Radiator Frequently Asked Questions

This does not mean that either the test suites or the dictionaries are broken. It is an unfortunate incompatibility between different vendor's dictionaries.

We recommend that you use the standard dictionary supplied with Radiator whenever possible. This will work in the vast majority of cases.

5. OK, which dictionary should I use then?

You should use the default Radiator dictionary 'dictionary' wherever possible.

6. How do I configure a Cisco NAS for Radius?

You will need something like this in your Terminal server configuration:


aaa new-model
aaa authentication login DIAL-SCRIPT-USERS radius
aaa authentication login TELNET-USERS local
aaa authentication ppp PAP-USERS if-needed radius
aaa authorization network radius
aaa accounting network start-stop radius
...
radius-server host 1.2.3.4 auth-port 1645 acct-port 1646
radius-server key blahblahblah

You will probably want to use these reply attributes in order to enable PPP sessions:


        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

There is a description of Cisco's use of Radius attributes for IOS 12 in RADIUS Attributes overview.

7. How do I use Livingston users file?

Livingston and many other Radius servers use the users file for configuring the behaviour of the server, as well as describing the users. Radiator takes a slightly different approach, where the server configuration is described in the config file, and the users file only describes the users.

You can use a Livingston users file unchanged, provided you set up your Radiator config file properly. A typical example config file is provided in goodies/livingCompat.cfg in the Radiator distribution. The principal requirements are to have a DEFAULT Realm, and an with the Identifier "System". This will cause any users with the check item Auth-Type="System" to be authenticated with UNIX Authentication (i.e. with a standard Unix password file)

See Installation and Reference manual for more details.

11. I keep getting Bad Authenticator messages when I get accounting requests from a GRIC roaming connection. Why?

A number of radius servers, such as Merit, the AimTraveler server that GRIC uses and others do not correctly compute the authenticator on accounting requests. They do not conform to the Radius specification. Radiator checks all authenticators against the specification and complains if a bad authenticator is received. It does not look like these servers are going to be repaired, so Radiator has a special flag to ignore the authenticator in incoming accounting requests. See IgnoreAcctSignature in the clause.

12. How can I authenticate against NT passwords and Groups

On NT, you can authenticate users using their NT user password and NT Global Groups. This means that you can ensure that only real NT users can log in. You can also ensure they get special NAS configurations that depend on which NT Local Group they are in.

Your configuration file should look something like this:


# put <Client ...> etc clauses here
.....
<Realm DEFAULT>
	<AuthBy FILE>
	# might want to specify the name of the users file here
	# See below for the contents of the users file
	</AuthBy>
</Realm>

# This clause says that for entries in the users file
# that specify Auth-Type=System, use the NT module to 
# authenticate them
<AuthBy NT>
	Identifier System
</AuthBy>

And your users file could be something like this


# This will match all users in the Administrators local group
DEFAULT Auth-Type=System, Group=Administrators
        reply-item = .....

# This will match all users in the User local group
DEFAULT Auth-Type=System, Group=Users
        reply-item = .....

# And this will match everyone else
DEFAULT Auth-Type=System
        reply-item = .....

This allows you to have distinct groups of users who get special checks and special reply items. A similar technique can be used with the UNIX module.

13. How are DEFAULT users entered in a DBM file?

When the DBM file is built, the first DEFAULT entry in the input file is entered as DEFAULT, the second as DEFAULT1, the third as DEFAULT2 etc. This guarantees the uniqueness and ordering of DEFAULT entries. When AuthBy DBM fails to match a user name it will then try to match DEFAULT, then DEFAULT1, DEFAULT2 etc.

14. How can I connect to Microsoft SQL from a Unix box?

As of September 2003, the best and most portable way to connect from Unix to Microsoft SQL (including MS-SQL 2000) is to use freetds 0.53 (www.freetds.org) and DBD-Sybase 0.94 (www.cpan.org) These are both freely available and work well. This will work on almost all flavours of Unix, including Linux and Solaris. There is a helpful tutorial article in 'Linux Journal' April 2002. Do not use later versions of freetds or DBD-Sybase as there have been reported instabilities.

There are a number of other ways to do it, and you may wish to choose one of these alternatives if you have special constraints within your organisation:

Use OpenLink's Multi-Tier ODBC for Unix plus DBD-ODBC. You will also need their NT server side package which includes their Request Broker. This package is good for accessing MS-SQL, MS-Access, Oracle, Sybase etc etc on NT from Unix. A nice package without license fees for some applications. We recommend this option.
Linux only: Use the free Sybase driver here, and use DBD-Sybase. Or (preferred) install Adaptive Server Enterprise then install the DBD-Sybase RPM. Works fine for MS-SQL 6.5. To work with MS-SQL 7, you will need some patches from Microsoft to permit MS-SQL 7 to work with Sybase client libraries. Does not work with MSSQL 2000.
Unix other than Linux: Purchase the the OpenClient/C Developer package for US$795.00 straight from Sybase for the CTLib, and use DBD-Sybase. Works fine for MS-SQL 6.5. To work with MS-SQL 7, you will need the SQL server 7.0 Service Pack from Microsoft to permit MS-SQL 7 to work with Sybase or FreeTDS client libraries. If you are using DBD-Sybase, you will need at least DBD-Sybase-0.22.
Use the DBI::Proxy module available in DBI-1.02.tar.gz. This module will proxy DBI requests across the network to a target box where it can be access an ODBC database. More details below.
Use the DBD-FreeTDS module from ftp://freetds.internetcds.com/pub/freetds_dbd/ which can talk to Sybase, MS-SQL 6.5 and 7.0 without the need for any proprietary client libraries. We have found that revision DBD-FreeTDS-0.02 did not work properly, but the later snapshots work fine. This is a very quick and easy solution for getting from Unix to MS-SQL or Sybase on any platform. However, the DBD-FreeTDS module is still quite immature, and we know for a fact that even the snapshots dont work properly with stored procedures (and it should therefore not be used for AuthBy RODOPI and others). You mileage may vary.
Use the Merant ODBC drivers (commercial) (www.merant.com).

Note: MSSQL 6.5 is really the same as Sybase, and Unix Sybase client libraries can happily connect to MSSQL 6.5. One gotcha: the default TCP port to connect to MSSQL is 1433 decimal, which is different to the default for Sybase, so you may have to alter your /opt/sybase/interfaces file)

Note: DBD-Sybase with the Sybase client libraries does not work with Microsoft SQL Server 2000. Microsoft have removed the Sybase compatibility from this product.

15. How do I set up anti-spoofing filters

You can set up anti-spoofing filters in NASs that support filters such as USR (3COM) Hiperarcs. In the Radiator config file put something like:


        
                UseAddressHint
                Dynamic USR-IP-Input-Filter

(you can have multiple Dynamic lines, one for each unique attribute you want % interpolation on) A typical users files entry might look like this (for a 3COM hiperarc)...

DEFAULT Auth-Type = System
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-IP-Netmask = 255.255.255.255,
        IP-Filter-In = "1 REJECT src-addr!=%a",
        Service-Type = Framed-User

(it'll work on anything, not just DEFAULT)

Which will end up authenticating the user with a reply message like... (assuming you have hint-assigned on the NAS enabled, and the address that it assigned from it's pool was 0.0.0.1)


        Framed-IP-Address = 0.0.0.1
        Framed-Routing = None
        Framed-IP-Netmask = 255.255.255.255
        IP-Filter-In = "1 REJECT src-addr!=0.0.0.1"
        Service-Type = Framed-User

So you can create ANTI-spoof filter rules that will be filled in with the right values on the fly! Cool, huh? BTW, you must use dictionary.usr, which is the one that defines IP-Filter-In.

(Thanks to Aaron Nabil for this example and the code to implement it.)

16. Why are my DBM files so big?

Radiator is shipped with the AuthBy DBFILE module using Perl's built in SDBM module. We do this because it is available built in on every platform, including Win95 and NT. The down side of SDBM is that is makes large database files.

You can get AuthBy DBFILE to use the Berkeley DB format instead by editing Radius/AuthDBFILE.pm. Change the 2 occurrences of SDBM_File to DB_File, and reinstall Radiator. Radiator will now use the Berkeley DB format for DBM files, and they will be much smaller than with SDBM.

17. Why do tests 2n, 2r, 2t, 2v and 4a fail on freebsd?

Freebsd optionally uses MD5 for encrypting passwords in crypt(3), but the example passwd file we provide for testing the AuthBy UNIX uses standard DES encryption.

You can fix this by copying passwd.md5 to passwd and rerunning make test.

18. How do I set up automatic IP address allocation

Basically, you need to do 2 things:

Add 1 or more FramedGroupBaseAddress items to each Client in your Radiator configuration file.
Add a Framed-Group reply item to each user for whom you want address allocation.

For example in the Radiator configuration file:

    
        # This is the base address for Framed-Group = 0
        FramedGroupBaseAddress	10.0.0.1
        # This is the base address for Framed-Group = 1
        FramedGroupBaseAddress	10.0.1.1
        # This is the base address for Framed-Group = 2
        FramedGroupBaseAddress	10.0.2.1
        .....

and in the users file, something like:

mikem    Password = "fred"
         Framed-Group = 1,
         Framed-Protocol = PPP,
             etc.

Now if mikem logs into the Client at port 5, he will be allocated an IP address of 10.0.1.6 (ie 10.0.1.1 + 5). If the users file said Framed-Group = 0, and he logged in on port 11, he would be allocated an IP address of 10.0.0.12 (10.0.0.1 + 11).

19. How do I make Radiator work with Emerald?

Emerald is a good ISP billing system from IEA. It uses Microsoft SQL database for user and billing data. IEA also offer an NT based radius server called RadiusNT that can authenticate from and insert accounting into Emerald.

Radiator can also authenticate from and insert accounting into Emerald, but with Radiator, you can do it from a Unix host, and with the extra features that Radiator has but RadiusNT does not.

There is an example Radiator configuration file in goodies/emerald.cfg in the Radiator distribution. Use it as a starting point for integrating with Emerald. You will need to configure some attributes like DBSource, DBUsername and DBAuth to suit your Emerald setup. You will most likely want to use ODBC to connect to the Emerald MSSQL database, but you could also use the Sybase driver, if you have that instead.

20. How do I make Radiator work with LDAP on NT?

Follow these steps:

Make sure you have installed the Perl NT binaries from Gurusamy Sarathy.

Fetch and install NETSCAPE DIRECTORY SDK 1.0 Win32 for Windows NT with SSL support (self-extracting archive)
Fetch and install the Net-LDAP Windows NT Binaries v1.40. Make sure you follow all the instructions in the Readme file.
Configure an clause in your Radiator configuration file. See the example radius.cfg in the Radiator distribution for examples.

21. How do I make Radiator work with Platypus?

Platypus is an excellent ISP billing system from Boardtown. It uses Microsoft SQL database for user and billing data.

Radiator can authenticate from and insert accounting into Platypus. This makes for seamless integration between your radius server and your customer management/billing system. Using ODBC, you can run your radius server on Unix, Win95 or NT.

There is an example Radiator configuration file in goodies/platypus.cfg in the Radiator distribution. Use it as a starting point for integrating with Platypus. You will need to configure some attributes like DBSource, DBUsername and DBAuth to suit your PLatypus setup. You will most likely want to use ODBC to connect to the Platypus MSSQL database, but you could also use the Sybase driver, if you have that instead.

22. How can I apply the same check or reply items to all the users in my SQL database?

Sometimes you need to have a common set of check or reply items for all users, but you dont want to have to put them in every user in the database. Or maybe you want to be able to tune them for all users easily. You can arrange for Radiator to cascade from SQL to a flat file or other user database.



    AuthByPolicy ContinueWhileAccept
    
	...
    
    
	...

(See goodies/common-sql.cfg for example code). You can then have a DEFAULT user in the users file specified in the AuthBy FILE with the common reply items you want:


DEFAULT Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

Another alternative is to fall cascade from SQL to another SQL that only selects the check and reply items for a DEFAULT user:



    AuthByPolicy ContinueWhileAccept
    
	...
    
    
	AuthSelect select NULL, CHECKATTR, REPLYATTR from SUBSCRIBERS \
         where USERNAME = 'DEFAULT';

With some (but not all: mSQL does not support it) SQL servers you provide common check and reply items more easily with a special AuthSelect statement:


AuthSelect select PASSWORD, 'Service-Type = Framed-User', 
  'Framed-Protocol = PPP, etc etc etc' 
   from SUBSCRIBERS where USERNAME = '%n'

With some SQL servers (eg Oracle), you could even combine the common and per-user check and reply items by using concatenation in the select statement.

23. How can I make Radiator work with the PPTP server?

Changes are outlined in Microsoft Online Support article Q172216.

Start Regedit
Goto: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP
Click on SPAP, click Edit, and Delete. Yes to confirm deletion.
Click on CHAP, click Edit, and Delete. Yes to confirm deletion.
Close Regedit, stop and restart Routing and Remote Access Service.

(Contributed by Dalton, Robert W (Robert.Dalton@88CG.WPAFB.AF.MIL))

24. How can I connect to Microsoft SQL server from Unix using OpenLink?

The best option is to use the "Combined OpenLinkODBC/iODBC package" from OpenLink. This package (smkoxxxx.taz for Solaris) allows ODBC requests to be sent by RPC from your Unix client to (for example) an NT host running Miscrosoft SQL Server 6. It really does work.

You will also need the OpenLink request broker for NT (ntadm65x.zip) installed on the NT host where the MS-SQL server is running. This broker receives RPC calls from the iODBC package on the Unix host and translates them into MS-SQL calls. After installation, start the Oplrqb.exe program.

Further, you will have to build DBD-ODBC 0.16 or better on your Unix host to use the include files and libraries that come with the OpenLinkODBC/iODBC package (this will involve some minor changes to Makefile.PL before building DBD-ODBC. Change

my $myodbc = 'odbc';	# edit and hack to suit!
 to
my $myodbc = 'iodbc';	# edit and hack to suit!

and add a line at:

	
        print SQLH qq{#include <iodbc.h>\n}; # ADD this line
	print SQLH qq{#include <isql.h>\n};
	print SQLH qq{#include <isqlext.h>\n};

You will also need to create ~/.odbc.ini on the Unix host as descibed in the OpenLinkODBC/iODBC package, as well as create /etc/udbc.ini with something like this:

[radius_udbc]
Description 	= Sample MS SQLServer DSN
Host		= fred
ServerType	= SQLServer 6
ServerOptions	=
Database	= radius
FetchBufferSize	= 30

If your wanted to connect to a Platypus database on NT, you would put something like this in udbc.ini:

[plat_udbc]
Description 	= Sample MS SQLServer DSN
Host		= fred
ServerType	= SQLServer 6
ServerOptions	=
Database	= plat
FetchBufferSize	= 30

Finally, you would specify something like this in the Radiator config file for your AuthBy SQL:

		DBSource	dbi:ODBC:radius_udbc
		DBUsername	sa
		DBAuth		sa

25. How do I run Radiator as a service on NT?

See the reference manual for details.

26. I dont know where to get SRVANY, what can I do to run as a service on NT

Some people have had success with FireDaemon as an alternative NT Service installer.

27. How can I use Microsoft Access as my database?

We have not tested against Microsft Access, but here are some notes from the coal face by Nicholas Barrington (nbarrington@smart.net.au) and Anton Sparrius (anton@smart.net.au) who have made it work.

BC5.0 didn't work! We use the compiled version of perl, so that was ok. However, to get DBD and DBI working we had to do a few extra things. Firstly, the DBD module told us that it wanted version 0.90, and we had version 0.93, so it wouldn't work. Once we download the newer version of DBD v0.19 everything there worked OK.
BC5.0 still didn't work. Make that comes with BC5 would just bomb out, but using dmake that came with perl was much better. However, there was a cupple of .h files (sql.h and sqlext.h) that it needed that BC5 didn't have. I was able to find them on MSVC and copy those across and that seemed to work. Then, there was a cupple of libraries that were needed, once again, I had to find them in MSVC and use IMPLIB (comes with BC5) to import them. One was called odbc32.dll (which gets converted to a .lib with IMPLIB). I cant remeber if there was another one, but if there was, it was of a similar nature.
Compile worked! Simply set up an ODBC in WinNT and we were away and working. Bit of a hack really, but it runs beautifully. Running off a Cisco 5200 so we get heaps of information.
Trying to use BC5 dmake (make produces errors) causes .DEF file errors in the DBI and DBD module makes. We had to edit the .DEF and remove the quotes "" from the top line before it would continue.
We had to use the latest .19 release of the ODBC DBD instead of the .16 as specified in the notes.
We used version .93 of the DBI module, which again had the .DEF errors but were overcome.
When creating our table in MS Access, we initially tried using field names that were the same as the NAS return names. This caused us massive headaches at run time, until we figured out we had to use different field names than the NAS return names.
We also tried using a column name of Timestamp for a NAS return item called Timestamp and it failed in the same way anything did when we had column name = NAS return name. So that looks like a big no-no, too (at least with the MS Access database).

In all, we didn't really have any success at all with Sarathy's binary distribution of perl. Once we downloaded and included the latest version of the components we managed to fire it up.

28. Where can I get pmwho?

The program pmwho is used for verifying logins on Total Control NAS's. You can get it from here, amongst other places. Credit for this belongs to Johan Persson, jp@abc.se.

29. I think Im seeing a memory leak. What can I do?

First, you should note that Radiator will grow a little when it first starts up, as it finds out about the users currently logged on and the NAS's it is getting requests from. Then, as your user population settles down, the growth will slow down and stop. Depending on your configuration, you should not see Radiator grow by more than a few Mb from its initial size. Steady, continued growth in the size of the image even after a few days running indicates a problem.

Upgrade to the latest version of Perl. Perl 5.003 had a number of leaks in perl itself, mostly to do with evals.
Upgrade to the latest version of Radiator. At as of 2.12. there are no leaks that we are aware of.
If you have any local modifications to Radiator, remove them and see if it still leaks.
Try to identify what kinds of requests are causing the leak: Authentication or accounting requests, AuthBy FILE or AuthBy SQL etc?
If you are using any perl modules (DBD-*, LDAP etc), upgrade to the latest versions and see if it still leaks.
Report the problem to us, along with your configuration file (remove any secrets and passwords), and an estimate of the growth rate.

30. Where can I get a copy of snmpget?

Get Net-SNMP Don't use the CMU snmp, as its output is not understood by Radiator.

On Windows, you can use net-snmp (v5.0.8) (or ucd-snmp v4.2.3).

31. I cant build DBD-Sybase against the free Sybase client library on Linux. Why?

On some version of linux, we have observed that compiling and linking the shared Sybase library for DBD-Sybase results in compiler crashes. One way to work around this is to build a statically linked perl that includes the Sybase libraries statically linked:

Uncomment the LINKTYPE=static line in CONFIG
perl Makefile.PL
make
make perl
Install the newly created perl binary in place of your normal perl binary.

It works, weve tried it. There is a good reference to getting ctlib to work for linux here, and also about setting up DBI/DBD::Sybase on Linux here

32. My USR radius attributes dont seem to be numbered correctly. Why?

On the netservers you have control over whether certain VSAs start counting at 0 or 1 using the set format command:

Formatting connect-info message output: This command allows you to specify whether the information sent to RADIUS is 0-based or 1-based. The USR vendor-specific RADIUS attributes affected are; Connect-Speed (0x9023), Modulation-Type (0x006C), Error-Control-Type (0x0099), and Compression-Type (0x00C7). The default is to begin the slot and channel numbering at zero.

	set format connect-info <0-based | 1-based>

33. I'm having problems compiling MD5 on Rhapsody. Why

Rhapsody still has some unusual behaviour, but its basically OK.

This is the basic process on Rhapsody:

Unpack MD5 in a work directory
perl Makefile.PL
Edit Makefile and remove USE_NEXT_CTYPE
make dynamic
make test
make install
You may also need to add MD5 to the perl config file (usually /System/Library/Frameworks/Perl.framework/Config.pm)

34. I'm having problems with NT services and ODBC

When I run Radiator from line command (in foreground), everything goes well. But when I start Radiator as a service on NT, I receive the following message (I enabled "interact with desktop" for this service):

[Microsoft][ODBC Driver Manager] Data source name not found and no default
driver specified (SQL-IM002)(DBD: db_login/SQLConnect err=-1) at
c:\Perl\lib/Radius/SqlDb.pm line 99

You have probably set up your ODBC data source as a user DSN and not a System DSN (Platypus users note: Platypus may be set up this way). You will probably need to remove the existing ODBC DSN, and add it bask as a System DSN.

35. How do I make DBI::Proxy work between unix and NT?

It works fine, but it takes a little effort to get going. Heres what we did:

Active State perl running on NT (hostname romeo in our test)
MS SQL running on NT
On NT, define ODBC system DSN called 'MSSQL', with appropriate configuration to be able to conenct to your MS-SQL database
Install PlRPC module from active state on NT, using PPM
Install Net-Daemon module from active state on NT, using PPM
Install DBD-ODBC module from active state on NT, using PPM
Install DBI module from active state on NT, using PPM
Build and install Net-Daemon-0.31 or better from CPAN on Unix
Build and install PlRPC-0.2012 or better from CPAN on Unix
Build and install DBI-1.13 or better from CPAN on Unix
ON NT in dir c:\perl\bin run the proxy server with
```
	perl dbiproxy --localport 9991
```

On Unix, Radiator configured for AuthBy SQL with:

 DBSource	dbi:Proxy:hostname=romeo;port=9991;dsn=dbi:ODBC:MSSQL
 DBUsername	sa
 DBAuth		sa

Caution: be sure that you have the same version of DBI and its support modules (especially Storable) on both machines. We have seen crashes when incompatible versions of Storable are used.

36. I cant unzip the Radiator distribution on Windows. Why?

The Radiator distribution will unzip fine with recent versions of WinZip. We use WinZip 6.3 through to 9.0 here (with the classic interface). If you are using that or a later WinZip, and it still wont unzip, check these:

Some browsers will rename the file when you download it. Make sure it has a ".tgz" extension. WinZip uses the extension to determine what to do with the file. Try renaming your file so that it has a ".tgz" extension.
Some browsers will corrupt the file if they think it is a text file. Try Shift-Click on the Accept link to download the distribution.
Check that you have downloaded the whole file. Get a directory listing of the downloads areea, and check that your copy is about the same size as reported on the directory listing.
Try downloading the file again.
Try using a different browser, or a different computer to download.

37. How do I make Radiator work with Interbiller 98?

Radiator can authenticate from the Interbiller 98 user database using AuthBy SQL. There is an example configuration file in goodies/interbiller.cfg to get you started. Interbiller uses a Microsoft Access database, so on Win95 or NT, you will need to install the Perl DBI and DBD-ODBC modules, and configure a System DSN to point to the Interbiller database (usually called 'Subs.mdb').

At this time, Interbiller does not handle Radius accounting data for doing time-based billing. We will add the ability to save accounting data to Interbiller as soon as Interbiller supports it.

38. How do I make Radiator work with Freeside?

See the example freeside.cfg in the goodies directory. There is also an example hook that will allow Radaitor to work with Freeside accounting.

39. Is Radiator Y2K compliant?

See the Radiator Y2K Statement.

40. I got an error while testing perl-ldap on Linux. Is that OK?

While testing perl-ldap-0.09 on Linux, you may see this:


/usr/bin/perl -I./blib/arch -I./blib/lib -I/usr/lib/perl5/i386-linux/5.00404 
 -I/usr/lib/perl5 bin/ldapsearch.PL
[mikem@charlie perl-ldap-0.09]$ make test
PERL_DL_NONLAZY=1 /usr/bin/perl -I./blib/arch -I./blib/lib 
 -I/usr/lib/perl5/i386-linux/5.00404 -I/usr/lib/perl5 -e 
 'use Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/00ldif-entry......ok
t/01url.............dubious
        Test returned status 0 (wstat 7, 0x7)
Undefined subroutine &Test::Harness::WCOREDUMP called at 
 /usr/lib/perl5/Test/Harness.pm line 252.
make: *** [test_dynamic] Error 2

Thats OK. The resulting module will still work fine with Radiator.

41. Does Radiator support the IETF Radius Tunnelling attributes?

Yes. There are a few tricks to using them though. The IETF standard tunnelling attributes have a "tag" that is used to group tunnelling attributes. Radiator always sets the tag to 0 for the integer attributes Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Preference and Tunnel-Password. This means that you must also set the tag to 0 in the value if you use the string attributes Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Private-Group-ID, or Tunnel-Assignment-ID. The easiest way to do this is with an escape sequence in the string, for example:


Tunnel-Server-Endpoint = "\000203.63.154.22 fr:20",

The \000 at the beginning specifies a tag of 0, and you musthave it at the beginning of the string attributes.

The specification for "RADIUS Attributes for Tunnel Protocol Support" can be found here

42. How do I set up Radius Tunnelling with my Bay Annex Server?

When a tunnelling user dials into the Annex, the Annex will first authenticate the user@realm with Radius and Radius must return the tunnel configuration options with Annex-Local-Username, Annex-User-Server-Location, Tunnel-Medium-Type, Tunnel-Server-Endpoint, and Tunnel-Type. This information tells the Annex how to set up the tunnel, and the name of the user to reauthenticate (with Annex-Local-Username). The Annex will then set up the tunnel and send a second Access-Request for the username specified by Annex-Local-Username. Radius should reply with the normal PPP radius reply.

There is an example Radiator configuration file in goodies/annex.cfg that shows a neat way to do this.

43. How can I do authentication from one SQL database and accounting to another?

Use something like this:


<Realm whatever>
	AuthByPolicy ContinueAlways
	<AuthBy SQL>
		DBSource	dbi:???????
		DBUsername	userfordb1
		DBAuth		authfordb1
		# an empty AuthSelect turns off auth
		AuthSelect

		AccountingTable	whatever
		etc, etc, etc.
	</AuthBy>
	<AuthBy SQL>
		DBSource	dbi:???????
		DBUsername	userfordb2
		DBAuth		authfordb2
		# an empty AccountingTable turns off accounting
	</AuthBy>
</Realm>

44. What does a "Could not find a Client" warning mean

If you see a WARNING message like:


Tue Apr 13 21:47:18 1999: WARNING: Could not find a Client for 
 NAS 168.115.29.194 to double-check Simultaneous-Use

it means that you probably have a DNS name for that client in its Client clause, but do not have a reverse DNS entry for it in your DNS. Radiator would need the reverse DNS entry so it can figure out the clause that corresponds to the NASs IP address.

You should either:

Add a reverse DNS entry for that client, or....
Change your Radiator Client clause so it uses the IP address instead of the DNS name.

45. Im having problems building MySQL

There are known problems with shared versions of libmysqlclient, at least on some Linux boxes. If you receive an error message similar to


install_driver(mysql) failed: Can't load 
'/usr/lib/perl5/site_perl/i586-linux/auto/DBD/mysql/mysql.so' 
for module DBD::mysql: File not found at 
/usr/lib/perl5/i586-linux/5.00404/DynaLoader.pm line 166

then this error message can be misleading: It's not mysql.so that fails being loaded, but libmysqlclient.so!

As a workaround, recompile the Msql-Mysql-modules with

perl Makefile.PL --static --config 
make 
make test 
make install
This option forces linkage against the static libmysqlclient.a.

46. I get a weird error message when I try to use Log SYSLOG

You might get an error message like this:


Mon Apr 19 15:45:31 1999: ERR: Could not load Log module
Radius/LogSYSLOG.pm: Can't locate syslog.ph in @INC 
(did you run h2ph?) (@INC contains: .........

This indicates that you have not yet run the h2ph perl utility to generate the syslog.ph file fopr your system. More details in the Radiator reference manual, and see also "man h2ph". We usually just do:


cd /usr/include; h2ph * sys/*

47. Im having problems compiling MD5 on SCO Open Server

I get this error:


	gcc: -fPIC is only valid with -melf

After doing perl Makefile.PL, you will need to edit Makefile and alter CCCDLFLAGS to read like this:


CCCDLFLAGS = -fPIC -melf

48. Im getting 'Expiration date has passed' from Platypus

and Im sure that the expiration date has not passed.

Some versions of the Platypus RadiusNT-compatibility files use 1/1/2050 as the default expiration date. Versions of Radiator up to and including 2.13.1 had problems with Platypus expiration dates later than Dec 31 2037. If you have this problem, you will need to alter your RadiusNT views MasterAccounts and SubAccounts so the expireDates are no later than 2037.

49. On my BSDI box, I'm getting "Out of memory!" messages

By default, BSDI has fairly strict limits on the maximum data size permitted to a process. If you have a fairly large password file or users filem Radiator may need a larger data space. See goodies/bsdi-memory.txt in your distribution for detailed instructions on how to increase the default data size on BSDI, contributed by Paul Thornton (paul@dove.mtx.net.au). Thanks Paul.

Alternatively you could just wrap a script around radius like this:

#!/bin/sh
# Increase data size limit to 32M
limit datasize 32000k
/usr/local/bin/radiusd &

We have also seen memory problems when using dbi:proxy SQL transport from a BSDI system to NT, and where the BSDI has an old version of the perl Storable module (say 0.5, compared to 0.66 on the NT box). The fix is to build and install a more recent Storable on the BSDI.

50. I have problems with MyODBC on NT

When I use AuthBy SQL and MyODBC on NT or Win 95 I see "send failed: unknown error", when Radiator tries to send its first reply to a NAS. Then Radiator goes into a hard infintie loop.

This is cause by a problem with myodbc-2.50.22. You should downgrade to myodbc-2.50.19 instead, see the ODBC download dir

51. How can I poll Radiator with MRTG?

Contributed by Stephen Roderick (steve@proaxis.com):

Well, this is what I do (via a cron job every 5 minutes):

#!/usr/local/bin/perl

$total = 0;
$accttotal = 0;

open(FD, "/usr/local/bin/snmpwalk host community .1.3.6.1.3.79.1.1.1.6.1.4  |") or die;
while(<FD>)
{
    $total += $1    if (/.* = (\d+)/);
}
close(FD);

open(FD, "/usr/local/bin/snmpwalk host community .1.3.6.1.3.79.1.1.1.6.1.12  |") or die;
while(<FD>)
{
    $accttotal += $1    if (/.* = (\d+)/);
}
close(FD);

$total *= 8;
$accttotal *= 8;

open(FD, ">/stats/radius.stats");
print FD "$total\n$total\n";
close(FD);

open(FD, ">/stats/radiusacct.stats");
print FD "$accttotal\n$accttotal\n";
close(FD);

exit 0;
-----------------------------------------------------------

Then I have the following config for MRTG:

Target[radiator]: `/bin/cat /stats/radius.stats`
MaxBytes[radiator]: 2000
Options[radiator]: nopercent
Title[radiator]: Radius Statistics
PageTop[radiator]: Radius Statistics
WithPeak[radiator]: dwmy
YLegend[radiator]: No. of queries
ShortLegend[radiator]: queries
LegendI[radiator]:  Authentication:
LegendO[radiator]:

#.....................................................................

Target[radacct]: `/bin/cat /stats/radiusacct.stats`
MaxBytes[radacct]: 2000
Options[radacct]: nopercent
Title[radacct]: Radius Statistics
PageTop[radacct]: Radius Statistics
WithPeak[radacct]: dwmy
YLegend[radacct]: No. of queries
ShortLegend[radacct]: queries
LegendI[radacct]:  Accounting:
LegendO[radacct]:

I'm sure there is a better way but at some point you get tired of trying to find it and just do something that works.

52. I get errors when I try to run radiusd as a SUID program

If you run radiusd as a SUID program on some platforms, you may get an error message like this:


Cannot get host name of local machine at ./radiusd line 106

This is due to perls strict checking when running a SUID program. You can fix it by uncommenting this line near in the BEGIN near the top of the radiusd file:


	$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';

The path you use should include the path to your hostname(1) or uname(1) programs.

53. I get an error when testing or running IpssPerl

On some Unix systems, you might get this error when compiling and testing IpassPerl:


[mikem@charlie IpassPerl-1.3]$ make test
PERL_DL_NONLAZY=1 /usr/bin/perl -I./blib/arch -I./blib/lib 
 -I/usr/lib/perl5/i386-linux/5.00404 -I/usr/lib/perl5 test.pl
1..6
Can't load './blib/arch/auto/Ipass/Ipass.so' for module Ipass: 
 ./blib/arch/auto/Ipass/Ipass.so: undefined symbol: 
 RSAPrivateDecrypt at /usr/lib/perl5/i386-linux/5.00404/DynaLoader.pm 
 line 168.

This can be fixed by editing Makefile.pl, and changing the LIBS line to read:


    'LIBS'	   => ["-L$ipass_lib -lip -lssl -lcrypto -lrsaref"],

54. Radiator keeps reporting "Bad Password", and I don't know why

In decreasing order of probability:

The shared secret configured into Radiator for that client is not the same as the one in the NAS. If the secret is wrong, Radiator will decrypt the password to nonsense, and you will be able to see this if you log passwords with PasswordLogFileName.
Your shared secret contains special characters that your NAS doesn't like. Some NASs have problems with non alphanumeric characters. Trying changing the shared secret in your NAS and Radiator to be just alphanumeric characters.
If you are using SQL authentication, make sure you specify EncryptedPassword only if the password column contains a Unix crypt(2) encrypted password.
The password is really wrong.

55. Im using DBD-Sybase on Unix, and my accounting data is not being saved

Make sure you are using at least DBD-Sybase-0.19. Some earlier versions (notably DBD-Sybase-0.18) had problems with table locks.

56. I get "unblessed reference" errors in my Hook

Contrary to the documentation published with version 2.13.x, you need to access $_[0] and $_[1] by dereferencing them:


 PreAuthHook sub { ${$_[0]}->add_attr('test-attr', 'test-value'); }

57. How do I make RAS send the correct parameters to Radius?

you must remove two keys from the RRAS server's register:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CHAP
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\SPAP

Contributed by Michael Gatti (mike@mso.com.br). Thanks Michael.

58. How can I make a simple hook that logs authentication requests?

In your Radiator configuration file, set up a PreAuthHook, whose text is in an external file, something like this:


<Realm xxxxx>
       PreAuthHook	file:"preauthhook"
       ...
</Realm>

And in the file preauthhook:


sub
{
	my $p = ${$_[0]};

	return unless $p->code() eq 'Access-Request';

	my $username = $p->getAttrByNum($Radius::Radius::USER_NAME);
	my $nasaddress = $p->getAttrByNum($Radius::Radius::NAS_IP_ADDRESS);
	my $timestamp = time;
	# etc;

	if (open(LOGFILE, ">filename"))
	{
		print LOGFILE "$timestamp:$username:$nasaddress\n";
		close(LOGFILE);
	}
}

59. How can I authenticate using oracle on a remote machine

Where should I setup the host and port where radiator must search for Oracle?

(contributed by John Coy (jcoy@anc.net) You'll need to define the remote database in your tnsnames.ora file, like this:

-- tnsnames.ora --
remote_database=
     (DESCRIPTION=
         (ADDRESS=
             (PROTOCOL=TCP)
             (HOST=WWW.XXX.YYY.ZZZ)
             (PORT=XXXX)
         )
         (CONNECT_DATA=(SID=WG73))
     )

(replacing values as appropriate)

Then, in your radiusd.cfg, you define an clause using the "remote_database" in the connect string.

-- radiusd.cfg --
         
             DBSource dbi:Oracle:remote_database
             DBUsername USERNAME
             DBAuth PASSWORD

There's a lot more in the clause to make it work. Look at the docs for more information.

LET ME MENTION that if you do not have the correct connect string, radiator will dump core every time it tries to talk to your database. Double-check your entries and write some test perl programs using that connect string!

60. Whats the story with Session-Timeout and Cisco's

As of IOS 11.3(8)T PPP per user timeouts work on both asynchronous and synchronous (multilink ppp) interfaces. From 11.3(8.1)T these features work on non-virtualised synchronous interfaces. I have spent many hours on getting this working with Radiator successfully for both async and ISDN calls. For more info there is a document on CCO that outlines what can be done, NAS and server sample configs and a heap of debugging info.

http://www.cisco.com/warp/public/131/8.html

Contributed by Matt Nichols (matt@hunterlink.net.au)

61. I have weird problems with users on NT and Win3, but not Win95/98

Check that you are not setting the wrong name for the compression attribute. If you have inherited a users file from an older Livingston system, the spelling of Van-Jacobson-TCP-IP may be wrong. Some older systems use the incorrect spelling Van-Jacobsen-TCP-IP, and this will not work with Radiator.

Some symptoms of this problem might be inability to browse, but ping still works. VJ only affects TCP traffic, so pings (ICMP) and DNS (UDP) are unaffected when VJ is out of whack.

Contributed by Mike Biesele. Thanks Mike.

62. I am trying to compile IpassPerl version 1.4, and I get compile errors.

You need to geet the latest version of the iPASS libraries and headers. These are not yet available direct from iPASS, but we have permission to distribute them. They are available for a range of platforms at the normal Radiator download area.

63. Where can I get the iPASS libraries that IpassPerl requires?

IpassPerl 1.5 requires updated versions of the libraries and headers for interfacing with the iPASS system. You can get these upgrades directly from Open System Consultants.

Download and unpack the file for your platform. Unpack the the file in your iPASS directory (usually /usr/ipass)

Sparc Solaris
x86 Linux
x86 FreeBSD a.out format (for older versions)
x86 FreeBSD elf format (for newer versions)
Other platforms: Contact info@open.com.au

64. How do I add Radius Basic authentication to Apache?

For Apache 1 and 2, the preferred way now is to use the mod_auth_radius module from https://www.gnarst.net/authradius. You can compile this module yourself, or there are precompiled binaries and RPMs for a number of platforms available on the web. There is a detailed configuration document in goodies/apache2-radius.txt in your Radiator distribution.

Another (mostly obsolete) way is with mod_perl and Apache-AuthenRadius:

Build and install Perl 5.004 or better
Install MD5 1.7 or better from CPAN
Install IO 1.12 or better from CPAN
Install RadiusPerl 0.05 or better from CPAN
Install Apache-AuthenRadius 0.3 or better from www.apache.org
Unpack Apache 1.3.4 or better from www.apache.org
Install mod_perl 1.21 or better from CPAN (see instructions included in mod_perl
When building mod_perl, you must enable the PerlAuthenHandler command by building like this:
cd mod_perl; perl Makefile.PL USE_APACI=1 PERL_AUTHEN=1
make
make test
make install
cd ...../apache_1.3.4
make install
Put this in your httpd.conf:
PerlModule Apache::AuthenRadius

Put something like this in the .htaccess of the directory you wish to protect:

AuthName Radius
AuthType Basic
PerlAuthenHandler Apache::AuthenRadius
PerlSetVar Auth_Radius_host localhost
PerlSetVar Auth_Radius_port 1645
PerlSetVar Auth_Radius_secret mysecret
PerlSetVar Auth_Radius_timeout 5
require valid-user

65. How do I add Radius Digest authentication to Apache?

Requires plaintext passwords in the Radiator user database.

Install our patch for Apache-AuthenRadius 0.3, which adds support for Digest to Apache-AuthenRadius.
Install our patch for RadiusPerl 0.5, which adds support for long passwords and Digest::MD5 to RadiusPerl.

Put something like this in the .htaccess of the directory you wish to protect:

AuthName "Radius Test"
AuthType Digest
require valid-user
PerlAuthenHandler Apache::AuthenRadius
PerlSetVar Auth_Radius_host localhost
PerlSetVar Auth_Radius_port 1645
PerlSetVar Auth_Radius_secret mysecret
PerlSetVar Auth_Radius_timeout 5

Note: Apache-AuthenRadius-0.3 imposes rediculous limitations on the length and content of permitted user names. You might want to consider removing that code from AuthenRadius.pm.

66. Whenever my iPASS authentication starts, I get a segmentation fault, and no reason?

This can happen if you have the Debug parameter set in your AuthBy IPASS, but you do not write permission to the ipass trace file (usually /usr/ipass/logs/iprd.trace). You can either alter the permissions on /usr/ipass/logs/iprd.trace or else set a different trace file with the Trace parameter.

67. Whats an example for setting Cisco ACLs for all users in a Realm

In this example, all users are authenticated from a DBM file, and they all get the same ACL.



     RewriteUsername s/^([^@]+).*/$1/
     
        Filename /opt/local/etc/radiator/users.db
            AddToReply \
            cisco-avpair = "ip:inacl#5=permit ip any 205.32.16.0 0.0.0.255", \
            cisco-avpair = "ip:inacl#10=permit udp any any eq domain", \
            cisco-avpair = "ip:inacl#15=permit tcp any any eq domain", \
            cisco-avpair = "ip:inacl#20=permit tcp any any established", \
            cisco-avpair = "ip:inacl#25=permit udp any any range 1024 9000", \
            cisco-avpair = "ip:inacl#99=deny ip any any"

68. Why doesn't my syslog logging from Radiator work on Red Hat 6.1 and similar platforms?

Recent versions of Linux syslogd do not by default listen to the UDP port that the Perl Sys::Syslog module uses. In order to let Radiator and other Perl sysloggers work, you need to restart syslogd with the -r flag.

69. Why does my MySQL database keep crashing?

This tip was contributed by "Roy Hooper" (rhooper@eisa.com):

All of a sudden, today, Radiator kept locking up on us every 20 minutes.

Looking in the logs for MySQL and for Radiator, MySQL was crashing and restarting regularly, so I turned on -trace 9 on radiator, hoping to see if there was any relationship between radiator crashing and MySQL core dumping.

It turns out that there was no relationship between coredumps and crashes -- MySQL would continue to stay running without a recent coredump when Radiator locked up. The problem was that MySQL was locking up instead of core-dumping.

An upgrade from 3.22.25 to 3.22.30 made the problem worse! MySQL was not coredumping and locking up more regularly than before. I started to get a little worried, but then remembered isamchk.

Turns out radius/RADONLINE was corrupt! No wonder MySQL was crashing often. Our RADONLINE table has a LOT of write and read activity.

TIPS:

Run ISAMCHK to check your databases regularly.
Repair broken databases.

Information on using ISAMCHK

70. Why does Radiator with a DBM session database hang on Solaris

A number of people have reported problems with DBM session databases on Solaris. The problems seems to be in the NDBM library, so we recommend moving to the Berkeley DB library instead.

You can change the DBM library that Radiator uses by changing the $dbtype varibale at the top of SessDBM.pm

71. Why don't my Idle-Timeouts work on Cisco?

This information ws contributed by Matt Nichols (matt@hunterlink.net.au):

Idle-timeouts only worked correctly on ISDN calls after 11.3(8.1)T or later. We have these working correctly by passing something like this:

  AddToReply Service-Type = Framed-User, \
                     Framed-Protocol = PPP, \
                     Framed-Routing = None, \
                     Framed-MTU = 1500, \
                     Framed-Compression = Van-Jacobson-TCP-IP, \
                     Idle-Timeout = 300, \
                     Session-Timeout = 600

This will set an idle-timeout of 300 seconds and a maximum session time of 600 seconds.

72. Why doesnt Ascend-Idle-Limit work?

From the Lucent manual:

Ascend-Idle-Limit will be deprecated in favor of the RFC-defined attribute Idle-Timeout (28) over time. Currently, if a user profile specifies both an RFC-defined attribute and an Ascend vendor attribute that performs a similar function, the last one sent by the server is used. However, using both attributes is not reliable and is not recommended.

73. I'm getting Accounting Stops with no user name from may MAX. Why?

(Contributed by "Christopher J. Carlson" (dz@lakes.com). Thanks Christopher>


Ethernet>Mod Conf>Accounting>Allow Stop Only=No

If this "Allow Stop Only" equals yes, it sends stop records without the username if the user is not authenticated. Why they would ever need to set this to yes is beyond me.

74. My TNT sends authentication request for silly user names like "banner", "route1" etc

By Default Ascend TNT will try to configure itself at startup by asking for various configuraiton items from the Radius server.

You can turn this behaviour off with:


	read EXTERNAL-AUTH
	set rad-auth-client allow-auth-config-rqsts = no

To turn off the Remote config for a Max it's the following


 Ethernet->Mod Config->TServ options->Remote Conf=No

75. How do I make the Cisco h323 VOIP attributes work

Contributed by Vincent Torres (vincent@junroo.net):

First, you need the h323 attributes in your dictionary (they will be included in the standard dictionary in Radiator 2.16 onwards, patch available for 2.15)

Anyway, aside from the dictionary, you will have to tweak the h323 AV pair you gave the Cisco VoIP server. As an example, if you define a user in a flat file the reply items should look like this:


1234	User-Password = "567899"
	h323-credit-amount = "h323-credit-amount=123.45",
	h323-credit-time = "h323-credit-time=900"

basically the ascii value that you send back has to be prepended with the attribute so in the perspective of radiator it sends back attribute = "attribute=value". but the 5300 will be able to recognize this...as long as it's the correct h323 attribute prepended.

so far this is the only value the Router/IVR will recognize. And according to Cisco it isnt going to change soon ("It's a feature, not a bug"). In any case it worked and the IVR was able to break down those values into appropriate audio prompts...

The accounting requests you receive from the Cisco will look something like this:


    h323-gw-id = "h323-gw-id=LA_XYZZY_AS5300_2.bigco.net"
    h323-conf-id = "h323-conf-id=5733C4FA 393500DB 0 DA629C"
    h323-call-origin = "h323-call-origin=answer"
    h323-call-type = "h323-call-type=Telephony"
    h323-setup-time = "h323-setup-time=21:10:31.090 UTC Mon Mar 6 2000"

i.e, the Radius value includes the Cisco attribute name.

More details at Cisco RADIUS Vendor-Specific Attributes for VoIP Call Authorization

76. Im not able to connect to Microsoft SQL 7.0 using DBD-Sybase or DBD-FreeTDS from Unix

Microsoft SQL version 7.0 broke Sybase and TDS connectivity. There is a patch available from Microsoft to fix this. If you are using DBD-Sybase, you will need at least DBD-Sybase-0.22.

77. Im having problems authenticating from my Tigris running 11.5.x

Apparently 11.5.x software has some changes that they say are due to changes in the Radius protocol, and they imply that its a problem with the radius server. This is completely incorrect. Nevertheless, here is an extract fomr their documentation:

Radius Update from 11.5.x
*As of Tigris Software Version 11.5.x there are some RADIUS Modifications that have been made to allow the Tigris to support new RADIUS standards. This will cause the Tigris not to be able to see some RADIUS Servers because it cannot file particular RADIUS Attributes that it needs to be able to perform RADIUS Authentication. the Tell Tale sign of this error in 11.5.x code is This error Message in the TRAP via telnet or Console.

*** TRAP from local agent at 31-Aug-1999 11:05:09 uptime 0 Days, 00:00:03 
*** RADIUS (Auth-1): Access denied for user "ACC_DEFAULT"

OR / AND

*** TRAP from local agent at 31-Aug-1999 10:15:02 uptime 0 Days, 00:00:00 
*** RADIUS (Auth-1): Operational state changed from DISABLED to UNKNOWN

The Work Around :
*Add a Radius user entry by the name of "ACC_DEFAULT". The password for this user account is the same as the shared secret for the Radius Authentication server entry. Note that the authentication is sent using PAP. Set the return list attributes to those values which will be used as default by your user base.


ACC_DEFAULT   Password = "secret" 
                Framed-Protocol = PPP, 
                Service-Type = Framed-User, 
                Framed-IP-Address = 255.255.255.254, 
                Framed-Compression = Van-Jacobson-TCP-IP

*This should allow RADIUS to work perfectly with Tigris software 11.5.x and beyond..

78. How do I integrate Radiator with iPASS outbound roaming

As of April 2000, the preferred method of interoperating with iPASS is to proxy outbound requests from Radiator to the iPASS radius server, using AuthBy RADIUS. This means that you must configure and run the iPASS radius server. If the iPASS radius server is running on the same host as Radiator, it must be configured to listen to different server must be configured to listen to different ports to Radiator.

79. Radiator is accepting requests, but dialup users still can't connect to my Cisco

If debug is turned on in the Cisco, you might also see something like this:


	16:18:51: RADIUS: no appropriate authorization type for user.
	16:18:51: AAA/AUTHOR (1723208106): Post authorization status = FAIL
	16:18:51: As33 AAA/AUTHOR/LCP: Denied
	16:18:51: As33 PAP: O AUTH-NAK id 1 len 25 msg is "Authorization failed"

Cisco NASs are very picky about radius replies, and usually require at least a Service-Type in the reply. The easist way to set this up is to add something like this to your AuthBy:


	AddToReply Service-Type=Framed-User,Framed-Protocol=PPP

80. I cant connect to my database using DBD-FreeTDS

Some versions of the DBD-FreeTDS snapshot were released with incorrect build information. The result is that DBD-FreeTDS builds, tests and installs correctly, but Radiator fails to load it, resulting in error messages similar to:


Can't read $DBI::errstr, last handle unknown or destroyed at 
 Radius/SqlDb.pm line 130, <FILE> chunk 48.

This is because the DBD-FreeTDS is configured for static linking, and the loadable module for DBD-FReeTDS is never built and installed.

To fix this, edit Makefile.PL, alter the LINKTYPE line to be 'dynamic'. Then 'perl Makefile.PL', 'make', and 'make install'.

81. When using DBD-Sybase on RedHat 6.1, I get a segmentation fault

On that platform, your environment variables must be set like:


SYBASE=/opt/sybase; export SYBASE
LANG=; export LANG
LC_ALL=; export LC_ALL

82. Using Informix with AuthBy SQL sometimes doesnt work properly

We have had reports that some versions of DBD-Informix cause Radiator to go into an infinite loop, looking for DEFAULT username. The fix for this is to use the NoDefault parameter to prevent looking up DEFAULT users.

83. How do I authenticate using Secure ID

Radiator supports direct interfaces to the SecureID ACE security system (with AuthBy ACE), and it also supports proxying to the SecurID ACE/Radius radius server.

84. I am using AuthBy ACE on Solaris, but Radiator hangs when it authenticates

You are probably using SecurID ACE Agent version 4, which has a bug that prevents AceCloseAuth completing (see the INSTALL file in Authen-ACE4). You will need to get a patched version of libaceclnt.a from RSA Security, or Open System Consultants, else upgrade to version 5.

85. How do I configure Cisco IOS 12.1 for PreAuthentication with Radiator?

Cisco has recently released additional Radius functionality in IOS 12.1. Cisco NAS equipment is now able to issue an initial Radius Access-Request before answering a call, allowing Radiator to enforce PORTLIMITCHECK's for example, prior to answering the call. See the following URL's for details: Preauthentication with ISDN PRI Preauthentication with ISDN PRI and Channel-Associated Signalling

86. Where can I find a Radius packet decoder?

See Radical

87. Where can I fond general introduction and tutorial matarial about Radius?

Getting Acquainted with RADIUS

88. Can I use Oracle stored procedures for AuthSelect in AuthBy SQL?

No, but there is a contributed module in goodies/AuthPLSQL.pm that will allow that. See also the sample config file plsql.cfg. This code was contributed by Pavel A. Crasotin (pavel@ctk.ru). Thanks Pavel.

89. My DBD-Oracle with Oracle 8 crashes, both on the DBD-Oracle test, and in Radiator

You need to enable thread support during your perl build.

90. I cant make AuthBy LDAP in 2.16.2 or earlier work with perl-ldap-0.20

Some recent incompatible changes to perl-ldap means that you should use an earlier version, such as perl-ldap-0.13 instead.

91. How do I make my perl CGI scripts run properly on IIS on NT?

See this for some assistance.

92. How do I use PAM to authenticate to Radius?

See pam_radius_auth: The PAM RADIUS authentication module for code and installation hints. See also goodies/pam-radius.txt in your Radiator distribution.

93. Where can I find a Radius packet analyser

Radstock

94. I cant get snmpwalk for my IBM AIX system

See goodies/ibm-snmp.txt for some hints contributed by Dave Close

95. How can I force my TNT to use PAP using Radius?

A detailed discussion on this topic is included in goodies/tnt-pap.txt in the distribution, contributed by Aaron Bailey (abailey@comtech.com.au).

96. How do I set up vpdn tunnelling on a Cisco?

Contributed by Alex S. Burba (burba@iite.ru).

Add this to your Cisco configuration:

vpdn enable

And set up a user in your Radiator to authenticate and configure your end of the tunnel. The user name is exactly the same as the domain or realm that is to be tunnelled:


{DOMAIN} Password="cisco", Service-Type = Outbound-User
	cisco-avpair = "vpdn:tunnel-id={NAS name}",    
	cisco-avpair = "vpdn:ip-addresses={GW ip}",
	cisco-avpair = "vpdn:nas-password={password}", 
	cisco-avpair = "vpdn:gw-password={password}"

where {DOMAIN} is the domain or realm to be tunnelled, {NAS name} is conventionally the name of the router at the other end of the tunnel. The other end of the tunnel needs to be set up with complementary attributes.

97. How do I use Disconnect-Request

The first thing to understand is that, as always, the Radius protocol is implemented in a client/server architecture, in which the client sends requests to the server. Note that there is no mechanism in the protocol for a server to send a request to a client.

This is important to understand, because for a "Disconnect-Request" to be handled by a NAS, the NAS itself must be configured to act as a Radius server for the purposes of this request at least (as well as being a Radius client in the usual sense). Now clearly, in more common utilisation, the NAS is the client and Radiator is the server, so for this to be supported by the NAS, it is the NAS software that must support the function. Further, the exact syntax to specify which session to terminate is also NAS dependent.

So what does this mean for Radiator? Well, firstly, Radiator itself does not necessarily need to be involved at all (unless you want to log these requests, which is probably a good idea). If you do want the "Disconnect-Request" packets to transit Radiator, you will need to set up at the very least an AuthBy RADIUS proxy clause to forward the request to the NAS. You may also want to configure a special Realm or Handler which will limit what system hosts are allowed to send "Disconnect-Requests" at all.

Note that all of the above does not say anything about what software you need to actually generate the "Disconnect-Request" packet. As I have mentioned previously, you can use the latest version of "radpwtst" with the "-code Disconnect-Request" parameter, however please understand that the exact syntax of the rest of the packet is NAS dependent, and you will need to get the details from your vendor.

More information at Dynamic Authorization

98. Why do I get 'SQL Timeouts' when I use AuthBy SQL with Sybase ODBC libraries?

The Sybase ODBC libraries (which are the ones you get if you use DBD-ODBC with Sybase) on Unix use ALRM signals, which breaks Radiator's independent use of alarms to detect SQL timeouts.

With versions of Radiator post 2.17.1, you can set Timeout to 0 in any SQL clause, which stops Radiator from implementing any alarms. It will then rely on the underlying SQL library to time out if there is an SQL problem. We recommend you do this for any Sybase ODBC connections.

99. I get an unknown socket error on Windows 2000 or NT

On Windows 2000 Server or NT, you might see an error like:


Could not bind authentication socket: unknown error at ./radiusd line 336.

This usually means that there is already a radius server running in that machine. It is likely to be the Microsoft IIS radius server that is enabled by default on Windows 2000 Server. In that case the solution is to edit the Services on that machine and set the 'Internet Authentication' service to 'Manual'.

This error is sometimes seen if any radius server has recently been shut down on that host. The operating sysyem takes a little time to make the socket available again. In that case, waiting for a few minutes will allow the server to be restarted.

100. How do I make Radiator work with Optigold ISP?

Optigold ISP Is a mature and capable ISP billing package that runs on Windows.

Optigold works interoperates with Radiator through flat files: There is a flat users file that is generated with Maintenance->Server Stuff->Generate RADIUS file. This file is created by default in c:\Program Files\Optigold ISP\authent.txt. This config file is designed to use that file in the standard place. Note that you can also get Optigold to FTP this users file to a different Radius server host. Thta host could also be a Unix or Windows host running Radiator.

In order the get Optigold to generate a correct users file for Radiator 2.18 or later, you will need to slightly alter the default Radius configuration provided with Optigold. Click the 'Config' button next to "Generate RADIUS File" on the Maintenance->Server Stuff. The first line in column 2 reads: Password = "", Delete the comma from the end so it reads: Password = "" and then click back.

If you are using a version of Radiator earlier than 2.18, you will need to make some more extensive changes to the default Optigold Radius configuration, since it uses non-standard names for some Radius attribtues. You will need to edit the RADIUS File Config page so it looks like this:

Column 1                       Column 2
                        User-Password=""
                               Service-Type=Framed-User,
                               Framed-Protocol=,
                               Filter-Id=,
                               Framed-IP-Address=,
                               Framed-IP-Netmask=255.255.255.255,
                               Framed-Routing=,
                               Framed-Compression=Van-Jacobson-TCP-IP,
                               Framed-MTU=1500
#

Radius accounting data must be preprocessed before importing into Optigold. The Radius_Parse by Stathy Touloumis, provided on the Optigold web site support area (www.digitalpoint.com/support) can parse the Radius detail file produced by Radiator. This config file will log accounting to c:\Program Files\Optigold ISP\radius. Stathy's scripts can read, parse and rotate that file to produce amn Optigold import file. You may need to alter the usrmon.cf file provided with Stathy's scripts in order to point it at the right files.

There is a sample Radiator configuration file in goodies/optigold.cfg in Radiator 2.18 and later distributions. OptiGold can only use filemaker as its main database, although FM can be hosted on Windows or remotely on Unix.

You can configure OptiGold so that it issues configurable SQL queries to any other ODBC SQL database when certain events happen in OptiGold. For example, when you add a new user to OptiGold, it could trigger the insertion of the identical user details into a mysql database, possibly running on a remote Unix machine.

In this way, you can arrange to keep a mysql database in sync with the OptiGold user data in the main OptiGold database. Therefore you could configure OptiGold to work with the simple database schema that comes with Radiator, or the RAdmin more advanced schema that comes with our RAdmin product (or almost any other schema)

There is apparently no easy way to get OptiGold to import accounting data from a remote SQL database, but you can configure Optigold to query an external database when generating usage statistics.

101. I get an error when I try to install MD5 with PPM from ActiveState

The recent 6xx versions of ActivePerl for Windows from ActiveState include both MD5 and Digest-MD5 in the base package. There is no need to explicitly install MD5. The instructions will be removed in the documentation for the next release.

102. Does Radiator work with SAP?

Yes. Here are some hints from "Gordon Smith" (gordons@morenet.net.nz).

So far, we've found a bug in [the DBD-SAP] perl install script that doesn't check for the DBD directory before installing the driver. This causes the driver to be called DBD....

Creating the tables is a bit involved. The sql commandline interface expects statements to be prefixed by sql_execute, and cannot span multiple lines. We're now writing a perl script to handle database creation instead.

The good thing about the database is the handling of backups and replication - online backups are supported.

BTW, once the DBD driver is installed correctly, DBI works just fine.

Source is available from http://www.sapdb.org

103. How do I authenticate from Active Directory

Active Directory is Microsofts new way of storing user information in Windows 2000. The easiest way is to use AuthBy LSA when Radiator is running on a Windows platform.

It is also possible to use AuthBy ADSI for PAP and TTLS-PAP when running Radiator on Windows.

The most important part of setting up AuthBy ADSI is setting the right BindString, whcih specifies how to query Active Directory for user information. Its not possible here to exhaustively list all the ways to use Active Directory, but the simplest case is where AD provides details for a single domain, and has the default setup of AD. For example, consider an singel AD domain, open.com.au, with its users grouped in a single container called Users (ie the most commojn and standard way of organising users in AD). In that case, your BindString would be:

BindString LDAP://cn=%n,cn=Users,dc=open,dc=com,dc=au

Which means, find users in the Users container for the open.com.au domain.

104. How can I do Active Directory authentication from Unix

The AuthBy ADSI module is only available on Windows platforms. In order to authenticate from Active Directory (AD) with Radiator running on a Unix host, you need to use the AuthBy LDAP2 module with something like this:



	
		Host		your.ad.server.name.com
		AuthDN cn=Administrator,cn=Users,dc=open,dc=com,dc=au
		AuthPassword	admin
		BaseDN		cn=Users,dc=open,dc=com,dc=au
		ServerChecksPassword
		UsernameAttr cn

Note that you need to provide the host name of your Active Directory server, as well as the (AD) name of the AD Administrator in AuthDN, and their password in AuthPassword (or some other suitably priveleged user). This works fine with the standard vanilla type of AD setup, where all the users are in the Users container. If you are using organisational units etc, you may need to change your BaseDN.

This mechanism only works with authentication methods that deliver a plaintext password to Radiator, such as PAP and TTLS-PAP. If you wish to authenticate CHAP, MSCHAP, MSCHAPV2, PEAP-MSCHAPV2, TTLS-MSCHAPV2 etc, you must use AuthBy LSA, which in turn limits you to running Radiator on Windows.

105. I have problems with Long Session-Timeout values on my Cisco

Contributed by Tommy Mazejian (tommy@dcsoftintl.com):

Recently I have discovered some limitations on router/PPP protocol, that I want to share with you.

As you know, the Radiator will read the session timeout from the database and send it to the router as attribute Session-Timeout. However, if the session time out is a number bigger than 35790 minutes (which will be converted to seconds by Radiator), the router (in my case Cisco 7200 series) will not accept it. Radiator will authenticate the user, send the session time out, but on the router/NAS, PPP session will not be completed, and on the client side will give an error 'PPP Link terminated'.

What I have done is that now I am checking the session time out, if it is bigger than 35790, then I am sending 35790. If less, then send as it is.

106. I have installed Digest-MD5 2.13, but get an error at startup

Unfortunately, Digest-MD5 2.13 changed the module sthat were packaged with it. It will usually result in an error with Radiator versions prior to 2.19 when you start Radiator like this when you do perl Makefile.PL


Warning: prerequisite MD5 1.7 not found at (eval 1) line 220.

or perhaps a runtime error when Radiator starts up.

To fix this, you will need to install Digest-MD5 2.12.

Radiator version 2.19 and later works fine with any version of Digest-MD5.

107. How can I improve performance of RADPOOL allocation with Oracle?

Contributed by "Paul O'Shea" (paul@genieinternet.com).

Our pool allocation query is: FindQuery select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL_VW where POOL='%0' and STATE=0 and rownum=1 order by TIME_STAMP asc However you can't use the RADPOOL table directly for this, so what we have done is created a 'view' of the table (thus RADPOOL_VW above in the query).

108. How can I make users goto a particular URL after they have been authenticated?

Contributed by Viraj Alankar (valankar@ifxcorp.com) Depending on your RAS, you may be able to redirect users ALWAYS to a web page, but as far as just doing that initially, and then letting them browse elsewhere, I don't think it's possible. We have implemented simple redirects for Ascend/Lucent devices. Our solution involves sending DNS attributes in the radius response, and running a bogus DNS server that always returns one IP. For example, say I have a bogus DNS setup as 1.2.3.4, that always returns the IP 5.6.7.8. This means any user using this DNS will get redirected to 5.6.7..8 no matter where they browse. I send back in the radius reply the following to enforce this DNS restriction as well as IP filters to block them from using another DNS or going to other hosts:

        Ascend-Client-Primary-DNS = 1.2.3.4,
        Ascend-Client-Secondary-DNS = 1.2.3.4,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes,
        Ascend-Data-Filter = "ip in forward dstip 1.2.3.4/32 udp dstport =
 53", Ascend-Data-Filter = "ip in forward dstip 5.6.7.8/32 tcp dstport = 80",
 Ascend-Data-Filter = "ip in drop",
        Ascend-Data-Filter = "ip out forward"

We then use BIND 8 and a config similar to:

zone "." {
        type master;
        file "named.redirect.hosts";
};

and named.redirect.hosts containing something like:

$TTL 1D
@       IN      SOA     .       hostmaster.mydomain.com. (
        5
        8H
        2H
        1W
        1D )

        IN      NS      1.2.3.4

*.      IN      A       5.6.7.8

4.3.2.1.in-addr.arpa.           IN      PTR     mydns.mydomain.com.

109. How do I set up Oracle so that it authenticates from Radius

Oracle 8 can be configured so that Oracle users have their username and password validated by Radius before they can connect to an Oracle server.

You can find detailed instructions on the Oracle web site (eg here, but briefly:

Use $ORACLE_HOME/bin/netasst on the Oracle server to configure the server to use Radius: choose local->Profile, Oracle Adbanced Security, enable RADIUS, then edit Other Params and enter radius server details.
Create the secret file that you named in the previous step \ (defaults to $ORACLE_HOME/network/security/radius.key). It should contain exactly one line with the shared secret used to communicate with the Radius server.
Use $ORACLE_HOME/bin/netasst on the Oracle client to configure the client to use Radius: choose local->Profile, Oracle Adbanced Security, enable RADIUS, then edit Other Params and enter radius server details.

Tell SQL server to use external authentication for certain users:

sqlplus system/manager
SQL> CREATE USER fred IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO fred;
SQL> EXIT

Add the desired Oracle users to the Radiator user database. Note that Oracle upper-cases user names, so you need to either add your users in UPPERCASE, or add a RewriteUsername to convert all user names to upper case.

110. I'm getting "Bad EAP Message-Authenticator" messages from my Bay 5399

Some versions of Bay 5399 firmware implement an incorrect Message-Authenticator in Access-Request messages. You will need to set IgnoreAcctSignature in the Client clause for that NAS.

111. With PLatypus, how can I have some users with DNIS restrictions and some without?

You can use DNISGroupQuery to customise the query used in AuthBy EMERALD when HonourDNISGroups is set.

Contributed by "Leigh Spiegel" (leigh@winshop.com.au):

This appears to work, I tried using just '0' however it didn't seem to work.. So I'm using the '00000000' so any DNIS group in Platypus set with the 00000000 phone number will basicly disable DNIS checking for that group.

DNISGroupQuery select dn.DNISNumber from AccountTypes a, DNISNumbers dn where a.AccountType='%0' and a.DNISGroupID=dn.DNISGroupID and (dn.DNISNumber='%1' or dn.DNISNumber='00000000')

I would have liked to use "*" as the DNIS for "anything" however Platypus does a sanity check on the input, therefore the 8 zeros being an unlikely phone number therefore ideal to use as a wildcard.

112. Where can I get the Win32-RasAdmin package?

ActiveState does not provide this package any more. The source is from Dave Roth at www.roth.net, but its not available there in PPD format. We have built a ppd package for NT suitable for ActivePerl 5.6.1. To install it with PPM, run this command on your NT host:


ppm install http://www.open.com.au/radiator/free-downloads/Win32-RasAdmin.ppd

Full source is available from http://www.open.com.au/radiator/free-downloads

113. How do I configure for Cisco PPTP VPNs?

Using Radiator 2.19 or later, you can configure to automatically generate the MPPE Keys that Cisco require for encryption, and also to sign the reply with something like this (contributed by "Andre D. Henry" (andre@go-net.com)):


        <AuthBy whatever>

                # Generate MPPE keys to encrypt pptp vpns
                AutoMPPEKeys    Yes

                AddToReply  Service-Type = Framed,\
                        Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Framed-Compression = Van-Jacobson-TCP-IP,\
                        Message-Authenticator = 0000000000000000,\
                        MS-MPPE-Encryption-Policy = Encryption-Allowed,\
                        MS-MPPE-Encryption-Types = Encryption-Any
	</AuthBy>

114. How can I assure high availability for Radiator?

Radiator is extremely reliable as it comes out of the box, but if you wish to guard against unexpected shutdowns or host failures, here are some options:

consider using restartWrapper (provided with Radiator) to restart Radiator automatically (and email you) if there is a problem with the process.
run multiple instances of Radiator on different hosts, and arrange your NASs to use one as primary and another as secondary radius servers. If you have more that 2 servers, arrange the NASs in overlapping groups of primary/secondary pairs.
See goodies/highavail.txt for a discussion about how to use "daemontools" (http://cr.yp.to/daemontools.html) with Radiator.

115. Does Radiator support Cisco Aironet with LEAP?

Yes, Radiator provides LEAP-compatible EAP support. Available as a patch for Radiator version 3.6 and standard for later versions. See the example configuration file in goodies/eap_leap.cfg in your distribution.

116. How does Cisco VOIP accounting work

There is a long discussion about how this works in the goodies/voip.txt file in your distribution. Contributed by Simon Hackett (simon@internode.com.au).

117. Why dont I get Framed-IP-Address in Accounting from my Cisco?

(contributed by Chris M (chrism@peakpeak.com))

I was having trouble getting Framed-IP-Address to update in the Session database and couldn't figure out why. I got the following response from Cisco and thought I'd post it in case it helps anyone else.

I see that you are having difficulty with the aaa accounting on PPP connections.

The problem you describe is the result of ther router sending the accounting START record BEFORE the IPCP negotiation is complete.

There are two ways to change this. The recommended way is to tell the router to send accounting UPDATEs when there is new information. This will accomplish what you are after -- getting the Framed-IP-Address sent to the Radius server. This is accomplished through this global configuration mode:

aaa accounting update newinfo

If, however, your accounting software cannot deal with START, UPDATE, and STOP records, there is another option, though it is officially not supported:

aaa accounting delay-start

Either of these should accomplish what you are after

118. How do I get SNMPAgent to work on NT or Windows?

SNMPAgent requires the SNMP_Session perl module, from here. SNMP_Session can be installed on Unix in the usual way for perl packages.

Unfortunately, this package is not currently available as a PPM package from ActiveState for Windows. However, on Windows you can install this package by hand by unzipping it and copying the three *.pm files it contains to c:\perl\site\lib.

119. How do I build Digest-MD5 on Solaris

If you try to use the perl that is installed with Solaris, it will be hard. You will probably find various compilation problems when you try to compile Digest-MD5. This is due to the fact that this version of perl was compiled with the sun C compiler, and unless you have the Sun C compiler installed, its hard to convince it to use gcc.

We prefer to install the (more recent) perl and gcc binary packages from www.sunfreeware.com. Then building Digest-MD5 will work with the usual perl Makefile.PL;make;make install

120. How can I work with Windows EAP TLS clients

EAP (Extensible Authentication Protocol) TLS (Transport Layer Seecurity) is a secure, mutual authenticaton protocol supported by Windows XP, Linux and some other operating systems. It works with 802.1x wireless and dialup authenticaiton. TLS requires that a certificate be issued to each user. A certificate is a file that contains a public key and a digital signature. Certificates can be created with openssl on Unix or Windows, or with the Windows 2000 Certification Authority software. With TLS, Radiator checks that the client computer contains a valid certificate and that the certificate is for a valid user in a Radiator user database. The client computer can optionally check that the Radiator server is the one they are expecting to connect to (ie this is _mutual_ authentication). TLS authentication can be added to almost any Radiator authentication module. See the example in goodies/eap_tls.cfg in your distribution. EAP TLS authentication is available out of the box for Windows XP. You can add it to Linux with the free Xsupplicant applicaiton. Helpful documentation on how to create test certificates, configure the AP and client software for EAP TLS is available for Linux and Windows XP There is a lengthy discussion of Enterprise deployment of EAP for Windows XP including certificate requirements here See also the Microsoft WiFi Troubleshooting doc Information about enabling 802.1x on Windows 2000 can be found here.

121. Does radpwtst -gui work on Mac OS X (Darwin)

Yes, and so does Radiator and Radar.

Perl 5.6.0 comes with Darwin, but to use radpwtst -gui, you will need to build and install Tk 800.023 or later. You must follow these instruction to build Perl TK successfully. Note especially the need to alter the perl optimise level.

122. How do I get Radiator to work with SCO Open Server?

The default installation of OpenServer does not include perl or a C compiler. Although there is a version of Perl 5.005_03 precompiled in the SCO skunkware FTP area, it cant be used to build Digest-MD5 out of the box. Instead, we recommend that you install gcc from the skunkware area, then build and install perl (say, version 5.6.1) from scratch. then build and install Digest-MD5 2.13 or later in the usual way. With those installed, Radiator will 'make test' fine. Tested on OpenServer 5.0.4 with rs504c and oss601a supplements installed.

If you have problems with link errors concerning fsync when make test ing Digest-MD5, follow the instructions from Andrew Hamm and recompile and reinstall perl.

123. How can I force SQL username comparison to be case-sensitive

By default, many SQL servers do case-insensitive string comparison. This means that AuthBy SQL, AuthBy RADMIN etc would match, for example mikem, MIKEM and MiKeM as being the same user.

Some SQL databases allow you to force case-sensitive comparisons. For example, In the case of MySQL, the 'BINARY' keyword forces the following comparison to be case-sensitive. Therefore you could force case-sensitive user names in an AuthSQL for MySQL with something like:

AuthSelect select PASSWORD from SUBSCRIBERS where BINARY USERNAME=%0

124. How do I configure an Orinoco wireless Access Point for Dynamic WEP

We recommend the use of Dynamic WEP for encryption of all wireless links. Its more secure and easier to manage than static WEP keys. Radiator supports Dynamic WEP for EAP TLS, EAP TTLS and PEAP authentication.

You must have the latest version of the Access Point firmware installed, otherwise you may get unexplained authentication or operation failures. At the time of writing (Sep 2002), the latest version for the AP-2000 is v2.0.0(266)

Configure the wireless client for 802.1x authentication, and dynamic WEP. On Windows XP, this means configuring the 'Wireless Networks' tab in the 'Wireless Netowrk Connection Properties' dialog. Under the 'Association' tab, select 'Data encryption (WEP enabled)' and 'The key is provided for me automatically'. Deselect 'NEtwork authentication (Shared mode)'. Under the 'Authentication' tab, select 'Enable IEEE 802.1x authentication for this network'. Select the EAP type you wish to use (needs to match the EAPType setting in Radiator).
Configure the Access Point. Select 'Configure' then 'Security'. Under the 'RADIUS' tab, deselect 'Enable RADIUS MAC Access Control'. Select 'Enable Primary RADIUS Server'. In 'Authorization Lifetime (seconds)', enter '9000' (the default is too short). In 'IP Address', enter the IP address of your Radiator radius server. Enter a "Shared Secret' (must match the 'Secret' entry in the matching Client clause in your Radiator configuration.). In 'Destination Port', enter the authentication port number of your Radiator (Radiator defaults this to 1645, but can be changed with AuthPort in your Radiator configuration). Under the 'Encryption' tab, select 'Enable Encryption (WEP) for Slot A'. You do not need to enter any WEP keys. Under the '802.1x' tab, set '802.1X Security Mode' to '802.1x'. Set 'Encryption Key Length - Wireless Slot A' to '128 bits' (if your wireless card all support 128 bit WEP keys). Reboot the access point.
Configure your Radiator. Ensure there is a Client clause for the IP address of the Access Point, and ensure the Secret matches the 'Shared Secert' enter in the Access Point configuration. IN the AuthBy clause, ensure EAPType is set to a type matching the types selected in the client (typically 'TLS' or 'TTLS'). Ensure all the other EAP paramters are configured to suit the location of your certificates etc (See the example configuraiton files goodies/eap_tls.cfg and eap_ttls.cfg). Ensure the AutoMPPEKeys paramter is set in the AuthBy clause. Restart Radiator.

125. Im getting a strange error when using DBD-Oracle on Solaris

resulting in an error like:


ld: fatal: file /ora00/app/oracle/product/9.2.0/rdbms/lib/defopt.o:
 wrong ELF class: ELFCLASS64

You're attempting to link a 64-bit Oracle against a 32-bit Perl. The best solution is to edit the Makefile generated by Makefile.PL and change all references to ORACLE_HOME/lib to ORACLE_HOME/lib32. This will get it to use the 32-bit Oracle libraries instead.

126. Does Radiator work with Jet ISP billing

Yes. Radiator works with Jet ISP billing.

Jet is a user management and billing system, specifically designed and created for ISPs. Written in python and Zope, it is highly flexible, and has a modular construction allowing for additional modules to support a customers specific needs. It comes with full source code, and Obsidian's development team is available to produce extensions as required.

There is an example Radiator configuration file in goodies/jet.cfg in the Radiator distribution.

127. I am having trouble running Radiator on RedHat 8.0 and RedHat 9.0. It works fine on RedHat 7.3

I get an error message like this on RH 8.0:


Malformed UTF-8 character (unexpected end of string) at 
 /usr/lib/perl5/site_perl/5.8.0/Radius/Radius.pm line 642.

or like this on RH 9.0:


Bad attribute=value pair: Realm=DEFAULT

This can be due to the LANG environment variable. Try this:


echo $LANG

and you will see: en_US.UTF-8 then try this :


export LANG=en_US

and restart radiator. It should work now, but only in this terminal. If it works, do this for permanent change:

edit /etc/sysconfig/i18n
change the line
LANG="en_US.UTF-8"
to
LANG="en_US"

This will also solve Acrobat Reader problems

128. How do I configure an Apple AirPort Base Station for Radius authentication

The easiest way to configure an AirPort Base Station is using the Apple utility Applications->Utilities->AirPort Admin Utility. It is reported to be possible to use other tools but we have not tested them.

Recent versions of Apple AirPort Base Stations do support 802.1x wireless authentication and EAP, but older versions do not. If your Airport does not support 802.1x, then the only type of Radius authentication supported is MAC address, which requires you to configure the MAC address of all permitted wireless clients into your Radius user database.

Start with a simple Radiator configuration file based on goodies/simple.cfg
In AirPort Admin Utility, select the AirPort tab.
Ensire 'Enable Encryption' is set. Select 'Change Password...'. Choose a WEP key length of 128 bits. Choose and remember a long string as your wireless network access password. Enter it into New Password and Verify. Click OK. (Note. All Apple clients will need to be configured to use the same network password to access your wireless network).
In AirPort Admin Utility, select the Authentication tab.
Select Radius: Alternate. This will cause Radius authentication to use the MAC address of the wireless client as both the User-Name and the User-Password
In IP Address: enter the IP address of your Radiator server host.
Select Port: 1645. This is the default authentication port number that Radiator uses.
In Shared Secret: enter the shared secret configured into your Radiator client. If you are using the example goodies/simple.cfg, the shared secret is mysecret.
Click on 'Update' to save the new configuration to the Base Station. The Base Station will restart.
Add an entry to your Radiator user database for each wireless client who will be permitted to use your wireless network. If you are using the example goodies/simple.cfg, add them to the 'users' file named in the Filename parameter. Each entry has the MAC address of the client ads the username and also as the USer-PAssword. For example here are two user database entries for 2 wireless clients with the MAC addresses 00:40:96:35:6e:ae and 00:30:65:14:82:1c. 004096356eae User-Password=004096356eae 00306514821c User-Password=00306514821c
Run your Radiator at trace level 4 to ensure that authentication is working correctly: perl radiusd -config_file goodies/simple.cfg -trace 4

129. How do I configure a non-Apple wireless client to connect to an Apple AirPort Base Station

At this writing, Apple AirPort Base Stations do not support general 802.1x EAP authentication, only MAC authenticaiotn as described above. Configure your wireless client software so that it does not use EAP or 802.1x authentication.

At this writing, Apple AirPort Base Stations do not support dynamic WEP keys, but only 40 bit or 128 bit static WEP keys (which Apple calls a 'Network Password'). For non-Apple clients, You can find out the static WEP key to use to connect to an AirPort Base Station by selecting the Password icon at the top of the AirPort Admin Utility. The WEP key will be shown as a hex string, for example a 40 bit WEP key would look like 6f636723ac, and a 128 bit WEP key would loook like: 6f636723acdfa687fcd3aa1b81. Enter the static WEP key into your wireless client configuration software. If necessary, configure your wireless client software to use the WEP key for both authentication and data privacy.

130. I cant get PEAP to work with Windows XP SP1

There are a number of things that must be set up correctly before PEAP will work on XP. Here are some of them:

You must have the Windows XP service pack 1 (SP1) installed.
You must have a server certificate installed on your Radiator host, and the Radiator configuration file properly configured. See the goodies/eap_peap.cfg for an example.
The server certificate must have the special Microsoft 'Extended Key Usage' for server authentication. The OID is 1.3.6.1.5.5.7.3.1. See goodies/mkcertificate.sh and goodies/xpextensions for an example of how to make XP compliant certificates with OpenSSL.
The root certificate for the server certificate must be installed on the XP client machine. This is especially important if you are using private certificates. The root certificate for your private server certificate will be required, so that the client can confirm the authenticity of the server certificate.

Note that if Radiator is having problems with PEAP authentication, it will usually announce what the problem is in the log file as an ERR (level 0) or a WARNING (level 1). Its usually a good idea to set the trace level to 4 and have a close look at the output, looking especially for ERR and WARNING messages.

However, if the problem is in the XP client, by default XP does not produce any useful error or log messages, but....

If you still can't get it to work and can't figure out why, you can enable tracing of the EAP TLS module in XP:

Run the registry editor regedit.
In \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASTLS, set the EnableFileTracing flag to 1.
Now, when any EAP PEAP authentication is attempted, XP will append debugging information to \WINDOWS\tracing\RASTLS.

When you have finished troubleshooting the problem on XP, dont forget to disable the tracing by turning off the EnableFileTracing registry flag.

You can also enable and disable the file tracing flag with these commands:

netsh ras set tracing rastls enabled
netsh ras set tracing rastls disabled

These comands can be used with any other traceable components, like EAPOL, RASCHAP etc.

P.S. If you find any other good tricks for troubleshooting XP PEAP, please let us know.

131. There seems to be a problem with my certificates with my Windows PEAP or TTLS client

When using PEAP or TTLS, Windows has very specific requirements for Radius Server certificates. If the server certificate installed in your Radiator does not meet those requirements, the TLS handshaking phase of the PEAP or TTLS authentication will terminate before the completion of authentication. Sometimes the client will send a TLS alert to the Radius server (which Radiator will log at ERR level), but it is often hard to find out why the client does not com,plete the authentication without enabling logging on the client as described in the previous FAQ item.

The most common causes of failure to complete TLS handshaking during PEAP or TTLS authentication are:

The root certificate corresponding to the Radius server certificate is not installed on the client. This is posible if you are using certificates from a private Certificate Authority, such as the sample certificates provided in the certificates directory of your Radiator distribution.
The validity dates of the root certificate or the server certificate are out of range according to the clock on the client.
The server certificate does not have the 'Web Server' extended usage key (OID 1.3.6.1.5.5.7.3.1)

132. Where can I find information about Cisco disconnection types

See here and here

133. How do I configure a 3COM 4400 SuperStack 3 switch for Radius authentication

These instructions will allow you to configure your 3COM 4400 SuperStack 3 switch and similar devices so that the device administrator is authenticated by Radiator. Any attempt to log in to the switch by telnet, web browser or serial port will then be authenticated by Radius.

Configure the Radius authentication parameters for the switch. Using the web interface, choose Device View-Security-Radius-Authentication-Modify. Using the telnet or serial interface, choose security-radius-authentication-modify. Enter the Radiator server IP address and port . (Caution: the default port for Radiator is 1645, but the default port for the switch is 1812, so you will probably want to change the port number to 1645).
Configure the switch to use Radius authentication for device logins. Using the web interface, choose Device View-Security-Device-Authentication-System Mode. Using the telnet or serial interface, choose security-device-authentication-systemMode. Select RADIUS.
Ensure you have a suitable Radiator dictionary, containing definitions of the 3COM vendor-specific attribute 3COM-User-Access-Level. If you have Radiator version 3.5 or earlier, download the latest dictionary from the 3.5 patches area. If you have Radiator version later than 3.5, the dictionary is OK.
Configure Radiator user database. You will need to add a user entry for each user who needs permission to log in to the switch. Each user must have a 3COM-User-Access-Level reply item. In the example below, the user admin has Administrator privilege (can access and change all managable parameters in the switch), and user mikem has Monitor privilege (can view all manageable parameters except special/security features, but cannot change any manageable parameters). Caution: if you do not have a 3COM-User-Access-Level for device users, they will not be able to log in to the device.
From now on, any attempt to log in to the device will result in a RADIUS request to authenticate the user and to get their device access level.


# Example users who can log into 3COM SuperStack
admin	User-Password=admin
	3COM-User-Access-Level=Administrator
mikem   User-Password=fred,
	3COM-User-Access-Level=Monitor

134. I have upgraded my ActivePerl on Windows 2000 to 5.8, and now AuthBy NT does not work

ActivePerl 5.8 does not include a module required by AuthBy NT. Win32::AuthenticateUser was included in previous versions of ActivePerl. We have also observed other problems with ActivePerl 5.8 build 805 involving AuthenticateUser and PPM. You should downgrade to ActivePerl 5.6.1.

135. How do I get IEEE 802.1x authentication for Windows 2000?

Radiator supports a wide range of 802.1x authenticaiton methods, including those supported on Windows 2000 and XP.

You can enable 802.1x authentication for wireless and network cards on Windos 2000 by installing the Windows 2000 '802.1x Patch for Service Pack 3', available from Microsoft. After installing the 802.1x patch, you should see 'Authentication' tabs on your 'Local area connection Properties' and 'Wireless connection properties' windows, allowing you to select and configure 802.1x authentication methods for network and wireless connections.

If you have installed the patch and the 'Authenticaiton' tabls still dont appear, you may need to start the 'Wirelss configuration properties' Service by hand. Choose Start-Settings-Control Panel-Administrative Tools-Services-Wirelss Configuration and ensure the service has been started.

136. How do I run Radiator on Solaris 9?

We tested by installing the precompiled Solaris 8 Perl 5.8.0 binary from SunFreeware. It includes Digest-MD5 already built so there is no compiling to be done for basic use. You just have to make sure that /usr/local/bin is in your path before /usr/bin so you get Perl 5.8.0 instead of the Perl 5.6.1 included by default with Solaris 9.

If you need to compile other Perl modules, we recommend that you get the precompiled gcc for Solaris 9 from SunFreeware and compile with that, so the resulting modules are compatible with Perl 5.8.0 from SunFreeware.

137. I cant get 802.1x MD5-Challenge to work with my wired network on XP

You must have the 'Show icon in notificaiton area when connected' option enabled in the Local Area Connection Properties dialog. If this is not set, then XP is unable to show the username/password dialog, and the 802.1x authentication never starts. A similar problem will be observed with PEAP-MSCHAPV2 if you deselect the "Automatically use my Windows login name and password" in the MSCHAPV2 Configure dialog.

138. Where are my free EAP Test Certificates?

Radiator version 3.6 and later includes free private client and server test certificates suitable for use with Radiator and Windows clients in the certificates directory of the distribution. See certificates/README for a detailed description of what is included and how to use them. The example goodies/eap_* configuration files are all set up to use these test certificates.

Registered customers with Radiator version 3.5 or earlier can find the certificates in the Radiator 3.5 patches area (username and password required).

Evaluators with Radiator version 3.5 or earlier should contact us

Caution: None of these certificates should be considered to be secure, and they should NOT be used in a production environment, but only for testing and proof-of-concept for your project. You should use a reputable Certificate Authority package such as CAtool to generate your production certificates.

139. Can you test Radiator with NTRadPing

Yes, but you must be sure that the Radiator replies contain Service-Type=Framed-User.

140. How can I use the Class attribute to hold multiple data items

The radius Class attribute can be returned in a radius access accept for a session, and the subsequent accounting requests for the session will contain the Class attribute unchanged. This is extremely useful, particularly when sophisticated billing prcedures are required.

It is sometimes desirable to be able to use the Class attribute to store multiple pieces of data for use in the accounting process, and this is a handy way to flexibly deal with this data without having to write a hook.

Radiator supports the AddToRequest parameter which is used to add arbitrary attribute=value pairs to the incoming request (which is used as a scratch-pad area for temporary storage). What this means is that multiple attribute=value pairs can be listed in the Class attribute, which can then be expanded by AddToRequest (AddToRequest can be used in this way in the Client clause, Realm or Handler clause, and AuthBy GROUP clause).

Here is an example:


# define Handlers

<Handler Request-Type = Accounting-Request>
        .....
	# This will convert all the attr=val strings in the Class attribute
	# into new attr=val attributes in the curent request. They are then 
	# available to be logged with the other accounting attibutes to SQL
	# or a flat file
        AddToRequest %{Class}
        .....
</Handler>

<Handler>
        .....
	# This Class attritbute will be unpacked when it received later in an
	# accounting request
        AddToReply Class = \
                Some-Attribute = SomeValue, \
                Another-Attribute = AnotherValue
        .....
</Handler>

This will result in the following attributes being added to the accounting requests by Radiator:


        ....
        Some-Attribute = SomeValue,
        Another-Attribute = AnotherValue

Note that the attributes do not need to be defined in the Radiator dictionary to be used in this way. They can be attributes that you invent for your own purposes and with your own special meanings.

141. What do I have to install on Windows for Radiator to authenticate TLS, TTLS and PEAP

Radiator requires OpenSSL and the perl Net::SSLeay module to be installed on the radius server in order to support EAP TLS, TTLS or PEAP. All these modules are freely available.

OSC has made available pre-compiled versions of Net::SSLeay with OpenSSL for Linux and Windows x86 platforms. The OpenSSL includes the TLS extensions by Jouni Malinen required for EAP-FAST support.

Install ActivePerl 5.8.8 from ActiveState

Install the Net::SSLeay module using PPM included with ActivePerl:


ppm install http://www.open.com.au/radiator/free-downloads/Net-SSLeay.ppd

142. Can I use Radiator with Cygwin to authenticate EAP-TLS on Windows?

Yes, although you can use Radiator and EAP-TLS without Cygwin (see the previous FAQ item).

Radiator requires OpenSSL and the perl Net::SSLeay module to be installed on the radius server in order to support EAP TLS, TTLS or PEAP. On Windows, you can support these EAP authentication protocols in the Windows Cygwin environment, which is a complete Unix-like environment for Windows.

First install Cygwin, including perl and the devel tools, and then (using Cygwin) to build and install:

OpenSSL 0.9.7g or later, available from OpenSSL
Net_SSLeay.pm-1.30 or later, available from CPAN
Digest-HMAC-1.01 or later, available from CPAN
Digest-SHA1-2.01 or later, available from CPAN

143. How do I carry PoolHint information in standard radius requests or replies between radius servers?

RFC 2869 defines Framed-Pool (attribute 88) for this purpose, so AddToReply or AddToRequest can be used together with a PoolHint definition in an AuthBy DYNADDRESS like this:

     PoolHint %{Framed-Pool}
or
     PoolHint %{Reply:Framed-Pool}

144. How can I build Tk800.024 on RedHat 9.0. I get all sorts of errors during the build

This can happen when the LANG environment variable is set to a UTF character set. You can fix it during the build by building Tk with command like this:


export LANG=en_US
perl Makefile.PL
make
make test

For a permanent fix for LANG problems on RH 9.0,

edit /etc/sysconfig/i18n
change the line
LANG="en_US.UTF-8"
to
LANG="en_US"

This will also solve Acrobat Reader problems

145. I cant make DBD-Sybase and freetds work on RedHat 9

You will need to downgrade to DBD-Sybase-0.94 and FreeTDS-0.53

146. I cant get my Cisco Aironet 340 PCMCIA card to work with Aegis MDC 1.2.0beta clients on RedHat Linux version 8

Cisco Aironet 340 PCMCIA cards will work with RedHat Linux version 8 out of the box. You do not need to install the Cisco drivers, but you do need to make sure the card firmware is version 4.25.23, and not the later 5.20.17. It is safe to downgrade the card firmware. With firmware version 5.20.17, or with the Cisco Linux drivers installed, you will observe various errors in /var/log/messages when the wireless card is inserted.

With the correct wireless card firmware and RH 8.0 out of the box, the Aegis MDC Linux client works fine. You will need to install the j2re Java Runtime Environment in order to run the Aegis client configuration utility. You may also need to configure your wirelss card in order to set the SSID and to configure the encryption to Open (if your AP is set for Open):


/sbin/iwconfig eth1 ssid myssid key open
/sbin/ifconfig eth1 up

The Aegis Linux client client has been tested against Radiator with all EAP authentication types, and with the test certificates supplied with Radiator. The Root certificate was installed like this:

 
cp certificates/demoCA/cacert.pem /usr/share/ssl/certs/osc-test-root.pem 
/usr/local/aegisc/bin/addRootCA osc-test-root.pem

We observed that the client daemon would crash during authentication with TTLS-MSCHAPV2 and TTLS-EAP-MD5. This is diagnosed as due to a problem in the Aegis beta client. See the Aegis client documentation in /usr/local/aegisc/doc/help

147. Can you give me complete instructions on how to install and configure Radiator on a secure firewall?

Bret Jordan provides a lengthy example, including installing and configuring Radiator on RedHat 9, setting up iptables etc here.

148. I cant install some PPM packages with ActivePerl 5.8.0

Some PPM packages (including some that are required by various modules of Radiator) are not available for ActivePerl 5.8.0. You might see an error message like:


Error: no suitable installation target found for package Win32-RasAdmin.

The answer is to downgrade you ActivePerl to 5.6.1. Versions of Authen-ACE4 and Win32-Lsa for ActivePerl 5.6, 5.8 and 5.10 are available in the Radiator free downloads area. You can install them with:


ppm install http://www.open.com.au/radiator/free-downloads/Authen-ACE4.ppd
ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd

149. How does EAP work?

There is a good overview here Also there is a good refernece about how to choose what type of EAP authenticaiton you should use here.

150. How do I configure a Dlink DWL-900AP+ for EAP authenticaiton

Starting from the default (factory) configuration:

Install firmware 2.57 or later
Under Advanced/802.1x, set Encryption key length = 128, and set Radius server 1 IP address, port and secret. Setting Radius server 2 details is optional.

Note that under Home/Wireless, WEP should be set to disabled (the default), and under Advanced/Performance, Authentication should be set to Auto (the default), but Open is acceptable.

151. I have installed the Cisco ACU client utilities on my XP SP1 client, but I cant configure PEAP-MSCHAPV2

When you install the Cisco ACU client utilities on Windows XP SP!, it overwrites the standard Microsoft PEAP support (which includes support for MSCHAPV2) with the Cisco PEAP suport (whioch does not include support for MSCHAPV2). If you have installed the Cisco ACU package but you really want to use PEAP-MSCHAPV2 for password based authenticaiton, you will need to reinstall XP SP1.

152. I changed my Windows XP SP1 client from PEAP-MSCHAPV2 to PEAP-Certificate and back to PEAP-MSCHAPV2 and now I cant authenticate

We have noticed that the Windows client can get pretty confused when changing between authentication types. We recommend rebooting the Windows client after changing EAP client authentication setup on Windows.

153. My NAS always reports wireless connections as NAS-Port=9, which breaks my SQL session database

Som NASs report that all wireless connections have the same NAS-Port. This is legal RADIUS, but unusual and not very helpful. The best solution is to change the SQL Session Database queries in the way described by Andrea Brancatelli:

.. What I did was to replace the NAS-Port definition in the SESSION database from Integer to Char(22) and replace the Session Add and Session Delete SQL query to use the remote peer MAC Address to fake out an unique NAS-Port. It works.

154. How can I make TTLS-PAP work on MAC-OS Panther?

Terry Simons has posted a Panther 802.1X configuration for TTLS->PAP on the MAC laptop webpage

155. Is there any tutorial material about how to deploy Wireless networks?

Try these:
Tech Guide: Wi-Fi: Security For The Masses
802.1X Port Access Control for WLANs
Deploying 802.1X for WLANs: EAP Types
Wireless on Linux, Part 1
Useful links from open1x.org
Seletcting An Appropriate Eap Method For Your Wireless Lan
Evolution of WLAN Security
Alvarion Broadband Wireless Access WISP Cookbook
Security for (Wireless) LANs Overview of the 802.1X framework in Windows 802.1X Configuration Hands-on exercises and solutions (section to learn how to set up 802.1X using Radiator)

156. I can't install Digest::MD4 with ActiveState perl 5.6.1 PPM

As at October 31 2003, there seems to be a temporary problem with availability of the ActiveState Digest-MD4 packages.

In the meantime you can find the Digest-MD4 package for ActiveState 5.6.1 at: a href=http://ppm.activestate.com/PPMPackages/zips/6xx-builds-only/Digest-MD4.zip>Digest-MD4.zip

You will need to download this package, unzip it to a working directory, change directories to that working directory, then run the command:

ppm install digest-md4.ppd

157. Why can't I get AuthBy LSA to work with CHAP against an NT4 domain controller?

This is a problem in Microsoft IAS software. See http://support.microsoft.com/default.aspx?scid=kb;en-us;197506

158. How can I install the Win32-Lsa package using PPM on Windows if I have a HTTP proxy

Configure PPM to use your proxy, by setting the appropriate environment variables. See the discussion in the ActivePerl FAQ pages.

159. How do I configure the HP 420 AP for Radiator and 802.1X?

Contributed by Terry Simons: See 802.1x Authenticator Playground. Other devices are expected to be documented there as time goes by.

160. Where can I get a copy of NTRadping?

NTRadping is a GUI Radius test program for Windows. Its freely available from Mastersoft-USA

161. Where can I find some information on Open1X?

Open1x at Sourceforge and an areticle about the authors.

162. What do I have to do to allow me to use AuthBy DIGIPASS

AuthBy DIGIPASS requires the Authen-Digipass module, which is provided as a precompiled binary for Solaris Sparc, Linux x86 and Windows.

See the detailed instructions in goodies/digipass-install.txt in your Radiator distribution. Requires Radiator 3.10 or later.

163. When using CheckPOint FW-1 with one-time passswords such as AuthByOPIE, how can I be sure the user will see the challenge message?

FW-1 requires that an arbitrary "State" attribute be returned by the RADIUS server if it is to display a challenge returned by the server. Add this to the "AuthBy OPIE" stanza:

AddToReplyIfNotExist State="0"

164. How do I use RSA tokens to generate passwords for AuthBy ACE?

RSA Security produce 2 main types of hardware tokens. 'Standard cards' and 'key fobs' tokens have an LCD display that changes every 60 seconds, but no other buttons or switches. 'Pinpad' cards have an LCD display, and also 0-9 keys, a diamond button and a P button. The way you generate your password depends on the type of token you have.

In RSA terminology, the number displayed by a token is called the 'tokencode' The number is typically 6 digits long and changes every 60 seconds. The 'PIN' is a secret 4 digit number that you will be assigned (or may have sletected) and which you must remember. The 'passcode' is what you use as your password to log in, and consists of the PIN followed by the tokencode.

For standard tokens, the passcode is formed from the PIN followed by the tokencode displayed on the token. So, for example, if the PIN you have remembered that was assigned to you is 1234, and the token is currently displaying the tokencode '627351', then the passcode that you will use as your password is '1234627351' (thats 10 digits).

For Pinpad tokens, you have to enter the PIN into the token to generate the passcode. If for example, your remembered PIN is 1234, enter the PIN into the Pinpad one digit at a time (press 1 - 2 - 3 - 4), then press the diamond button. The token will then display a new tokencode, say '736284'. You would then use 736284 (thats only 6 digits) as your password.

Note that some types of tokens display an 8 digit tokencode, rather than a 6 digit tokencode.

165. How do I use Digipass tokens to generate passwords for AuthBy DIGIPASS?

Vasco produce a number of different tokens, some which require PINS to be entered into the token, some which support user selected PINs and some which do not support PINs. All tokens display a 'tokencode', usually in response to pressing a button on the face of the token. The different types of token are described below.

The simplest Digipass tokens include the Go-3, and which have an LCD display and a single button (but no keypad). For these tokens, you just use the tokencode displayed on the token as your password. Note that any attempt to use the same tokencode to log in twice will result in a rejection (th error message on the Raditor log will say 'Code Replay Attempt'): you must wait for the next token code to be displayed by the token.

Go-1 tokens support user-selected static PINs, and also support the ability to change PIN dynamically. Your initial PIN may have been selected by your administrator and given to you with your token. In any case, you if you have a PIN, the password is made from the PIN followed by the tokencode dispalyed on the Go-1 token. For example, if your PIN is 1234, and the token displays 89574526, then your password is '123489574526'. If you have not been assigned a PIN for your Go-1, just use the tokencode displayed on the token as your password: '89574526'.

Go-1 tokens also suport the ability to change your PIN. To change your pin, you form the password from your current PIN, followed by the tokencode, followed by the new PIN, followed by the new PIN again. For ecample, if your current PIN is 1234, and you wish to change the PIN to 9876, and the token is displaying 89574526, then you use the password 12348957452698769876. After this password has been accepted, your new PIN will be active, and you must enter the new PIN at the beginning of each password.

Some Digipass tokens have a keypad, which requires the tokens PIN to be entered, and which also support Challenge-Response (CR). In Challenge-Response, when you first attempt to log in, Radiator sends a 'Challenge' (a sequence of digits) that you must enter into the token in order to generate the correct Response, which is then used as your password.

The first step is to attempt to log in with an empty password (ie a password with nothing in it). If the user's token supports CR, Radiator AuthBy DIGIPASS will send a challenge of (typically) 4 digits:


Digipass Challenge: 8077

You will use this challenge shortly.

Now start the token by pressing the arrow button. The token will ask for your PIN. Enter the 4 digit PIN (eg1 - 2 - 3 - 4). The token will then display 'APPL1'. Press '3' to request Challenge-Response. The token will display '----'. Enter the Digipass Challenge sent to you by Radiator (eg 8 - 0 - 7 - 7). The token will then display a tokencode of 7 digits. Use the tokencode as your password.

166. How can I enroll a private root certificate on Pocket PC 2003?

Make sure the root certificate is in DER format and has a filename extension 'cer' or 'crt'. Then tap on the certificate and Pocket PC will offer to enroll the certificate.

More information and helpful hints here

167. I get an error when I try to use MySQL 4.1

If you try to use a pre 4.1 MySQL client with MySQL 4.1, you may get a connection error:


Client does not support authentication protocol requested by server; 
 consider upgrading MySQL client

This due to the fact that MySQL 4.1 introduced a new form of MySQL client authentication that is not suported by older MySQL clients, such as the 2.9002 and 2.9003 DBD-mysql clients from ActiveState. Solutions and suggestions can be found here

168. Can I install a Radiator RPM file on Debian without rpm?

Yes, you can use the Debian 'alien' command to install Radiator RPM files like this:


alien -i Radiator-3.12-1.noarch.rpm

You can remove the package with


dpkg -r radiator

169. Why do I have problems when I proxy to IAS on Windows Server 2003 with SP1?

The usual symptoms of this are failure to complete authentications that require multiple round trips, such as PEAP, LEAP, TTLS etc. IAS will not reply to the second request of a sequence proxied to it. The IAS log file IASSM.LOG will contain the message "State attribute is present, but unrecognized.". This only occurs after installing SP1 on Server 2003.

This problem was fixed by a change to the dictionary in Radiator 3.13. You should upgrade to Radiator 3.13. If the problem persists, make sure that the new Radiator 3.13 dictionary file is being used by your configuration.

170. How can I enable debug logging of a Funk Odyssey client on Windows

If there is a problem with authenticating your Funk Odyssey client, it is sometimes helpful to enable logging from within the Odyssey client: it may help you discover what the problem is with the client.

To enable logging, add the following string value to the registry:

HKLM\Software\Funk Software, Inc.\odyssey\client\configuration\console\loglevel

and set its value to the string '5' which means detailed logging. For more detailed logging add another string value to the registry:

HKLM\Software\Funk Software, Inc.\odyssey\client\configuration\console\maxlines

and set its value to the string '100' which means up to 100 lines of hex dump per log entry.

Now when the Odyssey Client service starts it will create a console window that displays detailed logs of its internal operations. After you have debugged the problem, change the console\loglevel registry entry back to the string '0', and the debug logging will stop, and the log console window will disappear.

171. I get a WARNING message about "Net::SSLeay to 1.30 or later" when I try to use EAPTLS_CRLCheck to verify certificates against a CRL

Earlier versions of Net::SSLeay do not support the X509_STORE_set_flags function required to check CRLs. In order to enable this functionalilty, as well as to address some memory leakage issues, you should download, build and and install Net::SSLeay 1.30 from CPAN.

Correct operation of CRLs also requires Radiator 3.13 + patches or later.

172. Im having problems installing Socket6 using PPM on Windows

Socket6 is required if you wish to use IPV6 support in Radiator. A number of versions of the Socket6 PPM at ActiveState have not compiled properly and do not install correctly.

We have made precompiled binary versions of Socket6 PPM packages available for Windows. Install with:

ppm install http://www.open.com.au/radiator/free-downloads/Socket6.ppd

173. How can I export the root certificate from Microsoft CertificateAuthority

Run MMC on the CA server.
File, Add/Remove Snap-in.
Add... select Certification Authority, and select Local Computer.
Finish, Close, OK.
In MMC, right-click the CA, select Properties. View Certificate, go to Details tab, select Copy to File...
Next, make sure DER encoded binary is selected, Next, put something like "c:\rootcert".

The exported certificate will be in DER format. It can be converted to PEM format for easy use with Radiator by using openssl, with a command like:


openssl x509 -inform DER -in rootcert.cer -out rootcert.pem

174. I have downloaded the Radiator distribution, but WinZip wont openit

Some web browsers, notably Windows Internet Explorer, change the filename extension of the downloaded file for example from Radiator-3.13.tgz to Radiator-3.13.tar. This changed filename extension confuses WinZip. The solution is to rename the downloaded file back to have the '.tgz' extension for example Radiator-3.13.tgz and then unpack it with WinZip.

175. Are there any tools for linking usernames, MAC and IPaddresses?

See UserTracking UserTracking is a GPL tool that allows network administrators to make a logical connection between 802.1x layer 2 authentication and layer 3 IP addresses. Uses MySQL and integrates with Radiator. Web interface.

176. Is it possible to implement dead-realm detection instead of dead-hostdetection?

Jan Tomasek has contributed this:

past few months I was experimenting with Radiator setup. My problem was how to configure it to be able fall back to backup server, when I can not rely on timeout on responses. Timeout can be caused by some dead server behind proxy servers I'm communicating with and that does not mean my closest peer is dead.

I developed configuration which implements dead-realm instead of dead-host marking. This feature can be useful for any admin running network of RADIUS proxy servers which are proxying EAP sessions. I care about this problem, because I'm admin of eduroam in Czech Republic.

More info about my motivation, about implementation and test I did is on page here

177. Why doesn't AuthBy RODOPIAAA work with TTLS and PEAP

The version of AuthRODOPIAAA.pm supplied by Rodopi in the Rodopi-5.5-Radiator-3.15-1.0.exe package has problems with TTLS and PEAP support. Until Rodopi update their software, we can send you a fixed version of AuthRODOPIAAA.pm that works with PAP, CHAP, TTLS and PEAP.

178. Where do I get Authen-Digipass for Windows, so I can suport Vasco Digipasstokens?

Prebuilt PPD modules for ActivePerl are available from the OSC web site for Perl 5.6, 5.7, 5.8 and 5.10. Install with:


ppm install http://www.open.com.au/radiator/free-downloads/Authen-Digipass.ppd

179. How do I install a root certificate on Windows Mobile 5

If you intend to use 802.1X authentication with PEAP, TTLS or TLS, you will need to install (also called enroll) the root certificate of the CA that issues the Radius server certificate onto the mobile device.

Radiator comes with a sample server certificate and corresponding root certificate in the certificates directory of your distribution.

In order to install the root certificate on Windows Mobile 5 and other similar devices, copy certificates/root.der to the mobile device, and change its name to root.cer. Then open File Explorer, find the file and double-click on it. The Windows certificate enroller will then import the certificate.

180. Where does the RPM install the doc and goodies?

The RPM package installs these by default in /usr/share/doc/packages/Radiator/

181. Are there a precompiled Net-SSLeay packages for Linux?

Yes, OSC provides a precompiled RPMs of Net-SSLeay. The RPM includes Net::SSLeay, OpenSSL 0.9.8e libraries plus the TLS extensions by Jouni Malinen required for EAP-FAST support.

For i386 32 bit and Perl 5.8.7, compiled with GCC 4.1 on OpenSuSE 10.0, get http://www.open.com.au/radiator/free-downloads/Net-SSLeay-1.32-1.i386.rpm.

For i586 32 bit and Perl 5.8.8, compiled with GCC 4.2 on OpenSuSE 10.3, get http://www.open.com.au/radiator/free-downloads/Net-SSLeay-1.35-1.i586.rpm

For x86 64 bit and Perl 5.8.8, compiled with GCC 4.1 on RHEL5, get http://www.open.com.au/radiator/free-downloads/Net-SSLeay-1.35-1.x86_64.rpm

The bundle will not interfere with any preexisting OpenSSL installation.

Install it in the usual way, eg:


rpm -Uvh Net-SSLeay-1.32-1.i386.rpm

182. How do I fix "wrong ELF class: ELFCLASS64" error with DBD::Oracle on Solaris?

See Fixing the dreaded "wrong ELF class: ELFCLASS64" error with DBD::Oracle on Solaris

183. Im having problems getting DIGIPASS or other token authentication working with a Cisco VPN?

Some models of Cisco VPN incorrectly send a password with a single space (' ') when the user enters an empty password (''). A description and solution for this Cisco fault is provided in goodies/ciscovpn.txt in the Radiator distribution.

184. Why do I get SOAP errors from AuthBy RSAAM?

Youmay see errors reported something like this:


RSA AM failure: 
SOAP Fault soapenv:Server.userException: 
org.xml.sax.SAXParseException: 
An invalid XML character (Unicode: 0xf) was found in the element content of the document.

If the shared secret between Radiator and the RADIUS clinet do not match. This causes the password or tokencode to be incorrectly decrypted, causing authentication failure with the error above.