A Basic ISP Set Up Example

This example shows how to set up a Lucent PortMaster (TM) for the most common Internet Service Provider situation: some users log in to a host where shell accounts are provided, and/or other users use Point To Point Protocol (PPP), Serial Line Internet Protocol (SLIP) or Compressed Serial Line Internet Protocol (CSLIP). For this example you are using a Personal Computer (PC) running Linux or Berkeley Standard Distributed Operating System (BSD/OS) instead of a Sun or some other platform that supports our graphical administration tools, and therefore need to do everything manually.

This example assumes you have a single class C address and a handful of hosts, suitable for growing to 7 PM2e-30s (210 ports) and typically a few thousand subscribers. Individual business plans and intended growth may require adjustments to the setup example provided.

This information is to be used as an example.  Lucent accepts no liability for any effect using or not using this information has on your network. 

The addresses listed are for example only.  Replace these with your actual addresses. In our example we will use rk.com.  Replace that with your actual Domain from the Network Interface Card (NIC). 

IP 192.168.1.0 
The network you have been assigned by YOUR service provider 
IP 192.168.1.1 
Your router connecting you to your service provider. For this example called: gw.rk.com
IP 192.168.1.2 
The host you will be running your Lucent RADIUS (TM) server and RADIUS accounting server on. This should be as secure as you can make it. rk2.rk.com 
IP 192.168.1.3 
The host you will be running your backup RADIUS server and RADIUS accounting server on, if you choose to have one: rk3.rk.com
IP 192.168.1.4 
The host your shell users will be logging into. If you are a small network this can be the same as host #2 or #3. Be aware of  the security implications of doing so. rk4.rk.com 
IP 192.168.1.5-15 
Reserved for more hosts 
IP 192.168.1.16 
PortMaster #1 (called pm1.rk.com)
IP 192.168.1.17 
pm2.rk.com 
IP 192.168.1.18-22 
pm3.rk.com through pm7.rk.com 
IP 192.168.1.30-59 
Reserved for the pool of assigned addresses on PM1 
IP 192.168.1.60-89 
Reserved for the pool of assigned addresses on PM2 
IP 192.168.1.90-119 
Reserved for the pool of assigned addresses on PM3 
etc. up to 192.168.1.210-239 
Reserved for the pool of assigned addresses on PM7 

In the examples below, assume that your Domain Name Server is also running on IP 192.168.1.2. Change the argument to Command> set nameserver if you are running it elsewhere.

PHYSICAL SETUP

See the Hardware Installation Guide for details. Plug in power and your ethernet. If you are using the thin wire (10base2) Bayonet-Neill-Concelman (BNC) connector, dip switches 4 and 5 should be down. If you are using the Twisted Pair (10baseT) RJ-45 jack, dip switches 4 and 5 should be up. Note:  If you are using Twisted Pair you must also have a twisted pair hub. 

Attach a terminal to port S0 with a null modem cable.  The settings should be  9600 bps, 8 data bits, no parity, 1 stop bit, software flow control or none, put dip switch 1 up (the leftmost dip switch on the back). Turn power on. It will display the boot up sequence followed by the PortMaster console login. 

Login as "!root" and press return for the password. Use the following commands:
Command> set address 
To set the ethernet address.
Command> set netmask 
To set the netmask, if it is not 24 bits; for a 24-bit netmask use 255.255.255.0.
Command> set gateway 
If you need a default gateway.
Command> save all
To save changes.

The first example will be : pm1.rk.com.  Set the address as shown in the example: 
Command> set address 192.168.1.16 

You should now be able to flip dip switch 1 down and telnet to the PortMaster to do further configurations or continue using  the console. 

Q. What kind of cables do I use? 

The PortMaster is a Data Terminal Equipment (DTE), though it has Data Circuit Terminating Equipment (DCE) connectors (like a Sun). To connect to a modem (DCE) use a male-to-male straight through cable. To connect to a terminal (DTE) use a null modem cable, typically male-to-female. When connecting a console to port S0 with the diagnostic switch up (leftmost dip switch 1) it should be at 9600 baud, 8N1, Xon/Xoff.

The Hardware Guide has the list of pins we use; a straight through cable uses pins 2,3,4,5,6,7,8,20. 

A null modem cable crosses pins 2 & 3, 4 & 5, 6 & 20 and has pins 7 and 8 straight through. 

If you are not using hardware flow control Request To Send/ Clear To Send (RTS/CTS) you only need pins 2, 3, 7 (and 8, if you need carrier detect). 

A console cable therefore only needs pin 7 (ground) and pins 2 and 3 (crossed). 

PHYSICAL SETUP - MODEMS

Plug in your 30 USRobotics Courier modems with straight through modem cables. Any reputable brand of modem may also be used. V.34 (28.8k) is recommended. V.32bis (14.4k) is acceptable. It is not recommended to use V.FC unless all users dialing in are using the identical modem you are using.   Verify that the cables are all securely fastened and the modems have adequate clearance for cooling. 

CONFIGURATION

CONFIGURING GLOBAL PARAMETERS

Use the Command> version on the PortMaster to check the version of the Lucent ComOS (TM). Ideally you would want to run the latest ComOS version available. You will need  version 3.1 to use RADIUS accounting. 

Commands may be abbreviated (minimum 2 letters).

Command> set address 192.168.1.16
Command> set netmask 255.255.255.0
Command> set gateway 192.168.1.1
Command> set broadcast high      
# If you need to broadcast to 192.168.1.255
Command> set routing off         
# Vary accordingly
Command> set default off
Command> set namesvc dns         
# Next 3 lines not required, however, they are useful
Command> set nameserver 192.168.1.2
Command> set domain rk.com

Command> set sysname pm1
Command> set host 192.168.1.4
Command> set host 2 192.168.1.5  
# If you want an alternate host, up to 4
Command> set loghost 192.168.1.2 
# Sets the syslog host
Command> set secret xxxx 
# Use up to 16 alpha numeric characters to set the secret 
Command> set authentication 192.168.1.2  
# Your RADIUS server
Command> set alternate 192.168.1.3  
# Backup RADIUS server
Command> set accounting 192.168.1.2
Command> set accounting 2 192.168.1.3

Command> set assigned_address 192.168.1.30  
#  Sets the base IP address of the assigned address pool.
Command> save all

CONFIGURING MODEMS

This example assumes V.34 modems running at 28.8k with the DTE rate locked at 115200bps. If you are using V.32bis modems running at 14.4k you may want to use 57600bps for the DTE rate. Consult the manual provided by your modem manufacturer. 

Note:  This section assumes you are telnetting into the PortMaster and now have a modem connected to Port S0 as well as other ports. If you are still configuring from the console, be aware that the  Command>  reset all resets ports including S0. 

To configure the ports for most common usage use the following commands: 

Command> set all speed 115200
Command> set all speed 2 115200
Command> set all speed 3 115200
Command> set all xon/xoff off
Command> set all override xon/xoff off
Command> set all rts/cts on
Command> set all security on
Command> set all ext on
Command> set all mtu on


You can set device mode to allow telnetting to a port in order to configure the modem with the following commands: 

Command> set all modem off
Command> set s0 device /dev/network
Command> set s0 service_device telnet 6000
Command> set s1 device /dev/network
Command> set s1 service_device telnet 6001
Command> set s2 device /dev/network
Command> set s2 service_device telnet 6002
        (and so forth)
Command> set s29 device /dev/network
Command> set s29 service_device telnet 6029
Command> reset all

From another host on the network you can "telnet pm1 6000" (if your PortMaster is called pm1) and be connected to the modem attached to port S0, and so on up to telnet pm1 6029. 

You can configure a USRobotics Sportster or Courier (14.4k or 28.8k) modem out of the box using the following modem string: 
Command> AT&F1S0=1&W 

Different types of modems require different modem strings. For example: AT&C1&D3&K3&Q5&W. The modem needs to raise the carrier when a call comes in, reset itself when DTR is dropped, lock the DTE speed, and use hardware flow control (RTS/CTS). Consult the manual provided by your modem manufacturer.

Note: If you have already configured the modem on a Personal Computer (PC) or another device, connect to it via the PortMaster. Use the Command> AT&F&W to set the modem back to factory defaults (so the DTE rate floats), disconnect, then reconnect and give the above string (to lock the DTE rate).

After you have done this for all 30 modems [if applicable], set all the ports to allow login or network users with the following commands: 

Command> set all login network dialin
Command> set all modem on
Command> set p0 modem off
Command> save all 
Command> reset all

Q. How do Assigned Addresses work? 

The PortMaster allocates a pool of addresses starting at the Assigned Address (set from the global menu or using the Command> set assigned) and counting up. The total number of addresses is equal to the number of ports where Network Dialin is configured. If someone dials in and requests an unused address from the pool, that address is assigned; if someone dials in and requests any address, the next address from the pool is assigned; when someone disconnects, their address is placed at the END of the pool for re-use. Assigned addresses can be used for both SLIP and PPP.

PPP also supports negotiated addresses and specified addresses (where the same user gets the same address every time he logs in). It is recommended to use assigned addresses where possible. It is not recommended to use negotiated addresses.

If the address of the dialin user is on the same subnet as the ethernet interface of the PortMaster, the PortMaster will do Proxy ARP on behalf of that user. For other hosts on the ethernet it will appear as though that host is on the Network. Once you go beyond seven 30-port PortMasters you will need to begin using other class C networks not covered in the introductory examples given in this section. 
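The pool behaviour described in this section, as an added Python model (not ComOS code). The FIFO re-use order follows the text; the treatment of a requested address that is outside the pool (handed back as a specified address) or already in use (refused) is an assumption, as is the proxy ARP subnet check being done with the Ethernet netmask.

```python
import ipaddress
from collections import deque


class AssignedAddressPool:
    """Model of the PortMaster assigned-address pool (constructed, not ComOS).

    One address per network-dialin port, counting up from the
    'set assigned_address' base; a released address goes to the END of
    the pool so it is re-used last.
    """

    def __init__(self, base, dialin_ports):
        start = ipaddress.IPv4Address(base)
        self.pool = [start + i for i in range(dialin_ports)]
        self.free = deque(self.pool)          # order in which addresses are handed out
        self.in_use = {}                      # address -> port name

    def connect(self, port, requested=None):
        """Return the address a dial-in user on `port` gets, or None.

        requested=None models a user asking for 'any address'.
        Assumption: a requested address outside the pool is a specified
        address and is used as-is; a pool address already in use is refused.
        """
        if requested is None:
            if not self.free:
                return None                   # every dial-in port is busy
            addr = self.free.popleft()
        else:
            addr = ipaddress.IPv4Address(requested)
            if addr in self.free:
                self.free.remove(addr)
            elif addr in self.pool:
                return None                   # pool address already in use
        self.in_use[addr] = port
        return str(addr)

    def disconnect(self, port):
        """Free the address held by `port`; pool addresses go to the END."""
        for addr, holder in list(self.in_use.items()):
            if holder == port:
                del self.in_use[addr]
                if addr in self.pool:
                    self.free.append(addr)
                return str(addr)
        return None


def proxy_arp_needed(user_addr, ether_addr, netmask="255.255.255.0"):
    """True when the PortMaster must proxy-ARP for a dial-in user, i.e.
    the user's address lies on the Ethernet interface's own subnet."""
    lan = ipaddress.ip_network(f"{ether_addr}/{netmask}", strict=False)
    return ipaddress.IPv4Address(user_addr) in lan
```

With 30 dial-in ports and a base of 192.168.1.30 the pool ends at 192.168.1.59, matching the PM1 range in the address plan above.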

RADIUS Installation

The examples below assume you are putting the directory in /etc/raddb; however, you can place it anywhere if you change radius.h and recompile, or use the -d flag to tell it what directory to find its configuration files in. We also assume the files were taken off the media as shipped. If you have obtained RADIUS from the FTP site, the starting location may be different.

If you have pminstall and are not running Network Information Services (NIS) (Yellow Pages), run pminstall and choose "Install RADIUS", then as root run "chmod 700 /etc/raddb", then skip down to SETTING UP CLIENTS. 

If you do not have pminstall, do the following:

Add the following 2 lines to /etc/services on your RADIUS server.  If you are running NIS (Yellow Pages) add these lines to your services NIS map on your NIS master and push the maps: 

radius          1645/udp        radiusd
radacct         1646/udp

Execute the following commands as root: 

Command> umask 22
Command> mkdir /etc/raddb /usr/adm/radacct
Command> chmod 700 /etc/raddb /usr/adm/radacct

Copy the contents of /usr/portmaster/radius/raddb into /etc/raddb. Compile radiusd from /usr/portmaster/radius/src and place it in /etc/radiusd, or elsewhere if you prefer. 

SETTING UP CLIENTS

The PortMaster hostname and the shared secret are placed in /etc/raddb/clients, separated by a tab. Your user entries are placed in /etc/raddb/users. There should be no need to change the dictionary file. 

Start radiusd.  You may want to add this to /etc/rc.local or some other file that gets run at system boot time. 

/etc/radiusd 

'radiusd -x' will produce debugging output which may be helpful if there are problems getting the system to work. 

If radiusd has problems it prints to /etc/raddb/logfile, or to /dev/console if it is able to.

Note: Framed-Compression defaults to on if you do not specify it; SLIP users who do not want VJ header compression MUST include Framed-Compression = None.

Configure your PortMaster so it knows which host  radiusd is running on and  the shared secret. On the PortMaster, set the RADIUS server and the shared secret using the Command> set authentic and the Command> set secret, or from the Edit RADIUS menu on pmconsole. The secret is case sensitive and can be up to 16 characters long. Do not use control characters in the secret. You can configure a backup RADIUS server with the Command>  set alternate but it is not required. Verify that all ports have passthrough disabled with the Command> set all security on, followed by the Command> reset all (Caution! The Command> reset all will drop off anyone who is connected to a port at the moment.) On older versions of ComOS you will need to use the Command>  set s0 security on, and set s1 security on, etc. followed by the Command> save all to save the changes to nonvolatile memory. 

The PortMaster will check its local User Table first,  if it does not find the user there AND passthrough is disabled AND a RADIUS server is set, it will  query the RADIUS server. 

Make sure your DNS has an in-addr.arpa entry for the PortMaster if you are using Rlogin to Linux. 

If you are using Rlogin or PortMaster service and get prompted for the password twice, you can add the PortMaster hostname to your /etc/hosts.equiv file to delete the second password prompt. Do NOT do this if you are using Passthrough and not RADIUS!!! 

If you are already in production with the User Table, I have found that the best way to switch over to using RADIUS is to first add a user to RADIUS that is not in the PortMaster User Table.  Use this for test purposes. When everything has been tested, use pmreadpass (if on a supported platform) to copy everyone from the PortMaster to the /etc/raddb/users file, then delete the users in the PortMaster local User Table. 

Framed-Filter-Id = "std.ppp" means  the input filter is std.ppp.in (if it exists) and the output filter is std.ppp.out (if it exists). 

ACCOUNTING

You will see two radiusd processes running when you run radiusd 1.16; the child is a RADIUS accounting server. 

To use RADIUS accounting you must use ComOS 3.1 (or later) and RADIUS 1.16 (or later). Set up the client as described above,  use Command> set accounting [address] on the PortMaster to set an accounting server, and the Command> set accounting 2 [address2] to set up an optional backup accounting server. Both local User Table entries and RADIUS entries get logged via accounting, however, passthrough entries do NOT get logged. 

Accounting records should show up in /usr/adm/radacct/{portmastername}/detail. 

Troubleshooting Checklist for RADIUS Accounting:

  • Verify that the directory /usr/adm/radacct exists and is writeable by whatever uid you are running radiusd as.
  • Verify that the radiusd you are running is 1.16; use the -v flag to check.
  • Verify that you do not have any other process bound to port 1646. Kill radiusd and use netstat -a. There should not be anything on ports 1645 or 1646. Start radiusd and use netstat -a again; you should now see something listening on both those ports.
  • Verify that you have "set accounting [address]" on the PortMaster, where [address] is the IP address of the host running radiusd. You can check with the Command> show global.
  • Check /etc/raddb/logfile for error messages. In normal use it should be non-existent, empty or have a few log messages about duplicate IDs.
  • Ping the PortMaster from your radiusd host to make sure there is connectivity.
  • If none of the above procedures resolve the problem, run radiusd -x on your UNIX host and see if accounting records are displayed.

Password Expiration

To enable password expiration you must uncomment the Password-Expiration line in /etc/raddb/dictionary and give it a non-zero value. The time is checked on the host radiusd runs on, because the PortMaster does not have a time of day clock.

You may also want to set Password-Warning; the user will receive a warning each time he logs in, beginning the designated number of days before his password expires. See the examples below:

VALUE    Server-Config    Password-Expiration     30
VALUE    Server-Config    Password-Warning        5

Definition of messages in /etc/raddb/logfile 

> Fri Jan 20 19:14:29 1995: Dropping duplicate: from pm1.eg.com - ID: 125 
The RADIUS client on the PortMaster sends requests at 3 second intervals until it gets a reply or has tried 10 times. This logfile message from radiusd (the RADIUS server) means that it got a duplicate of the request it had already answered.  The most common reason for this is that radiusd is taking more than 3 seconds to answer.  The most common reason for THAT is either a loaded host or slow password lookups. If you get a lot of these and your users file is large, you may want to use radiusd.dbm. Enter "make dbm" in the RADIUS source directory to create builddbm and radiusd.dbm, run builddbm on your /etc/raddb/users file to create a users DBM database, then run radiusd.dbm instead of radiusd. 

If  your radiusd host is heavily loaded, consider boosting the priority for radiusd or moving it to a host that is not as heavily loaded.

/etc/raddb/users File

The users file has three fields: 

user    check-items
        reply-items

Check items are separated by commas. Reply items are indented by white space and separated by a comma and a new line. If the User-Name is user, RADIUS verifies that all the check items are present. If all check items are present RADIUS returns an "accept" with the list of reply items; otherwise RADIUS returns a "reject".
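An added Python example (not part of radiusd or this document) that parses a constructed users file in the three-field layout above and applies the accept/reject rule, the Framed-Compression default noted under SETTING UP CLIENTS, and the Framed-Filter-Id file naming. The sample users, the Password check item and the plaintext comparison are assumptions; Van-Jacobson-TCP-IP is the standard dictionary name for VJ compression.

```python
# Constructed sample /etc/raddb/users, not a shipped file. Attribute names
# other than Framed-Compression and Framed-Filter-Id are assumptions.
SAMPLE_USERS = '''\
bob     Password = "secret1"
        Framed-Compression = None,
        Framed-Filter-Id = "std.slip"

alice   Password = "secret2"
        Framed-Filter-Id = "std.ppp"
'''

# Dictionary value for VJ header compression, i.e. "Framed-Compression on".
VJ_COMPRESSION = "Van-Jacobson-TCP-IP"


def parse_items(fragment):
    """'A = x, B = "y"'  ->  {'A': 'x', 'B': 'y'} (comma separated items)."""
    items = {}
    for piece in fragment.split(","):
        if "=" in piece:
            attr, _, value = piece.partition("=")
            items[attr.strip()] = value.strip().strip('"')
    return items


def parse_users(text):
    """Return {user: {'check': {...}, 'reply': {...}}} from users-file text."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                  # indented line: reply items
            users[current]["reply"].update(parse_items(line))
        else:                                 # "user<ws>check-items"
            parts = line.split(None, 1)
            current = parts[0]
            rest = parts[1] if len(parts) > 1 else ""
            users[current] = {"check": parse_items(rest), "reply": {}}
    return users


def authorize(users, name, request):
    """Accept only when every check item is present in the request with the
    same value; the reply is the user's reply items plus the default."""
    entry = users.get(name)
    if entry is None:
        return "reject", {}
    for attr, value in entry["check"].items():
        if request.get(attr) != value:
            return "reject", {}
    reply = dict(entry["reply"])
    reply.setdefault("Framed-Compression", VJ_COMPRESSION)
    return "accept", reply


def filter_files(reply):
    """Framed-Filter-Id = "std.ppp" names std.ppp.in and std.ppp.out."""
    fid = reply.get("Framed-Filter-Id")
    return (fid + ".in", fid + ".out") if fid else (None, None)
```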

IPX

The Internetwork Packet eXchange (IPX) network number in the /etc/raddb/users file must be specified in quad decimal notation like an IP address. Here is a Practical Extraction and Report Language (PERL) program to make it easier to convert them. 

#!/usr/local/bin/perl
# hex- convert ip addresses to hexadecimal and vice versa

for (@ARGV) {
        if (/\./) {             # convert . to hex
                @octets = split(/\./,$_);
                for $octet (@octets) {
                        printf "%02X",$octet;
                }
                print "\n";
        } else {                # convert hex to .
                $buf = '';
                while (s/\w\w//) {
                        $buf .= hex($&).'.';
                }
                $buf =~ s/\.$/\n/;
                print $buf;
        }
}

Porting

Linux

On Linux and other systems that use :*: for shadow passwords rather than :x:, modify line 1429 or so of radiusd.c as follows:

        if(strcmp(pwd->pw_passwd, "x") == 0) {
to 
        if((strcmp(pwd->pw_passwd, "x") == 0) ||
           (strcmp(pwd->pw_passwd, "*") == 0)) {

BSDI

1.16 is for BSDI 1.1. If you are running BSDI 1.0 do not define NOSHADOW, and remove the #include <machine.h> from conf.h. RADIUS should compile as is on BSD/OS 2.0.

HPUX

A user reports that the default compiler on HPUX 9.01 will not compile radiusd v1.16 correctly, and the resulting binary sends packets that the PortMaster does not like. The two get into a loop, and eventually the PortMaster gives up.