FW: LIVINGSTON RADIUS NT 2.0 available for FTP

Franco Nogarin ( webmaster@auroranet.nt.ca )
Wed, 21 May 1997 08:39:36 -0600

I thought you guys should see this.

Franco Nogarin
Cascade-AuroraNet-WebSpinners
webmaster@auroranet.nt.ca

-----Original Message-----
From: Carl Rigney [SMTP:cdr@livingston.com]
Sent: Tuesday, May 20, 1997 6:58 PM
To: portmaster-announce@livingston.com
Subject: RADIUS NT 2.0 available for FTP

Livingston RADIUS NT 2.0 is now available for FTP!
It has everything RADIUS 2.0 has, plus these additional features.
Installation Instructions are below. Please send any questions or
problems to support@livingston.com or 800-458-9966 or 510-737-2100 and
not to me.

LIVINGSTON RADIUS NT 2.0 RELEASE NOTE

(May 20, 1997)

INTRODUCTION

Livingston RADIUS NT 2.0 is available for Microsoft Windows NT 4.0
server or workstation. This Release Note describes the RADIUS NT 2.0
features and its implementation.

Refer to the RADIUS Administrator's Guide for more details
of Livingston RADIUS 2.0 features. All Livingston manuals are
available in Postscript, Adobe Acrobat PDF, and HTML formats.
Postscript and PDF formats are available at
ftp://ftp.livingston.com/pub/le/doc/manuals/


CONTENTS

Data Access Object (DAO) database
RADIUS NT 2.0 Features
Options in RADIUS NT 2.0
RADIUS NT 2.0 Installation
Downloading RADIUS NT 2.0
Restriction in RADIUS NT 2.0

DATA ACCESS OBJECT (DAO) DATABASE

Livingston RADIUS NT 2.0 requires a database engine called DAO
for caching purposes. DAO is included with RADIUS NT 2.0 and should
be installed prior to installing RADIUS. If your NT server or workstation
doesn't have DAO, refer to the DOWNLOADING RADIUS NT 2.0 section
to install DAO.

RADIUS NT 2.0 FEATURES

RADIUS NT 2.0 includes the following features:

1. Group is supported in RADIUS NT 2.0. Group is used only when
Auth-Type = System. When Group is specified as a check-item in the
user profile, only users within that group can be authenticated.
Group can be defined as a local group (available on Windows NT
workstation) or global group (available on Windows NT server).

The Group attribute must be a string with a length of up to 63
printable ASCII characters.

If multiple Groups are defined, in order for the user to
authenticate, that user must belong to all those Groups.
The check-item line in the RADIUS user profile can have up to 255
characters.

Example of user profile with one Group:

username Auth-Type = System, Group = "Engineering"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Framed-MTU = 1500

Example of user profile with two Groups defined:

username Auth-Type = System, Group = "Engineering", Group = "Guests"
        Service-Type = Login-User,
        Login-IP-Host = 255.255.255.255,
        Login-Service = Telnet,
        Login-TCP-Port = 23

2. When used in conjunction with ComOS 3.5 or later, the Password
in the RADIUS user profile can be up to 48 characters long.

3. The database mode of the RADIUS users file can be enabled as
a command in DOS to build the users database. To use this feature,
enter the following command at the DOS prompt:

c:\program files\livingston\RADIUS NT\radsvc.exe -builddbm

After the above utility is executed, the number of users in the
users file is logged into the Event Log. The Event Log is located
in Start | programs | Administrator Tools | Event Viewer.

In addition to the command line, the database mode can also be
enabled in the GUI: from the SetupOptions panel, select the Users
Cache option and click on Enable Users Cache for Authentication.

4. Every time the Updated Users Cache option is selected to refresh
the users database, the number of users and DEFAULT entries in
the users file will be displayed on the popup window.

5. Support For Administrative Logins

When used in conjunction with ComOS 3.5 or later, RADIUS NT 2.0
provides the ability to authenticate administrative logins with
two classes of users:

* administrative users with full configuration ability
(everything that !root can do)

* read-only administrative users who cannot change the
configuration, but can reset ports, reboot, set debug flags,
and show status.

With this feature, rather than requiring everyone in a Network
Operations Center (NOC) to know the global administrative passwords
on all the PortMasters, an individual account to track
access and limit configuration changes to appropriate personnel
can be created.

In ComOS 3.5 and later, if a RADIUS Access-Accept returns a
Service-Type of Administrative-User (6), the PortMaster treats it
as a !root login. If a RADIUS Access-Accept returns a Service-Type of
NAS-Prompt-User, a restricted administrative login is granted that has
permission to use the following commands:

* ifconfig
* ping
* ptrace
* reboot
* reset
* set console
* set debug
* show
* traceroute
* Any other commands that do not affect the configuration

A NAS-Prompt-User does not have access to the following commands: add,
delete, erase, save, tftp, or any set commands other than "set debug"
and "set console".

Following are two examples of NAS-Prompt-User and Administrative-User
in the users file:

!pmmon Password = "dontuseth1s"
        Service-Type = NAS-Prompt-User

!pmconfig Auth-Type = System, Prefix = "!"
        Service-Type = Administrative-User

Caution - If you are using your RADIUS NT server with a combination of
Livingston products and other vendors' products, confirm one of the following:

* these two Service-Types are not used by the other vendors' products, or
* the other vendors' implementation of these two Service-Types is
compatible with Livingston's implementation.


OPTIONS in RADIUS NT 2.0

Each entry below gives a RADIUS flag as used in UNIX, its description,
and the corresponding option in RADIUS NT.

-b   Uses the DBM version of the users file.
     RADIUS NT: From the SetupOptions panel, select the Users Cache
     option and click on Enable Users Cache for Authentication.
     From the front panel, click on Updated Users Cache.

-d   Specifies an alternate directory for RADIUS configuration files.
     RADIUS NT: From the SetupOptions panel, select the Directories
     option and enter the desired path in the field.
     The default RADIUS NT directory is:
     c:\winnt\system32\drivers\etc\raddb

-l   Specifies a RADIUS log file to use instead of syslog.
     RADIUS NT: From the SetupOptions panel, select the Logging option
     and enter the desired file path in the Log File field.
     The default log file is:
     c:\Temp\radius.log

-s   Disables multi-task authentication.
     RADIUS NT: From the SetupOptions panel, select Multi-task
     Authentication and unclick the Multi-task Authentication button.
     Enable Multi-task Authentication is the default option.

-v   Displays RADIUS version.
     RADIUS NT: From the Help panel, select the About RADIUS option.

-x   Debug mode.
     RADIUS NT: The file for the debug output is:
     c:\Temp\radius.log

-a   Specifies an alternate directory for RADIUS accounting.
     RADIUS NT: From the SetupOptions panel, select the Directories
     option and enter the desired directory path in the Accounting
     Directory field.
     The default Accounting directory is:
     c:\usr\adm\radacct

RADIUS NT 2.0 INSTALLATION

If you have a previous Livingston RADIUS NT software version installed
on your NT server or workstation, before installing RADIUS 2.0,
you must uninstall the previous Livingston RADIUS NT version.
The radius.mdb file must be removed in order for the reinstall
to work properly.

In order to install and run RADIUS NT 2.0, you must log in to your
NT server or workstation as an Administrator with the following
User Rights:

* Act as part of the operating system
* Increase quotas
* Replace a process level token

If the above User Rights are not configured for the Administrator
account, when starting the RADIUS service, a popup window will
display the required User Rights before RADIUS service can be started.

DOWNLOADING RADIUS NT 2.0

The default installation directory for RADIUS NT is c:\winnt\system32\drivers\etc\raddb.
The default installation directory for DAO is c:\setupdao.

The RADIUS NT 2.0 and DAO must be downloaded to a directory (e.g., temp)
other than the two directories indicated above.

To download RADIUS NT 2.0 and DAO, refer to the following steps:

ftp ftp.livingston.com
(enter anonymous)
(enter your e-mail address; it will not echo)
binary
cd /pub/le/software/pc
get radiusnt.exe
get setupdao.exe

DAO must be installed before installing RADIUS NT. To install DAO, refer
to the following steps:

1. Enter setupdao.exe at the DOS prompt or double click on the
"setupdao.exe" file in the Windows NT Explorer. This self-extracting
file generates the setup file for DAO.

2. Enter setup.exe at the DOS prompt or double click on the setup.exe file
in the Windows NT Explorer. This file guides you through
the installation of DAO.

To install the RADIUS NT 2.0, perform the following steps:

1. Enter radiusnt.exe at the DOS prompt or double click on the
radiusnt.exe file in the Windows NT Explorer. This self-extracting
file generates the setup files for RADIUS NT.

2. Enter setup.exe at the DOS prompt or double click on the setup.exe file
in the Windows NT Explorer. This file guides you through
the installation of RADIUS NT.

The clients, users, and dictionary files can be edited by selecting
the Edit panel.

RESTRICTIONS IN RADIUS 2.0

Following are restrictions in Livingston RADIUS 2.0:

1. The Reply-Message attribute should not be specified longer
than 235 characters.

2. Authentication with SecurID token card is not available in this
release of RADIUS NT.

3. RADIUS NT 2.0 doesn't work on the Japanese version of NT workstation
4.0 with Service Pack 2.

___________________________________________________________________________
Copyright and Trademarks

Copyright 1996 Livingston Enterprises, Inc. All rights reserved.

The names Livingston, PortMaster, ComOS, RADIUS, ChoiceNet, PMconsole,
IRX, True Digital, and RAMP are trademarks belonging to Livingston
Enterprises, Inc. All other marks are the property of their respective
owners.

Notices

Livingston Enterprises, Inc. makes no representations or warranties
with respect to the contents or use of this manual, and specifically
disclaims any express or implied warranties of merchantability or
fitness for any particular purpose. Further, Livingston Enterprises,
Inc. reserves the right to revise this publication and to make changes
to its content, any time, without obligation to notify any person or
entity of such revisions or changes.

Contacting Livingston Technical Support

Livingston Enterprises provides technical support via voice, FAX, and
electronic mail. Technical support is available Monday through Friday
6am-5pm Pacific Time (GMT-8).

To contact Livingston Technical Support by voice, dial 1-800-458-9966
within the US or 1-510-737-2100 outside the US; by FAX, dial
1-510-737-2110; by electronic mail, send mail to
support@livingston.com; and through the World Wide Web at
http://www.livingston.com/.
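As an added illustration (not Livingston's code and not part of the forwarded message), the following Python parses users-file entries in the format shown in the release note above and applies the two rules it describes: every Group check-item must be satisfied for an Auth-Type = System user, and the Service-Type reply item selects the PortMaster privilege class. The usernames, the NT_GROUPS membership table and the users-file text are constructed assumptions modelled on the note's own examples.

```python
import re
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')
# Constructed users-file text modelled on the release note's examples
# (not Livingston's shipped file). Reply items are tab-indented.
USERS_FILE = """\
alice Auth-Type = System, Group = "Engineering", Group = "Guests"
\tService-Type = Login-User
bob Auth-Type = System, Group = "Engineering", Group = "Guests"
\tService-Type = Framed-User
!pmmon Password = "dontuseth1s"
\tService-Type = NAS-Prompt-User
!pmconfig Auth-Type = System, Prefix = "!"
\tService-Type = Administrative-User
"""
# Constructed NT group membership (what Auth-Type = System would consult).
NT_GROUPS = {"alice": {"Engineering", "Guests"}, "bob": {"Engineering"}}
# Service-Type values that ComOS 3.5 and later treat as administrative logins.
ADMIN_CLASS = {
    "Administrative-User": "full (!root)",
    "NAS-Prompt-User": "restricted (no add/delete/erase/save/tftp/set)",
}

def parse_users_file(text):
    """Return {name: (check_items, reply_items)}, each a list of (attr, value)."""
    entries, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                  # indented line: reply items
            side = 1
        else:                                  # entry header: username + check items
            name, _, line = line.partition(" ")
            entries[name] = ([], [])
            side = 0
        entries[name][side].extend(
            (k, v.strip('"')) for k, v in ITEM_RE.findall(line))
    return entries

def group_check(entries, user, nt_groups):
    """True only if the user belongs to every Group listed as a check-item."""
    required = [v for k, v in entries[user][0] if k == "Group"]
    if any(len(g) > 63 for g in required):     # release-note limit on Group
        raise ValueError("Group value longer than 63 characters")
    return all(g in nt_groups.get(user, set()) for g in required)

def admin_entries(entries):
    """Map each entry that grants PortMaster admin access to its privilege class."""
    return {name: ADMIN_CLASS[v] for name, (_, replies) in entries.items()
            for k, v in replies if k == "Service-Type" and v in ADMIN_CLASS}
```

Running admin_entries over a real users file is a quick way to list which profiles hand out !root-equivalent or NAS-Prompt access before the file is deployed.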