The IC-RADIUS Brief FAQ
Chris Joyce chris@pccentre.com.au
V0.16f, Aug 30, 2000

Intro:
--------------------------------------------------------------------------------
Welcome to the brief IC-RADIUS FAQ.

This document contains a list of some frequently asked IC-RADIUS questions
and their answers. It is meant to provide general help to IC-RADIUS users. 
I invite you to modify and add to this list but if you do so please be
sure to mail me so that I can include your changes in future releases. 
Finally, I hope that this document will prove helpful to all IC-RADIUS
users, new users especially. Current releases of this document can be
found at: -  
http://icradius.hislora.com.au/FAQ.txt

--------------------------------------------------------------------------------

1:
Background

1.01 Q:	What is IC-RADIUS?
1.02 Q:	Basically how does it work?
1.03 Q:	What do I need to run IC-RADIUS?
1.04 Q:	What is the history of IC-RADIUS?
1.05 Q:	How many users can I have per machine/database?
1.06 Q:	Will it work on freebsd?
1.07 Q:	What encryption does IC-RADIUS use if I want to have encrypted
	passwords in the radius database ??? (MD5, DES, etc)
1.08 Q:	Can I use IC-RADIUS with Microsoft SQL server?

2:
Set-up

2.01 Q:	I have installed Mysql successfully, but I get a segmentation
	fault when I try to run IC-RADIUS.
2.02 Q:	When I run IC-RADIUS I get the following error.
	"could not find libmysqlclient.so.6"
2.03 Q:	What ports can IC-RADIUS use?
2.04 Q:	Is anyone currently working on a perl script (or other) to import 
	existing radius accounting data into the radacct table ?
2.05 Q:	Anyone know how to use the accimport.pl
2.06 Q:	Can anyone tell me the exact name of the DBD modules file for
	mySQL that I need and the whereabouts of the same file please?
2.07 Q:	After killing the last of my non IC-RADIUS servers I'm trying to do
	a bit of house keeping, it seems that I've lost some stop times in
	the import of data ! being as new as I am to sql and trying a few
	combos odd DATE_ADD ()
2.08 Q:	Excuse my ignorance, what dictionary(s) do I use for portslaves  
	running on the same box (minimal test case) ?
2.09 Q:	I've been trying to get more debug info from IC-RADIUS does it
	offer any logging of failed connect attempts ( any form ) ?
2.10 Q:	I have a little problem with IC-RADIUS I have two group configured
	and I must 2 different address pool, can someone help me ?
2.11 Q:	How do I set-up proxy radius ?
2.12 Q:	I got this error message when I was trying to use the perl scripts
	to convert my /etc/raddb/dictionary to mysql database.
2.13 Q: How do I set-up the NAS tables ?
2.14 Q: How do I install IC-RADIUS

3:
Configuration

3.01 Q:	How do I go about adding a user manually in the radius database so
	that he will be authenticated with the encrypted password he has in the 
	database ?
3.02 Q:	Is there a simple example of a user set-up?
3.03 Q:	Is there a simple example of a user and group set-up?
3.04 Q:	I need to be able to basically let anybody in, no matter what 
	username/password pair has been given, but still keep all the 
	Accounting and whatever coming into the database.
3.05 Q:	Exec-Program, what does it do?
3.06 Q:	Will IC-RADIUS pass all arguments to my program
	(Exec-Program/Wait)?
3.07 Q:	When using Exec-Program-Wait and Exec-Program can I get any debug 
	information?
3.08 Q:	Is it possible to have IC-RADIUS execute a script when a user logs
	out?
3.09 Q:	Can IC-RADIUS send Vendor-Specific encoding box to send details of
	the DNS servers it will assign by encoding a Cisco-avpair attribute
3.10 Q:	If I wanted a type of account that was only allowed to log in say 
	Monday to Friday between 9:00 and 17:00
3.11 Q:	I have read all the documentation and I still cannot get DEFAULT 
	entries to work.
3.12 Q:	We host a few visps on our lan my question is in my users table
	how can	I  have entries for say me@domain1.com different to 
	me@domain2.com without having separate tables for each realm?
3.13 Q:	How do I limit users to 300 Meg download Maximum?
3.14 Q:	IC-RADIUS uses some attributes that I'm not used to, what are they for?
3.15 Q:	Does IC-RADIUS log the errors during authentication?
3.16 Q:	I have an IBM 2212 access server. What should I specify in
	"type" in my nas table?
3.17 Q:	My IC-RADIUS keeps on logging this message, Error: Acct: Invalid
	STOP record. [] STOP record but zero session length
3.18 Q:	Are both secrets in IC-RADIUS and client equal?
3.19 Q:	My log says 'No username []' and users cannot authenticate.
3.20 Q:	I was just curious if there is a way to ID users into different groups
3.21 Q:	I've setup encrypted passwords in the mysql db (as per FAQ 3.01),
	but users can't login?

4:
CGI

4.01 Q:	After I login to the radius.cgi/usage.cgi it tells me 'session expired' 
	, what's the problem?
4.02 Q:	usage.cgi doesn't seem to be working for me. I keep getting
	"Internal Server Error" messages.
4.03 Q:	It seems that I'm having trouble viewing usage.cgi and this are
	the error logs that I'm getting from apache.
4.04 Q:	Why can I not add NAS or realm definitions with the radius.cgi?
4.05 Q:	I am getting the following error message in my error.log from Apache:
	Can't locate Authen/Radius.pm in @INC (@INC contains
4.06 Q:	Where are the images for the cgi interface ?

5:
General

5.01 Q:	Can someone (un)subscribe me from IC-RADIUS mailing list?
5.02 Q:	Is there an archive of the mailing list anywhere?
5.03 Q:	radwho, radlast, radzap, radtest, testrad or raduse are not in the
	in src, what happened to them?
5.04 Q:	Whenever I do a radtest from localhost, my log complains of a security.
5.05 Q:	I noticed there was a script to sync up that radacct table if
	you are	using a portmaster. Has anyone written a generic  one to use for
	other nas's?
5.06 Q:	Can anyone tell me how to configure the IC-RADIUS to log the
	accounting information to /var/log/radacct directory as "detail" file ?
5.07 Q:	Are proxy users logged locally?
5.08 Q:	Are there any Billing & Administration systems that work with IC-RADIUS?
5.09 Q:	Is there any URL's that have more information
5.10 Q:	Please tell me how I can download the whole website ? 
5.11 Q:	Has anybody come up with a patch to allow the system to verify or
	extracts the users mail details from IC-RADIUS including
	authentication using IC-RADIUS ?
5.12 Q:	How can I test my new installation of IC-RADIUS without using NAS ? 
5.13 Q: Can I keep up to date using CVS ?
5.14 Q: What are the future plans for IC-RADIUS, especially now with FreeRADIUS

6:
Pre v.14

6.01 Q:	When I upgraded from 0.8 to 0.9 I get a segmentation fault.

7:
Credits

7.01 Q:	Did you write all the questions and answers yourself ?
7.02 Q:	Who writes code for IC-RADIUS ?

--------------------------------------------------------------------------------

1:
Background

1.01
Q:	What is IC-RADIUS?
A:	RADIUS - Remote Authentication Dial In User Service
	This is defined as a protocol for carrying authentication, 
	authorization, and configuration information between a Network
	Access Server (NAS) that desires to authenticate its links and a
	shared Authentication Server (IC-RADIUS). This standard is described in
	great detail in RFC 2138 and 2139 available at
	http://www.freeradius.org.  

1.02
Q:	Basically how does it work?
A:	Basically the process can be broken down into 4 steps.
	First, the user dials into the NAS.  
	Next, the NAS sends a request to the authentication server (IC-RADIUS)
	via a standard set of attribute/value (a/v) pairs.
	Then, radius checks to see if that user exists and if so, can they log
	on.
	Lastly, the radius server sends either an accept or a reject back to 
	the NAS, which determines whether or not the user is allowed access.
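
	The four steps above as they look on the wire, in an added Python
	example that is not part of the original FAQ or of IC-RADIUS. It follows
	the RFC 2138 packet layout; the function names are hypothetical, and the
	user and secret are sample values borrowed from the tables later in
	this FAQ.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types


def attribute(attr_type, value):
    """One a/v pair on the wire: type, total length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def _xor_blocks(data, secret, authenticator, reveal):
    """User-Password hiding: XOR each 16-byte block with MD5(secret + previous)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out += block
        prev = data[i:i + 16] if reveal else block   # always chain on the hidden block
    return out


def nas_build_request(ident, user, password, secret):
    """Step 2: the NAS wraps the dial-in user's credentials in an Access-Request."""
    request_auth = os.urandom(16)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, _xor_blocks(padded, secret, request_auth, reveal=False))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse(packet):
    """Split a packet into code, identifier, authenticator and attribute dict."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs


def server_reply(request, secret, users):
    """Steps 3 and 4: look the user up, then answer Accept or Reject."""
    code, ident, request_auth, attrs = parse(request)
    hidden = attrs.get(USER_PASSWORD, b"")
    password = _xor_blocks(hidden, secret, request_auth, reveal=True).rstrip(b"\x00")
    expected = users.get(attrs.get(USER_NAME, b""))
    ok = (code == ACCESS_REQUEST and expected is not None
          and hmac.compare_digest(expected, password))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(code + id + length + request auth + attrs + secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_check_reply(reply, request, secret):
    """The NAS only trusts a reply whose authenticator proves knowledge of the secret."""
    code, ident, response_auth, _ = parse(reply)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(response_auth, expected):
        raise ValueError("reply not signed with this NAS's secret")
    return code


if __name__ == "__main__":
    secret = b"the-key"                       # sample value, as in the nas table example
    users = {b"someuser": b"dont_tell"}       # sample value, as in the radcheck example
    req = nas_build_request(1, b"someuser", b"dont_tell", secret)
    print(nas_check_reply(server_reply(req, secret, users), req, secret))
```

	A server holding a different secret for this NAS cannot recover the
	password and cannot produce a reply the NAS will accept, which is why
	the secret in the nas table must match the one configured on the NAS.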

1.03
Q:	What do I need to run IC-RADIUS?
A:	A Unix machine (Linux tested most), a MySQL database (http://www.mysql.com)
	and some SQL knowledge

1.04
Q:	What is the history of IC-RADIUS?
A:	IC-RADIUS was started because there were no free radius servers which could
	do both authentication and accounting. It started as just a patch to Cistron
	RADIUS (now FreeRADIUS), and has evolved into a full SQL enabled RADIUS server.
	
 
1.05
Q:	How many users can I have per machine/database? 
A:	IC-RADIUS can scale quite large. Due to the nature of a direct SQL interface,
	as opposed to memory caching, it is a bit slower than RADIUS servers like Cistron.

	On a single processor machine, with 256M RAM, running the database on the same
	machine, and no bandwidth limits, it could probably take about 80 - 100 queries
	per second. Now, by increasing max_sql_socks you can get more out of it, by
	having more connections to the database.

	80 - 100 queries calculates out to about 250,000 users on an average server.

	Another way to improve performance is to separate the database machine from the
	RADIUS daemon, maybe even putting an isolated network between the two.

	Needless to say, there are a lot of things to do to increase IC-RADIUS performance.


1.06
Q:	Will it work on freebsd?
A:	Should work just fine. If anything it would be related to time. If it 
	does fail post the error message to the mailing list.

1.07
Q:	What encryption does IC-RADIUS use if I want to have encrypted passwords
	in the radius database ??? (MD5, DES, etc) 
A:	If you use Auth-Type = Crypt-Local it just calls the system's crypt()
	function. On newer Redhat systems you have the option of choosing if
	you want MD5 or DES. I recommend MD5 if you have the option.

1.08
Q:	Can I use IC-RADIUS with Microsoft SQL server?
A:	Not currently, but the SQL interface has been designed to allow for
	plugins for other database types. If someone were to write an
	ODBC plugin, it might work.

--------------------------------------------------------------------------------

2:
Set-up

2.01
Q:	I have installed Mysql successfully, but I get a segmentation fault
	when I try to run IC-RADIUS.
A:	This is most likely a problem with the dictionary.usr file. If you use
	your NAS's, and then you must do the following to correct the problem:
 
        BEFORE you try to load dictionary.usr execute the following
        queries.
 
        NOTE: If you have already loaded the file, then do this.
                DELETE FROM dictionary;
                This will remove everything from the table.
 
        insert into dictionary values ('','VENDOR','USR','429','','');
 
        Then run the dictimport on dictionary.usr
 
        Then execute the following sql queries:
 
        update dictionary set vendor = "USR" where type = "ATTRIB_NMC";
        update dictionary set type = "ATTRIBUTE" where type = "ATTRIB_NMC";
 
        Now go ahead and run dictimport on dictionary.

2.02
Q:	When I run IC-RADIUS I get the following error.
	"could not find libmysqlclient.so.6"
A:	This is a problem with /etc/ld.so.conf. To fix it, add a line to this
	file that specifies the path to the directory containing
	libmysqlclient.so.6, then run ldconfig as root.

2.03
Q:	What ports can IC-RADIUS use?
A:	The defaults are 1645 for auth and 1646 for accounting. You can change
	these in your /etc/services by searching for 'radius'; when you find
	it, just change the ports and restart radiusd. If you don't use
	/etc/services you can hard code them.

	/icradius-0.1*/src/radius.h:48: #define PW_AUTH_UDP_PORT 	1645
	/icradius-0.1*/src/radius.h:49:  #define PW_ACCT_UDP_PORT	1646

2.04
Q:	Is anyone currently working on a perl script (or other) to import 
	existing radius accounting data into the radacct table ?
A:	Yes, use accimport.pl, found in the scripts dir.

2.05
Q:	Anyone know how to use the accimport.pl 
A:	Make sure that you change the usr/pass settings in accimport.pl, then
	run 'accimport.pl detail.file' or 'acctimport.pl < detail'.

2.06
Q:	Can anyone tell me the exact name of the DBD modules file for mySQL
	that I need and the whereabouts of the same file please?
A:	They are called mSQL-mySQL_modules. You should be able to get them from
	the mySQL web site. If not, cpan.org/pub/CPAN/modules/by-module/DBD
	(or close)

2.07
Q:	After killing the last of my non IC-RADIUS servers I'm trying to do a 
	bit of house keeping , it seems that I've lost some stop times in the
	import of data ! being as new as I am to sql and trying a few combos
	odd DATE_ADD () .
A:	How did you get a session time but no stop? They come in the same
	packet :). Any way this will fix you up 

	UPDATE radacct SET AcctStopTime = 
	from_unixtime(unix_timestamp(AcctStartTime) + AcctSessionTime)
	WHERE AcctStopTime = 0 and AcctSessionTime != 0;

2.08
Q:	Excuse my ignorance, what dictionary(s) do I use for portslaves running
	on the same box (minimal test case) ? 
A:	You should be able to get away with just the standard 'dictionary' file

2.09
Q:	I've been trying to get more debug info from IC-RADIUS does it offer any
	logging of failed connect attempts ( any form ) ? 
A:	Yes it logs failed attempts to /var/log/radius.log by default. If you 
	turn on -y it logs all connects and -yz logs all connects AND the
	passwords.

2.10
Q:	I have a little problem with IC-RADIUS I have two group configured and
	I must 2 different address pool, can someone help me ?
A:	IC-RADIUS does not support address pools yet .

2.11
Q:	How do I set-up proxy radius ?
A:	Insert an entry into the nas table for the proxy and then an entry
	into the realm table defining the nas to use and what the realm will
	be. Then your users use user@other.net

2.12
Q:	I got this error message when I was trying to use the perl scripts to 
	convert my /etc/raddb/dictionary to mysql database.
	DBI- connect failed: Can't connect to local MySQL server through socket
	'/tmp/mysql.sock' (111) at ./dictimport.pl line 26  Cound not connect 
	to radius database
	As but I'm sure mysql server daemon is running and root password is
	correct.. What could it be ? 
A:	It looks like $dbusername and $dbpassword are not set. At least the
	error message 'Cound not connect to radius database as' should
	have the value of $dbusername after it. Setting it to '' will NOT
	assume the current user. You need to explicitly set this to 'root'
	in the script.

2.13
Q:	How do I set-up the NAS tables ?
A:	The NAS tables should hold information about your NAS as an
	example
 
	mysql> SELECT * from NAS ;
	+----+------------------+-----------+---------------+
	| id | nasname          | shortname | ipaddr        |
	+----+------------------+-----------+---------------+
	|  1 | ppp-1.domian.com | ppp-1     | 192.168.110.1 |
	+----+------------------+-----------+---------------+
		+------------+-------+-----------+-----------+------+
		| type       | ports | secret    | community | snmp |
		+------------+-------+-----------+-----------+------+
		| livingston | 30    | the-key   | public    | on   |
		+------------+-------+-----------+-----------+------+

2.14
Q:	How do I install IC-RADIUS?
A:	Download the latest version from ftp://ftp.cheapnet.net/pub/icradius
	
	bash$ tar zxvf icradius-[version].tar.gz
	bash$ cd icradius-[version]/src

	Copy the appropriate Makefile.xxx for your OS to Makefile.
	Look through the Makefile to make sure everything suits your
	system and change it if needed (most things will be OK).

	bash$ make
	bash$ su - root
	bash# make install

	And don't forget to read the supplied documentation first; it can be
	found in the icradius-[version]/doc dir.

--------------------------------------------------------------------------------

3:
Configuration

3.01
Q:	How do I go about adding a user manually in the radius database so that
	he will be authenticated with the encrypted password he has in the
	database ? Could you give me an example of such a user with entries in 
	the appropriate tables in the radius database ?
A:	insert into radcheck values ('','user1','Auth-Type','Crypt-Local');
	insert into radcheck values ('','user1','Password',ENCRYPT('somepass'));

3.02
Q:	Is there a simple example of a user set-up?
A:	A simple set-up for a user will change from NAS to NAS but in most cases
	you will get away with the following.

	radcheck
	+----+----------+-----------------+-----------+
	| id | UserName | Attribute       | Value     |
	+----+----------+-----------------+-----------+
	|  1 | someuser | Password        | dont_tell |
	+----+----------+-----------------+-----------+

	radreply 
	+----+----------+-------------------+---------------------+
	| id | UserName | Attribute         | Value               |
	+----+----------+-------------------+---------------------+
	|  1 | someuser | Framed-IP-Address | 255.255.255.254     |
	|  2 | someuser | Framed-IP-Netmask | 255.255.255.0       |  
	+----+----------+-------------------+---------------------+

	The above uses a password set in IC-RADIUS. If you are using the
	system password then you could replace the Password attribute with
	Auth-Type:

	+----+----------+-----------------+-----------+
	| id | UserName | Attribute       | Value     |
	+----+----------+-----------------+-----------+	
	|  1 | someuser | Auth-Type       | System    |
	+----+----------+-----------------+-----------+

	You should make sure that your NAS does not require any more than this
	and remember to make sure that you use the correct magic number so your
	NAS will assign a Framed-IP-Address (magic number is one taken from the
	assigned pool).

3.03
Q:	Is there a simple example of a user and group set-up?
A:	If you are using groups you should place all common items in the group
	and add the user to this group, as any attributes set for the user will
	over-ride any group settings 

	radcheck
	+-----+----------+-----------+--------+
	| id  | UserName | Attribute | Value  |	
	+-----+----------+-----------+--------+
	|  1  | someuser | Password  | xxxx   |
	+-----+----------+-----------+--------+

	usergroup
	+-----+----------+--------------+
	| id  | UserName | GroupName    |
	+-----+----------+--------------+
	|  1  | someuser | this_group   |
	+-----+----------+--------------+

	radgroupcheck
	+----+--------------+------------------+-------+
	| id | GroupName    | Attribute        | Value |
	+----+--------------+------------------+-------+
	|  1 | this_group   | Simultaneous-Use | 1     |
	+----+--------------+------------------+-------+

	radgroupreply
	+----+--------------+--------------------+---------------------+
	| id | GroupName    | Attribute          | Value               |
	+----+--------------+--------------------+---------------------+
	|  1 | this_group   | Filter-Id          | proxy.ppp           |
	|  2 | this_group   | Session-Timeout    | 11600               |
	|  3 | this_group   | Port-Limit         | 1                   |
	|  4 | this_group   | Service-Type       | Framed-User         |
	|  5 | this_group   | Framed-IP-Address  | 255.255.255.254     |
	|  6 | this_group   | Framed-Compression | Van-Jacobson-TCP-IP |
	|  7 | this_group   | Framed-Protocol    | PPP                 |
	|  8 | this_group   | Idle-Timeout       | 11600               |
	|  9 | this_group   | Framed-IP-Netmask  | 255.255.255.0       |
	+----+--------------+--------------------+---------------------+

	Once again if you are using the system password then you could replace
	the Password attribute with auth-Type or place the auth-type in the 
	radgroupcheck if it applies to the group.

	If you are using the radius.cgi then it's very easy to add users and
	create groups; a user can be in more than one group at a time if needed.

3.04
Q:	I need to be able to basically let anybody in, no matter what 
	username/password pair has been given, but still keep all the 
	Accounting  and whatever coming into the database. Anybody know if this
	is possible,  and if so, how? 
A:	This is possible with the 0.10pre1 release. In usergroup:
	
	insert into usergroup values ('','DEFAULT','AllowAll');
	insert into radgroupreply values ('','AllowAll','Auth-Type','Accept');

	In radgroupreply insert your normal reply items such as a dynamic IP
	and framed-protocol PPP. Now any user not matched on the system will
	fall to this default entry that says allow all without doing any checks.
	So, if I wanted to stop people using guest/guest then theoretically I
	can just put an entry in as username guest with password of
	'goawayyoupeskykids' or whatever, or a check item of Auth-Type = Reject.

3.05
Q:	Exec-Program, what does it do?
A:	Make sure that the radiusd can exec the programs you use for
	Exec-Program and Exec-Program-Wait.

	Exec-Program will execute a program when the user logs in if the auth
	is passed; it passes values to the program.
	Example,
    		To send a user an email to let them know what connection speed 
		they have just made and the number they called from.

		Add to reply table (or group)

	mysql> INSERT INTO radreply VALUES 
		('','username','Exec-Program','/tmp/mail_speed %u %s %i') ;

	/tmp/mail_speed
	#!/bin/sh
	# $1 = user name (%u), $2 = connect speed (%s), $3 = calling station ID (%i)
	/bin/echo "$1 connected at $2 from $3" | /bin/mail -s "connection speed" "$1@somedomain.com"
	exit 0

	Exec-Program-Wait can be used as part of the auth for the user.
		Example,
    			A user is not allowed to connect to port 10

	Add to reply table (or group)

	mysql> INSERT INTO radreply VALUES 
		('','username','Exec-Program-Wait','/tmp/should_we %p') ;

	/tmp/should_we

	Shell Script example

	#!/bin/sh
	# $1 is the port number (%p) passed by radiusd
	if [ "$1" = "10" ] ; then
	exit 255 ;    # fail (the 8-bit exit status that -1 becomes)
	fi
	exit 0 ;    # pass

	C++ Example

// IC-RADIUS
// Exec-Program Authentication program
// If the first argument is equal to 10 then fail them,
// Otherwise pass the authentication.

#include <stdio.h>
#include <string.h>

int main(int argc,char *argv[])
{
	if(argc<2)				// if no arguments are passed 
						// to the program
		return(-1);			// fail the authentication
	else
	{
		if(!strcmp(argv[1],"10"))	// check to see if argument 1 
						// is 10
			return(-1);		// and fail authentication
			else
			return(0);		// otherwise pass authentication
	}
}

	Or if they connect on ports greater than 10 and we want to add more
	reply items, remember only to use REPLY items,

	/tmp/should_we

	Shell script example

	#!/bin/sh
	# $1 is the port number (%p); -gt compares it numerically
	if [ "$1" -gt 10 ] ; then
	echo "Framed-AppleTalk-Zone = MyZone"
	echo "Framed-AppleTalk-Network = 10"
	fi
	exit 0 ;

	C++ Example

// IC-RADIUS
// Exec-Program Authentication program
// If they connect on a port greater then port 10
// Then add some more reply items.
// Remember to only use Reply Items!

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
	int argument1;
	if(argc<2)				//if no arguments are passed
		return(-1);			// fail the authentication
	else
	{
		argument1=atoi(argv[1]);	// convert the argument to an 
						// integer,
						// So that we can perform 
						// mathematical
						// Comparisons.
		if(argument1>10)		// if they are, then output 
						// the following reply items:
			printf("Framed-AppleTalk-Zone = MyZone\nFramed-AppleTalk-Network = 10\n");
	}
	return 0;				// and pass the authentication
}

	If your program takes time to return, your auth may time out, so keep
	things quick or have them fork and return -1 on fail or 0 or non-zero
	exit status for pass.

	Reply items (if any) that are returned by Exec-Program-Wait do NOT 
	replace reply items that IC-RADIUS already has set.


3.06
Q:	Will IC-RADIUS pass all arguments to my program?
A:	Yes, you can use the following arguments with your program.

	Taken from the original request:
    	%p   Port number
    	%n   NAS IP address
   	%u   User name
    	%a   Protocol (SLIP/PPP)
    	%s   Speed (connect string - eg "28800/V42.BIS")
    	%i   Calling Station ID

	Taken from the reply as defined thus far:
    	%f   Framed IP address
    	%c   Callback-Number
    	%t   MTU

3.07
Q:	When using Exec-Program-Wait and Exec-Program can I get any debug 
	information?
A:	You can use the radius.log for debugging or the radius.cgi, if you 
	started radiusd with -z (debug)

3.08
Q:	Is it possible to have IC-RADIUS execute a script when a user logs out? 
A:	No

3.09
Q:	Can IC-RADIUS send Vendor-Specific encoding box to send details of the 
	DNS servers it will assign by encoding a Cisco-avpair attribute
A:	Vendor-Specific encoding can be done using the vendor dictionary or by
	making manual entries.

	mysql> INSERT INTO  dictionary VALUES 
		('','VENDOR','CISCO',9,'','');
	mysql> INSERT INTO  dictionary VALUES 
		('','ATTRIBUTE','Cisco-AVPair',1,'string','CISCO');

  	Or import the Cisco dictionary. Then set the radreply entries:

	INSERT INTO  radreply VALUES 
		('','someuser','Service-Type','Framed-User');
	INSERT INTO  radreply VALUES 
		('','someuser','Framed-Protocol','PPP');
	INSERT INTO  radreply VALUES 
		('','someuser','Framed-IP-Address','192.168.2.254');
	INSERT INTO  radreply VALUES 
		('','someuser','Cisco-AVPair',
			'ip:dns-servers=www.xxx.yyy.zzz iii.jjj.kkk.lll');
	INSERT INTO  radreply VALUES 
		('','someuser','Cisco-AVPair',
			'ip:route=192.168.2.0 255.255.255.0 192.168.2.254');

3.10
Q:	If I wanted a type of account that was only allowed to log in say 
	Monday to Friday between 9:00 and 17:00, 
	is there already a way using radgroups?
A:	Yes you can, using Login-Time. It can be used for a single user by
	placing it in the radcheck table, or for a group in the radgroupcheck
	table.

	Login-Time defines the time span a user may login to the system. The 
	format of a so-called time string is like the format used by UUCP. A 
	time string may be a list of simple time strings separated 
	by "|" or ",".

	Each simple time string must begin with a day definition. That can be 
	just one day, multiple days, or a range of days separated by a hyphen.
	A day is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al" 
	means all days.

	After that a range of hours follows in hhmm-hhmm format.

	For example, in the radcheck table
	+----+----------+--------------+----------------------------+
	| id | UserName | Attribute    | Value                      |
	+----+----------+--------------+----------------------------+
	|  1 | someuser | Login-Time   | Wk2305-0855,Sa,Su2305-1655 |
	+----+----------+--------------+----------------------------+

	This will allow a user to connect weekdays 23:05 till 8:55, all day 
	Sat and Sun 23:05 till 16:55.

	IC-RADIUS calculates the number of seconds left in the time span, and 
	sets the Session-Timeout to that number of seconds. So if someone's 
	Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout 
	is set to 1800 seconds so that she is kicked off at 18:00.
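
	The matching and Session-Timeout calculation described above, as an
	added Python example (not IC-RADIUS source code; function names are
	hypothetical). Two assumptions are made: the end of an hour range is
	exclusive, which is what makes "Al0800-1800" at 17:30 come out as 1800
	seconds, and a range whose end is earlier than its start wraps past
	midnight within each listed day.

```python
import re
from datetime import datetime

DAY_NAMES = ["mo", "tu", "we", "th", "fr", "sa", "su"]   # same order as datetime.weekday()
DAY_MIN, WEEK_MIN = 24 * 60, 7 * 24 * 60


def parse_days(spec):
    """Turn a day definition such as 'wk', 'sa', 'mowe' or 'mo-fr' into weekday numbers."""
    tokens = re.findall(r"any|al|wk|mo|tu|we|th|fr|sa|su|-", spec)
    if not tokens or "".join(tokens) != spec:
        raise ValueError("bad day definition: %r" % spec)
    days, i = set(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("any", "al"):
            days.update(range(7))
        elif tok == "wk":
            days.update(range(5))
        elif tok == "-":
            raise ValueError("range without a first day: %r" % spec)
        else:
            day = last = DAY_NAMES.index(tok)
            if tokens[i + 1:i + 2] == ["-"]:             # range of days, e.g. mo-fr
                nxt = tokens[i + 2:i + 3]
                if not nxt or nxt[0] not in DAY_NAMES:
                    raise ValueError("range without a last day: %r" % spec)
                last = DAY_NAMES.index(nxt[0])
                i += 2
            while True:                                  # walk forward, wrapping su -> mo
                days.add(day)
                if day == last:
                    break
                day = (day + 1) % 7
        i += 1
    return days


def allowed_minutes(login_time):
    """Expand a Login-Time value into one boolean per minute of the week."""
    week = [False] * WEEK_MIN
    for item in re.split(r"[|,]", login_time.lower()):
        m = re.fullmatch(r"\s*([a-z-]+)(?:(\d{4})-(\d{4}))?\s*", item)
        if not m:
            raise ValueError("bad time string: %r" % item)
        minutes = range(DAY_MIN)                         # no hours given: the whole day
        if m.group(2):
            if any(int(t[:2]) > 23 or int(t[2:]) > 59 for t in m.group(2, 3)):
                raise ValueError("bad hhmm value in %r" % item)
            start, end = (int(t[:2]) * 60 + int(t[2:]) for t in m.group(2, 3))
            minutes = (range(start, end) if start < end
                       else [*range(start, DAY_MIN), *range(end)])   # wraps midnight
        for day in parse_days(m.group(1)):
            for minute in minutes:
                week[day * DAY_MIN + minute] = True
    return week


def session_timeout(login_time, now):
    """Seconds until the current window closes, or None if login is not allowed now.

    A value that allows the whole week is capped at one week.
    """
    week = allowed_minutes(login_time)
    pos = now.weekday() * DAY_MIN + now.hour * 60 + now.minute
    if not week[pos]:
        return None
    run = 0
    while run < WEEK_MIN and week[(pos + run) % WEEK_MIN]:
        run += 1
    return run * 60 - now.second


if __name__ == "__main__":
    example = "Wk2305-0855,Sa,Su2305-1655"               # the radcheck value shown above
    for when in (datetime(2000, 8, 28, 23, 30), datetime(2000, 8, 30, 12, 0)):
        print(when, session_timeout(example, when))
    print(session_timeout("Al0800-1800", datetime(2000, 8, 30, 17, 30)))
```

	Adjacent windows are merged, so a Friday 23:30 login under the example
	value runs through Saturday and ends at 16:55 on Sunday.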

3.11
Q:	I have read all the documentation and I still cannot get DEFAULT entries
	to work.
A:	Below is an example of what a set-up using DEFAULT looks like:

	radgroupcheck
	+------+------------+-------------------+---------------+
	| id   | GroupName  | Attribute         | Value         |
	+------+------------+-------------------+---------------+
	| 1    | DEFGROUP   | Auth-Type         | System        |
	| 2    | DEFGROUP   | Simultaneous-Use  | 1             |
	+------+------------+-------------------+---------------+

	radgroupreply
	+------+------------+-------------------+---------------+
	| id   | GroupName  | Attribute         | Value         |
	+------+------------+-------------------+---------------+
	| 1    | DEFGROUP   | Framed-IP-Address | 1.2.3.4       |
	| 2    | DEFGROUP   | Framed-IP-NetMask | 255.255.255.0 |
	+------+------------+-------------------+---------------+

	usergroup
	+----+----------+-----------+
	| id | UserName | GroupName |
	+----+----------+-----------+
	|  1 | DEFAULT  | DEFGROUP  |
	+----+----------+-----------+

	This will check the system /etc/passwd for the user and if they 
	authenticate will use the entries from radgroupreply as the reply items
	to the NAS.

3.12
Q:	we host a few visps on our lan my question is in my users table how 
	can I  have entries for say me@domain1.com different to me@domain2.com
	without having separate tables for each realm, or do I put each
	realm in its own table?
A:	You might be able to get away with putting the realm as LOCAL and adding
	the option nostrip, and then defining each user in radcheck with the
	@domain.com as part of the username. If that does not work, then you
	will have to have it so user names are unique across all domains.

3.13
Q:	How do I limit users to 300 Meg download Maximum?
A:	See Exec-Program-Wait; at this time there are no data limit check items.

3.14
Q:	IC-RADIUS uses some attributes that I'm not used to, what are they for?
A:	You should read the full RFC www.freeradius.org/rfc/

Name                  Type            Descr.
----                  ----            ------
Simultaneous-Use      integer   Max. number of concurrent logins
Exec-Program          string    program to execute after authentication
Exec-Program-Wait     string    ditto, but wait for program to finish before 
				sending back auth. reply
Login-Time            string    Defines when user may login.
Monthly-Time-Limit    integer	Number of seconds a user may use within the 
				current month. Resets on the 1st
Total-Time-Limit      integer	Total number of seconds a user may use. 
				Never resets
Activation            date	Date account becomes active

3.15
Q:	Does IC-RADIUS log the errors during authentication?
A:	Yes, if you are still using radius.log. Include options when starting
	radiusd; see the man page:
	radiusd  [-A] [-S] [-a accounting_directory] [-b] [-c] 
	[-d config_directory] [-f] [-i ip-address] [-l log_directory] 
	[-p port] [-s] [-v] [-x] [-y] [-z]

	OPTIONS
       	-A	Write a file detail.auth in addition to the standard detail 
		file in the same directory. This file will contain all the 
		authentication-request records. This can be useful for 
		debugging, but not for normal operation.
	-y	Write details about every authentication request in the 
		radius.log file.
	-z	Include the password in the radius.log file even for 
		successful logins.

	Remember this is very insecure!

3.16
Q:	I have an IBM 2212 access server. What should I specify in "type" in 
	my nas table?
A:	Just put 'other'. This is only used when doing the Simultaneous-Use 
	stuff. I do not know if that NAS type is supported by checkrad.

3.17
Q:	My IC-RADIUS keeps on logging this message, Error: Acct: Invalid STOP 
	record. [] STOP record but zero session length
A:	Your nas isn't giving the session time to the radius, so it is 0. You 
	should make sure your NAS is set-up correctly.

3.18
Q:	Are both secrets in IC-RADIUS and client equal?
A:	Yes, they are all the same, each NAS can have its own key!

3.19
Q:	My log says 'No username []' and users cannot authenticate.
A:	You probably forgot to load the dictionary files into the database. 
	Use the supplied script	dictimport.pl to load the necessary dictionary 
	files.

3.20
Q:	I was just curious if there is a way to ID users into different groups.
	For example, we have multiple pops. We would like for users from any 
	given pop to be able to dial in to any of our other pops, but, still 
	have a unique field showing what town/POP they belong to. The reason 
	for this is flexibility as users travel around the area, but, we want 
	to make sure that we are meeting user/modem ratios in their "hometown 
	POP". Is there a way to show this already, or is this something that 
	would have to be coded in? 
A:	You can add entries into the usergroup table even if the group does 
	not exist. This will have no effect on their check/reply items, but 
	could be used for analysis. I hope this is what you were asking.

3.21
Q:	I've setup encrypted passwords in the mysql db (as per FAQ 3.01),
        but users can't login? 
A:	You can't configure your NAS to use CHAP and also use encrypted 
	passwords. Use PAP on your NAS if you wish to store encrypted passwords
	in your mysql db, or store plaintext passwords in your mysql db and
	use CHAP.  Here's a blurb from the freeradius.org FAQ that explains it,

	>You have 2 choices:
	>
	>1. You allow CHAP and store all the passwords plaintext.
	>    Advantage: passwords don't go cleartext over the phone line between
	>    the user and the terminal server. Disadvantage: You have to
	>    store the passwords in cleartext on the server.
	>
	>2. You don't allow CHAP, just PAP. Advantage: you don't store
	>    cleartext passwords on your system. Disadvantage: passwords go
	>    in cleartext over the phone line between the user and the 
	>    terminal server.
	>
	>Now, people say CHAP is more secure. 
	>	Now you decide which is more likely:
	>
	>- the phone line between the user and the terminal server gets sniffed
	>   and a cracker (a GOOD one) intercepts just one password
	>- your radius server is hacked into and a cracker gets ALL passwords
	>   of ALL users.
	>
	>Right. Still think CHAP is more secure ? I thought so.
	>
	>This is a limitation of the CHAP protocol itself, not the RADIUS
	>protocol. The CHAP protocol *requires* that you store the passwords in
	>plain-text format.
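
The CHAP/PAP trade-off from 3.21, as an added example (not part of the
original FAQ and not IC-RADIUS code). Salted SHA-256 stands in for whatever
one-way scheme FAQ 3.01 sets up, and every sample value is constructed.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt()-style one-way storage (assumption: salted SHA-256)."""
    return hashlib.sha256(salt + password).digest()

def split_chap_password(attr_value: bytes):
    """RADIUS CHAP-Password value (RFC 2865): 1-byte CHAP ident + 16-byte response."""
    if len(attr_value) != 17:
        raise ValueError("CHAP-Password must be 17 bytes")
    return attr_value[0], attr_value[1:]

def check_pap(stored_hash: bytes, salt: bytes, user_password: bytes) -> bool:
    """PAP: the server receives the password, so it can re-hash and compare."""
    return hmac.compare_digest(stored_hash, one_way(user_password, salt))

def check_chap(server_secret: bytes, attr_value: bytes, challenge: bytes) -> bool:
    """CHAP: the server must recompute the MD5 from whatever it has stored."""
    ident, response = split_chap_password(attr_value)
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed sample values, not taken from any real deployment.
    password, salt = b"s3cret-dialup", b"ab"
    challenge = bytes(range(16))  # fixed so that the run is repeatable
    ident = 7
    stored_hash = one_way(password, salt)
    # What the NAS forwards after the dial-up client answers the challenge.
    chap_attr = bytes([ident]) + chap_response(ident, password, challenge)
    return {
        "pap_vs_hash": check_pap(stored_hash, salt, password),
        "chap_vs_plaintext": check_chap(password, chap_attr, challenge),
        "chap_vs_hash": check_chap(stored_hash, chap_attr, challenge),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The third case is the "users can't log in" symptom: the client hashed the
real password into its response, and a server holding only a one-way digest
has nothing it can feed into the same MD5 to reproduce it.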

--------------------------------------------------------------------------------

4:
CGI

4.01
Q:	After I login to the radius.cgi/usage.cgi it tells me 'sessionexpired',
	what's the problem?
A:	The cookie is failing to be set in your browser. Make sure 
	$cookiedomain is set to the domain of your web server. 
	Ex: $cookiedomain = ".mydomain.com";
	Also make sure your browser is set to accept cookies.

4.02
Q:	usage.cgi doesn't seem to be working for me. I keep getting 
	"Internal Server Error" messages.
A:	If the error_log gives a message like "Can't locate Authen/Radius.pm",
	you are probably missing Radius.pm. To get it, try ftp.cpan.org 
	under the modules directory and look for Authen::Radius. You will
	have to make sure your path is correct, and remember capitalization 
	counts here! If you use CPAN it will install it where it wants it to be.
	If you want usage.cgi/radius.cgi to send a radius query to authenticate
	it, you need these modules. If you just want it to do a local lookup
	(only works with non-crypted passwords) then you can just set authtype
	to local (0).

4.03
Q:	It seems that I'm having trouble viewing usage.cgi and these are the 
	error logs that I'm getting from apache.
	mv: cannot move `/tmp/radsess.7001' to 
	`/usr/local/apache/cgi-bin/radsess': Invalid cross-device link
A:	Make the $tmpdir point to a directory on the same partition as the 
	$sessfile. Be sure $tmpdir is also writable.

4.04
Q:	Why can I not add NAS or realm definitions with the radius.cgi? 
A:	Because I have not had a chance to write this code yet! Hopefully it 
	will be done soon!

4.05
Q:	I am getting the following error message in my error.log from Apache:
	Can't locate Authen/Radius.pm in @INC (@INC contains
A:	See the answer for 4.02.

4.06
Q:	Where are the images for the cgi interface?
A:	You'll find them in the scripts/images dir.

--------------------------------------------------------------------------------

5:
General

5.01
Q:	Can someone (un)subscribe me from IC-RADIUS mailing list?
A:	You can by sending a message to majordomo@innercite.com with the 
	text 'subscribe' or 'unsubscribe' in the body  

5.02
Q:	Is there an archive of the mailing list anywhere?
A:	YES! It's at: http://radius.innercite.com/archive/

5.03
Q:	radwho, radlast, radzap, radtest, testrad or raduse are not in 
	src, what happened to them?
A:	They are now in the scripts directory; you will see they are now 
	written in Perl. The new versions are now database aware. I still 
	have to write radzap and raduse, which I am not in a hurry to do 
	because radzap is easy with an SQL command, and raduse is made obsolete 
	by the web interface.

5.04
Q:	Whenever I do a radtest from localhost, my log complains of a security
	breach. localhost is in there as both the hostname, localhost and with 
	IP addresses as the proper interface address and also as 127.0.0.1 but
	it still seems to complain.
A:	Try adding the IP of your ethernet to the nas table and do the radtest
	to that IP. Also it would really help if you could try it from another
	machine.

5.05
Q:	I noticed there was a script to sync up the radacct table if you are
	using a portmaster. Has anyone written a generic one to use for other 
	NASes? 
A:	To fix your particular problem issue the following query via mysql and
	it should fill in the start times based on stoptime - session length. 
	
	UPDATE radacct SET AcctStartTime = 
	from_unixtime(unix_timestamp(AcctStopTime) - AcctSessionTime) 
	WHERE AcctStartTime = 0;

5.06
Q:	Can anyone tell me how to configure IC-RADIUS to log the accounting 
	information to the /var/log/radacct directory as a "detail" file?
A:	There is a script to do this: /scripts/acctexport.pl

5.07
Q:	Are proxy users logged locally?
A:	Indeed it does keep a local log. It even sets the 'realm' field to the
	realm of the proxied user.

5.08
Q:	Are there any Billing & Administration systems that work with IC-RADIUS?
A:	None just for IC-RADIUS, but try the following link:
		http://casablanca.thenet.co.nz/thenet/admin/

	InnerCite is developing their entire billing and customer management system
	wrapped around IC-RADIUS, which someday may turn into a commercial product,
	and will obviously support IC-RADIUS 100%

5.09
Q:	Are there any URLs that have more information?
A:	Yes
		http://www.miquels.cistron.nl/radius/README 
		http://radius.innercite.com/FAQ.txt
		http://www.freeradius.org

5.10
Q:	Please tell me how I can download the whole website?
A:	No, as the site is database driven.

5.11
Q:	Has anybody come up with a patch to allow the system to verify or
	extract the user's mail details from icradius, including
	authentication using IC-RADIUS? 
A:	Not as such, but you can use others that use MySQL tables for user
	and password information. Look at
	http://www.inet-interactive.com/sendmail/
	and
	http://www.riverstyx.net/qpopmysql/

5.12
Q:	How can I test my new installation of IC-RADIUS without using a NAS?
A:	Use radtest (in the scripts directory):
	radtest user password icradius.server.com testport(number) access.key

5.13
Q:	Can I keep up to date using CVS?
A:	Check out the web interface at 
	http://anoncvs.innercite.com/cgi-bin/cvsweb.cgi

	or

	CVSROOT	:pserver:anonymous@anoncvs.innercite.com:/var/cvsroot
	Password: <blank - just hit enter>

5.14
Q:	What are the future plans for IC-RADIUS, especially now with FreeRADIUS?
A:	The code used for IC-RADIUS is the same code that's going into the rlm_sql
	FreeRADIUS module. The current module scheme for FreeRADIUS does not give
	quite the flexibility of IC-RADIUS. Not only that, but FreeRADIUS is still
	a ways off production quality. For these reasons IC-RADIUS will continue to
	be developed for the foreseeable future.


--------------------------------------------------------------------------------

6:
Pre v.14 

6.01
Q:	When I upgraded from 0.8 to 0.9 I get a segmentation fault.
A:	First, if you use USR equipment, check 6.1 above. This could also be 
	caused by an old nas table definition. Execute these queries
	to fix the problem. This will also update the radacct table, since
	it has changed as well.
 
        alter table nas add column community varchar(50);
        alter table nas add column snmp varchar(10);
        update nas set community = 'public', snmp = 'on';
 
Fix radacct table:
        alter table radacct change column AcctDelayTime AcctStartDelay int(12);
        alter table radacct add column

--------------------------------------------------------------------------------

7:
Credits

7.01
Q:	Did you write all the questions and answers yourself?
A:	No, some have come from the mailing list, and from the original FAQ 
	written by Mike Machado, mike@innercite.com

7.02
Q:	Who writes code for IC-RADIUS?
A:	Mike Machado, mike@innercite.com

--------------------------------------------------------------------------------
Chris Joyce. chris@pccentre.com.au
This document may be distributed under the terms set forth in the LDP
license at http://www.linuxdoc.org/COPYRIGHT.html
