General RADIUS FAQ for ZipDial

Last update: 11/12/2002

RADIUS FAQ Index

  1. One (or more) of my customers can't authenticate through ZipDial. Please help!
  2. How do I setup Livingston RADIUS (or Livingston derived code like Ascend freeware) for use with ZipDial?
  3. How do I setup MERIT RADIUS servers for use with ZipDial?
  4. I'm running something besides Livingston or Merit. How do I setup ZipDial access?
  5. What type of RADIUS servers will work with ZipDial?
  6. What type of RADIUS server does ZipLink use?
  7. Can I have a firewall between my RADIUS server and the ZipLink network?
  8. Please provide me with an example users file entry.
  9. Please provide me with a dictionary file for use with your equipment.
  10. What do I need to know about RADIUS in order to successfully deploy ZipDial?
  11. Can I use any other sort of authentication (like TAC/ACS or LDAP) rather than RADIUS?
  12. Can I obtain proxy RADIUS accounting records in real time from ZipLink?
  13. What information do I need to provide to the NOC or account manager in order to change RADIUS servers?
  14. What is the difference between a RADIUS realm and a domain registered with the InterNIC?
  15. What is the format of a VPHos realm?
  16. What authentication protocols must I run on my RADIUS server?
  17. What valid characters are there in RADIUS usernames?
  18. Where can I find out more information about RADIUS on the web?
  19. What is the breakdown of the fields in RADIUS accounting packet "Connect-Info"?
  20. I am a port customer and would like to know what ports I am using?


  1. One (or more) of my customers can't authenticate through ZipDial. Please help!

    Use the following procedure to determine what to do:

    1. Obtain the username (with realm) and password of the user.
    2. Login to a ZipDial access number with username/realm and password
      --or--
      try this online authentication tool (still under construction)
    3. If it authenticates, then it is likely a problem at the client (user) end.
    4. If it doesn't authenticate, verify you have added ZipLink's RADIUS servers -- zeus and athena -- for client proxy access to your servers. How this is done is dependent upon what RADIUS server software you are running. See the rest of this FAQ for more information.

    If you do not come to a solution based upon these steps, ask the following questions:

    1. Has anything changed recently in your RADIUS setup (server IP address, shared secret, RADIUS server software)? If so, contact your account manager or ZipLink's NOC with this information.
    2. Is more than one user affected? If not, then it is likely not a RADIUS problem but one from the client (user) end.
    3. Is the user authenticating but unable to access the Internet? If so, verify the user's RADIUS file entry is correct. See "Please provide me with an example users file entry". This can also be the symptom of problems from the client (user's) end. Please try to verify this is not the case before contacting ZipLink.

    If you cannot determine the problem and must contact ZipLink, try to provide the following:

    • ID's of 3 users that fail to authenticate.
    • A username/password that can be used for testing.
    • Name and phone number for your RADIUS contact.
    • Detailed description of the problem.


  2. How do I setup Livingston RADIUS (or Livingston derived code like Ascend freeware) for use with ZipDial?

    Add the following to your clients file (by default in /etc/raddb):

    206.15.168.72    [sharedsecret]
    206.15.158.137   [sharedsecret]

    where [sharedsecret] is the shared secret from your RADIUS setup form. Please note that the default RADIUS authentication port is udp/1645.


  3. How do I setup MERIT RADIUS servers for use with ZipDial?

    Add the following to your clients file (by default located in /usr/private/etc/raddb):

    206.15.168.72    [sharedsecret]  type = proxy
    206.15.158.137   [sharedsecret]  type = proxy

    where [sharedsecret] is the shared secret from your RADIUS setup form. Please note that the default RADIUS authentication port is udp/1645.


  4. I'm running something besides Livingston or Merit. How do I setup ZipDial access?

    You must consult the documentation that came with your RADIUS software or contact your RADIUS vendor. The important information you need is:

    Primary RADIUS server is 206.15.168.72 (zeus.ziplink.net)
    Secondary RADIUS server is 206.15.158.137 (athena.ziplink.net)
    Shared secret is an arbitrary string of 5-15 non-blank characters

    Note that the default RADIUS authentication port is udp/1645.


  5. What type of RADIUS servers will work with ZipDial?

    Any RADIUS server that conforms to RFC2138/2139 should work without a problem. We use Cisco's Access Registrar product, and Cisco has tested Access Registrar with both Merit and Livingston, and of course, Access Registrar.


  6. What type of RADIUS server does ZipLink use?

    ZipLink uses Access Registrar from Cisco. Cisco does not appear to have sales information available online for Access Registrar; however, information on contacting Cisco is available on Cisco's Web site.

  7. Can I have a firewall between my RADIUS server and the ZipLink network?

    We don't recommend that ZipDial customers have a firewall. However, it can work, so long as you allow through the RADIUS ports (typically 1645 for authorizations and 1646 if you want accounting). Please note that if a firewall (or upstream router) on your network is blocking port 1645, RADIUS authentications will not work.


  8. Please provide me with an example users file entry.

    username Password = "pass"
         User-Service = Framed-User,
         Framed-Protocol = PPP,
         Framed-MTU = 1500,
         Idle-Limit = 900 

    You would, of course, replace "username" and "pass" (the password should be kept in quotes) with the account's username and password. Also, you can add other attributes as you see fit. ZipLink currently does not do attribute filtering. Note that we may begin filtering attributes if certain conditions arise in the future that require us to do so.

    Please note: the example user profile is the only one supported by ZipLink. Other configurations/attributes may work, but we cannot offer help in applying them to your user profiles.
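    The following is an added example, not ZipLink's code or part of any RADIUS distribution: it parses a Livingston-style users file entry (the layout shown above) into its check items and reply items, then reports which items of the supported profile are missing or set differently. The sample entry is constructed; the attribute names and values come from the profile above.

```python
# Added example; not ZipLink's code.  Parses a Livingston-style users file
# entry (the format the FAQ shows) into the check items on the first line
# and the reply items on the following lines, then reports which items of
# the FAQ's supported profile are missing or different.
import re

# Constructed sample entry, laid out as in the FAQ.
SAMPLE_ENTRY = '''username Password = "pass"
     User-Service = Framed-User,
     Framed-Protocol = PPP,
     Framed-MTU = 1500,
     Idle-Limit = 900
'''

# The only user profile the FAQ says ZipLink supports.
SUPPORTED_REPLY_ITEMS = {
    "User-Service": "Framed-User",
    "Framed-Protocol": "PPP",
    "Framed-MTU": "1500",
    "Idle-Limit": "900",
}

# One "Attribute = value" pair; the value is either a double-quoted string
# or a bare token that stops at the next comma or whitespace.
_PAIR = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')


def _parse_items(text):
    """Turn 'A = 1, B = "x y"' into {"A": "1", "B": "x y"}."""
    items = {}
    for match in _PAIR.finditer(text):
        name, value = match.group(1), match.group(2)
        if value.startswith('"'):
            value = value[1:-1]          # drop the surrounding quotes
        items[name] = value
    return items


def parse_users_entry(entry):
    """Split one entry into its name, check items and reply items.

    Livingston puts the user name and the check items (such as the
    Password, stored in clear text, so keep the file readable only by the
    RADIUS daemon's account) on the first line; every following indented
    line holds reply items, comma-separated, with no comma after the last.
    """
    lines = [line for line in entry.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty entry")
    head = lines[0].split(None, 1)
    name = head[0]
    check = _parse_items(head[1]) if len(head) > 1 else {}
    reply = _parse_items(" ".join(lines[1:]))
    return {"name": name, "check": check, "reply": reply}


def profile_differences(entry):
    """Return the supported reply items this entry lacks or sets differently."""
    reply = parse_users_entry(entry)["reply"]
    return sorted(attr for attr, value in SUPPORTED_REPLY_ITEMS.items()
                  if reply.get(attr) != value)


if __name__ == "__main__":
    parsed = parse_users_entry(SAMPLE_ENTRY)
    print(parsed["name"], parsed["check"], parsed["reply"])
    print("differences from supported profile:", profile_differences(SAMPLE_ENTRY))
```

    Running it against an entry that leaves out Idle-Limit returns ["Idle-Limit"], which is the kind of difference to look for when a user authenticates but cannot reach the Internet (question 1 above).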


  9. Please provide me with a dictionary file for use with your equipment.

    The Assured Access/Alcatel equipment currently uses all non-proprietary attributes, so no special dictionary is required.

    *The Bay 5399 dictionary is based on Merit syntax, and is Bay specific!


  10. What do I need to know about RADIUS in order to successfully deploy ZipDial?

    1. Do you have a RADIUS infrastructure set up and working? Is the person who setup your RADIUS infrastructure available for assistance should you need it?
    2. Do you have someone on staff who is RADIUS knowledgeable and whose responsibility it is to support RADIUS?
    3. Have you successfully added a user and authenticated that user via your RADIUS infrastructure?
    4. Do you know how to add a client (i.e., another RADIUS server) to your RADIUS infrastructure?
    5. Is your RADIUS server on a full time, dedicated LAN/WAN (not dial-up) connection in a secure area (not a garage or basement)?


  11. Can I use any other sort of authentication (like TAC/ACS or LDAP) rather than RADIUS?

    We are investigating ways of supporting LDAP authentication through our RADIUS infrastructure, but cannot offer it at this time. We do not have any plans at this time to support TAC/ACS.


  12. Can I obtain proxy RADIUS accounting records in real time from ZipLink?

    Yes, our default service offering includes RADIUS accounting records in near real time. If you do not wish to receive these accounting records, please contact your account manager or ZipLink's NOC.


  13. What information do I need to provide to ZipLink's NOC or my account manager in order to change RADIUS servers?

    1. Name of new RADIUS server.
    2. IP address of new RADIUS server.
    3. Realm(s) server should be activated on.
    4. Access method (round robin or failover).
    5. Shared secret of new RADIUS server.
    6. Whether or not to leave your old RADIUS server in our configuration.

    We cannot properly configure additional customer RADIUS servers without this information.


  14. What is the difference between a RADIUS realm and a domain registered with the InterNIC?

    With RADIUS, a realm is used to separate one name space from another. This allows there to be a login known as user@dom1.com and a login known as user@dom2.com. Under ZipDial, it also allows us to segment customer logins, so authentications go to the appropriate RADIUS server(s). A domain is registered with the InterNIC, and used for mapping servers and services to IP addresses, such as Web, e-mail, etc.

    A domain has no real relationship to a RADIUS realm except in that a ZipDial realm is often the same as a ZipDial customer's domain. However, there is no requirement for this, and in fact we often assign realms with no top level domain (user@dom1 -- so no ".com") or through an acronym or some modification of service name (user@isp). A realm can also be prefixed to usernames by using a "/" (so one would use ISP/user).

    Whether to use a full domain or abbreviated form of one for a realm, or to have a prefixed or suffixed realm, is up to the ZipDial customer.


  15. What is the format of a VPHos realm?

    Due to how the VPHos application works, there is a restriction where the RADIUS realm must be a domain registered through the InterNIC. In other words, the realm must always end with a .com, .net, .org or other valid top level domain. Note that this restriction only applies to ZipDial customers using VPHos.


  16. What authentication protocols must I run on my RADIUS server?

    ZipDial customers must have both PAP and CHAP enabled on their proxy RADIUS servers. Typically, if CHAP fails, the retry, which uses PAP, will succeed. This behavior only occurs on our Alcatel/Assured Access equipment; the Nortel/Bay equipment at some of our POPs only supports PAP.
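    The following is an added example, not ZipLink's, Cisco's or any RADIUS vendor's code. It shows the two password checks a customer's RADIUS server must be able to perform for the "both PAP and CHAP" requirement above, following RFC 2865 (the successor to the RFC 2138 cited in this FAQ): the User-Password hiding that PAP uses (section 5.2) and the CHAP-Password digest (section 5.3). The shared secret, Request Authenticator, challenge and password values are constructed for the demonstration.

```python
# Added example; not ZipLink's, Cisco's or any vendor's code.  Shows the two
# password checks a customer's proxy-reachable RADIUS server has to support
# for the FAQ's "both PAP and CHAP" requirement, following RFC 2865 (the
# successor to the RFC 2138 cited in this FAQ): the User-Password hiding
# used by PAP (section 5.2) and the CHAP-Password digest (section 5.3).
# The secret, Request Authenticator, challenge and password are constructed.
import hashlib
import hmac


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of PAP: pad to a multiple of 16 bytes (at least 16), then XOR each
    block with MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator in place of a previous block."""
    size = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of PAP: reverse hide_pap_password.  Trailing NUL padding is
    stripped, so a real password must not end in NUL bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side of CHAP: CHAP-Password = ident byte + MD5(ident + password + challenge)."""
    ident_byte = bytes([ident & 0xFF])
    return ident_byte + hashlib.md5(ident_byte + password + challenge).digest()


def chap_verify(chap_password: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side of CHAP: recompute the digest from the clear-text password.
    Only works if the server can read the clear-text password; a user store
    that keeps one-way hashes can verify PAP but never CHAP."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], password, challenge)
    return hmac.compare_digest(expected, chap_password)


def authenticate(attrs: dict, stored_password: bytes, secret: bytes, authenticator: bytes) -> bool:
    """Choose the check by which attribute the NAS sent.  CHAP-Challenge is
    optional; when absent, the Request Authenticator is the challenge."""
    if "CHAP-Password" in attrs:
        challenge = attrs.get("CHAP-Challenge", authenticator)
        return chap_verify(attrs["CHAP-Password"], stored_password, challenge)
    if "User-Password" in attrs:
        recovered = unhide_pap_password(attrs["User-Password"], secret, authenticator)
        return hmac.compare_digest(recovered, stored_password)
    return False


if __name__ == "__main__":
    secret = b"example-shared-secret"           # constructed
    authenticator = bytes(range(16))            # constructed Request Authenticator
    pap = {"User-Password": hide_pap_password(b"pass", secret, authenticator)}
    chap = {"CHAP-Password": chap_response(7, b"pass", authenticator)}
    print("PAP:", authenticate(pap, b"pass", secret, authenticator))
    print("CHAP:", authenticate(chap, b"pass", secret, authenticator))
```

    Two points the code makes concrete: a wrong shared secret makes PAP fail because the recovered password is garbage (so a secret mismatch looks like a bad password for every user, matching the first question in the troubleshooting list above), and CHAP can only be verified by a server that holds the clear-text password, which is why a CHAP attempt against a hash-only user store fails and the PAP retry is what lets the user in. On ports: the udp/1645 mentioned throughout this FAQ is the original RADIUS port; RFC 2865 assigned udp/1812 for authentication and udp/1813 for accounting, and most current servers can listen on both pairs.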


  17. What valid characters are there in RADIUS usernames?

    Any printable, non-control character except "/" and "@" is valid in a RADIUS user name. "/" and "@" are not allowed because they are used as separators between the login and the realm.
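    The following is an added example, not ZipLink's code. It splits a login into its user and realm parts for both realm placements described in question 14 (suffix "user@dom1.com", prefix "ISP/user"), applies the character rule above, and, for question 15, performs the part of the "realm must be a registered domain" rule that can be checked locally (at least one dot and an alphabetic top-level label); whether the domain is actually registered cannot be known offline. The logins in the demonstration are constructed.

```python
# Added example; not ZipLink's code.  Splits a ZipDial-style login into its
# user and realm parts for both realm placements the FAQ describes
# (suffix "user@dom1.com", prefix "ISP/user") and checks the character
# rule: printable, non-control characters only, with "/" and "@" reserved
# as separators.  The VPHos check at the end is only the necessary part
# of "realm must be a registered domain" (a dot and an alphabetic top-level
# label); it cannot know whether the domain is actually registered.

SEPARATORS = "/@"


def split_realm(login: str):
    """Return (user, realm); realm is None when no separator is present.
    The prefix form is tried first, then the suffix form."""
    if "/" in login:
        realm, _, user = login.partition("/")
        return user, realm
    if "@" in login:
        user, _, realm = login.partition("@")
        return user, realm
    return login, None


def character_problems(part: str, label: str):
    """Describe every character of `part` that the FAQ does not allow."""
    problems = []
    for pos, ch in enumerate(part):
        if ch in SEPARATORS:
            problems.append(f"{label}: separator {ch!r} at position {pos}")
        elif not ch.isprintable():
            problems.append(f"{label}: non-printable character {ch!r} at position {pos}")
    return problems


def validate_login(login: str) -> dict:
    """Split the login and collect problems in both the user and realm parts."""
    user, realm = split_realm(login)
    problems = character_problems(user, "user")
    if not user:
        problems.append("user: empty")
    if realm is not None:
        problems += character_problems(realm, "realm")
        if not realm:
            problems.append("realm: empty")
    return {"user": user, "realm": realm, "ok": not problems, "problems": problems}


def looks_like_registered_domain(realm: str) -> bool:
    """Necessary (not sufficient) test for the VPHos rule: at least two
    non-empty labels and an alphabetic top-level label such as com/net/org."""
    labels = realm.split(".")
    return len(labels) >= 2 and all(labels) and labels[-1].isalpha()


if __name__ == "__main__":
    # Constructed logins: two valid forms, a bare realm, a control character
    # inside the user part, and a stray second separator.
    for login in ("user@dom1.com", "ISP/user", "user@dom1", "us\ter@isp", "bad@user@isp"):
        print(repr(login), validate_login(login))
```

    A login that fails validate_login here is one the separators would split differently on the proxy side, which is worth ruling out before treating a failed authentication as a server problem.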


  18. Where can I find out more information about RADIUS on the web?

    STANDARDS
    rfc2138 and rfc2139 (the RADIUS associated standards) can be found by clicking on the appropriate link.

    FREE RADIUS SOURCE CODE
    Livingston (now Lucent) sources [NOTE -- only version 1.x sources are free].
    Cistron information.
    Merit information.

    COMMERCIAL RADIUS PRODUCTS
    Microsoft has a free, easy-to-configure RADIUS server that runs under NT.
    Access Registrar, a Cisco product.
    Steel-Belted RADIUS, a Funk product.
    Radiator, a RADIUS server written in Perl.

    There are many other commercial RADIUS servers, including (but not limited to): Lucent/Ascend.

  19. What is the breakdown of the fields in RADIUS accounting packet "Connect-Info"?

    An example of a Connect-Info accounting packet is as follows:

    Field number   1               2      3      4        5    6    7    -----8-----
    Connect-Info = Mo.1.14.1.1.52  50667  26400  DYNAMIC  PPP  PAP  V90  LAPM V42BIS

    The field definitions are as follows, reading left to right after the equal sign (field 8 takes all of the remaining tokens):

    1 modem
    2 user speed (Internet to subscriber)
    3 Alcatel speed (subscriber to Internet)
    4 "DYNAMIC" or "STATIC"
    5 connection type
    6 auth protocol
    7 modem protocol
    8 modem options
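    The following is an added example, not ZipLink's code: a parser that splits a Connect-Info value into the eight fields listed above, treating everything after field 7 as the modem options of field 8, plus a small summary over several records of which authentication protocol each session used. The accounting lines it runs on are constructed in the layout of the sample above.

```python
# Added example; not ZipLink's code.  Splits the Connect-Info string from
# an accounting record into the eight fields the FAQ lists.  Fields 1-7
# are single tokens; field 8 (modem options) takes whatever tokens
# remain, since the FAQ's sample shows it spanning "LAPM V42BIS".  The
# accounting lines under SAMPLE_LINES are constructed for the demo.
from collections import Counter

FIELD_NAMES = ("modem", "user_speed", "alcatel_speed", "address",
               "connection", "auth_protocol", "modem_protocol")

# Constructed accounting records in the FAQ's "Connect-Info = ..." layout.
SAMPLE_LINES = [
    "Connect-Info = Mo.1.14.1.1.52 50667 26400 DYNAMIC PPP PAP V90 LAPM V42BIS",
    "Connect-Info = Mo.1.14.1.1.53 33600 33600 DYNAMIC PPP CHAP V34 LAPM",
    "Connect-Info = Mo.1.14.1.2.07 48000 26400 STATIC PPP PAP V90 LAPM V42BIS",
]


def parse_connect_info(text: str) -> dict:
    """Parse one Connect-Info value (with or without the 'Connect-Info =' prefix)."""
    name, sep, value = text.partition("=")
    if not sep:                       # bare value without the attribute name
        value = text
    elif name.strip() != "Connect-Info":
        raise ValueError(f"not a Connect-Info attribute: {text!r}")
    tokens = value.split()
    if len(tokens) < len(FIELD_NAMES):
        raise ValueError(f"expected at least {len(FIELD_NAMES)} fields, got {len(tokens)}")
    record = dict(zip(FIELD_NAMES, tokens))
    record["user_speed"] = int(record["user_speed"])        # field 2: Internet -> subscriber
    record["alcatel_speed"] = int(record["alcatel_speed"])  # field 3: subscriber -> Internet
    if record["address"] not in ("DYNAMIC", "STATIC"):
        raise ValueError(f"field 4 must be DYNAMIC or STATIC, got {record['address']!r}")
    record["modem_options"] = tokens[len(FIELD_NAMES):]     # field 8: zero or more tokens
    return record


def auth_protocol_counts(lines) -> Counter:
    """How many sessions used each authentication protocol (field 6)."""
    return Counter(parse_connect_info(line)["auth_protocol"] for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_connect_info(line))
    print(auth_protocol_counts(SAMPLE_LINES))
```

    The protocol count is a quick way to confirm from your own accounting records that CHAP sessions are actually succeeding rather than every login falling back to the PAP retry described in question 16.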
    

  20. I am a port customer and would like to know what ports I am using?

    Here are the steps:

    1. Point your browser to https://atlas.ziplink.net
    2. Login with the username and password given to you by your sales rep

    If you have active sessions, the display will be something like the following:

    
    [12 hour graph]
    [48 hour graph]
    [links to 7-day and 30-day graphs]
    
    NAS       NAS-Port   User-Name     Duration
    1.2.3.4    798726  user@isp.net    04:59:43  
    4.5.6.7    274438  user2@isp.net   04:59:11  
    
    
    The above fields have the following meanings:
    
    NAS       The IP address of the Network Access Server the subscriber is logged into
    NAS-Port  The NAS port the subscriber is logged into 
    User-Name The user name of the subscriber
    Duration  The duration of the session in hours:minutes:seconds
    
    
    NOTES:

    • A multi-channel connection will show up with 1 port per connection, i.e., a dual-channel ISDN connection will show a user logged in twice
    • The graphs are updated more often than the actual port counts are for performance reasons