Radiator Frequently Asked Questions

  • 1. Is there a mailing list archive?
  • 2. I specified dictionary.cisco in radius.cfg (or dictionary.ascend), and now the test suite fails. Why?
  • 3. OK, which dictionary should I use then?
  • 4. How do I configure a Cisco NAS for Radius?
  • 5. How do I use Livingston users file?
  • 6. Why doesn't the radpwtst GUI work properly on my PC?
  • 7. I can't get crypt(3) for Perl working on my PC. Do I really need it?
  • 8. Will Radiator run on Perl 5.003?
  • 9. I keep getting Bad Authenticator messages when I get accounting requests from a GRIC roaming connection. Why?
  • 10. How can I authenticate against NT passwords and Groups
  • 11. How are DEFAULT users entered in a DBM file?
  • 12. How can I connect to Microsoft SQL from a Unix box?
  • 13. How do I set up anti-spoofing filters
  • 14. Why are my DBM files so big?
  • 15. Why do tests 2n and 4a fail on freebsd?
  • 16. How do I set up automatic IP address allocation
  • 17. How do I make Radiator work with Emerald?
  • 18. How do I make Radiator work with LDAP on NT?
  • 19. How do I make Radiator work with Platypus?
  • 20. How can I apply the same check or reply items to all the users in my SQL database?
  • 21. How can I make Radiator work with the PPTP server?
  • 22. How can I connect to Microsoft SQL server from Unix using OpenLink?
  • 23. How do I run Radiator as a service on NT?
  • 24. I don't know where to get SRVANY, what can I do to run as a service on NT
  • 25. How can I use Microsoft Access as my database?
  • 26. Where can I get pmwho?
  • 27. I think I'm seeing a memory leak. What can I do?
  • 28. Where can I get a copy of snmpget?
  • 29. I can't build DBD-Sybase against the free Sybase client library on Linux. Why?
  • 30. My USR radius attributes don't seem to be numbered correctly. Why?
  • 31. I'm having problems compiling MD5 on Rhapsody. Why
  • 32. I'm having problems with NT services and ODBC
  • 33. How do I make DBI::Proxy work between unix and NT?
  • 34. I can't unzip the Radiator distribution on Win 95. Why?
  • 35. How do I make Radiator work with Interbiller 98?
  • 36. How do I make Radiator work with Freeside?
  • 37. Is Radiator Y2K compliant?
  • 38. I got an error while testing perl-ldap on Linux. Is that OK?
  • 39. Does Radiator support the IETF Radius Tunnelling attributes?
  • 40. How do I set up Radius Tunnelling with my Bay Annex Server?
  • 41. How can I do authentication from one SQL database and accounting to another?
  • 42. What does a "Could not find a Client" warning mean
  • 43. I'm having problems building MySQL
  • 44. I get a weird error message when I try to use Log SYSLOG
  • 45. I'm having problems compiling MD5 on SCO Open Server
  • 46. I'm getting 'Expiration date has passed' from Platypus
  • 47. On my BSDI box, I'm getting "Out of memory!" messages
  • 48. I have problems with MyODBC on NT
  • 49. How can I poll Radiator with MRTG?
  • 50. I get errors when I try to run radiusd as a SUID program
  • 51. I get an error when testing or running IpssPerl
  • 52. Radiator keeps reporting "Bad Password", and I don't know why
  • 53. I'm using DBD-Sybase on Unix, and my accounting data is not being saved
  • 54. I get "unblessed reference" errors in my Hook
  • 55. How do I make RAS send the correct parameters to Radius?

    1. Is there a mailing list archive?

    Yes, here, with thanks to the courtesy of Richard Uren.

    2. I specified dictionary.cisco in radius.cfg (or dictionary.ascend), and now the test suite fails. Why?

    The test suite uses some attributes that are defined differently by different vendors. Specifically, the values for the attribute Service-Type have different names, according to Cisco and Ascend.

    This does not mean that either the test suites or the dictionaries are broken. It is an unfortunate incompatibility between different vendors' dictionaries.

    We recommend that you use the standard dictionary supplied with Radiator whenever possible. This will work in the vast majority of cases.

    3. OK, which dictionary should I use then?

    Dictionaries are a vexed question. If you are operating with NASs from only one vendor, choose the standard dictionary, or the dictionary for that vendor. If you are operating in a mixed environment, use the default dictionary. If that does not work for you, try concatenating the dictionaries for the vendors you are using into one big dictionary.

    4. How do I configure a Cisco NAS for Radius?

    You will need something like this in your Terminal server configuration:
    
    aaa new-model
    aaa authentication login DIAL-SCRIPT-USERS radius
    aaa authentication login TELNET-USERS local
    aaa authentication ppp PAP-USERS if-needed radius
    aaa authorization network radius
    aaa accounting network start-stop radius
    ...
    radius-server host 1.2.3.4 auth-port 1645 acct-port 1646
    radius-server key blahblahblah
    

    You will probably want to use these reply attributes in order to enable PPP sessions:

    
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Routing = None,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobson-TCP-IP
    

    5. How do I use Livingston users file?

    Livingston and many other Radius servers use the users file for configuring the behaviour of the server, as well as describing the users. Radiator takes a slightly different approach, where the server configuration is described in the config file, and the users file only describes the users.

    You can use a Livingston users file unchanged, provided you set up your Radiator config file properly. A typical example config file is provided in goodies/livingCompat.cfg in the Radiator distribution. The principal requirements are to have a DEFAULT Realm, and an AuthBy UNIX clause with the Identifier "System". This will cause any users with the check item Auth-Type="System" to be authenticated with UNIX Authentication (i.e. with a standard Unix password file).

    See Installation and Reference manual for more details.

    6. Why doesn't the radpwtst GUI work properly on my PC?

    The most commonly available binary version of Perl (from Gurusamy Sarathy, perl5.00402-bindist04-bc.tar.gz) includes Tk for Perl version 402.002. This version has problems with registering read handlers for Windows sockets, which means that the radpwtst GUI never sees replies from a radius server. If you use radpwtst without the GUI (i.e. omit the -gui flag), it works fine on PCs.

    If you are using these versions, then the radpwtst GUI will not work correctly. We understand that a forthcoming version of the Perl binary will correct this problem.

    7. I can't get crypt(3) for Perl working on my PC. Do I really need it?

    It's a pain. Gurusamy Sarathy informs us that the next version of his Perl binary distribution will include crypt(3). In the meantime, you only need crypt(3) if you are using encrypted passwords in your user database (i.e. you have Encrypted-Password=xxxxx as a check item in your user database). If you don't use encrypted passwords, you can safely leave out crypt.

    8. Will Radiator run on Perl 5.003?

    In general, yes, but the radpwtst GUI is not supported. TkPerl requires 5.004 or better. One customer reported Radiator "freezing" until they upgraded to 5.00404. We recommend you use 5.00404 or better.

    9. I keep getting Bad Authenticator messages when I get accounting requests from a GRIC roaming connection. Why?

    A number of radius servers, such as Merit, the AimTraveler server that GRIC uses, and others, do not correctly compute the authenticator on accounting requests. They do not conform to the Radius specification. Radiator checks all authenticators against the specification and complains if a bad authenticator is received. It does not look like these servers are going to be repaired, so Radiator has a special flag to ignore the authenticator in incoming accounting requests. See IgnoreAcctSignature in the Client clause.

    10. How can I authenticate against NT passwords and Groups

    On NT, you can authenticate users using their NT user password and NT Global Groups. This means that you can ensure that only real NT users can log in. You can also ensure they get special NAS configurations that depend on which NT Local Group they are in.

    Your configuration file should look something like this:

    
    # put <Client ...> etc clauses here
    .....
    <Realm DEFAULT>
    	<AuthBy FILE>
    	# might want to specify the name of the users file here
    	# See below for the contents of the users file
    	</AuthBy>
    </Realm>
    <Realm thiswontmatchanything>
            # This clause says that for entries in the users file
    	# that specify Auth-Type=System, use the NT module to 
    	# authenticate them
    	<AuthBy NT>
    		Identifier System
    	</AuthBy>
    </Realm>
    
    

    And your users file could be something like this

    
    # This will match all users in the Administrators local group
    DEFAULT Auth-Type=System, Group=Administrators
            reply-item = .....
    
    # This will match all users in the User local group
    DEFAULT Auth-Type=System, Group=Users
            reply-item = .....
    
    # And this will match everyone else
    DEFAULT Auth-Type=System
            reply-item = .....
    
    
    

    This allows you to have distinct groups of users who get special checks and special reply items. A similar technique can be used with the UNIX module.

    11. How are DEFAULT users entered in a DBM file?

    When the DBM file is built, the first DEFAULT entry in the input file is entered as DEFAULT, the second as DEFAULT1, the third as DEFAULT2 etc. This guarantees the uniqueness and ordering of DEFAULT entries. When AuthBy DBM fails to match a user name it will then try to match DEFAULT, then DEFAULT1, DEFAULT2 etc.

    Something similar happens with AuthBy FILE.

    12. How can I connect to Microsoft SQL from a Unix box?

    You have several options. The choice depends on money, support, and the platform you plan to run on:
    1. Use OpenLink's Multi-Tier ODBC for Unix plus DBD-ODBC. You will also need their NT server side package which includes their Request Broker. This package is good for accessing MS-SQL, MS-Access, Oracle, Sybase etc etc on NT from Unix. A nice package without license fees for some applications. We recommend this option.
    2. Linux only: Use the free Sybase driver here, and use DBD-Sybase. Or (preferred) install Adaptive Server Enterprise then install the DBD-Sybase RPM.
    3. Unix other than Linux: Purchase the OpenClient/C Developer package for US$795.00 straight from Sybase for the CTLib, and use DBD-Sybase.
    4. Use the DBI::Proxy module available in DBI-1.02.tar.gz. This module will proxy DBI requests across the network to a target box where it can access an ODBC database. More details below.
    5. Use the DBD-FreeTDS module from ftp://freetds.internetcds.com/pub/freetds_dbd/ which can talk to Sybase, MS-SQL 6.5 and 7.0 without the need for any proprietary client libraries. We have found that revision DBD-FreeTDS-0.02 did not work properly, but the later snapshots work fine. This is a very quick and easy solution for getting from Unix to MS-SQL or Sybase on any platform.
    Note: MSSQL is really the same as Sybase, and Unix Sybase client libraries can happily connect to MSSQL. One gotcha: the default TCP port to connect to MSSQL is 1433 decimal, which is different to the default for Sybase, so you may have to alter your /opt/sybase/interfaces file.

    13. How do I set up anti-spoofing filters

    You can set up anti-spoofing filters in NASs that support filters such as USR (3COM) Hiperarcs. In the Radiator config file put something like:
    
            
                    UseAddressHint
                    Dynamic USR-IP-Input-Filter
            
    
    
    (You can have multiple Dynamic lines, one for each unique attribute you want % interpolation on.) A typical users file entry might look like this (for a 3COM Hiperarc):
    DEFAULT Auth-Type = System
            Framed-IP-Address = 255.255.255.254,
            Framed-Routing = None,
            Framed-IP-Netmask = 255.255.255.255,
            IP-Filter-In = "1 REJECT src-addr!=%a",
            Service-Type = Framed-User
    
    (it'll work on anything, not just DEFAULT)

    This will end up authenticating the user with a reply message like the following (assuming you have hint-assigned enabled on the NAS, and the address that it assigned from its pool was 0.0.0.1):

    
            Framed-IP-Address = 0.0.0.1
            Framed-Routing = None
            Framed-IP-Netmask = 255.255.255.255
            IP-Filter-In = "1 REJECT src-addr!=0.0.0.1"
            Service-Type = Framed-User
    
    So you can create ANTI-spoof filter rules that will be filled in with the right values on the fly! Cool, huh? BTW, you must use dictionary.usr, which is the one that defines IP-Filter-In.

    (Thanks to Aaron Nabil for this example and the code to implement it.)

    14. Why are my DBM files so big?

    Radiator is shipped with the AuthBy DBFILE module using Perl's built in SDBM module. We do this because it is available built in on every platform, including Win95 and NT. The down side of SDBM is that it makes large database files.

    You can get AuthBy DBFILE to use the Berkeley DB format instead by editing Radius/AuthDBFILE.pm. Change the 2 occurrences of SDBM_File to DB_File, and reinstall Radiator. Radiator will now use the Berkeley DB format for DBM files, and they will be much smaller than with SDBM.

    15. Why do tests 2n and 4a fail on freebsd?

    FreeBSD uses MD5 for encrypting passwords in crypt(3), but the example passwd file we provide for testing the AuthBy UNIX uses standard DES encryption.

    You can fix this by copying passwd.md5 to passwd and rerunning make test.

    16. How do I set up automatic IP address allocation

    Basically, you need to do 2 things:
    1. Add 1 or more FramedGroupBaseAddress items to each Client in your Radiator configuration file.
    2. Add a Framed-Group reply item to each user for whom you want address allocation.

    For example in the Radiator configuration file:

        
            # This is the base address for Framed-Group = 0
            FramedGroupBaseAddress	10.0.0.1
            # This is the base address for Framed-Group = 1
            FramedGroupBaseAddress	10.0.1.1
            # This is the base address for Framed-Group = 2
            FramedGroupBaseAddress	10.0.2.1
            .....
        
    

    and in the users file, something like:

    mikem    Password = "fred"
             Framed-Group = 1,
             Framed-Protocol = PPP,
                 etc.
    

    Now if mikem logs into the Client at port 5, he will be allocated an IP address of 10.0.1.6 (ie 10.0.1.1 + 5). If the users file said Framed-Group = 0, and he logged in on port 11, he would be allocated an IP address of 10.0.0.12 (10.0.0.1 + 11).

    17. How do I make Radiator work with Emerald?

    Emerald is a good ISP billing system from IEA. It uses Microsoft SQL database for user and billing data. IEA also offer an NT based radius server called RadiusNT that can authenticate from and insert accounting into Emerald.

    Radiator can also authenticate from and insert accounting into Emerald, but with Radiator, you can do it from a Unix host, and with the extra features that Radiator has but RadiusNT does not.

    There is an example Radiator configuration file in goodies/emerald.cfg in the Radiator distribution. Use it as a starting point for integrating with Emerald. You will need to configure some attributes like DBSource, DBUsername and DBAuth to suit your Emerald setup. You will most likely want to use ODBC to connect to the Emerald MSSQL database, but you could also use the Sybase driver, if you have that instead.

    18. How do I make Radiator work with LDAP on NT?

    Follow these steps:
    1. Make sure you have installed the Perl NT binaries from Gurusamy Sarathy.
    2. Fetch and install NETSCAPE DIRECTORY SDK 1.0 Win32 for Windows NT with SSL support (self-extracting archive)
    3. Fetch and install the Net-LDAP Windows NT Binaries v1.40. Make sure you follow all the instructions in the Readme file.
    4. Configure an AuthBy LDAP clause in your Radiator configuration file. See the example radius.cfg in the Radiator distribution for examples.

    19. How do I make Radiator work with Platypus?

    Platypus is an excellent ISP billing system from Boardtown. It uses Microsoft SQL database for user and billing data.

    Radiator can authenticate from and insert accounting into Platypus. This makes for seamless integration between your radius server and your customer management/billing system. Using ODBC, you can run your radius server on Unix, Win95 or NT.

    There is an example Radiator configuration file in goodies/platypus.cfg in the Radiator distribution. Use it as a starting point for integrating with Platypus. You will need to configure some attributes like DBSource, DBUsername and DBAuth to suit your Platypus setup. You will most likely want to use ODBC to connect to the Platypus MSSQL database, but you could also use the Sybase driver, if you have that instead.

    20. How can I apply the same check or reply items to all the users in my SQL database?

    Sometimes you need to have a common set of check or reply items for all users, but you don't want to have to put them in every user in the database. Or maybe you want to be able to tune them for all users easily. You can arrange for Radiator to cascade from SQL to a flat file or other user database.
    
        AuthByPolicy ContinueWhileAccept
        
    	...
        
        
    	...
       
    
    (See goodies/common-sql.cfg for example code). You can then have a DEFAULT user in the users file specified in the AuthBy FILE with the common reply items you want:
    DEFAULT Service-Type = Framed-User
            Framed-Protocol = PPP,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Routing = None,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobson-TCP-IP  
    
    Another alternative is to cascade from SQL to another SQL that only selects the check and reply items for a DEFAULT user:
    
        AuthByPolicy ContinueWhileAccept
        
    	...
        
        
    	AuthSelect select NULL, CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME = 'DEFAULT';
       
    
    With some (but not all: mSQL does not support it) SQL servers you can provide common check and reply items more easily with a special AuthSelect statement:
    AuthSelect select PASSWORD, 'Service-Type = Framed-User', 
      'Framed-Protocol = PPP, etc etc etc' 
       from SUBSCRIBERS where USERNAME = '%n'
    
    With some SQL servers (eg Oracle), you could even combine the common and per-user check and reply items by using concatenation in the select statement.

    21. How can I make Radiator work with the PPTP server?

    Changes are outlined in Microsoft Online Support article Q172216.
    1. Start Regedit
    2. Goto: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP
    3. Click on SPAP, click Edit, and Delete. Yes to confirm deletion.
    4. Click on CHAP, click Edit, and Delete. Yes to confirm deletion.
    5. Close Regedit, stop and restart Routing and Remote Access Service.
    (Contributed by Dalton, Robert W (Robert.Dalton@88CG.WPAFB.AF.MIL))

    22. How can I connect to Microsoft SQL server from Unix using OpenLink?

    The best option is to use the "Combined OpenLinkODBC/iODBC package" from OpenLink. This package (smkoxxxx.taz for Solaris) allows ODBC requests to be sent by RPC from your Unix client to (for example) an NT host running Microsoft SQL Server 6. It really does work.

    You will also need the OpenLink request broker for NT (ntadm65x.zip) installed on the NT host where the MS-SQL server is running. This broker receives RPC calls from the iODBC package on the Unix host and translates them into MS-SQL calls. After installation, start the Oplrqb.exe program.

    Further, you will have to build DBD-ODBC 0.16 or better on your Unix host to use the include files and libraries that come with the OpenLinkODBC/iODBC package. This will involve some minor changes to Makefile.PL before building DBD-ODBC. Change

    my $myodbc = 'odbc';	# edit and hack to suit!
     to
    my $myodbc = 'iodbc';	# edit and hack to suit!
    
    and add a line at:
    	
            print SQLH qq{#include <iodbc.h>\n}; # ADD this line
    	print SQLH qq{#include <isql.h>\n};
    	print SQLH qq{#include <isqlext.h>\n};
    

    You will also need to create ~/.odbc.ini on the Unix host as described in the OpenLinkODBC/iODBC package, as well as create /etc/udbc.ini with something like this:

    [radius_udbc]
    Description 	= Sample MS SQLServer DSN
    Host		= fred
    ServerType	= SQLServer 6
    ServerOptions	=
    Database	= radius
    FetchBufferSize	= 30
    

    If you wanted to connect to a Platypus database on NT, you would put something like this in udbc.ini:

    [plat_udbc]
    Description 	= Sample MS SQLServer DSN
    Host		= fred
    ServerType	= SQLServer 6
    ServerOptions	=
    Database	= plat
    FetchBufferSize	= 30
    

    Finally, you would specify something like this in the Radiator config file for your AuthBy SQL:

    		DBSource	dbi:ODBC:radius_udbc
    		DBUsername	sa
    		DBAuth		sa
    

    23. How do I run Radiator as a service on NT?

    See the reference manual for details.

    24. I don't know where to get SRVANY, what can I do to run as a service on NT

    Some people have had success with FireDaemon as an alternative NT Service installer.

    25. How can I use Microsoft Access as my database?

    We have not tested against Microsoft Access, but here are some notes from the coal face by Nicholas Barrington (nbarrington@smart.net.au) and Anton Sparrius (anton@smart.net.au) who have made it work.
    1. BC5.0 didn't work! We use the compiled version of perl, so that was ok. However, to get DBD and DBI working we had to do a few extra things. Firstly, the DBD module told us that it wanted version 0.90, and we had version 0.93, so it wouldn't work. Once we downloaded the newer version of DBD v0.19 everything there worked OK.
    2. BC5.0 still didn't work. Make that comes with BC5 would just bomb out, but using dmake that came with perl was much better. However, there was a couple of .h files (sql.h and sqlext.h) that it needed that BC5 didn't have. I was able to find them on MSVC and copy those across and that seemed to work. Then, there was a couple of libraries that were needed, once again, I had to find them in MSVC and use IMPLIB (comes with BC5) to import them. One was called odbc32.dll (which gets converted to a .lib with IMPLIB). I can't remember if there was another one, but if there was, it was of a similar nature.
    3. Compile worked! Simply set up an ODBC in WinNT and we were away and working. Bit of a hack really, but it runs beautifully. Running off a Cisco 5200 so we get heaps of information.
    4. Trying to use BC5 dmake (make produces errors) causes .DEF file errors in the DBI and DBD module makes. We had to edit the .DEF and remove the quotes "" from the top line before it would continue.
    5. We had to use the latest .19 release of the ODBC DBD instead of the .16 as specified in the notes.
    6. We used version .93 of the DBI module, which again had the .DEF errors but were overcome.
    7. When creating our table in MS Access, we initially tried using field names that were the same as the NAS return names. This caused us massive headaches at run time, until we figured out we had to use different field names than the NAS return names.
    8. We also tried using a column name of Timestamp for a NAS return item called Timestamp and it failed in the same way anything did when we had column name = NAS return name. So that looks like a big no-no, too (at least with the MS Access database).

    In all, we didn't really have any success at all with Sarathy's binary distribution of perl. Once we downloaded and included the latest version of the components we managed to fire it up.

    26. Where can I get pmwho?

    The program pmwho is used for verifying logins on Total Control NAS's. You can get it from here, amongst other places. Credit for this belongs to Johan Persson, jp@abc.se.

    27. I think I'm seeing a memory leak. What can I do?

    First, you should note that Radiator will grow a little when it first starts up, as it finds out about the users currently logged on and the NAS's it is getting requests from. Then, as your user population settles down, the growth will slow down and stop. Depending on your configuration, you should not see Radiator grow by more than a few Mb from its initial size. Steady, continued growth in the size of the image even after a few days running indicates a problem.
    1. Upgrade to the latest version of Perl. Perl 5.003 had a number of leaks in perl itself, mostly to do with evals.
    2. Upgrade to the latest version of Radiator. As of 2.12, there are no leaks that we are aware of.
    3. If you have any local modifications to Radiator, remove them and see if it still leaks.
    4. Try to identify what kinds of requests are causing the leak: Authentication or accounting requests, AuthBy FILE or AuthBy SQL etc?
    5. If you are using any perl modules (DBD-*, LDAP etc), upgrade to the latest versions and see if it still leaks.
    6. Report the problem to us, along with your configuration file (remove any secrets and passwords), and an estimate of the growth rate.

    28. Where can I get a copy of snmpget?

    Get UCD SNMP.

    29. I can't build DBD-Sybase against the free Sybase client library on Linux. Why?

    On some versions of Linux, we have observed that compiling and linking the shared Sybase library for DBD-Sybase results in compiler crashes. One way to work around this is to build a statically linked perl that includes the Sybase libraries statically linked:
    • Uncomment the LINKTYPE=static line in CONFIG
    • perl Makefile.PL
    • make
    • make perl
    • Install the newly created perl binary in place of your normal perl binary.
    It works, we've tried it. There is a good reference to getting ctlib to work for Linux here, and also about setting up DBI/DBD::Sybase on Linux here.

    30. My USR radius attributes don't seem to be numbered correctly. Why?

    On the netservers you have control over whether certain VSAs start counting at 0 or 1 using the set format command:

    Formatting connect-info message output: This command allows you to specify whether the information sent to RADIUS is 0-based or 1-based. The USR vendor-specific RADIUS attributes affected are; Connect-Speed (0x9023), Modulation-Type (0x006C), Error-Control-Type (0x0099), and Compression-Type (0x00C7). The default is to begin the slot and channel numbering at zero.

    	set format connect-info <0-based | 1-based>
    

    31. I'm having problems compiling MD5 on Rhapsody. Why

    Rhapsody still has some unusual behaviour, but it's basically OK.

    This is the basic process on Rhapsody:

    1. Unpack MD5 in a work directory
    2. perl Makefile.PL
    3. Edit Makefile and remove USE_NEXT_CTYPE
    4. make dynamic
    5. make test
    6. make install
    7. You may also need to add MD5 to the perl config file (usually /System/Library/Frameworks/Perl.framework/Config.pm)

    32. I'm having problems with NT services and ODBC

    When I run Radiator from line command (in foreground), everything goes well. But when I start Radiator as a service on NT, I receive the following message (I enabled "interact with desktop" for this service):
    [Microsoft][ODBC Driver Manager] Data source name not found and no default
    driver specified (SQL-IM002)(DBD: db_login/SQLConnect err=-1) at
    c:\Perl\lib/Radius/SqlDb.pm line 99
    
    You have probably set up your ODBC data source as a User DSN and not a System DSN (Platypus users note: Platypus may be set up this way). You will probably need to remove the existing ODBC DSN, and add it back as a System DSN.

    33. How do I make DBI::Proxy work between unix and NT?

    It works fine, but it takes a little effort to get going. Here's what we did:
    1. Active State perl running on NT (hostname fred)
    2. MS SQL running on NT, with an ODBC system DSN called 'MSSQL'
    3. Install Storable module from active state on NT, using PPM
    4. Install DBD-ODBC module from active state on NT, using PPM
    5. Install DBI module from active state on NT, using PPM
    6. Did h2ph syslog.ph sys/syslog.ph and sys/cdefs.ph in my Cygnus include directory (to get a syslog.ph for perl)
    7. Download pRPC-modules-0.1005.tar.gz from CPAN. Unpack, perl Makefile.PL, nmake, nmake install
    8. On NT in dir c:\perl\5.00502\bin run
      	perl dbiproxy --port 9991 --nofork
      
    9. On Solaris, build and install Storable, DBI-1.02 and pRPC-modules-0.1005.tar.gz from CPAN in the usual way.
    10. On Solaris, Radiator configured for AuthBy SQL with:
       DBSource	dbi:Proxy:hostname=fred;port=9991;dsn=dbi:ODBC:MSSQL
       DBUsername	sa
       DBAuth		sa
      

    34. I can't unzip the Radiator distribution on Win 95. Why?

    The Radiator distribution will unzip fine with recent versions of WinZip. We use WinZip 6.3 here (with the classic interface). If you are using that or a later WinZip, and it still won't unzip, check these:
    1. Some browsers will rename the file when you download it. Make sure it has a ".tgz" extension. WinZip uses the extension to determine what to do with the file. Try renaming your file so that it has a ".tgz" extension.
    2. Check that you have downloaded the whole file. Get a directory listing of the downloads area, and check that your copy is about the same size as reported on the directory listing.
    3. Try downloading the file again.
    4. Try using a different browser, or a different computer to download.

    35. How do I make Radiator work with Interbiller 98?

    Radiator can authenticate from the Interbiller 98 user database using AuthBy SQL. There is an example configuration file in goodies/interbiller.cfg to get you started. Interbiller uses a Microsoft Access database, so on Win95 or NT, you will need to install the Perl DBI and DBD-ODBC modules, and configure a System DSN to point to the Interbiller database (usually called 'Subs.mdb').

    At this time, Interbiller does not handle Radius accounting data for doing time-based billing. We will add the ability to save accounting data to Interbiller as soon as Interbiller supports it.

    36. How do I make Radiator work with Freeside?

    See the example freeside.cfg in the goodies directory. Freeside does not (yet) support time- or volume-based billing, so that config file only authenticates from the Freeside database. It does not insert accounting.

    37. Is Radiator Y2K compliant?

    See the
    Radiator Y2K Statement.

    38. I got an error while testing perl-ldap on Linux. Is that OK?

    While testing perl-ldap-0.09 on Linux, you may see this:
    
    /usr/bin/perl -I./blib/arch -I./blib/lib -I/usr/lib/perl5/i386-linux/5.00404 -I/usr/lib/perl5 bin/ldapsearch.PL
    [mikem@charlie perl-ldap-0.09]$ make test
    PERL_DL_NONLAZY=1 /usr/bin/perl -I./blib/arch -I./blib/lib -I/usr/lib/perl5/i386-linux/5.00404 -I/usr/lib/perl5 -e 'use Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
    t/00ldif-entry......ok
    t/01url.............dubious
            Test returned status 0 (wstat 7, 0x7)
    Undefined subroutine &Test::Harness::WCOREDUMP called at /usr/lib/perl5/Test/Harness.pm line 252.
    make: *** [test_dynamic] Error 2
    
    
    That's OK. The resulting module will still work fine with Radiator.

    39. Does Radiator support the IETF Radius Tunnelling attributes?

    Yes. There are a few tricks to using them though. The IETF standard tunnelling attributes have a "tag" that is used to group tunnelling attributes. Radiator always sets the tag to 0 for the integer attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Preference, and for Tunnel-Password. This means that you must also set the tag to 0 in the value if you use the string attributes Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Private-Group-ID, or Tunnel-Assignment-ID. The easiest way to do this is with an escape sequence in the string, for example:
    Tunnel-Server-Endpoint = "\000203.63.154.22 fr:20",
    The \000 at the beginning specifies a tag of 0, and you must have it at the beginning of the string attributes.

    The specification for "RADIUS Attributes for Tunnel Protocol Support" can be found here

    40. How do I set up Radius Tunnelling with my Bay Annex Server?

    When a tunnelling user dials into the Annex, the Annex will first authenticate the user@realm with Radius and Radius must return the tunnel configuration options with Annex-Local-Username, Annex-User-Server-Location, Tunnel-Medium-Type, Tunnel-Server-Endpoint, and Tunnel-Type. This information tells the Annex how to set up the tunnel, and the name of the user to reauthenticate (with Annex-Local-Username). The Annex will then set up the tunnel and send a second Access-Request for the username specified by Annex-Local-Username. Radius should reply with the normal PPP radius reply.

    There is an example Radiator configuration file in goodies/annex.cfg that shows a neat way to do this.

    41. How can I do authentication from one SQL database and accounting to another?

    Use something like this:
    <Realm whatever>
    	AuthByPolicy ContinueAlways
    	<AuthBy SQL>
    		DBSource	dbi:???????
    		DBUsername	userfordb1
    		DBAuth		authfordb1
    		# an empty AuthSelect turns off auth
    		AuthSelect
    
    		AccountingTable	whatever
    		# etc, etc, etc.
    	</AuthBy>
    	<AuthBy SQL>
    		DBSource	dbi:???????
    		DBUsername	userfordb2
    		DBAuth		authfordb2
    		# an empty AccountingTable turns off accounting
    		AccountingTable
    	</AuthBy>
    </Realm>
    
    

    42. What does a "Could not find a Client" warning mean

    If you see a WARNING message like:
    Tue Apr 13 21:47:18 1999: WARNING: Could not find a Client for NAS 168.115.29.194 to double-check Simultaneous-Use
    
    it means that you probably have a DNS name for that client in its Client clause, but do not have a reverse DNS entry for it in your DNS. Radiator needs the reverse DNS entry so it can work out which Client clause corresponds to the NAS's IP address.

    You should either:

    1. Add a reverse DNS entry for that client, or
    2. Change your Radiator Client clause so it uses the IP address instead of the DNS name.

    43. I'm having problems building MySQL

    There are known problems with shared versions of libmysqlclient, at least on some Linux boxes. If you receive an error message similar to
    install_driver(mysql) failed: Can't load 
    '/usr/lib/perl5/site_perl/i586-linux/auto/DBD/mysql/mysql.so' 
    for module DBD::mysql: File not found at 
    /usr/lib/perl5/i586-linux/5.00404/DynaLoader.pm line 166
    
    then this error message can be misleading: it is not mysql.so that fails to load, but libmysqlclient.so!

    As a workaround, recompile the Msql-Mysql-modules with

    perl Makefile.PL --static --config 
    make 
    make test 
    make install
    This option forces linkage against the static libmysqlclient.a.
    

    44. I get a weird error message when I try to use Log SYSLOG

    You might get an error message like this:
    Mon Apr 19 15:45:31 1999: ERR: Could not load Log module
    Radius/LogSYSLOG.pm: Can't locate syslog.ph in @INC 
    (did you run h2ph?) (@INC contains: .........
    
    This indicates that you have not yet run the h2ph Perl utility to generate the syslog.ph file for your system. More details are in the Radiator reference manual; see also "man h2ph". We usually just do:
    cd /usr/include; h2ph * sys/*
    

    45. I'm having problems compiling MD5 on SCO Open Server

    I get this error:
    	gcc: -fPIC is only valid with -melf
    
    After doing perl Makefile.PL, you will need to edit Makefile and alter CCCDLFLAGS to read like this:
    CCCDLFLAGS = -fPIC -melf
    

    46. I'm getting 'Expiration date has passed' from Platypus

    and I'm sure that the expiration date has not passed.

    Some versions of the Platypus RadiusNT-compatibility files use 1/1/2050 as the default expiration date. Versions of Radiator up to and including 2.13.1 had problems with Platypus expiration dates later than Dec 31 2037. If you have this problem, you will need to alter your RadiusNT views MasterAccounts and SubAccounts so the expireDates are no later than 2037.

    47. On my BSDI box, I'm getting "Out of memory!" messages

    By default, BSDI has fairly strict limits on the maximum data size permitted to a process. If you have a fairly large password file or users file, Radiator may need a larger data space. See goodies/bsdi-memory.txt in your distribution for detailed instructions on how to increase the default data size on BSDI, contributed by Paul Thornton (paul@dove.mtx.net.au). Thanks Paul.

    Alternatively you could just wrap a script around radius like this:

    #!/bin/csh -f
    # 'limit' is a csh builtin, so this wrapper must run under csh
    # Increase data size limit to 32M
    limit datasize 32000k
    /usr/local/bin/radiusd &
    

    48. I have problems with MyODBC on NT

    When I use AuthBy SQL and MyODBC on NT or Win 95 I see "send failed: unknown error", when Radiator tries to send its first reply to a NAS. Then Radiator goes into a hard infinite loop.

    This is caused by a problem with myodbc-2.50.22. You should downgrade to myodbc-2.50.19 instead, see the ODBC download dir

    49. How can I poll Radiator with MRTG?

    Contributed by Stephen Roderick (steve@proaxis.com):

    Well, this is what I do (via a cron job every 5 minutes):

    #!/usr/local/bin/perl
    
    $total = 0;
    $accttotal = 0;
    
    # Sum the per-client authentication counters reported by snmpwalk
    open(FD, "/usr/local/bin/snmpwalk host community .1.3.6.1.3.79.1.1.1.6.1.4  |") or die;
    while (<FD>)
    {
        $total += $1    if (/.* = (\d+)/);
    }
    close(FD);
    
    # Sum the per-client accounting counters reported by snmpwalk
    open(FD, "/usr/local/bin/snmpwalk host community .1.3.6.1.3.79.1.1.1.6.1.12  |") or die;
    while (<FD>)
    {
        $accttotal += $1    if (/.* = (\d+)/);
    }
    close(FD);
    
    $total *= 8;
    $accttotal *= 8;
    
    open(FD, ">/stats/radius.stats");
    print FD "$total\n$total\n";
    close(FD);
    
    open(FD, ">/stats/radiusacct.stats");
    print FD "$accttotal\n$accttotal\n";
    close(FD);
    
    exit 0;
    -----------------------------------------------------------
    
    Then I have the following config for MRTG:
    
    Target[radiator]: `/bin/cat /stats/radius.stats`
    MaxBytes[radiator]: 2000
    Options[radiator]: nopercent
    Title[radiator]: Radius Statistics
    PageTop[radiator]: Radius Statistics
    WithPeak[radiator]: dwmy
    YLegend[radiator]: No. of queries
    ShortLegend[radiator]: queries
    LegendI[radiator]:  Authentication:
    LegendO[radiator]:
    
    #.....................................................................
    
    Target[radacct]: `/bin/cat /stats/radiusacct.stats`
    MaxBytes[radacct]: 2000
    Options[radacct]: nopercent
    Title[radacct]: Radius Statistics
    PageTop[radacct]: Radius Statistics
    WithPeak[radacct]: dwmy
    YLegend[radacct]: No. of queries
    ShortLegend[radacct]: queries
    LegendI[radacct]:  Accounting:
    LegendO[radacct]:
    
    
    I'm sure there is a better way but at some point you get tired of trying to find it and just do something that works.

    50. I get errors when I try to run radiusd as a SUID program

    If you run radiusd as a SUID program on some platforms, you may get an error message like this:
    Cannot get host name of local machine at ./radiusd line 106
    
    This is due to Perl's strict checking when running a SUID program. You can fix it by uncommenting this line in the BEGIN block near the top of the radiusd file:
    	$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';
    
    The path you use should include the path to your hostname(1) or uname(1) programs.

    51. I get an error when testing or running IpassPerl

    On some Unix systems, you might get this error when compiling and testing IpassPerl:
    [mikem@charlie IpassPerl-1.3]$ make test
    PERL_DL_NONLAZY=1 /usr/bin/perl -I./blib/arch -I./blib/lib -I/usr/lib/perl5/i386-linux/5.00404 -I/usr/lib/perl5 test.pl
    1..6
    Can't load './blib/arch/auto/Ipass/Ipass.so' for module Ipass: ./blib/arch/auto/Ipass/Ipass.so: undefined symbol: RSAPrivateDecrypt at /usr/lib/perl5/i386-linux/5.00404/DynaLoader.pm line 168.
    
    This can be fixed by editing Makefile.PL, and changing the LIBS line to read:
        'LIBS'	   => ["-L$ipass_lib -lip -lssl -lcrypto -lrsaref"],
    

    52. Radiator keeps reporting "Bad Password", and I don't know why

    In decreasing order of probability:
    • The shared secret configured into Radiator for that client is not the same as the one in the NAS. If the secret is wrong, Radiator will decrypt the password to nonsense, and you will be able to see this if you log passwords with PasswordLogFileName.
    • Your shared secret contains special characters that your NAS doesn't like. Some NASs have problems with non-alphanumeric characters. Try changing the shared secret in your NAS and Radiator to be just alphanumeric characters.
    • If you are using SQL authentication, make sure you specify EncryptedPassword only if the password column contains a Unix crypt(2) encrypted password.
    • The password is really wrong.

    53. I'm using DBD-Sybase on Unix, and my accounting data is not being saved

    Make sure you are using at least DBD-Sybase-0.19. Some earlier versions (notably DBD-Sybase-0.18) had problems with table locks.

    54. I get "unblessed reference" errors in my Hook

    Contrary to the documentation published with version 2.13.x, you need to access $_[0] and $_[1] by dereferencing them:
     PreAuthHook sub { ${$_[0]}->add_attr('test-attr', 'test-value'); }
    

    55. How do I make RAS send the correct parameters to Radius?

    You must remove two keys from the RRAS server's registry:
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\CHAP
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\SPAP
    Contributed by Michael Gatti (mike@mso.com.br). Thanks Michael.

    Copyright © 1998 by Open System Consultants Pty. Ltd.