
TekRADIUS LT Version 5.1 Readme File
Copyright 2007-2016 KaplanSoft
0. Contents:

1. Introduction
2. Major features
3. System requirements
4. Installing and Uninstalling
5. Configuration and running
6. Release notes
7. Trademarks

1. Introduction
TekRADIUS LT is a RADIUS AAA server (based on RFC 2865 and RFC 2866) that runs under the Microsoft Windows
(XP/Vista/7/8, 2003/2008/2012 Server) operating system. Visit http://www.tekradius.com/ regularly for
updates.
2. Major features

- Supports features described in RFC 2865 and RFC 2866 (RADIUS protocol).
- Supports TCP (RFC 6613) and TLS (RFC 6614-RadSec) transports.
- Logs system messages, errors and session information to a log file and limits the number of
  simultaneous sessions (see notes).
- All parameters can be configured and the RADIUS Dictionary can be edited through the TRManager GUI.
- Authentication and Accounting ports are user selectable.
- Uses an SQLite database and does not require an external database server.
- You can map RADIUS Accounting attributes to Accounting table fields.
- You can run TekRADIUS in Authentication only or Authorization only mode.
- You can define which RADIUS attribute will be used as the User-Name substitute.
- You can define your own Authorization query string.
- PAP, CHAP, MS-CHAP v1, MS-CHAP v2, LEAP, EAP-MD5, EAP-MS-CHAP v2, EAP-SIM, EAP-TLS and
  PEAPv0-EAP-MS-CHAP v2 (as implemented in Windows XP SP1), Digest (draft-sterman-aaa-sip-00.txt)
  authentication methods are supported. LEAP, EAP-TLS and EAP-SIM are available in commercial editions
  only.
- TekRADIUS can proxy RADIUS requests to other RADIUS servers.
- TekRADIUS supports IPv6 attributes.
- Built-in DHCP server which allows you to assign IP addresses to wireless clients based on the usernames
  entered in PEAP authentication, not just on their MAC addresses.
- Generates MS-MPPE Keys for VPN connections.
- Supports OTP (One Time Password) authentication based on RFC 2289.
- You can specify an Expire-Date and User-Credit for users and use the Authentication method as a RADIUS
  check item.
- You can specify how long a user account will be valid after the first logon (Time-Limit) and you can
  specify allowed logon days and hours (Login-Time).
- TekRADIUS can send Packet of Disconnect (PoD) or execute a user-defined session kill command when a user
  consumes all his or her credit (SP Edition only).
- You can authenticate users against a Windows Domain or Active Directory.
- Command line utility for adding, deleting and modifying user profiles and RADIUS clients. You can
  start, stop and query the status of the TekRADIUS service using the command line utility (trcli.exe).
- User level restrictions to GUI access. Windows users in the "Administrators" group can access all
  functions of the TekRADIUS Manager GUI, but Windows users in the built-in "Users" group can access
  only a restricted set of functions.
- Simple reporting interface for browsing Accounting records.
- Disconnects users with Packet of Disconnect (PoD) or a user-defined kill command.
- TekRADIUS can disable a user profile after a user-configurable number of unsuccessful login attempts.
- You can specify credit limits for daily, weekly or monthly periods.
- You can run an external executable and check its result as a check item.
- Quick and easy installation.

3. System requirements

- A Windows system with at least 2048 MB of RAM.
- Microsoft .NET Framework v4.0 Client Profile.
- 5 MBytes of disk space for installation. Disk space required for the TekRADIUS database depends on
  your usage.
- Administrative privileges.
- PC/SC compatible smart card reader for importing SIM triplets.

4. Installing and Uninstalling

To install TekRADIUS LT, extract the contents of TekRADIUSLT.zip to a temporary directory and run Setup.exe
from the distribution. Uninstall the previous version first if you are upgrading from an earlier version.

To uninstall TekRADIUS LT, double click the TekRADIUS LT icon in Add or Remove Programs in
Control Panel.

You can use your old configuration file TekRADIUSLT.ini with new installations. New versions of
TekRADIUS LT may introduce new attributes in the dictionary file TekRADIUS.db, so please delete the old
file in the installation directory. You will need to add your custom attributes to the new TekRADIUS.db
manually after installing the new version.

If TekRADIUS setup does not initialize on a 32-bit machine, try to start setup from the command line:

    msiexec /i TekRADIUS.msi


5. Configuration and running
Please see the Installation Manual, which can be found in the application directory, for configuration
details and operation. You can download the latest revision of the manual from the TekRADIUS support page.
If you use RADIUS Accounting, drop all active sessions properly on your access server before shutting down
TekRADIUS (your access servers should provide functions to do this).
6. Release notes

- HTTP interface for basic user management functions (Version 5.1.2).
- New attribute Activation-Date added. You can specify an activation date for user and group profiles
  (Version 5.1.1).
- TekRADIUS keeps date values as integer values representing seconds since July 1st, 1970. You can
  enter dates based on your locale settings through TekRADIUS Manager (Version 5.1.0).
- LEAP authentication method (Version 5.1.0).
- TLS 1.1 and TLS 1.2 support for PEAP, EAP-TLS and EAP-TTLS authentication methods (Version
  5.1.0).
- New inner authentication methods EAP-MD5 and EAP-MS-CHAP-v2 for EAP-TTLS (Version 5.1.0).
- New cipher suites TLS_RSA_WITH_AES_128_CBC_SHA256 and
  TLS_RSA_WITH_AES_256_CBC_SHA256 (Version 5.1.0).
- The number of sessions for a group profile can be limited with the Simultaneous-Group-Use attribute
  (Version 5.0.0).
- The following cipher suites were added for PEAP/EAP(T)TLS authentication methods (Version 5.0.0):
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
- IPv6 attribute support (Version 5.0.0).
- TekRADIUS can proxy incoming RADIUS requests to other RADIUS servers. See the TekRADIUS Manual
  for details (Version 5.0.0).
- TekRADIUS checks dial-in privilege by default in Active Directory authentication. This behavior can be
  altered by adding the Check-MS-DialinPrivilege attribute as a check attribute to user or group profiles
  (Version 5.0.0).
- You can enable user profile editing functions for non-admin users in commercial editions (Version
  4.9.7).
- You can also set the TLS server certificate from Settings / Service Parameters / Server Certificate
  (Version 4.9.7).
- You can specify an alternative authorization query (Version 4.9.7).
- You can specify an alternative authentication query (Version 4.9.6).
- Password change functions implemented for MS-CHAP authentication methods for use with Windows
  Authentication Proxy (Version 4.9.5).
- EAP-TTLS support in commercial editions. TekRADIUS supports PAP, CHAP, MS-CHAPv1/v2 with
  EAP-TTLS (Version 4.9.2).
- TekRADIUS previously encrypted RADIUS client secrets by default. The Encrypt Passwords option now
  also covers RADIUS client secrets. If you have already disabled the Encrypt Passwords option,
  you will probably need to redefine RADIUS client entries (Version 4.9.1).
- TCP (RFC 6613) and TLS (RFC 6614-RadSec) transport support (Version 4.9.0).
- Failed Accounting insert queries can be saved to daily rotated log files by setting the Save Failed
  Accounting Inserts parameter in Settings / SQL Connection (Version 4.9.0).
- TekRADIUS supports OTP with CHAP, MS-CHAP-v1/v2 authentication methods (Version 4.8.8).
- Logout function for HTTP report forms. TekRADIUS accepts reply attributes from the console output
  of an external executable (Version 4.8.8).
- HTTP Reporting interface (Version 4.8.7).
- EAP-SIM support (Version 4.8.6).
- Client entries are kept in the TekRADIUS database, not in TekRADIUS.db (Version 4.8.1).
- Generate-MS-MPPE-Keys usage has been changed in version 4.7. See the TekRADIUS manual for details.
- TekRADIUS can run in 64-bit mode on 64-bit systems (Version 4.7).
- TekRADIUS uses TekRADIUS.db in place of TekRADIUS.mdb. You can convert an old TekRADIUS.mdb to
  TekRADIUS.db using DBConverter.exe, which can be downloaded from the TekRADIUS web site (Version 4.7).
- OTP (One Time Password) authentication support has been added (Version 4.5.6).
- Alphanumeric client entry in SP edition (Version 4.5.3).
- Reporting functions enhanced (Version 4.4.5).
- TekRADIUS can send Packet of Disconnect (PoD) or execute a user-defined session kill command when a user
  consumes all his or her credit (Version 4.4.4).
- DHCP Server functionality added. The DHCP server allows you to assign IP addresses to wireless clients
  based on the usernames entered in PEAP authentication, not just on their MAC addresses. The DHCP server
  is available in both free and commercial editions of TekRADIUS, but IP address assignment to wireless
  users based on their usernames is available only in commercial editions of TekRADIUS (Version 4.4).
- Usage of the Login-Time attribute has been changed. Please see the TekRADIUS manual for details
  (Version 4.3).
- If you enable RegExp matching, you can enter check attribute values in Regular Expression format.
  Called-Station-Id = 1234\d* will match all numbers that start with the 1234 prefix. This feature is
  available only in commercial editions (Version 4.3).
- You can configure the Interim Update Period parameter if your RADIUS client supports sending Interim
  Accounting Messages. If TekRADIUS does not receive an update in the specified period, active session and
  simultaneous session entries will be cleared (Version 4.3).
- Memory leak problem has been solved (Version 4.3).
- New performance counter added. Please see the TekRADIUS Manual for details. TekRADIUS Manager has a
  new tab to monitor these counters (Version 4.2).
- RFC 5997 "Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS)
  Protocol" is implemented (Version 4.1).
- Search as you type feature has been added to TekRADIUS Manager (Version 4.1).
- Windows Authentication with MS-CHAP-v1, MS-CHAP-v2, EAP-MS-CHAP v2 and PEAPv0-EAP-MSCHAP-v2
  support has been added and is available only in commercial editions (Version 4.1).
- You do not have to restart after modifying RADIUS client entries in version 4.0.
- You can enter hexadecimal strings with the 0x prefix (you can enter 0x54656B524144495553 for the string
  TekRADIUS) in version 4.0.
- Version 4.0 adds EAP-TLS support. EAP-TLS is available in the commercial edition only. A new attribute
  called TLS-Client-Certificate is added. You must add this attribute to user or group profiles for EAP-TLS
  authentication. When you select TLS-Client-Certificate, certificates with private keys and enhanced
  key usage set to "Client Authentication" will be listed.
- The TLS-Certificate attribute's name has been changed to TLS-Server-Certificate in version 4.0. You do
  not need to make any configuration change. When you select TLS-Server-Certificate, certificates with
  private keys and enhanced key usage set to "Server Authentication" will be listed.
- You can add an Active Directory group as a check item in user and group profiles in version 4.0.
- The Secondary-Group attribute has been removed from the TekRADIUS dictionary. A new attribute called
  Next-Group is added. You can use this attribute to chain group profiles. If you would like to
  authenticate a session according to NAS-IP-Address but NAS-IP-Address could have three different
  values, you can create three different group profiles, one for each NAS-IP-Address value, and chain
  them using the Next-Group parameter. The Next-Group attribute can be used only in group profiles, as a
  check attribute. Please note that attributes in user profiles override group attributes, so do not use
  attributes in chained groups in user profiles (Version 3.8).
- A new attribute type, Informational, is added. You can add your own vendor to the TekRADIUS dictionary
  to store user or group specific data like addresses or phone numbers. Informational type attributes are
  not used while authenticating or authorizing users (Version 3.8).
- Version 3.7 is the first release of TekRADIUS LT edition.

Log files are kept in <Application Directory>\Logs directory and rotated daily.
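
The Version 4.3 note on RegExp matching gives Called-Station-Id = 1234\d* as its example, but this readme does not say whether the pattern has to cover the whole attribute value. The following is an added example, not KaplanSoft code: the function names and sample values are constructed, and Python's re module stands in for the server's regular expression engine. It shows which values are accepted under each interpretation, so that a check item can be written with explicit ^ and $ when the whole value is meant.

```python
import re

# Check item taken from the readme's example: Called-Station-Id = 1234\d*
CHECK_ITEMS = {"Called-Station-Id": r"1234\d*"}

# Constructed sample values (not from any real deployment).
SAMPLES = ["1234", "12345678", "1234abc", "99123400", "123"]


def matches(pattern: str, value: str, anchored: bool) -> bool:
    """Test one attribute value against a check-item pattern.

    anchored=True  -> the whole value must match (as if written ^pattern$)
    anchored=False -> the pattern may match anywhere inside the value
    """
    rx = re.compile(pattern)
    found = rx.fullmatch(value) if anchored else rx.search(value)
    return found is not None


def authorize(request: dict, check_items: dict, anchored: bool) -> bool:
    """Every check item must be present in the request and must match."""
    return all(
        attr in request and matches(pat, request[attr], anchored)
        for attr, pat in check_items.items()
    )


def anchoring_gap(pattern: str, values: list) -> list:
    """Values that are accepted only when the pattern is not anchored."""
    return [v for v in values
            if matches(pattern, v, False) and not matches(pattern, v, True)]


if __name__ == "__main__":
    pat = CHECK_ITEMS["Called-Station-Id"]
    for v in SAMPLES:
        print(f"{v!r:12} anchored={matches(pat, v, True)!s:5} "
              f"unanchored={matches(pat, v, False)}")
    print("accepted only when unanchored:", anchoring_gap(pat, SAMPLES))
```

Any value returned by anchoring_gap is one to test against the real server before relying on the pattern as an access restriction.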
7. Trademarks

TekRADIUS contains code derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm.
Microsoft, Win32, Windows 2000, Windows, Windows NT and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
KaplanSoft is a registered trademark of Kaplan Bilisim Teknolojileri Yazılım ve Ticaret Ltd.
Join TekRADIUS forums at http://forums.tekradius.com/
