Radiator technical information

Radiator supports a wide range of features not found on many other RADIUS servers

Product specifications

  • Full source code provided
  • Extreme flexibility and configurability with web based GUI for configuration and monitoring
  • Over 60 different authentication methods are supported, which can be mixed and chained to suit almost any authentication need
  • Unlimited users
  • Complies with RFCs 2548, 2619, 2621, 2865, 2866, 2867, 2868, 2869, 3579, 4669, 4671, 5176, 5997
  • Dictionary or other applicable support for RFCs 4372, 4849, 4675, 4849, 5080, 5447, 5580, 5607, 5904, 6158, 6929, 6519, 6572, 6677, 7055, 7268, 8044
  • Supports RFC 6614, also known as RadSec - secure, reliable RADIUS proxying
  • Acts as a Diameter to RADIUS gateway for NAS authentication and accounting. Supports Diameter RFCs 3588, 6733, 4072, 4005, 7155. Diameter support includes TLS encryption, TCP or SCTP transport, accounting, PAP, CHAP, MSCHAP, MSCHAP-V2 and EAP types. Interoperates with Cisco, NSN, Juniper, Huawei and other vendors
  • Acts as a RADIUS to Diameter gateway for NAS authentication and accounting.
  • Supports EAP in accordance with RFC 3748
  • Supports EAP-MD-Challenge, EAP-OTP and EAP-GTC, RFC 3748
  • Supports EAP TLS, RFC 5216
  • Supports EAP TTLS, RFC 5281
  • Supports PEAP, IETF drafts and MS-PEAP
  • Supports EAP-MSCHAP-V2
  • Supports Cisco LEAP
  • Supports EAP-FAST, RFC 4851
  • Supports EAP-pwd, RFC 5931
  • Supports EAP-PSK, RFC 4764
  • Supports EAP-PAX, RFC 4746
  • EAP-SIM, EAP-AKA, EAP-AKA', 3GPP AAA Server and other related features are available through Radiator SIM Pack
  • Acts as authentication server for IEEE 802.1X with support for IEEE 802.1AE, also known as MACsec
  • Supports HOTP, RFC 4226
  • Supports TOTP, RFC 6238, sometimes referred as Google Authenticator
  • RADIUS SIP Digest authentication as per draft-sterman-aaa-sip-00.txt and RFC 5090
  • Diameter 3GPP EIR and other carrier features are available through Radiator Carrier Pack
  • Diameter 3GPP GBA/BSF support for VoLTE Supplementary Services and other related features are available through Radiator GBA/BSF Pack
  • Diameter 3GPP PCRF, PCEF, OCS, and other Diameter and RADIUS related policy and charging features are available through Radiator Telco Pack
  • Complies with 3GPP2 P.S0001-A Wireless IP Network Standard up to version 3GPP X.S0011
  • Supports iPass and GoRemote roaming services
  • Supports SIP2 - the 3M Standard Interchange Protocol (SIP) 2.0
  • Supports many ISP billing packages
  • Supports most Vendor Specific Attributes
  • Supports most SQL databases
  • Supports most platforms
  • Supports Radar monitoring for RADIUS enterprise management
  • Test command line and GUI utility allows you to test user passwords and to load test your server
  • Works with any RADIUS server and RADIUS client
  • Performance and scalability for large systems (Examples of commercial installations)
  • Integrates with complete Lawful Interception systems providing RADIUS-based triggering, traffic interception, mediation and warrant management
  • Supports IPv4 and IPv6 on RADIUS, proxy, TACACS+, SNMP connections etc. Supported RFCs include 3162 4818 4669 4671 and 6911
  • Supports VOIP authentication such as Asterisk

Technical features

  • Supports a number of EAP authentication methods as used in 802.1X wireless LANs. This means that secure wireless authentication and communication can be easily configured.
  • Free Private server and client certificates for testing 802.1X authentication included.
  • Can act as a gateway between PEAP-MSCHAPV2 clients and non-EAP RADIUS servers.
  • Interoperates with Coova - the open source captive portal for wireless hotspot management including CoovaAP - open source hotspot access point firmware.
  • Supports Novell eDirectory with universal passwords. Universal passwords can be used with PAP, CHAP, MSCHAP, MSCHAPV2, TLS, TTLS-*, PEAP, EAP-MD5, etc.
  • SNMP support for the IETF Radius Server MIB: gather server stats with SNMP.
  • Full suite of load balancing algorithms for RADIUS proxying.
  • Grouping, chaining, diverting and reusing of authentication methods is easy and means you can authenticate users even with very unusual collections of user databases.
  • Flexible and extensible event logging.
  • Utilities for creating and updating user databases in various formats are included.
  • Simultaneous-Use check item can optionally verify logins for most NASs.
  • Automatic IP address allocation from SQL database and DHCP.
  • Check items can be regular expressions.
  • Automatically choose authentication methods based on any combination of request attributes.
  • Ascend abinary Filter attributes, including generic, ip and ipx.
  • Plug-in authentication handlers.
  • Username rewriting and realm stripping.
  • Object-Oriented design and understandable code (with many comments).
  • Works with almost any SQL database schema.
  • Fault tolerant connection to your SQL server recovers when your SQL server recovers.
  • Logging to log files, STDOUT, SQL, syslog, or your your own logging system.
  • Proxy-State and Proxy-Action support.
  • Proxy to primary/secondary radius servers with multiple fallbacks and round-robin DNS.
  • Multiple DEFAULT users with optional Fall-Through.
  • Auth-Type cascades authentication to another user database of any type. Checks authentication in a multitude of ways: if user is in any database, if user is in all databases or any combination.
  • Block authentication according to time of day and day of week, and force disconnection at the end of valid time blocks.
  • Rewriting of requests and replies during forwarding and proxying.
  • Run-time variable substitution in reply items.
  • Multi-homed hosts.
  • Primary/secondary and multiple redundant servers.
  • Connect-Rate limits maximum permitted connection speed.
  • Flat file (or any other method) backup database in the case of SQL server failure.
  • Supports plaintext, Unix Crypt, MD5 crypt, Radmin RCRYPT, SHA crypt passwords in any combination.
  • Block logins based on any combination of NAS and port.
  • Ascend Tunnel-Password encryption.
  • Radiator supports Rcrypt reversibly encrypted passwords.
  • Prefix and Suffix check items.
  • Honours the "Dialin Privilege" flag on NT User Manager.
  • Easily configurable rejection messages: tell your user why they can't log in.
  • Authentication logging lets you capture plaintext passwords from legacy users.
  • Supports IETF RADIUS Tunnelling attributes.
  • Session management works even with multiple server instances, via internal, DBM or SQL session databases.
  • Supports ADSL.
  • Supports GPRS, UMTS and 4G/LTE
  • Can optionally act as a TACACS+ server, converting TACACS+ requests into RADIUS requests.
  • Optional tunnelling of Radius requests using SOAP over HTTP or HTTPS for improved security.
  • Handles special mapping of Breezecom/Alvarion accounting VSAs.
  • And much, much more.....

Supported platforms

  • Unix and Linux
  • Solaris 8, 9, 10, 11. 32-Bit or 64-Bit. SPARC or Intel
  • Windows 7/8/8.1/10 and Server 2008/2012/2016
  • Mac OS X
  • VMS

802.1X support

Radiator has strong support for a wide range of 802.1X/RADIUS devices such as Wireless LAN Access Points and wired LAN switches.

  • Radiator supports a wide range of standard EAP authentication methods, including MD5, One-Time-Password (OTP), Generic Token Card (GTC), TLS, TTLS (including PAP, CHAP, MSCHAPV1 and MSCHAPV2), PEAP and LEAP compatible.
  • EAP-SIM, EAP-AKA and EAP-AKA' authentication support for Radiator is available through Radiator SIM Pack
  • Supports IEEE 802.1AE, also known as MACsec
  • Radiator includes free private server and client certificates for testing 802.1X authentication.
Wireless Controllers and Access Points Any 802.1X Radius compatible Wireless Controllers and Access Points including:
  3Com SR AP 8000
Airborne Enterprise Wireless Device Servers and Bridges
Alcatel-Lucent ESAM
Apple Airport Base Station
Cisco WLC and Aironet APs
D-Link DWL-900AP+, D-Link DWL-1000AP+
HP 420
LANCOM - supports RADIUS and RadSec
Linksys WRT54G etc
Netgear ME103
Orinoco/Proxim AP-2000, AP-2500, AP-1000, AP-500
ZyXEL ZyAIR B-3000
Many others
Wireless Cards

Any 802.1X compatible wireless card including:

  Cisco Aironet
Apple Airport
Netgear MA401
Orinoco/Proxim PC-Card
Many others
LAN (wired) Switches Any 802.1X Radius compatible wired LAN switch including:
3Com SuperStack 3 4400 ethernet switch family
Cisco Catalyst 3550
Foundry 4802
HP Procurve 2524 and 2650 series
Many others
Clients on: Clients EAP types supported
Windows Windows Native Depends on Windows version: at least TLS, PEAP (MSCHAPV2, TLS)
Other clients Depends on the client: typically EAP-Generic-Token, TLS, PEAP (MSCHAPV2, EAP-Generic-Token), LEAP. FAST, EAP-SIM, EAP-AKA and EAP-AKA' (with Radiator add-on EAP-SIM support package)
Android Android Native TLS, PEAP (EAP-MSCHAPV2), TTLS, pwd
Windows Phone Windows Phone Native Depends on WP version: at least PEAP (EAP-MSCHAPV2)

Authentication methods

Radiator can authenticate for many different realms and clients at the same time, with different databases, options and authentication methods in each realm. Multiple proxy targets, with packet and attribute filtering allow you to service both small and large ISP and carrier environments.

Radiator can authenticate users from a wide variety of different user databases, such as

  • Flat files in standard RADIUS user database format
  • DBM files in Merit DBM file format
  • Unix password format files (including shadow files)
  • Most commercial and free SQL databases
  • Proxying to other RADIUS servers by UDP
  • Proxying to other RADIUS servers by RadSec for secure reliable delivery
  • LDAP (including Umich, iPlanet/Netscape, OpenLDAP, Open Directory). Supports SSL and TLS connections, simple and SASL binding.
  • Tacacs Plus (PAP and CHAP)
  • Native Windows NT user database and domains (even from Unix!)
  • Active Directory on Windows 2000 and later
  • AFS Kerberos
  • Heimdal Kerberos (supports PAP, EAP-MD5, EAP-MSCHAPV2, etc)
  • Microsoft Windows LSA
  • PAM, and thus any authentication method supported by PAM
  • Custom One-Time-Password systems including auto password generation and customisable back-channel password delivery such as SMS (SMS gateway not included)
  • RAdmin User Administration
  • saslauthd authentication server from Cyrus SASL
  • Your legacy user database
  • SIP2 - 3M Standard Interchange Protocol (SIP) 2.0 for authenticating and authorising library patrons
  • External programs and scripts
  • iPASS Roaming Network both inbound and outbound authentication and accounting.
  • Other methods contributed by Radiator users
  • RSA Security RSA Mobile and Authentication Manager
  • Telstra DialConnect
  • CHAP authentication
  • Apache htgroup files
  • OPIE one-time-passwords
  • MSCHAP (v1 and v2) authentication and MPPE Keys as per RFC 2548.
  • Cisco VOIP implementations
  • Works with most EAP authentication protocols
  • Compatible with MICROS-Fidelio OPERA Property Management System
  • Novell eDirectory, including support for Novell Universal Passwords and NMAS Methods such as the Vasco Digipass NMAS Method.
  • NIS+
  • CDB
  • POP3
  • IMAP
Token Based Authentication
Product Description
RSA Security SecurID

SecurID authenticators provide two-factor security access. Support for ACE/Server 5.0, 5.1 and 5.2, plus Authentication Manager (formerly ACE/Server) 6.1, RSA Authentication Manager 7.1 and 8.0.

SafeWord SafeWord PremierAccess with fixed (static) passwords and SafeWord Silver and Gold tokens.
SecureOTP SecureOTP - token-based 1 or 2 factor authentication system by SecureMetric, offering event based, time based, hybrid and CR (challenge response) Tokens.
VASCO Digipass Digipass Token-based authentication can be added to new or existing RADIUS infrastructure. Read the Radiator Digipass Support white paper for more information.
WiKID WiKID Strong Authentication System - dual-source, software-based two-factor authentication system. Available with both soft- and hardware tokens. How to use WiKID Strong Authentication with OSC's Radiator
YubiKey YubiKey - USB-key for instant access to networks and services that works on multiple platforms and does not need any client software.

SQL Databases

Radiator works with any SQL database that has Perl DBD support, including:

  • Oracle
  • Informix
  • Sybase
  • mSQL
  • MySQL
  • Microsoft SQL Server versions up to 2012
  • ODBC
  • Interbase
  • SAP
  • PostgreSQL
  • SQLite

Radiator interoperates with Continuent's uni/cluster which provides high availability, scalability and manageability services for MySQL, PostgreSQL and Sybase.

OSC can provide assistance with converting passwords from Cisco Secure ACS database dumps or Juniper Networks Steel Belted Radius RIF export files. Contact us for details


Radiator can store accounting information in a variety of formats including:

  • flat files in standard Livingston radius accounting file format
  • most free and commercial SQL databases
  • proxying to other Radius servers
  • RAdmin User Administration
  • most ISP billing packages
  • your legacy accounting database
  • wtmp files
  • proxying to a SOAP server
  • compatible with MICROS-Fidelio Opera Property Management System

ISP Billing

Radiator supports many ISP billing packages including:

NAS's (Network Access Servers) supported

Radiator has been tested with a number of clients and servers and will work with any RADIUS compliant client or server. A partial list of clients is below:

  • Alcatel DANA
  • Altiga
  • Apple AirPort
  • Ascend (all models)
  • Assured Access X1000
  • Bay including RAC8000 and Annex Server 5399
  • Breezecom
  • Cisco routers and NAS's
  • Cisco Aironet AP340 and AP350 wireless Access Points
  • Cisco SSG and SESM
  • Computone
  • Enterasys SS2200, SSR8000 SSR8600
  • Ericsson ACC
  • Ericsson GSN
  • Ericsson IMS Diameter
  • GRIC AimTraveler
  • Huawei
  • iPASS Net Server and Roam Server
  • Livingston Portmaster including 25 and 3
  • Merit proxy server 2.4 and 3.5
  • Microsoft PPTP
  • Nokia Access Controller
  • Nomadix USG II
  • Nortel including CVX
  • Orinoco/Proxim wireless Access Points
  • Portslave 1.16
  • QuarryTech
  • Ravlin RedCreek
  • Redback, including SMS and SE 800
  • SecurityDynamics ACE/Server Radius
  • Shasta
  • Shiva
  • Spring Tide
  • Tigris
  • Unisphere
  • USR/3Com Total Control (including HiPer ARC)
  • Windows RRAS
  • Xyplex
  • And any other RADIUS compatible device

VSA's (Vendor Specific Attributes)

Radiator supports standard and non standard Vendor Specific RADIUS attributes including:

  • USR/3COM
  • Cisco (including VOIP)
  • CVX 4-byte Vendor Specific Attributes, including the Vendor Specific boolean data type.
  • Ascend
  • Breezecom with broken VSA's
  • Bay
  • Shiva
  • ACC
  • Microsoft
  • Shasta
  • Springtide
  • Altiga
  • Redcreek
  • Unisphere
  • Extreme
  • KarlNet
  • Colubris
  • Level3
  • 3GPP2
  • DTag (Deutsche Telekom)
  • Nomadix
  • Redback 64bit integers
  • and many others...

Lawful Interception

Radiator interoperates with several Lawful Interception solutions including:

Minimum System Requirements

  • Unix, Linux, Windows 7/8/8.1/10, Windows Server 2008/2012/2016 or Mac OS X
  • Perl 5.8.8 or better, ActivePerl from ActiveState or Strawberry Perl on Windows.
  • 32MB of disk space for the Radiator distribution. Additional space for log files.