2 Configuring a ChoiceNet Server       

This chapter includes the following topics:

•   "Getting Started" on page 2-1
•   "Installing ChoiceNet Server Software" on page 2-2
•   "Configuring Client Information on the ChoiceNet Server" on page 2-5
•   "Starting ChoiceNet" on page 2-7
•   "Restarting the filterd Process" on page 2-8

  To configure ChoiceNet client information on a PortMaster, see Chapter 3, "Configuring a ChoiceNet Client."

  To install access-denied notification windows on users' computers, see Chapter 4, "Installing User Notification."

Getting Started

• Secure physical location
• Root access limited to the security officer or system administrator
• Limited number of user accounts, preferably none

  If you are using RADIUS, the UNIX host where the RADIUS server resides is a good choice.

  You must configure a shared secret on the ChoiceNet server for each client. The shared secret is an authentication key of up to 15 printable, nonspace, ASCII characters. It is stored as clear text in the /etc/choicenet/clients file on the ChoiceNet server and in the nonvolatile memory of the PortMaster. Each PortMaster can share a different secret with the ChoiceNet server, or multiple PortMasters can share the same secret. See "Configuring Client Information on the ChoiceNet Server" on page 2-5 for more information.

  If you plan to use the ChoiceNet server with a RADIUS server, install and configure the RADIUS server first. See the RADIUS Administrator's Guide for instructions.

  Lucent suggests that the host for the ChoiceNet server meet the following conditions:

• The host is accessible from outside your local network.
• The host does not run any public network services such as email, FTP, HTTP, or Telnet.

  Appendix D, "Preconfiguration Worksheets," has blank worksheets you can use to collect server and client information you will need to install and configure ChoiceNet.

Installing ChoiceNet Server Software

• Install ChoiceNet server software with the pminstall utility shipped on the PortMaster Software CD.
• Install ChoiceNet server software without pminstall.

Always use the latest version of pminstall, available by anonymous FTP from ftp://ftp.livingston.com/pub/le/software.

Installing with pminstall

1. Log in to the selected ChoiceNet server as root.

2. Mount the CD using the instructions in the CD booklet.

3. Install the PortMaster software by one of the following methods:

• Run /cdrom/unix/setup.
• Follow the instructions in the CD booklet.

4. Enter the /usr/portmaster/pminstall command at the UNIX prompt.

The following list of choices appears:

% /usr/portmaster/pminstall   1. PortMaster Internet Address Setup 2. Host Installation 3. PortMaster Upgrade 4. Host Upgrade 5. Install RADIUS 6. Install ChoiceNet 7. Exit   Please select an option from above:

5. Choose the Install ChoiceNet option to install all ChoiceNet files.

• The server prompts you for a directory name:

  Directory to install ChoiceNet (/etc/choicenet):

6. Provide directory information for ChoiceNet files by one of the following methods:

• Enter the appropriate directory.
• Select the default directory (shown in parentheses) by pressing the Return or Enter key.

7. When ChoiceNet installation is complete, select the Exit option to quit pminstall.

8. Go to "Configuring Client Information on the ChoiceNet Server" on page 2-5.  

Installing without pminstall

1. Log in to the selected ChoiceNet server as root.

2. Mount the CD on the /cdrom directory using the instructions in the CD booklet.

3. If you are running the Network Information Service (NIS) or NIS+, add the following line to the services NIS map on your NIS master and push the maps:

choicenet 1647/udp filterd

Use the make mapname command on the NIS master to push the maps. This action updates the NIS database to include recently entered information. For details, consult your UNIX system documentation.

4. If you are not running NIS or NIS+, add the following line to the /etc/services file:

choicenet 1647/udp filterd

5. As root, enter the following commands on the ChoiceNet server:

umask 022 mkdir /etc/choicenet chmod 700 /etc/choicenet

All ChoiceNet files are stored in the /etc/choicenet directory.

The umask and chmod commands affect the choicenet directory permissions; root access is required for read, write, and execute privileges.

6. Copy all files in the /cdrom/unix/choicenet directory to the /etc/choicenet directory:

cp -r /cdrom/unix/choicenet/* /etc/choicenet

The choicenet directory contains the four subdirectories clients, filters, lists, and lists.dbm, and the file logfile.

7. Copy the filterd file to the /etc/choicenet directory or to another directory such as /usr/sbin:

cp /cdrom/unix/platform/filterd /etc/choicenet/filterd

Replace platform with the name of your operating system-for example, sun4_4.1.

8. Copy the buildlist utility to /etc/choicenet/buildlist:

cp /cdrom/unix/platform/buildlist /etc/choicenet/buildlist

Replace platform with the name of your operating system-for example, sun4_4.1.

9. Go to "Configuring Client Information on the ChoiceNet Server" on page 2-5.

Configuring Client Information on the ChoiceNet Server

1. To add a client, edit the text file and enter the client's name or IP address and the shared secret.

Shared secrets must consist of 15 or fewer printable, nonspace, ASCII characters. Control characters must not be used. You can add any number of clients to this file.

Lines starting with the number sign (#) are ignored as comments.

Examples of client names and shared secrets are displayed in Figure 2-1.

2. Verify that only root users have read and write access to the clients file.

As root, enter the following commands on the ChoiceNet server:

umask 077 chmod 600 /etc/choicenet/clients

This is an important security precaution because the clients file contains the shared secrets for ChoiceNet clients. Figure 2-2 shows the correct permission setting for the clients file.

3. Go to "Starting ChoiceNet" on page 2-7.  

Starting ChoiceNet

1. Enter the following command to start the ChoiceNet server:

/etc/choicenet/filterd

You can use filterd with any of the options shown in Table 2-1.

2. To start the filterd daemon each time the ChoiceNet server is booted, modify the /etc/rc.local file as shown in Figure 2-3.

filterd is a standalone process; it must not be run from /etc/inetd.conf.

The name of the appropriate file might be different depending on your system. On some systems the file is named /etc/rc2.d/S99choicenet. Consult your UNIX system documentation for more information.

3. Go to Chapter 3, "Configuring a ChoiceNet Client."

Restarting the filterd Process

The syntax for the ps command can vary depending on your operating system. Consult your system documentation for more information.

1. Determine the UNIX process:

ps -ax | grep filterd

2. USe the kill command to stop the process:

kill ProcessID

ProcessID is taken from the output of ps in step 1.

3. Restart the process:

/etc/filterd