RADIUS-VMS product documentation


This manual contains the product documentation for RADIUS-VMS, an RFC2865/RFC2866 (RFC2138/2139) compliant RADIUS server for VMS systems.


Copyright © 1998-2009 Ruslan R. Laishev & StarLet Group.

Trademarks info

VMS, OpenVMS, VAX, Alpha, Integrity, DEC, DEC Server, DEC DATATRIEVE, Digital are trademarks of Digital Equipment Corporation.

Process Software TCPWare-TCP and Multinet (TM) are trademarks of Process Software LLC.

MadGoat, Message Exchange, and MX are trademarks of MadGoat Software.

Chapter 1
Introduction to RADIUS.

1.1 What is RADIUS?

RADIUS is the Remote Access Dial-In User Service, an Authentication, Authorization, and Accounting (AAA) client-server protocol. RADIUS is the de facto industry standard for remote access AAA, as well as an IETF standard. In general, it is a network daemon (network process) which performs authentication, authorization and accounting actions when someone logs in to a Network Access Server from a dial-up (CDMA, GPRS, etc.) client or logs out from it. Typically, a RADIUS server is used by Internet Service Providers (ISPs) to perform AAA tasks (billing, prepaid access, VoIP, and so on), but it is also useful whenever you need to provide any kind of controlled access to Internet connectivity. The technical specification of the basic features supported by all RADIUS servers can be found in RFC 2138 (ftp://ftp.isi.edu/in-notes/rfc2138.txt). Accounting is specified in RFC 2139 (ftp://ftp.isi.edu/in-notes/rfc2139.txt). The main phases of work, which illustrate the functionality of a RADIUS server, follow:

  1. Authentication phase - the Network Access Server (NAS, PDSN, Access Server) gets a username/password pair from user input, encrypts this information with a "secret key" shared between the NAS and the RADIUS server, and transfers the request to the RADIUS server. The RADIUS server receives this information, extracts the username and password and validates them against a local username and password database.
  2. Authorization phase - if the user is valid, the RADIUS server retrieves some information from a special database and sends it to the NAS. For example: the IP address assigned to this dial-up client, the network mask, the allowed session time, the default router, access control list IDs, etc.
  3. Accounting phase - when the NAS gets the acknowledgement from RADIUS in the previous phase, it sends a "Start session" packet to the RADIUS server, and a "Stop session" packet when the client disconnects from the NAS. The "Stop session" packet contains accounting information such as session time, amount of input/output traffic, etc.
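The following Python is an added example, not part of this manual or of the RADIUS-VMS sources. It shows the two RFC 2865 mechanisms the phases above rely on: the User-Password hiding that the NAS applies with the shared secret and the server reverses, and the Response Authenticator that the NAS checks on the server's reply. The secret, Request Authenticator and password are constructed demo values.

```python
"""RFC 2865 User-Password hiding and Response Authenticator (added example;
the secret, Request Authenticator and password are constructed values)."""
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret"   # shared between NAS and RADIUS server
REQ_AUTH = bytes(range(16))             # 16-byte Request Authenticator (demo)


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """NAS side: pad to a multiple of 16 bytes (at least 16) and XOR each block
    with MD5(secret + previous block), seeded by the Request Authenticator."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", req_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block                    # the chain continues on the hidden block
    return hidden


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Server side: invert the chain block by block and strip null padding."""
    clear, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(p ^ q for p, q in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_response(secret: bytes, code: int, ident: int, attrs: bytes,
                   req_auth: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret); the reply carries it in bytes 4..19."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(secret: bytes, packet: bytes, req_auth: bytes) -> bool:
    """NAS side: recompute the authenticator with the Request Authenticator it
    sent; a reply with a wrong length or authenticator is discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = build_response(secret, packet[0], packet[1], packet[20:], req_auth)
    return hmac.compare_digest(expected[4:20], packet[4:20])
```

Because the hiding is an MD5 keystream seeded by the shared secret, the secrecy of the password on the wire is only as good as the secret itself, which is why the manual later warns about debug dumps exposing passwords.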

1.2 What is RADIUS-VMS?

The RADIUS-VMS project was started in 1998 as a port of the Livingston RADIUS 2.x server to OpenVMS, introducing a lot of VMS-specific features. The project was sponsored by DLS Internet Service Inc. and performed by Ruslan R. Laishev (http://www.starlet.spb.ru). RADIUS-VMS is a RADIUS server multithreaded with DEC Threads; it was fully rewritten from the original sources and has stayed under active development for the implementation of new features. The main features follow:

1.3 Prerequisites.

RADIUS-VMS requires VMS version V7.1 or later to run.

A TCP/IP package; it is tested with TCPWare-TCP 5.5-3 (Alpha/VMS), Multinet 4.3 (Alpha/VMS), and DEC TCP/IP Services (UCX) 4.2 and 5.x.

Optionally, MadGoat's MX 5.1 or later.


Chapter 2
RADIUS-VMS installation.

RADIUS-VMS uses VMSINSTAL for installation. If you do not know how to use VMSINSTAL, you should first read the chapter on installing software in the VMS System Manager's Manual. For the installation, you should be logged into the SYSTEM account, or another suitably privileged account.

2.1 Invoking VMSINSTAL.

Invoke VMSINSTAL to install RADIUS-VMS.


 $ @sys$update:vmsinstal RADIUSVMSvvn DDCU:

Substitute the appropriate values for vvn and ddcu.


 
 
 OpenVMS VAX Software Product Installation Procedure V7.1 
 
 
It is 29-JAN-2000 at 02:58. 
 
Enter a question mark (?) at any time for help. 
 
%VMSINSTAL-W-NOTSYSTEM, You are not logged in to the SYSTEM account. 
%VMSINSTAL-W-ACTIVE, The following processes are still active: 
 UCX$NTPD 
 MONITOR_SERVER 
* Do you want to continue anyway [NO]? y 
* Are you satisfied with the backup of your system disk [YES]? 
 
 
The following products will be processed: 
 
  RADIUSVMS V2.0 
 
 
 Beginning installation of RADIUSVMS V2.0 at 02:58 
 
%VMSINSTAL-I-RESTORE, Restoring product save set A ... 
 
                RADIUS-VMS Installation Procedure 
 
       Copyright © 1998-2003, Ruslan R. Laishev.  All Rights Reserved. 
 
* Where should the RADIUS-VMS top directory be located? [$1$DUA1130:[RADIUS]]: 
 
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists 
* Do you want to purge files replaced by this installation [YES]? 
 
%VMSINSTAL-I-RESTORE, Restoring product save set D ... 
%VMSINSTAL-I-RESTORE, Restoring product save set E ... 
%VMSINSTAL-I-RESTORE, Restoring product save set F ... 
%RADIUSVMS-I-LINKING, Linking image RADIUS_SERVER.EXE ... 
%RADIUSVMS-I-LINKING, Linking image RT.EXE ... 
%RADIUSVMS-I-LINKING, Linking image LGI$CALLOUT_RADIUS.EXE ... 
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.VAX_EXE] already exists 
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.UTILS] already exists 
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists 
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.DOCS] already exists 
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.TEMPLATES] already exists 
 
 ************************************************************* 
 The RADIUS-VMS software is installed at your system!!! 
 
   NOTE 1 
 RADIUS-VMS must be installed twice on a mixed-VMScluster: once 
 on a IA64 system and once on an Alpha system. This is necessary 
 because the RADIUS-VMS executables are linked during the 
 installation. Installing RADIUS-VMS on a IA64 produces the IA64 
 executable images and installing it on an Alpha produces the 
 Alpha images. 
 
   NOTE 2 
 For the first time installation refer to RADIUS-VMS documentation 
 for postinstallation tasks. 
 
 
   NOTE 3 
 For start RADIUS-VMS at system boot time you can add into 
 SYS$STARTUP:SYSTARTUP_VMS.COM the follows line: 
 
 $ @SYS$STARTUP:RADIUSVMS_STARTUP.COM 
 ************************************************************* 
 
%VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories... 
 
 Installation of RADIUSVMS V2.0 completed at 03:01 
 
 
 VMSINSTAL procedure done at 03:01 
 
 
 

Before the first start of the RADIUS-VMS server, you need to prepare the configuration files. If you do not have your own variant of the RADIUS_DICTIONARY file, you can just copy RAD_DICTIONARY.TEMPLATE to the RADIUS.DICTIONARY file. You can also use RAD_USERS.TEMPLATE to create your own RADIUS.USERS file, and RAD_CONFIG.TEMPLATE to create a RADIUS.CONFIG file.

All site-specific logicals must be kept in RADIUS_LOGICALS.COM; a template for this file is provided as well.

Read Chapter 3 carefully for the configuration rules.

You can add the following line to your LOGIN.COM (or SYS$MANAGER:SYLOGIN.COM); it defines some useful RADIUS-related commands.


 $ @radius_dir:radius_commands.com


Chapter 3
Configuration & Management.

This product documentation is not a study of how RADIUS works in general, or of how to get started with RADIUS; it describes only the specific features of this server. It also describes the steps you will probably need to take to fulfil a particular task. For beginners and admins, Livingston's site hosts the good "old" RADIUS Administrator's Guide, which will help you with the first steps of configuration and user management; you can download this manual from http://www.livingston.com/tech/docs/pdf/radius.pdf.

3.1 Server logicals.

There are a number of logicals which are used to configure the RADIUS-VMS server; a good place for them is RADIUS_LOGICALS.COM.
RADIUS_DIR - Points to the RADIUS home directory.
RADIUS_ACCOUNTING - Points to an accounting file in VMS ACCOUNTING format; if this logical is defined as NL:, writing of accounting records is stopped altogether.
RADIUS_DICTIONARY - Points to the RADIUS dictionary file.
RADIUS_CONFIG - Points to the RADIUS clients, realms and homes configuration file.
RADIUS_USERS - Points to the RADIUS users file.
RADIUS_ACCBIN - Starting with 2.5x, RADIUS-VMS stores the original accounting information in a binary file which is supposed to be processed by the RADACC utility to generate reports.

The following logicals must be defined with the /SYSTEM and /EXECUTIVE_MODE qualifiers.
RADIUS_DEBUG - Enables debug output.
RADIUS_DNS_LOOKUP - Enables reverse DNS lookup.
RADIUS_NUMTHREADS - The number of accounting and authentication execution threads; 3 accounting threads and 3 authentication threads are the default values. The maximum number of threads for each "home" is 128.
RADIUS_OPCOMLVL - Defines the minimal severity level (a VMS severity level) of messages sent to OPCOM. A value greater than 4 stops sending any messages to OPCOM.
RADIUS_SESSIONTMO - The existence of this logical controls the sending of a value for the Session-Timeout attribute, which is added to ACK packets during the authentication/authorization phase.
RADIUS_PWD_EXPIRED - If this logical is defined, RADIUS-VMS checks the SYSUAF /FLAG=PWD_EXPIRED flag and rejects logins if it is set.
RADIUS_ALLOW_RECTRICTED - If this logical is defined, RADIUS-VMS skips the check of the SYSUAF /FLAG=RESTRICTED flag.
RADIUS_THSTACKSZ - Defines the thread stack size; the default and minimum size is 48000 bytes.
RADIUS_SYSLOG - Defines the SYSLOG server host IP address or name and UDP port number. The format is "host:port".

Note

Be advised that the packet dump activated by the RADIUS_DEBUG logical shows passwords in plain text, so enable it only while troubleshooting and protect the resulting output accordingly.

3.2 Users management.

RADIUS-VMS uses a dictionary file compatible with Livingston RADIUS, as well as the same users file format. You can keep only one DEFAULT entry in the RADIUS_USERS file; other authorization tasks can be performed in the SYSUAF or RADIUS databases only. The main attribute of the authentication and authorization procedures is the username. A username is a string of the form:

[<domain>\]<username>[['%'<suffix>]['@'<realm>]] 

See the examples:
ZyzOp%PPP@DeltaTel.RU - A SYSUAF user ZyzOp is expected, and it is assumed that an entry with the check item Suffix = "PPP" exists in the RADIUS_USERS file. For additional authorization, the entry for the "DeltaTel.RU" realm in the RADIUS_CONFIG file will be checked.
C00lZyZop@RadiusVMS.COM - A SYSUAF user C00lZyZop is expected. For additional authorization, the entry for the "RadiusVMS.COM" realm in the RADIUS_CONFIG file will be checked.
SysMan%TELNET - SYSUAF user SysMan; it is expected that this user wants to open a TELNET session automatically after login at the NAS. It is assumed that an entry with the check item Suffix = "%TELNET" exists in the RADIUS_USERS file.
M$SOFT\ZyzOp - User ZyzOp from domain M$SOFT; it is expected that this user will be authenticated against remote PDC/BDC hosts.

Note

You can use wildcard masks in usernames in the RADIUS_USERS file.

During the authentication phase of the login procedure, the server checks the following SYSUAF parameters:

If the login fails in SYSUAF, intrusion information is stored for use the next time. At the successful end of the login phase, the "last login: non-interactive" field for this user is updated in SYSUAF. All login failures are stored in the VMS AUDIT database; you can use the ANALYZE/AUDIT utility to search for and retrieve this information.

Note

There are some natural limitations on parameter lengths:
username - 12 bytes
password - 96 bytes
suffix - 15 bytes
realm - 63 bytes

Usernames containing spaces, tabs or other control characters are not allowed.
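The username syntax above, together with the length limits and the ban on whitespace and control characters, as an added Python example (not code from RADIUS-VMS; the function and field names are this example's own, and the suffix is stored without its '%' delimiter):

```python
"""Parser and validator for the RADIUS-VMS username syntax
    [<domain>\\]<username>[['%'<suffix>]['@'<realm>]]
with the length limits the manual lists.  Added example: the function and
field names are this example's own, not RADIUS-VMS identifiers."""
from dataclasses import dataclass
from typing import Optional

# natural length limits from the manual (bytes); password is checked elsewhere
MAX_USERNAME, MAX_SUFFIX, MAX_REALM = 12, 15, 63


@dataclass
class LoginName:
    domain: Optional[str]
    username: str
    suffix: Optional[str]
    realm: Optional[str]


def parse_login_name(raw: str) -> LoginName:
    """Split a login string into its parts; raise ValueError on anything the
    manual forbids (whitespace, control characters, overlong parts)."""
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in raw):
        raise ValueError("space, tab or control character in username")
    domain = None
    if "\\" in raw:                             # [<domain>\]
        domain, raw = raw.split("\\", 1)
    realm = None
    if "@" in raw:                              # ['@'<realm>] comes last
        raw, realm = raw.rsplit("@", 1)
    suffix = None
    if "%" in raw:                              # ['%'<suffix>] before the realm
        raw, suffix = raw.split("%", 1)
    username = raw
    if not username or "" in (domain, suffix, realm):
        raise ValueError("empty username, domain, suffix or realm")
    for name, value, limit in (("username", username, MAX_USERNAME),
                               ("suffix", suffix, MAX_SUFFIX),
                               ("realm", realm, MAX_REALM)):
        if value is not None and len(value.encode()) > limit:
            raise ValueError(f"{name} longer than {limit} bytes")
    return LoginName(domain, username, suffix, realm)


def is_valid_login_name(raw: str) -> bool:
    """Convenience wrapper: True if parse_login_name accepts the string."""
    try:
        parse_login_name(raw)
        return True
    except ValueError:
        return False
```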

3.2.1 SYSUAF based authentication & authorization.

This feature can be turned on by default for all accounts or for a particular account only. To activate it, use an Auth-Type check item with the value "System". See examples of such entries in the RADIUS_USERS file:


 ... 
 #It's assumed that all users will be authenticated against SYSUAF 
 DEFAULT Auth-Type = System 
 ... 

or


 ... 
  #SYSUAF user SysMan will be authenticated against SYSUAF 
 SysMan Auth-Type = System 
 
 #password for ZyzOp stored in the RADIUS_USERS file 
 ZyZop Password = "Zadnica" 
 
 # All other logins will be rejected w/o any checking 
 
 DEFAULT Auth-Type = Reject 
 ... 

You can control the ability of a particular user to perform a dial-in login by using the /DIALUP option of AUTHORIZE; you can also specify a time range for additional control of the allowed login time. RADIUS-VMS uses the time range defined by the /NETWORK or /DIALUP options to compute the allowed session time if the RADIUS_SESSIONTMO logical is defined. For network users you can use the /NETWORK SYSUAF option. The difference between Dial-In logins and NETWORK logins is defined by the presence of the NAS-Port-Id and NAS-Port-Type attributes in the authentication request, which are sent (or not sent) by the NAS or by a *nix box (when a RADIUS PAM module is used for authentication and authorization of local users by RADIUS). Check your System Manager's utilities guide for additional information about the AUTHORIZE utility and the SYSUAF database. The SYSUAF /EXPIRATION option can be used to control the expiration time for a particular user. The /FLAG=RESTRICTED SYSUAF option is equivalent to /FLAG=DISUSER for Dial-In users only (see also the description of the RADIUS_ALLOW_RECTRICTED logical).

3.2.2 Accept or Reject all logins without real authentication.

You can use Auth-Type = Accept or Auth-Type = Reject to accept all logins without really checking the username/password pair, or to reject all logins, respectively. See the example entries below:


 ... 
  #Accept all logins w/o authentication by RADIUS from this NAS 
 DEFAULT1 Auth-Type = Accept, NAS-IP-Address = 172.16.0.35 
  Service-Type = Login-User, Login-Service = Telnet, 
  Login-TCP-Port = 23, Login-IP-Host = StarLet.ZZTop.net 
 
 ... 
 # 
  #Accept all logins w/o authentication by RADIUS from this RADIUS/NAS server 
 # 
 DEFAULT2 Auth-Type = Accept, Client-IP = 172.16.0.35 
  Service-Type = Login-User, Login-Service = Telnet, 
  Login-TCP-Port = 23, Login-IP-Host = StarLet.ZZTop.net 
 
 ... 
 # 
  # A special default entry for a SIP Express Router/SER 
 # 
 mobile Client-IP = 172.16.0.133, Auth-Type = Digest, Password = "kalamala" 
  Sip-Rpid = "222" 
 
 
 #Reject all other logins by default 
 DEFAULT  Auth-Type = Reject 
 ... 

3.2.3 Realms based policy.

This feature gives the ability to implement an authentication and authorization policy based on the realm that arrives in the request together with the username. You can perform additional authorization of a realm by right id(s) in the RADIUS_CONFIG file.

An example of an entry in the RADIUS_USERS file follows:


 ... 
 !++ 
 ! 
 ! It is assumed that all users with "@zz.top" will be authenticated against SYSUAF, 
 ! by default all users can have 33 sessions at one time 
 !-- 
 
 DEFAULT1 Auth-Type = System, Auth-Realm = "zz.top" 
         Service-Type = Framed-User, 
         Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.253, 
         Framed-Netmask = 255.255.255.255, Framed-MTU = 1500 
 
 ! All other users 
 DEFAULT Auth-Type = System 
 

3.2.4 VMS Right Id based policy.

This feature gives the ability to implement an authentication and authorization policy based on a VMS right id. The VMS right id is used as a check item in the RADIUS_USERS file.

An example of an entry in the RADIUS_USERS file follows:


 ... 
 #The following entry is for users who have the NET$MANAGE right id granted 
 #in their rights list 
 
 DEFAULT1 Auth-Type = System, Right-Id = "NET$MANAGE" 
         Service-Type = Framed-User, 
         Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.253, 
         Framed-Netmask = 255.255.255.255, Framed-MTU = 1500 
 
 DEFAULT2 Auth-Type = System, Right-Id = "NET$MANAGE", Right-Id = "NET$SECURITY" 
         Service-Type = Framed-User, 
  Class = "xstop: R PORN I", 
         Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.253, 
         Framed-Netmask = 255.255.255.255, Framed-MTU = 1500 
 
 
 #All other users 
 DEFAULT Auth-Type = System 
 

3.2.5 Authentication on LANMAN or Windows NT domains.

RADIUS-VMS can use the users database on LANMAN or Windows NT hosts to perform authentication of dialup users. This is implemented using the NETBIOS over TCP/IP protocol described in RFCs 1001/1002 and widely used by the SAMBA package (www.samba.org). As an authentication host you can use:

Configuration rules: in the RADIUS_CONFIG file you need to add a domain definition entry, which is used to find the authentication host for a particular domain.

 !++ 
 ! 
 ! define domain <domain_name> - 
 !   /dc_host=<ip_name_or_address> - 
 !   /bdc_host=<ip_name_or_address> 
 ! 
 !-- 


 ! 
 ! The following entry is for users from the M$SOFT Windows NT domain 
 ! 
 ! 
  define domain M$SOFT - 
   /DC_HOST=pdc.zztop.net 
   /BDC_HOST=bdc.zztop.net 
 ! 
 ! The following entry is for users from the BSOD domain 
 ! 
  define domain BSOD - 
   /DC_HOST=172.16.0.3 
 

In the RADIUS_USERS file you need to define special entries for these domains; see the example entries below (note that wildcard characters can be used):


 
 M$SOFT\*_%%% Auth-Type = Domain 
 ... 
 
 M$SOFT\* Auth-Type = Domain, Auth-Realm = "zztop.net" 
 ... 
 
 BSOD\cc_%%% Auth-Type = Domain, Suffix = "%telnet" 
 
 ... 
 BSOD\*  Auth-Type = Domain 
 

Note

RADIUS-VMS does not support CHAP or MS-CHAP authentication of domain users, and it cannot check a user's group membership in the domain.

