TekRADIUS LT Version 4.

9 Readme File
Copyright 2007-2015 KaplanSoft
0. Contents:
1. Introduction
2 .Major features
3. System requirements
4. Installing and Uninstalling
5. Configuration and running
6. Release notes
7. Trademarks
1. Introduction
TekRADIUS LT is an RADIUS AAA server (Based on RFC 2865, RFC 2866) runs under Microsoft
Windows
(XP/Vista/7/8,
2003/2008/2012
Server)
operating
system.
Visit
http://www.tekradius.com/ regularly for updates.
2. Major features
Supports features described in RFC 2865 and RFC 2866 (RADIUS protocol).
Supports TCP (RFC 6613) and TLS (RFC 6614-RadSec) transports
Logs system messages, errors and session information to a log file and limit number of simultaneous
sessions (See notes).
All parameters can be configured and RADIUS Dictionary can be edited through TRManager GUI.
Authentication and Accounting ports are user selectable.
Uses SQLite database and does not require an external database server.
You can map RADIUS Accounting attributes to Accounting table fields.
You can run TekRADIUS in Authentication only or Authorization only mode.
You can define which RADIUS attribute will be used for User-Name substitute.
You can define own Authorization query string.
PAP, CHAP, MS-CHAP v1, MS-CHAP v2, EAP-MD5, EAP-MS-CHAP v2, EAP-SIM, EAP-TLS
and PEAPv0-EAP-MS-CHAP v2 (As implemented in Windows XP SP1), Digest (draft-sterman-aaasip-00.txt) authentication methods are supported. EAP-TLS and EAP-SIM are available in
commercial editions only.
Built-in DHCP server which allows you to assign IP addresses to wireless clients based on their
usernames entered in PEAP authentication not just based on their MAC addresses.
Generates MS-MPPE Keys for VPN connections.
Supports OTP (One Time Password) authentication based RFC 2289.
You can specify an Expire-Date and User-Credit for the users and use Authentication method as a
RADIUS check item.
You can specify how much time user account will be valid after the first logon (Time-Limit) and you
can specify allowed logon days and hours (Login-Time).
TekRADIUS can send Packet of Disconnect (PoD) or execute user defined session kill command
when a user consumes all his or her credit (SP Edition only).
You can authenticate users against Windows Domain or Active Directory.
Command line utility for adding, deleting and modifying user profiles and RADIUS clients. You can
start/stop and query status of TekRADIUS service using the command line utility (trcli.exe).
User level restrictions to GUI access. Windows users in "Administrators" group can access to all
functions on TekRADIUS Manager GUI but Windows users in built-in "Users" group can access

restricted set of functions on TekRADIUS Manager GUI.

Simple reporting interface for browsing Accounting records.
Disconnects users with Packet of Disconnect (Pod) or user defined kill command.
TekRADIUS can disable user profile after user configurable number of unsuccessful login attempts.
You can specify credit limits for daily, weekly or monthly periods.
You can run and check result of an external executable as a check item.
Quick and easy installation.

3. System requirements
A Windows system with at least 2048 MB of RAM.
Microsoft.NET Framework v4.0 Client Profile.
5 MBytes of disk space for installation. Disk space required for TekRADIUS database depends on
your usage.
Administrative privileges.
PC/SC compatible smart card reader for importing SIM triplets.
4. Installing and Uninstalling
To install TekRADIUS LT, extract contents of TekRADIUSLT.zip to a temporary directory, run
Setup.exe from the distribution. Uninstall previous version if you upgrade from an earlier
version.
To uninstall TekRADIUS LT, double click TekRADIUS LT icon at Add or Remove Programs
from Control Panel.
You can use your old configuration file TekRADIUSLT.ini with the new installations. New
versions of TekRADIUS LT may introduce new attributes in the dictionary file TekRADIUS.db
so please delete old file in the installation directory. You will need to add your custom attributes
to the new TekRADIUS.db manually after installing the new version
5. Configuration and running
Please see Installation Manual which can be found in the application directory for configuration
details and operation. You can download the latest revision of the manual from TekRADIUS support
page.
Drop all active sessions properly (There should be proper functions on your access servers to do
this) on your access server before shutting down TekRADIUS for proper operations if you use
RADIUS Accounting.
6. Release notes
You can enable user profile editing functions for non-admin users in commercial editions.
(Version 4.9.7).
You can set TLS server certificate from also Settings / Service Parameters / Server Certificate
(Version 4.9.7).
You can specify an alternative authorization query (Version 4.9.7).
You can specify an alternative authentication query (Version 4.9.6).
Password change functions implemented for MS-CHAP authentication methods for use with
Windows Authentication Proxy (Version 4.9.5).
EAP-TTLS support in commercial editions. TekRADIUS supports PAP, CHAP, MSCHAPv1/v2 with EAP-TTLS (Version 4.9.2).
TekRADIUS was encrypting RADIUS client secrets by default. Encrypt Passwords option

functionality is extended to cover also RADIUS client secrets. If you have already disabled
Encrypt Passwords option you will probably need to redefine RADIUS client entries (Version
4.9.1).
TCP (RFC 6613) and TLS (RFC 6612-RadSec) transport support (Version 4.9.0).
Failed Accounting insert queries can be saved to daily rotated log files by setting Save Failed
Accounting Inserts parameter in Settings / SQL Connection (Version 4.9.0).
TekRADIUS supports OTP with CHAP, MS-CHAP-v1/v2 authentication methods. (Version
4.8.8).
Logout function for HTTP report forms. TekRADIUS accepts reply attributes from the
console output of external executable. (Version 4.8.8).
HTTP Reporting interface (Version 4.8.7).
EAP-SIM support (Version 4.8.6).
Client entries are kept in TekRADIUS database not in TekRADIUS.db (Version 4.8.1).
Generate-MS-MPPE-Keys usage has been changed in version 4.7. See TekRADIUS manual for
details.
TekRADIUS can run in 64 bits mode in 64 bits systems. (Version 4.7).
TekRADIUS uses TekRADIUS.db in place of TekRADIUS.mdb. You can convert old
TekRADIUS.mdb to TekRADIUS.db using DBConverter.exe which can downloaded from
TekRADIUS web site. (Version 4.7).
OTP (One Time Password) authentication support has been added (Version 4.5.6).
Alphanumeric client entry in SP edition. (Version 4.5.3).
Reporting functions enhanced (Version 4.4.5).
TekRADIUS can send Packet of Disconnect (PoD) or execute user defined session kill command
when a user consumes all his or her credit (Version 4.4.4).
DHCP Server functionality added. DHCP server allows you to assign IP addresses to wireless clients
based on their usernames entered in PEAP authentication not just based on their MAC addresses.
DHCP server is available in both free and commercial editions of TekRADIUS but IP address
assignment to wireless users based on their usernames feature is available only in commercial
editions of TekRADIUS (Version 4.4).
Usage of Login-Time attribute has been changed. Please see TekRADIUS manual for details
(Version 4.3).
If you enable RegExp matching you can enter check attribute values in Regular Expression format.
Called-Station-Id = 1234\d* will match all numbers start with 1234 prefix. This feature is available
in only commercial editions (Version 4.3).
You can configure Interim Update Period parameter if your RADIUS client supports sending
Interim Accounting Messages If TekRADIUS does not receive an update in specified period, active
session and simultaneous session entries will be cleared (Version 4.3).
Memory Leak problem has been solved (Version 4.3).
New performance counter added. Please see TekRADIUS Manual for details. TekRADIUS Manager
has a new tab to monitor these counters (Version 4.2).
RFC 5997 "Use of Status-Server Packets in the Remote Authentication Dial In User Service
(RADIUS) Protocol" is implemented (Version 4.1).
Search as you type feature has been added for TekRADIUS Manager (Version 4.1).
Windows Authentication with MS-CHAP-v1, MS-CHAP-v2 EAP-MS-CHAP v2 and PEAPv0-EAPMS-CHAP-v2 support has been added and available in only commercial editions (Version 4.1).
You do not have restart after modifying RADIUS client entries in version 4.0.
You can enter hexadecimal strings with 0x prefix (You can enter 0x54656B524144495553 for string
TekRADIUS) in version 4.0.
Version 4.0 adds EAP-TLS support. EAP-TLS is available in commercial edition only. A new
attribute called TLS-Client-Certificate is added. You must add this attribute to user or group profiles
for EAP-TLS authentication. When you select TLS-Client-Certificate, certificates with private keys
and enhanced key usage set to "Client Authentication" type certificates will be listed.

 TLS-Certificate attribute's name has been changed to TLS-Server-Certificate in version 4.0. You do
not need to make any configuration change. When you select TLS-Server-Certificate, certificates
with private keys and enhanced key usage set to "Server Authentication" type certificates will be
listed.
You can add Active Directory group as a check item in user and group profiles in version 4.0.
Secondary-Group attribute removed from TekRADIUS dictionary. A new attribute called NextGroup is added. You can use this attribute to chain group profiles. If you would like to authenticate a
session according to NAS-IP-Address but NAS-IP-Address could have three different values, you
can create three different group profiles for each NAS-IP-Address value and chain them using NextGroup parameter. Next-Group attribute can be used in just group profiles as a check attribute. Please
note that attributes in user profiles overrides group attributes so do not use attributes in chained
groups in user profiles (Version 3.8).
A new attribute type, Informational is added. You can add your own vendor to TekRADIUS
dictionary to store user or group specific data like address or phone numbers. Informational type
attributes are not used while authenticating or authorizing users (Version 3.8).
Version 3.7 is the first release of TekRADIUS LT edition.
Log files are kept in <Application Directory>\Logs directory and rotated daily.
7. Trademarks
TekRADIUS contains code derived from the RSA Data Security, Inc. MD4 Message-Digest
Algorithm.
Microsoft, Win32, Windows 2000, Windows, Windows NT and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
KaplanSoft is registered trademark of Kaplan Bilisim Teknolojileri Yazlm ve Ticaret Ltd.
Join TekRADIUS forums at http://forums.tekradius.com/