
TekRADIUS Version 3.8 Readme File
© Copyright 2007-2010 Yasin KAPLAN

0. Contents:

1. Introduction
2. Major features
3. System requirements
4. Installing and Uninstalling
5. Configuration and running
6. Carrier Mode
7. Release notes
8. Trademarks

1. Introduction

TekRADIUS is an AAA server (based on RFC 2865 and RFC 2866) that runs on the Microsoft Windows (XP, Vista,
Server 2003) operating systems. Visit http://www.tekradius.com/ regularly for updates.

2. Major features

• Supports features described in RFC 2865 and RFC 2866 (RADIUS protocol).
• Logs system messages, errors and session information to a log file and limits the number of simultaneous
sessions (see notes).
• All parameters can be configured and RADIUS Dictionary can be edited through TRManager GUI.
• Authentication and Accounting ports are user selectable.
• You can create SQL database and tables through TRManager GUI.
• You can map RADIUS Accounting attributes to Accounting table fields.
• You can run TekRADIUS in Authentication only or Authorization only mode.
• You can define which RADIUS attribute will be used as a substitute for User-Name.
• You can define your own Authorization query string.
• PAP, CHAP, MS-CHAP v1, MS-CHAP v2, EAP-MD5, EAP-MS-CHAP v2, PEAPv0-EAP-MS-CHAP v2 (as implemented in
Windows XP SP1) and Digest (draft-sterman-aaa-sip-00.txt) authentication methods are supported.
• Generates MS-MPPE Keys.
• You can specify an Expire-Date and User-Credit for users, and use the authentication method as a
RADIUS check item.
• You can specify how long a user account remains valid after the first logon (Time-Limit), and you
can specify the allowed logon days and hours (Login-Time).
• You can authenticate users against Windows Domain or Active Directory.
• Command line utility (trcli.exe) for adding, deleting and modifying user profiles and RADIUS clients. You can
also start/stop and query the status of the TekRADIUS service with it.
• User-level restrictions on GUI access: Windows users in the "Administrators" group can access all
functions of the TekRADIUS Manager GUI, while Windows users in the built-in "Users" group can access
only a restricted set of functions.
• Simple reporting interface for browsing Accounting records.
• Disconnects users with Packet of Disconnect (PoD) or a user-defined kill command.
• TekRADIUS can disable a user profile after a user-configurable number of unsuccessful login attempts.
• You can specify credit limits for daily, weekly or monthly periods.
• You can run an external executable and check its result as a check item.
• Quick and easy installation.
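The feature list above leans on two RFC 2865 mechanisms that every RADIUS deployment depends on: the shared secret hides the PAP User-Password in the Access-Request, and the same secret authenticates the server's reply through the Response Authenticator. The following is an added example written for this readme, not TekRADIUS code; the user name, password, shared secrets and packet identifier are constructed test values, and the server's user store is a plain dictionary standing in for the SQL tables.

```python
"""RFC 2865 Access-Request / Access-Accept round trip with PAP password hiding.

Added example, not TekRADIUS code. The shared secret, user name, password
and packet identifier below are constructed test values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _avp(attr_type, value):
    """Encode one attribute: Type, Length (including the 2-octet header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(payload):
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server needs the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    """Client side: random 16-octet Request Authenticator, hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = _avp(USER_NAME, username) + _avp(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Client side: a reply built without the shared secret fails this check."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def serve_access_request(packet, secret, users):
    """Server side: unhide the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))
    username, hidden = attrs.get(USER_NAME, b""), attrs.get(USER_PASSWORD)
    ok = False
    if hidden is not None and len(hidden) % 16 == 0 and username in users:
        password = reveal_password(hidden, secret, req_auth)
        ok = hmac.compare_digest(users[username], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def pap_exchange(username, password, client_secret, server_secret, users):
    """Full round trip; returns (response code, response authenticator valid)."""
    req = build_access_request(7, username, password, client_secret)
    resp = serve_access_request(req, server_secret, users)
    return resp[0], verify_response(resp, req[4:20], client_secret)
```

Running `pap_exchange` with matching secrets on both sides gives an Access-Accept whose Response Authenticator verifies; with a mismatched secret the server cannot unhide the password, answers Access-Reject, and the client's `verify_response` fails, which is exactly how a shared-secret typo on a NAS shows up in practice. The MD5-based hiding is an obfuscation keyed by the secret, not encryption, which is why the shared secret must be long and random and the RADIUS ports kept off untrusted networks.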

3. System requirements

• Any edition of Microsoft SQL Server.
• A Windows system with at least 1024 MB of RAM.
• Microsoft .NET Framework v2.0.50727 (minimum).
• 5 MB of disk space for installation. Disk space required for TekRADIUS database depends on your usage.
• Administrative privileges.
• Although an "sa"-equivalent SQL user is needed to create the database and the tables, you can configure a
less privileged SQL user for regular operation once the database and tables have been created. Do so rather
than leaving the "sa"-equivalent account in the service configuration.

4. Installing and Uninstalling

• To install TekRADIUS, extract the contents of TekRADIUS.zip to a temporary directory and run Setup.exe from
the distribution. If you are upgrading from an earlier version, uninstall the previous version first.
• To uninstall TekRADIUS, double-click the TekRADIUS icon in "Add or Remove Programs" in Control Panel.

5. Configuration and running

Please see the Installation Manual, which can be found in the application directory, for configuration details and
operation. You can download the latest revision of the manual from the TekRADIUS support page.

If you use RADIUS Accounting, drop all active sessions properly on your access servers (there should be regular
functions on your access servers to do this) before shutting down TekRADIUS, for proper operation.

6. Carrier Mode

Carrier Mode provides the performance needed in carrier environments for CDR generation under high load. Carrier
Mode can be used when the access servers are configured to run in RADIUS Accounting Stop-Only mode. The following
features are disabled in Carrier Mode:

- Simultaneous-Login Check
- Quota Control (User-Credit)
- Periodic Credit Update
- Accounting-Checkpoint message processing

There is no option to enable Carrier Mode in TekRADIUS Manager. Add a CarrierMode=1 line under the [Server]
section of TekRADIUS.ini, which can be found in the TekRADIUS application directory, and then restart the
TekRADIUS service. Carrier Mode is available only in the TekRADIUS SQL Edition.

7. Release notes

• The Secondary-Group attribute has been removed from the TekRADIUS dictionary. A new attribute called
Next-Group has been added; you can use it to chain group profiles. If, for example, you would like to
authenticate a session according to NAS-IP-Address but NAS-IP-Address could have three different values,
you can create a group profile for each NAS-IP-Address value and chain them using Next-Group. Next-Group
can be used only in group profiles, as a check attribute. Please note that attributes in user profiles
override group attributes, so do not put attributes that are used in chained groups into user profiles (3.8).
• A new attribute type, "Informational", has been added. You can add your own vendor to the TekRADIUS
dictionary to store user- or group-specific data such as addresses or phone numbers. Informational
attributes are not used while authenticating or authorizing users (3.8).
• Log files are kept in the <Application Directory>\Logs directory and rotated daily (3.7).
• You can define a "default" user profile to be used when a matching user profile cannot be found
for an incoming RADIUS authentication request. See the TekRADIUS manual for configuring this
feature (3.7).
• You can specify credit limits for daily, weekly or monthly periods, and you can run an external
executable and check its result (External-Executable) as a check item. See the TekRADIUS manual
for configuring these features (3.6).

• Generate-MS-MPPE-Keys usage changed in version 3.5. See the TekRADIUS manual for details.
• Version 3.5 introduced two new attributes, Failure-Reply-Type and Secondary-Group (the latter has since
been removed in 3.8; see above). Secondary-Group let a user have a secondary group membership in addition
to the user's default group: if the attribute was present in a user's profile, TekRADIUS first tried to
authenticate the incoming Access-Request with the user attributes and primary group attributes and, if
that failed, tried again with the user attributes and secondary group attributes. Secondary-Group was a
string-type attribute that could exist only as a check attribute in user profiles, and it was not
supported with PEAP authentication.
• You can add Failure-Reply-Type as a check attribute to user or group profiles. This attribute alters the
behavior of TekRADIUS when Failure-Reply attributes exist in the user or group profile. Its value can be
Accept or Reject: with Accept, the Failure-Reply attributes are sent in an Access-Accept; with Reject, they
are sent in an Access-Reject. If the attribute is not present in the user or group profile and Failure-Reply
attributes are configured, TekRADIUS sends the Failure-Reply attributes in an Access-Accept message.
Failure-Reply-Type is an integer-type attribute and can exist only as a check attribute in user profiles.
• You can also specify your own delimiter character for entering multiple instances of string-type reply
attributes in user or group profiles. The default is a semicolon (";"). You can set it on the
Settings / SQL Connection tab.
• A new reply type was introduced in version 3.4. If you would like to provide restricted access to
unauthenticated users, add Failure-Reply attributes to user or group profiles. When authentication fails,
TekRADIUS replies with an Access-Accept containing the Failure-Reply attributes if the user or group profile
has any; if it has none, TekRADIUS replies with an Access-Reject. (This feature is not available for PEAP
authentication, for VPN authentication, or when the authentication failure is caused by an invalid
authentication method.)
Use this feature with extreme care: if the Default user group has Failure-Reply attributes, every failed
authentication attempt is answered with an Access-Accept carrying the Failure-Reply attributes, so any
client presenting any credentials receives that restricted access. When a user is authorized via
Failure-Reply, the Simultaneous-Use, Expire-Date, Login-Time, TekRADIUS-Status and Quota checks are not
performed.
• TekRADIUS can disable a user profile after a user-configurable number of unsuccessful login
attempts. If you have enabled Mail Alerting you receive a notification when a user profile is
automatically disabled. Set the Failure count parameter on the Settings / Service Parameters tab.
• TekRADIUS automatically removes the characters before the "\" character (the domain prefix) in the
User-Name attribute received in access and accounting requests. To change this behavior, check the
"Keep Domain Name" option at Settings / Service Parameters.
• You can set the primary PEAP inner authentication method in version 3.3. TekRADIUS supports
EAP-MD5 and EAP-MS-CHAP v2 as inner authentication methods. The default inner authentication
method is EAP-MS-CHAP v2.
• Clear, Kill and Disconnect functions were added to the Active Sessions tab in version 3.2. Clear
only removes the entry from the Sessions table; it does not disconnect the user session or decrement
the simultaneous session counter (you still need to restart the TekRADIUS service to reset simultaneous
session counters). Kill executes the user-defined kill command in the client entry. Disconnect sends a
RADIUS Disconnect-Message (Packet of Disconnect, PoD) to the remote access server. See the manual for
details.
• Early builds of TekRADIUS version 3.0 and all earlier versions are vulnerable to SQL injection
attacks. There is no individual patch for version 3.0 and earlier; users are advised to upgrade
existing installations to 3.1 or later.
• Previous versions assumed a CHAP-Challenge length fixed at 16 octets. This behavior was corrected in
version 3.1.
• Version 3.1 adds Active Directory support.
• Version 3.1 includes CoovaChilli and Ascend attributes.
• Time-Limit, First-Logon and Login-Time VSAs have been added (version 3.0).
• The maximum supported length of Tunnel-Password is 15 characters.

• TekRADIUS uses the phrase "client EAP encryption" when deriving the encryption keys for PEAP
authentication. The built-in Windows supplicant requires this phrase. Please check whether your 802.1X
supplicants support encryption keys generated using this method.
• Version 2.8 includes the Mikrotik dictionary.
• Version 2.8 has a TekRADIUS VSA called Credit-Unit. If you add this attribute to a user or group
profile and set its value to "Seconds", TekRADIUS accounts credit in seconds. If you set Credit-Unit to
Bytes, Kbytes or Mbytes, accounting is based on data usage (Acct-Output-Octets) rather than
Acct-Session-Time.
• TRCLI.exe had a bug prior to version 2.8: passwords were converted to lower case before being entered
into the database. This was fixed in version 2.8.
• If a received Accounting-Stop packet does not contain an Acct-Session-Time attribute, TekRADIUS
automatically adds Acct-Session-Time to the received attributes and calculates its value as the
difference between the timestamp of the received Accounting-Stop packet and the timestamp of the
Accounting-Start packet.
• You can authenticate and authorize incoming PPTP and L2TP connection requests. The only supported
key strength for tunnel session keys is 128 bits. You can use CHAP, MS-CHAP v1, MS-CHAP v2, EAP-MD5
and PEAPv0-EAP-MS-CHAP v2 authentication methods on the client side.
• You can browse the SQL servers on your LAN and on the local machine at the Settings / SQL Connection
tab in TekRADIUS Manager (version 2.7).
• If you need to add more than one instance of a reply attribute to a user profile, you can enter the
values separated with ";" (semicolon, without quotes). Multiple-value entry is supported only for
string-type attributes. This feature is not implemented for check attributes.
• Encryption of passwords in the Authentication and Group tables is optional in version 2.5. If you
upgrade from version 2.3 or 2.4, start TekRADIUS Manager with the default values. If you upgrade from
versions prior to 2.3, manually edit TekRADIUS.ini, which can be found under the application
directory, and set EncryptPasswords=0 under the [Database] section before starting TekRADIUS.
• You can add a default RADIUS client entry in version 2.5 so that TekRADIUS accepts RADIUS requests
from unlisted RADIUS clients that present the correct shared secret. Note that the shared secret then
becomes the only control over which hosts may talk to the server, so use a long random secret and
restrict reachability of the RADIUS ports at the network level.
• There are changes in structure of Accounting table in version 2.4. Please examine Accounting.sql
script in TekRADIUS installation directory for changes.
• All password values stored in TekRADIUS.ini are encrypted in versions >= 2.3. If you upgrade from
previous versions you need to reset password values.
• RADIUS client shared secret keys stored in TekRADIUS.mdb are encrypted in versions >= 2.3. If you
upgrade from previous versions you need to reset RADIUS client shared secret keys.
• The "Clients" table format has changed. If you upgrade from previous versions you have to replace
TekRADIUS.mdb with the new one and re-enter the RADIUS client entries.
• The "Sessions" and "Accounting" table formats changed in version 1.8. If you upgrade from previous
versions, delete and recreate the "Sessions" and "Accounting" tables in the TekRADIUS database for
proper operation.
• Session resumption (session reuse) is not supported in TekRADIUS's TLS 1.0 implementation.
• The Tag field of the IETF Tunnel attributes is 0x01 by default and cannot be changed.
• When an EAP/PEAP session fails, the cached session information is cleared. If a valid response is not
received within 30 seconds (the default; not user-configurable) for an EAP/PEAP request, the cached
session information is also cleared.
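The 3.8 note on Next-Group above describes chaining group profiles so that a request matching any one of several NAS-IP-Address values is authorized, and warns that user-profile attributes override group attributes. The following is an added example illustrating that evaluation order and the override pitfall; it is not TekRADIUS code. The profile layout (dictionaries of check and reply attributes), the rule that a group matches when all of its check attributes equal the request's values, and the loop guard are my assumptions modelled on the release note.

```python
"""Group-profile chaining with Next-Group and the user-override pitfall.

Added example, not TekRADIUS code. Profiles, attribute values and the
matching rule are constructed assumptions based on the 3.8 release note.
"""

# Constructed group profiles: three NAS addresses, one group each, chained
# with Next-Group (a check attribute that exists only in group profiles).
GROUPS = {
    "nas-a": {"check": {"NAS-IP-Address": "10.0.0.1", "Next-Group": "nas-b"},
              "reply": {"Session-Timeout": "3600"}},
    "nas-b": {"check": {"NAS-IP-Address": "10.0.0.2", "Next-Group": "nas-c"},
              "reply": {"Session-Timeout": "3600"}},
    "nas-c": {"check": {"NAS-IP-Address": "10.0.0.3"},
              "reply": {"Session-Timeout": "1800"}},
}


def chain(groups, first, max_depth=16):
    """Yield (name, profile) following Next-Group; refuse loops and runaway chains."""
    seen, name = set(), first
    while name is not None:
        if name in seen or len(seen) >= max_depth:
            raise ValueError(f"Next-Group loop or chain too long at {name!r}")
        seen.add(name)
        profile = groups[name]
        yield name, profile
        name = profile["check"].get("Next-Group")


def effective_checks(user_profile, group_profile):
    """Merge check attributes: user values override group values, and
    Next-Group itself is a chaining instruction, not something to match."""
    merged = {k: v for k, v in group_profile["check"].items() if k != "Next-Group"}
    merged.update(user_profile["check"])
    return merged


def authorize(user_profile, groups, request):
    """Walk the user's group and every chained group; the first group whose
    effective check attributes all match the request wins. A group with no
    check attributes matches any request."""
    for name, group_profile in chain(groups, user_profile["group"]):
        checks = effective_checks(user_profile, group_profile)
        if all(request.get(attr) == value for attr, value in checks.items()):
            reply = dict(group_profile["reply"])
            reply.update(user_profile["reply"])
            return name, reply
    return None, {}
```

With an empty user check list, a request from 10.0.0.3 falls through nas-a and nas-b and matches nas-c. Put `NAS-IP-Address = 10.0.0.1` into the user profile, however, and that value overrides every chained group, so the same request matches nothing; that is the situation the note tells you to avoid. The loop guard is a defensive addition for chains that accidentally point back to themselves, since the note does not say what TekRADIUS does in that case.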
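The 3.1 note above records that earlier versions assumed a 16-octet CHAP-Challenge. RFC 2865 puts the challenge either in the CHAP-Challenge attribute, whose length is variable (at least 5 octets), or, when that attribute is absent, in the 16-octet Request Authenticator; only the fallback is fixed at 16 octets. The following added example, not TekRADIUS code, verifies a CHAP-Password against both challenge sources and contrasts it with a verifier that hard-codes 16 octets; the passwords and challenges are constructed test values, and modelling the old behaviour as truncation of the challenge is my assumption, since the note does not say how the old code failed.

```python
"""CHAP-Password verification per RFC 2865 sections 5.3 and 5.40 with a
variable-length CHAP-Challenge.

Added example, not TekRADIUS code. Passwords and challenges are constructed
test values; the 'fixed16' variant is an assumed model of the pre-3.1 bug.
"""
import hashlib
import hmac
import os


def make_challenge(length=24):
    """Server-chosen challenge; any length of at least 5 octets is legal."""
    if length < 5:
        raise ValueError("CHAP-Challenge must be at least 5 octets")
    return os.urandom(length)


def chap_response(chap_id, password, challenge):
    """What the client computes: MD5(ID + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password_attr, password, chap_challenge=None, request_authenticator=None):
    """chap_password_attr is the CHAP-Password value: 1 octet ID + 16 octet hash.

    The challenge is the CHAP-Challenge attribute when present (any length
    of at least 5 octets); otherwise the 16-octet Request Authenticator is
    used. CHAP needs the cleartext password on the server, which is why the
    Authentication table has to hold it in recoverable form.
    """
    if len(chap_password_attr) != 17:
        raise ValueError("CHAP-Password must be 17 octets (ID + MD5 digest)")
    if chap_challenge is not None:
        if len(chap_challenge) < 5:
            raise ValueError("CHAP-Challenge must be at least 5 octets")
        challenge = chap_challenge
    elif request_authenticator is not None and len(request_authenticator) == 16:
        challenge = request_authenticator
    else:
        raise ValueError("no usable challenge in the request")
    chap_id, received = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(chap_id, password, challenge)
    return hmac.compare_digest(expected, received)


def verify_chap_fixed16(chap_password_attr, password, chap_challenge):
    """Assumed model of the pre-3.1 behaviour: the challenge is taken to be
    exactly 16 octets, so a longer challenge is cut short and a correct
    password no longer verifies."""
    chap_id, received = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(chap_id, password, chap_challenge[:16])
    return hmac.compare_digest(expected, received)
```

With a 32-octet challenge the correct verifier accepts the right password and rejects a wrong one, while the fixed-16 verifier rejects the right password, which is the symptom an administrator would have seen from a NAS that sends long challenges before upgrading to 3.1.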

8. Trademarks

TekRADIUS contains code derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm.

Microsoft, Microsoft SQL Server, Win32, Windows 2000, Windows, Windows NT and Windows Vista are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Join TekRADIUS forums at http://forums.tekradius.com/
