The IC-RADIUS Brief FAQ
Chris Joyce chris@pccentre.com.au
V0.16f, Aug 30, 2000

Intro:
--------------------------------------------------------------------------------

Welcome to the brief IC-RADIUS FAQ. This document contains a list of some
frequently asked IC-RADIUS questions and their answers. It is meant to provide
general help to IC-RADIUS users. I invite you to modify and add to this list,
but if you do so please be sure to mail me so that I can include your changes in
future releases. Finally, I hope that this document will prove helpful to all
IC-RADIUS users, new users especially.

Current releases of this document can be found at:

- http://icradius.hislora.com.au/FAQ.txt

--------------------------------------------------------------------------------

1: Background

1.01 Q: What is IC-RADIUS?
1.02 Q: Basically how does it work?
1.03 Q: What do I need to run IC-RADIUS?
1.04 Q: What is the history of IC-RADIUS?
1.05 Q: How many users can I have per machine/database?
1.06 Q: Will it work on FreeBSD?
1.07 Q: What encryption does IC-RADIUS use if I want to have encrypted passwords
        in the radius database? (MD5, DES, etc)
1.08 Q: Can I use IC-RADIUS with Microsoft SQL server?

2: Set-up

2.01 Q: I have installed MySQL successfully, but I get a segmentation fault when
        I try to run IC-RADIUS.
2.02 Q: When I run IC-RADIUS I get the following error: "could not find
        libmysqlclient.so.6"
2.03 Q: What ports can IC-RADIUS use?
2.04 Q: Is anyone currently working on a perl script (or other) to import
        existing radius accounting data into the radacct table?
2.05 Q: Anyone know how to use accimport.pl?
2.06 Q: Can anyone tell me the exact name of the DBD modules file for MySQL that
        I need and the whereabouts of the same file please?
2.07 Q: After killing the last of my non IC-RADIUS servers I'm trying to do a
        bit of house keeping; it seems that I've lost some stop times in the
        import of data! Being as new as I am to SQL, I have been trying a few
        combos of DATE_ADD().
2.08 Q: Excuse my ignorance, what dictionary(s) do I use for portslaves running
        on the same box (minimal test case)?
2.09 Q: I've been trying to get more debug info from IC-RADIUS; does it offer any
        logging of failed connect attempts (any form)?
2.10 Q: I have a little problem with IC-RADIUS: I have two groups configured and
        I need 2 different address pools, can someone help me?
2.11 Q: How do I set-up proxy radius?
2.12 Q: I got this error message when I was trying to use the perl scripts to
        convert my /etc/raddb/dictionary to the mysql database.
2.13 Q: How do I set-up the NAS tables?
2.14 Q: How do I install IC-RADIUS?

3: Configuration

3.01 Q: How do I go about adding a user manually in the radius database so that
        he will be authenticated with the encrypted password he has in the
        database?
3.02 Q: Is there a simple example of a user set-up?
3.03 Q: Is there a simple example of a user and group set-up?
3.04 Q: I need to be able to basically let anybody in, no matter what
        username/password pair has been given, but still keep all the
        Accounting and whatever coming into the database.
3.05 Q: Exec-Program, what does it do?
3.06 Q: Will IC-RADIUS pass all arguments to my program
        (Exec-Program/Exec-Program-Wait)?
3.07 Q: When using Exec-Program-Wait and Exec-Program can I get any debug
        information?
3.08 Q: Is it possible to have IC-RADIUS execute a script when a user logs out?
3.09 Q: Can IC-RADIUS send Vendor-Specific encoding to a box, to send it details
        of the DNS servers it will assign by encoding a Cisco-avpair attribute?
3.10 Q: If I wanted a type of account that was only allowed to log in, say,
        Monday to Friday between 9:00 and 17:00?
3.11 Q: I have read all the documentation and I still cannot get DEFAULT entries
        to work.
3.12 Q: We host a few visps on our lan; my question is, in my users table how
        can I have entries for say me@domain1.com different to me@domain2.com
        without having separate tables for each realm?
3.13 Q: How do I limit users to 300 Meg download maximum?
3.14 Q: IC-RADIUS uses some attributes that I'm not used to, what are they for?
3.15 Q: Does IC-RADIUS log the errors during authentication?
3.16 Q: I have an IBM 2212 access server. What should I specify in "type" in my
        nas table?
3.17 Q: My IC-RADIUS keeps on logging this message: Error: Acct: Invalid STOP
        record. [] STOP record but zero session length
3.18 Q: Are both secrets in IC-RADIUS and client equal?
3.19 Q: My log says 'No username []' and users cannot authenticate.
3.20 Q: I was just curious if there is a way to ID users into different groups.
3.21 Q: I've set up encrypted passwords in the mysql db (as per FAQ 3.01), but
        users can't login?

4: CGI

4.01 Q: After I login to the radius.cgi/usage.cgi it tells me 'session expired',
        what's the problem?
4.02 Q: usage.cgi doesn't seem to be working for me. I keep getting "Internal
        Server Error" messages.
4.03 Q: It seems that I'm having trouble viewing usage.cgi and these are the
        error logs that I'm getting from apache.
4.04 Q: Why can I not add NAS or realm definitions with the radius.cgi?
4.05 Q: I am getting the following error message in my error.log from Apache:
        Can't locate Authen/Radius.pm in @INC (@INC contains
4.06 Q: Where are the images for the cgi interface?

5: General

5.01 Q: Can someone (un)subscribe me from the IC-RADIUS mailing list?
5.02 Q: Is there an archive of the mailing list anywhere?
5.03 Q: radwho, radlast, radzap, radtest, testrad or raduse are not in src, what
        happened to them?
5.04 Q: Whenever I do a radtest from localhost, my log complains of a security
        breach.
5.05 Q: I noticed there was a script to sync up the radacct table if you are
        using a portmaster. Has anyone written a generic one to use for other
        NASs?
5.06 Q: Can anyone tell me how to configure IC-RADIUS to log the accounting
        information to the /var/log/radacct directory as a "detail" file?
5.07 Q: Are proxy users logged locally?
5.08 Q: Are there any Billing & Administration systems that work with
        IC-RADIUS?
5.09 Q: Are there any URLs that have more information?
5.10 Q: Please tell me how I can download the whole website?
5.11 Q: Has anybody come up with a patch to allow the system to verify or
        extract the users' mail details from IC-RADIUS, including
        authentication using IC-RADIUS?
5.12 Q: How can I test my new installation of IC-RADIUS without using a NAS?
5.13 Q: Can I keep up to date using CVS?
5.14 Q: What are the future plans for IC-RADIUS, especially now with FreeRADIUS?

6: Pre v.14

6.01 Q: When I upgraded from 0.8 to 0.9 I get a segmentation fault.

7: Credits

7.01 Q: Did you write all the questions and answers yourself?
7.02 Q: Who writes code for IC-RADIUS?

--------------------------------------------------------------------------------

1: Background

1.01 Q: What is IC-RADIUS?
A: RADIUS - Remote Authentication Dial In User Service. This is defined as a
   protocol for carrying authentication, authorization, and configuration
   information between a Network Access Server (NAS) that desires to
   authenticate its links and a shared Authentication Server (IC-RADIUS). This
   standard is described in great detail in RFC 2138 and 2139, available at
   http://www.freeradius.org.

1.02 Q: Basically how does it work?
A: Basically the process can be broken down into 4 steps. First, the user dials
   into the NAS. Next, the NAS sends a request to the authentication server
   (IC-RADIUS) via a standard set of attribute/value (a/v) pairs. Then, radius
   checks to see if that user exists and, if so, whether they can log on.
   Lastly, the radius server sends either an accept or a reject back to the
   NAS, which determines whether or not the user is allowed access.

1.03 Q: What do I need to run IC-RADIUS?
A: A Unix machine (Linux tested most), a MySQL database (http://www.mysql.com)
   and some SQL knowledge.

1.04 Q: What is the history of IC-RADIUS?
A: IC-RADIUS was started because there were no free radius servers which could
   do both authentication and accounting. It started as just a patch to Cistron
   RADIUS (now FreeRADIUS), and has evolved into a full SQL enabled RADIUS
   server.

1.05 Q: How many users can I have per machine/database?
A: IC-RADIUS can scale quite large. Due to the nature of a direct SQL
   interface, as opposed to memory caching, it is a bit slower than RADIUS
   servers like Cistron. On a single processor machine with 256M RAM, running
   the database on the same machine and with no bandwidth limits, it could
   probably take about 80 - 100 queries per second. By increasing
   max_sql_socks you can get more out of it, by having more connections to the
   database. 80 - 100 queries per second works out to about 250,000 users on
   an average server. Another way to improve performance is to separate the
   database machine from the RADIUS daemon, maybe even putting an isolated
   network between the two. Needless to say, there are a lot of things you can
   do to increase IC-RADIUS performance.

1.06 Q: Will it work on FreeBSD?
A: It should work just fine. If anything goes wrong it will most likely be
   related to time. If it does fail, post the error message to the mailing
   list.

1.07 Q: What encryption does IC-RADIUS use if I want to have encrypted passwords
        in the radius database? (MD5, DES, etc)
A: If you use Auth-Type = Crypt-Local it just calls the system's crypt()
   function. On newer Redhat systems you have the option of choosing whether
   you want MD5 or DES. I recommend MD5 if you have the option.

1.08 Q: Can I use IC-RADIUS with Microsoft SQL server?
A: Not currently, but the SQL interface has been designed to allow for plugins
   for other database types. If someone were to write an ODBC plugin, it might
   work.

--------------------------------------------------------------------------------

2: Set-up

2.01 Q: I have installed MySQL successfully, but I get a segmentation fault when
        I try to run IC-RADIUS.
A: This is most likely a problem with the dictionary.usr file. If you use USR
   NASs you must do the following to correct the problem.

   BEFORE you try to load dictionary.usr, execute the following queries.
   NOTE: if you have already loaded the file, then do this first:

   DELETE FROM dictionary;

   This will remove everything from the table.

   insert into dictionary values ('','VENDOR','USR','429','','');

   Then run dictimport on dictionary.usr. Then execute the following SQL
   queries:

   update dictionary set vendor = "USR" where type = "ATTRIB_NMC";
   update dictionary set type = "ATTRIBUTE" where type = "ATTRIB_NMC";

   Now go ahead and run dictimport on dictionary.

2.02 Q: When I run IC-RADIUS I get the following error: "could not find
        libmysqlclient.so.6"
A: This is a problem with /etc/ld.so.conf. To fix it, you must add a line to
   this file that specifies the path to libmysqlclient.so.6, then run ldconfig
   as root.

2.03 Q: What ports can IC-RADIUS use?
A: The defaults are 1645 for auth and 1646 for accounting. You can change these
   in your /etc/services by searching for 'radius'; when you find it just
   change the ports and restart radiusd. If you don't use /etc/services you
   can hard code them:

   /icradius-0.1*/src/radius.h:48: #define PW_AUTH_UDP_PORT 1645
   /icradius-0.1*/src/radius.h:49: #define PW_ACCT_UDP_PORT 1646

2.04 Q: Is anyone currently working on a perl script (or other) to import
        existing radius accounting data into the radacct table?
A: Yes, use accimport.pl found in the scripts dir.

2.05 Q: Anyone know how to use accimport.pl?
A: Make sure that you change the user/pass settings in accimport.pl, then run
   'accimport.pl detail.file' or 'accimport.pl < detail'.

2.06 Q: Can anyone tell me the exact name of the DBD modules file for MySQL that
        I need and the whereabouts of the same file please?
A: They are called mSQL-mySQL_modules. You should be able to get them from the
   MySQL web site.
   If not, try cpan.org/pub/CPAN/modules/by-module/DBD (or close to it).

2.07 Q: After killing the last of my non IC-RADIUS servers I'm trying to do a
        bit of house keeping; it seems that I've lost some stop times in the
        import of data! Being as new as I am to SQL, I have been trying a few
        combos of DATE_ADD().
A: How did you get a session time but no stop? They come in the same packet :).
   Anyway, this will fix you up:

   UPDATE radacct
      SET AcctStopTime = from_unixtime(unix_timestamp(AcctStartTime) + AcctSessionTime)
    WHERE AcctStopTime = 0 and AcctSessionTime != 0;

2.08 Q: Excuse my ignorance, what dictionary(s) do I use for portslaves running
        on the same box (minimal test case)?
A: You should be able to get away with just the standard 'dictionary' file.

2.09 Q: I've been trying to get more debug info from IC-RADIUS; does it offer any
        logging of failed connect attempts (any form)?
A: Yes, it logs failed attempts to /var/log/radius.log by default. If you turn
   on -y it logs all connects, and -yz logs all connects AND the passwords.

2.10 Q: I have a little problem with IC-RADIUS: I have two groups configured and
        I need 2 different address pools, can someone help me?
A: IC-RADIUS does not support address pools yet.

2.11 Q: How do I set-up proxy radius?
A: Insert an entry into the nas table for the proxy, and then an entry into the
   realm table defining the nas to use and what the realm will be. Then your
   users use user@other.net.

2.12 Q: I got this error message when I was trying to use the perl scripts to
        convert my /etc/raddb/dictionary to the mysql database.

        DBI->connect failed: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (111) at ./dictimport.pl line 26
        Cound not connect to radius database As

        But I'm sure the mysql server daemon is running and the root password
        is correct. What could it be?
A: It looks like $dbusername and $dbpassword are not set. At least the error
   message 'Cound not connect to radius database as' should have the value of
   $dbusername after it.
   Setting it to '' will NOT assume the current user. You need to explicitly
   set this to 'root' in the script.

2.13 Q: How do I set-up the NAS tables?
A: The NAS table should hold information about your NAS. As an example:

   mysql> SELECT * from NAS ;
   +----+------------------+-----------+---------------+
   | id | nasname          | shortname | ipaddr        |
   +----+------------------+-----------+---------------+
   |  1 | ppp-1.domian.com | ppp-1     | 192.168.110.1 |
   +----+------------------+-----------+---------------+
   +------------+-------+-----------+-----------+------+
   | type       | ports | secret    | community | snmp |
   +------------+-------+-----------+-----------+------+
   | livingston |    30 | the-key   | public    | on   |
   +------------+-------+-----------+-----------+------+

2.14 Q: How do I install IC-RADIUS?
A: Download the latest version from ftp://ftp.cheapnet.net/pub/icradius

   bash$ tar zxvf icradius-[version].tar.gz
   bash$ cd icradius-[version]/src

   Copy the appropriate Makefile.xxx for your OS to Makefile. Look through the
   Makefile to make sure everything suits your system and change it if needed
   (most things will be ok).

   bash$ make
   bash$ su - root
   bash# make install

   And don't forget to read the supplied documentation first; it can be found
   in the icradius-[version]/doc dir.

--------------------------------------------------------------------------------

3: Configuration

3.01 Q: How do I go about adding a user manually in the radius database so that
        he will be authenticated with the encrypted password he has in the
        database? Could you give me an example of such a user with entries in
        the appropriate tables in the radius database?
A: insert into radcheck values ('','user1','Auth-Type','Crypt-Local');
   insert into radcheck values ('','user1','Password',ENCRYPT('somepass'));

3.02 Q: Is there a simple example of a user set-up?
A: A simple set-up for a user will change from NAS to NAS, but in most cases you
   will get away with the following.
   radcheck
   +----+----------+-----------------+-----------+
   | id | UserName | Attribute       | Value     |
   +----+----------+-----------------+-----------+
   |  1 | someuser | Password        | dont_tell |
   +----+----------+-----------------+-----------+

   radreply
   +----+----------+-------------------+---------------------+
   | id | UserName | Attribute         | Value               |
   +----+----------+-------------------+---------------------+
   |  1 | someuser | Framed-IP-Address | 255.255.255.254     |
   |  2 | someuser | Framed-IP-Netmask | 255.255.255.0       |
   +----+----------+-------------------+---------------------+

   The above uses a password stored in IC-RADIUS. If you are using the system
   password then you could replace the Password attribute with Auth-Type:

   +----+----------+-----------------+-----------+
   | id | UserName | Attribute       | Value     |
   +----+----------+-----------------+-----------+
   |  1 | someuser | Auth-Type       | System    |
   +----+----------+-----------------+-----------+

   You should make sure that your NAS does not require any more than this, and
   remember to use the correct magic number so your NAS will assign a
   Framed-IP-Address (the magic number is one taken from the assigned pool).

3.03 Q: Is there a simple example of a user and group set-up?
A: If you are using groups you should place all common items in the group and
   add the user to this group, as any attributes set for the user will
   over-ride the group settings.

   radcheck
   +-----+----------+-----------+--------+
   | id  | UserName | Attribute | Value  |
   +-----+----------+-----------+--------+
   |   1 | someuser | Password  | xxxx   |
   +-----+----------+-----------+--------+

   usergroup
   +-----+----------+--------------+
   | id  | UserName | GroupName    |
   +-----+----------+--------------+
   |   1 | someuser | this_group   |
   +-----+----------+--------------+

   radgroupcheck
   +----+--------------+------------------+-------+
   | id | GroupName    | Attribute        | Value |
   +----+--------------+------------------+-------+
   |  1 | this_group   | Simultaneous-Use | 1     |
   +----+--------------+------------------+-------+

   radgroupreply
   +----+--------------+--------------------+---------------------+
   | id | GroupName    | Attribute          | Value               |
   +----+--------------+--------------------+---------------------+
   |  1 | this_group   | Filter-Id          | proxy.ppp           |
   |  2 | this_group   | Session-Timeout    | 11600               |
   |  3 | this_group   | Port-Limit         | 1                   |
   |  4 | this_group   | Service-Type       | Framed-User         |
   |  5 | this_group   | Framed-IP-Address  | 255.255.255.254     |
   |  6 | this_group   | Framed-Compression | Van-Jacobson-TCP-IP |
   |  7 | this_group   | Framed-Protocol    | PPP                 |
   |  8 | this_group   | Idle-Timeout       | 11600               |
   |  9 | this_group   | Framed-IP-Netmask  | 255.255.255.0       |
   +----+--------------+--------------------+---------------------+

   Once again, if you are using the system password then you could replace the
   Password attribute with Auth-Type, or place the Auth-Type in radgroupcheck
   if it applies to the whole group. If you are using the radius.cgi then it is
   very easy to add users and create groups; a user can be in more than one
   group at a time if needed.

3.04 Q: I need to be able to basically let anybody in, no matter what
        username/password pair has been given, but still keep all the
        Accounting and whatever coming into the database.
        Anybody know if this is possible, and if so, how?
A: This is possible with the 0.10pre1 release. In usergroup:

   insert into usergroup values ('','DEFAULT','AllowAll');
   insert into radgroupreply values ('','AllowAll','Auth-Type','Accept');

   In radgroupreply insert your normal reply items, such as a dynamic IP and
   Framed-Protocol PPP. Now any user not matched on the system will fall to
   this default entry, which says allow all without doing any checks.

   So, if I wanted to stop people using guest/guest then theoretically I can
   just put an entry in as username guest with a password of
   'goawayyoupeskykids' or whatever, or a check item of Auth-Type = Reject.

3.05 Q: Exec-Program, what does it do?
A: Make sure that radiusd can exec the programs you use for Exec-Program and
   Exec-Program-Wait. Exec-Program will execute a program when the user logs
   in, if the auth is passed, and it passes values to the program.

   Example: to send a user an email to let them know what connection speed
   they have just made and the number they called from, add to the reply table
   (or group):

   mysql> INSERT INTO radreply VALUES ('','username','Exec-Program','/tmp/mail_speed %u %s %i') ;

   /tmp/mail_speed:

   #!/bin/sh
   # %u %s %i arrive as $1 $2 $3: user name, connect speed, calling station id
   /bin/echo "$1 connected at $2 from $3" | /bin/mail -s "connection speed" "$1@somedomain.com"
   exit 0

   Exec-Program-Wait can be used as part of the auth for the user.

   Example: a user is not allowed to connect to port 10. Add to the reply table
   (or group):

   mysql> INSERT INTO radreply VALUES ('','username','Exec-Program-Wait','/tmp/should_we %p') ;

   /tmp/should_we, shell script example:

   #!/bin/sh
   # %p (the NAS port number) arrives as $1
   if [ "$1" = "10" ]; then
       exit 1      # non-zero exit status: fail the authentication
   fi
   exit 0          # pass

   C++ example:

   // IC-RADIUS
   // Exec-Program-Wait authentication program
   // If the first argument is equal to 10 then fail them,
   // otherwise pass the authentication.
   #include <stdio.h>
   #include <string.h>

   int main(int argc, char *argv[])
   {
       if (argc < 2)                 // no arguments were passed to the program
           return -1;                // fail the authentication
       if (!strcmp(argv[1], "10"))   // check whether argument 1 is "10"
           return -1;                // and fail the authentication
       return 0;                     // otherwise pass the authentication
   }

   Or, if they connect on a port greater than 10 and we want to add more reply
   items (remember to use only REPLY items):

   /tmp/should_we, shell script example:

   #!/bin/sh
   # %p arrives as $1; ports above 10 get extra reply items on stdout
   if [ "$1" -gt 10 ]; then
       echo "Framed-AppleTalk-Zone = MyZone"
       echo "Framed-AppleTalk-Network = 10"
   fi
   exit 0

   C++ example:

   // IC-RADIUS
   // Exec-Program-Wait authentication program
   // If they connect on a port greater than port 10
   // then add some more reply items.
   // Remember to only use reply items!
   #include <stdio.h>
   #include <stdlib.h>

   int main(int argc, char *argv[])
   {
       int argument1;

       if (argc < 2)                 // no arguments were passed
           return -1;                // fail the authentication
       argument1 = atoi(argv[1]);    // convert the argument to an integer so
                                     // that we can compare it numerically
       if (argument1 > 10)           // port above 10: output the extra reply items
           printf("Framed-AppleTalk-Zone = MyZone\nFramed-AppleTalk-Network = 10\n");
       return 0;                     // and pass the authentication
   }

   If your program takes time to return, your auth may time out, so keep
   things quick or have the program fork. Return -1 (a non-zero exit status)
   to fail the authentication, or 0 to pass it. Reply items (if any) that are
   returned by Exec-Program-Wait do NOT replace reply items that IC-RADIUS has
   already set.

3.06 Q: Will IC-RADIUS pass all arguments to my program?
A: Yes, you can use the following arguments with your program.

   Taken from the original request:
   %p   Port number
   %n   NAS IP address
   %u   User name
   %a   Protocol (SLIP/PPP)
   %s   Speed (connect string, e.g. "28800/V42.BIS")
   %i   Calling Station ID

   Taken from the reply as defined thus far:
   %f   Framed IP address
   %c   Callback-Number
   %t   MTU

3.07 Q: When using Exec-Program-Wait and Exec-Program can I get any debug
        information?
A: You can use the radius.log for debugging, or the radius.cgi if you started
   radiusd with -z (debug).

3.08 Q: Is it possible to have IC-RADIUS execute a script when a user logs out?
A: No.

3.09 Q: Can IC-RADIUS send Vendor-Specific encoding to a box, to send it details
        of the DNS servers it will assign by encoding a Cisco-avpair attribute?
A: Vendor-Specific encoding can be done using the vendor dictionary or by
   making manual entries:

   mysql> INSERT INTO dictionary VALUES ('','VENDOR','CISCO',9,'','');
   mysql> INSERT INTO dictionary VALUES ('','ATTRIBUTE','Cisco-AVPair',1,'string','CISCO');

   Or import the Cisco dictionary. Then set up the radreply:

   INSERT INTO radreply VALUES ('','someuser','Service-Type','Framed-User');
   INSERT INTO radreply VALUES ('','someuser','Framed-Protocol','PPP');
   INSERT INTO radreply VALUES ('','someuser','Framed-IP-Address','192.168.2.254');
   INSERT INTO radreply VALUES ('','someuser','Cisco-AVPair', 'ip:dns-servers=www.xxx.yyy.zzz iii.jjj.kkk.lll');
   INSERT INTO radreply VALUES ('','someuser','Cisco-AVPair', 'ip:route=192.168.2.0 255.255.255.0 192.168.2.254');

3.10 Q: If I wanted a type of account that was only allowed to log in, say,
        Monday to Friday between 9:00 and 17:00, is there already a way using
        radgroups?
A: Yes, you can using Login-Time. It can be used for a single user by placing
   it in the radcheck table, or for a group by placing it in the radgroupcheck
   table.

   Login-Time defines the time span in which a user may login to the system.
   The format of a so-called time string is like the format used by UUCP. A
   time string may be a list of simple time strings separated by "|" or ",".
   Each simple time string must begin with a day definition. That can be just
   one day, multiple days, or a range of days separated by a hyphen. A day is
   Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al" means all
   days. After that a range of hours follows in hhmm-hhmm format.
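   Added example (not code from this FAQ or from IC-RADIUS itself): a parser
   for the Login-Time string format just described, plus the Session-Timeout
   calculation the answer goes on to mention. It assumes day names are
   case-insensitive and that an hhmm-hhmm range whose end is not after its
   start runs past midnight into the following day.

```python
import re
from datetime import datetime

DAY_NAMES = ["mo", "tu", "we", "th", "fr", "sa", "su"]   # datetime.weekday() order
MINUTES_PER_DAY = 24 * 60
WEEK_MINUTES = 7 * MINUTES_PER_DAY
HOURS_RE = re.compile(r"(\d{2})(\d{2})-(\d{2})(\d{2})")


def _parse_days(simple):
    """Consume the day definition that starts a simple time string and return
    (set of weekday indexes, remaining text). Accepts one day (Sa), several
    (SaSu), a range (Mo-We), Wk (Mo-Fr) and Any/Al; case-insensitive here."""
    s = simple.lower()
    days, i = set(), 0
    while i < len(s):
        if s.startswith("any", i):
            days.update(range(7)); i += 3
        elif s.startswith("al", i):
            days.update(range(7)); i += 2
        elif s.startswith("wk", i):
            days.update(range(5)); i += 2
        elif s[i:i + 2] in DAY_NAMES:
            first = DAY_NAMES.index(s[i:i + 2]); i += 2
            if s[i:i + 1] == "-" and s[i + 1:i + 3] in DAY_NAMES:
                last = DAY_NAMES.index(s[i + 1:i + 3]); i += 3
                if first <= last:
                    days.update(range(first, last + 1))
                else:                     # e.g. Fr-Mo wraps around the week
                    days.update(range(first, 7)); days.update(range(0, last + 1))
            else:
                days.add(first)
        else:
            break
    if not days:
        raise ValueError(f"time string {simple!r} does not begin with a day")
    return days, simple[i:]


def parse_login_time(spec):
    """Turn a Login-Time value into a bitmap of the week's minutes (1 = allowed)."""
    allowed = bytearray(WEEK_MINUTES)
    for simple in re.split(r"[|,]", spec):
        simple = simple.strip()
        if not simple:
            continue
        days, rest = _parse_days(simple)
        if rest == "":                            # no hour range: the whole day
            start, end = 0, MINUTES_PER_DAY
        else:
            m = HOURS_RE.fullmatch(rest)
            if not m:
                raise ValueError(f"bad hour range in {simple!r}")
            sh, sm, eh, em = (int(x) for x in m.groups())
            if sh > 23 or eh > 24 or sm > 59 or em > 59:
                raise ValueError(f"bad hour range in {simple!r}")
            start, end = sh * 60 + sm, eh * 60 + em
        for day in days:
            base = day * MINUTES_PER_DAY
            if start < end:                       # range lies within one day
                allowed[base + start:base + end] = b"\x01" * (end - start)
            else:                                 # assumed: wraps past midnight
                allowed[base + start:base + MINUTES_PER_DAY] = \
                    b"\x01" * (MINUTES_PER_DAY - start)
                nxt = ((day + 1) % 7) * MINUTES_PER_DAY
                allowed[nxt:nxt + end] = b"\x01" * end
    return allowed


def _minute_index(when):
    return when.weekday() * MINUTES_PER_DAY + when.hour * 60 + when.minute


def is_allowed(allowed, when):
    """May a user with this Login-Time bitmap log in at datetime `when`?"""
    return bool(allowed[_minute_index(when)])


def session_timeout(allowed, when):
    """Seconds until the current allowed span ends, i.e. the Session-Timeout the
    FAQ says IC-RADIUS sends; 0 if login is not allowed now, None if the whole
    week is allowed (nothing to time out)."""
    idx = _minute_index(when)
    if not allowed[idx]:
        return 0
    run = 0
    while run < WEEK_MINUTES and allowed[(idx + run) % WEEK_MINUTES]:
        run += 1
    return None if run == WEEK_MINUTES else run * 60 - when.second


def login_check(spec, when):
    """(allowed_now, session_timeout) for a Login-Time value and a datetime or a
    (year, month, day, hour, minute[, second]) tuple."""
    if isinstance(when, tuple):
        when = datetime(*when)
    bitmap = parse_login_time(spec)
    return is_allowed(bitmap, when), session_timeout(bitmap, when)
```

   For the FAQ's own case, login_check("Al0800-1800", (2000, 8, 30, 17, 30))
   returns (True, 1800); Aug 30, 2000 was a Wednesday.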
   In the radcheck table, for example:

   +----+----------+--------------+----------------------------+
   | id | UserName | Attribute    | Value                      |
   +----+----------+--------------+----------------------------+
   |  1 | someuser | Login-Time   | Wk2305-0855,Sa,Su2305-1655 |
   +----+----------+--------------+----------------------------+

   This will allow a user to connect weekdays 23:05 till 8:55, all day Sat, and
   Sun 23:05 till 16:55.

   IC-RADIUS calculates the number of seconds left in the time span, and sets
   the Session-Timeout to that number of seconds. So if someone's Login-Time is
   "Al0800-1800" and she logs in at 17:30, Session-Timeout is set to 1800
   seconds so that she is kicked off at 18:00.

3.11 Q: I have read all the documentation and I still cannot get DEFAULT entries
        to work.
A: Below is an example of what a set-up using DEFAULT looks like:

   radgroupcheck
   +------+------------+-------------------+---------------+
   | id   | GroupName  | Attribute         | Value         |
   +------+------------+-------------------+---------------+
   |    1 | DEFGROUP   | Auth-Type         | System        |
   |    2 | DEFGROUP   | Simultaneous-Use  | 1             |
   +------+------------+-------------------+---------------+

   radgroupreply
   +------+------------+-------------------+---------------+
   | id   | GroupName  | Attribute         | Value         |
   +------+------------+-------------------+---------------+
   |    1 | DEFGROUP   | Framed-IP-Address | 1.2.3.4       |
   |    2 | DEFGROUP   | Framed-IP-NetMask | 255.255.255.0 |
   +------+------------+-------------------+---------------+

   usergroup
   +----+----------+-----------+
   | id | UserName | GroupName |
   +----+----------+-----------+
   |  1 | DEFAULT  | DEFGROUP  |
   +----+----------+-----------+

   This will check the system /etc/passwd for the user and, if they
   authenticate, will use the entries from radgroupreply as the reply items to
   the NAS.
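   Added example (not IC-RADIUS's own code): a small model of the lookup order
   that the answers to 3.03, 3.04 and 3.11 describe, run over constructed
   copies of those answers' tables. It assumes only what those answers state:
   group items are collected first, the user's own items override them, and a
   user with no rows of their own is looked up as DEFAULT.

```python
# Constructed rows mirroring the FAQ's tables, as tuples in column order.
USERGROUP = [                       # (UserName, GroupName)
    ("someuser", "this_group"),
    ("DEFAULT", "DEFGROUP"),        # 3.11: unknown users are looked up as DEFAULT
]
RADCHECK = [                        # (UserName, Attribute, Value)
    ("someuser", "Password", "xxxx"),
    ("guest", "Auth-Type", "Reject"),   # 3.04: stops guest/guest reaching DEFAULT
]
RADREPLY = [
    ("someuser", "Session-Timeout", "3600"),   # user item, overrides the group's
]
RADGROUPCHECK = [                   # (GroupName, Attribute, Value)
    ("this_group", "Simultaneous-Use", "1"),
    ("DEFGROUP", "Auth-Type", "System"),
    ("DEFGROUP", "Simultaneous-Use", "1"),
]
RADGROUPREPLY = [
    ("this_group", "Filter-Id", "proxy.ppp"),
    ("this_group", "Session-Timeout", "11600"),
    ("this_group", "Framed-Protocol", "PPP"),
    ("DEFGROUP", "Framed-IP-Address", "1.2.3.4"),
    ("DEFGROUP", "Framed-IP-NetMask", "255.255.255.0"),
]


def _items(table, name):
    """Attribute -> Value for the rows of a check/reply table owned by name."""
    return {attr: value for owner, attr, value in table if owner == name}


def _groups_of(name):
    return [group for user, group in USERGROUP if user == name]


def resolve(username):
    """Return (check_items, reply_items) for a username.

    Group items come first and the user's own items are laid over them, so a
    user attribute wins over the same attribute from a group (3.03). A name
    with no rows in radcheck, radreply or usergroup falls through to the rows
    stored under the username DEFAULT (3.04, 3.11).
    """
    known = (_items(RADCHECK, username) or _items(RADREPLY, username)
             or _groups_of(username))
    name = username if known else "DEFAULT"
    check, reply = {}, {}
    for group in _groups_of(name):
        check.update(_items(RADGROUPCHECK, group))
        reply.update(_items(RADGROUPREPLY, group))
    check.update(_items(RADCHECK, name))
    reply.update(_items(RADREPLY, name))
    return check, reply


def decision(username, password):
    """Outcome of the check items this model understands: Auth-Type
    Accept/Reject, a stored plaintext Password, or System (the host password
    file decides, which is not modelled here)."""
    check, _ = resolve(username)
    auth_type = check.get("Auth-Type", "Local")
    if auth_type == "Reject":
        return "reject"
    if auth_type == "Accept":
        return "accept"
    if auth_type == "System":
        return "accept if /etc/passwd agrees"
    return "accept" if check.get("Password") == password else "reject"
```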
3.12 Q: We host a few visps on our lan; my question is, in my users table how
        can I have entries for say me@domain1.com different to me@domain2.com
        without having separate tables for each realm, or do I put each realm
        in its own table?
A: You might be able to get away with putting the realm as LOCAL, adding the
   option nostrip, and then defining each user in radcheck with the
   @domain.com as part of the username. If that does not work, then you will
   have to make user names unique across all domains.

3.13 Q: How do I limit users to 300 Meg download maximum?
A: See Exec-Program-Wait; at this time there are no data limit check items.

3.14 Q: IC-RADIUS uses some attributes that I'm not used to, what are they for?
A: You should read the full RFC at www.freeradius.org/rfc/

   Name                Type     Descr.
   ----                ----     ------
   Simultaneous-Use    integer  Max. number of concurrent logins
   Exec-Program        string   Program to execute after authentication
   Exec-Program-Wait   string   Ditto, but wait for the program to finish
                                before sending back the auth. reply
   Login-Time          string   Defines when the user may login
   Monthly-Time-Limit  integer  Number of seconds a user may use within the
                                current month. Resets on the 1st
   Total-Time-Limit    integer  Total number of seconds a user may use. Never
                                resets
   Activation          date     Date the account becomes active

3.15 Q: Does IC-RADIUS log the errors during authentication?
A: Yes, if you are still using radius.log. Include the options below when
   starting radiusd; see the man page.

   radiusd [-A] [-S] [-a accounting_directory] [-b] [-c] [-d config_directory]
           [-f] [-i ip-address] [-l log_directory] [-p port] [-s] [-v] [-x]
           [-y] [-z]

   OPTIONS
   -A   Write a file detail.auth in addition to the standard detail file in
        the same directory. This file will contain all the
        authentication-request records. This can be useful for debugging, but
        not for normal operation.
   -y   Write details about every authentication request in the radius.log
        file.
   -z   Include the password in the radius.log file even for successful
        logins.
        Remember this is very insecure!

3.16 Q: I have an IBM 2212 access server. What should I specify in "type" in my
        nas table?
A: Just put 'other'. This is only used when doing the Simultaneous-Use stuff.
   I do not know if that NAS type is supported by checkrad.

3.17 Q: My IC-RADIUS keeps on logging this message: Error: Acct: Invalid STOP
        record. [] STOP record but zero session length
A: Your NAS isn't giving the session time to the radius server, so it is 0. You
   should make sure your NAS is set up correctly.

3.18 Q: Are both secrets in IC-RADIUS and client equal?
A: Yes, they are all the same; each NAS can have its own key!

3.19 Q: My log says 'No username []' and users cannot authenticate.
A: You probably forgot to load the dictionary files into the database. Use the
   supplied script dictimport.pl to load the necessary dictionary files.

3.20 Q: I was just curious if there is a way to ID users into different groups.
        For example, we have multiple pops. We would like users from any given
        pop to be able to dial in to any of our other pops, but still have a
        unique field showing what town/POP they belong to. The reason for this
        is flexibility as users travel around the area, but we want to make
        sure that we are meeting user/modem ratios in their "hometown POP". Is
        there a way to show this already, or is this something that would have
        to be coded in?
A: You can add entries into the usergroup table even if the group does not
   exist. This will have no effect on their check/reply items, but could be
   used for analysis. I hope this is what you were asking.

3.21 Q: I've set up encrypted passwords in the mysql db (as per FAQ 3.01), but
        users can't login?
A: You can't configure your NAS to use CHAP and also use encrypted passwords.
   Use PAP on your NAS if you wish to store encrypted passwords in your mysql
   db, or store plaintext passwords in your mysql db and use CHAP. Here's a
   blurb from the freeradius.org FAQ that explains it:

> You have 2 choices:
>
> 1.
> You allow CHAP and store all the passwords plaintext.
> Advantage: passwords don't go cleartext over the phone line between
> the user and the terminal server. Disadvantage: You have to
> store the passwords in cleartext on the server.
>
> 2. You don't allow CHAP, just PAP. Advantage: you don't store
> cleartext passwords on your system. Disadvantage: passwords go
> in cleartext over the phone line between the user and the
> terminal server.
>
> Now, people say CHAP is more secure.
> Now you decide which is more likely:
>
> - the phone line between the user and the terminal server gets sniffed
>   and a cracker (a GOOD one) intercepts just one password
> - your radius server is hacked into and a cracker gets ALL passwords
>   of ALL users.
>
> Right. Still think CHAP is more secure ? I thought so.
>
> This is a limitation of the CHAP protocol itself, not the RADIUS
> protocol. The CHAP protocol *requires* that you store the passwords in
> plain-text format.

--------------------------------------------------------------------------------

4: CGI

4.01 Q: After I login to the radius.cgi/usage.cgi it tells me 'session expired',
        what's the problem?
A: The cookie is failing to be set in your browser. Make sure $cookiedomain is
   set to the domain of your web server, e.g.:

   $cookiedomain = ".mydomain.com";

   Also make sure your browser is set to accept cookies.

4.02 Q: usage.cgi doesn't seem to be working for me. I keep getting "Internal
        Server Error" messages.
A: If the error_log gives a message like "Can't locate Authen/Radius.pm" you
   are probably missing Radius.pm. To get it, try ftp.cpan.org under the
   modules directory and look for Authen::RADIUS. You will have to make sure
   your path is correct, and remember capitalization counts here! If you use
   CPAN it will install it where it wants it to be. If you want
   usage.cgi/radius.cgi to send a radius query to authenticate, you need these
   modules.
If you just want them to do a local lookup (which works only with non-encrypted passwords), set authtype to local (0).

4.03 Q: It seems that I'm having trouble viewing usage.cgi, and this is the error I'm getting in the Apache logs:

   mv: cannot move `/tmp/radsess.7001' to `/usr/local/apache/cgi-bin/radsess': Invalid cross-device link

A: Make $tmpdir point to a directory on the same partition as $sessfile; the session file is renamed into place, and a rename cannot cross filesystems (that is the "cross-device link" error). Be sure $tmpdir is also writable by the web server.

4.04 Q: Why can I not add NAS or realm definitions with radius.cgi?

A: Because I have not had a chance to write this code yet! Hopefully it will be done soon!

4.05 Q: I am getting the following error message in my error.log from Apache: Can't locate Authen/Radius.pm in @INC (@INC contains

A: See the answer to 4.02.

4.06 Q: Where are the images for the CGI interface?

A: You'll find them in the scripts/images directory.

--------------------------------------------------------------------------------

5: General

5.01 Q: Can someone (un)subscribe me from the IC-RADIUS mailing list?

A: You can do it yourself by sending a message to majordomo@innercite.com with the text 'subscribe' or 'unsubscribe' in the body.

5.02 Q: Is there an archive of the mailing list anywhere?

A: YES! It's at: http://radius.innercite.com/archive/

5.03 Q: radwho, radlast, radzap, radtest, testrad and raduse are not in src. What happened to them?

A: They are now in the scripts directory; you will see they are now written in Perl. The new versions are database aware. I still have to write radzap and raduse, which I am in no hurry to do, because radzap is easy with an SQL command and raduse is made obsolete by the web interface.

5.04 Q: Whenever I do a radtest from localhost, my log complains of a security breach. localhost is in there as the hostname 'localhost' and with IP addresses, both the proper interface address and 127.0.0.1, but it still seems to complain.

A: Try adding the IP of your Ethernet interface to the nas table and run radtest against that IP.
Also, it would really help if you could try it from another machine.

5.05 Q: I noticed there was a script to sync up the radacct table if you are using a PortMaster. Has anyone written a generic one for other NASes?

A: To fix your particular problem, issue the following query in mysql; it fills in the start times as stop time minus session length:

   UPDATE radacct
      SET AcctStartTime = from_unixtime(unix_timestamp(AcctStopTime) - AcctSessionTime)
    WHERE AcctStartTime = 0;

Rows that have no stop time either cannot be repaired this way; add AND AcctStopTime IS NOT NULL to the WHERE clause if you want to leave those untouched.

5.06 Q: Can anyone tell me how to configure IC-RADIUS to log the accounting information to the /var/log/radacct directory as a "detail" file?

A: There is a script to do this: scripts/acctexport.pl

5.07 Q: Are proxied users logged locally?

A: Indeed it does keep a local log. It even sets the 'realm' field to the realm of the proxied user.

5.08 Q: Are there any billing and administration systems that work with IC-RADIUS?

A: None just for IC-RADIUS, but try the following link: http://casablanca.thenet.co.nz/thenet/admin/
InnerCite is developing its entire billing and customer management system around IC-RADIUS, which may someday turn into a commercial product, and will obviously support IC-RADIUS 100%.

5.09 Q: Are there any URLs with more information?

A: Yes:
   http://www.miquels.cistron.nl/radius/README
   http://radius.innercite.com/FAQ.txt
   http://www.freeradius.org

5.10 Q: Please tell me how I can download the whole website?

A: You can't, as the site is database driven.

5.11 Q: Has anybody come up with a patch to allow the system to verify or extract users' mail details from IC-RADIUS, including authentication using IC-RADIUS?

A: Not as such, but you can use other programs that keep user and password information in MySQL tables; look at http://www.inet-interactive.com/sendmail/ and http://www.riverstyx.net/qpopmysql/

5.12 Q: How can I test my new installation of IC-RADIUS without using a NAS?
A: Use radtest (in the scripts directory):

   radtest user password icradius.server.com testport(number) access.key

where access.key is the shared secret from the nas table entry for the host you run radtest from; that host must be listed in the nas table or the server will refuse the request (see 3.18 and 5.04).

5.13 Q: Can I keep up to date using CVS?

A: Check out the web interface at http://anoncvs.innercite.com/cgi-bin/cvsweb.cgi or use

   CVSROOT :pserver:anonymous@anoncvs.innercite.com:/var/cvsroot
   Password:

5.14 Q: What are the future plans for IC-RADIUS, especially now with FreeRADIUS?

A: The code used for IC-RADIUS is the same code that is going into the rlm_sql FreeRADIUS module. The current module scheme for FreeRADIUS does not give quite the flexibility of IC-RADIUS. Not only that, but FreeRADIUS is still some way from production quality. For these reasons IC-RADIUS will continue to be developed for the foreseeable future.

--------------------------------------------------------------------------------

6: Pre v.14

6.01 Q: When I upgraded from 0.8 to 0.9 I get a segmentation fault.

A: First, if you use USR equipment, check 6.1 above. This could also be caused by an old nas table definition. Execute these queries to fix the problem. This will also update the radacct table, since it has changed as well.

   alter table nas add column community varchar(50);
   alter table nas add column snmp varchar(10);
   update nas set community = 'public', snmp = 'on';

Fix radacct table:

   alter table radacct change column AcctDelayTime AcctStartDelay int(12);
   alter table radacct add column

--------------------------------------------------------------------------------

7: Credits

7.01 Q: Did you write all the questions and answers yourself?

A: No, some have come from the mailing list, and from the original FAQ written by Mike Machado, mike@innercite.com

7.02 Q: Who writes code for IC-RADIUS?

A: Mike Machado, mike@innercite.com

--------------------------------------------------------------------------------

Chris Joyce. chris@pccentre.com.au

This document may be distributed under the terms set forth in the LDP license at http://www.linuxdoc.org/COPYRIGHT.html
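Appendix: what radtest (5.12) puts on the wire, and why the secret has to be equal on both ends (3.18) and the sending host has to be in the nas table (5.04). This is an added worked example and not code from this FAQ or from the IC-RADIUS sources: it builds an RFC 2865 Access-Request with a PAP User-Password hidden under the shared secret, does the server-side lookup of the client address, decodes the password and answers with a properly computed Response Authenticator, which the client side then verifies. The nas table, the user store, the client address 192.0.2.10 and the secrets are constructed stand-ins, not IC-RADIUS's real schema or values.

```python
"""radtest on the wire: Access-Request, nas-table lookup, Response Authenticator."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5

# Constructed stand-ins (assumptions, not the real IC-RADIUS tables):
# nas table as "client address -> shared secret", plus a plaintext user store.
NAS_TABLE: Dict[str, bytes] = {"192.0.2.10": b"testing123"}
USERS: Dict[str, str] = {"alice": "s3cret-pw"}


def _pack_attrs(pairs: List[Tuple[int, bytes]]) -> bytes:
    # Each attribute is Type(1) Length(1, including this header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(raw: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(raw):
        t, ln = raw[i], raw[i + 1]
        if ln < 2 or i + ln > len(raw):
            raise ValueError("malformed attribute")
        out.append((t, raw[i + 2:i + ln]))
        i += ln
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple; block 1 is XORed with
    MD5(secret + Request Authenticator), block n with MD5(secret + block n-1)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_port: int, req_auth: Optional[bytes] = None) -> bytes:
    """Client side, i.e. what radtest sends. Request Authenticator is 16 random bytes."""
    req_auth = req_auth or os.urandom(16)
    attrs = _pack_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet: bytes, src_ip: str) -> Tuple[Optional[bytes], str]:
    """Server side. Returns (reply or None, log line). A source address that is
    not in the nas table is the situation behind the complaint in FAQ 5.04."""
    secret = NAS_TABLE.get(src_ip)
    if secret is None:
        return None, "Security: request from unknown client %s dropped" % src_ip
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(_parse_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(USER_PASSWORD)
    if code != ACCESS_REQUEST or not user or hidden is None:
        ok = False
    else:
        # Unequal secrets do not raise an error: decoding just yields garbage.
        password = reveal_password(hidden, secret, req_auth).decode(errors="replace")
        ok = USERS.get(user) == password
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret);
    # this reply carries no attributes.
    resp_auth = hashlib.md5(head + req_auth + secret).digest()
    return head + resp_auth, "Login %s: [%s]" % ("OK" if ok else "incorrect", user)


def client_verify(request: bytes, reply: bytes, secret: bytes) -> bool:
    """radtest side: recompute the Response Authenticator with our secret.
    A mismatch means a forged reply or unequal secrets (FAQ 3.18)."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo() -> dict:
    secret = NAS_TABLE["192.0.2.10"]
    ra = bytes(range(16))  # fixed here for reproducibility; radtest uses random bytes
    good = build_access_request(1, "alice", "s3cret-pw", secret, 1, ra)
    reply, log_good = server_handle(good, "192.0.2.10")
    bad = build_access_request(2, "alice", "s3cret-pw", b"wrong-secret", 1, ra)
    reply_bad, log_bad = server_handle(bad, "192.0.2.10")
    dropped, log_unknown = server_handle(good, "198.51.100.5")
    return {
        "good_code": reply[0],
        "good_verified": client_verify(good, reply, secret),
        "bad_code": reply_bad[0],
        "bad_verified": client_verify(bad, reply_bad, b"wrong-secret"),
        "unknown_dropped": dropped is None,
        "logs": [log_good, log_bad, log_unknown],
    }
```

Running demo() shows the three cases a radtest can land in: matching secret and listed client gives an Access-Accept whose authenticator verifies; a mismatched secret gives an Access-Reject (the server decoded a garbage password) whose authenticator the client cannot verify either; and a client address missing from the nas table gets no reply at all, only the security log line.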