
RADIUS-VMS
product documentation

This manual contains product documentation for RADIUS-VMS, RFC2865/RFC2866 (RFC2138/2139) compliant RADIUS Server software for VMS systems.


Copyright © 1998-2000 Ruslan R. Laishev & StarLet Group.

Trademarks info

VMS, OpenVMS, VAX, Alpha, DEC, DEC Server, DEC DATATRIEVE, Digital are trademarks of Digital Equipment Corporation.

Process Software TCPWare-TCP and Multinet (TM) are trademarks of Process Software Corporation.

MadGoat, Message Exchange, and MX are trademarks of MadGoat Software.


Chapter 1
Introduction to RADIUS.

1.1 What is RADIUS?

RADIUS is the Remote Access Dial-In User Service, an Authorization, Authentication and Accounting client-server protocol. RADIUS is the de facto industry standard for remote access AAA, as well as an IETF standard. In general, it is a network daemon (network process) which performs authentication, authorization and accounting actions when someone logs in to a Network Access Server with a dial-up client or logs out from it. Typically, a RADIUS server is used by Internet Service Providers (ISPs) to perform AAA tasks, but it is frequently useful whenever you need to provide any kind of controlled dial-up access. The technical specification of the basic features supported by all RADIUS servers can be found in RFC 2138 (ftp://ftp.isi.edu/in-notes/rfc2138.txt). Accounting is specified in RFC 2139 (ftp://ftp.isi.edu/in-notes/rfc2139.txt). A simple explanation of the main work phases that make up the functionality of a RADIUS server follows:

  1. Authentication phase - the NAS gets the username/password pair from user input, encrypts this information with the "secret key" shared between the NAS and the RADIUS server, and transfers the request to the RADIUS server. The RADIUS server receives this information, extracts the username/password and validates it against a local username/password database.
  2. Authorization phase - if the user is valid, the RADIUS server gets some information from a special database and sends it to the NAS. For example: the IP number assigned to this Dial-Up client, network mask, allowed session time, default router, access control list ID, etc.
  3. Accounting phase - when the NAS gets the acknowledgement from RADIUS during the previous phase, the NAS sends a "Start session" packet to the RADIUS server, and a "Stop session" packet when the client disconnects from the NAS. The "Stop session" packet contains accounting information like session time, amount of input/output traffic, etc.

1.2 What is RADIUS-VMS?

The RADIUS-VMS project was started as a port of the Livingston RADIUS 2.01 server to OpenVMS, introducing a lot of VMS-specific features. The project has been sponsored by DLS Internet Service Inc. and performed by Ruslan R. Laishev (http://www.levitte.org/~rlaishev). RADIUS-VMS is a RADIUS server multithreaded using DEC Threads; it was fully rewritten from the original sources and has stayed under active development for the implementation of new features. The main features follow:

1.3 Prerequisites.

RADIUS-VMS requires VMS version V6.1 or later to run.

A TCP/IP package; tested with TCPWare TCP 5.3-3, 5.4-3 (Alpha/VMS), Multinet 4.1, 4.2A (Alpha/VMS), DEC TCP/IP Services (UCX) 4.1, 4.2, 5.0 (VAX/VMS).

Optional: MX 5.1 or later.


Chapter 2
RADIUS-VMS installation.

RADIUS-VMS uses VMSINSTAL for installation. If you do not know how to use VMSINSTAL, you should first read the chapter on installing software in the VMS System Manager's Manual. For the installation, you should be logged into the SYSTEM account, or another suitably privileged account.

2.1 Invoking VMSINSTAL.

Invoke VMSINSTAL to install RADIUS-VMS.



 $ @sys$update:vmsinstal RADIUSVMSvvn DDCU:

Substitute the appropriate values for vvn and ddcu.

 OpenVMS VAX Software Product Installation Procedure V6.2

It is 29-JAN-2000 at 02:58.

Enter a question mark (?) at any time for help.

%VMSINSTAL-W-NOTSYSTEM, You are not logged in to the SYSTEM account.
%VMSINSTAL-W-ACTIVE, The following processes are still active:
 UCX$NTPD
 MONITOR_SERVER
* Do you want to continue anyway [NO]? y
* Are you satisfied with the backup of your system disk [YES]?

The following products will be processed:

  RADIUSVMS V2.0

 Beginning installation of RADIUSVMS V2.0 at 02:58

%VMSINSTAL-I-RESTORE, Restoring product save set A ...

                RADIUS-VMS Installation Procedure

       Copyright © 1998-2000, Ruslan R. Laishev.  All Rights Reserved.

* Where should the RADIUS-VMS top directory be located? [$1$DUA1130:[RADIUS]]:

%CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists
* Do you want to purge files replaced by this installation [YES]?

%VMSINSTAL-I-RESTORE, Restoring product save set D ...
%VMSINSTAL-I-RESTORE, Restoring product save set E ...
%VMSINSTAL-I-RESTORE, Restoring product save set F ...
%RADIUSVMS-I-LINKING, Linking image RADIUS_SERVER.EXE ...
%RADIUSVMS-I-LINKING, Linking image RT.EXE ...
%RADIUSVMS-I-LINKING, Linking image LGI$CALLOUT_RADIUS.EXE ...
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.VAX_EXE] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.UTILS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.DOCS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.TEMPLATES] already exists

 *************************************************************
 The RADIUS-VMS software is installed at your system!!!

   NOTE 1
 RADIUS-VMS must be installed twice on a mixed-VMScluster: once
 on a VAX system and once on an Alpha system. This is necessary
 because the RADIUS-VMS executables are linked during the
 installation. Installing RADIUS-VMS on a VAX produces the VAX
 executable images and installing it on an Alpha produces the
 Alpha images.

   NOTE 2
 For the first time installation refer to RADIUS-VMS documentation
 for postinstallation tasks.

   NOTE 3
 For start RADIUS-VMS at system boot time you can add into
 SYS$STARTUP:SYSTARTUP_VMS.COM the follows line:

 $ @SYS$STARTUP:RADIUSVMS_STARTUP.COM
 *************************************************************

%VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...

 Installation of RADIUSVMS V2.0 completed at 03:01

 VMSINSTAL procedure done at 03:01

Before starting the RADIUS-VMS server, you need to prepare the configuration files. If you do not have your own variant of the RADIUS_DICTIONARY file, you can just copy RAD_DICTIONARY.TEMPLATE to the RADIUS.DICTIONARY file. Similarly, you can use RAD_USERS.TEMPLATE to create your own RADIUS.USERS file, and RAD_CONFIG.TEMPLATE to create a RADIUS.CONFIG file.

All site specific logicals must be kept in RADIUS_LOGICALS.COM; a template for this file is also provided.

Read Chapter 3 carefully for the configuration rules.

You can add the following line to your LOGIN.COM (or SYS$MANAGER:SYLOGIN.COM); it will define some useful commands.



 $ @radius_dir:radius_commands.com


Chapter 3
Configuration & Management.

This Product Documentation is not a study of how RADIUS works in general, or of how to get started with RADIUS; it describes only the specific features of this server. It also describes the steps you will probably need to take to accomplish a particular task. For beginners and admins, Livingston's site hosts the good "old" RADIUS Administrator's Guide, which will help you with your first steps in configuration and user management; you can download this manual from http://www.livingston.com/tech/docs/pdf/radius.pdf.

3.1 Server logicals.

There are a number of logicals used to configure the RADIUS-VMS server; a good place to define them is RADIUS_LOGICALS.COM.

RADIUS_DIR - RADIUS home directory.
RADIUS_ACCOUNTING - accounting file in VMS ACCOUNTING format.
RADIUS_DICTIONARY - RADIUS dictionary file.
RADIUS_CONFIG - RADIUS clients, realms and homes configuration file.
RADIUS_DETAIL - RADIUS detail file.
RADIUS_USERS - RADIUS users file.
RADIUS_CURRENT - file which contains "show session"-like information.
RADIUS_DEBUG - turns on debug output.
RADIUS_DISABLE_SESSIONLIMIT - turns off session limit checking. It is a global flag which overrides the option in the RADIUS_CONFIG file and the MAX-Session-Limit Check-Item in the RADIUS_USERS file.
RADIUS_NODETAIL - stops accounting output to the RADIUS_DETAIL file.
RADIUS_DNS_LOOKUP - enables reverse DNS lookup.
RADIUS_NUMTHREADS - the number of accounting and authentication execution threads; 3 accounting threads and 3 authentication threads are the default values. The maximum number of threads for each "home" is 128.
RADIUS_OPCOMLVL - defines the minimal severity level (a VMS severity level) of messages sent to OPCOM. A value greater than 4 stops sending any messages to OPCOM.
RADIUS_SESSIONTMO - the existence of this logical controls the value of the Session-Timeout attribute which will be added to ACK packets during the authentication/authorization phase.
RADIUS_PWD_EXPIRED - if this logical is defined, RADIUS-VMS checks the SYSUAF /FLAG=PWD_EXPIRED and rejects a login if this flag is set.

3.2 Users management.

RADIUS-VMS uses a dictionary file and a users file compatible with the Livingston RADIUS formats. You can keep just one DEFAULT entry in the RADIUS_USERS file and perform all other authorization tasks in the SYSUAF database. The main attribute of the authentication/authorization procedure is the username. A username is a string of the form:


[<domain>\]<username>[['%'<suffix>]['@'<realm>]] 

Examples:
ZyzOp%PPP@DeltaTel.RU - a SYSUAF user ZyzOp is expected, and it is assumed that an entry with the check item Suffix = "PPP" exists in the RADIUS_USERS file. For additional authorization, the entry for the "DeltaTel.RU" realm in the RADIUS_CONFIG file will be checked.
C00lZyZop@RadiusVMS.COM - a SYSUAF user C00lZyZop is expected. For additional authorization, the entry for the "RadiusVMS.COM" realm in the RADIUS_CONFIG file will be checked.
SysMan%TELNET - SYSUAF user SysMan; it is expected that this user wants to automatically open a TELNET session after login at the NAS. It is assumed that an entry with Check-Item Suffix = "%TELNET" exists in the RADIUS_USERS file.
M$SOFT\ZyzOp - user ZyzOp from domain M$SOFT; it is expected that this user will be authenticated against remote PDC/BDC hosts.

Note

You can use wildcards in usernames in the RADIUS_USERS file.

During the authentication phase of the login procedure the server checks the following SYSUAF parameters:

If the login fails the SYSUAF checks, intrusion information is stored for use at the next attempt. At the successful end of the login phase the "last login: non-interactive" field in the SYSUAF is updated for this user. All login failures are stored in the VMS AUDIT database; you can use the ANALYZE/AUDIT utility to search for and retrieve this information.

Note

There are some natural limits on parameter lengths:
username   12 bytes
password   96 bytes
suffix     15 bytes
realm      63 bytes

Usernames containing spaces, tabs or other control characters are not allowed.
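As an added illustration (not part of the RADIUS-VMS documentation or code), a Python parser for the username form and the length and character rules above, with the lookup steps the examples describe; the split order and the handling of a second '@' are assumptions, since the server's own tokeniser is not shown:

```python
# Added example (not RADIUS-VMS code): parse the username form
#   [<domain>\]<username>[['%'<suffix>]['@'<realm>]]
# and apply the documented length and character rules. The split order and
# the handling of a second '@' are assumptions; the server's tokeniser is not shown.

LIMITS = {"username": 12, "suffix": 15, "realm": 63}   # bytes, from the documentation

def parse_username(raw):
    """Return {'domain', 'username', 'suffix', 'realm'} or raise ValueError."""
    # spaces, tabs and other control characters are not allowed anywhere
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        raise ValueError("username contains whitespace or control characters")
    domain = suffix = realm = None
    rest = raw
    if "\\" in rest:                       # M$SOFT\ZyzOp -> domain M$SOFT
        domain, rest = rest.split("\\", 1)
    if "@" in rest:                        # ...@DeltaTel.RU -> realm DeltaTel.RU
        rest, realm = rest.split("@", 1)   # assumption: the first '@' ends the user part
    if "%" in rest:                        # ...%PPP -> suffix PPP
        rest, suffix = rest.split("%", 1)
    if not rest:
        raise ValueError("empty username")
    parts = {"domain": domain, "username": rest, "suffix": suffix, "realm": realm}
    for name, limit in LIMITS.items():
        value = parts[name]
        if value is not None and len(value.encode("utf-8")) > limit:
            raise ValueError("%s exceeds %d bytes" % (name, limit))
    return parts

def lookup_plan(parts):
    """List the checks the documentation's examples describe for each component."""
    plan = []
    if parts["domain"]:
        plan.append("authenticate %s against domain %s (remote PDC/BDC)"
                    % (parts["username"], parts["domain"]))
    else:
        plan.append("SYSUAF user %s" % parts["username"])
    if parts["suffix"]:
        plan.append('RADIUS_USERS entry with Check-Item Suffix = "%s"' % parts["suffix"])
    if parts["realm"]:
        plan.append('RADIUS_CONFIG realm entry "%s"' % parts["realm"])
    return plan
```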

3.2.1 SYSUAF based authentication & authorization.

This feature can be turned on by default for all accounts or for a particular account only. To activate it, use an Auth-Type check item with the value "System". See examples of entries in the RADIUS_USERS file:



 ...
 #It is assumed that all users will be authenticated against SYSUAF
 DEFAULT Auth-Type = System
 ...

or

 ...
 #only SYSUAF user SysMan will be authenticated against SYSUAF
 SysMan Auth-Type = System

 #password for ZyzOp is stored in the RADIUS_USERS file
 ZyZop Password = "Zadnica"

 # All other logins will be rejected w/o any checking
 DEFAULT Auth-Type = Reject
 ...

You can control whether a particular user may log in by dial-in with the /DIALUP option in the SYSUAF; you can also specify a time range for additional control of the allowed login time. RADIUS-VMS uses the time range defined by the /NETWORK or /DIALUP options to compute an allowed session time if the RADIUS_SESSIONTMO logical is defined. For network users you can use the SYSUAF /NETWORK option. The difference between Dial-In logins and NETWORK logins is determined by the presence of the NAS-Port-Id and NAS-Port-Type attributes in the authentication request, which are sent (or not sent) by the NAS or by a Linux box (when a RADIUS PAM module is used for authentication/authorization of local users by RADIUS). Check your System Manager's utilities guide for additional information about the AUTHORIZE utility and the SYSUAF database. The SYSUAF /EXPIRATION option can be used to control the expiration time for a particular user. The /FLAG=RESTRICTED SYSUAF option is equivalent to /FLAG=DISUSER, but only for Dial-In users.

Note

Some types of NAS do not send the NAS-Port-Type attribute at all, for example the DEC Server 90M. In this case you should use the /NAS option in the client definition entry for this NAS; it forces writing of info records into the RADIUS_CURRENT file and allows "Session-Limits" checking to be performed.

There are three predefined special right ids which control the allowed connection type. They are intended only for Dial-In connections and take effect if these identifiers are present in RIGHTSLIST.DAT:
56K - allows a connection speed of < 56*1024 bps. Connection speed information must be present in the "Connect-Info" attribute of the incoming authentication request. Check the documentation for your NAS for its ability to supply connection information. In fact, the "Connect-Info" attribute contains the answer from a modem, like "19200 /ZyX ...".
DUALPORT - allows the use of MultiLink PPP at the NAS; this feature is typically used by ISDN users. In fact, this right id allows two sessions at one time (see Section 3.2.4 for additional information).
ISDN - allows only ISDN connections (ISDN-V110, ISDN-V120); it denies analog connections on ports with type Async or Sync.

Note

By default, connection speeds higher than 33600 bps are not allowed.

Use the GRANT/ID or REVOKE/ID commands of the VMS AUTHORIZE utility to grant or revoke these right ids:



 $ mcr authorize grant/id ISDN SysMan

or



 $ mcr authorize revoke/id 56k SysMan

3.2.2 SYSUAF password change.

RADIUS-VMS has the ability to change a SYSUAF password using an RFC compliant and vendor independent method. It is implemented by encapsulating the new password in the User-Password attribute. The syntax of the password is:


 password[,newpassword,verification] 

where password is the real password of the user in the SYSUAF, and newpassword and verification are the new password entered twice.

When RADIUS-VMS gets a request with a password in the form shown, it extracts the old and new passwords, authenticates the user as usual, checks the /FLAGS=(NOLOCKPWD,NOGENPWD) options, checks the length of the new password against the /PWDMINIMUM SYSUAF parameter, hashes the new password, updates the password in the SYSUAF and sets the "Pwdchange:" field to the current system time.

You can use the RT utility to change a password, see example:



$ rt
Usage: rt username passwd servername portno secretkey [port]
Check account:$ rt ZyZop SuperPass Radius.ZZ.Top.NET 1 kalamala
Set password :$ rt ZyZop "SuperPass,newzuper13,newzuper13"  Radius.ZZ.Top.NET 1 kalamala
$

Note

If any of the described checks of the new password fails, the password will not be changed, but the login will still be accepted.
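As an added example (not RADIUS-VMS code), the composite password[,newpassword,verification] carried inside the User-Password attribute, hidden with the RFC 2865 section 5.2 MD5/XOR chain on the client side and recovered on the server side, followed by the documented checks; the reading of /FLAGS=(NOLOCKPWD,NOGENPWD) as "LOCKPWD or GENPWD set blocks the change" and the treatment of a malformed composite are assumptions:

```python
# Added example (not RADIUS-VMS code): the composite
# password[,newpassword,verification] travelling inside User-Password, hidden
# per RFC 2865 section 5.2, and the documented checks applied on the server side.
import hashlib

def hide_user_password(password, secret, authenticator):
    """Client side (NAS or RT): XOR each 16-octet block with an MD5 chain keyed by the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to whole 16-octet blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()          # b_n = MD5(S + c_{n-1}), c_0 = RA
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden

def unhide_user_password(hidden, secret, authenticator):
    """Server side: rebuild the same chain from the ciphertext blocks, then drop the padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")   # assumption: the password itself has no trailing NULs

def evaluate_password_change(user_password, pwdminimum, uaf_flags=()):
    """Return (password_to_authenticate_with, new_password_or_None).

    None means: log in with the old password as usual but leave SYSUAF untouched,
    which is what the documentation says happens when any check fails.
    """
    parts = user_password.split(",")
    if len(parts) != 3:                       # plain password; assumption: a malformed
        return user_password, None            # composite is treated the same way
    old, new, verification = parts
    if "LOCKPWD" in uaf_flags or "GENPWD" in uaf_flags:   # account needs NOLOCKPWD, NOGENPWD
        return old, None
    if new != verification or len(new) < pwdminimum:      # typo, or shorter than /PWDMINIMUM
        return old, None
    return old, new
```

Because the new password is carried in User-Password, it is protected in transit only by the RFC 2865 hiding, that is by the strength and secrecy of the shared secret.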

3.2.3 Accept or Reject all logins without real authentication.

You can use Auth-Type = Accept or Auth-Type = Reject to accept all logins without real checking of the username/password pair, or to reject all logins, respectively. See example entries below:



 ...
 #Accept all logins w/o authentication by RADIUS
 DEFAULT1 Auth-Type = Accept, NAS-IP-Address = 172.16.0.35
  Service-Type = Login-User, Login-Service = Telnet,
  Login-TCP-Port = 23, Login-IP-Host = StarLet.ZZTop.net

 #Reject all other logins by default
 DEFAULT  Auth-Type = Reject
 ...

3.2.4 Session limit checking.

This feature gives you the ability to control the number of sessions allowed at one time for all users or for particular user(s). It is built-in functionality of the RADIUS-VMS server. It is defined by a MAX-Session-Limit Check-Item in the RADIUS_USERS file. The DUALPORT right id automatically allows two concurrent sessions; this can be overridden by MAX-Session-Limit.

Note

Keep in mind that sessions with one IP address (Framed-IP-Address) count as one session; typically this situation takes place when users use MultiLink PPP.

Example entries in the RADIUS_USERS file:



 ...
 #It is assumed that all users will be authenticated against SYSUAF,
 #by default all users can have 33 sessions at one time

 DEFAULT Auth-Type = System , MAX-Session-Limit = 33

or

 #Only SYSUAF user SysMan can have 3 concurrent sessions
 SysMan Auth-Type = System , MAX-Session-Limit = 3

 #Users who log in at the NAS with IP address = 172.16.1.30
 #are allowed 5 sessions

 DEFAULT1 Auth-Type=System, NAS-IP-Address=172.16.1.30, MAX-Session-Limit = 5

 #All other users can have only 1 session (it's the default value)
 DEFAULT Auth-Type = System
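As an added example (not RADIUS-VMS code), the session-limit decision described in this section, evaluated against a constructed RADIUS_CURRENT-like table of active sessions: MAX-Session-Limit overrides DUALPORT, DUALPORT gives two sessions, the default is one, RADIUS_DISABLE_SESSIONLIMIT switches the check off, and sessions sharing a Framed-IP-Address count once. The record layout and the port-based fallback key for sessions without a Framed-IP-Address are assumptions.

```python
# Added example (not RADIUS-VMS code): session-limit check over a constructed
# RADIUS_CURRENT-like session table. Record layout and the port-based fallback
# key for sessions without a Framed-IP-Address are assumptions.

# Constructed sample of active sessions (what RADIUS_CURRENT tracks)
CURRENT = [
    {"user": "SysMan", "nas_ip": "172.16.1.30", "port": 1, "framed_ip": "10.0.0.5"},
    {"user": "SysMan", "nas_ip": "172.16.1.30", "port": 2, "framed_ip": "10.0.0.5"},  # MultiLink leg
    {"user": "ZyzOp",  "nas_ip": "172.16.1.30", "port": 3, "framed_ip": "10.0.0.6"},
]

def effective_limit(check_items, right_ids, disable_sessionlimit=False):
    """MAX-Session-Limit wins over DUALPORT; DUALPORT gives 2; the default is 1.
    The RADIUS_DISABLE_SESSIONLIMIT logical switches checking off entirely (None)."""
    if disable_sessionlimit:
        return None
    if "MAX-Session-Limit" in check_items:
        return int(check_items["MAX-Session-Limit"])
    return 2 if "DUALPORT" in right_ids else 1

def count_sessions(current, user):
    """Sessions that share one Framed-IP-Address count as a single session."""
    keys = set()
    for rec in current:
        if rec["user"] != user:
            continue
        if rec.get("framed_ip"):
            keys.add(("ip", rec["framed_ip"]))
        else:                                   # no Framed-IP: fall back to the NAS port
            keys.add(("port", rec["nas_ip"], rec["port"]))
    return len(keys)

def session_allowed(current, user, check_items, right_ids, disable_sessionlimit=False):
    """True if one more session for `user` stays within the effective limit."""
    limit = effective_limit(check_items, right_ids, disable_sessionlimit)
    if limit is None:
        return True
    return count_sessions(current, user) < limit
```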

