File: RADIUS_DOC.SDML
Abstract: VAX DOCUMENT source for _RADIUS_VMS_Product_Documentation_
Author: Ruslan R. Laishev
Copyright © 1998-2005, Ruslan R. Laishev.
Modified by:
20-JAN-2000 RRL Initial rewriting from HTML source.
26-JAN-2000 RRL Some corrections.
2-FEB-2000 RRL Add /NAS client definition description.
6-APR-2000 RRL RADCP, VSA.
7-APR-2000 RRL RADCP clause.
28-APR-2000 RRL /AUHT_HOST corrections.
1-JUL-2000 RRL ISDN right id.
8-JUL-2000 RRL Password change.
5-AUG-2000 RRL RADIUS_OPCOMLVL comments.
20-SEP-2000 RRL RADIUS_PWD_EXPIRED, DOMAIN Authentication
7-OCT-2000 RRL /CONNECTION_INFO, Right-Id
3-NOV-2000 RRL RADIUS_ALLOW_RECTRICTED logical.
10-NOV-2000 RRL /BDC_HOST
13-JAN-2001 RRL /RECEIVE_BUFFER_SIZE
1-MAR-2002 RRL Configuration logicals - /SYSTEM/EXECUTE, Ascend filters support.
3-MAR-2002 RRL Revised due 2.5x
19-AUG-2002 RRL Added words about backup/load balancing support.
1-SEP-2002 RRL 2.6, Added some words about IMSI realms support.
20-MAR-2003 RRL 2.7, Some optimization of RMS I/O, added /APPEND option to RADACC utility.
4-JUN-2003 RRL 2.7A, Added a couple words about of Client-IP
7-OCT-2003 RRL 2.7C, Added Auth-Type = Digest, 1645 -> 1812, 1646 -> 1813 ports.
23-OCT-2003 RRL 2.7D, Added client's options: /ACCEPT_REALM and /REJECT_REALM
6-NOV-2003 RRL 2,7E, RESET command.
19-FEB-2004 RRL 2,7J, Too many changes....
31-MAY-2004 RRL 2.7K, Added INCLUDE directive.
26-AUG-2004 RRL 3.0A, Removed ISDN,56K,DUAL port authorization.
1-OCT-2004 RRL 3.0B, Added Calling-Station-Id to responses.
13-APR-2005 RRL 3.1A, Added 1xEV-DO A12 authentication support.
20-MAY-2004 RRL 3.1B, Added Client Group ID handling
(RADIUSVMS_DOC_1)
(RADIUS-VMS\product documentation)
<ABSTRACT>
<p>This manual contains product documentation for RADIUS-VMS, RFC2865/RFC2866 (RFC2138/2139) compliant RADIUS Server software for VMS systems.
<ENDABSTRACT>
<ENDTITLE_PAGE>
<COPYRIGHT_PAGE>
<COPYRIGHT_DATE>( 1998-2005 Ruslan R. Laishev & StarLet Group.)
<p>Trademarks info
<p>VMS, OpenVMS, VAX, Alpha, DEC, DEC Server, DEC DATATRIEVE, Digital are trademarks of Digital Equipment Corporation.
<p>Process Software TCPWare-TCP, Multinet (TM) are trademarks of Process Software LLC.
<p>MadGoat, Message Exchange, and MX are trademarks of MadGoat Software.
<ENDCOPYRIGHT_PAGE>
<LINE>
<CONTENTS_FILE>
<ENDFRONT_MATTER>
<LINE>
<CHAPTER>(Introduction to the RADIUS.\RADIUSVMS_DOC_6)
<head1>(What is RADIUS?\RADIUSVMS_DOC_6_1)
<p>RADIUS is the Remote Access Dial-In User Service, an Authorization, Authentication, and Accounting client-server protocol. RADIUS is the de facto industry standard for remote access AAA, as well as an IETF standard. In general, a RADIUS server is a network daemon (network process) which performs authentication, authorization and accounting actions when someone logs in to a Network Access Server with a dial-up client or logs out from it. Typically, a RADIUS server is used by Internet Service Providers (ISPs) to perform AAA tasks, but it is also frequently useful whenever you need to provide any kind of controlled dial-up access. The technical specification of the basic features supported by all RADIUS servers can be found in RFC 2138 (ftp://ftp.isi.edu/in-notes/rfc2138.txt). Accounting information is specified in RFC 2139 (ftp://ftp.isi.edu/in-notes/rfc2139.txt). The following simple explanation of the main work phases illustrates the functionality of a RADIUS server:
<list>(numbered)
<le>Authentication phase - the Network Access Server (NAS) gets a username/password pair from user input, encrypts this information with a "secret key" shared between the NAS and the RADIUS server, and transfers the request to a RADIUS server. The RADIUS server receives this information, extracts the username and password, and validates them against a local username and password database.
<le>Authorization phase - if the user is valid, the RADIUS server gets some information from a special database and sends it to the NAS.
For example: the IP address assigned to this dial-up client, network mask, allowed session time, default router, access control list ID, etc.
<le>Accounting phase - when the NAS gets the acknowledgement from RADIUS during the previous phase, the NAS sends a "Start session" packet to the RADIUS server, and a "Stop session" packet when the client is disconnected from the NAS. The "Stop session" packet contains accounting information such as session time, amount of input/output traffic, etc.
<endlist>
<head1>(What is RADIUS-VMS?\RADIUSVMS_DOC_6_2)
<p>The RADIUS-VMS project was started in 1998 as a port of the Livingston RADIUS 2.x server to OpenVMS, introducing a lot of VMS-specific features. This project was sponsored by DLS Internet Service Inc. and performed by Ruslan R. Laishev (http://www.starlet.spb.ru). RADIUS-VMS is a RADIUS server, multithreaded with DEC Threads, which was <U>(fully rewritten from the original sources and has remained under active development for implementation of new features). The main features follow:
<list>(unnumbered)
<le>SYSUAF based authentication, using a flat USERS file as well
<le>SYSUAF password changing
<le>Security based on VMS facilities (AUDIT, Intrusion detection)
<le>Session limit checking & authorization
<le>Connection speed authorization by VMS SYSUAF right id(s)
<le>NAS(s) & Realm(s) access authorization by right id(s)
<le>MultiLink PPP at ISDN authorization by right id
<le>Accounting of users/NAS/port activities in the VMS ACCOUNTING format as well as in the traditional .DETAIL format
<le>Work in a mixed-cluster environment sharing data files
<le>High performance with a large USERS file
<le>File I/O using RMS
<le>Network I/O using $QIO
<le>MultiHOME support
<le>Multithreaded by DEC Threads (up to 128 concurrent threads for every "Home"), using kernel threads under VMS/Alpha >7.x
<le>Realm policy authentication, and an additional authorization by right id(s)
<le>VMS Right Id policy authentication
<le>Full VSA support
<le>NT domain
authentication support
<le>Internet Roaming (Proxy/Forwarding) capabilities support with domain-realm or IMSI-realm
<le>External authorization and accounting callouts (examples for ORACLE Server are provided.)
<le>Integration with MX 5.x by MadGoat Software (www.madgoat.com)
<le>Integration with X-Stop hardware and software (www.xstop.com)
<le>Support for Ascend's filters.
<le>Support for IMSI (International Mobile Station Identity) realms carried by 3GPP2-IMSI or Calling-Station-Id.
<le>Support for Digest authentication (draft-sterman-sip-radius-00.txt, draft-sterman-aaa-sip-00.txt)
<le>Support for A12 authentication for IMT-MC-450i (1xEV-DO)
<endlist>
<head1>(Prerequisites.\RADIUSVMS_DOC_6_3)
<p>RADIUS-VMS requires VMS version V7.1 or later to run.
<p>A TCP/IP package; it is tested with TCPWare-TCP 5.5-3 (Alpha/VMS), Multinet 4.3 (Alpha/VMS), DEC TCP/IP Service (UCX) 4.2, 5.x
<p>Optionally, MadGoat's MX 5.1 or later
<CHAPTER>(RADIUS-VMS installation.\RADIUSVMS_DOC_7)
<p>RADIUS-VMS uses VMSINSTAL for installation. If you do not know how to use VMSINSTAL, you should first read the chapter on installing software in the <emphasis>(VMS System Manager's Manual). For the installation, you should be logged into the SYSTEM account, or another suitably privileged account.
<head1>(Invoking VMSINSTAL.\RADIUSVMS_DOC_7_1)
<p>Invoke VMSINSTAL to install RADIUS-VMS.
<interactive>
<s>($ )<u>(@sys$update:vmsinstal RADIUSVMSvvn DDCU:)
<endinteractive>
<p>Substitute the appropriate values for <emphasis>(vvn) and <emphasis>(ddcu).
<interactive>
OpenVMS VAX Software Product Installation Procedure V7.1
It is 29-JAN-2000 at 02:58.
Enter a question mark (?) at any time for help.
%VMSINSTAL-W-NOTSYSTEM, You are not logged in to the SYSTEM account.
%VMSINSTAL-W-ACTIVE, The following processes are still active:
        UCX$NTPD
        MONITOR_SERVER
* Do you want to continue anyway [NO]? y
* Are you satisfied with the backup of your system disk [YES]?
The following products will be processed:
  RADIUSVMS V2.0
Beginning installation of RADIUSVMS V2.0 at 02:58
%VMSINSTAL-I-RESTORE, Restoring product save set A ...
RADIUS-VMS Installation Procedure
Copyright © 1998-2003, Ruslan R. Laishev. All Rights Reserved.
* Where should the RADIUS-VMS top directory be located? [$1$DUA1130:[RADIUS]]:
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists
* Do you want to purge files replaced by this installation [YES]?
%VMSINSTAL-I-RESTORE, Restoring product save set D ...
%VMSINSTAL-I-RESTORE, Restoring product save set E ...
%VMSINSTAL-I-RESTORE, Restoring product save set F ...
%RADIUSVMS-I-LINKING, Linking image RADIUS_SERVER.EXE ...
%RADIUSVMS-I-LINKING, Linking image RT.EXE ...
%RADIUSVMS-I-LINKING, Linking image LGI$CALLOUT_RADIUS.EXE ...
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.VAX_EXE] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.UTILS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.DOCS] already exists
%CREATE-I-EXISTS, $1$DUA1130:[RADIUS.TEMPLATES] already exists
*************************************************************
The RADIUS-VMS software is installed at your system!!!
NOTE 1
RADIUS-VMS must be installed twice on a mixed-VMScluster:
once on a VAX system and once on an Alpha system. This is
necessary because the RADIUS-VMS executables are linked
during the installation. Installing RADIUS-VMS on a VAX
produces the VAX executable images and installing it on an
Alpha produces the Alpha images.
NOTE 2
For the first time installation refer to RADIUS-VMS
documentation for postinstallation tasks.
NOTE 3
For start RADIUS-VMS at system boot time you can add
into SYS$STARTUP:SYSTARTUP_VMS.COM the follows line:
$ @SYS$STARTUP:RADIUSVMS_STARTUP.COM
*************************************************************
%VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...
Installation of RADIUSVMS V2.0 completed at 03:01
VMSINSTAL procedure done at 03:01
<endinteractive>
<p>Before the first start of the RADIUS-VMS server, you need to prepare the configuration files. If you do not have your own variant of the RADIUS_DICTIONARY file, you can just copy RAD_DICTIONARY.TEMPLATE to the RADIUS.DICTIONARY file. You can also use RAD_USERS.TEMPLATE to create your own RADIUS.USERS file, and RAD_CONFIG.TEMPLATE to create a RADIUS.CONFIG file.
<p>All site-specific logicals must be kept in RADIUS_LOGICALS.COM; a template for this file is also provided.
<p>Read <reference>(RADIUSVMS_DOC_8) carefully for the rules of configuration.
<p>You can add the following line to your LOGIN.COM (or SYS$MANAGER:SYLOGIN.COM); it defines some useful RADIUS-related commands.
<interactive>
<s>($ )<u>(@radius_dir:radius_commands.com)
<endinteractive>
<CHAPTER>(Configuration & Management.\RADIUSVMS_DOC_8)
<p>This Product Documentation is not a study of how RADIUS works in general, or of how to get started with RADIUS; it describes only the specific features of this server. It also describes the steps you will probably need to take to accomplish a particular task. For beginners and admins, Livingston's site hosts the good "old" <emphasis>(RADIUS Administrator's Guide), which will help you take the first steps in configuration and user management; you can download this manual from http://www.livingston.com/tech/docs/pdf/radius.pdf.
<head1>(Server logicals.\RADIUSVMS_DOC_8_1)
<p>A number of logicals are used to configure the RADIUS-VMS Server; a good place for them is RADIUS_LOGICALS.COM.
<table>
<table_setup>(2\24)
<table_row>(RADIUS_DIR\Points to the RADIUS home directory.)
<table_row>(RADIUS_ACCOUNTING\Points to an accounting file in VMS ACCOUNTING format; if this logical is defined as NL:, no accounting records are written at all.)
<table_row>(RADIUS_DICTIONARY\Points to the RADIUS dictionary file.)
<table_row>(RADIUS_CONFIG\Points to the RADIUS clients & realms & homes configuration file.)
<table_row>(RADIUS_USERS\Points to the RADIUS users file.)
<table_row>(RADIUS_CURRENT\File which contains "show session"-like information.)
<table_row>(RADIUS_ACCBIN\Starting with 2.5x, RADIUS-VMS stores the original accounting information in a binary file, which is meant to be processed by the RADACC utility to generate reports.)
<endtable>
<p>The following logicals must be defined with the /SYSTEM and /EXECUTIVE_MODE qualifiers.
<table>
<table_setup>(2\24)
<table_row>(RADIUS_DEBUG\Enables debug output.)
<table_row>(RADIUS_DISABLE_SESSIONLIMIT\Turns "off" session limit checking; it is a global flag which overrides options in the RADIUS_CONFIG file and the check item MAX-Session-Limit in the RADIUS_USERS file.)
<table_row>(RADIUS_DNS_LOOKUP\Enables a reverse DNS lookup.)
<table_row>(RADIUS_NUMTHREADS\The number of accounting and authentication execution threads; 3 accounting threads and 3 authentication threads are the default values. The maximum number of threads for each "home" is 128.)
<table_row>(RADIUS_OPCOMLVL\This logical defines the minimal severity level (a VMS severity level) of messages sent to OPCOM. A value greater than 4 stops any messages from being sent to OPCOM.)
<table_row>(RADIUS_SESSIONTMO\The existence of this logical controls whether a value for the Session-Timeout attribute is added to ACK packets during the authentication/authorization phase.)
<table_row>(RADIUS_PWD_EXPIRED\If this logical is defined, RADIUS-VMS checks the SYSUAF /FLAG=PWD_EXPIRED and rejects logins if this flag is set.)
<table_row>(RADIUS_ALLOW_RECTRICTED\If this logical is defined, RADIUS-VMS skips the check of the SYSUAF /FLAG=RESTRICTED.)
<table_row>(RADIUS_THSTACKSZ\This logical defines the thread stack size; the default and minimum size is 48000 bytes.)
<table_row>(RADIUS_SYSLOG\This logical defines a SYSLOG server host IP address or name and UDP port number. The format is "host:port".)
<endtable>
<NOTE>
<p>Be advised that the packet dump activated by the RADIUS_DEBUG logical shows the password in plain text.
<ENDNOTE>
<head1>(Users management.\RADIUSVMS_DOC_8_2)
<p>RADIUS-VMS uses a dictionary file and a users file format compatible with Livingston RADIUS. You can keep only one DEFAULT entry in the RADIUS_USERS file and perform all other authorization tasks in the SYSUAF database alone. The main attribute for the authentication and authorization procedures is the username. The username is a string of the form:
<syntax>
[<domain>\]<username>[['%'<suffix>]['@'<realm>]]
<endsyntax>
<p>See examples:
<table>
<table_setup>(2\24)
<table_row>(ZyzOp%PPP@DeltaTel.RU\A SYSUAF user ZyzOp is expected, and it is assumed that the RADIUS_USERS file contains an entry with the check item Suffix = "PPP". For additional authorization, the entry for the "DeltaTel.RU" realm in the RADIUS_CONFIG file is checked.)
<table_row>(C00lZyZop@RadiusVMS.COM\A SYSUAF user C00lZyZop is expected. For additional authorization, the entry for the "RadiusVMS.COM" realm in the RADIUS_CONFIG file is checked.)
<table_row>(SysMan%TELNET\SYSUAF user SysMan; this user is expected to want a TELNET session opened automatically after login at the NAS. It is assumed that the RADIUS_USERS file contains an entry with the Check-Item Suffix = "%TELNET".)
<table_row>(M$SOFT<BACKSLASH>ZyzOp\User (ZyzOp) from domain M$SOFT; this user is expected to authenticate against remote PDC/BDC hosts.)
<endtable>
<NOTE><p>You can use wildcard masks in usernames in the RADIUS_USERS file.
<ENDNOTE>
<p>During the authentication phase of the login procedure, the server checks the following SYSUAF parameters:
<list>(unnumbered)
<le>/FLAG=(DISUSER,RESTRICTED,PWDEXPIRED)
<le>/EXPIRATION=time
<le>/NETWORK=range
<le>/DIALUP=range
<le>/PRIMEDAYS=([NO]day[,...])
<le>/PASSWORD
<le>/FLAG=PWD_EXPIRED
<endlist>
<p>If a login fails the SYSUAF checks, intrusion information is stored for use the next time.
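<p>The username form given above can be split mechanically before any lookup is made. The following Python sketch is an added example, not code from RADIUS-VMS: it parses the documented form and applies the length and character limits this manual states for usernames. The names parse_login, Login and UsernameError, the strict rejection of leftover separators, and returning the suffix without its '%' are assumptions.

```python
# Parser for the login-name form documented in this manual:
#   [<domain>\]<username>[['%'<suffix>]['@'<realm>]]
# Added illustration; all names here are hypothetical, not RADIUS-VMS code.
import re
from dataclasses import dataclass
from typing import Optional

# Length limits in bytes, as listed in the manual's note on parameter
# lengths (the manual states no limit for the domain part).
LIMITS = {"username": 12, "suffix": 15, "realm": 63}

# Space, tab and other control characters are not allowed in usernames.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")
_SEPARATORS = "\\%@"


class UsernameError(ValueError):
    """Raised when a login name does not fit the documented form."""


@dataclass(frozen=True)
class Login:
    domain: Optional[str]
    username: str
    suffix: Optional[str]   # stored without the leading '%' (assumption)
    realm: Optional[str]


def _component(name: str, value: str) -> str:
    """Validate one component: non-empty, no separators, within its limit."""
    if not value:
        raise UsernameError(f"empty {name}")
    if any(ch in _SEPARATORS for ch in value):
        # Assumption: a separator left inside a component (e.g. "a@b@c")
        # is rejected rather than guessed at.
        raise UsernameError(f"unexpected separator in {name}")
    limit = LIMITS.get(name)
    # Assumption: lengths are measured on the UTF-8 encoding of the text.
    if limit is not None and len(value.encode("utf-8")) > limit:
        raise UsernameError(f"{name} longer than {limit} bytes")
    return value


def parse_login(raw: str) -> Login:
    """Split a login name into domain, username, suffix and realm."""
    if _FORBIDDEN.search(raw):
        raise UsernameError("space, tab or control character in login name")
    domain = suffix = realm = None
    rest = raw
    if "\\" in rest:                      # optional NT domain prefix
        domain, rest = rest.split("\\", 1)
        domain = _component("domain", domain)
    if "@" in rest:                       # optional realm, always last
        rest, realm = rest.rsplit("@", 1)
        realm = _component("realm", realm)
    if "%" in rest:                       # optional suffix before the realm
        rest, suffix = rest.split("%", 1)
        suffix = _component("suffix", suffix)
    return Login(domain, _component("username", rest), suffix, realm)


if __name__ == "__main__":
    # The four example names from the manual, then constructed bad inputs.
    samples = ["ZyzOp%PPP@DeltaTel.RU", "C00lZyZop@RadiusVMS.COM",
               "SysMan%TELNET", "M$SOFT\\ZyzOp",
               "Zyz Op", "ABCDEFGHIJKLM", "a@b@c"]
    for sample in samples:
        try:
            print(f"{sample!r:28} -> {parse_login(sample)}")
        except UsernameError as exc:
            print(f"{sample!r:28} -> rejected: {exc}")
```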
<p>At the successful end of the login phase, the "last login: non-interactive" field is updated for this user in the SYSUAF. All login failures are stored in the VMS AUDIT database; you can use the ANALYZE/AUDIT utility to search and retrieve this information.
<NOTE>There are some natural limits on parameter lengths:
<table>
<table_setup>(2\16)
<table_row>(username\12 bytes)
<table_row>(password\96 bytes)
<table_row>(suffix\15 bytes)
<table_row>(realm\63 bytes)
<endtable>
<p>Usernames containing a space, tab or other control characters are not allowed.
<ENDNOTE>
<head2>(SYSUAF based authentication & authorization.\RADIUSVMD_DOC_8_2)
<p>This feature can be turned on as the default for all accounts or for a particular account only. To activate this feature, use an Auth-Type check item with the value "System". See the example entries in the RADIUS_USERS file:
<interactive>
...
#It's assumed that all users will be authenticated against SYSUAF
DEFAULT Auth-Type = System
...
<endinteractive>
<p>or
<interactive>
...
#SYSUAF SysMan will be authenticated against SYSUAF
SysMan Auth-Type = System
#password for ZyzOp stored in the RADIUS_USERS file
ZyZop Password = "Zadnica"
# All other logins will be rejected w/o any checking
DEFAULT Auth-Type = Reject
...
<endinteractive>
<p>You can control whether a particular user may log in by dial-in with the /DIALUP option of AUTHORIZE; you can also specify a time range for additional control of the allowed login time. RADIUS-VMS uses the time range defined by the /NETWORK or /DIALUP options to compute the allowed session time if the RADIUS_SESSIONTMO logical is defined. For network users you can use the SYSUAF /NETWORK option. The difference between <u>(Dial-In) logins and <u>(NETWORK) logins is <u>(defined by the presence of the NAS-Port-Id and NAS-Port-Type attributes) in the authentication request, which are sent (or are not sent) by the NAS or by a *nix box (when a RADIUS PAM module is used for authentication and authorization of local users by RADIUS).
Check your <emphasis>(System Managers utilities guide) for additional information about the AUTHORIZE utility and the SYSUAF database. The SYSUAF /EXPIRATION option can be used to control the expiration time for a particular user. The SYSUAF /FLAG=RESTRICTED option is equivalent to /FLAG=DISUSER for Dial-In users only (see also the synopsis of the RADIUS_ALLOW_RECTRICTED logical).
<NOTE> Some NAS models do not send the NAS-Port-Type attribute at all, for example: DEC Server 90M. In this case you should use the /NAS option in the client definition entry for this NAS; it forces info records to be written into the RADIUS_CURRENT file and allows "Session-Limits" checking to be performed.
<ENDNOTE>
<head2>(SYSUAF password change.\RADIUSVMD_DOC_8_2_111)
<p>RADIUS-VMS can change the SYSUAF password using an RFC-compliant and vendor-independent method. It is implemented by encapsulating the new password in the User-Password attribute. The syntax of the password follows:
<syntax>
password[,newpassword,verification]
<endsyntax>
<p>where password is the real password of the user in SYSUAF, and newpassword and verification are the new password entered twice.
<p>When RADIUS-VMS gets a request with a password in the form shown, it extracts the old and new passwords, authenticates the user as usual, checks the options /FLAGS=(NOLOCKPWD,NOGENPWD), checks the length of the new password against the SYSUAF /PWDMINIMUM parameter, hashes the new password, and updates the password in the SYSUAF and the "Pwdchange:" field with the current system time.
<p>You can also use the RT utility to change the password, see the example:
<interactive>
$ rt
Usage: rt username passwd servername portno secretkey [port]
Check account:$ rt ZyZop SuperPass Radius.ZZ.Top.NET 1 kalamala
Set password :$ rt ZyZop "SuperPass,newzuper13,newzuper13" Radius.ZZ.Top.NET 1 kalamala
$
<endinteractive>
<NOTE> If any of the described checks of the new password fails, the password will not be changed, but the login will be accepted.
<ENDNOTE>
<head2>(Accept or Reject all logins without real authentication.\RADIUSVMD_DOC_8_2_1)
<p>You can use Auth-Type = Accept or Auth-Type = Reject to accept all logins without really checking the username/password pair, or to reject all logins, respectively. See the example entries below:
<interactive>
...
#Accept all logins w/o authentication by RADIUS from this NAS
DEFAULT1 Auth-Type = Accept, NAS-IP-Address = 172.16.0.35
        Service-Type = Login-User,
        Login-Service = Telnet,
        Login-TCP-Port = 23,
        Login-IP-Host = StarLet.ZZTop.net
...
#
#Accept all logins w/o authentication by RADIUS from this RADIUS/NAS server
#
DEFAULT2 Auth-Type = Accept, Client-IP = 172.16.0.35
        Service-Type = Login-User,
        Login-Service = Telnet,
        Login-TCP-Port = 23,
        Login-IP-Host = StarLet.ZZTop.net
...
#
# A special default entry for a SIP Express Router/SER
#
mobile Client-IP = 172.16.0.133, Auth-Type = Digest, Password = "kalamala"
        Sip-Rpid = "222"
#Reject all other logins by default
DEFAULT Auth-Type = Reject
...
<endinteractive>
<head2>(Session limit checking.\RADIUSVMD_DOC_8_3)
<p>This feature gives you the ability to control the number of sessions allowed at one time for all users or for particular user(s). It is built-in functionality of the RADIUS-VMS server. It can be defined by a MAX-Session-Limit Check-Item in the RADIUS_USERS file.
<NOTE> Keep in mind that sessions with one IP address (Framed-IP-Address) count as one session; typically this situation occurs when users use MultiLink PPP.
<ENDNOTE>
<p>Example entries in the RADIUS_USERS file follow:
<interactive>
...
#It's assumed that all users will be authenticated against SYSUAF,
#by default all users can have 33 sessions at one time
DEFAULT Auth-Type = System , MAX-Session-Limit = 33
<endinteractive>
<p>or
<interactive>
#Only SYSUAF user SysMan can have 3 concurrent sessions
SysMan Auth-Type = System , MAX-Session-Limit = 3
#Users who log in at the NAS with IP address = 172.16.1.30
#are allowed 5 sessions
DEFAULT1 Auth-Type=System, NAS-IP-Address=172.16.1.30, MAX-Session-Limit = 5
#All other users can have only 1 session (it's the default value)
DEFAULT Auth-Type = System
<endinteractive>
<head2>(Realms based policy.\RADIUSVMD_DOC_8_3_1)
<p>This feature gives the ability to implement an authentication and authorization policy based on the realm that arrives in the request with the username. You can perform an additional authorization of the realm by right id(s) in the RADIUS_CONFIG file.
<p>An example entry in the RADIUS_USERS file follows:
<interactive>
...
#It's assumed that all users with "@zz.top" will be authenticated against SYSUAF,
#by default all users can have 33 sessions at one time
DEFAULT1 Auth-Type = System, Auth-Realm = "zz.top"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.253,
        Framed-Netmask = 255.255.255.255,
        Framed-MTU = 1500
#All other users
DEFAULT Auth-Type = System, MAX-Session-Limit = 1
<endinteractive>
<head2>(VMS Right Id based policy.\RADIUSVMD_DOC_8_3_1_2)
<p>This feature gives the ability to implement an authentication and authorization policy based on a VMS right id. The VMS right id is used as the check item in the RADIUS_USERS file.
<p>An example entry in the RADIUS_USERS file follows:
<interactive>
...
#The following entry is for users who have the NET$MANAGE right id granted
#in the RIGHT list
DEFAULT1 Auth-Type = System, Right-Id = "NET$MANAGE"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.253,
        Framed-Netmask = 255.255.255.255,
        Framed-MTU = 1500
DEFAULT2 Auth-Type = System, Right-Id = "NET$MANAGE", Right-Id = "NET$SECURITY"
        Service-Type = Framed-User,
        Class = "xstop: R PORN I",
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.253,
        Framed-Netmask = 255.255.255.255,
        Framed-MTU = 1500
#All other users
DEFAULT Auth-Type = System, MAX-Session-Limit = 1
<endinteractive>
<head2>(Authentication on LANMAN or Windows NT domains.\RADIUSVMD_DOC_8_3_2)
<p>RADIUS-VMS can use the user database on LANMAN or Windows NT hosts to authenticate dial-up users. This is implemented using the NETBIOS over TCP/IP protocol, which is described in RFC(s) 1001/1002 and widely used by the SAMBA package (www.samba.org). As an authentication host you can use:
<list>(unnumbered)
<le> OpenVMS PathWorks 6.x or later
<le> OpenVMS Advanced Server 7.x
<le> SAMBA server
<le> IBM OS/2 LAN Manager 2.x
<le> Windows NT Server (3.51,4.0), PDC/BDC or standalone server
<endlist>
<p>Rules of configuration: in the RADIUS_CONFIG file you need to add a domain definition entry, which is used to find an authentication host for a particular domain.
<syntax>
!++
!
! define domain <domain_name> -
! /dc_host=<ip_name_or_address> -
! /bdc_host=<ip_name_or_address>
!
!--
<endsyntax>
<interactive>
!
! The following entry is for users from the M$SOFT Windows NT domain
!
!
define domain M$SOFT -
        /DC_HOST=pdc.zztop.net /BDC_HOST=bdc.zztop.net
!
! The following entry is for users from domain BSOD
!
define domain BSOD -
        /DC_HOST=172.16.0.3
<endinteractive>
<p>In the RADIUS_USERS file you need to define special entries for these domains; see the example entries in the RADIUS_USERS file (note that wildcard characters can be used):
<interactive>
M$SOFT\*_%%% Auth-Type = Domain
...
M$SOFT\* Auth-Type = Domain, Auth-Realm = "zztop.net"
...
BSOD\cc_%%% Auth-Type = Domain, Suffix = "%telnet"
...
BSOD\* Auth-Type = Domain
<endinteractive>
<NOTE> RADIUS-VMS does not support CHAP or MS CHAP authentication of domain users. RADIUS-VMS cannot check a user's group on the domain.
<ENDNOTE>
<head1>(Clients management.\RADIUSVMD_DOC_8_4)
<p>The RADIUS_CONFIG file must contain an entry for every NAS and for every Remote RADIUS Server (see the <reference>(RADIUSVMD_DOC_8_6) clause) which will interoperate with your RADIUS. Every entry consists of the NAS or Remote RADIUS server IP name (or IP address), a shared secret key, and optional right id lists. The right id can be used for additional authorization of user access to a particular NAS. If a right id is present in the entry for a NAS, a user will have access to this NAS if this right id is granted in SYSUAF. The syntax of the entry definition and example entries in the RADIUS_CONFIG follow:
<syntax>
!++
!
! define client <client_name> -
! /secret="<secret_key>"
! /reject_id=( < id list > )
! /accept_id=( < id list > )
! /[no]session_limit_check
! /NAS
! /connection_info=<offset>
! /reject_realm=( <DEFAULT | realm list > )
! /accept_realm=( <DEFAULT | realm list > )
! /group=<group_id>
!
!--
<endsyntax>
<table>
<table_attributes>(wide)
<table_setup>(2\24)
<table_heads>(Option\Description)
<table_row>(SECRET=quoted_string\The shared secret used for "encrypting" the password transferred over the network between the NAS and a RADIUS server.)
<table_row>(REJECT_ID=(id0,id1,...)\This option defines a list of right ids used to reject logins for users who have any right id from this list in SYSUAF/RIGHTSLIST.)
<table_row>(ACCEPT_ID=(id0,id1,...)\This option defines a list of right ids used to accept logins for users who have any right id from this list in SYSUAF/RIGHTSLIST.)
<table_row>([NO]SESSION_LIMIT_CHECK\Enables or disables checks of allowed concurrent sessions at a particular NAS, see also the <emphasis>(Clients management) clause.)
<table_row>(NAS\Treats the client as a NAS, see also the <emphasis>(Clients management) clause.)
<table_row>(CONNECTION_INFO\Accepts a decimal value which defines the offset of the connection speed within the Connection-Info attribute value.)
<table_row>(ACCEPT_REALM=(realm,...)\This option allows the server to proxy/forward requests from the client for the specified list of realm suffixes.)
<table_row>(REJECT_REALM=(realm,...)\This option defines a list of realms for which logins at the client are rejected.)
<table_row>(GROUP=number\This parameter allows clients to be grouped, see the use of the Client-Group-Id check item.)
<endtable>
<interactive>
define client NAS.SomeWhere.NET -
        /secret="01234567" -
        /accept_id=(nas$_access,mx_mail_access)
define client NEWS.ZZtop.NET -
        /secret="01234567" -
        /accept_id=(nas$_access,mx_mail_access,ftp_out)-
        /nosession_limit_check
!
! The following entry is for my good old DEC Server 90M
!
define client TSrv.ZZtop.NET -
        /secret="01234567" -
        /accept_id=(nas$_access,mx_mail_access,ftp_out) -
        /session_limit_check -
        /NAS
!
! Allow logins only for specified realm suffix
!
define client AS3640.ZZtop.NET -
        /secret="01234567" -
        /accept_realm=(DEFAULT, SkyLink.SPb.RU)
!
! Reject logins with specified realm suffixes and allow all other
!
define client PDSN.ZZtop.NET -
        /secret="01234567" -
        /reject_realm=(SkyLink.MSK.RU, BelCel.BY)
!
!
! My NAS sends connection info in the form:
! Connect-Info = "Mo.1.9.2.1.6 46667 28800 DYNAMIC PPP CHAP V90 LAPM V42BIS "
!                 |------------^
! 14 is the offset to the first space of the speed of connection parameter
!
!
define client TSrv.ZZtop.NET -
        /secret="01234567" -
        /accept_id=(nas$_access,mx_mail_access,ftp_out) -
        /session_limit_check -
        /NAS -
        /connection_info=14
!
! Our partners: MCC AAA, coupling all AAA into the single group with id = 73
!
define client aaa1.zz.ru /secret="secret"/nonas/group=73
define client aaa2.zz.ru /secret="secret"/nonas/group=73
define client aaa3.zz.ru /secret="secret"/nonas/group=73
!
! Delta Telecom/SkyLink PDSN, RNC, coupling it into the single group with id = 1
!
define client pdsn1.d-t.ru /secret="secret"/nonas/group=1
define client pdsn2.d-t.ru /secret="secret"/nonas/group=1
define client pdsn-ev-1x-1.d-t.ru /secret="secret"/nonas/group=1
define client pdsn-ev-1x-2.d-t.ru /secret="secret"/nonas/group=1
define client pdsn-ev-do-1.d-t.ru /secret="secret"/nonas/group=2
define client rnc-1.d-t.ru /secret="secret"/nonas/group=2
<endinteractive>
<p>The following example uses group and the Client-Group-Id check item for entries in the RADIUS_USERS file:
<interactive>
...
#
# Entry for MCC logins
#
mobile Auth-Type = Accept, Client-Group-Id = 73
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.253,
        Framed-Netmask = 255.255.255.255
default_ev1x Auth-Type = Accept, Client-Group-Id = 1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.253,
        Framed-Netmask = 255.255.255.255
default_evdo Auth-Type = A12, Client-Group-Id = 2
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.253,
        Framed-Netmask = 255.255.255.255
<endinteractive>
<NOTE>
<p>The maximum number of identifiers for the reject or accept qualifiers cannot be more than 15.
<p>The qualifier /NOSESSION_LIMIT_CHECK is the default.
<ENDNOTE>
<head1>(Realms management.\RADIUSVMD_DOC_8_5)
<p>The RADIUS_CONFIG file must contain an entry for each realm which must be processed during authorization of users. An entry consists of the realm name, optional right id lists, the remote RADIUS authentication server IP name and UDP port, the remote RADIUS accounting server and UDP port, and an optional account name field. The right id (if any) can be used for authorization of local users in the same manner as described in the <emphasis>(Clients management) clause.
The account name field can be used when you need to consolidate all accounting information for a particular realm under one account, which can be associated with a partner, for example. To produce the accounting information you can use the /ACCOUNT option of the VMS ACCOUNTING utility (refer to <emphasis>(System Manager utilities) for information about producing reports with the VMS ACCOUNTING utility). See the syntax of the entry definition and the example entries below:
<syntax>
!++
! define realm default<VBAR><realm_name> -
! /IMSI -
! /reject_id=( < id list > )
! /accept_id=( < id list > )
! /auth_host="<ip_name_or_address>:<port>"
! /acct_host="<ip_name_or_address>:<port>"
! /bauth_host="<ip_name_or_address>:<port>"
! /bacct_host="<ip_name_or_address>:<port>"
! /account=<account> -
! /session_limit=<number>
!
!--
<endsyntax>
<table>
<table_attributes>(wide)
<table_setup>(2\24)
<table_heads>(Option\Description)
<table_row>(REJECT_ID=(id0,id1,...)\This option defines a list of right ids used to reject logins for users who have any right id from this list in SYSUAF/RIGHTSLIST.)
<table_row>(ACCEPT_ID=(id0,id1,...)\This option defines a list of right ids used to accept logins for users who have any right id from this list in SYSUAF/RIGHTSLIST.)
<table_row>(AUTH_HOST=quoted_string\Defines a remote RADIUS server IP address and UDP port to forward authentication requests to.)
<table_row>(ACCT_HOST=quoted_string\Defines a remote RADIUS server IP address and UDP port to forward accounting requests to.)
<table_row>(BAUTH_HOST=quoted_string\Defines a backup remote RADIUS server IP address and UDP port to forward authentication requests to.)
<table_row>(BACCT_HOST=quoted_string\Defines a backup remote RADIUS server IP address and UDP port to forward accounting requests to.)
<table_row>(ACCOUNT\Defines an account name for storing accounting information for a realm in the local database (RADIUS_ACCOUNTING).)
<table_row>(SESSION_LIMIT\Defines the maximum number of concurrent sessions for a user from a particular realm.)
<table_row>(IMSI\Defines the realm name as an IMSI prefix.)
<endtable>
<interactive>
define realm news.zz.top -
        /reject_id=(mx_mail_access,ftp_inc) -
        /accept_id=(news_access)
!
!All requests for this realm will be forwarded, all
!accounting information will be accumulated on
!the account named "SYSMAN"
!
define realm zz2.top -
        /auth_host="dtv3:1645" -
        /acct_host="dtv4:1646" -
        /account=sysman
!
! Forward all authentication requests of Moscow Cell. Company roamers
! to MCC's home RADIUS.
!
define realm 25014 /IMSI -
        /auth_host="radius.mcc.ru:1645" -
        /acct_host="radius.mcc.ru:1646" -
        /account=MCC
!
! Romanian ZAPP subscribers
!
define realm 22604 /IMSI -
        /auth_host="radius.zapp.ro:1645" -
        /acct_host="radius.zapp.ro:1646" -
        /account=ZAPP
!
! The First Russian mobile operator, Delta Telecom Inc, IMT-MC-450 (CDMA200)
!
define realm 25009 /IMSI -
        /auth_host="StarLet.DeltaTelecom.RU:1645" -
        /acct_host="StarLet.DeltaTelecom.RU:1646" -
        /account=DELTATEL
!
!Forward all requests from users which have no realm suffix in the username,
!allow two concurrent sessions for a user from this realm.
!
define realm default -
        /auth_host="dtv3:1812" -
        /acct_host="dtv4:1813" -
        /bauth_host="StarLet:1645" -
        /bacct_host="StarLet.ZZTop.NET:1646" -
        /account=sysman -
        /session_limit=2
<endinteractive>
<NOTE>
<p>Every remote RADIUS server host must be described as a client in the RADIUS_CONFIG file (see the <reference>(RADIUSVMD_DOC_8_4) clause).
<p>The realm name DEFAULT can be used when you need realm processing for logins of users which have no realm suffix in the username.
<ENDNOTE>
<head1>(Proxy/Forwarding capabilities.\RADIUSVMD_DOC_8_6)
<p>RADIUS-VMS can act as a PROXY server which transparently forwards requests from NAS(es) to a remote RADIUS server and answers from the remote RADIUS server(s) to the NAS. This makes it possible to implement an Internet global roaming concept.
The RADIUS-VMS server uses the Proxy-State attribute to keep special information which is attached to all forwarded requests. The attached information is removed from the packet when the request is returned back. RADIUS-VMS removes only its own Proxy-State attributes; all other Proxy-State attributes stay in the packet without any changes or reordering. The Proxy/Forwarding capability is built-in functionality of RADIUS-VMS. Use the RADIUS_CONFIG file entries for PROXY/FORWARDING management.
<p>RADIUS-VMS shares the work load between the primary and backup authentication/authorization and accounting remote RADIUS servers by maintaining a "load factor" for the RADIUS hosts defined for the realm. This "load factor" is computed as the difference between sent and received requests. RADIUS-VMS selects the host with the smallest "load factor".
<NOTE>
<p>The remote RADIUS server must be fully RFC2138 compliant.
<p>Keep in mind that the current implementation of forwarding in RADIUS-VMS does not validate the values returned in answer packets. This means that if an answer packet contains a static IP address in the Framed-IP-Address attribute, it can cause a problem with routing.
<ENDNOTE>
<head1>(MultiHome configuration\RADIUSVMD_DOC_8_7)
<p>RADIUS-VMS supports additional (secondary) IP addresses bound to the primary physical interface. For example, under PSC TCPWare-TCP 5.4-3 you can add a secondary interface:
<interactive>
<s>($ )<u>(netcu start/ip psd-0 172.16.0.45 255.255.0.0 ewa-0)
<endinteractive>
<p>In the RADIUS_CONFIG file you must add a definition of the additional "home" to make it available for processing of requests coming to this address. For every "home", RADIUS-VMS starts as many threads as are defined by the RADIUS_NUMTHREADS logical. The syntax and examples of definitions follow:
<syntax>
!++
!
! define home <ip_name_or_ip_address> -
!       /auth_port=<port_number> -
!       /acct_port=<port_number> -
!       /receive_buffer_size=<receive_buffer_size_in_bytes>
!
!--
<endsyntax>
<table>
<table_attributes>(wide)
<table_setup>(2\24)
<table_heads>(Option\Description)
<table_row>(AUTH_PORT\Defines the UDP port number on which the home receives authentication requests.)
<table_row>(ACCT_PORT\Defines the UDP port number on which the home receives accounting requests.)
<table_row>(RECEIVE_BUFFER_SIZE\Defines the receive buffer size for every network device linked with the IP address and the UDP ports. The maximum value for the buffer is 65535 bytes.)
<endtable>
<interactive>
define home 172.16.0.45 -
        /auth_port=1645 -
        /acct_port=1646
define home 172.16.0.44 -
        /auth_port=1812
define home 172.16.0.45 -
        /acct_port=1813 -
        /receive_buffer_size=16384
<endinteractive>
<NOTE>
<p>The maximum number of homes is 8, including the default home.
<ENDNOTE>
<CHAPTER>(RADIUS-VMS control.\RADIUSVMS_DOC_89)
<p>You can use the RADCP utility to control the RADIUS-VMS server. An explanation and the syntax of the RADCP commands follow.
<table>
<table_attributes>(wide)
<table_setup>(2\24)
<table_heads>(RADCP command\Description)
<table_row>(HELP\Help on RADCP utility commands.)
<table_row>(SHUTDOWN\Shuts down the server.)
<table_row>(RESET\Forces reopening of the RADIUS_USERS,RADIUS_ACCOUNTING, , RADIUS_ACCBIN files.)
<table_row>(RESTART\Requests a full restart of the RADIUS-VMS server.)
<table_row>(/NODE=(node,...)\Sends the command to the RADIUS-VMS server on the specified node(s).)
<table_row>(/CLUSTER\Notifies all servers on a cluster.)
<table_row>(LOOP\Sends a test auth-request.)
<endtable>
<p>Example:
<interactive>
<s>($ )<u>(radcp shutdown)
...
<s>($ )<u>(radcp reset/cluster)
<endinteractive>
<CHAPTER>(Accounting.\RADIUSVMS_DOC_9)
<p>RADIUS-VMS provides accounting in two formats: the first is the traditional VMS ACCOUNTING format, and the second is the traditional .DETAIL format which was inherited from the Livingston RADIUS server.
Starting with 2.5x, accounting in the .DETAIL format is not provided anymore; you can use the RADACC utility to generate .DETAIL format files.
<NOTE>
<p>Don't forget that under some circumstances duplicates can appear in both accounting files.
<ENDNOTE>
<p>An example of the accounting record for a user session follows:
<interactive>
<s>($ )<u>(acc radius_accounting/id=32015396/full)

NETWORK Process Termination
---------------------------
Username:          CC_RRL            UIC:               [PUBLIC,CC_RRL]
Account:                             Finish time:       29-JAN-1999 00:02:23.94
Process ID:        32015396          Start time:        28-JAN-1999 23:56:58.94
Owner ID:                            Elapsed time:      0 00:05:25.00
Terminal name:     ISDN              Processor time:    0 00:00:00.00
Remote node addr:                    Priority:          0
Remote node name:                    Privilege <31-00>: 00000000
Remote ID:                           Privilege <63-32>: 00000000
Remote full name:  modem106.somewhere.net
Queue entry:       18                Final status code: 00000001
Queue name:        nas806.somewhere.net
Job name:          PPP
Final status text: %SYSTEM-S-NORMAL, normal successful completion

Page faults:       38400             Direct IO:         404
Page fault reads:  0                 Buffered IO:       363
Peak working set:  0                 Volumes mounted:   0
Peak page file:    0                 Images executed:   0
<endinteractive>
<p>The original set of attributes follows.
<interactive>
...
Fri Jan 29 00:02:23 1999
        Acct-Session-Id = "32015396"
        User-Name = "CC_RRL"
        NAS-IP-Address = 172.16.1.30
        NAS-Port = 18
        NAS-Port-Type = ISDN
        Acct-Status-Type = Stop
        Acct-Session-Time = 325
        Acct-Authentic = RADIUS
        Acct-Input-Octets = 404
        Acct-Output-Octets = 363
        Acct-Terminate-Cause = User-Request
        Connection-Info = "38400/V42bis"
        Vendor-Specific = 307
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.17.1.32
        Acct-Delay-Time = 0
        Timestamp = 917589743
<endinteractive>
<p>The table below presents the field equivalence and the source of the information. You can produce reports with the VMS ACCOUNTING utility or with the DEC DATATRIEVE report generator (see RADIUS_ACCOUNTING.DTR).
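<p>The following Python code is an added example, not part of RADIUS-VMS or RADACC. It parses .DETAIL text such as the record above, drops repeated records, and derives the ACCOUNTING fields of this chapter, including Start time as record date minus Acct-Session-Time minus Acct-Delay-Time. The duplicate key and the function names are assumptions; the sample text is constructed from the record above.

```python
from datetime import datetime, timedelta

# Constructed input: attributes copied from the Stop record above, followed by
# a repeat of the same session to stand in for a duplicate.
DETAIL = """\
Fri Jan 29 00:02:23 1999
    Acct-Session-Id = "32015396"
    User-Name = "CC_RRL"
    NAS-IP-Address = 172.16.1.30
    NAS-Port = 18
    Acct-Status-Type = Stop
    Acct-Session-Time = 325
    Acct-Input-Octets = 404
    Acct-Output-Octets = 363
    Acct-Delay-Time = 0

Fri Jan 29 00:02:23 1999
    Acct-Session-Id = "32015396"
    NAS-IP-Address = 172.16.1.30
    Acct-Status-Type = Stop
    Acct-Session-Time = 325
"""

def parse_detail(text):
    """Split .DETAIL text into records; raises ValueError on a malformed date line."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():     # unindented line opens a record
            stamp = datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")
            records.append({"date": stamp, "attrs": {}})
        elif records and "=" in line:                  # indented Name = value line
            name, value = line.split("=", 1)
            records[-1]["attrs"][name.strip()] = value.strip().strip('"')
    return records

def dedupe(records):
    """Keep the first record per (session id, NAS, status type); the key is an assumption."""
    seen, unique = set(), []
    for rec in records:
        a = rec["attrs"]
        key = (a.get("Acct-Session-Id"), a.get("NAS-IP-Address"), a.get("Acct-Status-Type"))
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique

def to_vms_fields(rec):
    """Map one record onto ACCOUNTING fields using the equivalences in this chapter."""
    a = rec["attrs"]
    elapsed = timedelta(seconds=int(a.get("Acct-Session-Time", 0)))
    delay = timedelta(seconds=int(a.get("Acct-Delay-Time", 0)))
    return {
        "Username": a.get("User-Name"),
        "Process ID": a.get("Acct-Session-Id"),
        "Queue entry": a.get("NAS-Port"),
        "Direct IO": int(a.get("Acct-Input-Octets", 0)),
        "Buffered IO": int(a.get("Acct-Output-Octets", 0)),
        "Finish time": rec["date"],
        "Start time": rec["date"] - elapsed - delay,
        "Login failure": elapsed == timedelta(0),      # zero elapsed time
    }
```

For the sample record the derived Start time matches the 28-JAN-1999 23:56:58 value in the ACCOUNTING output above.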
<table>
<table_attributes>(wide)
<table_setup>(2\24)
<table_heads>(RADIUS_ACCOUNTING\RADIUS_DETAIL)
<table_row>(Username\User-Name)
<table_row>(Account (from SYSUAF or RADIUS_REALMS)\ )
<table_row>(UIC (from SYSUAF)\ )
<table_row>(Process ID\Acct-Session-Id)
<table_row>(Page faults\Connection-Speed)
<table_row>(Direct IO\Acct-Input-Octets)
<table_row>(Buffered IO\Acct-Output-Octets)
<table_row>(Remote full name\Framed-IP-Address or Login-Host)
<table_row>(Queue entry\NAS-Port)
<table_row>(Queue name\Client name from RADIUS_CONFIG)
<table_row>(Job name\Framed-Protocol or Login-Service)
<table_row>(Finish time\Date of record)
<table_row>(Start time\Computed as Date of record - Acct-Session-Time - Acct-Delay-Time)
<table_row>(Final status code\Acct-Terminate-Cause)
<endtable>
<NOTE>
<p>A session with zero elapsed time is recorded in ACCOUNTING as a failed login attempt. Use the ACCOUNTING option /TYPE=LOGFAIL to select these records.
<ENDNOTE>
<head1>(A RADIUS-VMS Accounting utility - RADACC.EXE\RADIUSVMS_DOC_9_1)
<p>Starting with RADIUS-VMS version 2.5B the RADIUS_DETAIL file is not generated anymore; instead, all accounting information is stored in a binary format in the RADIUS_ACCBIN file. The binary format speeds up processing of accounting information and increases RADIUS-VMS throughput. Descriptions of the RADACC utility options follow:
<table>
<table_attributes>(wide)
<table_setup>(2\24)
<table_heads>(RADACC option\Description)
<table_row>(/SINCE[=time]\Selects all records time-stamped at or after the specified time.)
<table_row>(/BEFORE[=time]\Selects all records time-stamped before the specified time.)
<table_row>(/ALL\Shows all attributes of selected records.)
<table_row>(/CLIENT_IP_ADRESS\Selects all records for the specified client IP address.)
<table_row>(/STRIP_REALM=(<realm_list>)\Strips specified realms from usernames.)
<table_row>(/OUTPUT[=filespec]\Specifies the output file.)
<table_row>(/APPEND\Appends selected records to an existing file.)
<endtable>
<CHAPTER>(Additional information and appendixes.\RADIUSVMS_DOC_ZZ)
<APPENDIX>(RADIUS-VMS Messaging & Troubleshooting.\RADIUSVMS_DOC_B)
<p>RADIUS-VMS provides many diagnostic messages which help administrators to perform management and maintenance tasks.
<p>
<INCLUDE>(RADIUS_MSG.SDML)
<ENDAPPENDIX>
<APPENDIX>(Contact information.\RADIUSVMS_DOC_C)
<table>
<table_setup>(2\24)
<table_row>(Author:\Ruslan R. Laishev, Laishev@StarLet.SPb.RU)
<table_row>(Phone:\Mobile:+7 (812) 716-3222)
<table_row>(Web Site:\http://www.StarLet.SPb.RU/RadiusVMS/)
<endtable>
<ENDAPPENDIX>
<APPENDIX>(RADIUS-VMS files created during installation.\RADIUSVMS_DOC_D)
<table>
<table_attributes>(WIDE)
<table_setup>(2\32)
<table_heads>(File name\Description)
<table_unit>
<table_unit_heads>(<span>(2)Files in RADIUS_DIR:)
<table_row>([.<VAX<VBAR>ALPHA>_EXE]RADIUS_SERVER.EXE\RADIUS-VMS Server.)
<table_row>([.<VAX<VBAR>ALPHA>_EXE]RT.EXE\RADIUS Test utility.)
<table_row>([.<VAX<VBAR>ALPHA>_EXE]LGI$CALLOUT_RADIUS.EXE\RADIUS-VMS LGI$ callouts.)
<table_row>([.<VAX<VBAR>ALPHA>_EXE]RAD_MX_LOCAL_NET_CHECK.EXE\Callout module for performing "inside_address" by the MX SMTP server against the RADIUS-VMS Server "hot" database.)
<table_row>([.<VAX<VBAR>ALPHA>_EXE]RADACC.EXE\RADIUS-VMS Accounting utility.)
<table_row>([.UTILS]LGI$CALLOUT_RADIUS.COM\RADIUS-VMS LGI$ callouts startup procedure.)
<table_row>([.UTILS]RADIUS_ACCOUNTING.DTR\DEC DATATRIEVE definitions.)
<table_row>([.UTILS]RADIUS_ACCOUNTING.RRD\A Rdb/VMS Record Definition file.)
<table_row>([.UTILS]RADIUS_ACCOUNTING.RDB_SQL\A Rdb/VMS script for initial creation of a database.)
<table_row>([.UTILS]RAD_EXT_AUTH.C\An example of an external authorization module.)
<table_row>([.UTILS]RAD_EXT_ACCT.C\An example of an external accounting module.)
<table_row>([.UTILS]RAD_EXT_AUTH2ORA.*\An example of an external authorization module which works with Oracle Server.)
<table_row>([.UTILS]RAD_EXT_ACCT2ORA.*\An example of an external accounting module which works with Oracle Server.)
<table_row>([.UTILS]VOIP_AUTH.TCL\An example of a TCL (version 1.0) procedure for Cisco VoIP platforms implementing authentication of subscribers against the RADIUS Server database.)
<table_row>(RADIUS_STARTUP.COM\A RADIUS-VMS main startup procedure.)
<table_row>(RADIUS_COMMANDS.COM\A RADIUS-VMS commands definitions.)
<table_row>([.TEMPLATES]RAD_*.TEMPLATE\Templates RADIUS.USERS, RADIUS.CONFIG, RADIUS.DICTIONARY, RADIUS_LOGICALS.COM.)
<table_row>(RADIUS_SHOW.COM\Utility to display currently logged users.)
<table_row>(RADIUS_CURRENT_RESET.COM\DCL script for resetting records in a RADIUS_CURRENT file.)
<table_row>(RADIUS_CURRENT_CHECK.COM\Batch utility to check consistency of a RADIUS_CURRENT file.)
<table_row>([.DOCS]RADIUS_DOC.TXT\Documentation in TEXT format.)
<table_row>([.DOCS]RADIUS_DOC.DECW*\Documentation in DECWindows BookReader format.)
<table_row>([.DOCS]RADIUS_DOC*.HTML\Documentation in HTML format.)
<table_row>([.DOCS]RADIUS_MSG.MSGHLP$DATA\RADIUS-VMS HELP/MESSAGE Library.)
<table_row>([.DOCS]RAD_CP_HELP.HLB\RADCP utility help library.)
<endtable_unit>
<table_unit>
<table_unit_heads>(<span>(2)Files in SYS$STARTUP:)
<table_row>(RADIUSVMS_STARTUP.COM\RADIUS-VMS Startup procedure.)
<table_row>(RADIUSVMS_SHUTDOWN.COM\RADIUS-VMS Shutdown procedure.)
<endtable_unit>
<endtable>
<ENDAPPENDIX>
<APPENDIX>(RADIUS-VMS Modification history.\RADIUSVMS_DOC_E)
<interactive>
** 4-OCT-1999 RRL Version 2.0.31 which performs a session limit
**                check per client basis.
** 2-NOV-1999 RRL Version 2.0.32, added additional key for
**                using in conjunction with MX for real-time
**                relay allowed checking for roaming users.
** 6-DEC-1999 RRL Version 2.0.33 - internal release, added login time timestamp
**                in the RADIUS_CURRENT file.
** 6-DEC-1999 RRL Version 2.0.34
** 6-DEC-1999 RRL Add RADIUS_OPCOMLVL logical name, which control
**                by severity level of message sending to OPCOM
** 20-DEC-1999 RRL Add multiHOME support.
** 19-JAN-2000 RRL Fixed problem with threads cancelation.
** 24-JAN-2000 RRL Version 2.0.35
** 1-FEB-2000 RRL Version 2.0.36
** 11-FEB-2000 RRL Add external AAA callouts support.
** 21-MAR-2000 RRL Add RADIUS_SESSIONTMO.
** 21-FEB-2000 RRL Version 2.0.37
** 27-FEB-2000 RRL Version 2.10 (VSA support)
** 5-APR-2000 RRL Version 2.11 (RADCP)
** 7-APR-2000 RRL Move RADCP to RAD_CP.C
** 24-APR-2000 RRL Version 2.12
** 17-MAY-2000 RRL Version 2.13
** 15-JUN-2000 RRL Version 2.14
** 18-JUN-2000 RRL Fix for using TCPIP$INET_HOSTADDR
** 15-JUN-2000 RRL Version 2.15, SYSUAF password change
** 5-AUG-2000 RRL Increased a thread stack size.
** 5-AUG-2000 RRL Version 2.16
** 12-AUG-2000 RRL Version 2.17, maintenance update.
** 27-AUG-2000 RRL Version 2.3, NT Domain authentication.
** 6-SEP-2000 RRL /FLAG=PWD_EXPIRED
** 18-SEP-2000 RRL Version 2.31,/FLAG=PWD_EXPIRED.
** 21-SEP-2000 RRL Version 2.32, maintenance update.
** 30-SEP-2000 RRL Version 2.33, no case sensitivity wild cards comparing,
**                 global buffering option for RADIUS_USERS.
** 2-NOV-2000 RRL Version 2.34,RADIUS_ALLOW_RECTRICTED
** 10-NOV-2000 RRL Version 2.35
** 23-NOV-2000 RRL Version 2.36, realm checking in the RADIUS_CURRENT file.
** 6-JAN-2001 RRL Version 2.4 - USR VSA support.
** 16-JAN-2001 RRL Fixed a problem with SS$_DUPLNAME.
** 18-FEB-2001 RRL Version 2.4, release.
** 19-MAR-2001 RRL Version 2.4A, cosmetic changes for an external accounting.
** 30-MAR-2001 RRL Version 2.4B, disable file I/O operations if RADIUS_ACCOUNTING
**                 file cannot be opened.
** 11-APR-2001 RRL Version 2.4C, fixed bug in the put_attribute() and incorrect truncation of the
**                 AVP list in reply.
** 4-AUG-2001 RRL Added a specific handling of an USR VSA to provide a speed of
**                connection authorization and accounting.
** 28-DEC-2001 RRL Some fixes in the RAD_ACCT.C
** 11-JAN-2002 RRL Some fixes in the RAD_UTIL.C
** 18-JAN-2002 RRL Version 2.5A, added Ascend IP-filters support.
** 28-FEB-2002 RRL Version 2.5B, all configuration logicals must be defined with
**                 /SYSTEM/EXEC.
** 20-MAR-2002 RRL Added an additional checking of used buffers.
** 5-JUN-2002 RRL Some optimization:update last-login date after accept is sent.
** 11-JUN-2002 RRL Some other optimization.
** 9-AUG-2002 RRL Added backup host for realms support.
** 2-SEP-2002 RRL Version 2.6A, Added IMSI realms support.
** 13-NOV-2002 RRL Version 2.6B, fixed problem with threads exit, it cause
**                 a hanging server in HIB state.
** 20-JAN-2003 RRL Version 2.6C, Some changes of the threads cancelation.
** 19-FEB-2003 RRL Version 2.6D, Fixed a bug with resetting of the server.
** 14-MAR-2003 RRL Version 2.6E, RESET & RESTART -> RESTART.
** 17-MAR-2003 RRL Version 2.7, Now it's just full-function version.
** 4-JUN-2003 RRL Version 2.7A, Now Client-Id is a special non-protocol attribute.
** 18-AUG-2003 RRL Version 2.7B, fixed bug in the RAD_UTIL.C.
** 30-SEP-2003 RRL Version 2.7C, added Auth-Type = Digest support.
** 23-OCT-2003 RRL Version 2.7D, added client's /ACCEPT_REALM and /REJECT_REALM options.
** 6-NOV-2003 RRL Version 2.7E, restore RESET functionality.
** 25-NOV-2003 RRL Version 2.7G, backup/proxy/forwarding.
** 12-FEB-2003 RRL Version 2.7H, Calling Station Id = IMSI.
** 16-FEB-2004 RRL Version 2.7I, Added logging to SYSLOG
** 19-FEB-2004 RRL Version 2.7I, Added RADIUS_THSTACKSZ logicals.
** 31-MAY-2004 RRL Version 2.7K, Added INCLUDE directive in the
**                 RADIUS_CONFIG file syntax.
** 26-AUG-2004 RRL Version 3.0A, Removed RAD$DUALPORT, RAD$56K, RAD$ISDN rights id
**                 and corresp. code.
** 1-OCT-2004 RRL Version 3.0B, Added Calling-Station-Id to responses to help Cisco CSG
**                track users session.
** 13-APR-2005 RRL Version 3.1A, Added A12 support.
** 20-MAY-2004 RRL Version 3.1B, Added Client Group ID handling
<endinteractive>
<ENDAPPENDIX>
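<p>Added example for the Proxy/Forwarding capabilities clause, not code from RADIUS-VMS: a proxy appends its own Proxy-State to a forwarded request, strips only that attribute from the reply while leaving foreign Proxy-State attributes in their order, and picks the realm host with the smallest sent-minus-received "load factor". The marker prefix and function names are assumptions; the RADIUS-VMS Proxy-State value format is not given in this manual.

```python
import struct

PROXY_STATE = 33       # Proxy-State attribute type (RFC 2865)
MARK = b"RVMS-EX:"     # constructed marker identifying this proxy's own state

def split_attrs(packet):
    """Return (20-byte header, [(type, value), ...]); ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("short packet")
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return packet[:20], attrs

def build(header, attrs):
    """Re-encode the attributes and refresh the packet length field."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return header[:2] + struct.pack("!H", 20 + len(body)) + header[4:] + body

def tag_request(packet, state):
    """Forwarding: add our Proxy-State after any Proxy-State already present."""
    header, attrs = split_attrs(packet)
    return build(header, attrs + [(PROXY_STATE, MARK + state)])

def untag_reply(packet):
    """Returning: remove only our Proxy-State; everything else keeps its order.
    Recomputing the Response Authenticator for the NAS is outside this example."""
    header, attrs = split_attrs(packet)
    mine = lambda t, v: t == PROXY_STATE and v.startswith(MARK)
    own = [v[len(MARK):] for t, v in attrs if mine(t, v)]
    return build(header, [(t, v) for t, v in attrs if not mine(t, v)]), own

def pick_host(counters):
    """counters maps host -> (sent, received); smallest difference wins."""
    return min(counters, key=lambda h: counters[h][0] - counters[h][1])
```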