This manual contains product documentation for RADIUS-VMS, RFC2865/RFC2866 (RFC2138/2139) compliant RADIUS Server software for VMS systems.
Trademarks info
VMS, OpenVMS, VAX, Alpha, DEC, DEC Server, DEC DATATRIEVE, Digital are trademarks of Digital Equipment Corporation.
Process Software TCPWare-TCP, Multinet (TM) are trademarks of Process Software Corporation.
MadGoat, Message Exchange, and MX are trademarks of MadGoat Software.
RADIUS is the Remote Access Dial-In User Service, an Authorization, Authentication, and Accounting (AAA) client-server protocol. RADIUS is the de facto industry standard for remote access AAA, as well as an IETF standard. In general, it is a network daemon (network process) which performs authentication, authorization and accounting actions when someone logs in to a Network Access Server with a dial-up client or logs out from it. Typically, a RADIUS server is used by Internet Service Providers (ISPs) to perform AAA tasks, but it is also useful whenever you need to provide any kind of controlled dial-up access. The technical specification of the basic features supported by all RADIUS servers can be found in RFC 2138 (ftp://ftp.isi.edu/in-notes/rfc2138.txt). Accounting is specified in RFC 2139 (ftp://ftp.isi.edu/in-notes/rfc2139.txt). A simple explanation of the main work phases that illustrate the functionality of a RADIUS server follows:
The RADIUS-VMS project was started as a port of the Livingston RADIUS 2.01 server to OpenVMS, introducing a lot of VMS-specific features. The project has been sponsored by DLS Internet Service Inc. and performed by Ruslan R. Laishev (http://www.levitte.org/~rlaishev). RADIUS-VMS is a RADIUS server multithreaded with DECthreads; it was fully rewritten from the original sources and remains under active development for the implementation of new features. The main features follow:
RADIUS-VMS requires VMS version V6.1 or later to run.
TCP/IP package, tested with TCPWare TCP 5.3-3, 5.4-3 (Alpha/VMS), Multinet 4.1,4.2A (Alpha/VMS), DEC TCP/IP Service (UCX) 4.1,4.2,5.0 (VAX/VMS)
Optional MX 5.1 or later
RADIUS-VMS uses VMSINSTAL for installation. If you do not know how to
use VMSINSTAL, you should first read the chapter on installing software
in the VMS System Manager's Manual. For the installation, you
should be logged into the SYSTEM account, or another suitably
privileged account.
2.1 Invoking VMSINSTAL.
Invoke VMSINSTAL to install RADIUS-VMS.
$ @sys$update:vmsinstal RADIUSVMSvvn DDCU:
Substitute the appropriate values for vvn and ddcu.
OpenVMS VAX Software Product Installation Procedure V6.2
It is 29-JAN-2000 at 02:58.
Enter a question mark (?) at any time for help.
%VMSINSTAL-W-NOTSYSTEM, You are not logged in to the SYSTEM account.
%VMSINSTAL-W-ACTIVE, The following processes are still active:
        UCX$NTPD
        MONITOR_SERVER
* Do you want to continue anyway [NO]? y
* Are you satisfied with the backup of your system disk [YES]?
The following products will be processed:
  RADIUSVMS V2.0
        Beginning installation of RADIUSVMS V2.0 at 02:58
%VMSINSTAL-I-RESTORE, Restoring product save set A ...
        RADIUS-VMS Installation Procedure
        Copyright © 1998-2000, Ruslan R. Laishev. All Rights Reserved.
* Where should the RADIUS-VMS top directory be located? [$1$DUA1130:[RADIUS]]:
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists
* Do you want to purge files replaced by this installation [YES]?
%VMSINSTAL-I-RESTORE, Restoring product save set D ...
%VMSINSTAL-I-RESTORE, Restoring product save set E ...
%VMSINSTAL-I-RESTORE, Restoring product save set F ...
%RADIUSVMS-I-LINKING, Linking image RADIUS_SERVER.EXE ...
%RADIUSVMS-I-LINKING, Linking image RT.EXE ...
%RADIUSVMS-I-LINKING, Linking image LGI$CALLOUT_RADIUS.EXE ...
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.VAX_EXE] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.UTILS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.DOCS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.TEMPLATES] already exists
*************************************************************
The RADIUS-VMS software is installed at your system!!!
NOTE 1
RADIUS-VMS must be installed twice on a mixed-VMScluster: once on a VAX system and once on an Alpha system. This is necessary because the RADIUS-VMS executables are linked during the installation. Installing RADIUS-VMS on a VAX produces the VAX executable images and installing it on an Alpha produces the Alpha images.
NOTE 2
For the first time installation refer to RADIUS-VMS documentation for postinstallation tasks.
NOTE 3
For start RADIUS-VMS at system boot time you can add into SYS$STARTUP:SYSTARTUP_VMS.COM the follows line:
$ @SYS$STARTUP:RADIUSVMS_STARTUP.COM
*************************************************************
%VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...
        Installation of RADIUSVMS V2.0 completed at 03:01
        VMSINSTAL procedure done at 03:01
Before starting the RADIUS-VMS server, you need to prepare the configuration files. If you do not have your own variant of the RADIUS_DICTIONARY file you can just copy RAD_DICTIONARY.TEMPLATE to the RADIUS.DICTIONARY file. Likewise you can use RAD_USERS.TEMPLATE to create your own RADIUS.USERS file, and RAD_CONFIG.TEMPLATE to create a RADIUS.CONFIG file.
All site-specific logicals must be kept in RADIUS_LOGICALS.COM; a template for this file is provided as well.
Read carefully Chapter 3 for rules of configuration.
You can add the following line to your LOGIN.COM (or SYS$MANAGER:SYLOGIN.COM); it defines some useful commands.
$ @radius_dir:radius_commands.com
This product documentation is not a study of how RADIUS works in general, nor of how to get started with RADIUS; it describes only the specific features of this server. It also describes the steps you will probably need to take to accomplish a particular task. For beginners and admins, Livingston's site hosts the good "old" RADIUS Administrator's Guide, which will help you take the first steps in configuration and user management; you can download this manual from http://www.livingston.com/tech/docs/pdf/radius.pdf.
3.1 Server logicals.
A number of logicals are used to configure the RADIUS-VMS server; a good place for them is RADIUS_LOGICALS.COM.
RADIUS_DIR | RADIUS home directory.
RADIUS_ACCOUNTING | Accounting file in VMS ACCOUNTING format.
RADIUS_DICTIONARY | RADIUS dictionary file.
RADIUS_CONFIG | RADIUS clients, realms and homes configuration file.
RADIUS_DETAIL | RADIUS detail file.
RADIUS_USERS | RADIUS users file.
RADIUS_CURRENT | File which contains "show session"-like information.
RADIUS_DEBUG | Turns on debug output.
RADIUS_DISABLE_SESSIONLIMIT | Turns off checking of the session limit. It is a global flag which overrides the option in the RADIUS_CONFIG file and the MAX-Session-Limit check item in the RADIUS_USERS file.
RADIUS_NODETAIL | Stops output of accounting to the RADIUS_DETAIL file.
RADIUS_DNS_LOOKUP | Enables reverse DNS lookup.
RADIUS_NUMTHREADS | Number of accounting and authentication execution threads; 3 accounting threads and 3 authentication threads are the default values. The maximum number of threads for each "home" is 128.
RADIUS_OPCOMLVL | Defines the minimal severity level (a VMS severity level) of messages sent to OPCOM. A value greater than 4 stops sending any messages to OPCOM.
RADIUS_SESSIONTMO | The existence of this logical controls the value of the Session-Timeout attribute which will be added to ACK packets during the authentication/authorization phase.
RADIUS_PWD_EXPIRED | If this logical is defined, RADIUS-VMS checks the SYSUAF /FLAG=PWD_EXPIRED and will reject a login if this flag is set.
RADIUS-VMS uses a dictionary file compatible with Livingston RADIUS, as well as the same users file format. You can keep only one DEFAULT entry in the RADIUS_USERS file and perform all other authorization tasks in the SYSUAF database alone. The main attribute of the authentication/authorization procedure is the username. A username is a string of the form:
[<domain>\]<username>[['%'<suffix>]['@'<realm>]]
Examples:
ZyzOp%PPP@DeltaTel.RU | A SYSUAF user ZyzOp is expected, and it is assumed that an entry with the check item Suffix = "PPP" exists in the RADIUS_USERS file. For additional authorization the entry for the "DeltaTel.RU" realm in the RADIUS_CONFIG file will be checked.
C00lZyZop@RadiusVMS.COM | A SYSUAF user C00lZyZop is expected. For additional authorization the entry for the "RadiusVMS.COM" realm in the RADIUS_CONFIG file will be checked.
SysMan%TELNET | SYSUAF user SysMan; it is expected that this user wants to open a TELNET session automatically after login at the NAS. It is assumed that an entry with the check item Suffix = "%TELNET" exists in the RADIUS_USERS file.
M$SOFT\ZyzOp | User (ZyzOp) from domain M$SOFT; it is expected that this user will be authenticated against remote PDC/BDC hosts.
You can use wildcards in usernames in the RADIUS_USERS file.
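As an added illustration (not code from RADIUS-VMS), the following parser splits a User-Name value of the form [<domain>\]<username>[['%'<suffix>]['@'<realm>]] into its parts and rejects names containing spaces, tabs or other control characters, as the manual requires. The suffix is returned without its '%' separator; the ParsedName class and the error handling are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not RADIUS-VMS code): a parser for the User-Name form
#   [<domain>\]<username>[['%'<suffix>]['@'<realm>]]
# that also enforces the manual's rule that spaces, tabs and other control
# characters are not allowed in a username.


@dataclass(frozen=True)
class ParsedName:
    domain: Optional[str]     # NT-style domain before the backslash, if any
    username: str             # the SYSUAF username
    suffix: Optional[str]     # text after '%', without the '%' itself
    realm: Optional[str]      # text after '@', looked up in RADIUS_CONFIG


# space, DEL and every ASCII control character (tab, CR, LF, ...)
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")


def parse_username(raw: str) -> ParsedName:
    """Split a User-Name value into its parts; raises ValueError on bad input."""
    if not raw or _FORBIDDEN.search(raw):
        raise ValueError("username is empty or contains blanks/control characters")

    domain = None
    rest = raw
    # the domain prefix ends at the first backslash
    if "\\" in rest:
        domain, rest = rest.split("\\", 1)
        if not domain:
            raise ValueError("empty domain before backslash")

    realm = None
    # the realm is everything after the first '@'
    if "@" in rest:
        rest, realm = rest.split("@", 1)
        if not realm:
            raise ValueError("empty realm after '@'")

    suffix = None
    # the suffix is everything after the first '%' (before the realm)
    if "%" in rest:
        rest, suffix = rest.split("%", 1)
        if not suffix:
            raise ValueError("empty suffix after '%'")

    if not rest:
        raise ValueError("empty username")
    return ParsedName(domain, rest, suffix, realm)


def is_valid_username(raw: str) -> bool:
    """True if parse_username accepts the value, False otherwise."""
    try:
        parse_username(raw)
        return True
    except ValueError:
        return False
```

Running parse_username over the four names from the table above yields the SYSUAF username, suffix and realm the descriptions list; the control-character rule rejects a name before any SYSUAF lookup is attempted.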
During the authentication phase of the login procedure the server checks the following SYSUAF parameters:
If the login fails the SYSUAF checks, intrusion information is stored for use at the next attempt. At the successful end of the login phase the "last login: non-interactive" field is updated for this user in the SYSUAF. All login failures are stored in the VMS AUDIT database; you can use the ANALYZE/AUDIT utility to search for and retrieve this information.
There are some natural limitations on parameter lengths:
Usernames containing spaces, tabs or other control characters are not allowed.
This feature can be turned on by default for all accounts or for a particular account only. To activate it, use an Auth-Type check item with the value "System". Examples of entries in the RADIUS_USERS file:
...
# It is assumed that all users will be authenticated against SYSUAF
DEFAULT Auth-Type = System
...
or
...
# Only SYSUAF user SysMan will be authenticated against SYSUAF
SysMan Auth-Type = System
# The password for ZyzOp is stored in the RADIUS_USERS file
ZyZop Password = "Zadnica"
# All other logins will be rejected w/o any checking
DEFAULT Auth-Type = Reject
...
You can control whether dial-in logins are allowed for a particular user with the /DIALUP option in the SYSUAF; you can also specify a time range for additional control of the allowed login time. RADIUS-VMS uses the time range defined by the /NETWORK or /DIALUP options to compute the allowed session time if the RADIUS_SESSIONTMO logical is defined. For network users you can use the SYSUAF /NETWORK option. The difference between dial-in logins and NETWORK logins is determined by the presence of the NAS-Port-Id and NAS-Port-Type attributes in the authentication request, which are sent (or not sent) by the NAS or by a Linux box (when a RADIUS PAM module is used to authenticate/authorize local users by RADIUS). Check your System Manager's utilities guide for additional information about the AUTHORIZE utility and the SYSUAF database. The SYSUAF /EXPIRATION option can be used to control the expiration time for a particular user. The SYSUAF /FLAG=RESTRICTED option is equivalent to /FLAG=DISUSER for dial-in users only.
Some types of NAS do not send the NAS-Port-Type attribute at all, for example the DEC Server 90M. In this case you should use the /NAS option in the client definition entry for this NAS; it forces writing of info records into the RADIUS_CURRENT file and allows "Session-Limits" checking to be performed.
There are three predefined special rights identifiers which control the allowed connection type. They are intended only for dial-in connections and take effect if these identifiers are present in RIGHTSLIST.DAT:
56K | Allows connection speeds of less than 56*1024 bps. The connection speed information must be present in the "Connect-Info" attribute of the incoming authentication request. Check the documentation for your NAS on whether it can supply connection information. In fact, the "Connect-Info" attribute contains the answer from a modem, like "19200 /ZyX ...".
DUALPORT | Allows the use of MultiLink PPP at the NAS(s); this feature is typically used by ISDN users. In fact, this rights id allows two sessions at one time (see Section 3.2.4 for additional information).
ISDN | Allows only ISDN connections (ISDN-V110, ISDN-V120); analog connections on ports of type Async or Sync are denied.
By default a connection speed of more than 33600 bps is not allowed.
Use the GRANT/ID or REVOKE/ID commands of the VMS AUTHORIZE utility to grant or revoke these rights ids:
$ mcr authorize grant/id ISDN SysMan
or
$ mcr authorize revoke/id 56k SysMan
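The admission decision the 56K and ISDN rights identifiers imply, written out as an added example (this is not RADIUS-VMS code). The limits 33600 bps and 56*1024 bps, the ISDN-V110/ISDN-V120 port types and the Async/Sync denial come from the table above; reading the speed as the leading integer of Connect-Info (for example "19200 /ZyX ...") and skipping the speed check when no Connect-Info is present are this example's assumptions.

```python
from typing import Optional, Set, Tuple

# Added example (not RADIUS-VMS code): the admission decision the manual
# attaches to the 56K and ISDN rights identifiers. The numeric limits and the
# port types come from the manual; reading the speed as the leading integer of
# Connect-Info (e.g. "19200 /ZyX ...") is an assumption.

DEFAULT_MAX_BPS = 33600           # without a rights id, nothing above 33600 bps
RIGHT_56K_MAX_BPS = 56 * 1024     # with 56K, speeds must stay below 56*1024 bps
ISDN_PORT_TYPES = {"ISDN-V110", "ISDN-V120"}
ANALOG_PORT_TYPES = {"Async", "Sync"}


def connect_speed_bps(connect_info: Optional[str]) -> Optional[int]:
    """Return the modem speed from a Connect-Info value, or None if absent."""
    if not connect_info:
        return None
    fields = connect_info.split()
    if fields and fields[0].isdigit():
        return int(fields[0])
    return None


def allow_connection(rights: Set[str], nas_port_type: Optional[str],
                     connect_info: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a dial-in connection is allowed for a user holding `rights`."""
    held = {r.upper() for r in rights}

    # ISDN: only ISDN-V110/ISDN-V120 ports; analog Async/Sync ports are denied
    if "ISDN" in held and nas_port_type in ANALOG_PORT_TYPES:
        return False, "ISDN rights id: analog port %s denied" % nas_port_type

    speed = connect_speed_bps(connect_info)
    if speed is None:
        # assumption: without Connect-Info no speed limit can be applied
        return True, "no speed information"

    if "56K" in held:
        if speed >= RIGHT_56K_MAX_BPS:
            return False, "%d bps is not below %d" % (speed, RIGHT_56K_MAX_BPS)
        return True, "56K rights id permits %d bps" % speed

    if speed > DEFAULT_MAX_BPS:
        return False, "%d bps exceeds default limit of %d" % (speed, DEFAULT_MAX_BPS)
    return True, "%d bps within default limit" % speed
```

The returned reason string is what a server would log alongside the reject, so an operator can tell an ISDN port-type denial from a speed-limit denial when reading the detail or OPCOM output.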
RADIUS-VMS has the ability to change a SYSUAF password using an RFC-compliant and vendor-independent method. It is implemented by encapsulating the new password in the User-Password attribute. The syntax of the password is as follows:
password[,newpassword,verification]
where password is the real password of the user in the SYSUAF, and newpassword and verification are the new password entered twice.
When RADIUS-VMS receives a request with a password in the form shown, it extracts the old and new passwords, authenticates the user as usual, checks the /FLAGS=(NOLOCKPWD,NOGENPWD) options, checks the length of the new password against the /PWDMINIMUM SYSUAF parameter, hashes the new password, updates the password in the SYSUAF and sets the "Pwdchange:" field to the current system time.
You can use the RT utility to change a password; see the example:
$ rt
Usage: rt username passwd servername portno secretkey [port]
Check account:
$ rt ZyZop SuperPass Radius.ZZ.Top.NET 1 kalamala
Set password :
$ rt ZyZop "SuperPass,newzuper13,newzuper13" Radius.ZZ.Top.NET 1 kalamala
$
If any of the described checks of the new password fail, the password will not be changed, but the login will still be accepted.
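The sequence just described, as an added example that is not RADIUS-VMS code: split the User-Password value into password, newpassword and verification, authenticate with the old password, and apply the LOCKPWD/GENPWD, verification and /PWDMINIMUM checks, accepting the login even when a check fails. The Account record stands in for a SYSUAF entry and stores the password in clear text purely to keep the example self-contained (SYSUAF stores a hash); treating only an exactly three-field value as a change request is also this example's assumption.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not RADIUS-VMS code): handling of the User-Password form
#   password[,newpassword,verification]
# with the checks the manual lists before a change is made. The Account record
# stands in for a SYSUAF entry; the stored password is kept in clear text here
# only so the example is self-contained (SYSUAF stores a hash).


@dataclass
class Account:
    username: str
    password: str                    # stand-in for the SYSUAF verifier
    pwdminimum: int = 6              # /PWDMINIMUM
    lockpwd: bool = False            # /FLAGS=LOCKPWD
    genpwd: bool = False             # /FLAGS=GENPWD
    pwdchange: Optional[str] = None  # "Pwdchange:" field


@dataclass(frozen=True)
class Outcome:
    accepted: bool         # Access-Accept (True) or Access-Reject (False)
    changed: bool          # whether the stored password was replaced
    reason: str


def split_password_attr(value: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (password, newpassword, verification); the last two are None for a
    plain password. Assumption: only exactly three comma-separated fields are
    treated as a change request, so a plain password may still contain commas."""
    parts = value.split(",")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return value, None, None


def authenticate(acct: Account, user_password: str, now: str) -> Outcome:
    """Authenticate and, if requested and permitted, change the password."""
    old, new, verify = split_password_attr(user_password)

    # the old password must authenticate as usual; constant-time comparison
    if not hmac.compare_digest(old.encode(), acct.password.encode()):
        return Outcome(False, False, "authentication failed")
    if new is None:
        return Outcome(True, False, "login accepted")

    # from here on a failed check leaves the password alone but still accepts the login
    if acct.lockpwd or acct.genpwd:
        return Outcome(True, False, "LOCKPWD or GENPWD set; password not changed")
    if new != verify:
        return Outcome(True, False, "verification does not match; password not changed")
    if len(new) < acct.pwdminimum:
        return Outcome(True, False, "shorter than PWDMINIMUM; password not changed")

    acct.password = new            # SYSUAF would store the hash
    acct.pwdchange = now
    return Outcome(True, True, "password changed")
```

Because a failed change still yields an accept, the Outcome keeps the change result separate from the authentication result; a user running rt would otherwise have no way to tell from the accept alone whether the new password took effect.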
You can use Auth-Type = Accept or Auth-Type = Reject to accept all logins without real checking of the username/password pair, or to reject all logins, respectively. See the example entries below:
...
# Accept all logins w/o authentication by RADIUS
DEFAULT1 Auth-Type = Accept, NAS-IP-Address = 172.16.0.35
         Service-Type = Login-User,
         Login-Service = Telnet,
         Login-TCP-Port = 23,
         Login-IP-Host = StarLet.ZZTop.net
# Reject all other logins by default
DEFAULT Auth-Type = Reject
...
This feature gives you the ability to control the number of sessions allowed at one time for all users or for particular user(s). It is built-in functionality of the RADIUS-VMS server and is defined by a MAX-Session-Limit check item in the RADIUS_USERS file. The DUALPORT rights id automatically allows two concurrent sessions; it can be overridden by MAX-Session-Limit.
Keep in mind that sessions with one IP address (Framed-IP-Address) count as one session; this situation typically occurs when users use MultiLink PPP.
Examples of entries in the RADIUS_USERS file follow:
...
# It is assumed that all users will be authenticated against SYSUAF;
# by default all users can have 33 sessions at one time
DEFAULT Auth-Type = System, MAX-Session-Limit = 33
or
# Only SYSUAF user SysMan can have 3 concurrent sessions
SysMan Auth-Type = System, MAX-Session-Limit = 3
# Whoever logs in at the NAS with IP address 172.16.1.30
# is allowed 5 sessions
DEFAULT1 Auth-Type = System, NAS-IP-Address = 172.16.1.30, MAX-Session-Limit = 5
# All other users can have only 1 session (the default value)
DEFAULT Auth-Type = System
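The concurrent-session rule above, modelled as an added example (not RADIUS-VMS code): the limit is MAX-Session-Limit when the entry gives one, otherwise 1, or 2 when the user holds the DUALPORT rights id, and sessions sharing a Framed-IP-Address (MultiLink PPP) count as one. The Session fields, the constructed ACTIVE table and case-insensitive username matching are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Added example (not RADIUS-VMS code): the concurrent-session check described
# in the manual. The limit is MAX-Session-Limit when given, otherwise 1, or 2
# when the user holds the DUALPORT rights id; sessions that share one
# Framed-IP-Address (MultiLink PPP) count as a single session. Case-insensitive
# usernames and the Session fields are assumptions for this example.


@dataclass(frozen=True)
class Session:
    username: str
    nas_ip: str
    nas_port: int
    framed_ip: Optional[str]      # Framed-IP-Address, None before one is assigned


def effective_limit(max_session_limit: Optional[int], rights: Set[str]) -> int:
    """MAX-Session-Limit wins; DUALPORT alone gives 2; the default is 1."""
    if max_session_limit is not None:
        return max_session_limit
    return 2 if "DUALPORT" in {r.upper() for r in rights} else 1


def count_sessions(active: Iterable[Session], username: str) -> int:
    """Count a user's sessions, collapsing links that share a Framed-IP-Address."""
    wanted = username.upper()
    addressed = set()
    unaddressed = 0
    for s in active:
        if s.username.upper() != wanted:
            continue
        if s.framed_ip:
            addressed.add(s.framed_ip)
        else:
            unaddressed += 1
    return len(addressed) + unaddressed


def may_start_session(active: Iterable[Session], username: str,
                      max_session_limit: Optional[int], rights: Set[str]) -> bool:
    """True if one more session for `username` stays within the limit."""
    return count_sessions(active, username) < effective_limit(max_session_limit, rights)


# constructed sample of a RADIUS_CURRENT-style session table
ACTIVE = [
    Session("SysMan", "172.16.1.30", 1, "10.1.0.5"),
    Session("SysMan", "172.16.1.30", 2, "10.1.0.5"),   # second ML-PPP link, same address
    Session("SysMan", "172.16.1.31", 7, "10.1.0.9"),
    Session("ZyzOp", "172.16.1.30", 3, None),
]
```

With the sample table, SysMan's two MultiLink links on 10.1.0.5 plus the session on 10.1.0.9 count as two sessions, so the MAX-Session-Limit = 3 entry above admits one more while a DUALPORT-only user would already be at the limit.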