TITLE:      IC-RADIUS README
PURPOSE:    IC-RADIUS Installation and Setup Procedures
AUTHORS:    James Banks jbanks@sonet.net (original document) 
            Brad Rathbun brad@computechnv.com
MAINTAINER: Brad Rathbun 
COPYRIGHT:  GFDL (GNU Free Documentation License)
REVISED:    June 11, 2001


COPYRIGHT NOTICE
----------------
Copyright (c) 2001 JAMES BANKS, BRAD RATHBUN
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.1 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover Texts, and with no Back-Cover
Texts. The license is located at http://www.gnu.org/copyleft/fdl.html
if you would like to read through it (yawn).


IMPORTANT NOTE 
--------------
Read this entire document and the FAQ completely before posting any
questions to the mailing list. There is also a searchable FAQ online
at http://radius.innercite.com/cgi-bin/faqdb.cgi and the mailing list
archives are at http://radius.innercite.com/htdig/search.html.
Most questions posted to the list each day have been asked repeatedly
and are in the archives or in the FAQ. You stand a much better chance
of getting an answer quickly if you give everyone on the list the
courtesy of at least trying to find the answer yourself before posting.
Remember, IC-RADIUS is user-supported software. That means that nobody
is obligated to help you, they are doing it as a favor. You can join
the IC-RADIUS mail list, icradius-list@innercite.com, by sending a
message to 'icradius-list-request@innercite.com' with 'subscribe
icradius-list' in the body.

This document is constantly changing so please re-read this document
after each new release to find out about any new changes and how they
affect the rest of the server. Please don't email the authors or
maintainers directly with your questions unless you have already posted
your question to the list! We are busy with our paying jobs and your
email will generally end up in the bit bucket if you ask us before you
ask the list. Lack of planning on your part does not constitute an
emergency on our part!


HELP MAINTAIN THIS DOCUMENT
---------------------------
This document did not create itself. It took a lot of time from not just
the people who are credited as the authors at the top, but from many other
people who have contributed greatly to the mailing list and directly to
this document. Your help is needed, too! If you see something in this
document that is incorrect, could be explained better, works differently
on your platform, etc., you can help the IC-RADIUS community by sending your
revisions to the document maintainer. In particular, this document is
currently heavily weighted toward an installation on RedHat and more
documentation on other distributions would be a very nice addition. I prefer
to receive your updates in ASCII text format if at all possible, but I'll
take it any way you want to send it. If you are modifying sections of the
existing document, please include a short note telling me what section you
changed so that I can more easily locate it. The snippet you are looking at
probably makes perfect sense to you, but it might not to me.


INTRODUCTION
------------
In the past, many people have written scripts or small programs to
manipulate and extract various types of information from the standard
RADIUS detail files.  Users total online time, bandwidth usage, etc.
that are available from analyzing the RADIUS detail file can prove
valuable in almost every aspect of business.  However, most of these
scripts slow down exponentially as the size of the detail file increases.

This need for fast and efficient data management was the motivator for
InnerCite to develop IC-RADIUS.  The whole RADIUS system is basically in
tabular format, and what better way to view tabular data than in a
database. IC-RADIUS uses a MySQL database to store all of its essential
information such as the users file and the dictionary files, and also
sends the accounting information to the database.  This, in turn, allows
for extremely fast and efficient data manipulation and extraction with
the ease and flexibility offered by MySQL. IC-RADIUS is completely free (GPL)
and is available for download from ftp://ftp.innercite.com/pub/icradius/.

In the following sections you will find information on setting up IC-RADIUS
as well as the general procedures for installing MySQL and the Perl DBI
and MySQL DBD modules, all of which are required for IC-RADIUS to operate
properly.


AUDIENCE
--------
This guide is designed to be used by qualified system administrators and
network managers. Knowledge of Linux (and/or other *NIX systems) and basic
networking concepts is required to successfully install IC-RADIUS. Because
IC-RADIUS and the support scripts included with it make use of MySQL, Perl,
SNMP, and other resources, you must also be somewhat familiar with them
as well. However, this guide has been designed to help even beginners. Be
warned that if you do not at least understand the basics of Linux system
administration, you will probably have a very difficult time with IC-RADIUS.


ABOUT THIS DOCUMENT
-------------------
This is not intended to be a complete reference on MySQL, Perl, or RADIUS,
but hopefully enough information will be provided to get you through the
installation and have IC-RADIUS up and running as quickly and painlessly as
possible. Please note that unless you are pretty familiar with Linux, you
should be prepared to do a lot of reading! Installing this or any other
RADIUS package is not exactly a job for a beginner and certainly not
something you should undertake if you need it yesterday. However, every
effort has been made to insure that as much information as possible has
been included in this document so that you will have a smooth installation
on your first try. In spite of the warning under the section entitled
"Audience", this document assumes only that you can read and follow
instructions and have at least a basic understanding of how Linux works.
The more you know, obviously, the easier the whole process will be.


PREREQUISITES
-------------
In order to use IC-RADIUS, you must first have MySQL installed. This is
covered in the MySQL INSTALLATION section below.  You will also need the
Perl DBI and MySQL DBD modules. You must also have a version of Perl that
is compatible with these modules. The latest DBI and DBD modules, as well
as MySQL can be found at http://www.mysql.net/. Of course you can always go
to http://www.perl.com to get the modules, but some people like the one-stop
convenience of using the MySQL homepage.  Both the DBI and DBD installations
will be covered in their respective sections below.


RADIUS
------
RADIUS is an acronym which stands for "Remote Authentication Dial In User
Service". This is defined as a protocol for carrying authentication,
authorization, and configuration information between a Network Access
Server (NAS) desiring to authenticate its links and a shared Authentication
Server (IC-RADIUS). This standard is described in great detail in RFC 2138
and 2139 available at http://www.freeRADIUS.org. It is strongly recommended
that you read these along with all of the documentation provided in each
directory.  About 90% of the questions that come across the mail lists can
be answered by simply taking the time to read the documentation.

To quote Lucent/Livingston (the creators of RADIUS): "The Remote
Authentication Dial-In User Service (RADIUS) is a client/server security
protocol created by Lucent InterNetworking Systems. RADIUS is an Internet
draft standard protocol. See RFCs 2138 and 2139 for more information on
RADIUS.  User profiles are stored in a central location, known as the RADIUS
server. RADIUS clients (such as a PortMaster communications server)
communicate with the RADIUS server to authenticate users. The server
specifies back to the client what the authenticated user is authorized to
do. Although the term RADIUS  refers to the network protocol that the client
and server use to communicate, it is often used to refer to the entire
client/server system."

How does RADIUS work? Basically the process can be broken down into 4 steps.
First, the user dials into the NAS.  Next, the NAS sends a request to the
authentication server (IC-RADIUS) via a standard set of attribute/value
(a/v) pairs.  Then, RADIUS checks to see if that user exists and if so, can
they log on. Finally, the RADIUS server sends either an "accept" or a
"reject" back to the NAS, which determines whether or not the user is
allowed access. That should give a very basic understanding of how the
authentication system works.

That's what RADIUS does. Let's spend a moment and talk about what RADIUS
does not do. Remember that the job of RADIUS is to do authentication and
accounting for a NAS. It is not the job of RADIUS to your billing. It is
not a word processor. It is not a spreadsheet. Many requests come across
the mailing list for this feature or that feature. Unfortunately, most of
these misguided requests don't have the basic understanding of what RADIUS
is for and are thus ignored and occasionally ridiculed. In other words,
if you want to request a feature, please make sure that feature is
reasonable in the context of what RADIUS is supposed to do!

Now lets move on and see what IC-RADIUS needs to operate properly. Many of
the steps below may be skipped, as they are included only in the interest
of being thorough and over-explaining rather than under-explaining the
installation process. In all cases, I assume installation will occur from
source code distributions instead of RPMs. I chose this method because it
applies to the widest variety of distributions, offers the most flexibility
and security, and it seems to work better in most cases (at least for me).
If you prefer to use RPMs, feel free - they will probably work just fine
for you. Just don't be surprised if you have trouble with the rest of the
instructions below as they all tie together. It should also be pointed out
that you have greater flexibility and security when installing from source.


PERL INSTALLATION
-----------------
Most, if not all, of the scripts that come with IC-RADIUS are written in Perl.
This, of course, means that you must have Perl installed in order to use
them. Most Linux distributions already have Perl installed, so you probably
can skip this step if you want to. This section describes how to install or
upgrade to Perl 5.6.0, the latest stable release as of this writing. There is
nothing about IC-RADIUS or the support scripts that come with it that would
require you to perform this upgrade. 


1.  Download the Perl distribution to /usr/local/src. You can get the latest
    Perl distribution from http://www.perl.com.
2.  Expand the archive: tar -zxvf perl5.6.0.tar.gz
3.  Optional step. Delete the archive to save space: rm -f perl5.6.0.tar.gz
4.  Move to source directory: cd /usr/local/src/perl5.6.0
5.  Read the installation instructions: pico -w INSTALL
6.  rm -f config.sh Policy.sh
7.  sh Configure -de
8.  make
9.  make test
10. make install
11. If it installed correctly, you can confirm the correct version: perl -v


BERKLEY SOCKETS INSTALLATION
----------------------------
This step is completely optional. The only good reason to do this is if you
intend to use MySQL database replication now or at some point in the future.
It doesn't hurt anything to install it even if you don't know what
replication is, so if you are unsure, go ahead and do it. There is absolutely
nothing about IC-RADIUS or it's support scripts that require this step to be 
performed and IC-RADIUS won't care one way or the other if Berkley Sockets
are installed or not. My personal recommendation is that you install them
now to save yourself the hassle later when you discover that MySQL
replication is a good thing to have (because replication really is a good
thing to have, trust me).


1. Download the Berkley Sockets distribution to /usr/local/src. You can get
   the latest distribution from http://www.sleepycat.com/.
2. Expand the archive: tar -zxvf Berkleydb-3.2.9a.tar.gz
3. Optional step. Delete the archive to save space:
   rm -f Berkleydb-3.2.9a.tar.gz
4. Move to source directory: cd /usr/local/src/db-3.2.9a
5. ./configure
6. make
7. make install


MySQL INSTALLATION PROCEDURE
----------------------------
This step is NOT optional unless you know what you are doing, in which case
you probably wouldn't be reading this document. You must have MySQL
installed and running on your system in order to use IC-RADIUS. It could be
running on a separate host than the one you are putting IC-RADIUS on, but
that is a more advanced installation and is not how most first time
installations are done. There is nothing in IC-RADIUS or any of the support
scripts that requires you to have MySQL running on the same host with
IC-RADIUS. Many advanced installations (mine included) have a separate host
for the database for increased security and performance. Either way will
work fine and you can always change it later if you need to.

You will need at least version 3.22, but if you install the newer versions,
replication will be supported. As of this writing, version 3.23.33 was the
latest release. Remember, it's just as easy to install the current version
as an obsolete one. The upgrade you do now is one you don't have to do later
when you have the system in production.

There are a lot of steps here and most of them are pretty critical, so
please follow them carefully. Most of the problems I had when installing
my own system came from problems with the MySQL installation. These steps
may be overkill, but they work.

1.  Download the latest MySQL distribution to /usr/local/src. You can get the
    latest distribution from http://www.mysql.com.
2.  Expand the archive: tar -zxvf mysql-3.23.33
3.  Optional step. Delete the archive to save space:
    rm -f mysql-3.23.33.tar.gz
4.  Move to source directory: cd /usr/local/src/mysql-3.23.33
5.  Add the group mysql: groupadd mysql
6.  Add the user mysql: useradd -g mysql mysql
7.  ./configure -prefix=/usr/local/mysql
8.  make
9.  NOTE: On my installation, there was an error on the next step, which was
    caused by make writing an error into the Makefile. You can fix this bug
    if you edit the Makefile: pico -w Makefile and do a search for the
    offending line, "install: all". This line has a comment that says
    something to the effect of "#Modified by MySQL". Remove this
    comment and keep deleting until the next line is on the same line with
    the "install: all" so that it reads something like this: 
    "install: all install_include uninstall_include install_documents
    uninstall_documents". In other words, it should all be on one line with
    a space separating each of the commands. 
10. make install
11. scripts/mysql-install-db  Note: This will install the databases and at
    the end it will tell you to change the root password. The way suggested
    never works for me and I have a different method listed below. Your
    mileage may vary.
12. Make sure libraries are visible to other programs: 
    A. Pico -w /etc/ld.so.conf
    B. Add a line to the file pointing to the libs:
       /usr/local/mysql/lib/mysql
    C. Reload with update: ldconfig 
    D. Copy the server init file:
       cp support-files/mysql.server /etc/rc.d/init.d
13. Make startup file executable: chmod 755 /etc/rc.d/init.d/mysql.server
14. chown -R root /usr/local/bin/mysql
15. chgrp -R mysql /usr/local/mysql
16. Put mysql command in path: cp /usr/bin/mysql /usr/bin
17. Copy config file: cp support-files/my-medium.cnf /etc/my.cnf
18. Edit config file: pico -w /etc/my.cnf
    A. Under [client] section:
       1.  Leave password blank for now
       2.  user = root
19. Secure the MySQL config file: chmod 600 /etc/my.cnf
20. Start MySQL: /etc/rc.d/init.d/mysql.server start
21. See if it works: mysql
22. Change root password:
    A.  use mysql;
    B.  update user set password = PASSWORD('your-new-password')
        where user='root';
    C.  flush privileges;
    D.  exit
23. Optional step for replication. If you think you might want this
    server to be the master database for future replication, you can set
    it up now. To do so:
    A.  Pico -w /etc/my.cnf
    B.  Under [mysqld] section:
        1.  log-bin
        2.  server-id = 1 (must be unique from all other MySQL servers)
24. You can use root as the main user, but I highly recommend adding another
    username and password, such as "radius".  
    A.  This can be done by typing: 
        INSERT INTO users' 'VALUES ('host','user','password','y','y','y','y',
        'y','y','y','y','y','y','y','y','y','y');
    B. "Host" should be the machine that is running IC-RADIUS. Most likely
       this will be the same one that MySQL is running on. In that case,
       you can put "localhost" here.
    C.  "User" should be a username, such as radius.
    D.  "Password" should be your password.
    E.  That should get you going as far as MySQL is concerned. If you have
        any problems, check out the MySQL documentation found on their homepage
        at http://www.mysql.com.
25. Make sure that you update /etc/raddb/radius.conf to reflect this same
    host, username, and password.


INSTALL DATA-DUMPER
-------------------
This module is not required by IC-RADIUS or any of it's scripts, so you may
skip this section if you want to. However, I find that life is generally
easier when using Perl with MySQL if this module is installed. And it's an
easy one to install.

1.  Download the Data-Dumper distribution to /usr/local/src. You can get
    the latest distribution from http://search.cpan.org.
2.  Expand the archive: tar -zxvf Data-Dumper-2.101
3.  Optional step. Delete the archive to save space:
    rm -f Data-Dumper-2.101.tar.gz
4.  Move to source directory: cd /usr/local/src/Data-Dumper-2.101
5.  perl Makefile.PL
6.  make
7.  Note: Do not run make test. The test suite is broken.
8.  make install


INSTALL DATA-SHOWTABLE
----------------------
This module is not required by IC-RADIUS or any of the scripts, so you may skip
this section if you want to. However, I find that life is generally easier
when using Perl with MySQL if this module is installed. And, except for
fixing a bug in the install script, it's an easy one to install.

1.  Download the Data-ShowTable distribution to /usr/local/src.
    You can get the latest distribution from http://search.cpan.org.
2.  Expand the archive: tar -zxvf Data-ShowTable-3.3.tar.gz
3.  Optional step. Delete the archive to save space:
    rm -f Data-ShowTable-3.3.tar.gz
4.  Move to source directory: cd /usr/local/src/Data-ShowTable-3.3
5.  perl Makefile.PL
6.  make
7.  Note: There is a bug in the Makefile after this runs. If you want to see
    it, continue on. If you want to fix it before continuing, edit the
    Makefile and go to line 724, which contains a long string of stuff like
    I< , I<, and so on. Notice that the first two I< are not terminated with
    matching >. Insert the closing > marks and it will install perfectly.
    Sometimes, it is helpful to run the make install just to see the error
    so you know what you are looking for. Couldn't understand what I just
    explained? Don't worry about it, you don't really need this module to
    make IC-RADIUS run, anway. Come back to this later when you get around
    to it.
8.  make test
9.  make install


ABOUT THE DBI & DBD
-------------------
Lets start with a brief overview of what these modules are, and why we need
them. The DBI is a database interface module for Perl. It defines a set of
methods, variables and conventions that provide a consistent database
interface independent of the actual database being used. The MySQL DBD is
the actual driver that is used to access a MySQL database and run queries on
it from Perl. It is important that you install the DBI first because the
DBD will not work, or even install without it.


INSTALLING THE DBI
------------------
1.  Download the DBI distribution to /usr/local/src. You can get the latest
    distribution from http://search.cpan.org.
2.  Expand the archive: tar -zxvf DBI-1.14.tar.gz
3.  Optional step. Delete the archive to save space: rm -f DBI-1.14.tar.gz
4.  Move to source directory: cd /usr/local/src/DBI-1.14
5.  perl Makefile.PL
6.  make test Note: if you don't see "All tests successful", backtrack and
    figure out what you did wrong, because nothing is going to work right.
    Don't cross your fingers and think you will get lucky if you just keep
    installing stuff, because you won't. Trust me. 
7.  make install


INSTALLING THE DBD
------------------
If you are going to have a problem, you will probably have it here. This
module is always difficult (at least for me). One thing to check before you
start this procedure is that you have a valid MySQL username and password
setup and that this username and password is defined in the /etc/my.cnf
file. Double check this before you start this installation and you'll save
yourself some headaches.

1.  Download the DBD distribution to /usr/local/src. You can get the latest
    distribution from http://search.cpan.org. By the way, just to confuse
    things, it's not named DBD - it's named Msql-Mysql-Modules! Makes
    perfect sense if you already know what you are looking for, but for
    newbies it can be quite confusing.
2.  Expand the archive: tar -zxvf Msql-Mysql-1.2215.tar.gz
3.  Optional step. Delete the archive to save space:
    rm -f Msql-Mysql-1.2215.tar.gz
4.  Move to source directory: cd /usr/local/src/Msql-Mysql-1.2215
5.  perl Makefile.PL  Note: the defaults are right for most of the questions.
    Be sure to give the username and password you defined for MySQL when
    asked or the tests will all fail!
8.  make test 


INSTALL SNMP
------------
This is usually an optional step, but one you might wish to perform. There
are certain portions of IC-RADIUS that use SNMP (to verify if a user is on
with more than one connection, for example). However, SNMP is also probably
already on your system. If you think it's already installed, you can skip
this step. Otherwise, just do it and you'll have the latest version. It's
usually a pretty painless installation. 

1.  Download the SNMP distribution to /usr/local/src. You can get the latest
    distribution from http://search.cpan.org. 
2.  Expand the archive: tar -zxvf ucd-snmp-4.1.tar.gz
3.  Optional step. Delete the archive to save space: rm -f ucd-snmp.tar.gz
4.  Move to source directory: cd /usr/local/src/ucd-snmp-4.1
5.  ./configure
6.  make
7.  make test
8.  make install


IC-RADIUS INSTALLATION
---------------------
Finally!  Once the above items have been properly installed, you can install
IC-RADIUS. It takes a lot of other things to make IC-RADIUS work, but it's
worth it when you finally get there.

1.  Download the IC-RADIUS distribution to /usr/local/src. You can get the
    latest distribution from ftp://ftp.innercite.com/pub/icradius/. 
2.  Expand the archive: tar -zxvf icradius-0.18.tar.gz
3.  Optional step. Delete the archive to save space:
    rm -f icradius-0.18.tar.gz
4.  Move to source directory: cd /usr/local/src/icradius-0.18
5.  cp Makefile.lnx Makefile  Note: if you use something other than Linux,
    be sure to copy the Makefile that is appropriate for your distribution.
6.  The Redhat startup files are broken. Fix them by editing:
    A.  pico -w redhat/rc.radiusd-redhat
    B.  Near the top, you will see a line that says,
        "RADIUSD=/usr/bin/radiusd". Change it so it says,
        "RADIUSD=/usr/sbin/radiusd" instead.
7.  Copy the startup files:
    cp redhat/rc.radiusd-redhat /etc/rc.d/init.d/radiusd
8.  make
9.  make install
10. Copy the radius.conf file: 
    A.  Make sure directory exists: mkdir /etc/raddb
    B.  Copy file: cp raddb/radius.conf /etc/raddb
    C.  Secure the file: chmod 600 /etc/raddb/radius.conf
11. After copying the .cgi files they need to be set to executable:
    chmod 755 *.cgi.
12. Create a radacct directory: mkdir /var/log/radacct
13. Create a radsess file: touch /usr/local/apache/cgi-bin/radsess


INSTALLATION PROBLEMS
---------------------
This section more rightly belongs in the FAQ (and is undoubtedly there as
well), but it is important enough for proper installation that it is going
to be covered here anyway. Here are some of the more common problems you
will face when compiling IC-RADIUS along with a solution for the problem.

Problem:   This compiler error occurs frequently on BSD systems:
           "acct.c: In function `rad_accounting_sql':
           "acct.c:223: `SQL_LOCK_EX' undeclared (first use this function)"
Solution:  Replace  SQL_LOCK_EX with LOCK_EX in acct.c and mysql.c

Problem:   Time values are either null or wrong in the accounting data.
Solution:  Edit the src/sysdep.h file:
	   #include <time.h>
	   #include <sys/time.h>

Problem:   When compiling, you get this sort of error:
	   "In file included from /usr/include/sys/socket.h:34, from
           radiusd.c:35: /usr/include/bits/socket.h:295: asm/socket.h:
           No such file or directory
           In file included from /usr/include/signal.h:300, from radiusd.c:47:
           /usr/include/bits/sigcontext.h:28: asm/sigcontext.h: No such file or directory
           In file included from /usr/include/bits/errno.h:25, from 
           /usr/include/errno.h:36, from radiusd.c:48: /usr/include/linux/errno.h:4:                       asm/errno.h: 
           No such file or directory"
Solution:  Add these symbolic links if they don't exist:
           ln -s /usr/src/linux/include/linux /usr/include/linux
           ln -s /usr/src/linux/include/asm /usr/include/asm
           ln -s /usr/src/linux/include/asm-i386 /usr/src/linux/include/asm


CREATE THE DATABASE
-------------------
To be able to use IC-RADIUS you must now create a database in MySQL, which is
named RADIUS. Most of the installation can be done from a script, but you
must create the initial database from within MySQL.

1.	Start MySQL:  mysql
2.	Create the database: CREATE DATABASE RADIUS;
3.	Exit MySQL: exit;


CREATE THE TABLES
-----------------
Next, we must create all of the tables that IC-RADIUS will need. Fortunately,
these have already been defined in the file "scripts/RADIUS.db". This makes it very easy to import the table 
structures into MySQL from the command line.

1.  Enter this command from the shell prompt:  mysql RADIUS < RADIUS.db
    A.  Note: MySQL is quiet, so if it worked, you'll get no messages.
2.  Test to see if it worked:
    A.  Start MySQL: mysql
    B.  Select the RADIUS database: use radius;
    C.  Look at the tables: show tables;
    D.  Exit MySQL: exit;


LOAD THE DICTIONARY FILES
-------------------------
Now you will need to load the dictionary file found in the raddb subdirectory
into MySQL as well as the dictionary that matches your NAS. The dictionaries
are located in the raddb directory. These dictionaries are stored with a
format of "dictionary.NAS", where NAS is the type of NAS equipment you are
supporting. For example, if you use Livingston PM3's, you would select
dictionary.livingston. If you have a variety of equipment, load each
dictionary that IC-RADIUS will be providing RADIUS for. I recommend you
make a quick list of the dictionaries you need to load before proceeding
to the next step.

1.  Move to the scripts directory: cd scripts 
2.  Edit the script: pico -w dictimport.pl
    A.  Change $dbusername to match your MySQL username
    B.  Change $dbpassword to match your MySQL password
3.  Run the script: ./dictimport.pl ../raddb/dictionary 
4.  At a minimum, be sure to run step 3 exactly as shown to get the generic
    dictionary loaded and then repeat step 3 as needed for each NAS specific
    dictionary you need.

Note: A very common problem seen on the mailing list concerns failure to
load the proper dictionaries for your NAS equipment. Make sure you are
thorough with this step and you will save yourself a lot of headaches and
generate a lot less newbie noise on the list!


A QUICK NOTE ABOUT WEBMIN
-------------------------
>From this point forward, we will be editing several different MySQL tables.
For simplicity's sake, this document explains how to edit MySQL tables with
what you have already installed in previous steps. However, if you really
want to make this and future steps easy on yourself, I highly recommend you
take a look at Webmin. Webmin is a product that lets you manage your server
(including MySQL) from a web browser. Webmin can be downloaded from
http://www.webmin.com. In no way does IC-RADIUS require Webmin and you can
certainly get along fine without it if you choose to do so. However, for
beginners it is really a very nice tool and the installation is quick and
easy.


DEFINE YOUR NAS HARDWARE
------------------------
You will need to manually add entries for your NAS hardware into the nas
table. This table replaces the need for both the naslist and the clients
file standard Cistron used. This is done by inserting records directly
into the MySQL table.

1.  See what columns are required for this table:
    A.  Start MySQL: mysql
    B.  Show the table structure: desc nas
2.  You should see (at least as of version 0.18) the following columns: 
    id, nasname, shortname, Ipaddr, type, ports, secret, and community.
3.  Add your nas: 
    insert into nas values('', 'nas1.domain.com', 'nas1', '192.168.1.1',
    'livingston', '48', 'mysecret', 'public', 'on');
4.  Repeat step 3 as needed to add all your NAS to the table, substituting
    your own settings for the values in the example.
5.  Important Note: Make sure the secret in your NAS matches the entry for
    that NAS in the nas table. This is one of the most common problems as
    to why you can't authenticate a user when setting IC-RADIUS up and one
    of the most frequently asked newbie questions on the mailing list.
6.  Important Note #2: Make sure that you set up the IC-RADIUS server's IP
    address as the authentication and/or accounting server on your NAS.
    Also make sure that you have turned SNMP on, made the IC-RADIUS server
    an snmp reader, and that the SNMP community string is the same as what
    you defined in the NAS table. Needless to say, anything SNMP related
    (like controlling multiple logins) won't work if you don't do this.
7.  When you have finished setting all of your NAS entries up, restart
    IC-RADIUS. Changes don't take effect until you do so as this table is
    read only upon initialization.

Here's a sample of what your nas table might look like. Notice that I have
added my webserver as a nas in the third entry. This is so that I can run
utilities such as the checkrad script from the web server. It's optional,
but highly recommended. Also note that I listed the type as Linux, which
means nothing. I just wanted to put something in that field. You can put
just about anything you want there, but try not to use something that
might be a valid NAS type as it may cause problems with checkrad or other
scripts (translation: I have no idea if it will or not).

+--+---------------+---------+-----------+----------+-----+--------+---------+----+
|id|Nasname        |shortname|Ipaddr     |type      |ports|secret  |community|snmp|
+--+---------------+---------+-----------+----------+-----+--------+---------+----+
|1 |nas1.domain.com|nas1     |192.168.1.1|livingston|48   |mysecret|public   |on  |
+--+---------------+---------+-----------+----------+-----+--------+---------+----+
|2 |nas2.domain.com|nas2     |192.168.1.2|livingston|48   |mysecret|public   |on  |
+--+---------------+---------+-----------+----------+-----+--------+---------+----+
|3 |www.domain.com |web      |192.168.1.3|linux     | 0	  |mysecret|         |off |
+--+---------------+---------+-----------+----------+-----+--------+---------+----+

Notice also that type is set to lowercase on the NAS equipment. It seems to
make a difference, at least in my installation, so this is something you
might want to watch out for. If it doesn't make a difference, no harm done.
If it does make a difference, then you'll have done it right.


STARTING IC-RADIUS
-----------------
If you have installed IC-RADIUS correctly, it should start automatically when
your server reboots. However, since we don't want to reboot the computer just
to start IC-RADIUS, we can just run it from the init script we installed
earlier. Remember, a prerequisite for IC-RADIUS to work is that MySQL must
be running first.

1.  Start MySQL: /etc/rc.d/init.d/mysql.server start
2.  Verify that it's running: ps -A | grep mysql
3.  Start IC-RADIUS: /etc/rc.d/init.d/icradius start
4.  See if it's working properly: cat /var/log/radius.log  - you should see
    something like the following:
      Starting - reading configuration files ...
      SQL: Attempting to connect to radius@localhost:radius
      Ready to process requests.


IC-RADIUS STARTUP OPTIONS
------------------------
You can affect how IC-RADIUS runs and outputs various things with command line
switches. You can put these switches after the start command in your
/etc/rc.d/init.d/radiusd file.
+----------+-------------------------------------------------+--------------------+
|Switch    |Description                                      |Default             |
+----------+-------------------------------------------------+--------------------+
|-a <dir>  |Accounting directory. Where to place detail files|/var/log/radacct    |
+----------+-------------------------------------------------+--------------------+
|-d <dir>  |Directory where hints, huntgroups and radius.conf|/etc                |
|          |are located.                                     |                    |
+----------+-------------------------------------------------+--------------------+
|-i <IP>   |IP to bind to.                                   |INADDR_ANY          |
+----------+-------------------------------------------------+--------------------+
|-l <dir>  |Logs directory.                                  |[/var/log           |
+----------+-------------------------------------------------+--------------------+
|-f        |Don't fork from the console to become a deamon   |fork and be a daemon|
+----------+-------------------------------------------------+--------------------+
|-m <flags>|Accounting method. s = SQL accounting,           |S                   |
|          |f = file accounting. Can combine into 'sf' for   |                    |
|          |both SQL and file accounting.                    |                    |
+----------+-------------------------------------------------+--------------------+
|-S        |Log stripped names. Only affects setups with     |                    |
|          |Strip-Username                                   |                    |
+----------+-------------------------------------------------+--------------------+
|-p <port> |Port IC-RADIUS will listen for auth requests.     |                    |
|          |Accounting will be auth port + 1. Looks for      |                    |
|          |/etc/services entry and then fails over to 1645  |                    |
|          |if no entry found.                               |                    |
+----------+-------------------------------------------------+--------------------+
|-r <dir>  |Directory to chroot() to before handling requests|                    |
+----------+-------------------------------------------------+--------------------+
|-t        |Use trusted proxies, eg all attributes from proxy|no trusted proxies  |
|          |will be passed through.                          |                    |
+----------+-------------------------------------------------+--------------------+
|-u <user> |User to set user and group permissions to before |current user        |
|          |accepting connections                            |                    |
+----------+-------------------------------------------------+--------------------+
|-v        |Print version and exit                           |                    |
+----------+-------------------------------------------------+--------------------+
|-x        |Enable debugging. Use -xx for even more debugging|no debugging        |
|          |Turns on -f                                      |                    |
+----------+-------------------------------------------------+--------------------+
|-y        |Print message for each auth request, and password|don't log           |
|          |attempt for invalid logins.                      |                    |
+----------+-------------------------------------------------+--------------------+
|-z        |Print message for each auth request including    |                    |
|          |password (even for correct passwords!). Only     |                    |
|          |takes affect with -y                             |                    |
+----------+-------------------------------------------------+--------------------+


INSTALLING THE CGI SCRIPTS
--------------------------
RADIUS.cgi is a complete web administration and reporting tool that accesses
the RADIUS database. You will need to add a user manually first before you
can use the web interface.

1.  Start MySQL: mysql
2.  Insert the user records:
    A.  INSERT INTO radcheck VALUES ("","username","Password","yourpassword"); 
    B.  INSERT INTO radcheck VALUES ("","username","RADIUS-Operator","Yes"); 
3.  Copy the RADIUS.cgi and usage.cgi files into the cgi-bin directory of
    your web server. On a standard installation it would look like this:
    cp *.cgi /usr/local/apache/cgi-bin
4.  Edit both of these so that the $dbusername and $dbpassword are the same
    as the one setup for the MySQL server.  Also change $cookiedomain to
    your domain name. For example: $cookiedomain = domain.com  If you don't
    have a domain or you are working on a machine that is not listed in
    your DNS, you can set it to null (i.e. "")  You can also edit some
    other features such as the log directory and the background color.


SETTING UP USERS
----------------
Since the whole point of IC-RADIUS is to authenticate users, setting up those
users is a pretty important thing. You can use the supplied CGI web interface,
you can edit directly from MySQL, you can use a third party web interface
such as Webmin, or you can write your own. As of this writing, several third
parties are working on fairly robust alternatives to the CGI that comes with
IC-RADIUS. I wouldn't be too surprised to see one of these make an appearance
in the distribution soon. Meanwhile, though let's look at how we might set
up a user. I'll show you the hard way first, then the easy way. Read ahead
a few pages before you waste your time typing any of this stuff in so you
don't waste your time.

RADREPLY TABLE
+--+--------+------------------+-------------------+
|id|UserName|Attribute         |Value              |
+--+--------+------------------+-------------------+
|1 |alpha   |Framed-Compression|Van-Jacobson-TCP-IP|
+--+--------+------------------+-------------------+
|2 |alpha   |Framed-IP-Address |255.255.255.254    |
+--+--------+------------------+-------------------+
|3 |alpha   |Framed-Protocol   |PPP                |
+--+--------+------------------+-------------------+
|4 |alpha   |Idle-Timeout      |1800               |
+--+--------+------------------+-------------------+
|5 |alpha   |Port-Limit        |1                  |
+--+--------+------------------+-------------------+
|6 |alpha   |Service-Type      |Framed-User        |
+--+--------+------------------+-------------------+
|7 |alpha   |Session-Timeout   |28800              |
+--+--------+------------------+-------------------+

RADCHECK TABLE
+--+--------+------------------+-----+
|id|UserName|Attribute         |Value|
+--+--------+------------------+-----+
|1 |alpha   |Simultaneous-Use  |1    |
+--+--------+------------------+-----+
|2 |alpha   |Monthly-Time-Limit|36000|
+--+--------+------------------+-----+

That is a total of nine entries per user. And that's without all the possible
attributes that you might want to use. Multiply that times 5000 customers
and you have a real maintenance headache on your hands. Multiply it times
25000 customers and you have a nightmare. There is an easier way,
fortunately.

SETTING UP GROUPS
-----------------
One common use for groups is to set up the attributes of a specific dialup
plan such as Simultaneous-Use, Framed-Protocol, Total-Time-Limit, etc. in a
group setting and then add a user to the usergroup table. This effectively
makes the user inherit all of the attributes of the group while only having
to making a few entries for that user. It also makes it easy to change the
attributes of an entire group without having to edit each member of the group.
Consider the following example:


RADGROUPCHECK TABLE
+--+---------+------------------+------+
|id|GroupName|Attribute         |Value |
+--+---------+------------------+------+
|1 |PLAN1    |Simultaneous-Use  |1     |
+--+---------+------------------+------+
|2 |PLAN2    |Simultaneous-Use  |1     |
+--+---------+------------------+------+
|3 |PLAN1    |Monthly-Time-Limit|36000 |
+--+---------+------------------+------+
|4 |PLAN2    |Monthly-Time-Limit|720000|
+--+---------+------------------+------+

Here's how our example works. You define the characteristics of the groups
(some ISP's call these plans) you want in the radgroupcheck and
radgroupreply tables. This is done only once for each group you wish to
define. Notice that we have defined two groups: PLAN1 and PLAN2.Any check
items which we wish to define for all members of this group are defined in
radgroupcheck (above). Any reply items which we wish to define for all
members of this group are defined in radgroupreply (below).


RADGROUPREPLY TABLE
+--+---------+------------------+-------------------+
|id|GroupName|Attribute         |Value              |
+--+---------+------------------+-------------------+
|1 |PLAN1    |Framed-Compression|Van-Jacobson-TCP-IP|
+--+---------+------------------+-------------------+
|2 |PLAN1    |Framed-IP-Address |255.255.255.254    |
+--+---------+------------------+-------------------+
|3 |PLAN1    |Framed-Protocol   |PPP                |
+--+---------+------------------+-------------------+
|4 |PLAN1    |Idle-Timeout      |1800               |
+--+---------+------------------+-------------------+
|5 |PLAN1    |Port-Limit        |1                  |
+--+---------+------------------+-------------------+
|6 |PLAN1    |Service-Type      |Framed-User        |
+--+---------+------------------+-------------------+
|7 |PLAN1    |Session-Timeout   |28800              |
+--+---------+------------------+-------------------+
|8 |PLAN2    |Framed-Compression|Van-Jacobson-TCP-IP|
+--+---------+------------------+-------------------+
|9 |PLAN2    |Framed-IP-Address |255.255.255.254    |
+--+---------+------------------+-------------------+
|10|PLAN2    |Framed-Protocol   |PPP                |
+--+---------+------------------+-------------------+
|11|PLAN2    |Idle-Timeout      |1800               |
+--+---------+------------------+-------------------+
|12|PLAN2    |Port-Limit        |1                  |
+--+---------+------------------+-------------------+
|13|PLAN2    |Service-Type      |Framed-User        |
+--+---------+------------------+-------------------+
|14|PLAN2    |Session-Timeout   |28800              |
+--+---------+------------------+-------------------+

Then, we add the user to the group (or, as an ISP, sell them a dialing
plan) by associating the username to the groups we created. We do this by
making an entry for each user we want in a group to the usergroup table
(below).

USERGROUP TABLE
+--+--------+---------+
|id|UserName|GroupName|
+--+--------+---------+
|1 |alpha   |PLAN1    |
+--+--------+---------+
|2 |beta    |PLAN2    |
+--+--------+---------+


RADCHECK TABLE
+--+--------+---------+-------------+
|id|UserName|Attribute|Value        |
+--+--------+---------+-------------+
|1 |alpha   |Password |Alphapasswd  |
+--+--------+---------+-------------+
|2 |beta    |Password |Betapasswd   |
+--+--------+---------+-------------+

We set the items which are specific to the user in either the radcheck
table (above) or the radreply table (below). Very little actually goes in
either of these tables normally because most of the settings are inherited
from the group tables. In our example, we only set up a password for the
user and in the case of username alpha, we gave them a fixed IP address.
Notice that by defining the same attribute in radreply as they user
inherited from radgroupreply, we have overridden the group values. In other
words, the attribute of Framed-IP-Address that was defined in the group was
ignored because we defined the same value for the specific user. This is
useful for things like overriding the number of logins for a specific user,
assigning fixed IP addresses, etc. 


RADREPLY TABLE
+--+--------+-----------------+-------------+
|id|UserName|Attribute        |Value        |
+--+--------+-----------------+-------------+
|1 |Alpha   |Framed-IP-Address|192.168.1.200|
+--+--------+-----------------+-------------+


IC-RADIUS currently supports a single DEFAULT entry. To use the DEFAULT
feature, create a group in radgroupcheck and radgroupreply with the items
you wish to use. Then add an entry into usergroup with the username DEFAULT
and the groupname of the group you just created. Be sure to have an
Auth-Type as a check item for the group so it knows how to authenticate 
the user, such as Auth-Type=System.


THE WEB INTERFACE
-----------------
The web interface is self-explanatory to anyone who has worked with the
old Livingston RADIUS users file.  The biggest addition is groups. Groups,
like users have check and reply pairs.  When you assign a user to a group,
they inherit the pairs from the group as well. Any pairs that exist in both
the user and the group will be overridden by the one assigned specifically
to the user.

Many reports can be run from within the web interface. Some of these include
when any user was on by date/time, username, IP address and several other
useful fields. A basic graph of port utilization is also available. There is
no longer the need to give everyone access to your server to view the log
files. You can continuously view the log from within the web administrator
by clicking auto scroll. Use the web interface to add entries for all of
your NAS hardware. When the web interface is complete there will be a manual
of its own. And it's a good thing, too, because there are many options in it
that I am not familiar with.


SUPPORT SCRIPTS
---------------
There are several useful scripts in the script sub directory such as one for
loading an existing Livingston style users file or to dump your IC-RADIUS
database to such a file. In each of these scripts, you will need to change
the $dbusername and $dbpassword as described above. These scripts all have
comment headers in them which documents what they do and usually how to use
them. If you write a useful script which might be beneficial to others,
please submit it and it will be considered for possible inclusion in future
releases.


ATTRIBUTES (A/V PAIRS)
----------------------
There are two new attributes; Monthly-Time-Limit and Total-Time-Limit. These
attributes take a integer as an argument and limit the user to that number
of seconds. Monthly-Time-Limit is reset every month. When the user gets
close to their limit it will readjust their session-timeout to the remaining
time they have left. This prevents the user from being able to use time over
their allowance without any intervention by you.

Attribute        Type    Description 
---------------- ------- -------------------------------------------------------------------
Simultaneous-Use integer Max # of concurrent logins

Exec-Program     string  Program to execute after authentication. Can take arguments. You 
                         can use macros in the arguments:
 
                           Taken from the original request:
                           %p   Port number
                           %n   NAS IP address
                           %u   User name
                           %a   Protocol (SLIP/PPP)
                           %s   Speed (connect string - eg: 28800/V42.BIS)
                           %i   Calling Station ID
 
                           Taken from the reply as defined thus far:
                           %f   Framed IP address
                           %c   Callback-Number
                           %t   MTU

Exec-Program-Wait string   Same as Exec-Program, but wait for program to finish before 
                           sending back reply to NAS.  The output from Exec-Program-Wait is 
                           parsed by the RADIUS server. If it looks like Attribute/Value pairs, 
                           they are decoded and added to the reply sent to the NAS. This way, 
                           you can for example set Session-Timeout. For backwards 
                           compatibility, if the output doesn't look like valid RADIUS A/V pairs, 
                           the output is taken as a message and added to the reply sent to the 
                           NAS as Port-Message. If Exec-Program-Wait returns a non-zero 
                           exit status, access will be denied to the user. With a zero-exit 
                           status, access is granted.

Login-Time         string  Defines the time span a user may login to the system. The format of 
                           a time string is like the format used by UUCP.  A time string may be 
                           a list of simple time strings separated by "|" or ",". Each simple 
                           time string must begin with a day definition. That can be just one 
                           day, multiple days, or a range of days separated by a hyphen. A day 
                           is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al" means 
                           all days. After that a range of hours follows in hhmm-hhmm format. 
                           For example, "Wk2305-0855,Sa,Su2305-1655". RADIUSd calculates the 
                           number of seconds left in the time span, and sets the Session-Timeout
                           to that number of seconds. So if someone's Login-Time is 
                           "Al0800-1800" and she logs in at 17:30, Session-Timeout is set to 
                           1800 seconds so that she is kicked off at 18:00. 

Monthly-Time-Limit integer Number of seconds a user may use within the current month. 
                           Resets on the 1st of each month. adjust the Session-Timeout when 
                           the user approachs the end of their time.

Total-Time-Limit   integer Total number of seconds a user may use. Never resets. Adjusts the 
                           Session-Timeout when the user approachs the end of their time.

Activation         date    Date account becomes active. The format of the Activation attribute 
                           is the same as the expiration. Three letter month, two digit day and 
                           four digit year. Ex: 'Apr 26 2000'.

Expiration         date    Date account becomes inactive.
  			
	
EXAMPLES OF A/V PAIRS
---------------------
Here's an example of how you might use Exec-Program:
Use the following entry for someone who has BSMTP (queued SMTP) service.
"brunq" is the program that runs the SMTP queue.
 
RADCHECK TABLE
+--+--------+------------+---------------------------------+
|id|UserName|Attribute   |Value                            |
+--+--------+------------+---------------------------------+
|1 |Robert  |Service-Type|Framed-User                      |
+--+--------+------------+---------------------------------+
|2 |Robert  |Exec-Program|/usr/local/sbin/brunq -h %f delta|
+--+--------+------------+---------------------------------+


TABLE DEFINITIONS
------------------
Following is a list of what specific fields are used for in some of the
tables IC-RADIUS uses.

RADACCT TABLE
+------------------+-----------+--------------------------------------------------------------+
|Field Name        |Type       |Description                                                   |
+------------------+-----------+--------------------------------------------------------------+
|RadAcctId         |bigint(21) |                                                              |
+------------------+-----------+--------------------------------------------------------------+
|AcctSessionId     |varchar(32)|Unique number assigned to eliminate duplicate records. This is|
|                  |           |supplied by the NAS. It is a string consisting of 8 uppercase |
|                  |           |hexadecimal digits. The first two digits increment each time  |
|                  |           |the NAS is rebooted. The next 6 digits begin at 0 (for the    |
|                  |           |first user login after a reboot) and increment up to          |
|                  |           |approximately 16 million logins. This is equal to one user    |
|                  |           |logging into each port of a 30-port unit every minute for an  |
|                  |           |entire year.                                                  |
+------------------+-----------+--------------------------------------------------------------+
|UserName          |varchar(32)|                                                              | 
+------------------+-----------+--------------------------------------------------------------+
|Realm             |varchar(30)|                                                              |
+------------------+-----------+--------------------------------------------------------------+
|NASIPAddress      |varchar(15)|The IP of the NAS that has sent the Accounting packets        |
+------------------+-----------+--------------------------------------------------------------+
|NASPortId         |int(12)    |The port ID as supplyed by the NAS                            |
+------------------+-----------+--------------------------------------------------------------+
|NASPortType       |varchar(32)|NAS-Port-Type records the type of port used in the connection.|
|                  |           |The port type may be any of the following: Async, Sync, ISDN, |
|                  |           |ISDN-V120, or ISDN-V110.                                      |
+------------------+-----------+--------------------------------------------------------------+
|AcctStartTime     |datetime   |Date & Time session started                                   |
+------------------+-----------+--------------------------------------------------------------+
|AcctStopTime      |datetime   |Date & Time session ended                                     |
+------------------+-----------+--------------------------------------------------------------+
|AcctSessionTime   |int(12)    |The Acct-Session-Time records the user's connection time in   |
|                  |           |seconds. This information is only included in Stop records.   |
+------------------+-----------+--------------------------------------------------------------+
|AcctAuthentic     |varchar(32)|Acct-Authentic records whether the user was authenticated via |
|                  |           |RADIUS or by the NAS User Table. Accounting records are not   |
|                  |           |generated for passthrough users, as those users are           |
|                  |           |authenticated by the destination host.                        |
+------------------+-----------+--------------------------------------------------------------+
|ConnectInfo       |varchar(32)|                                                              |
+------------------+-----------+--------------------------------------------------------------+
|AcctInputOctets   |int(12)    |Records the number of bytes received (Acct-Input-Octets)      |
|                  |           |during a session.                                             |
+------------------+-----------+--------------------------------------------------------------+
|AcctOutputOctets  |int(12)    |Records the number of bytes sent (Acct-Output-Octets) during a|
|                  |           |session.                                                      |
+------------------+-----------+--------------------------------------------------------------+
|CalledStationId   |varchar(10)|On ISDN dial-up connections (where provided by the ISDN       |
|                  |           |carrier) these attributes can be used to track physical       |
|                  |           |origination of ISDN calls.                                    |
+------------------+-----------+--------------------------------------------------------------+
|CallingStationId  |varchar(10)|On ISDN dial-up connections (where provided by the ISDN       |
|                  |           |carrier) these attributes can be used to track physical       |
|                  |           |origination of ISDN calls.                                    |
+------------------+-----------+--------------------------------------------------------------+
|AcctTerminateCause|varchar(32)|The Acct-Terminate-Cause indicates the cause of a session's   |
|                  |           |termination. This information only appears in Stop records.   | 
|                  |           |Admin-Resest: Port was reset by an administrator.             |
|                  |           |Host-Request: Session was disconnected or logged out by the   |
|                  |           |  Login-IP-Host. This can indicate normal termination of a    |
|                  |           |  login session or that the remote host has crashed or become |
|                  |           |  unreachable.                                                |
|                  |           |Idle-Timeout: Idle timer expired for user or port.            |
|                  |           |Lost-Carrier: Session terminated when the modem dropped DCD.  |
|                  |           |  This can indicate any of the following: the user or his     |
|                  |           |  modem hung up the phone from their end (in which case there |
|                  |           |  is no problem), the line was dropped, the line took a noise |
|                  |           |  hit too severe for the modem to recover from, or the local  |
|                  |           |  modem dropped DCD for some other reason.                    |
|                  |           |  Port-Error: PortMaster had to reset the port. Most commonly |
|                  |           |  occurs when a device attached to the port caused too many   |
|                  |           |  interrupts.                                                 |
|                  |           |Session-Timeout: Session timer expired for user.              |
|                  |           |User-Error: PortMaster received a PPP Configuration Request or|
|                  |           |  ACK when a session was already established, so it terminated|
|                  |           |  the session. This is caused by a PPP implementation error in|
|                  |           |  the dial-in client.                                         |
|                  |           |User-Request: Dial-in PPP client requested that we terminate  |
|                  |           |  the connection. This message is expected from a proper PPP  |
|                  |           |  client termination.                                         |
+------------------+-----------+--------------------------------------------------------------+
|ServiceType       |varchar(32)|                                                              | 
+------------------+-----------+--------------------------------------------------------------+
|FramedProtocol    |varchar(32)|                                                              |
+------------------+-----------+--------------------------------------------------------------+
|FramedIPAddress   |varchar(15)|                                                              |
+------------------+-----------+--------------------------------------------------------------+
|AcctStartDelay    |int(12)    |The number of seconds that have passed between the event and  |
|                  |           |the current attempt to send the record, this number is the    |
|                  |           |Acct-Delay-Time value. The approximate time of an event can be|
|                  |           |determined by subtracting the Acct-Delay-Time from the time of|
|                  |           |the record's arrival on the RADIUS accounting server.         |
+------------------+-----------+--------------------------------------------------------------+
|AcctStopDelay     |int(12)    |Same as AcctStartDelay, except applies to Stop record.        |
+------------------+-----------+--------------------------------------------------------------+
 

OTHER RESOURCES
---------------
Here are links to other things that might help you if you run into problems.
These are provided because there is no way we can include a thorough
explanation of how to install everything you need to make IC-RADIUS run.
Hopefully, if we didn't give you what you needed in this document,
you can at least get some help on these sites. If you know of a good
resource not listed here, let us know about it and we'll add it to the list.

PERL
----
http://www.perl.com/CPAN-local/modules/01modules.index.html
http://search.cpan.org/
http://www.switch.ch/misc/leinen/snmp/perl/
http://www.iserver.com/support/virtual/perl/mod/install.html

MYSQL
-----
http://www.mysql.com/documentation/index.html
http://www.mysql.com/doc/R/e/Replication_FAQ.html

DBI
---
http://www.mysqlwebring.com/faq.php?user_action=view_detail&faq_id=90&category_id=22
http://www.wizdom.org.uk/linux/mysql.shtml

RADIUS
------
http://www.freeradius.org/rfc/rfc2138.txt
http://www.freeradius.org/rfc/rfc2139.txt
http://www.livingston.com/tech/docs/radius/RADIUSTOC.html
http://www.miquels.cistron.nl/radius/README
http://icradius.hislora.com.au/

IC-RADIUS
--------
ftp://ftp.cheapnet.net/pub/icradius/README
http://www.kopower.com/pipermail/icradius-archive/
http://radius.innercite.com/cgi-bin/faqdb.cgi
http://www.lib.uaa.alaska.edu/icradius/
http://radius.innercite.com/htdig/search.html

RFC'S
-----
http://www.ietf.org/


DISCLAIMER
----------
IC-RADIUS is not supported by InnerCite. InnerCite does not claim
responsibility of any kind for IC-RADIUS. IC-RADIUS is provided AS IS with
no warranty of any kind. The authors and document maintainer make no
claims as to the accuracy of this document. Any information contained herein
is to be used at your own risk.


InnerCite Inc.
http://www.innercite.com/
http://RADIUS.innercite.com
