Configuring User Information   4

  This chapter includes the following topics:

•  "User Profile Format" on page 4-2
•  "Matching User Profiles" on page 4-3
•  "Editing User Profiles" on page 4-4
•  "Default User Profiles" on page 4-4
•  "Check Items" on page 4-6
•  "Reply Items" on page 4-19
•  "Using RADIUS with PAP and CHAP" on page 4-38
•  "Configuring Database Caching of User Profiles" on page 4-40
•  "Example PPP User Profile" on page 4-40

  The RADIUS users  file is a flat text file on the RADIUS server. The users  file stores authentication and authorization information for all users authenticated with RADIUS. Each user must be represented by a profile  that consists of three parts: the username , a list of check items , and a list of reply items . Figure 4-1 displays an example.

  Figure 4-1 User Profile

  Note ¯ Lucent InterNetworking Systems recommends that you create a single user profile and test RADIUS authentication and authorization for that user. If the test is successful, create and test profiles representative of other user types before proceeding to create all your user profiles.

       User Profile Format

  User profiles must be separated from each other by an empty line. The first line of a user profile consists of the username followed by the check items. The username is separated from the check items by spaces or tabs. This first line must not exceed 255 characters. All subsequent lines of the profile are individual reply items. Each reply item line must begin with a space or tab. Each reply item, except for the final line in the profile, must end with a comma.

  You can add comments to the users  file by beginning comment lines with a number sign (# ).

  Caution ¯ Do not place comments within a user profile. Comments in a user profile prevent any reply item following the comment from being processed and sent to the client. Place comments either before or after the user profile.

  The contents of each user profile are case-sensitive. Definitions for all attributes and values are in the dictionary file and can be viewed with any text editor.

  Caution ¯ Modifying the contents of the dictionary file incorrectly can cause RADIUS to fail to authenticate users correctly or cause other problems.

  See "Default User Profiles" on page 4-4 for information on the special profile, DEFAULT. Several common user profiles are listed in "Example PPP User Profile" on page 4-40. All check items are summarized in Table 4-1 on page 4-7. All reply items are summarized in Table 4-2 on page 4-19. Attributes and values used to create user profiles are defined in the dictionary.

  Username.  The username is the first part of each user profile and must start in the first column. Usernames consist of up to 63 printable, nonspace, ASCII characters. If ActivCard, SecurID, or a system password file is used for authentication, the username must conform to any limitations imposed on the username by the host.

  Caution ¯ Do not use white space within a username. In RADIUS 2.1, access-requests are rejected if the username contains a space or tab. If a user enters a username with trailing spaces or tabs, the access-request is rejected.

  Check Items.  Check items are listed on the first line of a user profile, following the username and separated from it by white space. The line in the user profile that contains the username and check items must not exceed 255 characters. Check items must be separated by commas. Do not place a comma after the final check item. For an access-request (see "How RADIUS Works" on page 1-2) to succeed, all check items in the user profile must be satisfied by information from the access-request or by related information from the local system, such as group membership in the access-request.

  In Figure 4-1, bob's password is the only check item. To successfully authenticate bob, the RADIUS server must receive this password in bob's access-request.

  The following example shows the first line of a user profile. To successfully authenticate ann, the RADIUS server must receive the specified password, ann must be logging in on port 23 of the NAS, and she must be a member of the engineer group.

  ann Password = "8f4kv$s", NAS-Port = 23, Group = "engineer"

  Note ¯ If no check items are included in the user profile, the user is rejected.

  Reply Items.  Reply items are placed one per line. Each line begins with white space. Each line ends with a comma, except for the final reply item. Reply items give the PortMaster authorization information about the user's connection--for example, whether PPP or SLIP is used or whether the user's IP address is negotiated. In Figure 4-1, Framed-Protocol is a reply item. The value of Framed-Protocol is PPP, indicating that bob uses PPP for his connection.

  If all check items in the user profile are satisfied by the access-request, the RADIUS server sends the reply items to the PortMaster to configure the connection.

       Matching User Profiles

  When a user logs in, the RADIUS server searches the users  file for a matching profile. The following components of a profile must match the access-request for authentication to occur:

  1. username

  2. password check item

  3. other check items

  The username matches if any  of the following conditions are met:

•  The username in the profile is identical to the login name in the access-request.
•  The username in the profile is DEFAULT  or DEFAULT #, where # is any integer. See "Default User Profiles" on page 4-4 for more information.

  The password matches if it is identical to that entered by the user. The password can be stored locally in the profile or remotely in a separate file. If you use an additional level of password security, you can specify the additional password authentication step in the profile.

  All check items specified in a profile also must be present in the access-request packet or satisfied by local system information, for a match to occur.

       Editing User Profiles

  User profiles are maintained in the users  file. On a UNIX host, use any text editor to edit the /etc/raddb/users  file.

       Default User Profiles

  When the RADIUS server receives a login name from a PortMaster, the server scans the users  file for a matching username, starting from the top of the file. If a match is located, RADIUS attempts to authenticate the user with the information in that user profile. If a matching user profile is not found during the scan, but a DEFAULT profile is located, RADIUS attempts to use the DEFAULT profile for authentication. The DEFAULT profile is typically used when the Auth-Type is System, SecurID, or ActivCard.

  Caution ¯ You must place DEFAULT profiles at the end of the users  file. RADIUS stops scanning profiles when a matching DEFAULT profile is found and ignores any user profiles located after a DEFAULT user profile.

  In the following example, user bob's password is stored in a system password file. When he attempts to connect to the network, RADIUS scans the users  file to determine if it contains a matching user profile. If a matching profile is not found before the DEFAULT profile is found, the DEFAULT profile is used. Because the DEFAULT profile includes Framed-Protocol = PPP  as a reply item, PPP is used for bob's connection

  DEFAULT Auth-Type = System

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Framed-IP-Address = 255.255.255.254,

  Framed-MTU = 1500

  RADIUS for UNIX 2.0 and later versions permit multiple DEFAULT user profiles. In place of a username, the first line of DEFAULT profiles start as follows:

•  DEFAULT , with all capital letters. You can use this for multiple DEFAULT profiles if the profiles include different check items.
•  If there are multiple default profiles you can append a number to the end of the profile name--for example, DEFAULT1, DEFAULT2, and so on:

    DEFAULT1 Auth-Type = System, Called-Station-Id = 9255551234

    (reply items)

   

    DEFAULT2 Auth-Type = System, Called-Station-Id = 9255554971

    (reply items)

  In the following example, the Prefix  and Suffix  check items distinguish between the DEFAULT profiles. See "Username Prefixes and Suffixes" on page 4-12 for more information on using prefixes and suffixes. When users add the prefix or suffix to their username, the RADIUS server matches them to the corresponding DEFAULT profile.

  In the example shown on the next page, assume that user bob's password is stored in a system password file and that there is no profile with a username of bob  in the RADIUS users  file.

  Suppose bob logs in as Pbob . When the first DEFAULT profile is found by RADIUS, the server strips the initial P  from Pbob  and looks in the system password file for a password associated with bob . If the password matches the one user bob entered, then he is authenticated as a PPP user.

  DEFAULT Auth-Type = System, Prefix = "P"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Framed-IP-Address = 255.255.255.254,

  Framed-MTU = 1500

 

  DEFAULT Auth-Type = System, Suffix = "%S"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = SLIP,

  Framed-IP-Address = 255.255.255.254,

  Framed-Compression = None,

  Framed-MTU = 1006

 

  DEFAULT Auth-Type = System

  Service-Type = Login-User,

  Login-IP-Host = 172.16.1.4

  Login-Service = Telnet

  If bob logs in as bob%S , the first DEFAULT profile is not used because there is no initial P  present in the login name. When the second DEFAULT profile is found by RADIUS, the server strips the ending %S  from bob%S  and looks in the system password file for a password associated with bob . If the password matches the one user bob entered, then he is authenticated as a SLIP user.

  If bob logs in as bob , the first two DEFAULT profiles are not used because the Prefix and Suffix check items do not match. When the third DEFAULT profile is found by RADIUS, the server looks in the system password file for a password associated with bob . If the password matches the one user bob entered, then he is authenticated as a Telnet user.

       Check Items

  Check items are used to authenticate the user. Table 4-1 describes all check items that can be used in RADIUS user profiles. Called-Station-Id, Calling-Station-Id, and Connect-Rate can be used as check items only if the RADIUS client is capable of sending them in an access-request. Called-Station-Id and Calling-Station-Id are supported over an ISDN Primary Rate Interface (PRI) on a PortMaster 3 running ComOS 3.7 or later and on a PortMaster 4 running ComOS 4.0 or later, and over an ISDN Basic Rate Interface (BRI) on other PortMaster products running ComOS 3.7 or later. Connect-Rate is supported only on a PortMaster 4 running ComOS 4.0 or later or a PortMaster 3 running ComOS 3.7 or later.

  Note ¯ Although it is not considered a check item, be sure that the username appears as the first item on the first, or check item, line of the user profile.

 

  Table 4-1 User Profile Check Items  

 

Item	Options	Explanation
Auth-Type	Local	User's password is stored in the RADIUS users file. Default.
	System	User's password is stored in a system password file.
	ActivCard	User is authenticated via ActivEngine software
	SecurID	User is authenticated via ACE/Server software.
	Reject	User always fails authentication.
Called-Station-Id	String of numerals	Telephone number called by user. Available in ComOS 3.7 for ISDN BRI and PortMaster 3 ISDN PRI. Available in ComOS 4.0 for PortMaster 4 ISDN PRI.
Calling-Station-Id	String of numerals	Telephone number user is calling from. Available in ComOS 3.7 for ISDN BRI and PortMaster 3 ISDN PRI. Available in ComOS 4.0 for PortMaster 4 ISDN PRI.
Connect-Rate	String of numerals	Maximum connection rate permitted, in bps. Available for the PortMaster 3 running ComOS 3.7 or later or the PortMaster 4 running ComOS 4.0 or later.
Crypt-Password	User's password	User's password is stored in UNIX crypt format. CHAP authentication attempts fail if Crypt-Password is used, even if the password is correct.
Expiration	Must be specified in "Mmm dd yyyy" format	Date that user's password expires.
Framed-Protocol	PPP	PPP is used for the connection.  Can also be used as a reply item.
Group	String of characters in double quotation marks (" ")	Groups that user belongs to.
NAS-IP-Address	IP address	PortMaster IP address.
NAS-Port	Number	The PortMaster port number that the user is dialed in to (for example, NAS-Port = S2).
NAS-Port-Type	ISDN	ISDN port.
	Async	Asynchronous port.
	Sync	Synchronous port.
	ISDN-V120	ISDN in V.120 mode.
	ISDN-V110	ISDN in V.110 mode.
Password	String of characters in double quotation marks (" ")	User's password.
Prefix	String of characters in double quotation marks (" ")	Removed from beginning of username before checking password.
Service-Type	Call-Check	Authenticates the user at the point of entry on a NAS before answering the call. The NAS must support an ISDN Primary Rate Interface (PRI). You must also configure the call-check feature on the NAS.
	Framed-User	User uses PPP or SLIP for the connection.  Can also be used as a reply item.
	Outbound-User	User makes outbound connections via Telnet.  Can also be used as a reply item.
Suffix	String of characters in double quotation marks (" ")	Removed from end of username before checking password.

       Passwords

  If you are using ComOS 3.5 or later, the user's local password can be up to 48 printable, nonspace, ASCII characters. If you are using an earlier version of ComOS, the password must not exceed 16 characters. The password check item must be contained within double quotation marks. In addition to the password itself, you can specify two different password characteristics in a user profile: the password's location and its expiration date.

 

Password Locations

  Use the Auth-Type check item to specify the type of authentication to use for a particular user. Auth-Type can be set to one of the following: Local, System, Reject, ActivCard, or SecurID. If this check item is omitted from the user profile, Local is used.

•  Local

    To indicate that a user's password is stored in the RADIUS users  file, use the Local  Auth-Type.

    To set the user's password, use the Password check item as shown in the following example line from a user profile:

    bob Auth-Type = Local, Password = "ge55ep"

    Note ¯ If no Auth-Type is specified in a profile, then the RADIUS server assumes Auth-Type = Local. Typically, you include the Password check item. If you do not include the Password item--that is, if no check items are specified in the profile--then the user is rejected.

•  System

    To indicate that a user's password is stored in a system password file, use the System Auth-Type:

    bob Auth-Type = System

    System can be a password file in UNIX, such as /etc/passwd , /etc/shadow , or a password map in NIS or NIS+. When the RADIUS server receives a username-password pair from the client and the Auth-Type = System, the server queries the operating system to determine if there is a matching username-password pair.

    The System Auth-Type is equivalent to the Password = "UNIX"  check item in RADIUS server version 1.16, which is also permitted in RADIUS server versions 2.0 and 2.1 for backward compatibility:

    bob Password = "UNIX"

•  ActivCard

    To specify that the user's password is to be authenticated by ActivCard, use the ActivCard Auth-Type:

    bob Auth-Type = ActivCard

    See Chapter 6, "Installing and Configuring ActivCard," for instructions.

•  SecurID

    To specify that the user's password is to be authenticated by a SecurID ACE/Server, use the SecurID Auth-Type:

    bob Auth-Type = SecurID

    To use a SecurID passcode, the RADIUS server must be configured as an ACE/Client and you must have an ACE/Server configured--either on the same or a different host. See Chapter 7, "Installing and Configuring SecurID," for instructions.

•  Reject

    To reject the user's authentication attempt without having to delete the user profile from the users  file, use the Reject Auth-Type:

    bob Auth-Type = Reject

    The Reject Auth-Type feature enables you to disable the user account temporarily.

    Note ¯ The RADIUS server rejects any access-request with an unknown Auth-Type and logs an error message.

 

Password Expiration Date

  To disable logins after a particular date, complete the following steps:

  1. Specify the date of expiration using the Expiration check item.

  The date must be specified in " Mmm dd yyyy"  format, as in the following example:

  bob Password = "ge55gep", Expiration = "Dec 04 1996"

  2. Edit the Password-Expiration and Password-Warning values in the dictionary to meet your security needs.

  For example

  VALUE Server-Config Password-Expiration 30

  VALUE Server-Config Password-Warning 5

  The first parameter, Password-Expiration, turns on expiration if the value is greater than 0 (zero), but has no other effect.

  Password-Warning controls when users are notified that their accounts are about to expire. In the example above, users receive warning messages when they log in, starting 5 days before their password expiration date.

  You can turn account expiration off by making these two lines in the RADIUS dictionary into comments.

  Note ¯ A mechanism to permit users to change their passwords is outside the scope of RADIUS.

  3. If you modified the dictionary file, stop and restart the radiusd daemon.

       Password Encryption

•  Use the Crypt-Password check item if you store the user's password in UNIX crypt format:

    bob Crypt-Password = "ijFYNcSNctBYg"

  The PortMaster RADIUS client encrypts the password that the user enters at login and sends the encrypted password to the RADIUS server. The server compares this password with the encrypted password stored in one of the following locations:

•  The user profile in /etc/raddb/users , if Auth-Type = Local
•  A system password file, such as /etc/passwd  or /etc/shadow , if Auth-Type = System

  The encrypted password in this example corresponds to a password of abcdefgh. You must use the UNIX crypt  command to encrypt user passwords to store in the user profile. The UNIX passwd  command encrypts passwords and stores them in the system password file.

  Note ¯ Crypt-Password can be used with scripted logins or with PAP. It cannot be used with CHAP.

       Username Prefixes and Suffixes

  Use the Prefix and Suffix check items to allow a network user to access multiple services by adding a series of characters to the beginning or end of his username. Prefix and suffix strings must consist of 16 or fewer printable, nonspace, ASCII characters. The prefix and suffix strings must be contained within double quotation marks.

  When a user logs in, the RADIUS server searches through the users  file for a profile that matches the login. If a profile has a Prefix or Suffix check item, the server strips away the specified prefix or suffix character(s) from the login name before checking the password. If the server does not find a profile that matches the login, the RADIUS server tries to match the login against a DEFAULT user profile.

  Consider the following example users  file:

  Pliesel Auth-Type = System, Prefix = "P"

  Framed-Protocol = PPP,

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-IP-Address = 255.255.255.254,

  Filter-Id = "firewall",

  Framed-MTU = 1500

  DEFAULT Auth-Type = System, Suffix = "%slip"

  Framed-Protocol = SLIP,

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-IP-Address = 255.255.255.254,

  Filter-Id = "firewall",

  Framed-MTU = 1500

  In this example, liesel's username and password are stored in a system password file. If liesel specifies a username of Pliesel  when attempting to connect to the PortMaster, the RADIUS server looks up the username. When the profile for Pliesel  is found, the Prefix check item matches because the login name begins with a P . This cues the server to strip away the specified prefix character and check the system password file for liesel's password. If a password match is found, Pliesel  is connected as a PPP user.

  If liesel specifies a username of liesel%slip  when she logs in, the RADIUS server finds no match until it gets to the DEFAULT entry. The Suffix check item matches because the login name ends with %slip . This cues the server to strip away the specified suffix characters and check the system password file for liesel's password. The server next checks the system password for liesel. If a password match is found for liesel, liesel%slip  is connected as a SLIP user.

  In the next example, the users  file has no provision for username prefixes:

  liesel Auth-Type = System

  Framed-Protocol = PPP,

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-IP-Address = 255.255.255.254,

  Filter-Id = "firewall",

  Framed-MTU = 1500

 

  DEFAULT Auth-Type = System, Suffix = "%slip"

  Framed-Protocol = SLIP,

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-IP-Address = 255.255.255.254,

  Filter-Id = "firewall",

  Framed-MTU = 1500

  Again, liesel's username and password are stored in a system password file. Suppose liesel logs in as Pliesel . There are no profiles with a username of Pliesel  or a Prefix check item specifying P . The RADIUS server cannot find a matching user profile and rejects the connection attempt.

  Prefixes and suffixes are most useful when defined in a DEFAULT user profile. See "Default User Profiles" on page 4-4 for information on using prefixes and suffixes in a DEFAULT profile.

       Called-Station-Id

  You can use the number that the user is calling as a check item. Suppose user mario calls in using your toll-free access number, 1-800-555-4973. With the user profile shown in the following example, mario fails authentication. He can only be authenticated if he calls in to 510-555-1234.

  mario Password = "ge55gep", Called-Station-Id = "5105551234"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP

  Note ¯ Use of the Called-Station-Id check item requires that the Called-Station-Id attribute be included in the access-request. A PortMaster 4 running ComOS 4.0 or later and a PortMaster 3 running ComOS 3.7 or later send this attribute--if it is available--to the RADIUS server as part of the access-request. Other PortMaster products running ComOS 3.7 or later send this information as part of the access-request over ISDN Basic Rate Interfaces (BRIs). If the Called-Station-Id attribute is not sent, the Called-Station-Id check item fails to match and the user is rejected.

       Calling-Station-Id

  You can use the number that the user is calling from as a check item. In the following example, cissy is authenticated if she calls from 209-555-5678. If she calls from any other number, she fails authentication.

  cissy Password = "ge55gep", Calling-Station-Id = "2095555678"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP

  Note ¯ Use of the Calling-Station-Id check item requires that the Calling-Station-Id attribute be included in the access-request. A PortMaster 4 running ComOS 4.0 or later and a PortMaster 3 running ComOS 3.7 or later send this attribute--if it is available--to the RADIUS server as part of the access-request. Other PortMaster products running ComOS 3.7 or later send this information as part of the access-request if the user is connecting to an ISDN BRI port. If the Calling-Station-Id attribute is not sent, the Called-Station-Id check item fails to match and the user is rejected.

       Client Information

  Use the NAS-IP-Address check item to specify the IP address of a particular PortMaster. When this setting is used as a check item in a user profile, the user must be attempting to start a connection on the specified PortMaster for the connection to succeed.

  Use the NAS-Port check item to specify a particular PortMaster port. To be successfully authenticated, the user must be attempting to log in to this port:

  bob Password = "ge55gep", NAS-Port = 23

  Use the NAS-Port-Type check item to specify the type of port. Options for the NAS-Port-Type are as follows: Analog , Async , Sync , ISDN , ISDN-V120 , or ISDN-V110 . The PortMaster must run ComOS release 3.3.1 or later to support NAS-Port-Type.

  The following example displays a user profile containing the NAS-IP-Address and NAS-Port-Type settings:

  bob Password = "ge55gep", NAS-IP-Address = 192.168.1.54, NAS-Port-Type = ISDN

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP

       Connect-Rate

  The Connect-Rate check item can be used with PortMaster 3 and PortMaster 4 clients. Use this to specify the maximum connection rate permitted for a user.

  In the following example, with a connection rate of 28800bps, babar fails authentication if he attempts to connect to the PortMaster 3 at a higher rate--for example, 33600bps or 56000bps:

  babar Auth-Type = System, Connect-Rate = 28800

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP

  You can use this check item to restrict access to users of low-speed modems. In the following example, any user dialing in with a connection rate less than or equal to 14399bps is rejected:

  DEFAULT Auth-Type = Reject, Connect-Rate = 14399

  Service-Type = Framed-User

  Note ¯ Use of the Connect-Rate check item requires that the Connect-Info attribute be included in the access-request. The PortMaster 4 running ComOS 4.0 or later and the PortMaster 3 running ComOS 3.7 or later send the Connect-Info attribute as part of the access-request. If Connect-Info is not sent, the Connect-Rate check item is ignored.

       Framed-Protocol

  Framed-Protocol is primarily used as a reply item, but you can also use the Framed-Protocol check item in the user profile for PPP autodetection by the PortMaster:

  bob Auth-Type = System, Framed-Protocol = PPP

  See "Configuring a PPP or SLIP User" on page 4-25 for more information.

       Group

  You can define a group  of users to restrict authentication when specifying Auth-Type = System. If a user profile contains the Group check item, only users that are defined as members of the specified group are authenticated.

  The Group string consists of up to 63 printable, nonspace, ASCII characters. The group must be contained within double quotation marks.

  If you specify multiple groups in a user profile, the user must be a member of every group specified to be authenticated. In the following example, user ann is authenticated only if ann is a member of both the engineer group and the hardware group:

  ann Auth-Type = System, Group = "engineer", Group = "hardware"

  On UNIX hosts, groups are defined in /etc/group  or via NIS. Refer to your system documentation for instructions on creating groups and adding members to groups.

       Service-Type

  Service-Type is generally used as a reply item, but it can be used with either of the following values as a check item. See "Specifying the Type of Service" on page 4-22 for more information on the Service-Type reply item.

 

Call-Check

  You can authenticate a user before the NAS accepts the call by specifying the Call-Check value for Service-Type.

  5105551234 Service-Type = Call-Check, Calling-Station-Id = "5105551234"

  You can determine whether to answer a call based upon the values for the Calling-Station-Id or the Called-Station-Id check items. Some example uses of Call-Check are the following:

•  Service class support

    ¯ For example, a service provider can offer toll-free dial-up service and minimize toll charges incurred over the toll-free number. Call-Check allows the service provider to answer the call based upon the Calling-Station-Id (the number from which the call originated). If a call does not come from a calling station assigned to the toll-free service, the PortMaster returns a busy signal rather than accepting the call. The service provider avoids incurring charges associated with answering the call if the caller (calling station) is not defined for this service. This service also provides an additional means of security by ensuring that a user dials in from a specified number, removing the need for dialback users.

    ¯ Another example of a service class support is guest dial-up, where a service provider allows guests to dial up via a specified called number--Called-Station-Id.

•  TCP-Clear tunneling

    TCP-Clear tunnels are similar to Layer 2 Tunneling Protocol (L2TP) tunnels, but are available only on PortMaster products. TCP-clear tunnels can be established for SLIP, asynchronous, and PPP connections.

  You can enable the call-check feature on a PortMaster supporting an ISDN Primary Rate Interface (PRI), such as the PortMaster 3 or PortMaster 4. The setup packet sent by the telephone company or line provisioner to the NAS includes the Called-Station-Id (the number dialed), Calling-Station-Id (the number the user is dialing from), or both. These numbers are available over the D channel of a PRI. The PortMaster sends a RADIUS access-request to the server for any incoming call before accepting the call. The access-request packet includes the following:

•  Attribute User-Name set to the value of the Calling-Station-Id, if known, or to "No-Call-Id".
•  Attribute Service-Type set to Call-Check
•  Attribute Called-Station-Id set to the number called

  For example, a PortMaster 3 supports call-check and expects to receive one of the following replies to an access-request:

•  RADIUS access-accept with the reply items to configure the session, such as connecting the user via a netdata  connection to a given host and TCP port.
•  RADIUS access-accept with no reply items. This reply instructs the NAS to accept the call and apply the usual RADIUS authentication process to the login.
•  RADIUS access-reject to reject the call.

 

Framed-User

  You can use the Service-Type = Framed-User check item to authenticate users who make their connections using PPP.

 

Outbound-User

  Use the Service-Type = Outbound-User check item to restrict a user to outbound accesses to network device ports. You must use the same attribute and value-- Service-Type = Outbound-User--as a reply item in the user profile. See "Granting a User Outbound Telnet Access" on page 4-34 for more information.

       Reply Items

  Reply items can authorize or apply any of the following: type of service provided, callback information, routing information, connection protocol, timeouts, port limits, menus, maximum MTU, filters, remote login information, and termination menus. Table 4-2 summarizes the reply items you can include in user profiles.

  Table 4-2 User Profile Reply Items  

 

Item	Options	Explanation
Callback-Id	Location name in double quotation marks (" ")	Specify only for Service-Type = Callback-Framed-User. Location must be in PortMaster location table.
Callback-Number	Phone number in double quotation marks (" ")	Specify only for Service-Type = Callback-Login-User.
Filter-Id	Filter name	Filter name to be used for packet or access filtering on the interface.
Framed-Compression	None	If this reply item is omitted, Van Jacobson TCP/IP header compression is used.
	Van-Jacobson-TCP-IP	Van Jacobson TCP/IP header compression is used for the connection. Default.
Framed-IP-Address	IP Address	The user's IP address.
Framed-IP-Netmask	Netmask	The user's netmask.
Framed-IPX-Network	Dotted decimal IPX network number	IPX network number.
Framed-MTU	Number	Number of bytes in maximum transmission unit (MTU).
Framed-Protocol	PPP	PPP is used for the connection.  Can also be used as a check item.
	SLIP	SLIP is used for the connection.
Framed-Route	Destination IP address	The IP address of the destination network.
	Gateway IP address	The IP address of the gateway to the destination network.
	Metric	The number of routing hops to the destination network. Also known as the hop count.
Framed-Routing	None	Disables RIP on the interface.
	Broadcast	The interface sends RIP updates.
	Listen	The interface listens for RIP updates.
	Broadcast-Listen	The interface sends and listens for RIP updates.
Idle-Timeout	In seconds	Specifies the idle time limit for a session.
Login-IP-Host	IP address	Address of the remote host.
Login-Service	Telnet	Establishes a Telnet connection to the remote host.
	Rlogin	Establishes an rlogin connection to the remote host.
	TCP-Clear	Establishes a TCP clear connection to the remote host.
	PortMaster	Establishes a connection to the remote host using the PortMaster login service.
Login-TCP-Port	TCP port number	TCP port number of the Login-Service.
Menu	Menu name in double quotation marks (" ")	Defines a menu in a user record. See Chapter 5, "Configuring RADIUS Menus."
Port-Limit	Number of B channels for ISDN Multilink PPP or Multilink V.120	Specifies the maximum number of B channels a user can use.
Session-Timeout	In seconds	Specifies the time limit for a session.
Service-Type	Administrative-User	Grants user full access to all configuration commands.
	Callback-Login-User	Calls user back and connects via Telnet, rlogin , PortMaster, or TCP-Clear login service.
	Callback-Framed-User	Calls user back and establishes a framed connection (PPP or SLIP). Location must be specified in PortMaster location table.
	Framed-User	User uses PPP or SLIP for the connection.  Can also be used as a check item.
	Login-User	User connects via Telnet, rlogin , PortMaster, or TCP-Clear login service.
	NAS-Prompt-User	Grants user limited access to commands (nonconfiguration only).
	Outbound-User	User makes outbound connections via Telnet.  Can also be used as a check item.
Termination-Menu	Menu name in double quotation marks (" ")	Menu to display after service is terminated.

       Specifying the Type of Service

  You must specify characteristics of the service that is provided to the user by specifying the desired Service-Type in each user profile. The reply items in each user profile determine how the user's session is configured on the PortMaster. Table 4-3 defines each Service-Type value. Refer to the sections following the table for information on how and why you would use each one.

  Table 4-3 Service-Type  

 

Service-Type	Explanation
Administrative-User	The PortMaster grants the user a full administrative login--as if the user had logged in using !root . The user has full configuration ability and access to all operating system commands.  This Service-Type is available only with ComOS 3.5 or later versions. for more information about this value, see "Granting a User Administrative Rights" on page 4-24.
Callback-Framed-User	The PortMaster verifies the user's identity by disconnecting the port and dialing the user back using a specified location table entry. When the user's identity is verified, PPP or SLIP is used for the connection.  To specify the callback location, see "Using Callback to Authenticate a User" on page 4-24.
Callback-Login-User	The PortMaster verifies the user's identity by disconnecting the port and dialing the user back at a specified number. The user's identity must be verified before the connection is permitted.  To specify the callback location, see "Using Callback to Authenticate a User" on page 4-24.
Call-Check	You can enable services without authenticating the user at the point of entry on a PortMaster that supports an ISDN Primary Rate Interface (PRI), such as the PortMaster 3. You must also configure the call-check feature on the PortMaster.  For more information on this value, see "Call-Check" on page 4-17.
Framed-User	The user makes a connection via PPP or SLIP. See "Configuring a PPP or SLIP User" on page 4-25.
Login-User	The user connects via the Telnet, rlogin , or PortMaster service (in.pmd ), or via TCP-Clear (netdata ). See "Configuring a Login User" on page 4-31
NAS-Prompt-User	The PortMaster grants the user a limited administrative login. A PortMaster user can use the following commands: ifconfig , ping , ptrace , reboot , reset , set  console , set  debug , show , traceroute , and any nonconfiguration commands.  The following commands are not permitted on a PortMaster: add , delete , erase , save , tftp , and any set  commands except set  console  or set  debug .  This Service-Type is available only with ComOS 3.5 or later versions. See "Granting a User Administrative Rights" on page 4-24.
Outbound-User	The user uses Telnet for outbound connections. See "Granting a User Outbound Telnet Access" on page 4-34.

  Note ¯ If the RADIUS for UNIX server is used with a NAS other than a PortMaster product, the Administrative-User and NAS-Prompt-User Service-Types must not be used unless the other vendor's implementation of these types is compatible with the Lucent InterNetworking Systems implementation. The remainder of this appendix explains how to set reply items on a PortMaster NAS. Remember, you must  own at least one PortMaster product to legally use Lucent RADIUS.

 

Granting a User Administrative Rights

  You can grant a user administrative access to a PortMaster running ComOS 3.5 or later by specifying either of the following values for Service-Type:

•  Administrative-User
•  NAS-Prompt-User

  Administrative-User . You can grant a user full PortMaster administrative ability by specifying Service-Type = Administrative-User. The user can configure the PortMaster client and can use all PortMaster commands.

  bob Password = "ge55gep"

  Service-Type = Administrative-User

  NAS-Prompt-User . You can grant a user limited PortMaster administrative ability by specifying Service-Type = NAS-Prompt-User value. The user can use the following commands: ifconfig , ping , ptrace , reboot , reset , set  console , set  debug , show , and traceroute .

  bob Password = "ge55gep"

  Service-Type = NAS-Prompt-User

  The user cannot configure the PortMaster client and cannot use these commands: add , delete , erase , save , tftp , and any set  commands except set console  or set debug .

 

Using Callback to Authenticate a User

  You can authenticate a user with callback by specifying either of the following values for Service-Type:

•  Callback-Framed-User
•  Callback-Login-User

  Callback-Framed-User . When a user's Service-Type is Callback-Framed-User, you must specify a location using the Callback-Id reply item.

  elfego Password = "ke$&54su"

  Service-Type = Callback-Framed-User,

  Callback-Id = "elfego_home"

  After the RADIUS server authenticates elfego, it sends an access-accept message including the Callback-Id to the PortMaster. The PortMaster checks its local location table; if there is a matching location name, it makes the connection using that location's settings.

  Note ¯ To create location table entries, see the information on configuring dial-out locations in the PortMaster Configuration Guide. 

  Callback-Login-User.  When a user's Service-Type is Callback-Login-User, you must specify a telephone number using the Callback-Number reply item.

  elfego Password = "ke$&54su"

  Service-Type = Callback-Login-User,

  Callback-Number = "9,1-800-555-1234"

  After the RADIUS server authenticates the user, it sends an access-accept message including the Callback-Number to the PortMaster. The PortMaster calls the user back at the specified number. The PortMaster follows the ATDT command set. It ignores hyphens in the number received from RADIUS and treats commas as pauses. If the user is reached successfully, the PortMaster prompts the user to reenter the password and then sets up the connection.

  When a user's Service-Type is Callback-Login-User or Login-User, you can supply additional information:

•  Service used to connect to the host--See "Configuring a Login User" on page 4-31.
•  Name or IP address of the remote host--See "Login-IP-Host" on page 4-32.
•  TCP port number--See "Login-TCP-Port" on page 4-33.

 

Configuring a PPP or SLIP User

  Specify Service-Type = Framed-User if the user is making the connection via PPP or SLIP. You must add the Framed-Protocol reply item to the user profile and specify whether PPP or SLIP is used.

  jake Auth-Type = System

  Service-Type = Framed-User,

  Framed-Protocol = SLIP,

  Framed-MTU = 1006,

  Filter-Id = "firewall"

  Framed-Protocol can also be used as a check item for PPP autodetection by the PortMaster. See "Framed-Protocol" on page 4-16 for more information on the Framed-Protocol check item.

  You can specify a packet filter to be used for each PPP or SLIP session, as shown here. See "Applying Packet Filters" on page 4-30 for more information. Access filters are applied to login users; see "Applying Access Filters" on page 4-34 for information.

  Use the Framed-MTU reply item to configure the number of bytes in the maximum transmission unit (MTU) for a user's connection. Framed-MTU is used only for PPP and SLIP connections. For PPP connections, Framed-MTU can be between 100 and 1520 bytes. SLIP connections can have an MTU between 100 and 1006 bytes. On IPX networks, set Framed-MTU to at least 600 bytes.

  Note ¯ If PPP negotiates an MTU for the connection, the Framed-MTU setting is ignored.

       Enabling and Disabling Compression

  Van Jacobson TCP/IP header compression is enabled by default. To disable compression, set the Framed-Compression value to None .

  Framed-Compression = None

  To reenable compression, set the Framed-Compression value to Van-Jacobson-TCP-IP .

  Framed-Compression = Van-Jacobson-TCP-IP

       Specifying an IP Address for the User

  Use the Framed-IP-Address reply item to specify the user's IP address:

  jake Auth-Type = System

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Framed-IP-Address = 172.28.1.1

  When Framed-IP-Address is set to 255.255.255.255, the PortMaster negotiates the address with the end node (dial-in user). When it is set to 255.255.255.254 (or omitted), the PortMaster assigns an IP address to the dial-in user from the assigned address pool.

  Note ¯ To create an assigned address pool for the PortMaster, use the set assigned_address  Ipaddress command on the PortMaster, where Ipaddress is the first IP address in the address pool. See the PortMaster Configuration Guide for more information on assigned address pools.

       Applying a Subnet Mask to the Address

  Use the Framed-IP-Netmask reply item as follows to specify a subnet mask. The subnet mask is applied to the address specified for the user in the Framed-IP-Address reply item. The PortMaster uses the specified value to update its routing table when the user logs in.

  jake Auth-Type = System

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Framed-IP-Address = 192.168.10.232,

  Framed-IP-Netmask = 255.255.255.192

  In this example, a netmask of 255.255.255.192 is used. The user is allocated a 64-host subnet. The subnet allocated to jake includes hosts with addresses from 192.168.10.193 through 192.168.10.255.

  If this reply item is omitted, the default subnet mask of 255.255.255.255 is used. Use the Framed-IP-Netmask reply item with caution because it affects both routing and Proxy Address Resolution Protocol (Proxy ARP) on the PortMaster. Using Framed-IP-Netmask adds a temporary route to the routing table on the PortMaster. See the PortMaster Routing Guide for more information.

  Note ¯ This reply item requires ComOS 3.5 or later. You must use the set user-netmask on  command to enable the PortMaster to use the netmask value. If the command set user-netmask off  has been issued on the PortMaster, the default subnet mask of 255.255.255.255 is applied to all connections regardless of what the RADIUS server returns. Before using this reply item, read about the set user-netmask  command in the PortMaster Configuration Guide or the PortMaster Command Line Reference.

       Adding a Route to the PortMaster Routing Table

  Use the Framed-Route reply item to add a route to the PortMaster routing table when service to the user begins. Three pieces of information are required: the destination IP address, gateway IP address, and metric (hop count).

  jake Auth-Type = System

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Framed-IP-Address = 172.28.1.1,

  Framed-Route = "172.28.1.0 172.28.1.1 1"

  In this example, 172.28.1.0 is the IP address of a destination network, 172.28.1.1 is the IP address of the gateway for this network, and 1 is the metric.

  If 0.0.0.0 is specified as the gateway IP address, the user's specific IP address is substituted for the gateway.

  In ComOS 3.5 or later, you can use the classless interdomain routing (CIDR) format for the Framed-Route, which identifies the number of high-order bits in the destination IP address, as shown in the following example.

  jake Auth-Type = System

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Framed-IP-Address = 172.28.1.1,

  Framed-Route = "172.28.1.0/28 172.28.1.1 1"

  See the PortMaster Configuration Guide for more information on CIDR.

       Configuring RIP on the User's Interface

  Use the Framed-Routing reply item to control how Routing Information Protocol (RIP) is used on the user's interface. Table 4-4explains RIP options.

  Table 4-4 Framed-Routing Options 

 

Option	Explanation
None	Disables RIP on the interface.
Broadcast	The interface sends RIP updates.
Listen	The interface listens for RIP updates.
Broadcast-Listen	The interface sends and listens for RIP updates.

  In the following example, Framed-Routing is set to None  so that the interface neither sends nor listens for RIP updates.

  sri Password = "4r2tkgbp"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP

  The usefulness of the Idle-Timeout reply item is reduced if RIP is active on the user's interface because updates are sent every 30 seconds, keeping the port active rather than idle. See "Idle-Timeout" on page 4-36 for information on the Idle-Timeout reply item.

  Typically, Framed-Routing is set to None  for user connections, and is set to Broadcast  or Broadcast-Listen  for connections to routers that require routing updates via RIP. See the PortMaster Routing Guide and the PortMaster Command Line Reference for more information.

       Configuring an IPX Network Connection

  When an IPX network is used for a particular user's connection, you must include the Framed-IPX-Network reply item in the user profile. The PortMaster supports IPX over PPP.

  Specify Framed-IPX-Network in dotted decimal notation (xx.xx.xx.xx). For example, the hexadecimal network number 123456 must be expressed as 0.18.52.86.

  ajit Password = "testing"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Framed-IPX-Network = 0.18.52.86

  On a UNIX system, the following Perl script converts an IPX hexadecimal network number to dotted decimal notation:

  #!/usr/local/bin/perl

  # hex - convert ip addresses to hexadecimal and vice versa

  for (@ARGV) {

  if (/\./) { # convert . to hex

  @octets = split(/\./,$_);

  for $octet (@octets) {

  printf "%02X",$octet;

  }

  print "\n";

  } else { # convert hex to .

  $buf = '';

  while (s/\w\w//) {

  $buf .= hex($&).'.';

  }

  $buf =~ s/\.$/\n/;

  print $buf;

  }

  }

       Applying Packet Filters

  Use the Filter-Id reply item to associate packet filters with each PPP or SLIP user authenticated with RADIUS. In the following example, the firewall  filter is used during a connection:

  rakshah Password = "yj8hg355"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Filter-Id = "firewall"

  For the Filter-Id attribute to initiate filtering, the filter must be previously defined on the PortMaster and the rule set must contain at least one rule. If you specify a Filter-Id in the user profile, but do not define the filter, then no filtering is performed. If you define the filter, but do not create any rules in the filter, then no filtering is performed.

  You must define filters in the filter table on each PortMaster that the user accesses, unless you are using ChoiceNet. See the ChoiceNet Administrator's Guide for information on ChoiceNet and how it provides storage for filters in a central site.

  To control whether the filter restricts incoming or outgoing traffic, the filter defined on the PortMaster must have an .in  or .out  suffix attached to its name. In the previous example, the filter firewall.in  is used as a filter for packets entering the PortMaster via the interface, and firewall.out  is used as an output filter for packets leaving the PortMaster via the interface.

  Do not specify the .in  and .out  suffixes in the user profile. When a user dials in to the PortMaster, the .in  or .out  suffix is automatically appended to the filter name provided by RADIUS for UNIX.

  Note ¯ To configure filters on a PortMaster, see the information on configuring filters in the PortMaster Configuration Guide. Filters specified in RADIUS for UNIX can also be dynamically loaded via ChoiceNet. For more information see the ChoiceNet Administrator's Guide.

       Configuring a Login User

  If the user is logging in to your system, specify either of the following values for Service-Type:

•  Callback-Login-User 

    Specify Callback-Login-User when you want to call the user back to at a specified telephone number before authorizing service. See "Using Callback to Authenticate a User" on page 4-24.

•  Login-User 

    Specify Login-User for all other login connections:

    sri Auth-Type = System

    Service-Type = Login-User

  You can specify an access filter to be used for each login session. See "Applying Access Filters" on page 4-34.

  When a user's Service-Type is Callback-Login-User or Login-User, you can supply additional information:

•  Service used to connect to the host
•  Name or IP address of the remote host
•  TCP port number.

 

Login-Service

  When a user's Service-Type is Login-User or Callback-Login-User, you can use the Login-Service reply item to specify the service used to connect to the host.

  If you do not use this reply item, the PortMaster login service is used by default. Table 4-5 describes all Login-Service values.

  Table 4-5 Login-Service 

 

Login-Service	Description
Telnet	Establishes a Telnet connection to the remote host. Port 23 is the default.
Rlogin	Establishes an rlogin  connection to the remote host.
TCP-Clear	Establishes a TCP clear connection to the remote host. 8-bit data is passed through this connection without interpretation. This option is the equivalent of the netdata  login service on the PortMaster. Port 6000 is the default.
PortMaster	Establishes a connection to the remote host using the PortMaster login service. To use this setting with UNIX versions of RADIUS, you must install the in.pmd  daemon on the remote host.

 

Login-IP-Host

  When a user's Service-Type is Login-User or Callback-Login-User, you can use the Login-IP-Host reply item to specify the name or IP address of the remote host. You can specify more than one host by using multiple Login-IP-host attributes.

  If you do not use this reply item to specify a remote host, the PortMaster default host is used. See the PortMaster Command Line Reference for information on setting the default host.

  In following example, the user is authenticated and then called back at the Callback-Number. If this call is successfully authenticated, a Telnet connection to host 192.168.1.76 is established.

  uma Password = "gk4u4p"

  Service-Type = Callback-Login-User,

  Login-IP-Host = 192.168.1.76,

  Login-Service = Telnet,

  Callback-Number = "9,1-800-555-1234"

  If Login-IP-Host is set to 0.0.0.0 or omitted, the host defined for the port in the PortMaster is used. If Login-IP-Host is set to 255.255.255.255, the user must enter the hostname or the host's IP address at the host:  prompt that appears.

  If the user is to log in to a particular TCP port on the remote host, specify the port number with the Login-TCP-Port reply item. See "Login-TCP-Port" on page 4-33.

 

Login-TCP-Port

  When a user's Service-Type is Login-User or Callback-Login-User, you can use the Login-TCP-Port reply item to specify the port number if the user is to log in to a particular TCP port on the remote host. This reply item is often used with the Outbound-User reply item (see "Granting a User Outbound Telnet Access" on page 4-34) and the Login-IP-Host reply item (see "Login-IP-Host" on page 4-32).

  In following example, the user is authenticated and then called back at the Callback-Number. If authentication is successful, a Telnet connection to port 6220 on host 192.168.1.76 is established.

  uma Password = "gk4u4p"

  Service-Type = Callback-Login-User,

  Login-IP-Host = 192.168.1.76,

  Login-Service = Telnet,

  Login-TCP-Port = 6220,

  Callback-Number = "9,1-800-555-1234"

  If Login-TCP-Port is omitted, the port defined for Telnet service on the PortMaster is used. The default port number for Telnet is 23.

 

Applying Access Filters

  An access filter is a filter associated with a login user. Use the Filter-Id reply item to associate an access filter with a host prompt login user authenticated with RADIUS for UNIX. In the following example, the restricthost  filter is used to restrict the hosts that the user can access during a connection:

  sunil Password = "76patel5rj"

  Service-Type = Login-User,

  Login-IP-Host = 255.255.255.255,

  Login-Service = Telnet,

  Login-TCP-Port = 23,

  Filter-Id = "restricthost"

  Note ¯ Access filters only restrict the host(s) a user can access. They do not restrict what the user can access from that host.

  For the Filter-Id attribute to initiate filtering, the filter must be previously defined and the rule set must contain at least one rule. If you specify a Filter-Id in the user profile, but do not define the filter, then no filtering is performed. If you define the filter, but do not create any rules in the filter, then no filtering is performed.

  You must define access filters in the filter table on each PortMaster the user accesses, using the same name as the Filter-Id. The access filter name defined in the user profile must be exactly the same as the filter name defined on the PortMaster. The PortMaster does not append an extension to the name of an access filter, unlike packet filters.

  Note ¯ ChoiceNet cannot be used with access filters.

       Granting a User Outbound Telnet Access

  Specify Service-Type = Outbound-User to enable a user to gain outbound access to network device ports using Telnet. This feature is supported in ComOS version 3.3.2 or later. To use this feature, you must set the relevant asynchronous ports on your PortMaster as either host-controlled devices, using the command set  S0 device  Device network  Mode, or as devices capable of two-way operation, using the command set  S0 twoway  Device network  Mode. See the PortMaster Command Line Reference for more information on setting the PortMaster port type.

  To restrict users to outbound access, the user profile must include this same attribute and value--Service-Type = Outbound-User--as a check item. The Login-TCP-Port setting can be used to specify the TCP port for the connection; the port number must be between 10000 and 10100 inclusive.

  roxy Password = "ge55gep", Service-Type = Outbound-User

  Service-Type = Outbound-User,

  Login-Service = Telnet,

  Login-TCP-Port = 10000

  In this example, when roxy attempts an outbound connection, the PortMaster client checks its local user table for an entry for the user. If roxy is not found in the user table, the PortMaster sends an access-request to the RADIUS server indicating that roxy is an Outbound-User.

  The RADIUS for UNIX server examines roxy's profile in the users  file. If Outbound-User is included as a reply item, the PortMaster is notified to permit the connection.

  Configure the PortMaster as shown in the following example. This example configures port S1; however, you can configure multiple ports to listen at different TCP port numbers or at the same TCP port number to create a pool of devices.

  Command> set s1 device /dev/network 

  Command> set s1 service_device telnet 10000 

  Command> set s1 modem off 

       Setting Timeouts

  You can apply the following two kinds of timeouts to any session:

•  Idle-Timeout
•  Session-Timeout

    Note ¯ Idle-Timeout and Session-Timeout values are specified in seconds  in the RADIUS user profiles. Timeout values set directly on the PortMaster using the PortMaster command line interface or the PMVision^TM graphical user interface (GUI) are specified in minutes , by default.

 

Idle-Timeout

  Use Idle-Timeout to specify the number of seconds a session can be idle before it is disconnected. Idle-Timeout can range from 2 seconds to 14400 seconds (4 hours) and is rounded down to a multiple of 60 if greater than 240.

  Note ¯ An Idle-Timeout value of 0  in the user profile is overridden by the Idle-Timeout setting configured on the PortMaster. Any Idle-Timeout value in the user profile greater than zero overrides the Idle-Timeout setting configured on the PortMaster.

  In this example, if the session is inactive longer than 600 seconds (10 minutes), greta is disconnected.

  greta Password = "ge55gep"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Idle-Timeout = 600

  Note ¯ The effectiveness of the Idle-Timeout reply item can be reduced if RIP is active on the user's interface because updates are sent every 30 seconds, keeping the port active rather than idle. See "Configuring RIP on the User's Interface" on page 4-29 for information on using the RIP reply item.

 

Session-Timeout

  Use Session-Timeout to specify the time limit for a session. If this reply item appears in a user profile, the user is disconnected when the time limit is reached. Session-Timeout is specified as a particular number of seconds, up to a maximum of 31536000 (1 year).

  In the following example, adil is automatically disconnected after 7200 seconds (2 hours):

  adil Password = "khan235f3"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Session-Timeout = 7200

  Suppose you want to impose a time limit on connections to a particular port. For example, you want to provide a means for users to only check their email (using a filter) and don't want the users tying up the port. In the following example, users connected on port 10 of NAS 10.10.10.1 are automatically disconnected after 600 seconds (10 minutes):

  DEFAULT Auth-Type = System, NAS-IP-Address = 10.10.10.1, NAS-Port = 10

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Session-Timeout = 600,

  Filter-Id = "emailonly"

       Using Menus

  You can specify menus to be used when the user is authenticated or when the user ends a session. See Chapter 5, "Configuring RADIUS Menus," for more information.

 

Menu

  Use the Menu reply item to call a menu by reference. The Menu reply item is the only reply item in the user profile when a menu is referenced.

  DEFAULT Auth-Type = System

  Menu = "menu1"

  In this example, after the user is authenticated, the menu1  menu  is displayed and the user is prompted to make a selection. When the user selects a menu option, the corresponding service is provided.

 

Termination-Menu

  Use Termination-Menu to present a menu to the user when the service ends. If a Termination-Menu reply item is not included in the user profile, the user is disconnected immediately after a SLIP, PPP, or login session.

  mia Password = "soon86yee"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Termination-Menu = "mainmenu"

  Note ¯ If you want to disconnect the line when the service ends, do not use the Termination-Menu attribute.

       Controlling the Number of Available Ports

  Use the Port-Limit reply item to control the maximum number of ports available for a Multilink PPP or Multilink V.120 connection. Port-Limit applies only to ISDN and (with ComOS 3.8 or later) asynchronous connections; other connection types are not affected.

  The Port-Limit value can be as high as the maximum number of B channels available for the ISDN ports. For example, if a PortMaster has 15 ISDN BRI ports, the Port-Limit value can be as high as 30.

  In the following example, red's connection can use only one B channel:

  red Password = "9pg$lac", NAS-Port-Type = ISDN

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Port-Limit = 1

  Note ¯ The Port-Limit reply item only limits multilink connections. It does not prevent simultaneous logins.

       Using RADIUS with PAP and CHAP

  You can use RADIUS with Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).

       PAP

  The PortMaster sends the PAP ID and password to the RADIUS server in an access-request packet as the User-Name and User-Password. The PortMaster includes the Service-Type = Framed-User and Framed-Protocol = PPP attributes in the request as a hint to the RADIUS server that PPP service is expected.

  To authenticate a user with PAP, user profiles can include Auth-Type = Local, Auth-Type = System, or Auth-Type = SecurID.

       CHAP

  For CHAP, the PortMaster generates a random challenge and sends it to the user. The user returns a CHAP response, CHAP ID, and CHAP username. The PortMaster then sends an access-request packet to the RADIUS server with the CHAP username as the User-Name and with the CHAP ID and CHAP response as the CHAP-Password. The random challenge can either be included in the CHAP-Challenge attribute or, if it is 16 octets long, it can be placed in the Request Authenticator field of the access-request packet. The PortMaster includes the attributes Service-Type = Framed-User and Framed-Protocol = PPP as a hint to the RADIUS server that PPP service is expected.

  The RADIUS server does the following:

  1. Looks up a password based on the User-Name.

  2. Uses MD5 to encrypt the password, the CHAP ID octet, and the CHAP challenge.

  3. Compares the result to the CHAP-Password.

  4. If the items in Steps 2 and 3 match, the server sends an access-accept packet to the PortMaster. If there is no match, the server sends back an access-reject packet.

  CHAP requires that the user's password be available on the RADIUS host in unencrypted (clear text) format so that the server can encrypt the CHAP challenge and compare the result to the CHAP response. If the password is not available in clear text, the server sends an access-reject to the client.

  To force all PPP communication to use CHAP authentication, do the following:

  1. Set the Auth-Type = Local. 

  This is the default value.

  2. Set passwords in clear text; they must not be encrypted.

  3. Turn off PAP and turn on CHAP by using the following commands on the PortMaster:

  Command> set pap off 

  Command> set chap on 

       Configuring Database Caching of User Profiles

  RADIUS offers database support for caching user profiles to increase the speed and efficiency of user lookups. Lucent InterNetworking Systems recommends caching user profiles when the users  file contains more than 500 users.

  The builddbm  utility included with RADIUS for UNIX converts the users  text file to the UNIX DBM format, which increases the speed of user lookups.

  To run builddbm , use the following commands:

  cd /etc/raddb 

  ./builddbm 

  RADIUS uses the new database when it receives its next authentication request.

  To run the radiusd  daemon after the users file is converted to DBM, run radiusd  with the -b  option:

  /etc/radiusd -b 

  The builddbm  utility generates users.dir  and users.pag  files that are used by the radiusd  daemon. On some versions of UNIX a single users.db  file is created instead. If duplicate users  file profiles are present, builddbm  prints the number of profiles and identifies the line number of the duplicate profiles.

  Note ¯ After the users  file has been converted to the .dbm  format, you must run builddbm  again if you make any changes to the user profiles.

       Example PPP User Profile

  User profiles can be configured in a number of ways to fit network security requirements. The following example illustrates a typical RADIUS profile for a PPP user:

  masha Password = "ge55gep"

  Service-Type = Framed-User,

  Framed-Routing = None,

  Framed-Protocol = PPP,

  Framed-IP-Address = 255.255.255.254,

  Framed-Compression = Van-Jacobson-TCP-IP,

  Framed-MTU = 1500,

  Filter-Id = "firewall"

  In this example, user masha has password ge55gep . She is a Framed-User, which indicates that she uses SLIP or PPP for her connections. In the following line, Framed-Protocol is specified as PPP.

  An IP address of 255.255.255.254 is specified, indicating that an IP address is assigned to masha from the PortMaster assigned address pool.

  Note ¯ To create an assigned address pool, see the PortMaster Configuration Guide.

  Framed-Routing is set to None , which disables RIP for masha's interface. RIP packets are not sent or listened for. Van Jacobson TCP/IP compression is used for the connection, and the MTU is set to 1500 bytes.

  The Filter-Id identifies the packet filter(s) used for the connection if any are defined on the PortMaster or in ChoiceNet; firewall.in  is used as an input filter and firewall.out  is used as an output filter.