tekradius


Upload: angel-maldonado

Post on 10-Dec-2015

TekRADIUS LT Version 4.9 Readme File
Copyright 2007-2015 KaplanSoft

0. Contents:

1. Introduction
2. Major features
3. System requirements
4. Installing and Uninstalling
5. Configuration and running
6. Release notes
7. Trademarks

1. Introduction

TekRADIUS LT is a RADIUS AAA server (based on RFC 2865 and RFC 2866) that runs under the Microsoft Windows (XP/Vista/7/8, 2003/2008/2012 Server) operating system. Visit http://www.tekradius.com/ regularly for updates.

2. Major features

Supports features described in RFC 2865 and RFC 2866 (RADIUS protocol).
Supports TCP (RFC 6613) and TLS (RFC 6614-RadSec) transports.
Logs system messages, errors and session information to a log file and limits the number of simultaneous sessions (see notes).
All parameters can be configured and the RADIUS Dictionary can be edited through the TRManager GUI.
Authentication and Accounting ports are user selectable.
Uses an SQLite database and does not require an external database server.
You can map RADIUS Accounting attributes to Accounting table fields.
You can run TekRADIUS in Authentication only or Authorization only mode.
You can define which RADIUS attribute will be used as the User-Name substitute.
You can define your own Authorization query string.
PAP, CHAP, MS-CHAP v1, MS-CHAP v2, EAP-MD5, EAP-MS-CHAP v2, EAP-SIM, EAP-TLS, PEAPv0-EAP-MS-CHAP v2 (as implemented in Windows XP SP1) and Digest (draft-sterman-aaa-sip-00.txt) authentication methods are supported. EAP-TLS and EAP-SIM are available in commercial editions only.
Built-in DHCP server which allows you to assign IP addresses to wireless clients based on their usernames entered in PEAP authentication, not just based on their MAC addresses.
Generates MS-MPPE Keys for VPN connections.
Supports OTP (One Time Password) authentication based on RFC 2289.
You can specify an Expire-Date and User-Credit for the users and use the Authentication method as a RADIUS check item.
You can specify how long a user account will be valid after the first logon (Time-Limit) and you can specify allowed logon days and hours (Login-Time).
TekRADIUS can send a Packet of Disconnect (PoD) or execute a user defined session kill command when a user consumes all his or her credit (SP Edition only).
You can authenticate users against a Windows Domain or Active Directory.
Command line utility for adding, deleting and modifying user profiles and RADIUS clients. You can start, stop and query the status of the TekRADIUS service using the command line utility (trcli.exe).
User level restrictions on GUI access. Windows users in the "Administrators" group can access all functions of the TekRADIUS Manager GUI, but Windows users in the built-in "Users" group can access only a restricted set of functions.
Simple reporting interface for browsing Accounting records.
Disconnects users with a Packet of Disconnect (PoD) or a user defined kill command.
TekRADIUS can disable a user profile after a user configurable number of unsuccessful login attempts.
You can specify credit limits for daily, weekly or monthly periods.
You can run an external executable and check its result as a check item.
Quick and easy installation.

3. System requirements

A Windows system with at least 2048 MB of RAM.
Microsoft .NET Framework v4.0 Client Profile.
5 MBytes of disk space for installation. Disk space required for the TekRADIUS database depends on your usage.
Administrative privileges.
PC/SC compatible smart card reader for importing SIM triplets.

4. Installing and Uninstalling

To install TekRADIUS LT, extract the contents of TekRADIUSLT.zip to a temporary directory and run Setup.exe from the distribution. Uninstall the previous version first if you are upgrading from an earlier version.

To uninstall TekRADIUS LT, double click the TekRADIUS LT icon at Add or Remove Programs in Control Panel.

You can use your old configuration file TekRADIUSLT.ini with new installations. New versions of TekRADIUS LT may introduce new attributes in the dictionary file TekRADIUS.db, so please delete the old file in the installation directory. You will need to add your custom attributes to the new TekRADIUS.db manually after installing the new version.

5. Configuration and running

Please see the Installation Manual, which can be found in the application directory, for configuration details and operation. You can download the latest revision of the manual from the TekRADIUS support page.

If you use RADIUS Accounting, drop all active sessions properly on your access server before shutting down TekRADIUS (there should be proper functions on your access servers to do this).

6. Release notes

You can enable user profile editing functions for non-admin users in commercial editions (Version 4.9.7).
You can also set the TLS server certificate from Settings / Service Parameters / Server Certificate (Version 4.9.7).
You can specify an alternative authorization query (Version 4.9.7).
You can specify an alternative authentication query (Version 4.9.6).
Password change functions implemented for MS-CHAP authentication methods for use with Windows Authentication Proxy (Version 4.9.5).
EAP-TTLS support in commercial editions. TekRADIUS supports PAP, CHAP, MS-CHAPv1/v2 with EAP-TTLS (Version 4.9.2).
TekRADIUS was encrypting RADIUS client secrets by default. The Encrypt Passwords option functionality is extended to also cover RADIUS client secrets. If you have already disabled the Encrypt Passwords option you will probably need to redefine RADIUS client entries (Version 4.9.1).
TCP (RFC 6613) and TLS (RFC 6614-RadSec) transport support (Version 4.9.0).
Failed Accounting insert queries can be saved to daily rotated log files by setting the Save Failed Accounting Inserts parameter in Settings / SQL Connection (Version 4.9.0).
TekRADIUS supports OTP with CHAP, MS-CHAP-v1/v2 authentication methods (Version 4.8.8).
Logout function for HTTP report forms. TekRADIUS accepts reply attributes from the console output of an external executable (Version 4.8.8).
HTTP Reporting interface (Version 4.8.7).
EAP-SIM support (Version 4.8.6).
Client entries are kept in the TekRADIUS database, not in TekRADIUS.db (Version 4.8.1).
Generate-MS-MPPE-Keys usage has been changed in version 4.7. See the TekRADIUS manual for details.
TekRADIUS can run in 64 bits mode on 64 bits systems (Version 4.7).
TekRADIUS uses TekRADIUS.db in place of TekRADIUS.mdb. You can convert an old TekRADIUS.mdb to TekRADIUS.db using DBConverter.exe, which can be downloaded from the TekRADIUS web site (Version 4.7).
OTP (One Time Password) authentication support has been added (Version 4.5.6).
Alphanumeric client entry in SP edition (Version 4.5.3).
Reporting functions enhanced (Version 4.4.5).
TekRADIUS can send a Packet of Disconnect (PoD) or execute a user defined session kill command when a user consumes all his or her credit (Version 4.4.4).
DHCP Server functionality added. The DHCP server allows you to assign IP addresses to wireless clients based on their usernames entered in PEAP authentication, not just based on their MAC addresses. The DHCP server is available in both free and commercial editions of TekRADIUS, but IP address assignment to wireless users based on their usernames is available only in commercial editions of TekRADIUS (Version 4.4).
Usage of the Login-Time attribute has been changed. Please see the TekRADIUS manual for details (Version 4.3).
If you enable RegExp matching you can enter check attribute values in Regular Expression format. Called-Station-Id = 1234\d* will match all numbers that start with the 1234 prefix. This feature is available only in commercial editions (Version 4.3).
You can configure the Interim Update Period parameter if your RADIUS client supports sending Interim Accounting Messages. If TekRADIUS does not receive an update in the specified period, active session and simultaneous session entries will be cleared (Version 4.3).
Memory leak problem has been solved (Version 4.3).
New performance counters added. Please see the TekRADIUS Manual for details. TekRADIUS Manager has a new tab to monitor these counters (Version 4.2).
RFC 5997 "Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol" is implemented (Version 4.1).
Search as you type feature has been added to TekRADIUS Manager (Version 4.1).
Windows Authentication with MS-CHAP-v1, MS-CHAP-v2, EAP-MS-CHAP v2 and PEAPv0-EAP-MS-CHAP-v2 support has been added and is available only in commercial editions (Version 4.1).
You do not have to restart after modifying RADIUS client entries in version 4.0.
You can enter hexadecimal strings with the 0x prefix (you can enter 0x54656B524144495553 for the string TekRADIUS) in version 4.0.
Version 4.0 adds EAP-TLS support. EAP-TLS is available in the commercial edition only. A new attribute called TLS-Client-Certificate is added. You must add this attribute to user or group profiles for EAP-TLS authentication. When you select TLS-Client-Certificate, certificates with private keys and enhanced key usage set to "Client Authentication" will be listed.
The TLS-Certificate attribute's name has been changed to TLS-Server-Certificate in version 4.0. You do not need to make any configuration change. When you select TLS-Server-Certificate, certificates with private keys and enhanced key usage set to "Server Authentication" will be listed.
You can add an Active Directory group as a check item in user and group profiles in version 4.0.
The Secondary-Group attribute has been removed from the TekRADIUS dictionary. A new attribute called Next-Group is added. You can use this attribute to chain group profiles. If you would like to authenticate a session according to NAS-IP-Address but NAS-IP-Address could have three different values, you can create three different group profiles, one for each NAS-IP-Address value, and chain them using the Next-Group parameter. The Next-Group attribute can be used only in group profiles, as a check attribute. Please note that attributes in user profiles override group attributes, so do not use attributes in chained groups in user profiles (Version 3.8).
A new attribute type, Informational, is added. You can add your own vendor to the TekRADIUS dictionary to store user or group specific data like addresses or phone numbers. Informational type attributes are not used while authenticating or authorizing users (Version 3.8).
Version 3.7 is the first release of the TekRADIUS LT edition.
Log files are kept in the \Logs directory and rotated daily.

7. Trademarks

TekRADIUS contains code derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm.

Microsoft, Win32, Windows 2000, Windows, Windows NT and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

KaplanSoft is a registered trademark of Kaplan Bilisim Teknolojileri Yazılım ve Ticaret Ltd.

Join TekRADIUS forums at http://forums.tekradius.com/
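
The release notes list RFC 5997 Status-Server support (Version 4.1), which lets a monitoring host check that the server is alive and that the shared secret matches without submitting user credentials. The following is an added example, not KaplanSoft code: it builds a Status-Server request with its Message-Authenticator and verifies the reply's Response Authenticator. The function names, the sample secret and the default port 1812 are assumptions (the readme says the ports are user selectable).

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2   # RADIUS codes (RFC 5997, RFC 2865)
MSG_AUTH = 80                          # Message-Authenticator attribute type


def build_status_server(secret, identifier, request_auth=None):
    """Status-Server request carrying the mandatory Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    header = struct.pack("!BBH", STATUS_SERVER, identifier, 38) + request_auth
    attr_hdr = struct.pack("!BB", MSG_AUTH, 18)
    # HMAC-MD5 over the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attr_hdr + bytes(16), hashlib.md5).digest()
    return header + attr_hdr + mac


def make_reply(secret, request, code=ACCESS_ACCEPT, attrs=b""):
    """Constructed stand-in for the server side, so the example runs offline."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs


def verify_reply(secret, request, reply):
    """True only if the reply matches our request and the shared secret."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1] or code != ACCESS_ACCEPT:
        return False
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])


def probe(host, secret, port=1812, timeout=3.0):
    """Send one Status-Server packet over UDP; True on a verified reply."""
    request = build_status_server(secret, os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:
            return False
        return verify_reply(secret, request, reply)
```

A reply that fails verification means either a mismatched shared secret or a packet that did not come from the configured server, so a health check should treat it as a failure rather than as "server up".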