Contrary to the documentation published with version 2.13.x, you need to access $_[0] and $_[1] by dereferencing them:
     PreAuthHook sub { ${$_[0]}->add_attr('test-attr', 'test-value'); }
    

    57. How do I make RAS send the correct parameters to Radius?

    You must remove two keys from the RRAS server's registry:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CHAP
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\SPAP
    Contributed by Michael Gatti (mike@mso.com.br). Thanks Michael.

    58. How can I make a simple hook that logs authentication requests?

    In your Radiator configuration file, set up a PreAuthHook, whose text is in an external file, something like this:
    <Realm xxxxx>
           PreAuthHook	file:"preauthhook"
           ...
    </Realm>
    
    And in the file preauthhook:
    sub
    {
    	my $p = ${$_[0]};
    
    	return unless $p->code() eq 'Access-Request';
    
    	my $username = $p->getAttrByNum($Radius::Radius::USER_NAME);
    	my $nasaddress = $p->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
    	my $timestamp = time;
    	# etc;
    
    	# ">>" appends; ">" would truncate the log on every request
    	if (open(LOGFILE, ">>filename"))
    	{
    		print LOGFILE "$timestamp:$username:$nasaddress\n";
    		close(LOGFILE);
    	}
    }
    

    59. How can I authenticate using oracle on a remote machine

    Where should I setup the host and port where radiator must search for Oracle?

    (Contributed by John Coy (jcoy@anc.net)) You'll need to define the remote database in your tnsnames.ora file, like this:

    -- tnsnames.ora --
    remote_database=
         (DESCRIPTION=
             (ADDRESS=
                 (PROTOCOL=TCP)
                 (HOST=WWW.XXX.YYY.ZZZ)
                 (PORT=XXXX)
             )
             (CONNECT_DATA=(SID=WG73))
         )
    
    (replacing values as appropriate)

    Then, in your radiusd.cfg, you define an <AuthBy SQL> clause using the "remote_database" in the connect string.

    -- radiusd.cfg --
             <AuthBy SQL>
                 DBSource dbi:Oracle:remote_database
                 DBUsername USERNAME
                 DBAuth PASSWORD
             </AuthBy>
    
    There's a lot more in the <AuthBy SQL> clause to make it work. Look at the docs for more information.

    LET ME MENTION that if you do not have the correct connect string, radiator will dump core every time it tries to talk to your database. Double-check your entries and write some test perl programs using that connect string!

    60. Whats the story with Session-Timeout and Cisco's

    As of IOS 11.3(8)T PPP per user timeouts work on both asynchronous and synchronous (multilink ppp) interfaces. From 11.3(8.1)T these features work on non-virtualised synchronous interfaces. I have spent many hours on getting this working with Radiator successfully for both async and ISDN calls. For more info there is a document on CCO that outlines what can be done, NAS and server sample configs and a heap of debugging info.

    http://www.cisco.com/warp/public/131/8.html

    Contributed by Matt Nichols (matt@hunterlink.net.au)

    61. I have weird problems with users on NT and Win3, but not Win95/98

    Check that you are not setting the wrong name for the compression attribute. If you have inherited a users file from an older Livingston system, the spelling of Van-Jacobson-TCP-IP may be wrong. Some older systems use the incorrect spelling Van-Jacobsen-TCP-IP, and this will not work with Radiator.

    Some symptoms of this problem might be inability to browse, but ping still works. VJ only affects TCP traffic, so pings (ICMP) and DNS (UDP) are unaffected when VJ is out of whack.

    Contributed by Mike Biesele. Thanks Mike.

    62. I am trying to compile IpassPerl version 1.4, and I get compile errors.

    You need to get the latest version of the iPASS libraries and headers. These are not yet available direct from iPASS, but we have permission to distribute them. They are available for a range of platforms at the normal Radiator download area.

    63. Where can I get the iPASS libraries that IpassPerl requires?

    IpassPerl 1.5 requires updated versions of the libraries and headers for interfacing with the iPASS system. You can get these upgrades directly from Open System Consultants.

    Download and unpack the file for your platform. Unpack the file in your iPASS directory (usually /usr/ipass).

    64. How do I add Radius Basic authentication to Apache?

    For Apache 1 and 2, the preferred way now is to use the mod_auth_radius module from https://www.gnarst.net/authradius. You can compile this module yourself, or there are precompiled binaries and RPMs for a number of platforms available on the web. There is a detailed configuration document in goodies/apache2-radius.txt in your Radiator distribution.

    Another (mostly obsolete) way is with mod_perl and Apache-AuthenRadius:

    1. Build and install Perl 5.004 or better
    2. Install MD5 1.7 or better from CPAN
    3. Install IO 1.12 or better from CPAN
    4. Install RadiusPerl 0.05 or better from CPAN
    5. Install Apache-AuthenRadius 0.3 or better from www.apache.org
    6. Unpack Apache 1.3.4 or better from www.apache.org
    7. Install mod_perl 1.21 or better from CPAN (see instructions included in mod_perl)
    8. When building mod_perl, you must enable the PerlAuthenHandler command by building like this:
      cd mod_perl; perl Makefile.PL USE_APACI=1 PERL_AUTHEN=1
    9. make
    10. make test
    11. make install
    12. cd ...../apache_1.3.4
    13. make install
    14. Put this in your httpd.conf:
      PerlModule Apache::AuthenRadius
    15. Put something like this in the .htaccess of the directory you wish to protect:
      AuthName Radius
      AuthType Basic
      PerlAuthenHandler Apache::AuthenRadius
      PerlSetVar Auth_Radius_host localhost
      PerlSetVar Auth_Radius_port 1645
      PerlSetVar Auth_Radius_secret mysecret
      PerlSetVar Auth_Radius_timeout 5
      require valid-user
      

    65. How do I add Radius Digest authentication to Apache?

    Similar to Basic authentication using mod_perl and Apache-AuthenRadius described above, except:
    1. Requires plaintext passwords in the Radiator user database.
    2. Install our patch for Apache-AuthenRadius 0.3, which adds support for Digest to Apache-AuthenRadius.
    3. Install our patch for RadiusPerl 0.5, which adds support for long passwords and Digest::MD5 to RadiusPerl.
    4. Put something like this in the .htaccess of the directory you wish to protect:
      AuthName "Radius Test"
      AuthType Digest
      require valid-user
      PerlAuthenHandler Apache::AuthenRadius
      PerlSetVar Auth_Radius_host localhost
      PerlSetVar Auth_Radius_port 1645
      PerlSetVar Auth_Radius_secret mysecret
      PerlSetVar Auth_Radius_timeout 5
    Note: Apache-AuthenRadius-0.3 imposes ridiculous limitations on the length and content of permitted user names. You might want to consider removing that code from AuthenRadius.pm.

    66. Whenever my iPASS authentication starts, I get a segmentation fault, and no reason?

    This can happen if you have the Debug parameter set in your AuthBy IPASS, but you do not have write permission to the ipass trace file (usually /usr/ipass/logs/iprd.trace). You can either alter the permissions on /usr/ipass/logs/iprd.trace or else set a different trace file with the Trace parameter.

    67. Whats an example for setting Cisco ACLs for all users in a Realm

    In this example, all users are authenticated from a DBM file, and they all get the same ACL.
    
         RewriteUsername s/^([^@]+).*/$1/
         
            Filename /opt/local/etc/radiator/users.db
                AddToReply \
                cisco-avpair = "ip:inacl#5=permit ip any 205.32.16.0 0.0.0.255", \
                cisco-avpair = "ip:inacl#10=permit udp any any eq domain", \
                cisco-avpair = "ip:inacl#15=permit tcp any any eq domain", \
                cisco-avpair = "ip:inacl#20=permit tcp any any established", \
                cisco-avpair = "ip:inacl#25=permit udp any any range 1024 9000", \
                cisco-avpair = "ip:inacl#99=deny ip any any"
          
    
    

    68. Why doesn't my syslog logging from Radiator work on Red Hat 6.1 and similar platforms?

    Recent versions of Linux syslogd do not by default listen to the UDP port that the Perl Sys::Syslog module uses. In order to let Radiator and other Perl sysloggers work, you need to restart syslogd with the -r flag.

    69. Why does my MySQL database keep crashing?

    This tip was contributed by "Roy Hooper" (rhooper@eisa.com):

    All of a sudden, today, Radiator kept locking up on us every 20 minutes.

    Looking in the logs for MySQL and for Radiator, MySQL was crashing and restarting regularly, so I turned on -trace 9 on radiator, hoping to see if there was any relationship between radiator crashing and MySQL core dumping.

    It turns out that there was no relationship between coredumps and crashes -- MySQL would continue to stay running without a recent coredump when Radiator locked up. The problem was that MySQL was locking up instead of core-dumping.

    An upgrade from 3.22.25 to 3.22.30 made the problem worse! MySQL was not coredumping and locking up more regularly than before. I started to get a little worried, but then remembered isamchk.

    Turns out radius/RADONLINE was corrupt! No wonder MySQL was crashing often. Our RADONLINE table has a LOT of write and read activity.

    TIPS:

    1. Run ISAMCHK to check your databases regularly.
    2. Repair broken databases.
    Information on using ISAMCHK

    70. Why does Radiator with a DBM session database hang on Solaris

    A number of people have reported problems with DBM session databases on Solaris. The problem seems to be in the NDBM library, so we recommend moving to the Berkeley DB library instead.

    You can change the DBM library that Radiator uses by changing the $dbtype variable at the top of SessDBM.pm.

    71. Why don't my Idle-Timeouts work on Cisco?

    This information was contributed by Matt Nichols (matt@hunterlink.net.au):

    Idle-timeouts only worked correctly on ISDN calls after 11.3(8.1)T or later. We have these working correctly by passing something like this:

      AddToReply Service-Type = Framed-User, \
                         Framed-Protocol = PPP, \
                         Framed-Routing = None, \
                         Framed-MTU = 1500, \
                         Framed-Compression = Van-Jacobson-TCP-IP, \
                         Idle-Timeout = 300, \
                         Session-Timeout = 600
    
    This will set an idle-timeout of 300 seconds and a maximum session time of 600 seconds.

    72. Why doesn't Ascend-Idle-Limit work?

    From the Lucent manual:

    Ascend-Idle-Limit will be deprecated in favor of the RFC-defined attribute Idle-Timeout (28) over time. Currently, if a user profile specifies both an RFC-defined attribute and an Ascend vendor attribute that performs a similar function, the last one sent by the server is used. However, using both attributes is not reliable and is not recommended.

    73. I'm getting Accounting Stops with no user name from my MAX. Why?

    (Contributed by "Christopher J. Carlson" (dz@lakes.com). Thanks Christopher.)

    
    Ethernet>Mod Conf>Accounting>Allow Stop Only=No
    
    
    If this "Allow Stop Only" equals yes, it sends stop records without the username if the user is not authenticated. Why they would ever need to set this to yes is beyond me.

    74. My TNT sends authentication request for silly user names like "banner", "route1" etc

    By default, an Ascend TNT will try to configure itself at startup by asking for various configuration items from the Radius server.

    You can turn this behaviour off with:

    
    	read EXTERNAL-AUTH
    	set rad-auth-client allow-auth-config-rqsts = no
    
    
    To turn off the Remote config for a Max it's the following
    
     Ethernet->Mod Config->TServ options->Remote Conf=No
    
    

    75. How do I make the Cisco h323 VOIP attributes work

    Contributed by Vincent Torres (vincent@junroo.net):

    First, you need the h323 attributes in your dictionary (they will be included in the standard dictionary in Radiator 2.16 onwards, patch available for 2.15)

    Anyway, aside from the dictionary, you will have to tweak the h323 AV pair you gave the Cisco VoIP server. As an example, if you define a user in a flat file the reply items should look like this:

    
    1234	User-Password = "567899"
    	h323-credit-amount = "h323-credit-amount=123.45",
    	h323-credit-time = "h323-credit-time=900"
    
    
    Basically the ASCII value that you send back has to be prepended with the attribute, so from the perspective of Radiator it sends back attribute = "attribute=value". But the 5300 will be able to recognize this... as long as it's the correct h323 attribute prepended.

    So far this is the only value the Router/IVR will recognize. And according to Cisco it isn't going to change soon ("It's a feature, not a bug"). In any case it worked and the IVR was able to break down those values into appropriate audio prompts...

    The accounting requests you receive from the Cisco will look something like this:

    
        h323-gw-id = "h323-gw-id=LA_XYZZY_AS5300_2.bigco.net"
        h323-conf-id = "h323-conf-id=5733C4FA 393500DB 0 DA629C"
        h323-call-origin = "h323-call-origin=answer"
        h323-call-type = "h323-call-type=Telephony"
        h323-setup-time = "h323-setup-time=21:10:31.090 UTC Mon Mar 6 2000"
    
    
    i.e., the Radius value includes the Cisco attribute name.

    More details at Cisco RADIUS Vendor-Specific Attributes for VoIP Call Authorization
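
    The "attribute=value" convention described above has to be undone before accounting data is stored or billed. The following is an added example (not Radiator code and not part of the contribution) that strips the redundant prefix from the accounting attributes shown above and parses the setup time; the function names and the User-Name entry in the sample record are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Layout of the setup time shown above once the zone token has been removed.
SETUP_TIME_FORMAT = "%H:%M:%S.%f %a %b %d %Y"
# Only the time attribute shown on this page; others using the same layout can be added.
TIME_ATTRS = {"h323-setup-time"}


def strip_h323_prefix(name, value):
    """Return the value with the leading 'name=' removed.

    A value prefixed with a different h323 attribute name is rejected rather
    than passed on, since it means the attribute and its content disagree.
    """
    if value.startswith(name + "="):
        return value[len(name) + 1:]
    if value.startswith("h323-") and "=" in value:
        other = value.split("=", 1)[0]
        raise ValueError(f"{name}: value carries prefix {other!r}")
    return value  # not prefixed: pass through unchanged


def parse_h323_time(text):
    """Parse 'HH:MM:SS.mmm UTC Mon Mar 6 2000'; return None for anything else."""
    parts = text.split(" ", 2)
    if len(parts) != 3 or parts[1] != "UTC":
        return None
    try:
        parsed = datetime.strptime(f"{parts[0]} {parts[2]}", SETUP_TIME_FORMAT)
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def normalise_accounting(record):
    """Return a copy of an accounting record with h323 values unwrapped."""
    out = {}
    for name, value in record.items():
        if name.startswith("h323-"):
            value = strip_h323_prefix(name, value)
            if name in TIME_ATTRS:
                value = parse_h323_time(value) or value
        out[name] = value
    return out


def h323_reply_item(name, value):
    """Format a reply item the way the gateway expects: name = "name=value"."""
    return f'{name} = "{name}={value}"'


# Accounting attributes as shown above, plus a constructed User-Name.
SAMPLE_RECORD = {
    "User-Name": "1234",
    "h323-gw-id": "h323-gw-id=LA_XYZZY_AS5300_2.bigco.net",
    "h323-conf-id": "h323-conf-id=5733C4FA 393500DB 0 DA629C",
    "h323-call-origin": "h323-call-origin=answer",
    "h323-call-type": "h323-call-type=Telephony",
    "h323-setup-time": "h323-setup-time=21:10:31.090 UTC Mon Mar 6 2000",
}

if __name__ == "__main__":
    for key, val in normalise_accounting(SAMPLE_RECORD).items():
        print(f"{key}: {val}")
    print(h323_reply_item("h323-credit-time", "900"))
```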

    76. I'm not able to connect to Microsoft SQL 7.0 using DBD-Sybase or DBD-FreeTDS from Unix

    Microsoft SQL version 7.0 broke Sybase and TDS connectivity. There is a patch available from Microsoft to fix this. If you are using DBD-Sybase, you will need at least DBD-Sybase-0.22.

    77. I'm having problems authenticating from my Tigris running 11.5.x

    Apparently 11.5.x software has some changes that they say are due to changes in the Radius protocol, and they imply that it's a problem with the radius server. This is completely incorrect. Nevertheless, here is an extract from their documentation:

    Radius Update from 11.5.x
    *As of Tigris Software Version 11.5.x there are some RADIUS Modifications that have been made to allow the Tigris to support new RADIUS standards. This will cause the Tigris not to be able to see some RADIUS Servers because it cannot file particular RADIUS Attributes that it needs to be able to perform RADIUS Authentication. the Tell Tale sign of this error in 11.5.x code is This error Message in the TRAP via telnet or Console.

    *** TRAP from local agent at 31-Aug-1999 11:05:09 uptime 0 Days, 00:00:03 
    *** RADIUS (Auth-1): Access denied for user "ACC_DEFAULT" 
    
    OR / AND
    *** TRAP from local agent at 31-Aug-1999 10:15:02 uptime 0 Days, 00:00:00 
    *** RADIUS (Auth-1): Operational state changed from DISABLED to UNKNOWN 
    

    The Work Around :
    *Add a Radius user entry by the name of "ACC_DEFAULT". The password for this user account is the same as the shared secret for the Radius Authentication server entry. Note that the authentication is sent using PAP. Set the return list attributes to those values which will be used as default by your user base.

    
    ACC_DEFAULT   Password = "secret" 
                    Framed-Protocol = PPP, 
                    Service-Type = Framed-User, 
                    Framed-IP-Address = 255.255.255.254, 
                    Framed-Compression = Van-Jacobson-TCP-IP 
    
    
    *This should allow RADIUS to work perfectly with Tigris software 11.5.x and beyond..

    78. How do I integrate Radiator with iPASS outbound roaming

    As of April 2000, the preferred method of interoperating with iPASS is to proxy outbound requests from Radiator to the iPASS radius server, using AuthBy RADIUS. This means that you must configure and run the iPASS radius server. If the iPASS radius server is running on the same host as Radiator, it must be configured to listen to different ports to Radiator.

    79. Radiator is accepting requests, but dialup users still can't connect to my Cisco

    If debug is turned on in the Cisco, you might also see something like this:
    
    	16:18:51: RADIUS: no appropriate authorization type for user.
    	16:18:51: AAA/AUTHOR (1723208106): Post authorization status = FAIL
    	16:18:51: As33 AAA/AUTHOR/LCP: Denied
    	16:18:51: As33 PAP: O AUTH-NAK id 1 len 25 msg is "Authorization failed"
    
    
    Cisco NASs are very picky about radius replies, and usually require at least a Service-Type in the reply. The easiest way to set this up is to add something like this to your AuthBy:
    
    	AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
    
    

    80. I can't connect to my database using DBD-FreeTDS

    Some versions of the DBD-FreeTDS snapshot were released with incorrect build information. The result is that DBD-FreeTDS builds, tests and installs correctly, but Radiator fails to load it, resulting in error messages similar to:
    
    Can't read $DBI::errstr, last handle unknown or destroyed at 
     Radius/SqlDb.pm line 130, <FILE> chunk 48.
    
    
    This is because DBD-FreeTDS is configured for static linking, and the loadable module for DBD-FreeTDS is never built and installed.

    To fix this, edit Makefile.PL, alter the LINKTYPE line to be 'dynamic'. Then 'perl Makefile.PL', 'make', and 'make install'.

    81. When using DBD-Sybase on RedHat 6.1, I get a segmentation fault

    On that platform, your environment variables must be set like:
    
    SYBASE=/opt/sybase; export SYBASE
    LANG=; export LANG
    LC_ALL=; export LC_ALL
    
    

    82. Using Informix with AuthBy SQL sometimes doesn't work properly

    We have had reports that some versions of DBD-Informix cause Radiator to go into an infinite loop, looking for DEFAULT username. The fix for this is to use the NoDefault parameter to prevent looking up DEFAULT users.

    83. How do I authenticate using SecurID

    Radiator supports direct interfaces to the SecurID ACE security system (with AuthBy ACE), and it also supports proxying to the SecurID ACE/Radius radius server.

    84. I am using AuthBy ACE on Solaris, but Radiator hangs when it authenticates

    You are probably using SecurID ACE Agent version 4, which has a bug that prevents AceCloseAuth completing (see the INSTALL file in Authen-ACE4). You will need to get a patched version of libaceclnt.a from RSA Security, or Open System Consultants, else upgrade to version 5.

    85. How do I configure Cisco IOS 12.1 for PreAuthentication with Radiator?

    Cisco has recently released additional Radius functionality in IOS 12.1. Cisco NAS equipment is now able to issue an initial Radius Access-Request before answering a call, allowing Radiator to enforce PORTLIMITCHECKs, for example, prior to answering the call. See the following URLs for details:
    Preauthentication with ISDN PRI
    Preauthentication with ISDN PRI and Channel-Associated Signalling

    86. Where can I find a Radius packet decoder?

    See Radical

    87. Where can I find general introduction and tutorial material about Radius?

    88. Can I use Oracle stored procedures for AuthSelect in AuthBy SQL?

    No, but there is a contributed module in goodies/AuthPLSQL.pm that will allow that. See also the sample config file plsql.cfg. This code was contributed by Pavel A. Crasotin (pavel@ctk.ru). Thanks Pavel.

    89. My DBD-Oracle with Oracle 8 crashes, both on the DBD-Oracle test, and in Radiator

    You need to enable thread support during your perl build.

    90. I can't make AuthBy LDAP in 2.16.2 or earlier work with perl-ldap-0.20

    Some recent incompatible changes to perl-ldap mean that you should use an earlier version, such as perl-ldap-0.13 instead.

    91. How do I make my perl CGI scripts run properly on IIS on NT?

    See this for some assistance.

    92. How do I use PAM to authenticate to Radius?

    See pam_radius_auth: The PAM RADIUS authentication module for code and installation hints. See also goodies/pam-radius.txt in your Radiator distribution.

    93. Where can I find a Radius packet analyser

    Radstock

    94. I can't get snmpwalk for my IBM AIX system

    See goodies/ibm-snmp.txt for some hints contributed by Dave Close

    95. How can I force my TNT to use PAP using Radius?

    A detailed discussion on this topic is included in goodies/tnt-pap.txt in the distribution, contributed by Aaron Bailey (abailey@comtech.com.au).

    96. How do I set up vpdn tunnelling on a Cisco?

    Contributed by Alex S. Burba (burba@iite.ru).

    Add this to your Cisco configuration:

    vpdn enable
    
    And set up a user in your Radiator to authenticate and configure your end of the tunnel. The user name is exactly the same as the domain or realm that is to be tunnelled:
    {DOMAIN} Password="cisco", Service-Type = Outbound-User
    	cisco-avpair = "vpdn:tunnel-id={NAS name}",    
    	cisco-avpair = "vpdn:ip-addresses={GW ip}",
    	cisco-avpair = "vpdn:nas-password={password}", 
    	cisco-avpair = "vpdn:gw-password={password}"    
    
    where {DOMAIN} is the domain or realm to be tunnelled, {NAS name} is conventionally the name of the router at the other end of the tunnel. The other end of the tunnel needs to be set up with complementary attributes.

    97. How do I use Disconnect-Request

    The first thing to understand is that, as always, the Radius protocol is implemented in a client/server architecture, in which the client sends requests to the server. Note that there is no mechanism in the protocol for a server to send a request to a client.

    This is important to understand, because for a "Disconnect-Request" to be handled by a NAS, the NAS itself must be configured to act as a Radius server for the purposes of this request at least (as well as being a Radius client in the usual sense). Now clearly, in more common utilisation, the NAS is the client and Radiator is the server, so for this to be supported by the NAS, it is the NAS software that must support the function. Further, the exact syntax to specify which session to terminate is also NAS dependent.

    So what does this mean for Radiator? Well, firstly, Radiator itself does not necessarily need to be involved at all (unless you want to log these requests, which is probably a good idea). If you do want the "Disconnect-Request" packets to transit Radiator, you will need to set up at the very least an AuthBy RADIUS proxy clause to forward the request to the NAS. You may also want to configure a special Realm or Handler which will limit what system hosts are allowed to send "Disconnect-Requests" at all.

    Note that all of the above does not say anything about what software you need to actually generate the "Disconnect-Request" packet. As I have mentioned previously, you can use the latest version of "radpwtst" with the "-code Disconnect-Request" parameter, however please understand that the exact syntax of the rest of the packet is NAS dependent, and you will need to get the details from your vendor.

    More information at Dynamic Authorization
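
    What the receiving side of a Disconnect-Request has to check, and what restricting the sending hosts amounts to, shown as an added example (not Radiator code and not part of this FAQ): the Request Authenticator is computed as RFC 5176 specifies (the same way as for an Accounting-Request), and the source address is tested against an allow-list. The shared secret, addresses, session id and function names are constructed for illustration; which attributes identify the session remains NAS dependent.

```python
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
USER_NAME, ACCT_SESSION_ID = 1, 44                               # RFC 2865 / 2866 types


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs; Length counts the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attrs(body):
    """Decode TLVs, rejecting lengths that would run past the end of the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def request_authenticator(header, body, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest()


def build_disconnect_request(identifier, attrs, secret):
    """Sender side: assemble the packet and fill in the Request Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator(header, body, secret) + body


def check_disconnect_request(packet, source_ip, secret, allowed_sources):
    """Receiver side. Returns (accepted, reason, attrs)."""
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(net) for net in allowed_sources):
        return False, "source not allowed", []
    if len(packet) < 20:
        return False, "short packet", []
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST:
        return False, "not a Disconnect-Request", []
    if length < 20 or length > len(packet):
        return False, "bad length", []
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    expected = request_authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator", []
    try:
        return True, "ok", parse_attrs(packet[20:])
    except ValueError as exc:
        return False, str(exc), []


def build_reply(code, request, attrs, secret):
    """Disconnect-ACK/NAK: the Response Authenticator covers the request's authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


# Constructed sample values (documentation address ranges, made-up secret and session id).
SECRET = b"constructed-shared-secret"
ALLOWED = ["192.0.2.0/28"]
SAMPLE = build_disconnect_request(
    7, [(USER_NAME, b"fred"), (ACCT_SESSION_ID, b"0000002A")], SECRET)

if __name__ == "__main__":
    cases = [("192.0.2.10", SAMPLE),               # allowed host, intact packet
             ("198.51.100.7", SAMPLE),             # host outside the allow-list
             ("192.0.2.10", SAMPLE[:-1] + b"B")]   # attribute altered in transit
    for src, pkt in cases:
        print(src, check_disconnect_request(pkt, src, SECRET, ALLOWED)[:2])
```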

    98. Why do I get 'SQL Timeouts' when I use AuthBy SQL with Sybase ODBC libraries?

    The Sybase ODBC libraries (which are the ones you get if you use DBD-ODBC with Sybase) on Unix use ALRM signals, which breaks Radiator's independent use of alarms to detect SQL timeouts.

    With versions of Radiator post 2.17.1, you can set Timeout to 0 in any SQL clause, which stops Radiator from implementing any alarms. It will then rely on the underlying SQL library to time out if there is an SQL problem. We recommend you do this for any Sybase ODBC connections.

    99. I get an unknown socket error on Windows 2000 or NT

    On Windows 2000 Server or NT, you might see an error like:
    
    Could not bind authentication socket: unknown error at ./radiusd line 336.
    
    
    This usually means that there is already a radius server running in that machine. It is likely to be the Microsoft IIS radius server that is enabled by default on Windows 2000 Server. In that case the solution is to edit the Services on that machine and set the 'Internet Authentication' service to 'Manual'.

    This error is sometimes seen if any radius server has recently been shut down on that host. The operating system takes a little time to make the socket available again. In that case, waiting for a few minutes will allow the server to be restarted.

    100. How do I make Radiator work with Optigold ISP?

    Optigold ISP is a mature and capable ISP billing package that runs on Windows.

    Optigold interoperates with Radiator through flat files: There is a flat users file that is generated with Maintenance->Server Stuff->Generate RADIUS file. This file is created by default in c:\Program Files\Optigold ISP\authent.txt. This config file is designed to use that file in the standard place. Note that you can also get Optigold to FTP this users file to a different Radius server host. That host could also be a Unix or Windows host running Radiator.

    In order to get Optigold to generate a correct users file for Radiator 2.18 or later, you will need to slightly alter the default Radius configuration provided with Optigold. Click the 'Config' button next to "Generate RADIUS File" on the Maintenance->Server Stuff. The first line in column 2 reads: Password = "", Delete the comma from the end so it reads: Password = "" and then click back.

    If you are using a version of Radiator earlier than 2.18, you will need to make some more extensive changes to the default Optigold Radius configuration, since it uses non-standard names for some Radius attributes. You will need to edit the RADIUS File Config page so it looks like this:

    Column 1                       Column 2
                            User-Password=""
                                   Service-Type=Framed-User,
                                   Framed-Protocol=,
                                   Filter-Id=,
                                   Framed-IP-Address=,
                                   Framed-IP-Netmask=255.255.255.255,
                                   Framed-Routing=,
                                   Framed-Compression=Van-Jacobson-TCP-IP,
                                   Framed-MTU=1500
    #
    
    

    Radius accounting data must be preprocessed before importing into Optigold. The Radius_Parse by Stathy Touloumis, provided on the Optigold web site support area (www.digitalpoint.com/support) can parse the Radius detail file produced by Radiator. This config file will log accounting to c:\Program Files\Optigold ISP\radius. Stathy's scripts can read, parse and rotate that file to produce an Optigold import file. You may need to alter the usrmon.cf file provided with Stathy's scripts in order to point it at the right files.

    There is a sample Radiator configuration file in goodies/optigold.cfg in Radiator 2.18 and later distributions. OptiGold can only use FileMaker as its main database, although FM can be hosted on Windows or remotely on Unix.

    You can configure OptiGold so that it issues configurable SQL queries to any other ODBC SQL database when certain events happen in OptiGold. For example, when you add a new user to OptiGold, it could trigger the insertion of the identical user details into a mysql database, possibly running on a remote Unix machine.

    In this way, you can arrange to keep a mysql database in sync with the OptiGold user data in the main OptiGold database. Therefore you could configure OptiGold to work with the simple database schema that comes with Radiator, or the more advanced schema that comes with our RAdmin product (or almost any other schema).

    There is apparently no easy way to get OptiGold to import accounting data from a remote SQL database, but you can configure Optigold to query an external database when generating usage statistics.

    101. I get an error when I try to install MD5 with PPM from ActiveState

    The recent 6xx versions of ActivePerl for Windows from ActiveState include both MD5 and Digest-MD5 in the base package. There is no need to explicitly install MD5. The instructions will be removed in the documentation for the next release.

    102. Does Radiator work with SAP?

    Yes. Here are some hints from "Gordon Smith" (gordons@morenet.net.nz).

    So far, we've found a bug in [the DBD-SAP] perl install script that doesn't check for the DBD directory before installing the driver. This causes the driver to be called DBD....

    Creating the tables is a bit involved. The sql commandline interface expects statements to be prefixed by sql_execute, and cannot span multiple lines. We're now writing a perl script to handle database creation instead.

    The good thing about the database is the handling of backups and replication - online backups are supported.

    BTW, once the DBD driver is installed correctly, DBI works just fine.

    Source is available from http://www.sapdb.org

    103. How do I authenticate from Active Directory

    Active Directory is Microsoft's new way of storing user information in Windows 2000. The easiest way is to use AuthBy LSA when Radiator is running on a Windows platform.

    It is also possible to use AuthBy ADSI for PAP and TTLS-PAP when running Radiator on Windows.

    The most important part of setting up AuthBy ADSI is setting the right BindString, which specifies how to query Active Directory for user information. It's not possible here to exhaustively list all the ways to use Active Directory, but the simplest case is where AD provides details for a single domain, and has the default setup of AD. For example, consider a single AD domain, open.com.au, with its users grouped in a single container called Users (ie the most common and standard way of organising users in AD). In that case, your BindString would be:

    BindString LDAP://cn=%n,cn=Users,dc=open,dc=com,dc=au
    
    Which means, find users in the Users container for the open.com.au domain.

    104. How can I do Active Directory authentication from Unix

    The AuthBy ADSI module is only available on Windows platforms. In order to authenticate from Active Directory (AD) with Radiator running on a Unix host, you need to use the AuthBy LDAP2 module with something like this:
    
    	
    		Host		your.ad.server.name.com
    		AuthDN cn=Administrator,cn=Users,dc=open,dc=com,dc=au
    		AuthPassword	admin
    		BaseDN		cn=Users,dc=open,dc=com,dc=au
    		ServerChecksPassword
    		UsernameAttr cn
    	
    
    
    Note that you need to provide the host name of your Active Directory server, as well as the (AD) name of the AD Administrator in AuthDN, and their password in AuthPassword (or some other suitably privileged user). This works fine with the standard vanilla type of AD setup, where all the users are in the Users container. If you are using organisational units etc, you may need to change your BaseDN.

    This mechanism only works with authentication methods that deliver a plaintext password to Radiator, such as PAP and TTLS-PAP. If you wish to authenticate CHAP, MSCHAP, MSCHAPV2, PEAP-MSCHAPV2, TTLS-MSCHAPV2 etc, you must use AuthBy LSA, which in turn limits you to running Radiator on Windows.

    105. I have problems with Long Session-Timeout values on my Cisco

    Contributed by Tommy Mazejian (tommy@dcsoftintl.com):

    Recently I have discovered some limitations on router/PPP protocol, that I want to share with you.

    As you know, the Radiator will read the session timeout from the database and send it to the router as attribute Session-Timeout. However, if the session time out is a number bigger than 35790 minutes (which will be converted to seconds by Radiator), the router (in my case Cisco 7200 series) will not accept it. Radiator will authenticate the user, send the session time out, but on the router/NAS, PPP session will not be completed, and on the client side will give an error 'PPP Link terminated'.

    What I have done is that now I am checking the session time out, if it is bigger than 35790, then I am sending 35790. If less, then send as it is.

    106. I have installed Digest-MD5 2.13, but get an error at startup

    Unfortunately, Digest-MD5 2.13 changed the modules that were packaged with it. With Radiator versions prior to 2.19, this will usually result in an error like this when you run perl Makefile.PL:

    Warning: prerequisite MD5 1.7 not found at (eval 1) line 220.

    or perhaps a runtime error when Radiator starts up.

    To fix this, you will need to install Digest-MD5 2.12.

    Radiator version 2.19 and later works fine with any version of Digest-MD5.

    107. How can I improve performance of RADPOOL allocation with Oracle?

    Contributed by "Paul O'Shea" (paul@genieinternet.com).

    Our pool allocation query is:

    FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL_VW where POOL='%0' and STATE=0 and rownum=1 order by TIME_STAMP asc

    However you can't use the RADPOOL table directly for this, so what we have done is created a 'view' of the table (thus RADPOOL_VW above in the query).

    108. How can I make users goto a particular URL after they have been authenticated?

    Contributed by Viraj Alankar (valankar@ifxcorp.com):

    Depending on your RAS, you may be able to redirect users ALWAYS to a web page, but as far as just doing that initially, and then letting them browse elsewhere, I don't think it's possible. We have implemented simple redirects for Ascend/Lucent devices. Our solution involves sending DNS attributes in the radius response, and running a bogus DNS server that always returns one IP.

    For example, say I have a bogus DNS setup as 1.2.3.4, that always returns the IP 5.6.7.8. This means any user using this DNS will get redirected to 5.6.7.8 no matter where they browse. I send back in the radius reply the following to enforce this DNS restriction as well as IP filters to block them from using another DNS or going to other hosts:
            Ascend-Client-Primary-DNS = 1.2.3.4,
            Ascend-Client-Secondary-DNS = 1.2.3.4,
            Ascend-Client-Assign-DNS = DNS-Assign-Yes,
            Ascend-Data-Filter = "ip in forward dstip 1.2.3.4/32 udp dstport = 53",
            Ascend-Data-Filter = "ip in forward dstip 5.6.7.8/32 tcp dstport = 80",
            Ascend-Data-Filter = "ip in drop",
            Ascend-Data-Filter = "ip out forward"
    
    We then use BIND 8 and a config similar to:
    zone "." {
            type master;
            file "named.redirect.hosts";
    };
    
    and named.redirect.hosts containing something like:
    $TTL 1D
    @       IN      SOA     .       hostmaster.mydomain.com. (
            5
            8H
            2H
            1W
            1D )
    
            IN      NS      1.2.3.4
    
    *.      IN      A       5.6.7.8
    
    4.3.2.1.in-addr.arpa.           IN      PTR     mydns.mydomain.com.
    

    109. How do I set up Oracle so that it authenticates from Radius

    Oracle 8 can be configured so that Oracle users have their username and password validated by Radius before they can connect to an Oracle server.

    You can find detailed instructions on the Oracle web site (eg here), but briefly:

    1. Use $ORACLE_HOME/bin/netasst on the Oracle server to configure the server to use Radius: choose local->Profile, Oracle Advanced Security, enable RADIUS, then edit Other Params and enter radius server details.
    2. Create the secret file that you named in the previous step (defaults to $ORACLE_HOME/network/security/radius.key). It should contain exactly one line with the shared secret used to communicate with the Radius server.
    3. Use $ORACLE_HOME/bin/netasst on the Oracle client to configure the client to use Radius: choose local->Profile, Oracle Advanced Security, enable RADIUS, then edit Other Params and enter radius server details.
    4. Tell SQL server to use external authentication for certain users:
      sqlplus system/manager
      SQL> CREATE USER fred IDENTIFIED EXTERNALLY;
      SQL> GRANT CREATE SESSION TO fred;
      SQL> EXIT
      
    5. Add the desired Oracle users to the Radiator user database. Note that Oracle upper-cases user names, so you need to either add your users in UPPERCASE, or add a RewriteUsername to convert all user names to upper case.

    110. I'm getting "Bad EAP Message-Authenticator" messages from my Bay 5399

    Some versions of Bay 5399 firmware implement an incorrect Message-Authenticator in Access-Request messages. You will need to set IgnoreAcctSignature in the Client clause for that NAS.

    111. With Platypus, how can I have some users with DNIS restrictions and some without?

    You can use DNISGroupQuery to customise the query used in AuthBy EMERALD when HonourDNISGroups is set.

    Contributed by "Leigh Spiegel" (leigh@winshop.com.au):

    This appears to work, I tried using just '0' however it didn't seem to work. So I'm using the '00000000' so any DNIS group in Platypus set with the 00000000 phone number will basically disable DNIS checking for that group.

    DNISGroupQuery select dn.DNISNumber from AccountTypes a, DNISNumbers dn where a.AccountType='%0' and a.DNISGroupID=dn.DNISGroupID and (dn.DNISNumber='%1' or dn.DNISNumber='00000000')

    I would have liked to use "*" as the DNIS for "anything" however Platypus does a sanity check on the input, therefore the 8 zeros being an unlikely phone number therefore ideal to use as a wildcard.

    112. Where can I get the Win32-RasAdmin package?

    ActiveState does not provide this package any more. The source is from Dave Roth at www.roth.net, but it's not available there in PPD format. We have built a ppd package for NT suitable for ActivePerl 5.6.1. To install it with PPM, run this command on your NT host:
    ppm install http://www.open.com.au/radiator/free-downloads/Win32-RasAdmin.ppd
    
    Full source is available from http://www.open.com.au/radiator/free-downloads

    113. How do I configure for Cisco PPTP VPNs?

    Using Radiator 2.19 or later, you can configure to automatically generate the MPPE Keys that Cisco require for encryption, and also to sign the reply with something like this (contributed by "Andre D. Henry" (andre@go-net.com)):
    
            <AuthBy whatever>
    
                    # Generate MPPE keys to encrypt pptp vpns
                    AutoMPPEKeys    Yes
    
                    AddToReply  Service-Type = Framed,\
                            Framed-Protocol = PPP,\
                            Framed-IP-Netmask = 255.255.255.255,\
                            Framed-Routing = None,\
                            Framed-MTU = 1500,\
                            Framed-Compression = Van-Jacobson-TCP-IP,\
                            Message-Authenticator = 0000000000000000,\
                            MS-MPPE-Encryption-Policy = Encryption-Allowed,\
                            MS-MPPE-Encryption-Types = Encryption-Any
    	</AuthBy>
    
    
    

    114. How can I assure high availability for Radiator?

    Radiator is extremely reliable as it comes out of the box, but if you wish to guard against unexpected shutdowns or host failures, here are some options:
    • consider using restartWrapper (provided with Radiator) to restart Radiator automatically (and email you) if there is a problem with the process.
    • run multiple instances of Radiator on different hosts, and arrange your NASs to use one as primary and another as secondary radius servers. If you have more than 2 servers, arrange the NASs in overlapping groups of primary/secondary pairs.
    • See goodies/highavail.txt for a discussion about how to use "daemontools" (http://cr.yp.to/daemontools.html) with Radiator.

    115. Does Radiator support Cisco Aironet with LEAP?

    Yes, Radiator provides LEAP-compatible EAP support. Available as a patch for Radiator version 3.6 and standard for later versions. See the example configuration file in goodies/eap_leap.cfg in your distribution.

    116. How does Cisco VOIP accounting work

    There is a long discussion about how this works in the goodies/voip.txt file in your distribution. Contributed by Simon Hackett (simon@internode.com.au).

    117. Why don't I get Framed-IP-Address in Accounting from my Cisco?

    (contributed by Chris M (chrism@peakpeak.com))

    I was having trouble getting Framed-IP-Address to update in the Session database and couldn't figure out why. I got the following response from Cisco and thought I'd post it in case it helps anyone else.

    I see that you are having difficulty with the aaa accounting on PPP connections.

    The problem you describe is the result of the router sending the accounting START record BEFORE the IPCP negotiation is complete.

    There are two ways to change this. The recommended way is to tell the router to send accounting UPDATEs when there is new information. This will accomplish what you are after -- getting the Framed-IP-Address sent to the Radius server. This is accomplished through this global configuration mode:

    aaa accounting update newinfo

    If, however, your accounting software cannot deal with START, UPDATE, and STOP records, there is another option, though it is officially not supported:

    aaa accounting delay-start

    Either of these should accomplish what you are after

    118. How do I get SNMPAgent to work on NT or Windows?

    SNMPAgent requires the SNMP_Session perl module, from here. SNMP_Session can be installed on Unix in the usual way for perl packages.

    Unfortunately, this package is not currently available as a PPM package from ActiveState for Windows. However, on Windows you can install this package by hand by unzipping it and copying the three *.pm files it contains to c:\perl\site\lib.

    119. How do I build Digest-MD5 on Solaris

    If you try to use the perl that is installed with Solaris, it will be hard. You will probably find various compilation problems when you try to compile Digest-MD5. This is because that version of perl was compiled with the Sun C compiler, and unless you have the Sun C compiler installed, it's hard to convince it to use gcc.

    We prefer to install the (more recent) perl and gcc binary packages from www.sunfreeware.com. Then building Digest-MD5 will work with the usual perl Makefile.PL; make; make install.

    120. How can I work with Windows EAP TLS clients

    EAP (Extensible Authentication Protocol) TLS (Transport Layer Security) is a secure, mutual authentication protocol supported by Windows XP, Linux and some other operating systems. It works with 802.1x wireless and dialup authentication. TLS requires that a certificate be issued to each user. A certificate is a file that contains a public key and a digital signature. Certificates can be created with openssl on Unix or Windows, or with the Windows 2000 Certification Authority software.

    With TLS, Radiator checks that the client computer contains a valid certificate and that the certificate is for a valid user in a Radiator user database. The client computer can optionally check that the Radiator server is the one it is expecting to connect to (i.e. this is _mutual_ authentication). TLS authentication can be added to almost any Radiator authentication module. See the example in goodies/eap_tls.cfg in your distribution.

    EAP TLS authentication is available out of the box for Windows XP. You can add it to Linux with the free Xsupplicant application.

    Helpful documentation on how to create test certificates and configure the AP and client software for EAP TLS is available for Linux and Windows XP. There is a lengthy discussion of Enterprise deployment of EAP for Windows XP, including certificate requirements, here. See also the Microsoft WiFi Troubleshooting doc. Information about enabling 802.1x on Windows 2000 can be found here.
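
    A throwaway test PKI for the arrangement described above, built with the openssl command line: a test CA, one certificate per user, and the two checks the text names (the certificate is valid, and it is for a known user). This is an added example, not part of the Radiator distribution; the directory layout, the O=/CN= values, putting the user name in the CN and the flat users file are all assumptions, and Radiator's own certificate handling is configured as in goodies/eap_tls.cfg.

```shell
#!/bin/sh
# Test PKI for EAP TLS experiments. All names and paths are constructed.

# make_ca DIR: create a self-signed test CA (ca.key, ca.pem) in DIR.
make_ca() {
    mkdir -p "$1" && chmod 700 "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example Test/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME CN: generate NAME.key and a CSR, then sign the CSR
# with the CA in DIR to produce NAME.pem. CN is assumed to be the user name.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Test/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 30 -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null &&
    chmod 600 "$1/$2.key"
}

# cert_cn FILE: print the commonName from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        awk -F'= ' '/commonName/ { print $2 }'
}

# check_client DIR CERT USERS: succeed only if CERT chains to the CA in DIR
# (signature and validity dates) AND its CN appears as a whole line in USERS.
check_client() {
    openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1 || return 1
    grep -qxF -e "$(cert_cn "$2")" "$3"
}

# Usage:
#   make_ca ./pki && issue_cert ./pki mikem mikem
#   printf 'mikem\n' > ./users
#   check_client ./pki ./pki/mikem.pem ./users && echo accepted
```

    A certificate signed by a different CA, or one whose CN is not in the users file, makes check_client return non-zero.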

    121. Does radpwtst -gui work on Mac OS X (Darwin)

    Yes, and so does Radiator and Radar.

    Perl 5.6.0 comes with Darwin, but to use radpwtst -gui, you will need to build and install Tk 800.023 or later. You must follow these instructions to build Perl Tk successfully. Note especially the need to alter the perl optimise level.

    122. How do I get Radiator to work with SCO Open Server?

    The default installation of OpenServer does not include perl or a C compiler. Although there is a version of Perl 5.005_03 precompiled in the SCO skunkware FTP area, it can't be used to build Digest-MD5 out of the box. Instead, we recommend that you install gcc from the skunkware area, then build and install perl (say, version 5.6.1) from scratch, then build and install Digest-MD5 2.13 or later in the usual way. With those installed, Radiator will 'make test' fine. Tested on OpenServer 5.0.4 with rs504c and oss601a supplements installed.

    If you have problems with link errors concerning fsync when running make test on Digest-MD5, follow the instructions from Andrew Hamm and recompile and reinstall perl.

    123. How can I force SQL username comparison to be case-sensitive

    By default, many SQL servers do case-insensitive string comparison. This means that AuthBy SQL, AuthBy RADMIN etc. would treat, for example, mikem, MIKEM and MiKeM as the same user.

    Some SQL databases allow you to force case-sensitive comparisons. For example, in MySQL the 'BINARY' keyword forces the comparison that follows it to be case-sensitive. You could therefore force case-sensitive user names in an AuthBy SQL for MySQL with something like:

    AuthSelect select PASSWORD from SUBSCRIBERS where BINARY USERNAME=%0
    

    124. How do I configure an Orinoco wireless Access Point for Dynamic WEP

    We recommend the use of Dynamic WEP for encryption of all wireless links. It's more secure and easier to manage than static WEP keys. Radiator supports Dynamic WEP for EAP TLS, EAP TTLS and PEAP authentication.

    You must have the latest version of the Access Point firmware installed, otherwise you may get unexplained authentication or operation failures. At the time of writing (Sep 2002), the latest version for the AP-2000 is v2.0.0(266).

    • Configure the wireless client for 802.1x authentication and dynamic WEP. On Windows XP, this means configuring the 'Wireless Networks' tab in the 'Wireless Network Connection Properties' dialog. Under the 'Association' tab, select 'Data encryption (WEP enabled)' and 'The key is provided for me automatically'. Deselect 'Network authentication (Shared mode)'. Under the 'Authentication' tab, select 'Enable IEEE 802.1x authentication for this network'. Select the EAP type you wish to use (needs to match the EAPType setting in Radiator).
    • Configure the Access Point. Select 'Configure' then 'Security'. Under the 'RADIUS' tab, deselect 'Enable RADIUS MAC Access Control'. Select 'Enable Primary RADIUS Server'. In 'Authorization Lifetime (seconds)', enter '9000' (the default is too short). In 'IP Address', enter the IP address of your Radiator radius server. Enter a 'Shared Secret' (must match the 'Secret' entry in the matching Client clause in your Radiator configuration). In 'Destination Port', enter the authentication port number of your Radiator (Radiator defaults this to 1645, but it can be changed with AuthPort in your Radiator configuration). Under the 'Encryption' tab, select 'Enable Encryption (WEP) for Slot A'. You do not need to enter any WEP keys. Under the '802.1x' tab, set '802.1X Security Mode' to '802.1x'. Set 'Encryption Key Length - Wireless Slot A' to '128 bits' (if your wireless cards all support 128 bit WEP keys). Reboot the access point.
    • Configure your Radiator. Ensure there is a Client clause for the IP address of the Access Point, and ensure the Secret matches the 'Shared Secret' entered in the Access Point configuration. In the AuthBy clause, ensure EAPType is set to a type matching the types selected in the client (typically 'TLS' or 'TTLS'). Ensure all the other EAP parameters are configured to suit the location of your certificates etc. (see the example configuration files goodies/eap_tls.cfg and eap_ttls.cfg). Ensure the AutoMPPEKeys parameter is set in the AuthBy clause. Restart Radiator.

    125. Im getting a strange error when using DBD-Oracle on Solaris

    This results in an error like:
    ld: fatal: file /ora00/app/oracle/product/9.2.0/rdbms/lib/defopt.o:
     wrong ELF class: ELFCLASS64
    

    You're attempting to link a 64-bit Oracle against a 32-bit Perl. The best solution is to edit the Makefile generated by Makefile.PL and change all references to ORACLE_HOME/lib to ORACLE_HOME/lib32. This will get it to use the 32-bit Oracle libraries instead.

    126. Does Radiator work with Jet ISP billing

    Yes. Radiator works with Jet ISP billing.

    Jet is a user management and billing system, specifically designed and created for ISPs. Written in Python and Zope, it is highly flexible, and has a modular construction allowing for additional modules to support a customer's specific needs. It comes with full source code, and Obsidian's development team is available to produce extensions as required.

    There is an example Radiator configuration file in goodies/jet.cfg in the Radiator distribution.

    127. I am having trouble running Radiator on RedHat 8.0 and RedHat 9.0. It works fine on RedHat 7.3

    I get an error message like this on RH 8.0:
    Malformed UTF-8 character (unexpected end of string) at 
     /usr/lib/perl5/site_perl/5.8.0/Radius/Radius.pm line 642.
    
    or like this on RH 9.0:
    Bad attribute=value pair: Realm=DEFAULT
    
    This can be due to the LANG environment variable. Try this:
    echo $LANG
    
    and you will see: en_US.UTF-8. Then try this:
    export LANG=en_US
    
    and restart Radiator. It should work now, but only in this terminal. If it works, do this to make the change permanent:
    • edit /etc/sysconfig/i18n
    • change the line
      LANG="en_US.UTF-8"
      to
      LANG="en_US"
    This will also solve Acrobat Reader problems.

    128. How do I configure an Apple AirPort Base Station for Radius authentication

    The easiest way to configure an AirPort Base Station is using the Apple utility Applications->Utilities->AirPort Admin Utility. It is reported to be possible to use other tools but we have not tested them.

    Recent versions of Apple AirPort Base Stations do support 802.1x wireless authentication and EAP, but older versions do not. If your AirPort does not support 802.1x, then the only type of Radius authentication supported is MAC address, which requires you to configure the MAC address of all permitted wireless clients into your Radius user database.

    1. Start with a simple Radiator configuration file based on goodies/simple.cfg
    2. In AirPort Admin Utility, select the AirPort tab.
    3. Ensure 'Enable Encryption' is set. Select 'Change Password...'. Choose a WEP key length of 128 bits. Choose and remember a long string as your wireless network access password. Enter it into New Password and Verify. Click OK. (Note: all Apple clients will need to be configured to use the same network password to access your wireless network.)
    4. In AirPort Admin Utility, select the Authentication tab.
    5. Select Radius: Alternate. T