

Installation & Configuration Guide Version 4.1

TekRADIUS Version 4.1 - Installation & Configuration Guide

Document Revision 7.8
http://www.tekradius.com/
TekRADIUS is built by Yasin KAPLAN.
Read Readme.txt, found under the application directory, for last-minute changes and updates.

Copyright 2007-2011 Yasin KAPLAN. All Rights Reserved. This document is supplied by Yasin KAPLAN. No part of this document may be reproduced, republished or retransmitted in any form or by any means whatsoever, whether electronically or mechanically, including, but not limited to, by way of photocopying, recording, information recording or through retrieval systems, without the written permission of Yasin KAPLAN. If you would like permission to use any of this material, please contact Yasin KAPLAN. Yasin KAPLAN reserves the right to revise this document and make changes at any time without prior notice. Specifications contained in this document are subject to change without notice. Please send your comments by email to [email protected]. TekRADIUS contains code derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm. Microsoft, Microsoft SQL Server, Win32, Windows 2000, Windows, Windows NT and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.


Table of Contents
Table of Contents, p. 3
Introduction, p. 4
System Requirements, p. 4
Installation, p. 4
Configuration, p. 4
  Settings Tab, p. 5
  SQL Connection, p. 5
  Database Tables, p. 6
  Accounting Table, p. 9
  Service Parameters, p. 10
  Alerting, p. 12
  Clients, p. 13
  Groups, p. 14
  Users, p. 15
  Dictionary Editor, p. 17
Reporting, p. 17
Starting TekRADIUS, p. 18
Monitoring, p. 18
  TekRADIUS Log File, p. 19
TekRADIUS Specific Attributes (RADIUS Check Items), p. 20
  TekRADIUS-Status, p. 20
  Simultaneous-Use, p. 20
  Expire-Date, p. 20
  User-Credit, p. 20
  Credit-Unit, p. 20
  Authentication-Method, p. 21
  TLS-Server-Certificate (TLS-Certificate prior to version 4.0), p. 21
  TLS-Client-Certificate, p. 21
  Windows-Domain, p. 21
  Active-Directory, p. 22
  Active-Directory-Group, p. 22
  Time-Limit, p. 22
  First-Logon, p. 22
  Login-Time, p. 23
  Generate-MS-MPPE-Keys, p. 23
  Next-Group, p. 24
  Failure-Reply-Type, p. 24
  Tunnel-Tag, p. 24
  Credit-Period, p. 24
  Credit-Per-Period, p. 25
  External-Executable, p. 25
Troubleshooting, p. 26
TekRADIUS Service Messages (TekRADIUS log file), p. 27
TekRADIUS Command Line Interface - TRCLI.exe, p. 31
Creating and Installing a Self Signed Certificate for PEAP/EAP-TLS Authentication, p. 34
  Creation of Self Signed Certificate, p. 34
  Certificate Deployment at Client Side, p. 35
  Client PEAP Configuration, p. 36
  Client EAP-TLS Configuration, p. 37
SQL Server Configuration, p. 39
  Connecting to SQL Express Using TCP/IP, p. 39
  SQL Express Authentication Configuration, p. 40
Encoding of Attribute 144 in RFC 4679 (ADSL-Forum Access-Loop-Encapsulation), p. 41

2007-2011 Yasin KAPLAN - http://www.tekradius.com/


Introduction
TekRADIUS is a RADIUS AAA server (based on RFC 2865 and RFC 2866) that runs under the Microsoft Windows (XP, Vista, 7, 2003-2008 Server) operating systems. Visit http://www.tekradius.com/ regularly for updates. The following authentication methods are supported by TekRADIUS:

PAP [RFC 2865]
CHAP [RFC 2865]
MS-CHAP v1 [RFC 2548, RFC 2759]
MS-CHAP v2 [RFC 2548, RFC 2759]
EAP-MD5 [RFC 2284, RFC 2869]
EAP-MS-CHAP v2 [draft-kamath-pppext-eap-mschapv2-02.txt]
EAP-TLS [RFC 2716]
PEAPv0-EAP-MS-CHAP v2 [draft-kamath-pppext-peapv0-00.txt] (as implemented in Windows XP SP1)
Digest [draft-sterman-aaa-sip-00.txt] (SIP Authentication)

TekRADIUS also supports RFC 2868 - RADIUS Attributes for Tunnel Protocol Support and RFC 3079 - Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE). You can authenticate and authorize PPTP/L2TP connections using TekRADIUS. EAP-TLS is supported only in the commercial edition of TekRADIUS.

System Requirements
TekRADIUS requires Microsoft SQL Server; you can use the 2000 or 2005 versions. Edition selection and required disk space depend on your application. Please see the section titled SQL Server Configuration for configuring SQL Server to use with TekRADIUS. You also need the Microsoft .NET Framework 4.0 Client Profile installed with the latest patches. TekRADIUS currently supports only Microsoft SQL Server editions as the database. Although an sa-equivalent SQL user is needed to create the database and the tables, you can set a less privileged SQL user for regular operation after creating the database and the tables. Consider using the TekRADIUS LT edition if you do not want to use Microsoft SQL Server. A Pentium IV class CPU with 1 GB of RAM is ideal for most configurations.

Installation
Unzip TekRADIUS.zip and run Setup.exe, which comes with the distribution. Follow the instructions of the setup wizard. Setup will install TekRADIUS Manager and TekRADIUS Service, and add a shortcut for TekRADIUS Manager to the desktop and the Start menu.

Configuration
Run TekRADIUS Manager by clicking on the desktop shortcut or selecting TekRADIUS Manager from Start/Programs/TekRADIUS/TekRADIUS Manager. You need to have Administrative privileges on the computer you've installed TekRADIUS on (that means you must be logged in either as the Administrator user or as a user in the built-in Administrators group). You can not access settings parameters without Administrative privileges. If you log in with an ordinary user account, TekRADIUS Manager will run in Operator mode, which just provides:

Changing existing user profiles
Monitoring active sessions
Generating usage reports (please see the related section on generating usage reports)

You need to configure initialization parameters before running the TekRADIUS Service. Save configuration changes and restart after changing the configuration.

Settings Tab
Click Settings Tab to start configuration.

SQL Connection
You must configure the SQL Connection first. Enter the following information:

Figure - 1. SQL Connection settings

SQL Server: Enter the IP address or FQDN of the server running SQL Server. You can also select one of the detected SQL servers from the list; click the refresh button to re-detect SQL servers on the local machine and the local network. If SQL Server is installed on the same machine you can also enter Localhost (without quotes).

Username: Enter the SQL username used to connect to SQL Server. If your SQL server is configured for local Windows Integrated Authentication, you need to change its configuration to support username/password based authentication. You can change the default authentication mode using SQL Server Management Studio for SQL Server 2005 (right click the registered SQL Server instance, select Properties, then Security). For SQL Server 2000 consult http://support.microsoft.com/kb/285097. Please see the section titled SQL Server Configuration for configuring SQL Server to use with TekRADIUS.

Password: Enter the password of the SQL user.

Timeout: Enter the connection timeout (in seconds) for SQL Server. The default value is 30 seconds.

Use Default Authentication Key: If you plan to use a different RADIUS attribute (for example Calling-Station-Id in place of User-Name) for matching user profiles with RADIUS authentication requests, uncheck this option.

Key: If you uncheck the Use Default Authentication Key option, select which RADIUS attribute is used for matching user profiles with RADIUS authentication requests.

Use Default Authorization Query: You can specify an alternative query to select the authorization parameters from the Users table which will be returned to the access server for the user. Always use AttrType=1 to get success-reply attributes. By default, the Select Attribute, Val from <users_table> where UserName='%Key%' and AttrType = 1 query is used to fetch success-reply attributes from the Users table, and the Select Attribute, Val from <users_table> where UserName='%Key%' and AttrType = 0 query is used to fetch check attributes from the Users table.

Authz. Query: If you unchecked the Use Default Authorization Query option, you can enter your alternative query here.

Delimiter Character: Specify the delimiter character used to enter string type multiple-instance reply attributes in user or group profiles. Its default value is the semicolon (;).

Encrypt Passwords: You can optionally keep the passwords configured for user and group profiles encrypted in the TekRADIUS database.

You can test your settings before saving; click [Test Connection]. A Connection Successful but database not exists or Connection Successful but there was missing table(s) response means your configuration is valid. You can create the database and the required database tables in the Database Tables tab. If you wish to create the database and all database tables manually, you can find SQL scripts for creating the TekRADIUS database and tables in the installation directory (TekRADIUS.sql for the database; Users.sql, Groups.sql, Acconting.sql and Session.sql for the tables).

Database Tables
If you can access SQL Server, you can create the database and tables needed by TekRADIUS. If TekRADIUS finds previously created tables, it automatically unchecks those table entries. Enter the following information:

Create Database / Database Name: Enter the name of the database to create. The default is TekRADIUS. Click [Create Database] to create the database. The following SQL clause is executed to create the database:


If the database is created successfully you will get the Database created and connection settings are updated message.

Figure - 2. Database tables configuration

Create Tables / Users Table: The Users table contains user definitions and the check and reply RADIUS attributes for the users. Uncheck the checkbox on the left hand side of the text box if you do not want to create the Users table. The following SQL clause is executed to create the Users table:

USE [TekRADIUS]
GO
CREATE TABLE [dbo].[Users](
    [UserName] [nchar](64) NOT NULL,
    [Attribute] [nchar](16) NULL,
    [AttrType] [int] NULL,
    [Val] [nchar](64) NULL
) ON [PRIMARY]
GO
CREATE NONCLUSTERED INDEX [IX_Users] ON [dbo].[Users] ( [UserName] ASC )
GO

Create Tables / Accounting Table: The Accounting table stores RADIUS accounting messages. Uncheck the checkbox on the left hand side of the text box if you do not want to create the Accounting table. The following SQL clause is executed to create the Accounting table (indexes are vital for high performance!):

USE [TekRADIUS]
GO
CREATE TABLE [dbo].[Accounting](
    [SessionID] [nchar](255) NOT NULL,
    [StatusType] [nchar](30) NULL,
    [InputOcts] [int] NULL CONSTRAINT [DF_Accounting_InputOcts] DEFAULT ((0)),
    [OutOcts] [int] NULL CONSTRAINT [DF_Accounting_OutOcts] DEFAULT ((0)),
    [UserName] [nchar](128) NULL,
    [NasIPAddr] [nchar](15) NULL,
    [NasIdentifier] [nchar](255) NULL,
    [NasPort] [nchar](40) NULL,
    [NasPortId] [nchar](255) NULL,
    [NasPortType] [nchar](40) NULL,
    [ServiceType] [nchar](40) NULL,
    [FramedIPAddr] [nchar](15) NULL,
    [CallingStationId] [nchar](64) NULL,
    [CalledStationId] [nchar](64) NULL,
    [AcctSessTime] [int] NULL,
    [DisconnectCause] [nchar](128),
    [TimeStamp] [datetime] NOT NULL,
    [Amount] [int] NULL)
GO
CREATE NONCLUSTERED INDEX [IX_Accounting_1] ON [dbo].[Accounting] ( [TimeStamp] ASC )
GO
CREATE NONCLUSTERED INDEX [IX_Accounting_2] ON [dbo].[Accounting] ( [SessionID] ASC )
GO
CREATE NONCLUSTERED INDEX [IX_Accounting_3] ON [dbo].[Accounting] ( [UserName] ASC )
GO
CREATE NONCLUSTERED INDEX [IX_Accounting_4] ON [dbo].[Accounting] ( [NasIPAddr] ASC )
GO

Create Tables / Groups Table: The Groups table contains the common check and reply RADIUS attributes for a group of users. Uncheck the checkbox on the left hand side of the text box if you do not want to create the Groups table. The following SQL clause is executed to create the Groups table:

USE [TekRADIUS]
GO
CREATE TABLE [dbo].[Groups](
    [GroupID] [nchar](64) NULL,
    [Attribute] [nchar](64) NULL,
    [AttrType] [int] NULL,
    [Val] [nchar](128) NULL
) ON [PRIMARY]
GO
CREATE NONCLUSTERED INDEX [IX_Groups] ON [dbo].[Groups] ( [GroupID] ASC )
GO

Create Tables / Sessions Table: TekRADIUS stores active sessions in the Sessions table. When a RADIUS accounting start message is received, a record for that session is added to the Sessions table. TekRADIUS removes that record as soon as it receives the RADIUS accounting stop message for that session. TekRADIUS clears the Sessions table every time the service starts. Sessions displayed in the Active Sessions tab are fetched from the Sessions table. Uncheck the checkbox on the left hand side of the text box if you do not want to create the Sessions table. The following SQL clause is executed to create the Sessions table:

USE [TekRADIUS]
GO
CREATE TABLE [dbo].[Sessions](
    [TimeStamp] [datetime] NOT NULL,
    [SessionID] [nchar](255) NULL,
    [UserName] [nchar](128) NULL,
    [GroupName] [nchar](128) NULL,
    [NasIPAddr] [nchar](15) NULL,
    [NasIdentifier] [nchar](255) NULL,
    [NasPort] [nchar](40) NULL,
    [NasPortType] [nchar](40) NULL,
    [NasPortId] [nchar](255) NULL,
    [ServiceType] [nchar](40) NULL,
    [FramedIPAddr] [nchar](15) NULL,
    [CallingStationID] [nchar](64) NULL,
    [CalledStationID] [nchar](64) NULL)
GO
CREATE NONCLUSTERED INDEX [IX_Sessions] ON [dbo].[Sessions] ( [TimeStamp] ASC )
GO

Click [Create Tables] to create the selected tables. If the tables are created successfully you will get the Table(s) created and connection settings are updated message. In the Users and Groups tables the AttrType field is set to 0 for RADIUS check attributes, 1 for success-reply attributes and 2 for failure-reply attributes.

Accounting Table
You can define which RADIUS accounting attribute received in RADIUS Accounting messages is stored in which field of the Accounting table created in the SQL database. There are two list boxes: on the left hand side you select the accounting table field, on the right hand side you select the matching RADIUS attribute. Click [Add Pair] to add your pair or [Delete Pair] to delete a previously added pair.

Figure - 3. Accounting table field selection


There is a special consideration for the Cisco-AVPair attribute: you have to manually enter the Cisco-AVPair key as the RADIUS Attribute. For instance, if your Cisco access server sends Cisco-AVPair = "connect-progress=LAN Ses Up" you would enter connect-progress as the RADIUS Attribute. You can use this feature for Cisco-like vendor dictionaries. If you can not find a valid entry in Acct. Table Columns for the desired accounting attribute, you need to add a new field to the Accounting table using Microsoft SQL Manager.

Service Parameters
Enter the following information to configure service specific parameters:

Listen IP Address: Select the IP address to be listened on by the TekRADIUS server. The list contains all IP addresses associated with enabled network interfaces. If you change or remove the listened IP address in your Windows network configuration, TekRADIUS automatically selects the first available IPv4 address in your network settings at startup.

Startup: Select the startup mode of the TekRADIUS service. The default startup mode is Manual. You have to click [Save Settings] to make the selected mode active.

Secure Shutdown: If selected, TekRADIUS will insert artificial Stop records for the active sessions while shutting down. TekRADIUS will update the artificial stop record with the received one if a valid Stop message is received after restarting TekRADIUS. Enabling this option is useless if you receive only RADIUS Accounting-Stop messages from your access server.

Figure - 4. Service parameters configuration

Logging: Select the logging level of the TekRADIUS service. Select None if you do not want logging, Errors to log errors only, and Sessions to log session information and errors. The Debug option provides more details on errors and gives packet decodes for PEAP negotiations. Log files are located under the <Application Directory>\Logs directory.

PEAP Inner Auth. Method: You can set the primary PEAP inner authentication method. TekRADIUS supports EAP-MD5 and EAP-MS-CHAP-v2 as inner authentication methods. The default inner authentication method is EAP-MS-CHAP v2.

SSCC (Self Signed Certificate Creation): TekRADIUS can create a server certificate dynamically for every PEAP authentication request, so you do not have to configure a server certificate using the TLS-Server-Certificate attribute if you set this option. You must disable server certificate validation when you set this option; note that a client which does not validate the server certificate has no way to distinguish the genuine server from any other server presenting a certificate. This option is only available in the commercial edition of TekRADIUS.

Authentication Port: Enter the UDP RADIUS authentication port (default 1812). If you do not enter a numeric value between 1 and 65535, the default value will be used. If the selected port is used by another program, TekRADIUS will disable the RADIUS Authentication thread and add an event entry to the Windows Event Log: Unable to initialize TekRADIUS Authentication thread.

Authorization Only: Check it if you plan just to authorize requests from RADIUS clients. If you configure TekRADIUS to run in "Authorization Only" mode there must be at least one success-reply attribute configured for the users to be authorized; otherwise users will get an Access-Reject. Use this option with care: if a username matching the authentication request is found, TekRADIUS will reply with an Access-Accept message regardless of the User-Password in the request. If you select the Authorize Only option, TekRADIUS will not process the check attributes configured for the user in the personal and group profiles. If TekRADIUS finds a valid user entry in the Users table, only the success-reply attributes will be returned in an Access-Accept message.

Keep Domain Name: TekRADIUS automatically removes the characters before the \ character in the User-Name attribute received in access and accounting requests. Check this option to change this behavior.

Failure Count: TekRADIUS can disable a user profile after a user-configurable number of unsuccessful login attempts. If you have enabled Mail Alerting you will get a notification when a user profile is automatically disabled. Entering 0 disables this feature.

Accounting Enabled: Check it if you plan to collect accounting packets from RADIUS clients. Accounting messages are handled as follows:

When an Accounting-Checkpoint message is received for an un-started session, the first checkpoint message is taken as the accounting session start (a Sessions table entry is also added).
When an Accounting-Stop message is received for an already stopped session, the session's stop record is updated with the received one if the previously received Accounting-Stop of the session has no Acct-Session-Time attribute (Acct-Session-Time=NULL).
When an Accounting-Off message is received from a NAS, all active sessions from that NAS are stopped with Acct-Session-Time=NULL, and their entries are cleared from the Sessions table.
When the TekRADIUS Service is stopped, all active sessions are stopped with Acct-Session-Time=NULL, and their entries are cleared from the Sessions table.

Accounting Port: Enter the UDP RADIUS accounting port (default 1813). If you do not enter a numeric value between 1 and 65535, the default value will be used. If you enter the same port number as the authentication port, accounting will be disabled. If the selected port is used by another program, TekRADIUS will disable the RADIUS Accounting thread and add an event entry to the Windows Event Log: Unable to initialize TekRADIUS Accounting thread. If TekRADIUS can not initialize both the Authentication and Accounting threads, it stops the startup sequence and adds an event entry to the Windows Event Log: Could not start any of TekRADIUS threads; exiting...

Windows Authentication Proxy: TekRADIUS can act as a proxy for the user accounts defined in the local Windows domain / server. Click to enable it. If TekRADIUS can not find a valid entry in the Users table and Windows Authentication Proxy is enabled, it checks the username/password on the local Windows machine. Success-Reply attributes are fetched from the Default user group if the username/password is valid in the Windows domain. If you plan to define specific RADIUS check and reply attributes for such users, create a user profile entry using TekRADIUS Manager for the particular user without a User-Password attribute, and add the Authentication-Type attribute as a check item with the value Windows in the user's profile.

Active Directory Proxy: TekRADIUS can act as a proxy for the user accounts defined in the local Active Directory domain / server. Click to enable it. If TekRADIUS can not find a valid entry in the Users table and Active Directory Proxy is enabled, it checks the username/password on Active Directory. Success-Reply attributes are fetched from the Default user group if the username/password is valid in the Active Directory domain. If you plan to define specific RADIUS check and reply attributes for such users, create a user profile entry using TekRADIUS Manager for the particular user without a User-Password attribute, and add the Authentication-Type attribute as a check item with the value LDAP in the user's profile.
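The accounting rules listed under Accounting Enabled, as an added worked example that is not TekRADIUS code: a small Python model of the Sessions and Accounting tables fed constructed accounting packets. The AccountingStore class and its method names are assumptions, not TekRADIUS internals.

```python
# Added example (not TekRADIUS code): the "Accounting Enabled" rules applied to
# constructed accounting packets. `sessions` stands in for the Sessions table
# (active sessions only) and `accounting` for the Accounting table (history).
# AccountingStore and its method names are hypothetical.
from typing import Optional


class AccountingStore:
    def __init__(self) -> None:
        self.sessions = {}     # Sessions table: Acct-Session-Id -> packet; empty at service start
        self.accounting = []   # Accounting table: one dict per Start/Stop record

    def stop_record(self, session_id: str) -> Optional[dict]:
        """Return the Stop row already stored for a session, if any."""
        for rec in self.accounting:
            if rec["SessionID"] == session_id and rec["StatusType"] == "Stop":
                return rec
        return None

    def _record(self, status: str, session_id: str, username: Optional[str],
                nas_ip: str, sess_time: Optional[int]) -> dict:
        rec = {"SessionID": session_id, "StatusType": status, "UserName": username,
               "NasIPAddr": nas_ip, "AcctSessTime": sess_time}
        self.accounting.append(rec)
        return rec

    def _start(self, pkt: dict) -> None:
        self.sessions[pkt["Acct-Session-Id"]] = dict(pkt)   # add Sessions table entry
        self._record("Start", pkt["Acct-Session-Id"], pkt.get("User-Name"),
                     pkt["NAS-IP-Address"], None)

    def _stop(self, session_id: str, username: Optional[str],
              nas_ip: str, sess_time: Optional[int]) -> None:
        self.sessions.pop(session_id, None)                  # clear Sessions table entry
        self._record("Stop", session_id, username, nas_ip, sess_time)

    def handle(self, pkt: dict) -> None:
        """Apply one Accounting-Request; Acct-Status-Type selects the rule."""
        status = pkt["Acct-Status-Type"]
        nas_ip = pkt["NAS-IP-Address"]
        if status == "Start":
            self._start(pkt)
        elif status == "Interim-Update":            # the guide calls this Accounting-Checkpoint
            if pkt["Acct-Session-Id"] not in self.sessions:
                self._start(pkt)                    # first checkpoint counts as the session start
        elif status == "Stop":
            sid = pkt["Acct-Session-Id"]
            existing = self.stop_record(sid)
            if existing is None:
                self._stop(sid, pkt.get("User-Name"), nas_ip, pkt.get("Acct-Session-Time"))
            elif existing["AcctSessTime"] is None:
                # an earlier artificial Stop (Acct-Session-Time=NULL) is updated with the real one
                existing["AcctSessTime"] = pkt.get("Acct-Session-Time")
            # a Stop for a session that already has a complete Stop record is ignored
        elif status == "Accounting-Off":
            # every active session from that NAS is stopped with Acct-Session-Time=NULL
            for sid, rec in list(self.sessions.items()):
                if rec["NAS-IP-Address"] == nas_ip:
                    self._stop(sid, rec.get("User-Name"), nas_ip, None)

    def service_stop(self) -> None:
        """Service shutdown: every active session gets a Stop with Acct-Session-Time=NULL."""
        for sid, rec in list(self.sessions.items()):
            self._stop(sid, rec.get("User-Name"), rec["NAS-IP-Address"], None)


def demo() -> list:
    """Replay a constructed packet sequence and return the Accounting rows."""
    store = AccountingStore()
    store.handle({"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "s1",
                  "User-Name": "alice", "NAS-IP-Address": "10.0.0.1"})
    store.handle({"Acct-Status-Type": "Start", "Acct-Session-Id": "s2",
                  "User-Name": "bob", "NAS-IP-Address": "10.0.0.1"})
    store.handle({"Acct-Status-Type": "Accounting-Off", "NAS-IP-Address": "10.0.0.1"})
    store.handle({"Acct-Status-Type": "Stop", "Acct-Session-Id": "s1", "User-Name": "alice",
                  "NAS-IP-Address": "10.0.0.1", "Acct-Session-Time": 120})
    return store.accounting
```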

Alerting
TekRADIUS can be configured to send e-mail alerts if an error condition occurs within the configured duration and period. Enter the following information to configure alerting:

Figure - 5. Alerting configuration



Mail Alerting Enabled: Click to enable Mail Alerting.
SMTP Server: Enter the IP address or FQDN of the SMTP server.
Mail To: Enter the e-mail address to which alerts are sent.
Mail From: Enter the e-mail address shown as the sender address.
Authentication Required: Check it if your SMTP server requires user authentication.
SMTP Username: Enter the SMTP username.
Password: Enter the password of the SMTP user.
Error Duration (Sec): Enter the minimum error duration, in seconds, before an e-mail alert is sent (default 60 seconds).
Mail Period (Min): Enter the minimum duration, in minutes, before the next e-mail alert is sent (default 15 minutes).

Click [Test Alerting] to test the e-mail alerting configuration. If your configuration is valid, you will receive a test message sent by TekRADIUS.

Clients
You can define RADIUS clients in the Clients tab. Enter the IP address and the shared RADIUS secret key for each RADIUS client. Client data is stored in the Clients table in the TekRADIUS.mdb file under the installation directory. When you add, edit or delete a client, the change is immediately written to the Clients table. You have to enter a valid IP address and you can not enter a blank secret.

Figure - 6. RADIUS clients

In order to edit a client entry, select the client entry and click [Edit], or double click the client entry. The selected record will be fetched from the client list. Make the necessary change(s) and click [Save].

Similarly, click [Delete] to delete a client entry after selecting it. If you do not know your access server's vendor, or it is not listed, select ietf as the Vendor value. As of version 2.5 you can add a default RADIUS client entry so that TekRADIUS accepts RADIUS requests from unlisted RADIUS clients that present the correct shared key.

You can define a Kill command to drop user sessions through the Active Sessions tab if you have a command line utility that can send a signal to disconnect a particular user session. You can use the following parameters with your Kill command:

$NASIPAddress
$SessID
$UserName
$NasPort
$NasPortId
$Calling-Station-Id

Some NAS devices support SNMP, which can be used to disconnect users. You can use a command line SNMP set utility to disconnect users. Please consult your NAS documentation to find out whether it supports this, and which MIB to use. This is an example to clear TTY sessions on a Cisco device:

c:\util\snmpset $NASIPAddress public . integer $NasPort

You can also use other types of utilities supported by your access server.

Groups
Defining user groups for the RADIUS attributes common to a group of users is a good idea. The Default user group is added automatically when you create the database tables. You can not delete the Default user group through TekRADIUS Manager, and it is needed by TekRADIUS for proper operation.

Figure - 7. Groups tab



In order to add a Group, enter group name to the Group: text box (Bottom left) and click [Add]. You can not enter a blank group name. If you whish to change a groups name, select group, enter new name to Group: text box and click [Modify]. Similarly click [Delete] button to delete a group entry after selecting it. You can not modify or delete default user group. If you delete a group, group members are automatically moved to Default group. You can browse groups clicking [Search] button. This will retrieve all groups in the database. In order to search for a particular group, enter first letters of the group and click [Search] button. Matching group names will be listed in group list box. You can add or delete check and reply attributes for the groups from Group Details section. If you would like to provide restricted access to unauthenticated users, add Failure-Reply attributes to user or group profiles. TekRADIUS will reply with Access-Accept message containing FailureReply attributes if user or group profile has Failure-Reply attributes when authentication fails. If user or group profile has not Failure-Reply attributes, TekRADIUS will reply with Access-Reject message. (This feature is not available for PEAP authentication, VPN authentication and when authentication failure caused by invalid authentication method). Use this feature with extreme care; if Default user group has Failure-Reply attributes, all failed authentication attempts will be replied by Access-Accept messages containing Failure-Reply attributes. When a user is authorized with Failure-Reply Simultaneous-Use, Expire-Date, Login-Time, TekRADIUSStatus and Quota check will not be done. If you wish to send Failure-Reply attributes in an Access-Reject message, add Failure-ReplyType attribute as a check attribute to user or group profile with value of Reject. Check items will be listed in dark red, success-reply items will be listed in dark blue and successreply items will be listed in turquoise. 
If you try to add a previously defined attribute, TekRADIUS replaces the existing one with the new one. If you need more than one instance of a reply attribute in a user profile, enter the values separated with ; (semicolon). Multiple values are supported only for string type attributes. You can enter hexadecimal strings with a 0x prefix (0x54656B524144495553 for the string TekRADIUS, for example). You can add Informational type attributes to user or group profiles, and you can add your own vendor to the TekRADIUS dictionary to store user or group specific data such as addresses and phone numbers. Informational type attributes are not used while authenticating or authorizing users; they are displayed in dark green. User attributes override Group attributes!

In order to add a user, enter the username in the User: text box (bottom left), select the user's group and click [Add/Update]. Follow the same instructions as in the Groups tab for the other operations. The User-Password attribute is stored encrypted in the Users and Groups tables. You can define a default user profile to be used when a matching user profile cannot be found for an incoming RADIUS authentication request. If Windows Authentication Proxy (WAP) or Active Directory Proxy (ADP) is enabled, TekRADIUS tries WAP first, then ADP, and finally checks for the existence of the default user profile. The Simultaneous-Use, User-Credit, Credit-Unit, First-Logon, Credit-Period and Credit-Per-Period attributes have no function in the default user profile. The username "Default" is reserved for the default user profile.



Figure - 8. Users tab

Attributes defined in user profiles take precedence over group attributes: if you define the same attribute in both the user and the group profile, the one in the user profile is used. An attribute cannot occupy more than one row in the reply items.

Figure - 9. Dictionary Editor



Dictionary Editor
You can edit RADIUS dictionary entries using the Dictionary Editor. RADIUS dictionary entries (Vendors, Attributes and Values) and client definitions are stored in TekRADIUS.mdb, which can be found in the application directory. The dictionary consists of the Vendors, Attributes and Values tables. When you disable or delete a vendor or an attribute, so that no valid entry for the vendor can be found, VSAs from that vendor are ignored when authenticating the user; reply attributes configured for a vendor are likewise not sent to the NAS if the vendor has no entry in the TekRADIUS.mdb/Vendors table. The attribute name is automatically prepended in Cisco and Quintum VSA replies (except for the Cisco AV-Pair attribute); the Quintum-h323-preferred-lang reply attribute is sent as Quintum-h323-preferred-lang = H323-preferred-lang=TR, for instance. Attributes in received RADIUS packets which are not in the dictionary are ignored. Only the first attribute is processed if there are duplicate attributes in request packets, except for Cisco and Quintum AVPs (Cisco & Quintum VSA 1). Consider disabling unnecessary vendors for better performance.

Reporting

TekRADIUS provides a simple interface for browsing the RADIUS Accounting records stored in the Accounting table. You can produce reports for a selected user, or for all users in a group, for a specified range of dates. Select User or Group, enter the first few letters of the user name or group name and click the Select button. If you leave the query parameter text box empty, clicking Select lists all users in the TekRADIUS database when User is selected, and all groups defined in the TekRADIUS database when Group is selected.

Figure - 10. Reporting tab



You can optionally select the dates between which the accounting events took place. If you do not specify dates, all session entries are listed for the selected user(s). Click the Report button to list the accounting entries. You can print the query result or save it as a CSV file.

Starting TekRADIUS
Click the Service menu and select Start to run TekRADIUS after making the necessary configuration changes and saving them. If the service starts successfully you will see the message TekRADIUS Service is Running in the message section at the bottom left of TekRADIUS Manager. Optionally, you can start/stop TekRADIUS using the button on the left-hand side of the [Save Settings] button. When you make any change in the configuration while the TekRADIUS service is running, TekRADIUS asks whether you wish to restart the service to activate the changed settings. If the TekRADIUS service cannot start, examine the Application Log tab as well as the TekRADIUS log file under <Application Directory>\Logs (if you have enabled logging in Settings/Service Parameters).

You can see the Application Log entries added by TekRADIUS in the Application Log tab. If you choose Enable Auto Refresh the list is refreshed automatically; otherwise you can refresh it manually by clicking the [Refresh] button. You can delete all log entries by clicking the [Clear Log] button. You need administrative privileges to read from and write to the event log on Windows Vista.

Figure - 11. Application Log tab

You can also monitor active sessions from the [Active Sessions] tab. The list is not refreshed automatically; you can refresh it by clicking the [Refresh] button. There are some hidden columns; click Show Detail to unhide them. TekRADIUS clears all entries in the Sessions table when it is restarted.


Figure - 12. Active Sessions tab

In order to see active sessions, your RADIUS client must send RADIUS Accounting Start/Stop packets to TekRADIUS. Most RADIUS clients support a Stop-Only mode; if you have configured your access server to send only RADIUS Accounting-Stop packets, you cannot see active sessions. The Clear, Kill and Disconnect functions were added to the Active Sessions tab in version 3.2. Clear only removes the entry from the Sessions table and inserts an artificial stop record for the session; it neither disconnects the user session nor decrements the simultaneous session counter (you still need to restart the TekRADIUS server to reset the simultaneous session counters). If the user has a time-based credit limit, clearing the user session also updates the user's credit. If you have defined a data volume based credit, or the session is a VoIP call, use the Kill or Disconnect functions instead. Kill executes the user-defined function configured in the client entry. Disconnect sends a RADIUS Disconnect-Message (Packet of Disconnect, PoD) to the remote access server; you need to configure your access server to accept PoD messages from TekRADIUS.

TekRADIUS Log File

You can log session details and errors that occur in the TekRADIUS log file. Log files are located under the <Application Directory>\Logs directory. You can specify the logging detail level from the Settings/Service Parameters tab. The TekRADIUS log file is rotated daily. You can also open the log file from the File menu of TekRADIUS Manager.




TekRADIUS Specific Attributes (RADIUS Check Items)

TekRADIUS provides a series of special attributes. Their names and functions are described below. These attributes can be added to user or group profiles only as check attributes.

TekRADIUS-Status

TekRADIUS rejects authentication requests if the TekRADIUS-Status attribute exists in the user or group profile and its value is set to Disabled. If this attribute does not exist in the user or group profile, TekRADIUS assumes that the user or group is enabled. When the user profile is disabled, the user receives a failure reply if the user profile has Failure-Reply attributes.

Simultaneous-Use

In order to use the Simultaneous-Use attribute you must enable Accounting on TekRADIUS; otherwise users with the Simultaneous-Use attribute set receive Access-Reject. Most RADIUS clients support a Stop-Only mode; if you have configured your access server to send only RADIUS Accounting-Stop packets, this feature does not function. To set a simultaneous session limit for a user, add the Simultaneous-Use attribute as a check attribute in the user's profile. If you add this attribute to a group profile, you limit the total number of sessions for the group. TekRADIUS checks whether the group limit has been reached first and then checks the user limit.

Expire-Date

You can specify an Expire-Date as a check item in user or group profiles. After the specified date has passed, TekRADIUS does not allow logins by the user or the group's members. Use the system locale format to enter the Expire-Date.

User-Credit

You can specify a usage quota for a user (in user profiles only!) by adding User-Credit as a check item in the user's profile; the unit of the value is given by the Credit-Unit attribute (Seconds by default). In order to use the User-Credit attribute you must enable Accounting on TekRADIUS; otherwise users with the User-Credit attribute set receive Access-Reject. TekRADIUS updates the value of the User-Credit attribute when an Accounting-Stop or Checkpoint is received for the user session, using the Acct-Session-Time attribute in that message. If TekRADIUS cannot find the Acct-Session-Time attribute in the Accounting-Stop or Checkpoint message, the value [Accounting Stop Time] - [Accounting Start Time] is used in place of Acct-Session-Time.

Credit-Unit

You can select the unit of the accounting data using Credit-Unit. If you add this attribute to a user or group profile and set its value to Seconds, TekRADIUS accounts in seconds. If you set the Credit-Unit value to Bytes, Kbytes or Mbytes, accounting is based on data usage (Acct-Input-Octets) rather than Acct-Session-Time. If this attribute does not exist in the user or group profile, Seconds is the default unit. This attribute also specifies the unit of the value in the User-Credit attribute.

Authentication-Method

You can use the user's authentication method as a RADIUS check item with TekRADIUS: if a user is granted login only with PAP, for instance, that user cannot log in using CHAP. In order to authenticate users with PEAP or EAP-TLS, you must add the TLS-Server-Certificate attribute to the user or group profile. You cannot use the Windows Authentication Proxy feature with the CHAP and EAP-MD5 authentication methods, as TekRADIUS cannot retrieve the Windows user's clear text password through Windows Authentication Proxy. Windows authentication with MS-CHAP-v1, MS-CHAP-v2, EAP-MS-CHAP v2 and PEAPv0-EAP-MS-CHAP-v2 is supported only in the commercial editions. TekRADIUS supports the PAP, CHAP, MS-CHAP-v1, MS-CHAP-v2, EAP-MD5, EAP-MS-CHAP v2, PEAPv0-EAP-MS-CHAP-v2 (as implemented in Windows XP SP1) and Digest (draft-sterman-aaa-sip-00.txt) authentication methods.

TLS-Server-Certificate (TLS-Certificate prior to version 4.0)

If TekRADIUS receives a PEAP or EAP-TLS authentication request, it looks for the TLS-Server-Certificate attribute in the user profile and then in the group profile. TLS-Server-Certificate holds the name of the server certificate configured for the PEAP or EAP-TLS session. If TekRADIUS cannot find TLS-Server-Certificate in the user or group profile for a PEAP or EAP-TLS authentication request, the access request is rejected. Server certificates must be installed with their private keys in the Windows Certificate Store. Please see the document titled Creating and Installing a Self Signed Certificate for PEAP/EAP-TLS Authentication in this manual for installing certificates. TekRADIUS distinguishes certificates by the CN property of the certificate's Subject field.

TLS-Client-Certificate

If TekRADIUS receives an EAP-TLS authentication request, it looks for the TLS-Client-Certificate attribute in the user profile and then in the group profile. TLS-Client-Certificate holds the name of the client certificate configured for the EAP-TLS session. If TekRADIUS cannot find TLS-Client-Certificate in the user or group profile for an EAP-TLS authentication request, the access request is rejected. Client certificates must be installed in the Windows Certificate Store. Please see the document titled Creating and Installing a Self Signed Certificate for PEAP/EAP-TLS Authentication in this manual for installing certificates. TekRADIUS distinguishes certificates by the CN property of the certificate's Subject field.

Windows-Domain

If you add the Authentication-Method (check) attribute to a user's or group's profile and set it to Windows, there are two ways to specify which Windows domain holds the user account: you can specify the Windows Domain globally in the Configuration / Server Settings tab, or you can add a specific Windows-Domain attribute to the user's or group's profile.

If you set the Windows Domain parameter in the Settings / Server Settings tab, enter . as the parameter value to make TekRADIUS use the local domain. Enter the domain name or domain server IP address without the leading \\ double backslash. Windows-Domain is a string type attribute and can exist only as a check attribute in user or group profiles.

Active-Directory

If you add the Authentication-Method (check) attribute to a user's or group's profile and set it to LDAP, there are two ways to specify which Active Directory holds the user account: you can specify the Active Directory globally in the Configuration / Server Settings tab, or you can add a specific Active-Directory attribute to the user's or group's profile. Enter the domain name or Active Directory IP address without the leading \\ double backslash. Active-Directory is a string type attribute and can exist only as a check attribute in user or group profiles.

Active-Directory-Group

If you implement Active Directory authentication, you can also validate the user's Active Directory group membership by adding the Active-Directory-Group attribute as a check attribute to the user or group profile. Active-Directory-Group is a string type attribute and can exist only as a check attribute in user or group profiles.

Time-Limit

If you add the Time-Limit (check) attribute to a user's or group's profile, TekRADIUS checks that the specified time (in minutes) has not elapsed since the first logon recorded in the First-Logon attribute. If the First-Logon attribute is not found, TekRADIUS treats the current login attempt as the first login and adds the First-Logon attribute to the user's profile as a check attribute with the current date and time as its value. Time-Limit is an integer type attribute and can exist only as a check attribute in user or group profiles.

First-Logon

This attribute is automatically added to the user profile by TekRADIUS at the first login attempt if the user or group profile has the Time-Limit attribute. You can update it manually using TekRADIUS Manager or trcli.exe. First-Logon is a string type attribute and can exist only as a check attribute in user profiles.



Login-Time

You can limit a user's allowed login days and hours by adding Login-Time as a check attribute to the user or group profile. When this attribute is present, the default action is to reject the authentication request if it is not received within an allowed time slot. The syntax of the Login-Time attribute is:

[Su|Mo|Tu|We|Th|Fr|Sa|Wk|Hd|Al]<Begin Hour>-<End Hour>

Where:
Wk : Week days, Monday to Friday
Hd : Weekend, Saturday and Sunday
Al : All days, Sunday to Saturday

Hours must be in 24 hour format (22:55, for example). You can define more than one time slot by joining them with commas. You can define only one time slot per day. A more specific time slot definition supersedes a less specific one: a specific day has precedence over Hd or Wk, and Hd or Wk has precedence over Al. Examples:

1. Wk09:00-18:00,Hd12:00-16:00 allows logins from 09:00 to 18:00 on week days and from 12:00 to 16:00 at weekends.
2. Mo10:00-23:50,We10:00-23:50,Hd11:00-17:00 allows logins from 10:00 to 23:50 on Monday and Wednesday and from 11:00 to 17:00 at weekends.
3. Al09:00-18:00,Fr10:00-17:00 allows logins from 09:00 to 18:00 on all days except Friday; on Fridays logins are allowed from 10:00 to 17:00.

The time span may cross into the next day; Al22:00-01:30 is valid, for instance. Login-Time is a string type attribute (the value carries day selectors and clock times) and can exist only as a check attribute in user or group profiles. If you set the allowed total session time using the Session-Timeout reply attribute and the remaining time in the user's allowed time span is less than the Session-Timeout value, TekRADIUS sets Session-Timeout to the remaining time of the allowed period.
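The following is an added example, not code from TekRADIUS or this manual: a Python evaluator for the Login-Time syntax above, written to make the precedence rules (specific day over Wk/Hd over Al), the one-slot-per-day limit, windows that cross midnight, and the Session-Timeout capping concrete. How TekRADIUS itself implements these rules is not documented here; the timestamps and the function names are the example's own.

```python
import re
from datetime import datetime

# datetime.weekday(): Monday = 0 ... Sunday = 6
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
SLOT_RE = re.compile(r"^(Su|Mo|Tu|We|Th|Fr|Sa|Wk|Hd|Al)(\d{2}):(\d{2})-(\d{2}):(\d{2})$")
MINUTES_PER_DAY = 24 * 60


def parse_login_time(value):
    """Parse e.g. 'Wk09:00-18:00,Hd12:00-16:00' into {selector: (begin, end)},
    both in minutes since midnight. Malformed slots, out-of-range times and a
    second slot for the same selector (only one slot per day) raise ValueError."""
    slots = {}
    for item in value.split(","):
        m = SLOT_RE.match(item.strip())
        if not m:
            raise ValueError("bad Login-Time slot: %r" % item)
        sel, bh, bm, eh, em = m.groups()
        if int(bm) > 59 or int(em) > 59 or int(bh) > 23 or int(eh) > 23:
            raise ValueError("hour/minute out of range: %r" % item)
        if sel in slots:
            raise ValueError("only one time slot per day: %r" % sel)
        slots[sel] = (int(bh) * 60 + int(bm), int(eh) * 60 + int(em))
    return slots


def is_valid_login_time(value):
    try:
        parse_login_time(value)
        return True
    except ValueError:
        return False


def slot_for_day(slots, weekday):
    """Most specific slot covering a weekday: the day itself, then Wk/Hd, then Al."""
    for sel in (DAYS[weekday], "Hd" if weekday >= 5 else "Wk", "Al"):
        if sel in slots:
            return slots[sel]
    return None


def remaining_minutes(slots, when):
    """Minutes left in the allowed window containing `when`; 0 means reject.
    A slot with begin > end crosses midnight and belongs to the day it starts on,
    so a login shortly after midnight is also checked against yesterday's slot."""
    now = when.hour * 60 + when.minute
    today = slot_for_day(slots, when.weekday())
    if today is not None:
        begin, end = today
        if begin <= end:
            if begin <= now < end:
                return end - now
        elif now >= begin:
            return (MINUTES_PER_DAY - now) + end
    yesterday = slot_for_day(slots, (when.weekday() - 1) % 7)
    if yesterday is not None:
        begin, end = yesterday
        if begin > end and now < end:
            return end - now
    return 0


def authorize(login_time, when_iso, session_timeout=None):
    """Evaluate a Login-Time check item at an ISO 8601 timestamp.
    Returns None to reject, otherwise the Session-Timeout (seconds) to send:
    the configured value capped to the time left in the window, or just the
    time left when no Session-Timeout reply attribute is configured."""
    when = datetime.fromisoformat(when_iso)
    left = remaining_minutes(parse_login_time(login_time), when) * 60
    if left == 0:
        return None
    return left if session_timeout is None else min(session_timeout, left)
```

With the manual's third example, `authorize("Al09:00-18:00,Fr10:00-17:00", "2011-03-11T09:30:00")` (a Friday) returns None because the Fr slot wins over Al, while `authorize("Wk09:00-18:00", "2011-03-07T17:50:00", 3600)` returns 600: ten minutes remain in the window, so the configured hour is cut down to them.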

Generate-MS-MPPE-Keys

TekRADIUS automatically generates encryption keys for authenticated L2TP and PPTP sessions when the incoming RADIUS Access-Request has a Tunnel-Type (64) attribute with the value PPTP or L2TP. You can alter this behaviour by adding the Generate-MS-MPPE-Keys attribute to user or group profiles as a check attribute. If this attribute exists in the user or group profile with the value NOT-Generate, TekRADIUS does not generate encryption keys. If it exists with the value VPN-Generate, TekRADIUS generates encryption keys even when it does not receive a Tunnel-Type attribute in the Access-Request, provided the user is authenticated via one of the Microsoft authentication methods. TekRADIUS also automatically generates WPA encryption keys and sends them in the final Access-Accept packet after a successful PEAP authentication session for a wireless connection. Some access points do not report the port type as wireless, however, so in some cases you need to force TekRADIUS to generate the encryption keys; to do so, add the Generate-MS-MPPE-Keys attribute as a check attribute to the user or group profile with its value set to WPA-Generate.




Next-Group

You can use this attribute to chain group profiles. If you would like to authenticate a session according to NAS-IP-Address but NAS-IP-Address can have three different values, you can create three group profiles, one for each NAS-IP-Address value, and chain them using the Next-Group parameter. The Next-Group attribute can be used only in group profiles, as a check attribute. Please note that attributes in user profiles override group attributes, so do not put attributes used in chained groups into user profiles. TekRADIUS first tries to authenticate the incoming Access-Request with the user attributes and the primary group's attributes; if that fails, it tries again with the user attributes and the next group's attributes. Next-Group is a string type attribute and can exist only as a check attribute in group profiles. Next-Group is not supported with PEAP authentication.

Failure-Reply-Type

You can add the Failure-Reply-Type attribute as a check attribute to user or group profiles. This attribute alters the behaviour of TekRADIUS when Failure-Reply attributes exist in the user or group profile. You can set its value to Accept or Reject: with Accept, the Failure-Reply attributes are sent in an Access-Accept, and with Reject they are sent in an Access-Reject message. If this attribute does not exist in the user or group profile and Failure-Reply attributes are configured, TekRADIUS sends the Failure-Reply attributes in an Access-Accept message. Failure-Reply-Type is an integer type attribute and can exist only as a check attribute in user or group profiles.

Tunnel-Tag

You can add the Tunnel-Tag attribute as a check attribute to user or group profiles. It sets the tag value of the tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Password, Tunnel-Private-Group-ID, Tunnel-Assignment-ID, Tunnel-Preference, Tunnel-Client-Auth-ID and Tunnel-Server-Auth-ID) sent in RADIUS replies. If this attribute does not exist in the user or group profile, TekRADIUS uses the tag value 1. The attribute can have a value between 0 and 15 inclusive. Tunnel-Tag is an integer type attribute and can exist only as a check attribute in user or group profiles.
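To show what the tag actually does on the wire, here is an added example (not TekRADIUS code) that encodes the tagged tunnel attributes of RFC 2868 in Python: the tag is the first octet of the attribute value, a tagged integer is the tag followed by a 3-octet value, and Tunnel-Password is the tag, a 2-octet salt with its high bit set, and the password encrypted with MD5 keystream blocks derived from the shared secret, Request Authenticator and salt. The shared secret, Request Authenticator, VLAN name and password in the test are constructed values; the decrypt function is included so the encoding can be checked end to end.

```python
import hashlib
import os

# RFC 2868 tunnel attribute type codes, and the values used in the example reply
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 69, 81
TUNNEL_TYPE_L2TP, MEDIUM_IPV4 = 3, 1


def valid_tag(tag):
    """RFC 2868 tags are 0x01..0x1F; 0 means 'untagged'. (TekRADIUS accepts Tunnel-Tag 0..15.)"""
    return 0 <= tag <= 0x1F


def avp(code, value):
    """RADIUS AVP: Type(1) Length(1) Value; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([code, len(value) + 2]) + value


def tagged_int(code, tag, number):
    """Tagged integer: one tag octet followed by a 3-octet big-endian value."""
    if not valid_tag(tag):
        raise ValueError("tag out of range")
    return avp(code, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_str(code, tag, text):
    """Tagged string: one tag octet followed by the text."""
    if not valid_tag(tag):
        raise ValueError("tag out of range")
    return avp(code, bytes([tag]) + text.encode())


def tunnel_password(tag, secret, request_authenticator, password, salt=None):
    """Tunnel-Password (69): Tag(1) Salt(2) String. String is the length-prefixed,
    zero-padded password XORed with MD5(S + R + A) for the first block and
    MD5(S + previous ciphertext block) for each following block (RFC 2868 3.5)."""
    if not valid_tag(tag):
        raise ValueError("tag out of range")
    if salt is None:
        salt = bytes([0x80 | (os.urandom(1)[0] & 0x7F)]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], key))
        out += prev
    return avp(TUNNEL_PASSWORD, bytes([tag]) + salt + out)


def decrypt_tunnel_password(attribute, secret, request_authenticator):
    """Inverse of tunnel_password; returns (tag, password). Rejects an impossible length octet."""
    if attribute[0] != TUNNEL_PASSWORD or attribute[1] != len(attribute):
        raise ValueError("not a well-formed Tunnel-Password attribute")
    tag, salt, cipher = attribute[2], attribute[3:5], attribute[5:]
    plain, prev = b"", request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(block, key))
        prev = block
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("corrupt Tunnel-Password (bad length octet)")
    return tag, plain[1:1 + n]


def tunnel_reply(tag, secret, request_authenticator, group_id, password):
    """Tunnel attributes of an Access-Accept, all carrying the same tag as Tunnel-Tag dictates."""
    return [
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_L2TP),
        tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IPV4),
        tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, group_id),
        tunnel_password(tag, secret, request_authenticator, password),
    ]
```

A NAS groups the attributes of one tunnel by that tag octet, which is why every tunnel attribute TekRADIUS sends for a profile carries the same Tunnel-Tag value; note also that the Tunnel-Password protection is only as strong as the RADIUS shared secret and MD5, so the RADIUS path itself still needs to be protected.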

Credit-Period

You can add the Credit-Period attribute as a check attribute to user or group profiles. It sets the period, i.e. the time span, over which the user's credit applies; by adding it to user or group profiles, users can have daily, weekly or monthly credits, for instance. You must use this attribute in conjunction with the Credit-Per-Period and User-Credit attributes. Credit-Period is an integer type attribute and can exist only as a check attribute in user or group profiles.

Credit-Per-Period

You can add the Credit-Per-Period attribute as a check attribute to user or group profiles. It sets the credit limit for the period specified by the Credit-Period attribute; if the user or group profile has no Credit-Period attribute, the default period is Daily. You must use this attribute in conjunction with the User-Credit attribute. If this attribute is added to a user or group profile, the First-Logon attribute is automatically added to the user profile after the user's first successful logon. TekRADIUS sets the User-Credit attribute value to the value defined in Credit-Per-Period after every Credit-Period expiry. Sample user profile, giving the user 2 hours of credit per day:

User-Credit = 7200 (Check)
Credit-Unit = Seconds (Check)
Credit-Period = Daily (Check)
Credit-Per-Period = 7200 (Check)
Session-Timeout = 7200 (Reply)

Credit-Per-Period is an integer type attribute and can exist only as a check attribute in user or group profiles.
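The credit rules spread over the User-Credit, Credit-Unit, Credit-Period and Credit-Per-Period paragraphs above fit into one small model, shown here as an added Python example that is not TekRADIUS code: a profile is a dictionary of its check attributes, an Accounting-Stop decrements User-Credit by Acct-Session-Time (or by stop minus start when the NAS omitted it) or by Acct-Input-Octets scaled to the Credit-Unit, and the period renewal resets User-Credit from Credit-Per-Period once Credit-Period has elapsed since First-Logon. The Weekly/Monthly value names, the exact behaviour of First-Logon on renewal and the timestamp format are assumptions and are marked as such in the code.

```python
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed layout for First-Logon and the start/stop times
# Divisor applied to Acct-Input-Octets for the data units; Seconds uses Acct-Session-Time instead.
OCTETS_PER_UNIT = {"Bytes": 1, "Kbytes": 1024, "Mbytes": 1024 * 1024}
# Daily is the value shown in the manual's sample profile; Weekly and Monthly are assumed names.
PERIOD_LENGTH = {"Daily": timedelta(days=1), "Weekly": timedelta(days=7), "Monthly": timedelta(days=30)}


def _parse(ts):
    return datetime.strptime(ts, TIME_FORMAT)


def session_usage(acct, unit, start=None, stop=None):
    """Usage of one session in the profile's Credit-Unit.
    Seconds: Acct-Session-Time, or [stop] - [start] when the NAS omitted it.
    Bytes/Kbytes/Mbytes: Acct-Input-Octets scaled to the unit (the manual counts input octets only)."""
    if unit == "Seconds":
        if "Acct-Session-Time" in acct:
            return int(acct["Acct-Session-Time"])
        if start is None or stop is None:
            raise ValueError("no Acct-Session-Time and no start/stop times to derive it from")
        return int((_parse(stop) - _parse(start)).total_seconds())
    if unit not in OCTETS_PER_UNIT:
        raise ValueError("unknown Credit-Unit %r" % unit)
    return int(acct.get("Acct-Input-Octets", 0)) // OCTETS_PER_UNIT[unit]


def apply_accounting_stop(profile, acct, start=None, stop=None):
    """Decrement User-Credit on Accounting-Stop (or Checkpoint); never below zero."""
    used = session_usage(acct, profile.get("Credit-Unit", "Seconds"), start, stop)
    profile["User-Credit"] = max(0, int(profile["User-Credit"]) - used)
    return profile["User-Credit"]


def renew_period(profile, now):
    """Reset User-Credit to Credit-Per-Period once Credit-Period has elapsed since First-Logon.
    First-Logon stays a string as in the manual and is advanced by whole periods, so a late
    renewal does not shift the schedule (an assumption; the manual does not say)."""
    if "Credit-Per-Period" not in profile:
        return False
    period = PERIOD_LENGTH[profile.get("Credit-Period", "Daily")]
    if "First-Logon" not in profile:          # first successful logon starts the first period
        profile["First-Logon"] = now
        return False
    first, current = _parse(profile["First-Logon"]), _parse(now)
    if current - first < period:
        return False
    profile["First-Logon"] = (first + ((current - first) // period) * period).strftime(TIME_FORMAT)
    profile["User-Credit"] = int(profile["Credit-Per-Period"])
    return True


def authorize(profile, now):
    """Access decision for a credit-limited user: renew the period if due, then require credit left.
    Returns the remaining credit on accept or None on reject."""
    renew_period(profile, now)
    credit = int(profile["User-Credit"])
    return credit if credit > 0 else None
```

Run against the manual's sample profile, a 30-minute session leaves 5400 seconds, and a request the next morning (more than a day after First-Logon) is accepted again with the full 7200 because the daily renewal fires before the credit check.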

External-Executable

You can add the External-Executable attribute as a check attribute to user or group profiles. It lets you run an external executable and use its result as a check item. Enter the full path of the executable as the value of External-Executable. Return code 0 is treated as success; any other return code is treated as failure. Here are typical valid examples that can be used in user or group profiles:

External-Executable = C:\Test.bat %ietf|1% %ietf|2%
External-Executable = "C:\Program Files\My App\test.exe" -log %ietf|1% %ietf|2%
External-Executable = "C:\Progra~1\multiotp\multiotp.exe" %ietf|1% %ietf|2%

You can specify constant and variable parameters for the executable. Use %% around an attribute name to pass an attribute received in the Access-Request message; User-Name (standard RADIUS attribute #1) and User-Password (standard RADIUS attribute #2) are used in the examples above. Examine the RADIUS dictionary for the other attributes. If execution fails for any reason, it is treated as a failure and authentication fails. External-Executable is a string type attribute and can exist only as a check attribute in user or group profiles. Use double quotes (" ") if the path contains space characters.
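As an added example (not part of TekRADIUS or this manual), the script below is the kind of program an External-Executable check can run: it takes the user name and the code the user typed into the password field, verifies the code as a TOTP value (RFC 6238: HMAC-SHA1, 30-second step, 6 digits, one step of clock skew either way), and exits with 0 on success and 1 on failure, which is the return-code contract described above. A profile line such as External-Executable = "C:\Python3\python.exe" C:\TekRADIUS\check_totp.py %ietf|1% %ietf|2% is an assumption, as are the script name and the secret store; the embedded secret is the RFC 4226/6238 test key and is there only so the example runs offline.

```python
import hashlib
import hmac
import struct
import sys
import time

# Constructed per-user secret store (assumption). The key is the RFC 4226/6238 test secret;
# a real deployment keeps secrets outside the script, e.g. in a protected file or database.
SECRETS = {"kaplan": b"12345678901234567890"}


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter for Unix time `at`."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at, window=1, step=30, digits=6):
    """Accept the current step and `window` steps either side of it (clock skew).
    Codes are compared in constant time; the result is a plain bool."""
    ok = False
    for k in range(-window, window + 1):
        expected = "%0*d" % (digits, totp(secret, at + k * step, step, digits))
        ok |= hmac.compare_digest(expected, code)
    return ok


def check(user, code, at=None):
    """Exit status for TekRADIUS: 0 = success, anything else = failure."""
    secret = SECRETS.get(user)
    if secret is None or not code.isdigit():
        return 1
    return 0 if verify_totp(secret, code, time.time() if at is None else at) else 1


if __name__ == "__main__":
    # Invoked as: python check_totp.py <user> <code>   (both substituted from %ietf|1% %ietf|2%)
    sys.exit(check(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else 1)
```

Two operational points follow from how External-Executable works: the value of %ietf|2% (here the one-time code, in other setups the user's static password) ends up on a process command line, which other local processes can read, so prefer a one-time value or a helper that reads the secret some other way; and pass the arguments directly to the program rather than through a .bat wrapper, since cmd.exe would interpret shell metacharacters in an attacker-chosen User-Name.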




TekRADIUS provides many messages when problems occur. You can see error messages on the TekRADIUS Manager status bar or in the log file of the TekRADIUS service. You can enable logging in the Settings tab / Service Parameters section. There are three levels of logging: None, Errors and Sessions. If you select Errors, TekRADIUS logs only error messages; if you select Sessions, both session (authentication and accounting) and error messages are logged. You have to restart the TekRADIUS service if you change the logging level. Log files are located under the <Application Directory>\Logs directory. Use logging only when it is needed; it has a negative impact on performance.

You can also see startup errors and warnings in the Application Log of the Windows Event Viewer. TekRADIUS related Application Log entries can be viewed in the Application Log tab of TekRADIUS Manager. The list in the Application Log tab is not refreshed automatically unless you click Enable Auto Refresh; you can refresh it manually by clicking the Refresh Log button. The Clear Log button clears the logged messages, but use it with care: it also clears all Application Log entries in the Windows Event Viewer.

TekRADIUS also registers with Windows Performance Monitor, providing one counter for the number of active sessions. You can add and monitor it using Windows Performance Monitor (Perfmon.exe).

Figure - 13. TekRADIUS counters on Windows Performance Monitor



TekRADIUS Service Messages (TekRADIUS log file)

TekRADIUS Service is being started.

This message notifies that TekRADIUS service is being started.

Settings could not be loaded. Please reconfigure.

The settings file (TekRADIUS.ini in the application directory) cannot be found or is corrupt. Examine the file for corruption or reconfigure TekRADIUS.
Create missing tables on SQL Server, exiting.

TekRADIUS needs at least the Users and Groups tables created in the TekRADIUS database. If TekRADIUS cannot find one of these tables, it terminates startup.
Accounting or Sessions table missing, disabling Accounting...

The TekRADIUS Accounting implementation needs both the Accounting and Sessions tables created in the TekRADIUS database. If TekRADIUS cannot find one of these tables, it disables Accounting.
No client defined, check 'Clients' table in TekRADIUS.mdb.

TekRADIUS's RADIUS protocol implementation requires the client IP addresses and the corresponding secret keys listed in the Clients table of the TekRADIUS.mdb file in the application directory. This file is generated automatically by TekRADIUS Manager when you define RADIUS clients. TekRADIUS cannot authenticate incoming requests without the clients' secret keys; if this file cannot be found or read at startup, TekRADIUS terminates startup.
TekRADIUS Service is being stopped.

This message notifies that TekRADIUS service is being stopped.

No vendor defined, check 'Vendors' table.

TekRADIUS reads vendor IDs from the Vendors table in the TekRADIUS.mdb file in the application directory. If a valid entry for a vendor cannot be found in the Vendors table, VSAs from that vendor are ignored when authenticating the user, and reply attributes configured for that vendor are not sent to the NAS. Similarly, unknown vendor attributes in RADIUS Accounting messages are simply ignored. If you configure a VSA for a particular user and then remove the vendor ID from Vendors, TekRADIUS Manager does not display that VSA and automatically deletes it from the user's profile when the user is selected.
No Attributes defined, check 'Attributes' table in TekRADIUS.mdb.

No value defined, check 'Values' table in TekRADIUS.mdb.

TekRADIUS cannot run without reading the dictionary tables in the TekRADIUS.mdb file in the application directory at startup.




Could not connect to SQL Server.

This is a general error message indicating that the SQL server cannot be reached. If this happens at startup, TekRADIUS continues the startup process, but you need to check what is going wrong. Please see the SQL Server Configuration section of this manual. Users generally forget to enable the TCP/IP transport of SQL Server or Mixed Mode Authentication.
Unable to initialize TekRADIUS Authentication thread.

Check whether another application is using the same UDP port as the TekRADIUS Authentication thread (default 1812).
Unable to initialize TekRADIUS Accounting thread.

Check whether another application is using the same UDP port as the TekRADIUS Accounting thread (default 1813).
Invalid Accounting data insert configuration, using default

You can configure which attributes in incoming RADIUS Accounting messages are inserted into the Accounting table. If you edit this configuration manually in TekRADIUS.ini and make a mistake, TekRADIUS ignores your configuration and uses the default query string:
INSERT INTO Accounting (SessionID, StatusType, UserName, NASIPAddr)

TekRADIUS Service is listening on: x.x.x.x

This message notifies that TekRADIUS service is successfully started.

Stopping active sessions.

If Accounting is enabled and active user sessions are found, TekRADIUS automatically inserts artificial RADIUS Accounting stop records for the active user sessions. You can distinguish such stop records by their AcctSessionTime=NULL.
All active sessions stopped.

After successfully inserting all artificial stop records for the active user sessions, TekRADIUS provides this notification.
Authorization successfull for user x

If you configure TekRADIUS to run in "Authorization Only" mode, TekRADIUS notifies every successful user authorization with this message.
Authorization failed for user x

If you configure TekRADIUS to run in "Authorization Only" mode, there must be at least one success-reply attribute configured for a user to be authorized; otherwise the user receives Access-Reject.



Authentication failed for user x. Simultaneous limit has been set but accounting is not enabled...

In order to use the Simultaneous-Use attribute you must enable Accounting on TekRADIUS; otherwise users with the Simultaneous-Use attribute set receive Access-Reject.
Authentication failed for user x

Either the user password or one of the check items configured in the user's profile or the user's group profile does not match the attributes received in the RADIUS Access-Request message. Check also that you have configured a valid RADIUS secret key for the RADIUS authentication client (the Network Access Server, NAS, for instance).
No such user : x

TekRADIUS cannot find a valid user profile for the incoming RADIUS Access-Request packet.
Unsupported Cipher Suite, TLS Session has been aborted, sending Handshake Failure.

The TekRADIUS TLS implementation supports only TLS_RSA_WITH_ARC4_128_MD5 and TLS_RSA_WITH_ARC4_128_SHA1 (the RC4-based suites registered as TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA; RFC 7465 has since prohibited RC4 cipher suites in TLS, so newer supplicants may no longer offer them). A Handshake Failure alert is also sent.
TLS Session has failed. Sending TLS Alert.

You get this message when TekRADIUS cannot verify the client's TLS Finished message.
PEAP Authentication failed. A valid certificate could not be found for user x

A valid certificate cannot be found while authenticating the user using PEAP. Verify that the user has a TLS-Server-Certificate (TLS-Certificate prior to version 4.0) attribute in his/her user or group profile and that the certificate is stored in the Windows Certificate Store.
Authentication failed for user 'x'. Unsupported EAP authentication method.

The RADIUS client requested an authentication method that is not configured for the user. Check that the value of the Authentication-Method attribute configured for the user matches the authentication method requested.

Invalid Auth. packet received from : x.x.x.x

Either you received a RADIUS authentication message from a RADIUS client not listed in the Clients table, the size specified in the RADIUS packet does not match its actual size, or the packet is a duplicate.

Debug Message : (Radius Authentication)

You get debug messages when socket and SQL connection errors occur. Take the necessary action according to the message.
Acct. packet with invalid secret received from : x.x.x.x

Either you are receiving a RADIUS Accounting packet from a RADI US client not listed in the Clients table, or the RADIUS secret key configured for x.x.x.x is invalid.



Debug Message : (Radius Accounting)

You get debug messages when socket and SQL connection errors occur. Take the necessary action according to the message.
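The service messages listed above are also what you would watch for in monitoring. The following added example (not TekRADIUS code) runs a small sliding-window detector over log lines carrying those messages: repeated "Authentication failed for user x" for one user, or repeated "Invalid Auth. packet received from" / "Acct. packet with invalid secret received from" for one source address, raise an alert once a threshold is reached inside the window. The manual does not show the layout of a log line, so the timestamp prefix and the sample lines below are constructed and the TS_RE pattern is an assumption to adjust to your files.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: "<YYYY-MM-DD HH:MM:SS> <message>". Adjust to the real log format.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Message texts as listed in this manual; the capture group is the subject to count on.
PATTERNS = {
    "auth_failed":     re.compile(r"Authentication failed for user '?([^'\s]+?)'?(?:\.\s|\.$|\s|$)"),
    "no_such_user":    re.compile(r"No such user : (\S+)"),
    "bad_auth_packet": re.compile(r"Invalid Auth\. packet received from : " + IP),
    "bad_acct_secret": re.compile(r"Acct\. packet with invalid secret received from : " + IP),
}

# Constructed sample log: one brute-force burst against 'bob', slow probing from 10.0.0.9.
SAMPLE_LOG = """\
2011-03-07 10:00:01 TekRADIUS Service is listening on: 192.168.1.10
2011-03-07 10:00:12 Authentication failed for user alice
2011-03-07 10:00:40 Authentication failed for user bob
2011-03-07 10:00:52 Authentication failed for user bob
2011-03-07 10:01:05 No such user : admin
2011-03-07 10:01:11 Authentication failed for user bob
2011-03-07 10:01:30 Authentication failed for user bob. Simultaneous limit has been set but accounting is not enabled...
2011-03-07 10:01:44 Authentication failed for user bob
2011-03-07 10:02:00 Invalid Auth. packet received from : 10.0.0.9
2011-03-07 10:04:00 Invalid Auth. packet received from : 10.0.0.9
2011-03-07 10:06:00 Invalid Auth. packet received from : 10.0.0.9
2011-03-07 10:08:00 Invalid Auth. packet received from : 10.0.0.9
2011-03-07 10:10:00 Invalid Auth. packet received from : 10.0.0.9
2011-03-07 10:10:30 Acct. packet with invalid secret received from : 10.0.0.9
"""


def parse_line(line):
    """Return (timestamp, kind, subject) for a line that matches a known message, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    for kind, rx in PATTERNS.items():
        hit = rx.search(m.group(2))
        if hit:
            return ts, kind, hit.group(1)
    return None


def detect(lines, threshold=5, window_minutes=5):
    """Count events per (kind, subject) in a sliding time window; an alert fires when the
    count first reaches the threshold. Returns [(kind, subject, time_of_alert), ...]."""
    window = timedelta(minutes=window_minutes)
    seen = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, kind, subject = ev
        q = seen[(kind, subject)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append((kind, subject, ts.strftime("%H:%M:%S")))
    return alerts


def run_sample(threshold=5, window_minutes=5):
    return detect(SAMPLE_LOG.splitlines(), threshold, window_minutes)
```

With the default 5-in-5-minutes rule only the burst against 'bob' fires; the probes from 10.0.0.9 arrive two minutes apart, so they never accumulate five inside a 5-minute window and show up only when the window is widened to 10 minutes. The "Authentication failed" pattern deliberately strips the trailing ". Simultaneous limit..." text so both variants of that message count against the same user.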



TekRADIUS Command Line Interface - TRCLI.exe

TekRADIUS comes with a command line utility which can be used for batch user processing and web based applications. With it you can add, delete or modify users in the TekRADIUS database. This utility, TRCLI.exe, can be found in the TekRADIUS application directory. TRCLI looks for TekRADIUS.ini when executed; TekRADIUS.ini stores the database connection information and can be found in the TekRADIUS application directory. If you plan to run TRCLI from another directory, add the TekRADIUS installation directory to the %PATH% environment variable. When you add a new user, the user's group is the Default user group. You can change a user's group using the attribute ietf|0. Here is the output of TRCLI when executed without any parameters:
C:\Program Files\TekRADIUS>trcli TekRADIUS CLI - (c) 2010 Yasin KAPLAN, All rights reserved. Add User : TRCLI -u user password group Add Group : TRCLI -g group Delete User/Group : TRCLI -[d|dg] [user/group] Add Attribute : TRCLI -[a|ag] [user/group] "attribute" value [check|sreply|freply|inf] Delete Attribute : TRCLI -[m|mg] [user/group] "attribute" [check|sreply|freply|inf] Retrieve Attributes : TRCLI -[r|rg] [user/group] Service Operations : TRCLI -s [start|stop|query] Client Operations : TRCLI -c [add|delete|list] "Client IP Address" secret Help : TRCLI -h Service & Client Operations require administrative privileges.

Samples

Add a user. You need to supply a username and a password (the group is optional and defaults to Default);

C:\Program Files\TekRADIUS>trcli -u test test123
User 'test' has been added. Configure attributes for the user.

Delete a user;
C:\Program Files\TekRADIUS>trcli -d test
User 'test' deleted...

Add an attribute to an existing user profile (attributes can only be added to existing users). Please note that TekRADIUS uses a special notation, vendor|attribute-number, for storing attributes in user profiles. The IETF Framed-Protocol (7) attribute with value ARAP (3) is added as a check attribute as shown below;

C:\Program Files\TekRADIUS>trcli -a kaplan "ietf|7" 3 check
Attribute 'ietf|7' for the user 'kaplan' has been added...

For the Microsoft MS-Primary-DNS-Server attribute the notation is "msoft|28", for example trcli -a kaplan "msoft|28" <value> check. Please check the notation for other vendors and attributes in the TekRADIUS Dictionary Editor.

Delete an attribute from a user profile;

C:\Program Files\TekRADIUS>trcli -m kaplan "ietf|7" check
Attribute 'ietf|7' for the user 'kaplan' has been deleted...

Retrieve attributes configured for a user;

C:\Program Files\TekRADIUS>trcli -r kaplan
ietf|0,sss,Check
ietf|1,kaplan,Check
ietf|2,deneme,Check
ietf|6,2,Check
ietf|8,,SReply

All attributes, both check and reply ones, are listed in Attribute,Value,Attribute_Type format.

Change the password of a user profile; you need to remove and then re-add the check attribute ietf|2 with the new password value. Note that the password is passed on the command line, so it will appear in the console history and in process listings while the command runs.

C:\Program Files\TekRADIUS>trcli -m kaplan "ietf|2" check
Attribute 'ietf|2' for the user 'kaplan' has been deleted...
C:\Program Files\TekRADIUS>trcli -a kaplan "ietf|2" 5678 check
Attribute 'ietf|2' for the user 'kaplan' has been added...

Change the group of a user profile; you need to remove and then re-add the check attribute ietf|0 with the new group name.

C:\Program Files\TekRADIUS>trcli -m kaplan "ietf|0" check
Attribute 'ietf|0' for the user 'kaplan' has been deleted...
C:\Program Files\TekRADIUS>trcli -a kaplan "ietf|0" newgroup check
Attribute 'ietf|0' for the user 'kaplan' has been added...

Disable a user without deleting it; you need to add the attribute tekradius|0 to the user profile with a value of 0;

C:\Program Files\TekRADIUS>trcli -a kaplan "tekradius|0" 0 check
Attribute 'tekradius|0' for the user 'kaplan' has been added...

To enable the user again, remove the tekradius|0 attribute or set its value to 1.



Add a RADIUS client (NAS, Access Point) entry. You need to specify the IP address of the NAS device and the shared secret;

C:\Program Files\TekRADIUS>trcli -c add <Client IP Address> radius_secret
Client added... Restart TekRADIUS service.

You need to restart TekRADIUS in order to receive RADIUS packets from the new RADIUS client. The RADIUS client's vendor type is set to ietf and it is enabled by default. You can change the vendor type and status through TekRADIUS Manager.

Delete a RADIUS client (NAS, Access Point) entry. You only need to specify the IP address of the NAS device;

C:\Program Files\TekRADIUS>trcli -c delete <Client IP Address>
Client deleted... Restart TekRADIUS service.

List all RADIUS client entries;

C:\Program Files\TekRADIUS>trcli -c list
test,ietf,Enabled
deneme,ietf,Disabled
test,ietf,Enabled

List active sessions;

C:\Program Files\TekRADIUS>trcli -l
TimeStamp, Duration, SessionID, UserName, GroupName, NasIPAddr, NasIdentifier, NasPort, NasPortType, NasPortID, ServiceType, FramedIPAddr, CallingStationID, CalledStationID
28.12.2009 18:10:04, 1, 00092F82001, Kaplan, Default,, , , , , , , , 1210902125076969
1 active session found.

User passwords are encrypted in the Authentication and Group tables in versions 2.3 and 2.4. From version 2.5 on, encryption of passwords in the Authentication and Group tables is optional. If you upgrade from version 2.3 or 2.4, start TekRADIUS Manager with the default values. If you upgrade from a version prior to 2.3, manually edit TekRADIUS.ini, which can be found under the application directory, and set EncryptPasswords=0 under the [Database] section before starting TekRADIUS. With EncryptPasswords=0 the stored passwords are not encrypted, so access to the database and to its backups must be restricted accordingly.


Creating and Installing a Self Signed Certificate for PEAP/EAP-TLS Authentication

A server side X.509 digital certificate is required for PEAP/EAP-TLS authentication. This certificate can be purchased from a third-party Certificate Authority such as VeriSign, or it can be issued from an organization's internal Certificate Authority. But these options may be costly for test environments.

Creation of Self Signed Certificate

You can use TekCERT to generate self signed certificates for test environments. TekCERT is a standalone executable program which requires Microsoft .NET Framework 2.0. You can download TekCERT from the TekRADIUS Support site. When you run TekCERT you will see the following form to create a certificate:

Figure 14. - TekCERT certificate parameters

Click Generate Certificate button to create the certificate after filling necessary fields. You need to enter at least a valid Name for the certificate.

Figure 15. - Browse certificates

After creating the certificate you can export its public part in .cer (DER encoded X.509) format for client deployment. Click the Browse Certificates tab, select the generated certificate and click the Export button. You can also create client certificates using TekCERT; select Client Certificate as Purpose in the certificate parameters. A client certificate must be exported together with its private key, in .pfx format, for client deployment; the .pfx file should be protected with a password and removed from shared locations once it is imported.



Certificate Deployment at Client Side

You do not need to deploy a root certificate on the clients as long as you do not require the server certificate to be verified by the clients. If you do require the clients to verify the server certificate, you need to export the root certificate and deploy it on the clients. Skipping server certificate validation is acceptable only in test environments: a PEAP client that does not validate the server certificate will complete the inner MS-CHAP v2 exchange with any access point presenting any certificate, exposing its credential exchange to a rogue access point.

Server Certificate

Copy the file containing the server certificate to the client computer. Locate the certificate file on the client computer, right click on it and select Install Certificate. Click Next on the Certificate Import Wizard dialog. Select Place all certificates in the following store and click Browse. Click Show physical stores, select Trusted Root Certification Authorities/Local Computer and click OK to close the Select Certificate Store dialog.

Figure 16. - Select Certificate Store dialog

Click Next after selecting certificate place on Certificate Import Wizard dialog and then click Finish to complete manual deployment of server root certificate.

Figure 17. - Certificate Import Wizard dialog

Figure 18. - Certificate Import Wizard dialog

Client Certificate

Copy the file containing the client certificate (.pfx) to the client computer. Locate the certificate file on the client computer and double click it. Click Next (Figure 19);


Figure 19. - Certificate Import Wizard dialog

Figure 20. - Certificate Import Wizard dialog

Enter the private key password, select Mark this key as exportable only if the key will have to be moved again later (leaving it unchecked prevents the private key from being exported from this client afterwards) and click Next. Select Automatically select the certificate store based on the type of certificate and click Next. Click Finish on the last dialog.

Client PEAP Configuration

Although there are commercially and freely available PEAP capable 802.1X supplicants for Windows, Windows editions have a built-in supplicant. In order to configure PEAP (PEAPv0/EAP-MS-CHAP v2) authentication for a Wireless Network Connection, open Network Connections (Start/Settings/Network Connections), right click on the particular wireless connection and select Properties.

Figure 19. - Wireless Networks Connection/Wireless Networks tab.

Figure 20. - Association parameters.

You will see the detected wireless networks in the Preferred networks window on the Wireless Networks tab. Select the wireless network which requires PEAP authentication and then click Properties.



Configure the Association parameters as shown in Figure 20. Go to the Authentication tab, select Protected EAP (PEAP) as EAP Type and then click Properties.

Figure 21. - EAP type selection

Figure 22. - Protected EAP Properties dialog.

Check Validate server certificate and, in the Trusted Root Certification Authorities list, tick the server root certificate installed previously. Although the guide treats validation as optional, leaving it off allows a rogue access point with any certificate to obtain the client's MS-CHAP v2 credential exchange, so enable it outside test environments. Set the other options as shown in Figure 22. If you plan to authenticate the user with a username/password pair other than the one used to log on to Windows, click the Configure button on the Protected EAP Properties dialog, uncheck Automatically use my Windows logon name and password on the EAP MSCHAPv2 Properties dialog and click OK.

Figure 23. - EAP MSCHAPv2 Properties dialog.

Client EAP-TLS Configuration

In order to configure EAP-TLS authentication for a Wireless Network Connection, open Network Connections (Start/Settings/Network Connections), right click on the particular wireless connection and select Properties.


Figure 24. - Wireless Networks Connection/Wireless Networks tab.

Figure 25. - Association parameters.

You will see the detected wireless networks in the Preferred networks window on the Wireless Networks tab. Select the wireless network which requires EAP-TLS authentication and then click Properties. Configure the Association parameters as shown in Figure 25. Go to the Authentication tab, select Smart Card or other Certificate as EAP Type and then click Properties.

Figure 26. - EAP type selection

Figure 27. - Protected EAP Properties dialog.

Check Validate server certificate and, in the Trusted Root Certification Authorities list, tick the server root certificate installed previously. Set the other options as shown in Figure 27.



SQL Server Configuration

Connecting to SQL Express Using TCP/IP
By default SQL Express does not accept any connections from another computer. This means you can not connect to it remotely with SQL Management Studio, an ODBC connection, etc. To allow TCP/IP connections follow these steps:

1. Launch the SQL Server Configuration Manager from Programs > Microsoft SQL Server 2005 > Configuration Tools.
2. Click on the "Protocols for SQLEXPRESS" node under SQL Server 2005 Network Configuration.
3. Double click "TCP/IP".
4. Select Yes next to Enabled and click the OK button to save the changes.

5. On the IP Addresses tab, under the IPAll node, clear the TCP Dynamic Ports field and enter 1433 in the TCP Port field as the port to listen on.
6. Restart the Microsoft SQL Server Express service using either the standard service control panel or the SQL Express tools.

Listening on TCP port 1433 makes the instance reachable from the network, so restrict the port with the Windows Firewall to the host running TekRADIUS.

SQL Express Authentication Configuration

TekRADIUS requires SQL Server authentication to be enabled on the instance of SQL Express. To do this:

1. On the machine with SQL Express installed, open the SQL Server Management Studio Express tool.
2. Right-click the instance of SQL Express to configure and select Properties.
3. Select the Security section on the left.
4. Change Server Authentication to SQL Server and Windows Authentication mode (select Mixed Mode in other Microsoft SQL Server editions).
5. Restart the Microsoft SQL Server Express service using either the standard service control panel or the SQL Express tools.

Because the SQL login used by TekRADIUS and TRCLI is stored in TekRADIUS.ini, use a dedicated SQL login limited to the TekRADIUS database rather than sa, and restrict the file permissions on TekRADIUS.ini.



Encoding of Attribute 144 in RFC 4679 (ADSL-Forum Access-LoopEncapsulation)

This attribute describes the encapsulation(s) used by the subscriber on the DSL access loop. It MAY be present in both Access-Request and Accounting-Request packets. The value is a string 3 octets in length, logically divided into three 1-octet sub-fields as shown in the following diagram:

 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Data Link   |    Encaps 1   |    Encaps 2   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Octet[0] - Data Link
  0x01  AAL5
  0x02  Ethernet

Octet[1] - Encaps 1
  0x00  Not Available
  0x01  Untagged Ethernet
  0x02  Single-Tagged Ethernet

Octet[2] - Encaps 2
  0x00  Not Available
  0x01  PPPoA LLC
  0x02  PPPoA Null
  0x03  IPoA LLC
  0x04  IPoA Null
  0x05  Ethernet over AAL5 LLC with FCS
  0x06  Ethernet over AAL5 LLC without FCS
  0x07  Ethernet over AAL5 Null with FCS
  0x08  Ethernet over AAL5 Null without FCS
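A decoder for this encoding, as an added example that is not part of the guide or of TekRADIUS: the Python below walks a RADIUS attribute list, extracts the Access-Loop-Encapsulation sub-attribute from the Vendor-Specific (26) attribute of the ADSL Forum (Vendor-Id 3561, vendor type 144, per RFC 4679) and maps the three octets to the names in the table above. Bad lengths and unknown codes raise an error rather than being guessed, since the value arrives from the NAS. The attribute list SAMPLE_ATTRS is constructed for the example.

```python
import struct

# RFC 4679 carries its attributes as Vendor-Specific (26) sub-attributes under
# the ADSL Forum Vendor-Id 3561; Access-Loop-Encapsulation is vendor type 144.
VENDOR_SPECIFIC = 26
VENDOR_ADSL_FORUM = 3561
VT_ACCESS_LOOP_ENCAPSULATION = 144

DATA_LINK = {0x01: "AAL5", 0x02: "Ethernet"}
ENCAPS_1 = {0x00: "Not Available", 0x01: "Untagged Ethernet", 0x02: "Single-Tagged Ethernet"}
ENCAPS_2 = {
    0x00: "Not Available",
    0x01: "PPPoA LLC",
    0x02: "PPPoA Null",
    0x03: "IPoA LLC",
    0x04: "IPoA Null",
    0x05: "Ethernet over AAL5 LLC with FCS",
    0x06: "Ethernet over AAL5 LLC without FCS",
    0x07: "Ethernet over AAL5 Null with FCS",
    0x08: "Ethernet over AAL5 Null without FCS",
}


def decode_access_loop_encapsulation(value):
    """Map the 3-octet value to (Data Link, Encaps 1, Encaps 2) names.
    Raises ValueError on a wrong length or an unknown code."""
    if len(value) != 3:
        raise ValueError(f"Access-Loop-Encapsulation must be 3 octets, got {len(value)}")
    fields = (("Data Link", DATA_LINK), ("Encaps 1", ENCAPS_1), ("Encaps 2", ENCAPS_2))
    names = []
    for octet, (field, table) in zip(value, fields):
        if octet not in table:
            raise ValueError(f"unknown {field} code 0x{octet:02x}")
        names.append(table[octet])
    return tuple(names)


def is_valid_access_loop_encapsulation(value):
    """True if the value decodes cleanly; used to reject malformed NAS input."""
    try:
        decode_access_loop_encapsulation(value)
        return True
    except ValueError:
        return False


def iter_vendor_attributes(attrs, vendor_id):
    """Yield (vendor_type, value) for each sub-attribute of vendor_id in a RADIUS
    attribute list. Every length is bounds-checked before it is used."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            (vid,) = struct.unpack("!I", attrs[i + 2:i + 6])
            if vid == vendor_id:
                sub, j = attrs[i + 6:i + alen], 0
                while j < len(sub):
                    if j + 2 > len(sub):
                        raise ValueError("truncated vendor sub-attribute")
                    vtype, vlen = sub[j], sub[j + 1]
                    if vlen < 2 or j + vlen > len(sub):
                        raise ValueError("malformed vendor sub-attribute length")
                    yield vtype, sub[j + 2:j + vlen]
                    j += vlen
        i += alen


def find_access_loop_encapsulation(attrs):
    """Return the decoded Access-Loop-Encapsulation, or None if absent."""
    for vtype, value in iter_vendor_attributes(attrs, VENDOR_ADSL_FORUM):
        if vtype == VT_ACCESS_LOOP_ENCAPSULATION:
            return decode_access_loop_encapsulation(value)
    return None


def vsa(vendor_id, vendor_type, value):
    """Encode one vendor sub-attribute inside a Vendor-Specific attribute."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub


# Constructed sample: User-Name (1) "kaplan" followed by Access-Loop-Encapsulation
# = AAL5 / Not Available / Ethernet over AAL5 LLC with FCS.
SAMPLE_ATTRS = bytes([1, 8]) + b"kaplan" + vsa(VENDOR_ADSL_FORUM, VT_ACCESS_LOOP_ENCAPSULATION, b"\x01\x00\x05")

if __name__ == "__main__":
    print(find_access_loop_encapsulation(SAMPLE_ATTRS))
```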
