Radiator Technical

Radiator is the RADIUS server for serious ISPs and carriers who want power and flexibility to meet the needs of their changing technical environment and growing user base.

 

Product Specifications

Radiator supports a wide range of features not found on many other RADIUS servers:

  • Full source code provided
  • Extreme flexibility and configurability with web based GUI for configuration and monitoring
  • Over 60 different authentication methods are supported, which can be mixed and chained to suit almost any authentication need
  • Unlimited users
  • Complies with RFCs 2138, 2139, 2548, 2619, 2621, 2865, 2866, 2867, 2868, 2869, 4669, 4671
  • Complies with 3GPP2 P.S0001-A Wireless IP Network Standard
  • Supports RadSec - secure, reliable RADIUS proxying
  • Acts as a Diameter to RADIUS gateway for NAS authentication and accounting. Supports Diameter RFCs 3588, 4005, 4072. Diameter support includes TLS encryption, TCP or SCTP transport, accounting, PAP, CHAP, MSCHAP, MSCHAPV2 and EAP types. Interoperates with OpenDiameter
  • Supports EAP TLS in accordance with RFCs 2716 and 2246
  • Supports EAP MD5-Challenge and One-Time-Password in accordance with RFC 2284
  • Supports EAP TTLS (TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP and TTLS-MSCHAPV2)
  • Supports PEAP
  • Supports Cisco LEAP
  • Supports EAP-FAST
  • Supports EAP-PSK
  • Supports EAP-PAX
  • Supports HOTP (RFC 4226)
  • Supports TOTP
  • Radius SIP Digest authentication as per draft-sterman-aaa-sip-00.txt
  • Supports iPass and GoRemote roaming services
  • Supports many ISP billing packages
  • Supports most Vendor Specific Attributes
  • Supports most SQL databases
  • Supports most platforms
  • Supports Radar monitoring for RADIUS enterprise management
  • Test GUI for Unix allows you to test user passwords and to load test your server
  • Works with any RADIUS server and RADIUS client
  • Performance and scalability for large systems (Examples of commercial installations)
  • Integrates with complete Lawful Interception systems providing RADIUS-based triggering, traffic interception, mediation and warrant management
  • Supports IPv4 and IPv6 on RADIUS, proxy, TACACS+, SNMP connections etc
  • Supports VOIP authentication: compatible with Asterisk, SIP Express Router (SER) and MVTS Pro
  • Supports multi-platform TNC with XSupplicant and libtnc. Read the whitepaper.

 

Detailed Technical features

 

  • Supports a number of EAP authentication methods as used in 802.1X wireless LANs. This means that secure wireless authentication and communication can be easily configured.
  • Free Private server and client certificates for testing 802.1X authentication included.
  • Can act as a gateway between PEAP-MSCHAPV2 clients and non-EAP RADIUS servers.
  • Interoperates with Coova - the open source captive portal for wireless hotspot management including CoovaAP - open source hotspot access point firmware.
  • Supports Novell eDirectory with universal passwords. Universal passwords can be used with PAP, CHAP, MSCHAP, MSCHAPV2, TLS, TTLS-*, PEAP, EAP-MD5, etc.
  • Easy-to-use Web reports for usage analysis and user session details. Allows your administrators and customers to see usage information on a web page and drill down to connection details.
  • SNMP support for the IETF Radius Server MIB: gather server stats with SNMP.
  • Full suite of load balancing algorithms for RADIUS proxying.
  • Grouping, chaining, diverting and reusing of authentication methods is easy and means you can authenticate users even with very unusual collections of user databases.
  • Optional session database (DBM or SQL) and Web view.
  • Flexible and extensible event logging.
  • Utilities for creating and updating user databases in various formats are included.
  • Simultaneous-Use check item can optionally verify logins for most NASs.
  • Automatic IP address allocation from SQL database and DHCP.
  • Check items can be regular expressions.
  • Automatically choose authentication methods based on any combination of request attributes.
  • Ascend abinary Filter attributes, including generic, ip and ipx.
  • Plug-in authentication handlers.
  • Username rewriting and realm stripping.
  • Object-Oriented design and understandable code (with many comments).
  • Works with almost any SQL database schema.
  • Fault tolerant connection to your SQL server recovers when your SQL server recovers.
  • Logging to log files, STDOUT, SQL, syslog, or your own logging system.
  • Proxy-State and Proxy-Action support.
  • Proxy to primary/secondary radius servers with multiple fallbacks and round-robin DNS.
  • Multiple DEFAULT users with optional Fall-Through.
  • Auth-Type cascades authentication to another user database of any type. Checks authentication in a multitude of ways: if user is in any database, if user is in all databases or any combination.
  • Block authentication according to time of day and day of week, and force disconnection at the end of valid time blocks.
  • Rewriting of requests and replies during forwarding and proxying.
  • Run-time variable substitution in reply items.
  • Multi-homed hosts.
  • Supports proxying of EAP requests per RFC 2869 and RFC 2284
  • Primary/secondary and multiple redundant servers.
  • Connect-Rate limits maximum permitted connection speed.
  • Flat file (or any other method) backup database in the case of SQL server failure.
  • Supports plaintext, Unix Crypt, MD5 crypt, Radmin RCRYPT, SHA crypt passwords in any combination.
  • Block logins based on any combination of NAS and port.
  • Ascend Tunnel-Password encryption.
  • Radiator supports Rcrypt reversibly encrypted passwords.
  • Prefix and Suffix check items.
  • Honours the "Dialin Privilege" flag on NT User Manager.
  • Easily configurable rejection messages: tell your user why they can't log in.
  • Authentication logging lets you capture plaintext passwords from legacy users.
  • Supports IETF RADIUS Tunnelling attributes.
  • Session management works even with multiple server instances, via internal, DBM or SQL session databases.
  • Supports ADSL.
  • Supports GPRS.
  • Can optionally act as a TACACS+ server, converting TACACS+ requests into RADIUS requests.
  • Optional tunnelling of Radius requests using SOAP over HTTP or HTTPS for improved security.
  • Handles special mapping of Breezecom/Alvarion accounting VSAs.
  • Works with pGina, a Radius enabled login authenticator for Windows.
  • Bundles with Arch Red Guest server for easy administration of temporary network access.
  • Interoperates with XpressConnect Network Access Wizard - for organisations where timely and secure network access is a constant demand.
  • And much, much more.....

 

Platforms supported

  • Any Unix including Linux (Red Hat, Debian, Mandrake, SuSE, Lindows, Slackware, Ubuntu etc on Intel, Sparc, PPC, HP-PA etc), FreeBSD, NetBSD, SunOS, AIX, IRIX, SCO Open Server, Digital, HP-UX, etc
  • Solaris 8, 9, 10. 32-Bit or 64-Bit. SPARC or Intel
  • Windows 95, 98, NT, 2000, ME, XP, 2003, 2008, etc
  • Mac OS9, Mac OS X
  • Novell Open Enterprise Server (NetWare) 6.5
  • VMS
  • Microsoft Mobile 6 (OS for hand held devices)

 

802.1X support

Radiator has strong support for a wide range of 802.1X/RADIUS devices such as Wireless LAN Access Points and wired LAN switches.

Radiator supports a wide range of standard EAP authentication methods, including MD5, One-Time-Password (OTP), Generic Token Card (GTC), TLS, TTLS (including PAP, CHAP, MSCHAPV1 and MSCHAPV2), PEAP and LEAP compatible. Dynamic WEP keys are supported for PEAP, TLS and TTLS.

EAP-SIM authentication support for Radiator is available through the RADIUS EAP-SIM pack

Accurate TTLS RADIUS accounting support, more details

Radiator includes Free Private server and client certificates for testing 802.1X authentication suitable for use with TLS, TTLS and PEAP. You can find out more about EAP Certificate and Encryption options here

Wireless and Access Points

Any 802.1X Radius compatible Wireless and Access Points including:

  • 3Com SR AP 8000
  • Airborne Enterprise Wireless Device Servers and Bridges
  • Alcatel-Lucent ESAM
  • Apple Airport Base Station
  • Cisco Aironet AP340, 350/352, 1200
  • CoovaAP
  • D-Link DWL-900AP+, D-Link DWL-1000AP+
  • Extreme
  • HP 420
  • LANCOM - supports RADIUS and RadSec
  • Linksys WRT54G etc
  • Netgear ME103
  • Orinoco/Proxim AP-2000, AP-2500, AP-1000, AP-500
  • Trapeze
  • ZyXEL ZyAIR B-3000
  • Many others

Wireless Cards

Any 802.1X compatible wireless card including:

  • Cisco Aironet
  • Apple Airport
  • Netgear MA401
  • Orinoco/Proxim PC-Card
  • Many others

LAN (wired) Switches

Any 802.1X Radius compatible wired LAN switch including:

  • 3Com SuperStack 3 4400 ethernet switch family
  • Cisco Catalyst 3550
  • Foundry 4802
  • HP Procurve 2524 and 2650 series
  • Many others

Clients on each platform and the EAP types supported

Linux, Open BSD, etc:

  • Xsupplicant: MD5, TLS, TTLS (PAP, CHAP, MSCHAP, MSCHAPV2), PEAP (MSCHAPV2), EAP-SIM (with Radiator add-on EAP-SIM support package)
  • WPA_Supplicant: TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2, TTLS-EAP-MSCHAPV2, TTLS-MD5, PEAP-MSCHAPV2, PEAP-GTC, PEAP-TLS, LEAP, FAST, GTC, TLS, EAP-MSCHAPV2, MD5, PSK, PAX. EAP-SIM & EAP-AKA (with Radiator add-on EAP-SIM support package)

Windows:

  • Windows XP: TLS, PEAP (MSCHAPV2, TLS)
  • Windows 2000: TLS, PEAP (MSCHAPV2, TLS)
  • Windows Vista: TLS, PEAP (MSCHAPV2, TLS)
  • Cisco Secure Services Client: TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2, TTLS-EAP-MSCHAPV2, TTLS-MD5, PEAP-MSCHAPV2, PEAP-GTC, PEAP-TLS, LEAP, FAST, GTC, TLS, EAP-MSCHAPV2, MD5, EAP-SIM (with Radiator add-on EAP-SIM support package)
  • Alfa+Ariss SecureW2: TTLS-PAP
  • Odyssey Access client: MD5, TTLS (PAP, CHAP, MSCHAP, MSCHAPV2), EAP-Generic-Token, TLS, PEAP (MSCHAPV2, EAP-Generic-Token), LEAP, FAST, EAP-SIM & EAP-AKA (with Radiator add-on EAP-SIM support package)
  • Boingo: TLS, PEAP (MSCHAPV2, TLS)

PocketPC:

  • PocketPC 2003 Native: TLS, PEAP (EAP-MSCHAPV2)
  • Alfa+Ariss SecureW2: TTLS-PAP

Mac OSX:

  • Xsupplicant: MD5, TLS, TTLS (PAP, CHAP, MSCHAP, MSCHAPV2), PEAP (MSCHAPV2), EAP-SIM
  • Panther Native: MD5, TLS, TTLS (PAP, CHAP, MSCHAP, MSCHAPV2), PEAP (MSCHAPV2), LEAP

 

Authentication methods

Radiator can authenticate for many different realms and clients at the same time, with different databases, options and authentication methods in each realm. Multiple proxy targets, with packet and attribute filtering allow you to service both small and large ISP and carrier environments.

Radiator can authenticate users from a wide variety of different user databases, such as

  • Flat files in standard RADIUS user database format
  • DBM files in Merit DBM file format
  • Unix password format files (including shadow files)
  • Most commercial and free SQL databases
  • Proxying to other RADIUS servers by UDP
  • Proxying to other RADIUS servers by RadSec for secure reliable delivery
  • LDAP (including Umich, iPlanet/Netscape, OpenLDAP, Open Directory). Supports SSL and TLS connections, simple and SASL binding.
  • Tacacs Plus (PAP and CHAP)
  • Native Windows NT user database and domains (even from Unix!)
  • Active Directory on Windows 2000
  • NIS+
  • CDB
  • POP3
  • IMAP
  • AFS Kerberos
  • Microsoft Windows LSA
  • PAM, and thus any authentication method supported by PAM
  • Custom One-Time-Password systems including auto password generation and customisable back-channel password delivery such as SMS (SMS gateway not included)
  • RAdmin User Administration
  • saslauthd authentication server from Cyrus SASL
  • Your legacy user database
  • External programs and scripts
  • iPASS Roaming Network both inbound and outbound authentication and accounting.
  • Other methods contributed by Radiator users
  • RSA Security RSA Mobile and Authentication Manager
  • Telstra DialConnect
  • CHAP authentication
  • Apache htgroup files
  • OPIE one-time-passwords
  • MSCHAP (v1 and v2) authentication and MPPE Keys as per RFC 2548.
  • Cisco VOIP implementations
  • Works with most EAP authentication protocols
  • Compatible with MICROS-Fidelio OPERA Property Management System
  • Novell eDirectory, including support for Novell Universal Passwords and NMAS Methods such as the Vasco Digipass NMAS Method.

Token Based Authentication

  • RSA Security SecurID: SecurID authenticators provide two-factor security access. Support for ACE/Server 5.0, 5.1 and 5.2, plus Authentication Manager (formerly ACE/Server) 6.1 (see Implementation Guide) and RSA Authentication Manager 7.1 (see Implementation Guide).
  • SafeWord: SafeWord PremierAccess with fixed (static) passwords and SafeWord Silver and Gold tokens. From: Aladdin
  • SecureOTP: SecureOTP - token-based 1 or 2 factor authentication system by SecureMetric, offering event based, time based, hybrid and CR (challenge response) Tokens.
  • VASCO Digipass: Digipass Token-based authentication can be added to new or existing RADIUS infrastructure. Read the Radiator Digipass Support white paper for more information.
  • WiKID: WiKID Strong Authentication System - dual-source, software-based two-factor authentication system. Available with both soft- and hardware tokens. How to use WiKID Strong Authentication with OSC's Radiator
  • YubiKey: YubiKey - USB-key for instant access to networks and services that works on multiple platforms and does not need any client software. From: Yubico

 

SQL Databases supported

Radiator works with any SQL database that has Perl DBD support, including:

  • Oracle
  • Informix
  • Sybase
  • mSQL
  • MySQL
  • Microsoft SQL including versions 6.5, 7, 2000 and 2005
  • ODBC
  • Interbase
  • SAP
  • PostgreSQL
  • SQLite

Radiator interoperates with Continuent's uni/cluster for MySQL which provides high availability, scalability and manageability services for MySQL, PostgreSQL and Sybase.

OSC can provide assistance with converting passwords from Cisco Secure ACS database dumps or Juniper Networks Steel Belted Radius RIF export files. Contact us for details

Accounting

Radiator can store accounting information in a variety of formats including:

  • flat files in standard Livingston radius accounting file format
  • most free and commercial SQL databases
  • proxying to other Radius servers
  • RAdmin User Administration
  • most ISP billing packages
  • your legacy accounting database
  • wtmp files
  • proxying to a SOAP server
  • compatible with MICROS-Fidelio Opera Property Management System

Radiator is compatible with UserTracking2 which is a free tool that allows network administrators to make a link between 802.1X layer 2 authentication and layer 3 IP addresses.

Billing Systems supported

Radiator supports many ISP billing packages including:

  • Platypus
  • Emerald
  • EngageIP (previously Hawk-i)
  • Billmax
  • Rodopi
  • Freeside
  • ISPBill
  • Advanced ISP Billing
  • Micros-Fidelio Opera Property Management System
  • Jet ISP billing
  • any ISP billing package that supports Livingston standard users and accounting detail files.

 

NAS (Network Access Servers) supported

Radiator has been tested with the following clients and servers and will work with any RADIUS compliant client or server.

  • Alcatel DANA
  • Altiga
  • Apple AirPort
  • Ascend (all models)
  • Assured Access X1000
  • Bay including RAC8000 and Annex Server 5399
  • Breezecom
  • Cisco routers and NAS's
  • Cisco Aironet AP340 and AP350 wireless Access Points
  • Cisco SSG and SESM
  • Computone
  • Enterasys SS2200, SSR8000 SSR8600
  • Ericsson ACC
  • Ericsson GSN
  • Ericsson IMS Diameter
  • GRIC AimTraveler
  • Huawei
  • iPASS Net Server and Roam Server
  • Livingston Portmaster including 25 and 3
  • Merit proxy server 2.4 and 3.5
  • Microsoft PPTP
  • Nokia Access Controller
  • Nomadix USG II
  • Nortel including CVX
  • Orinoco/Proxim wireless Access Points
  • Portslave 1.16
  • QuarryTech
  • Ravlin RedCreek
  • Redback, including SMS and SE 800
  • SecurityDynamics ACE/Server Radius
  • Shasta
  • Shiva
  • Spring Tide
  • Tigris
  • Unisphere
  • USR/3Com Total Control (including HiPer ARC)
  • Windows RRAS
  • Xyplex
  • And any other RADIUS compatible device

 

Vendor Specific Attributes

Radiator supports standard and non standard Vendor Specific RADIUS attributes including:

  • USR/3COM
  • Cisco (including VOIP)
  • CVX 4-byte Vendor Specific Attributes, including the Vendor Specific boolean data type.
  • Ascend
  • Breezecom with broken VSA's
  • Bay
  • Shiva
  • ACC
  • Microsoft
  • Shasta
  • Springtide
  • Altiga
  • Redcreek
  • Unisphere
  • Extreme
  • KarlNet
  • Colubris
  • Level3
  • 3GPP2
  • DTag (Deutsche Telekom)
  • Nomadix
  • Redback 64bit integers
  • others...

Lawful Interception

Radiator interoperates with several Lawful Interception solutions including:

 

Minimum System requirements

  • Unix (including Linux, Solaris, FreeBSD, NetBSD, SunOS, AIX, IRIX, SCO Open Server, Digital, HP-UX, etc), Windows 95, 98, 2000, 2003, NT, ME, XP, 2008, Mac OS9 or OS X
  • Perl5.005 or better, ActivePerl from ActiveState on Windows.
  • Perl Digest-MD5 module version 2.12 or better
  • Approx 32MB of disk space

Useful Links

 ISP board - includes helpful information for new and existing ISP's

Wireless assistance:
Tech Guide: Wi-Fi: Security For The Masses
802.1X Port Access Control for WLANs 
Deploying 802.1X for WLANs: EAP Types 
Wireless on Linux, Part 1 and Part 2
Open1x.org - Selecting An Appropriate Eap Method For Your Wireless Lan Evolution of WLAN Security 
ISP-Planet article on ISPBill using Radiator

 

 
