RADIUS-VMS product documentation

This manual contains product documentation for RADIUS-VMS, RFC2865/RFC2866 (RFC2138/2139) compliant RADIUS Server software for VMS systems.

__________

Copyright © 1998-2009 Ruslan R. Laishev & StarLet Group.

Trademarks info

VMS, OpenVMS, VAX, Alpha, Integrity, DEC, DEC Server, DEC DATATRIEVE, Digital are trademarks of Digital Equipment Corporation. Process Software TCPWare-TCP, Multinet (TM) are trademarks of Process Software LLC. MadGoat, Message Exchange, and MX are trademarks of MadGoat Software.

_______________________________________________________
Contents

CHAPTER 1  INTRODUCTION TO THE RADIUS.
    1.1  WHAT IS RADIUS?
    1.2  WHAT IS RADIUS-VMS?
    1.3  PREREQUISITES.

CHAPTER 2  RADIUS-VMS INSTALLATION.
    2.1  INVOKING VMSINSTAL.

CHAPTER 3  CONFIGURATION & MANAGEMENT.
    3.1  SERVER LOGICALS.
    3.2  USERS MANAGEMENT.
        3.2.1  SYSUAF based authentication & authorization.
        3.2.2  Accept or Reject all logins without real authentication.
        3.2.3  Realms based policy.
        3.2.4  VMS Right Id based policy.
        3.2.5  Authentication on LANMAN or Windows NT domains.
    3.3  CLIENTS MANAGEMENT.
    3.4  REALMS MANAGEMENT.
    3.5  PROXY/FORWARDING CAPABILITIES.
    3.6  MULTIHOME CONFIGURATION

CHAPTER 4  RADIUS-VMS CONTROL.

CHAPTER 5  ACCOUNTING.
    5.1  A RADIUS-VMS ACCOUNTING UTILITY - RADACC.EXE

CHAPTER 6  ADDITIONAL INFORMATION AND APPENDIXES.

APPENDIX A  RADIUS-VMS MESSAGING & TROUBLESHOOTING.
APPENDIX B  CONTACT INFORMATION.
APPENDIX C  RADIUS-VMS FILES CREATED DURING INSTALLATION.
APPENDIX D  RADIUS-VMS MODIFICATION HISTORY.

_______________________________________________________
1 Introduction to the RADIUS.

__________________________________________________________________
1.1 What is RADIUS?

RADIUS is the Remote Access Dial-In User Service, an Authorization, Authentication, and Accounting client-server protocol. RADIUS is the de facto industry standard for remote access AAA, as well as an IETF standard.

In general, it is a network daemon (network process) which performs authentication, authorization and accounting actions when someone logs in to a Network Access Server with a dial-up (CDMA, GPRS, etc.) client or logs out from it. Typically, a RADIUS server is used by Internet Service Providers (ISPs) to perform AAA tasks (billing, prepaid access, VoIP, and so on). It is also frequently useful when you need to provide any kind of controlled access to Internet connectivity.

The technical specification of the basic features supported by all RADIUS servers can be found in RFC 2138 (ftp://ftp.isi.edu/in-notes/rfc2138.txt).
Accounting information is specified in RFC 2139 (ftp://ftp.isi.edu/in-notes/rfc2139.txt).

The following is a simple explanation of the main work phases, which illustrate the functionality of a RADIUS server:

1 Authentication phase - the Network Access Server (NAS, PDSN, Access Server) gets a username/password pair from user input, encrypts this information with a "secret key" shared between the NAS and the RADIUS server, and transfers the request to the RADIUS server. The RADIUS server receives this information, extracts the username and password and validates them against a local username and password database.

2 Authorization phase - if the user is valid, the RADIUS server gets some information from a special database and sends it to the NAS. For example: the IP number assigned to this Dial-Up client, network mask, allowed session time, default router, access control list ID, etc.

3 Accounting phase - when the NAS gets the acknowledgement from RADIUS during the previous phase, the NAS sends a "Start session" packet to the RADIUS server, and a "Stop session" packet when the client is disconnected from the NAS. The "Stop session" packet contains accounting information such as session time, amount of input/output traffic, etc.

__________________________________________________________________
1.2 What is RADIUS-VMS?

The RADIUS-VMS project was started in 1998 as a port of the Livingston RADIUS 2.x server to OpenVMS, introducing a lot of VMS-specific features. This project was sponsored by DLS Internet Service Inc. and performed by Ruslan R. Laishev (http://www.starlet.spb.ru).

RADIUS-VMS is a RADIUS server, multithreaded with DEC Threads, which was fully rewritten from the original sources and has remained under active development for the implementation of new features.
The main features follow:

  o SYSUAF based authentication, using flat USERS file as well
  o RADIUS DB support
  o Security based on VMS facilities (AUDIT, Intrusion detection)
  o NAS(s) & Realm(s) access authorization by right id(s)
  o Accounting of users/NAS/port activities in the VMS ACCOUNTING format as well as in the traditional .DETAIL format
  o Work in mixed-cluster environment sharing data files
  o High performance with large USERS file
  o File I/O using RMS
  o Network I/O using $QIO
  o MultiHOME support
  o Multithreaded by DEC Threads (up to 128 concurrent threads for every "Home"), using kernel threads under VMS/Alpha/IA64
  o Realm policy authentication, and an additional authorization by right id(s)
  o VMS Right Id policy authorization
  o Full VSA (Vendor Specific Attributes) support
  o IBM LanMan/M$ Windoze NT domain authentication support
  o Internet Roaming (Proxy/Forwarding) capabilities support with domain-realm or IMSI-realm
  o External authorization and accounting callouts (examples for ORACLE Server are provided)
  o Integration with MX 5.x by MadGoat Software (www.madgoat.com)
  o Integration with X-Stop hardware and software (www.xstop.com)
  o Support for Ascend's filters
  o Support for IMSI (International Mobile Station Identity) realms carried by 3GPP2-IMSI or Calling-Station-Id
  o Support for Digest authentication (draft-sterman-sip-radius-00.txt, draft-sterman-aaa-sip-00.txt)
  o Support for A12 authentication for IMT-MC-450i (CDMA 1x, EV-DO, Rev A. & B.)

__________________________________________________________________
1.3 Prerequisites.

  o RADIUS-VMS requires VMS version V7.1 or later to run.
  o A TCP/IP package; it is tested with TCPWare-TCP 5.5-3 (Alpha/VMS), Multinet 4.3 (Alpha/VMS), DEC TCP/IP Service (UCX) 4.2, 5.x
  o Optional: MadGoat's MX 5.1 or later

_______________________________________________________
2 RADIUS-VMS installation.

RADIUS-VMS uses VMSINSTAL for installation.
If you do not know how to use VMSINSTAL, you should first read the chapter on installing software in the VMS System Manager's Manual. For the installation, you should be logged into the SYSTEM account, or another suitably privileged account.

__________________________________________________________________
2.1 Invoking VMSINSTAL.

Invoke VMSINSTAL to install RADIUS-VMS.

    $ @sys$update:vmsinstal RADIUSVMSvvn DDCU:

Substitute the appropriate values for vvn and ddcu.

            OpenVMS VAX Software Product Installation Procedure V7.1

    It is 29-JAN-2000 at 02:58.

    Enter a question mark (?) at any time for help.

    %VMSINSTAL-W-NOTSYSTEM, You are not logged in to the SYSTEM account.
    %VMSINSTAL-W-ACTIVE, The following processes are still active:
            UCX$NTPD
            MONITOR_SERVER
    * Do you want to continue anyway [NO]? y
    * Are you satisfied with the backup of your system disk [YES]?

    The following products will be processed:

      RADIUSVMS V2.0

            Beginning installation of RADIUSVMS V2.0 at 02:58

    %VMSINSTAL-I-RESTORE, Restoring product save set A ...

    RADIUS-VMS Installation Procedure
    Copyright © 1998-2003, Ruslan R. Laishev. All Rights Reserved.

    * Where should the RADIUS-VMS top directory be located? [$1$DUA1130:[RADIUS]]:
    %CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists
    * Do you want to purge files replaced by this installation [YES]?
    %VMSINSTAL-I-RESTORE, Restoring product save set D ...
    %VMSINSTAL-I-RESTORE, Restoring product save set E ...
    %VMSINSTAL-I-RESTORE, Restoring product save set F ...
    %RADIUSVMS-I-LINKING, Linking image RADIUS_SERVER.EXE ...
    %RADIUSVMS-I-LINKING, Linking image RT.EXE ...
    %RADIUSVMS-I-LINKING, Linking image LGI$CALLOUT_RADIUS.EXE ...
    %CREATE-I-EXISTS, $1$DUA1130:[RADIUS.VAX_EXE] already exists
    %CREATE-I-EXISTS, $1$DUA1130:[RADIUS.UTILS] already exists
    %CREATE-I-EXISTS, $1$DUA1130:[RADIUS] already exists
    %CREATE-I-EXISTS, $1$DUA1130:[RADIUS.DOCS] already exists
    %CREATE-I-EXISTS, $1$DUA1130:[RADIUS.TEMPLATES] already exists

    *************************************************************

    The RADIUS-VMS software is installed at your system!!!

    NOTE 1
    RADIUS-VMS must be installed twice on a mixed-VMScluster: once on
    a IA64 system and once on an Alpha system. This is necessary because
    the RADIUS-VMS executables are linked during the installation.
    Installing RADIUS-VMS on a IA64 produces the IA64 executable images
    and installing it on an Alpha produces the Alpha images.

    NOTE 2
    For the first time installation refer to RADIUS-VMS documentation
    for postinstallation tasks.

    NOTE 3
    For start RADIUS-VMS at system boot time you can add into
    SYS$STARTUP:SYSTARTUP_VMS.COM the follows line:

    $ @SYS$STARTUP:RADIUSVMS_STARTUP.COM

    *************************************************************

    %VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...

            Installation of RADIUSVMS V2.0 completed at 03:01

            VMSINSTAL procedure done at 03:01

Before the first start of the RADIUS-VMS server, you need to prepare the configuration files. If you do not have your own variant of the RADIUS_DICTIONARY file, you can just copy RAD_DICTIONARY.TEMPLATE to the RADIUS.DICTIONARY file. You can also use RAD_USERS.TEMPLATE for creating your own RADIUS.USERS file, and RAD_CONFIG.TEMPLATE for creating a RADIUS.CONFIG file. All site-specific logicals must be kept in RADIUS_LOGICALS.COM; a template for this file is also provided. Read Chapter 3 carefully for the rules of configuration.

You can add the following line to your LOGIN.COM (or SYS$MANAGER:SYLOGIN.COM); it will define some useful RADIUS-related commands:
    $ @radius_dir:radius_commands.com

_______________________________________________________
3 Configuration & Management.

This Product Documentation is not a study of how RADIUS works in general, or of how to get started with RADIUS; it describes only the specific features of the server. It also describes the steps you will probably need to take to fulfil a particular task. For beginners and admins, Livingston's site hosts the good "old" RADIUS Administrator's Guide, which will help you take the first steps in configuration and user management; you can download this manual from http://www.livingston.com/tech/docs/pdf/radius.pdf.

__________________________________________________________________
3.1 Server logicals.

A number of logicals are used to configure the RADIUS-VMS Server; a good place for them is RADIUS_LOGICALS.COM.

  RADIUS_DIR              Points to the RADIUS home directory.
  RADIUS_ACCOUNTING       Points to an accounting file in VMS ACCOUNTING format; if this logical is defined as NL: the server stops writing accounting records altogether.
  RADIUS_DICTIONARY       Points to the RADIUS dictionary file.
  RADIUS_CONFIG           Points to the RADIUS clients & realms & homes configuration file.
  RADIUS_USERS            Points to the RADIUS users file.
  RADIUS_ACCBIN           Starting with 2.5x, RADIUS-VMS stores the original accounting information in a binary file which is meant to be processed by the RADACC utility to generate reports.

The following logicals must be defined with the /SYSTEM and /EXECUTIVE_MODE qualifiers.

  RADIUS_DEBUG            Enables debug output.
  RADIUS_DNS_LOOKUP       Enables reverse DNS lookup.
  RADIUS_NUMTHREADS       The number of accounting and authentication execution threads; 3 accounting threads and 3 authentication threads are the default values. The maximum number of threads for each "home" is 128.
  RADIUS_OPCOMLVL         This logical defines the minimal severity level (VMS severity level) of messages sent to OPCOM.
                          A value greater than 4 stops the sending of any messages to OPCOM.
  RADIUS_SESSIONTMO       The existence of this logical controls the sending of a value for the Session-Timeout attribute, which is added to ACK packets during the authentication/authorization phase.
  RADIUS_PWD_EXPIRED      If this logical is defined, RADIUS-VMS checks the SYSUAF /FLAG=PWD_EXPIRED and rejects logins if this flag is set.
  RADIUS_ALLOW_RECTRICTED If this logical is defined, RADIUS-VMS skips the check of the SYSUAF /FLAG=RESTRICTED.
  RADIUS_THSTACKSZ        This logical defines the thread stack size; the default and minimum size is 48000 bytes.
  RADIUS_SYSLOG           This logical defines a SYSLOG server host IP address or name and UDP port number. The format is "host:port".

Note: Be advised that the packet dump activated by the RADIUS_DEBUG logical shows the password in plain text.

__________________________________________________________________
3.2 Users management.

RADIUS-VMS uses a dictionary file compatible with Livingston RADIUS, as well as the same users file format. You can keep just one DEFAULT entry in the RADIUS_USERS file and perform the other authorization tasks in the SYSUAF or RADIUS databases only.

The main attribute of the authentication and authorization procedures is the username. A username is a string of the form:

    [\][['%']['@']]

See the examples:

  ZyzOp%PPP@DeltaTel.RU     A SYSUAF user ZyzOp is expected, and it is assumed that the RADIUS_USERS file contains an entry with the check item Suffix = "PPP". For additional authorization, the entry for the "DeltaTel.RU" realm in the RADIUS_CONFIG file is checked.
  C00lZyZop@RadiusVMS.COM   A SYSUAF user C00lZyZop is expected. For additional authorization, the entry for the "RadiusVMS.COM" realm in the RADIUS_CONFIG file is checked.
  SysMan%TELNET             SYSUAF user SysMan; it is expected that this user wants to open a TELNET session automatically after login at the NAS.
                            It is assumed that the RADIUS_USERS file contains an entry with Check-Item Suffix = "%TELNET".
  M$SOFT\ZyzOp              User (ZyzOp) from domain M$SOFT; it is expected that this user will authenticate against remote PDC/BDC hosts.

Note: You can use wildcard masks in usernames in the RADIUS_USERS file.

During the authentication phase of the login procedure the server checks the following SYSUAF parameters:

  o /FLAG=(DISUSER,RESTRICTED,PWDEXPIRED)
  o /EXPIRATION=time
  o /NETWORK=range
  o /DIALUP=range
  o /PRIMEDAYS=([NO]day[,...])
  o /PASSWORD
  o /FLAG=PWD_EXPIRED

If a login fails by SYSUAF, Intrusion information is stored for use the next time. On successful completion of the login phase, the "last login: non-interactive" field is updated for this user in the SYSUAF. All login failures are stored in the VMS AUDIT database; you can use the ANALYZE/AUDIT utility to search and retrieve this information.

Note: There are some natural limits on parameter lengths:

    username    12 bytes
    password    96 bytes
    suffix      15 bytes
    realm       63 bytes

Usernames containing space, tab or other control characters are not allowed.

___________________________
3.2.1 SYSUAF based authentication & authorization.

This feature can be turned on as the default for all accounts or for a particular account only. To activate this feature, use an Auth-Type check item with the value "System". See examples of such entries in the RADIUS_USERS file:

    ...
    #It's assumed that all users will be authenticated against SYSUAF
    DEFAULT Auth-Type = System
    ...

or

    ...
    #SYSUAF SysMan will be authenticated against SYSUAF
    SysMan Auth-Type = System

    #password for ZyzOp stored in the RADIUS_USERS file
    ZyZop Password = "Zadnica"

    # All other logins will be rejected w/o any checking
    DEFAULT Auth-Type = Reject
    ...
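The username form and length limits described in section 3.2, as an added example (not part of RADIUS-VMS or of the original manual): a Python parser that splits a login name into domain, username, suffix and realm and rejects names the limits forbid. The order of the components is inferred from the manual's examples; rejecting repeated delimiters, counting length as UTF-8 bytes and leaving the domain length unchecked are assumptions.

```python
from typing import NamedTuple, Optional

# Length limits in bytes, taken from the note in section 3.2.
LIMITS = {"username": 12, "suffix": 15, "realm": 63}
DELIMITERS = "\\%@"


class LoginName(NamedTuple):
    domain: Optional[str]
    username: str
    suffix: Optional[str]   # returned without the leading '%'
    realm: Optional[str]


def parse_login_name(raw: str) -> LoginName:
    """Split [domain\\]username[%suffix][@realm]; raise ValueError if invalid."""
    # Space, tab and other control characters are not allowed anywhere.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in raw):
        raise ValueError("space or control character in login name")

    # Peel the optional components off in a fixed order.
    domain, sep, rest = raw.partition("\\")
    if not sep:
        domain, rest = None, raw
    head, sep, realm = rest.rpartition("@")
    if not sep:
        head, realm = rest, None
    username, sep, suffix = head.partition("%")
    if not sep:
        suffix = None

    parts = {"domain": domain, "username": username,
             "suffix": suffix, "realm": realm}
    for name, value in parts.items():
        if value is None:
            continue
        if value == "":
            raise ValueError(f"empty {name}")
        # Assumption: a delimiter left inside a component means the name is
        # ambiguous (for example "a@b@c"), so it is rejected, not guessed at.
        if any(ch in DELIMITERS for ch in value):
            raise ValueError(f"unexpected delimiter in {name}")
        limit = LIMITS.get(name)  # the manual gives no limit for the domain
        if limit is not None and len(value.encode("utf-8")) > limit:
            raise ValueError(f"{name} longer than {limit} bytes")
    return LoginName(domain, username, suffix, realm)


def is_valid_login_name(raw: str) -> bool:
    """True when parse_login_name accepts the name."""
    try:
        parse_login_name(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The first four names are the manual's examples; the rest are constructed.
    for sample in ["ZyzOp%PPP@DeltaTel.RU", "C00lZyZop@RadiusVMS.COM",
                   "SysMan%TELNET", "M$SOFT\\ZyzOp",
                   "Zyz Op", "averyveryverylongname", "user@", "a@b@c"]:
        try:
            print(f"{sample!r:28} -> {parse_login_name(sample)}")
        except ValueError as exc:
            print(f"{sample!r:28} -> rejected: {exc}")
```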
You can control the ability of a particular user to log in by dial-in with the /DIALUP option of AUTHORIZE; you can also specify a time range for additional control of the allowed login time. RADIUS-VMS uses the time range defined by the /NETWORK or /DIALUP options to compute the allowed session time if the RADIUS_SESSIONTMO logical is defined. For network users you can use the /NETWORK SYSUAF option.

The difference between Dial-In logins and NETWORK logins is defined by the presence of the NAS-Port-Id and NAS-Port-Type attributes in the authentication request, which are sent (or not sent) by the NAS or by a *nix box (when a RADIUS PAM module is used for authentication and authorization of local users by RADIUS).

Check your System Managers utilities guide for additional information about the AUTHORIZE utility and the SYSUAF database. The SYSUAF /EXPIRATION option can be used to control the expiration time for a particular user. The /FLAG=RESTRICTED SYSUAF option is equivalent to /FLAG=DISUSER for Dial-In users only (see also the synopsis of the RADIUS_ALLOW_RECTRICTED logical).

___________________________
3.2.2 Accept or Reject all logins without real authentication.

You can use Auth-Type = Accept or Auth-Type = Reject to accept all logins without really checking the username/password pair, or to reject any logins, respectively. See the example entries below:

    ...
    #Accept all logins w/o authentication by RADIUS from this NAS
    DEFAULT1 Auth-Type = Accept, NAS-IP-Address = 172.16.0.35
            Service-Type = Login-User,
            Login-Service = Telnet,
            Login-TCP-Port = 23,
            Login-IP-Host = StarLet.ZZTop.net
    ...
    #
    #Accept all logins w/o authentication by RADIUS from this RADIUS/NAS server
    #
    DEFAULT2 Auth-Type = Accept, Client-IP = 172.16.0.35
            Service-Type = Login-User,
            Login-Service = Telnet,
            Login-TCP-Port = 23,
            Login-IP-Host = StarLet.ZZTop.net
    ...
    #
    # A special default entry for a SIP Express Router/SER
    #
    mobile Client-IP = 172.16.0.133, Auth-Type = Digest, Password = "kalamala"
            Sip-Rpid = "222"

    #Reject all other logins by default
    DEFAULT Auth-Type = Reject
    ...

___________________________
3.2.3 Realms based policy.

This feature makes it possible to implement an authentication and authorization policy based on the realm that comes in the request with the username. You can perform additional authorization of the realm by right id(s) in the RADIUS_CONFIG file.

An example of an entry in the RADIUS_USERS file follows:

    ...
    !++
    !
    ! It is assumed that all users with "@zz.top" will be authenticated against SYSUAF,
    ! by default all users can have 33 sessions at one time
    !--
    DEFAULT1 Auth-Type = System, Auth-Realm = "zz.top"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.253,
            Framed-Netmask = 255.255.255.255,
            Framed-MTU = 1500

    ! All other users
    DEFAULT Auth-Type = System

___________________________
3.2.4 VMS Right Id based policy.

This feature makes it possible to implement an authentication and authorization policy based on a VMS right id. The VMS right id is used as the check item in the RADIUS_USERS file.

An example of entries in the RADIUS_USERS file follows:

    ...
    #The following entry is for users who have the NET$MANAGE right id granted
    #in the RIGHT list
    DEFAULT1 Auth-Type = System, Right-Id = "NET$MANAGE"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.253,
            Framed-Netmask = 255.255.255.255,
            Framed-MTU = 1500

    DEFAULT2 Auth-Type = System, Right-Id = "NET$MANAGE", Right-Id = "NET$SECURITY"
            Service-Type = Framed-User,
            Class = "xstop: R PORN I",
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.253,
            Framed-Netmask = 255.255.255.255,
            Framed-MTU = 1500

    #All other users
    DEFAULT Auth-Type = System

___________________________
3.2.5 Authentication on LANMAN or Windows NT domains.
RADIUS-VMS can use the users database on LANMAN or Windows NT hosts to authenticate dialup users. This is implemented with the NETBIOS over TCP/IP protocol, which is described in RFC(s) 1001/1002 and is widely used by the SAMBA package (www.samba.org). As an authentication host you can use:

  o OpenVMS PathWorks 6.x or later
  o OpenVMS Advanced Server 7.x
  o SAMBA server
  o IBM OS/2 LAN Manager 2.x
  o Windows NT Server (3.51, 4.0), PDC/BDC or standalone server

Rules of configuration: in the RADIUS_CONFIG file you need to add a domain definition entry, which is used to find an authentication host for a particular domain.

    !++
    !
    ! define domain -
    !       /dc_host= -
    !       /bdc_host=
    !
    !-
    !
    ! The following entry is for users from the M$SOFT Windows NT domain
    !
    !
    define domain M$SOFT -
            /DC_HOST=pdc.zztop.net /BDC_HOST=bdc.zztop.net
    !
    ! The following entry is for users from domain BSOD
    !
    define domain BSOD -
            /DC_HOST=172.16.0.3

In the RADIUS_USERS file you need to define special entries for these domains; see the example entries in the RADIUS_USERS file (note that wildcard characters can be used):

    M$SOFT\*_%%% Auth-Type = Domain
    ...
    M$SOFT\* Auth-Type = Domain, Auth-Realm = "zztop.net"
    ...
    BSOD\cc_%%% Auth-Type = Domain, Suffix = "%telnet"
    ...
    BSOD\* Auth-Type = Domain

Note: RADIUS-VMS does not support CHAP or MS CHAP authentication of domain users. RADIUS-VMS cannot check a user's group on the domain.

__________________________________________________________________
3.3 Clients management.

The RADIUS_CONFIG file must contain an entry for every NAS and for every Remote RADIUS Server (see Section 3.5) which will interoperate with your RADIUS. Every entry consists of the NAS or Remote RADIUS server IP name (or IP address), a shared secret key, and optional right id lists. The right id can be used for additional authorization of user access to a particular NAS.
If a right id is present in the entry for a NAS, then a user will have access to this NAS if this right id is granted in SYSUAF. The syntax of the entry definition and example entries in the RADIUS_CONFIG file follow:

    !++
    !
    ! define client -
    !       /secret=""
    !       /reject_id=( < id list > )
    !       /accept_id=( < id list > )
    !       /NAS
    !       /connection_info=
    !       /reject_realm=( )
    !       /accept_realm=( )
    !       /group=
    !
    !-

  Option                      Description
  SECRET=quoted_string        A shared secret used for "encrypting" the password transferred over the network between the NAS and a RADIUS server.
  REJECT_ID=(id0,id1,...)     This option defines a list of rights ids used to reject logins for users which have any right id from this list in SYSUAF/RIGHTSLIST.
  ACCEPT_ID=(id0,id1,...)     This option defines a list of rights ids used to accept logins for users which have any right id from this list in SYSUAF/RIGHTSLIST.
  NAS                         Treat the client as a NAS; see also the Clients management clause.
  ACCEPT_REALM=(realm,...)    This option allows the server to proxy/forward requests from the client for the specified realm suffix list.
  REJECT_REALM=(realm,...)    This option defines a list of realms rejected for logins at the client.
  GROUP=number                This parameter allows clients to be grouped; see the use of the Client-Group-Id check item.

    define client NAS.SomeWhere.NET -
            /secret="01234567" -
            /accept_id=(nas$_access,mx_mail_access)

    define client NEWS.ZZtop.NET -
            /secret="01234567" -
            /accept_id=(nas$_access,mx_mail_access,ftp_out)
    !
    ! The following entry is for my good old DEC Server 90M
    !
    define client TSrv.ZZtop.NET -
            /secret="01234567" -
            /accept_id=(nas$_access,mx_mail_access,ftp_out) /NAS
    !
    ! Allow logins only for specified realm suffix
    !
    define client AS3640.ZZtop.NET -
            /secret="01234567" -
            /accept_realm=(DEFAULT, SkyLink.SPb.RU)
    !
    ! Reject logins with specified realm suffixes and allow all other
    !
    define client PDSN.ZZtop.NET -
            /secret="01234567" -
            /reject_realm=(SkyLink.MSK.RU, BelCel.BY)
    !
    !
    ! My NAS sends connection info in the form:
    !       Connect-Info = "Mo.1.9.2.1.6 46667 28800 DYNAMIC PPP CHAP V90 LAPM V42BIS "
    !                       |------------^
    ! 14 is the offset to the first space of the speed of connection parameter
    !
    !
    define client TSrv.ZZtop.NET -
            /secret="01234567" -
            /accept_id=(nas$_access,mx_mail_access,ftp_out) /NAS -
            /connection_info=14
    !
    ! Our partners: MCC AAA, coupling all AAA into the single group with id = 73
    !
    define client aaa1.zz.ru /secret="secret"/nonas/group=73
    define client aaa2.zz.ru /secret="secret"/nonas/group=73
    define client aaa3.zz.ru /secret="secret"/nonas/group=73
    !
    ! Delta Telecom/SkyLink PDSN, RNC, coupling it into the single group with id = 1
    !
    define client pdsn1.d-t.ru /secret="secret"/nonas/group=1
    define client pdsn2.d-t.ru /secret="secret"/nonas/group=1
    define client pdsn-ev-1x-1.d-t.ru /secret="secret"/nonas/group=1
    define client pdsn-ev-1x-2.d-t.ru /secret="secret"/nonas/group=1
    define client pdsn-ev-do-1.d-t.ru /secret="secret"/nonas/group=2
    define client rnc-1.d-t.ru /secret="secret"/nonas/group=2

An example of using group and the Client-Group-Id check item for entries in the RADIUS_USERS file follows:

    ...
    #
    # Entry for MCC logins
    #
    mobile Auth-Type = Accept, Client-Group-Id = 73
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.253,
            Framed-Netmask = 255.255.255.255

    default_ev1x Auth-Type = Accept, Client-Group-Id = 1
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.253,
            Framed-Netmask = 255.255.255.255

    default_evdo Auth-Type = A12, Client-Group-Id = 2
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.253,
            Framed-Netmask = 255.255.255.255

Note: The maximum number of identifiers for the reject or accept qualifiers cannot be more than 15.
__________________________________________________________________
3.4 Realms management.

The RADIUS_CONFIG file must contain an entry for each realm which must be processed during authorization of users. An entry consists of the realm name, optional right id lists, the remote RADIUS authentication server IP name and UDP port, the remote RADIUS accounting server and UDP port, and an optional account name field. The right id (if any) can be used for authorization of local users in the same manner as described in the Clients management clause. The account name field can be used when you need to consolidate all accounting information for a particular realm account, which can be associated with partners, for example. To produce the accounting information you can use the /ACCOUNT option of the VMS ACCOUNTING utility (refer to the System Manager utilities guide for information about producing reports with the VMS ACCOUNTING utility). See the syntax of the entry definition and the example entries below:

    !++
    ! define realm default| -
    !       /IMSI -
    !       /reject_id=( < id list > )
    !       /accept_id=( < id list > )
    !       /auth_host=":"
    !       /acct_host=":"
    !       /bauth_host=":"
    !       /bacct_host=":"
    !       /account=
    !
    !-

  Option                      Description
  REJECT_ID=(id0,id1,...)     This option defines a list of rights ids used to reject logins for users which have any right id from this list in SYSUAF/RIGHTSLIST.
  ACCEPT_ID=(id0,id1,...)     This option defines a list of rights ids used to accept logins for users which have any right id from this list in SYSUAF/RIGHTSLIST.
  AUTH_HOST=quoted_string     Defines a remote RADIUS server IP address and UDP port to which authentication requests are forwarded.
  ACCT_HOST=quoted_string     Defines a remote RADIUS server IP address and UDP port to which accounting requests are forwarded.
  BAUTH_HOST=quoted_string    Defines a backup remote RADIUS server IP address and UDP port to which authentication requests are forwarded.
  BACCT_HOST=quoted_string    Defines a backup remote RADIUS server IP address and UDP port to which accounting requests are forwarded.
  ACCOUNT                     Defines an account name for storing accounting information for a realm in the local database (RADIUS_ACCOUNTING).
  IMSI                        Defines the realm name as an IMSI prefix.

    define realm news.zz.top -
            /reject_id=(mx_mail_access,ftp_inc) -
            /accept_id=(news_access)
    !
    !All requests for this realm will be forwarded, all
    !accounting information will be accumulated on
    !account named "SYSMAN"
    !
    define realm zz2.top -
            /auth_host="dtv3:1645" -
            /acct_host="dtv4:1646" -
            /account=sysman
    !
    ! Forward all authentication requests of Moscow Cell. Company roamers
    ! to MCC's home RADIUS.
    !
    define realm 25014 /IMSI -
            /auth_host="radius.mcc.ru:1645" -
            /acct_host="radius.mcc.ru:1646" -
            /account=MCC
    !
    ! Romanian ZAPP subscribers
    !
    define realm 22604 /IMSI -
            /auth_host="radius.zapp.ro:1645" -
            /acct_host="radius.zapp.ro:1646" -
            /account=ZAPP
    !
    ! The First Russian mobile operator, Delta Telecom JSC, IMT-MC-450 (CDMA2000)
    !
    define realm 25009 /IMSI -
            /auth_host="StarLet.DeltaTelecom.RU:1645" -
            /acct_host="StarLet.DeltaTelecom.RU:1646" -
            /account=DELTATEL
    !
    !Forward all requests from users which have no realm suffix in the username,
    !allow two concurrent sessions for a user from this realm.
    !
    define realm default -
            /auth_host="dtv3:1812" -
            /acct_host="dtv4:1813" -
            /bauth_host="StarLet:1645" -
            /bacct_host="StarLet.ZZTop.NET:1646" -
            /account=sysman

Note: Every remote RADIUS server host must be described as a client in the RADIUS_CONFIG file (see Section 3.3). The realm name DEFAULT can be used when you need realm processing for user logins which have no realm suffix in the username.
__________________________________________________________________
3.5 Proxy/Forwarding capabilities.

RADIUS-VMS can act as a PROXY server which transparently forwards requests from NAS(s) to a Remote RADIUS Server and answers from Remote RADIUS Server(s) to the NAS. This makes it possible to implement the Internet global roaming concept. The RADIUS-VMS Server uses the Proxy-State attribute to keep special information which is attached to all forwarded requests. The attached information is removed from the packet when the request is returned. RADIUS-VMS removes only its own Proxy-State attributes; all other Proxy-State attributes remain in the packet without any changes or reordering.

The Proxy/Forwarding capability is built-in functionality of RADIUS-VMS. Use the RADIUS_CONFIG file entries for PROXY/FORWARDING management. RADIUS-VMS shares the work load between the primary and backup authentication/authorization and accounting remote RADIUS servers by maintaining a kind of "load factor" for the RADIUS hosts defined for the realm. This "load factor" is computed as the difference between sent and received requests. RADIUS-VMS selects the host with the smallest "load factor".

Note: The remote RADIUS server must be fully RFC2138 compliant. Keep in mind that the current implementation of forwarding in RADIUS-VMS cannot perform any validation of the values returned in the answer packets; this means that if an answer packet contains a static IP address in the Framed-IP-Address attribute, it can cause a problem with routing.

__________________________________________________________________
3.6 MultiHome configuration

RADIUS-VMS can support additional (secondary) IP addresses bound to the primary physical interface.
For example, under PSC TCPWare-TCP 5.4-3 you can add a secondary interface:

    $ netcu start/ip psd-0 172.16.0.45 255.255.0.0 ewa-0

In the RADIUS_CONFIG file you must add a definition of the additional "home" to make it available for processing requests coming to this address. For every "home" RADIUS-VMS starts as many threads as are defined by the RADIUS_NUMTHREADS logical. The syntax and examples of definitions follow:

    !++
    !
    ! define home -
    !       /auth_port= -
    !       /acct_port= -
    !       /receive_buffer_size=
    !
    !-

_______________________________________________________
Option                   Description
_______________________________________________________
AUTH_PORT                Define a UDP port number for the home
                         used for receiving authentication
                         requests.
ACCT_PORT                Define a UDP port number for the home
                         used for receiving accounting requests.
RECEIVE_BUFFER_SIZE      Define a receive buffer size for every
                         network device linked with the IP
                         address and the UDP ports. The maximum
                         value for the buffer is 65535 bytes.
_______________________________________________________

    define home 172.16.0.45 -
            /auth_port=1645 -
            /acct_port=1646
    define home 172.16.0.44 -
            /auth_port=1812
    define home 172.16.0.45 -
            /acct_port=1813 -
            /receive_buffer_size=16384

Note: The maximum number of homes is 8, including the default home.

_______________________________________________________
4 RADIUS-VMS control.

You can use the RADCP utility to control the RADIUS-VMS server. An explanation and the syntax of the RADCP commands follow.

_______________________________________________________
RADCP command            Description
_______________________________________________________
HELP                     Help on RADCP utility commands.
SHUTDOWN                 Shuts down the server.
RESET                    Forces reopening of the RADIUS_USERS,
                         RADIUS_ACCOUNTING, , RADIUS_ACCBIN files.
RESTART                  Requests a full restart of the
                         RADIUS-VMS server.
/NODE=(node,...)         Sends the command to the RADIUS-VMS
                         server on the specified node(s).
/CLUSTER                 Notifies all servers on a cluster.
LOOP                     Sends a test auth-request.
_______________________________________________________

Example:

    $ radcp shutdown
    ...
    $ radcp reset/cluster

_______________________________________________________
5 Accounting.

RADIUS-VMS provides accounting in two formats: the first is the traditional VMS ACCOUNTING format, and the second is the traditional .DETAIL format, which was inherited from the Livingston RADIUS server. Starting with 2.5x, accounting in .DETAIL format is no longer provided; you can use the RADACC utility to generate .DETAIL format files.

Note: Don't forget that under some circumstances duplicates can occur in both accounting files.

An example of the accounting record for a user session follows:

    $ acc radius_accounting/id=32015396/full

    NETWORK Process Termination
    ---------------------------
    Username:          CC_RRL            UIC:               [PUBLIC,CC_RRL]
    Account:                             Finish time:       29-JAN-1999 00:02:23.94
    Process ID:        32015396          Start time:        28-JAN-1999 23:56:58.94
    Owner ID:                            Elapsed time:      0 00:05:25.00
    Terminal name:     ISDN              Processor time:    0 00:00:00.00
    Remote node addr:                    Priority:          0
    Remote node name:                    Privilege <31-00>: 00000000
    Remote ID:                           Privilege <63-32>: 00000000
    Remote full name:  modem106.somewhere.net
    Queue entry:       18                Final status code: 00000001
    Queue name:        nas806.somewhere.net
    Job name:          PPP
    Final status text: %SYSTEM-S-NORMAL, normal successful completion

    Page faults:       38400             Direct IO:         404
    Page fault reads:  0                 Buffered IO:       363
    Peak working set:  0                 Volumes mounted:   0
    Peak page file:    0                 Images executed:   0

The original set of attributes follows. ...
    Fri Jan 29 00:02:23 1999
            Acct-Session-Id = "32015396"
            User-Name = "CC_RRL"
            NAS-IP-Address = 172.16.1.30
            NAS-Port = 18
            NAS-Port-Type = ISDN
            Acct-Status-Type = Stop
            Acct-Session-Time = 325
            Acct-Authentic = RADIUS
            Acct-Input-Octets = 404
            Acct-Output-Octets = 363
            Acct-Terminate-Cause = User-Request
            Connection-Info = "38400/V42bis"
            Vendor-Specific = 307
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Framed-IP-Address = 172.17.1.32
            Acct-Delay-Time = 0
            Timestamp = 917589743

The following table presents the equivalence of the fields and the source of the information. You can produce reports with the VMS ACCOUNTING utility or with the DEC DATATRIEVE (see RADIUS_ACCOUNTING.DTR) report generator.

_______________________________________________________
RADIUS_ACCOUNTING        RADIUS_DETAIL
_______________________________________________________
Username                 User-Name
Account                  (from SYSUAF or RADIUS_REALMS)
UIC                      (from SYSUAF)
Process ID               Acct-Session-Id
Page faults              Connection-Speed
Direct IO                Acct-Input-Octets
Buffered IO              Acct-Output-Octets
Remote full name         Framed-IP-Address or Login-Host
Queue entry              NAS-Port
Queue name               Client name from RADIUS_CONFIG
Job name                 Framed-Protocol or Login-Service
Finish time              Date of record
Start time               Computed as Date of record -
                         Acct-Session-Time - Acct-Delay-Time
Final status code        Acct-Termination-Cause
_______________________________________________________

Note: A session with zero elapsed time is recorded in ACCOUNTING as a failed login attempt. Use the ACCOUNTING option /TYPE=LOGFAIL to select these records.

__________________________________________________________________
5.1 A RADIUS-VMS Accounting utility - RADACC.EXE

Starting with RADIUS-VMS version 2.5B the RADIUS_DETAIL file is no longer generated; instead, all accounting information is stored in a binary format in the RADIUS_ACCBIN file.
The binary format speeds up processing of accounting information and increases RADIUS-VMS throughput. Descriptions of the RADACC utility options follow:

_______________________________________________________
RADACC option            Description
_______________________________________________________
/SINCE[=time]            Selects all records time-stamped at or
                         after the specified time.
/BEFORE[=time]           Selects all records time-stamped before
                         the specified time.
/ALL                     Shows all attributes of selected records.
/CLIENT_IP_ADRESS=       for specified client IP address.
/STRIP_REALM=            Strips specified realms from usernames.
/OUTPUT[=filespec]       Specifies the output file.
/APPEND                  Appends selected records to an existing
                         file.
/CLID=                   Selects records with the specified
                         Calling Id.
/FORMAT=                 Selects comma-separated list or
                         traditional format.
_______________________________________________________

_______________________________________________________
6 An additional information and appendixes.

_______________________________________________________
A RADIUS-VMS Messaging & Troubleshooting.

RADIUS-VMS provides many diagnostic messages that help admins perform management & maintenance tasks.

RADIUS-I-main_CMD_SHUT, MAIN:Shutdown is requested.
  Severity: INFORMATIONAL
  Explanation: Informational message.
  User Action: None.

RADIUS-I-main_CMD_RSET, MAIN:Reset is requested.
  Severity: INFORMATIONAL
  Explanation: Informational message.
  User Action: None.

RADIUS-I-main_CMD_RSTA, MAIN:Full restart is requested.
  Severity: INFORMATIONAL
  Explanation: Informational message.
  User Action: None.

RADIUS-I-main_NETOPEN, MAIN:Started listener on ip address !AZ/udp port !UW
  Severity: INFORMATIONAL
  Explanation: Informational message.
  User Action: None.

RADIUS-I-main_VERSION, MAIN:!AZ/!AZ Server, Was built at !AZ
  Severity: INFORMATIONAL
  Explanation: Informational message.
  User Action: None.
RADIUS-I-main_NTFSTS, Command (!XL) has been sent to !AS (!XL),status=%x!XL
  Severity: INFORMATIONAL
  Explanation:
  User Action:

RADIUS-E-main_ERRNETOPEN, MAIN:Error open network device with ip address !AZ/udp port !UW,status=%x!XL
  Severity: ERROR
  Explanation: RADIUS-VMS experienced a problem with the network at startup time.
  User Action: Ensure that TCP/IP support is installed, configured, and started. Check whether this UDP port is used by another application. Additional information can be obtained from the status code, which is the result of $QIO calls.

RADIUS-E-main_ERREXTINIT, MAIN:External INIT routine return status=%x!XL, external module will be not used
  Severity: ERROR
  Explanation: An external routine from the external module returned an error VMS condition code. RADIUS-VMS will call other routines from the external module.
  User Action: Investigate the situation using the condition code.

RADIUS-E-main_ERREXTCLEANUP, MAIN:External CLEANUP routine return status=%x!XL
  Severity: ERROR
  Explanation: An external routine from the external module returned an error VMS condition code.
  User Action: Investigate the situation using the condition code.

RADIUS-E-main_INVNODE, Invalid node name !AS
  Severity: ERROR
  Explanation: A node name specified by the /NODE option is invalid or not present in the cluster.
  User Action: Check for typos, or check the cluster members with the SHOW CLUSTER command.

RADIUS-F-dict_CNTREAD, DICT:Could not read file RADIUS_DICTIONARY,status=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS can't open the RADIUS_DICTIONARY file at startup time.
  User Action: Check the RADIUS_DICTIONARY logical, and determine the reason by examining the status code. RADIUS-VMS can't work without the RADIUS_DICTIONARY file.

RADIUS-F-dict_INSFMEM, DICT:Ran out of memory after reading line !UL,status=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS experienced a memory allocation problem; it is possibly a quota problem for this process.
  User Action: Check SYSGEN's PQL group of parameters.
  Additional information can be obtained from VMS ACCOUNTING by ACC /SINCE/IMAGE=RADIUS_SERVER.EXE. The status code is the result of calling lib$get_vm().

RADIUS-E-dict_INVATTR, DICT:Invalid attribute on line !UL
  Severity: ERROR
  Explanation: During startup RADIUS-VMS parses the RADIUS_DICTIONARY file and loads it into memory for fastest access.
  User Action: Check the RADIUS_DICTIONARY file at the line shown in the error message.

RADIUS-E-dict_INVVENDOR, DICT:Invalid vendor attribute on line !UL
  Severity: ERROR
  Explanation: During startup RADIUS-VMS parses the RADIUS_DICTIONARY file and loads it into memory for fastest access.
  User Action: Check the RADIUS_DICTIONARY file at the line shown in the error message, then restart the RADIUS-VMS server.

RADIUS-E-dict_VNTOOLONG, DICT:Vendor name is too long on line !UL
  Severity: ERROR
  Explanation: The name of a VENDOR can't be longer than 31 characters.
  User Action: Revise the RADIUS_DICTIONARY file and reduce the length of the vendor name, or use a reduced form for the vendor.

RADIUS-E-dict_ATOOLONG, DICT:Attribute name too long on line !UL
  Severity: ERROR
  Explanation: The name of an ATTRIBUTE can't be longer than 31 characters.
  User Action: Revise the RADIUS_DICTIONARY file and reduce the length of the attribute name, or use a reduced form for the attribute name. For example:

    ATTRIBUTE Speed_of_Async_connections_at_DECServer_90M ...

  can be changed to:

    ATTRIBUTE SpeedDS90M ...

RADIUS-E-dict_VNNODIGIT, DICT:Vendor attribute has not a numeric value on line !UL
  Severity: ERROR
  Explanation: RADIUS-VMS can't interpret the given value as numeric. Any VENDOR attribute in the RADIUS_DICTIONARY file must be represented by a numeric value.
  User Action: Check the VENDOR entry at the line number shown in the error message; use decimal notation for the value.
RADIUS-E-dict_ANODIGIT, DICT:Attribute has not a numeric value on line !UL
  Severity: ERROR
  Explanation: RADIUS-VMS can't interpret the given value as numeric. Any ATTRIBUTE in the RADIUS_DICTIONARY file must be represented by a numeric value.
  User Action: Check the ATTRIBUTE entry at the line number shown in the error message; use decimal notation for the value.

RADIUS-E-dict_INVALUE, DICT:Invalid value entry on line !UL
  Severity: ERROR
  Explanation: RADIUS-VMS can't interpret the VALUE definition in the RADIUS_DICTIONARY file.
  User Action: A VALUE entry must contain 4 fields; check the syntax of the entry at the line number shown in the error message.

RADIUS-E-dict_VTOOLONG, DICT:Value name is too long on line !UL
  Severity: ERROR
  Explanation: VALUE entry parsing problem. The name of a VALUE can't be longer than 31 characters.
  User Action: Revise the RADIUS_DICTIONARY file and reduce the length of the value name, or use a reduced form for the value name.

RADIUS-E-dict_VNONDIGIT, DICT:Value has non-numeric value on line !UL
  Severity: ERROR
  Explanation: VALUE entry parsing problem. Any VALUE entry in the RADIUS_DICTIONARY file must be represented by a numeric value.
  User Action: Check the VALUE entry at the line number shown in the error message; use decimal notation for the value.

RADIUS-E-dict_NOVENDOR, DICT:VENDOR '!AZ' not found, bad ATTRIBUTE line !UL
  Severity: ERROR
  Explanation: A VENDOR specific ATTRIBUTE entry in the RADIUS_DICTIONARY file must be placed after the related VENDOR entry.
  User Action: Examine the dictionary file at the line number shown in the error message. Put the ATTRIBUTE entry after the related VENDOR entry in the RADIUS_DICTIONARY file.

RADIUS-E-dict_NOATTR, DICT:Attribute '!AZ' not found, bad VALUE line !UL
  Severity: ERROR
  Explanation: A VALUE entry in the RADIUS_DICTIONARY file must be placed after the related ATTRIBUTE entry.
  User Action: Examine the dictionary file at the line number shown in the error message.
  Put the VALUE entry after the related ATTRIBUTE entry in the RADIUS_DICTIONARY file.

RADIUS-E-user_ZERONAME, USER:Zero length username has been rejected
  Severity: ERROR
  Explanation: The incoming authentication request does not contain a username, or the length of the username string is zero. Commonly, it is a user's typo.
  User Action: Contact the user, and check the user input for correctness. It can also be a remote RADIUS server problem in the case of a roaming user.

RADIUS-E-user_CNTPARSE, USER:Unable to parse check-items '!AZ' for user '!AD'
  Severity: ERROR
  Explanation: The RADIUS-VMS server can't parse Check-Item data from the RADIUS_USERS file while processing a received authentication request. It can be the result of typos in RADIUS_USERS; also, the RADIUS_DICTIONARY file may not contain an ATTRIBUTE entry for this Check-Item.
  User Action: Check that all ATTRIBUTE(s) used in the RADIUS_USERS file have been defined in the RADIUS_DICTIONARY file. Also check the case of ATTRIBUTE items in the RADIUS_USERS file. After any corrections you need to restart the RADIUS-VMS server.

RADIUS-E-user_ERRPARSE, USER:Unable to parse reply-items '!AZ' for user '!AD'
  Severity: ERROR
  Explanation: The RADIUS-VMS server can't parse Reply-Item data from the RADIUS_USERS file while processing a received authentication request. It can be the result of typos in RADIUS_USERS; also, the RADIUS_DICTIONARY file may not contain an ATTRIBUTE entry for this Reply-Item.
  User Action: Check that all ATTRIBUTE(s) used in the RADIUS_USERS file have been defined in the RADIUS_DICTIONARY file. Also check the case of ATTRIBUTE items in the RADIUS_USERS file. After any corrections you need to restart the RADIUS-VMS server.

RADIUS-E-user_INSFMEM, USER:Ran out of memory,status=%x!XL
  Severity: ERROR
  Explanation: RADIUS-VMS experienced a memory allocation problem; it is possibly a quota problem for this process.
  User Action: Check SYSGEN's PQL group of parameters.
  Additional information can be obtained from VMS ACCOUNTING by ACC /SINCE/IMAGE=RADIUS_SERVER.EXE.

RADIUS-E-user_BADTIME, USER:Can't parse date format '!AZ',status=%x!XL
  Severity: ERROR
  Explanation: Check the date format; the date must be given in the VMS specification. Additional information can be obtained from the status code, which is the result of the $BINTIM system service.
  User Action: Study the VMS date & time format with HELP Specify Date_Time.

RADIUS-F-user_CNTOPEN, USER:Could not open RADIUS_USERS file, status=%x!XL, stv=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS could not open the RADIUS_USERS file.
  User Action: Determine the reason by examining the status and stv codes, which are the result of the RMS $OPEN calls. After corrections you need to restart the RADIUS-VMS server.

RADIUS-F-user_CNTOPENS, USER:Could not open RADIUS_USERS file stream, status=%x!XL, stv=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS could not open a stream to the RADIUS_USERS file.
  User Action: Determine the reason by examining the status and stv codes, which are the result of the RMS $CONNECT calls.

RADIUS-F-user_CNTREAD, USER:Could not read RADIUS_USERS file, status=%x!XL, stv=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS experienced an error while reading from the RADIUS_USERS file; determine the reason by examining the status and stv codes, which are the result of the RMS $GET calls.
  User Action: Check the access mode of the account running RADIUS-VMS.

RADIUS-F-acct_ERRTHREAD, ACCT:Could not create thread #!UL,errno=!AZ
  Severity: FATAL
  Explanation: RADIUS-VMS could not create a thread for accounting requests; the errno string provides additional information about the reason.
  User Action: You can increase the quotas for the process, or reduce the number of threads (see the purpose of the RADIUS_NUMTHREADS logical).
RADIUS-F-acct_NETIOERR, ACCT:Network I/O error,status=%x!XL
  Severity: FATAL
  Explanation: A network I/O error occurred in an accounting thread; determine the reason by examining the status code, which is the result of the $QIO system calls.
  User Action: Check whether this UDP port is used by other programs on the same node.

RADIUS-F-acct_BCNTOPEN, ACCT:Could not open RADIUS_ACCBIN file, status=%x!XL, stv=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS could not open the RADIUS_ACCBIN file; determine the reason by examining the status code, which is the result of the RMS $OPEN calls. RADIUS-VMS will continue to work after this error.
  User Action: Check the accessibility of the file pointed to by RADIUS_ACCBIN.

RADIUS-F-acct_ERRPUTBIN, ACCT:Can't write detail record status=%x!XL,stv=%x!XL
  Severity: FATAL
  Explanation: The RADIUS server can't write a detail accounting record to the RADIUS_ACCBIN file.
  User Action: Investigate the situation using the status & stv codes, which are the result of $PUT or $FLUSH RMS calls.

RADIUS-E-acct_ACNTOPEN, ACCT:Could not open RADIUS_ACCOUNTING file, status=%x!XL, stv=%x!XL
  Severity: ERROR
  Explanation: RADIUS-VMS could not open the RADIUS_ACCOUNTING file; determine the reason by examining the status code, which is the result of the RMS $OPEN calls. RADIUS-VMS will continue to work after this error.
  User Action: Check the accessibility of the file pointed to by RADIUS_ACCOUNTING.

RADIUS-E-acct_ACNTOPENS, ACCT:Could not open stream to RADIUS_ACCOUNTING file, status=%x!XL, stv=%x!XL
  Severity: ERROR
  Explanation: RADIUS-VMS could not open a stream to the RADIUS_ACCOUNTING file. RADIUS-VMS will continue to work after this error.
  User Action: Determine the reason by examining the status code, which is the result of the RMS $CONNECT calls.
RADIUS-E-acct_BCNTOPENS, ACCT:Could not open stream to RADIUS_ACCBIN file, status=%x!XL, stv=%x!XL
  Severity: ERROR
  Explanation: RADIUS-VMS could not open a stream to the RADIUS_ACCBIN file. RADIUS-VMS will continue to work after this error.
  User Action: Determine the reason by examining the status code, which is the result of the RMS $CONNECT calls.

RADIUS-E-acct_CCNTREADS, ACCT:Could not read RADIUS_CURRENT record,status=%x!XL
  Severity: ERROR
  Explanation: RADIUS-VMS could not read a record from the RADIUS_CURRENT file.
  User Action: Determine the reason by examining the status code, which is the result of the RMS $GET calls.

RADIUS-E-acct_ERRPUTDETAL, ACCT:Can't write detail record status=%x!XL,stv=%x!XL
  Severity: ERROR
  Explanation: The RADIUS server can't write a detail accounting record to the RADIUS_DETAIL file.
  User Action: Investigate the situation using the status & stv codes, which are the result of $PUT or $FLUSH RMS calls.

RADIUS-E-acct_ERREXTACCT, ACCT:External ACCOUNTING routine return status=%x!XL
  Severity: ERROR
  Explanation: An external routine from the external module returned an error VMS condition code.
  User Action: Investigate the situation using the condition code.

RADIUS-E-acct_UNKNCLNT, ACCT:Unknown client !AZ (!AZ),ignore request
  Severity: ERROR
  Explanation: RADIUS-VMS received and dropped an accounting request from a client which has not been defined in RADIUS_CONFIG.
  User Action: Investigate the situation by looking at the IP address of the incoming request; it is possibly a setup problem at the remote site.

RADIUS-E-acct_CANTDLENTRY, ACCT:Can't delete entry in RADIUS_CURRENT for '!AZ' at !AZ;status=%x!XL,stv=%x!XL
  Severity: ERROR
  Explanation: RADIUS-VMS can't delete the user's record from RADIUS_CURRENT due to some problem.
  User Action: Investigate the status & stv codes, which are the result of the RMS $DELETE call.
RADIUS-E-acct_CCNTOPEN, ACCT:Could not open RADIUS_CURRENT file,status=%x!XL
  Severity: ERROR
  Explanation: RADIUS-VMS could not open the RADIUS_CURRENT file.
  User Action: Determine the reason by examining the status code, which is the result of the RMS $OPEN calls.

RADIUS-W-acct_UNKNREALM, ACCT:Unknown realm in '!AF', possible request droping from !AC
  Severity: WARNING
  Explanation: A username in an accounting request contains a realm suffix that has not been defined in the RADIUS_CONFIG file.
  User Action: Investigate the situation and take appropriate actions.

RADIUS-W-acct_CCNTOPENS, ACCT:Could not open RADIUS_CURRENT stream,status=%x!XL
  Severity: WARNING
  Explanation: RADIUS-VMS could not open a stream to the RADIUS_CURRENT file.
  User Action: Determine the reason by examining the status code, which is the result of the RMS $CONNECT calls.

RADIUS-W-acct_INVAUTH, ACCT:Client !AC sent request with invalid digest
  Severity: WARNING
  Explanation: An accounting request contains an invalid digest.
  User Action: Check that the shared secret in the RADIUS_CONFIG file matches the one on the NAS. In some cases a wrong digest is the result of using old NAS(s) like DEC Server 90M or USR Total Control.

RADIUS-W-acct_NOENTRY, ACCT:No entry in RADIUS_CURRENT for '!AZ' at !AZ
  Severity: WARNING
  Explanation: RADIUS-VMS tried to delete the user's record from the RADIUS_CURRENT file after the user logged out.
  User Action: It can be the result of a network or performance problem.

RADIUS-W-acct_BUSYENTRY, ACCT:Can't delete entry in RADIUS_CURRENT for '!AZ' at !AZ;there is user = '!AD'
  Severity: WARNING
  Explanation: RADIUS-VMS doesn't delete the user's record if RADIUS_CURRENT contains a record with another username for the same NAS/Port pair.
  User Action: None.

RADIUS-W-acct_CNTENTRY, ACCT:Error write entry in RADIUS_CURRENT for '!AD' at !AD, status=%x!XL, stv=%x!XL
  Severity: WARNING
  Explanation: RADIUS-VMS can't write a status record to the RADIUS_CURRENT file.
  User Action: Determine the reason by examining the status and stv codes, which are the result of the RMS $PUT calls. Check access to the RADIUS_CURRENT file by custom applications. Stop RADIUS-VMS, delete the RADIUS_CURRENT file, and restart RADIUS-VMS.

RADIUS-W-acct_NOUSERNM, ACCT:Request from client !AC contains no user name
  Severity: WARNING
  Explanation: The incoming accounting request has no username, or the length of the username string is zero. Commonly, it is a user's typo.
  User Action: Contact the user to ensure that the right value was entered for the username.

RADIUS-F-recv_INSFMEM, RECV:Ran out of memory,status=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS can't process the incoming request due to a problem with memory allocation.
  User Action: Determine the reason by examining the status code, which is the result of the LIB$GET_VM system calls. Increase the process memory quotas.

RADIUS-F-recv_TOOSHORT, RECV:Request from node !AZ:!UW is too short to be real (!UW bytes)
  Severity: FATAL
  Explanation: The request was dropped by consistency control.
  User Action: Network problem? Hacker attack? Keep your eyes open!

RADIUS-F-recv_INVLEN, RECV:Request from node !AZ:!UW claimed length !UW, only !UW bytes found
  Severity: FATAL
  Explanation: The request was dropped by consistency control.
  User Action: Network problem? Hacker attack? Keep your eyes open!

RADIUS-F-recv_ATTRTOLONG, RECV:Received attribute !UB from node !AZ:!UW is too long, length of !UB exceed !UW
  Severity: FATAL
  Explanation: An attribute length exceeds the real data length in the buffer or an internal limit. Parsing is stopped and the rest of the attribute/value pairs will not be processed. The packet will be silently dropped.
  User Action: Network problem? Hacker attack? Keep your eyes open!

RADIUS-F-recv_UNKNTYPE, RECV:Unknown request code !UB from node !AZ:!UW
  Severity: FATAL
  Explanation: The request was dropped by consistency control. Network problem?
  Hacker attack? Keep your eyes open!
  User Action: Contact support staff to investigate the reason for this request; ask the Radius-VMS support group for additional explanation.

RADIUS-W-recv_INVATTR, RECV:Received unknown attribute !UL (vendor=!UL) from node !AZ:!UW, attribute is ignored
  Severity: WARNING
  Explanation: RADIUS-VMS received a request which contains an unknown attribute.
  User Action: You can manually add an entry for this ATTRIBUTE to RADIUS_DICTIONARY, or download the latest dictionary file from a support site. Check the docs for your equipment to obtain the correct definition of the ATTRIBUTE.

RADIUS-F-auth_UCNTOPENS, AUTH:Could not open RADIUS_USERS stream,status=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS could not open a stream to the RADIUS_USERS file at startup time or during self restart of authentication threads.
  User Action: Determine the reason by examining the status code, which is the result of the RMS $CONNECT calls. Check the process quota, reduce the number of threads.

RADIUS-F-auth_CCNTOPENS, AUTH:Could not open RADIUS_CURRENT stream,status=%x!XL
  Severity: FATAL
  Explanation: RADIUS-VMS could not open a stream to the RADIUS_CURRENT file.
  User Action: Determine the reason by examining the status code, which is the result of the RMS $CONNECT calls.

RADIUS-F-auth_ERRTHREAD, AUTH:Could not create thread #!UL,errno=!AZ
  Severity: FATAL
  Explanation: RADIUS-VMS could not create a thread for authentication requests; the errno string provides additional information about the reason.
  User Action: You can increase the quotas for the process, or reduce the total number of threads (see the purpose of the RADIUS_NUMTHREADS logical).

RADIUS-F-auth_NETIOERR, AUTH:Network I/O error,status=%x!XL
  Severity: FATAL
  Explanation: A network I/O error occurred in an authentication thread.
  User Action: Determine the reason by examining the status code, which is the result of the $QIO system calls.
  Check whether this UDP port is used by other programs on the same node.

RADIUS-E-auth_UNDEFDOM, AUTH:Undefined domain preffix in username '!AF'
  Severity: ERROR
  Explanation: The domain is not defined in RADIUS_CONFIG.
  User Action: Check the RADIUS_CONFIG file, add a domain definition entry.

RADIUS-E-auth_ERRAUTHDOM, AUTH:Error authenticate user '!AF' in domain '!AC'
  Severity: ERROR
  Explanation: Error authenticating a user on the DC; it is possibly a network problem.
  User Action: Investigate the situation using the status code; it can be a network problem. Reboot DC, install a latest SP, kick ass BG, and reboot the DC again.

RADIUS-E-auth_NOEXTERN, AUTH:Can't authenticate, external procedure is not defined
  Severity: ERROR
  Explanation: RADIUS-VMS can't perform the authentication forced by Auth-Type = Extern in the RADIUS_USERS file.
  User Action: Check the RADIUS_USERS file, check the RADIUS server log file for possible initialization errors.

RADIUS-E-auth_INVREQST, AUTH:Unknown request type !UB from !AZ (!AZ),request ignored
  Severity: ERROR
  Explanation: RADIUS-VMS received a request with a code which is not supported.
  User Action: Contact the Radius-VMS support group.

RADIUS-E-auth_UNKNCLNT, AUTH:Unknown client !AZ (!AZ), request ignored
  Severity: ERROR
  Explanation: RADIUS-VMS dropped a request from an unknown client.
  User Action: Investigate the situation, add a CLIENT entry for the IP name/address given in the error message to the RADIUS_CONFIG file, and restart the RADIUS-VMS server.

RADIUS-E-auth_NOUSERNM, AUTH:Request from !AC (CLID='!AD') is rejected - no user name
  Severity: ERROR
  Explanation: A received request does not contain a username, or the username has zero length.
  User Action: None.

RADIUS-E-auth_BADCHAR, AUTH:Request from !AC is rejected;bad characters in username '!AF'
  Severity: ERROR
  Explanation: RADIUS-VMS sends a reject to the client due to the presence of invalid characters in the username.
  User Action: Refer to the RADIUS-VMS documentation about the characters allowed in a username.
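The RECV consistency checks listed above (recv_TOOSHORT, recv_INVLEN, recv_ATTRTOLONG, recv_UNKNTYPE) and the digest check behind acct_INVAUTH, as an added Python example that is not RADIUS-VMS code. The packet layout and the accounting digest follow RFC 2865/2866; the function names, the reason strings mapped to the message names, and the sample packet and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20                      # code(1) + id(1) + length(2) + authenticator(16)
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
KNOWN_CODES = {ACCESS_REQUEST, ACCOUNTING_REQUEST}


class PacketRejected(Exception):
    """Carries a reason named after the matching RECV message (assumed mapping)."""

    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def parse_request(datagram):
    """Return (code, ident, packet, attrs) or raise PacketRejected."""
    found = len(datagram)
    if found < HEADER_LEN:
        raise PacketRejected("TOOSHORT", f"{found} bytes")
    code, ident, claimed = struct.unpack("!BBH", datagram[:4])
    if claimed < HEADER_LEN or claimed > found:
        raise PacketRejected("INVLEN", f"claimed {claimed}, found {found}")
    if code not in KNOWN_CODES:
        raise PacketRejected("UNKNTYPE", f"code {code}")
    packet = datagram[:claimed]      # octets past the claimed length are padding
    attrs, pos = [], HEADER_LEN
    while pos < claimed:
        # Each attribute is type(1) + length(1) + value; length counts all three.
        if claimed - pos < 2:
            raise PacketRejected("ATTRTOLONG", "truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > claimed:
            raise PacketRejected("ATTRTOLONG", f"attribute {atype} length {alen}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet, attrs


def accounting_digest_ok(packet, secret):
    """RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)."""
    expected = hashlib.md5(
        packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def check_accounting_request(datagram, secret):
    """Return 'OK' or the short name of the check that failed."""
    try:
        code, _ident, packet, _attrs = parse_request(datagram)
    except PacketRejected as exc:
        return exc.reason
    if code == ACCOUNTING_REQUEST and not accounting_digest_ok(packet, secret):
        return "INVAUTH"
    return "OK"


def build_accounting_request(ident, attrs, secret):
    """Build a constructed sample packet (not captured traffic)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


SECRET = b"constructed-secret"       # constructed value, not a real shared secret
SAMPLE = build_accounting_request(7, [
    (1, b"CC_RRL"),                  # User-Name
    (40, struct.pack("!I", 2)),      # Acct-Status-Type = Stop
    (44, b"32015396"),               # Acct-Session-Id
], SECRET)
```

A mismatch between the shared secret on the NAS and in RADIUS_CONFIG shows up here as INVAUTH, while the three length checks reject a datagram before any attribute value is interpreted.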
RADIUS-E-auth_NOPASSW, AUTH:Request from !AC (CLID='!AD') for '!AD' is rejected;no password or CHAP password is used
  Severity: ERROR
  Explanation: RADIUS-VMS rejects any authentication request without a password. It can't perform CHAP authentication for SYSUAF users, because SYSUAF keeps one-way hashed passwords only.
  User Action: Contact the user and ensure that a password has been entered, advise the user not to use CHAP, or add an entry for this user to the RADIUS_USERS file.

RADIUS-E-auth_NOACCESS, AUTH:Request from !AC denied for unknown user '!AZ'
  Severity: ERROR
  Explanation: RADIUS-VMS can't find the user in the RADIUS_USERS file or in SYSUAF.
  User Action: Check the existence of the account with the AUTHORIZE utility; remove all spaces and tabs before the username in the RADIUS_USERS file.

RADIUS-E-auth_NO56K, AUTH:Connection speed=!UL;56K access not authorized - connection denied for '!AD'
  Severity: ERROR
  Explanation: The user is not authorized for high speed dial-in access.
  User Action: Refer to the RADIUS-VMS docs for use of the 56K right id.

RADIUS-E-auth_NOISDN, AUTH:Connection type=!UL;ISDN access not authorized - connection denied for '!AD'
  Severity: ERROR
  Explanation: The user is not authorized for high speed ISDN access.
  User Action: Refer to the RADIUS-VMS docs for use of the ISDN right id.

RADIUS-E-auth_DISAISDN, AUTH:Analog connection type=!UL denied for '!AD' with ISDN right id
  Severity: ERROR
  Explanation: A user with the ISDN right id can't use an analog type of connection.
  User Action: Refer to the RADIUS-VMS docs for use of the ISDN right id.

RADIUS-E-auth_NOID, AUTH:Access to NAS !AC is not authorized by !AC;connection denied for '!AD'
  Severity: ERROR
  Explanation: The ID shown in the error message is required for access to the NAS shown. These restrictions are configured in the RADIUS_CONFIG file.
  User Action: None.
RADIUS-E-auth_NOBYID, AUTH:Access to NAS !AC is rejected by !AC;connection denied for '!AD'
  Severity: ERROR
  Explanation: The presence of the ID shown in the message denies this user access to the NAS.
  User Action: None.

RADIUS-E-auth_LIMRATE, AUTH:Connection rate with !UL is not allowed for '!AD'
  Severity: ERROR
  Explanation: None.
  User Action: None.

RADIUS-E-auth_NOACCREAL, AUTH:Login from realm '!AC' is not authorized by '!AC' for '!AD'
  Severity: ERROR
  Explanation: None.

RADIUS-E-auth_NOBYACCREAL, AUTH:Login from realm '!AC' is rejected by '!AC' for '!AD'
  Severity: ERROR
  Explanation: None.
  User Action: None.

RADIUS-E-auth_UNKNREALM, AUTH:Unknown realm in '!AF',ignore request from !AC
  Severity: ERROR
  Explanation: The authentication request contains a realm suffix which is not defined in the RADIUS_CONFIG file. It can be a user's typo.
  User Action: None.

RADIUS-E-auth_ILLREALM, AUTH:Request for user '!AF' is rejected due to realm block for client '!AC'
  Severity: ERROR
  Explanation: The authentication request contains a realm suffix which is not allowed for the client with /ACCEPT_REALM or is blocked with /REJECT_REALM.
  User Action: None.

RADIUS-I-auth_PWDCHNG, AUTH:Change password request for '!AF'@'!AC', CLID='!AD','!AD'
  Severity: INFORMATIONAL
  Explanation: A request contains a password change option.
  User Action: None.

RADIUS-E-proxy_NOSIG, PROXY:ACK/REJECT Packet from server '!AC' is ignored;no RADIUS-VMS PROXY-STATE attribute
  Severity: ERROR
  Explanation: RADIUS-VMS drops packets that are missing the PROXY-STATE attributes which were attached when the request was forwarded to the remote RADIUS server. The remote RADIUS server must be fully RFC-compliant.
  User Action: Contact the remote RADIUS support representative, perform additional testing in DEBUG mode.
RADIUS-E-proxy_BADSIG, PROXY:ACK/REJECT Packet from server '!AC' is ignored;RADIUS-VMS PROXY-STATE attribute is not valid
Severity: ERROR
Explanation: RADIUS-VMS performs additional validity checks on packets coming from the remote RADIUS server and drops invalid packets.
User Action: Contact the remote RADIUS support representative; perform additional testing in DEBUG mode.

RADIUS-E-proxy_INVAUTH, PROXY:Packet from server '!AC' (Id=!UB,Code=!UB) sent with invalid digest
Severity: ERROR
Explanation: RADIUS-VMS can't validate the digest of packets that arrived from the remote RADIUS server.
User Action: Check the shared secret key for the remote RADIUS server; contact the remote RADIUS support representative.

RADIUS-E-proxy_UNKNCLNT, PROXY:Packet for unknown client !AZ (!AZ,Id=!UB,Code=!UB), request ignored
Severity: ERROR
Explanation: RADIUS-VMS received and dropped a packet for an unknown client. Hacker attack?
User Action: Investigate the situation; contact RADIUS-VMS support staff.

RADIUS-E-proxy_LOOP, PROXY:Can't forward packet from client !AC (Id=!UB,Code=!UB) to itself, request ignored
Severity: ERROR
Explanation: RADIUS-VMS prevents packets from being looped back to itself.
User Action: Check the entries in the RADIUS_CONFIG file.

RADIUS-W-proxy_FWDREQ, Forwarding REQuest (Id=!UB,Code=!UB,NAI='!AD',CLID='!AD') from !AC to !AC (Realm=!AC, LF=!SW)
Severity: WARNING
Explanation: RADIUS-VMS has resent a request to a subscriber's 'Home AAA'; the 'Home AAA' was matched by using the realm 'domain' suffix or the CLID/IMSI prefix.
User Action: None.

RADIUS-W-proxy_FWDANS, Forwarding ANSwer (Id=!UB,Code=!UB,NAI='!AD',CLID='!AD') from !AC (LF=!SW) to !AC
Severity: WARNING
Explanation: None.
User Action: None.
RADIUS-F-conf_CNTREAD, CONF:Could not read file RADIUS_CONFIG, status=%x!XL, stv=%x!XL
Severity: FATAL
Explanation: RADIUS-VMS experienced an error while reading the RADIUS_CONFIG file. Investigate the reason by examining the status and stv codes, which are the result of the RMS $GET calls.
User Action: Check the access mode of custom programs to this file.

RADIUS-F-conf_CNTOPEN, CONF:Could not open file RADIUS_CONFIG,status=%x!XL
Severity: FATAL
Explanation: RADIUS-VMS could not open the RADIUS_CONFIG file at startup time.
User Action: Investigate the reason by examining the status and stv codes, which are the result of the RMS $OPEN calls. After corrections, start the RADIUS-VMS server.

RADIUS-E-conf_NOCLNTENT, CONF:Server(s) with IP addr '!AZ' has been not defined as CLIENT,entry ignored
Severity: ERROR
Explanation: The destination remote host for a forwarded request is not defined as CLIENT.
User Action: Add a CLIENT entry to the RADIUS_CONFIG file.

RADIUS-E-conf_INVID, CONF:Can't translate !AC right id to binary format,status=%x!XL
Severity: ERROR
Explanation: A non-existent right ID is used in RADIUS_CONFIG. Additional information can be obtained from the status code, which is the result of the $ASCTOID system calls.
User Action: Ensure that this right id is present in the RIGHTSLIST.DAT file with MCR AUTHORIZE SHOW /ID id. Add this right id to RIGHTSLIST.DAT with MCR AUTHORIZE ADD/ID id, and start the RADIUS-VMS server.

RADIUS-E-conf_INVCLNM, CONF:Client IP name '!AZ' can't be resolved
Severity: ERROR
Explanation: RADIUS-VMS can't resolve the IP name given in the CLIENT entry.
User Action: Check the IP name in the RADIUS_CONFIG file, check that this name can be resolved with the NSLOOKUP utility, or replace the IP name with an IP address.

RADIUS-E-conf_NOKEY, CONF:No secret key present for client '!AC'
Severity: ERROR
Explanation: A CLIENT entry must contain a shared secret to process requests from/to the client.
User Action: Revise the syntax of CLIENT entries in the RADIUS_CONFIG file. Add the /SECRET=quoted_string option to the CLIENT definition.

RADIUS-E-conf_INVHOME, CONF:Invalid IP name/address for home '!AS'
Severity: ERROR
Explanation: RADIUS-VMS can't interpret the IP address or resolve the IP name given in the HOME entry.
User Action: Check the RADIUS_CONFIG file and correct the problem.

RADIUS-E-conf_INVDCIP, CONF:Domain Controller IP name '!AZ' can't be resolved
Severity: ERROR
Explanation: RADIUS-VMS can't resolve the IP name given in the DOMAIN entry.
User Action: Check the IP name in the RADIUS_CONFIG file and check that this name can be resolved with the NSLOOKUP utility. Don't use IP address notation, because the RADIUS server generates a NETBIOS name from the IP name.

RADIUS-E-conf_INVINCL, CONF:INCLIDE directive is not allowed is in included file
Severity: ERROR
Explanation: An INCLUDE directive is not allowed in an included file; the configuration parser will skip this directive.
User Action: Find and remove the INCLUDE directive; reorganize the RADIUS configuration files.

RADIUS-E-dom_ERRCONN, DOM:Unable to connect to '!AC' DC,status=%x!XL.
Severity: ERROR
Explanation: RADIUS-VMS can't open a TCP connection to the SMB server on the DC host defined in RADIUS_CONFIG.
User Action: Contact the remote DC support representative; perform additional testing in DEBUG mode.

RADIUS-E-dom_REJSESSN, DOM:'!AC' DC rejected the session setup,status=%x!XL.!/SMB specific error = !AZ
Severity: ERROR
Explanation: RADIUS-VMS can't open a session to the SMB server on the DC host defined in RADIUS_CONFIG.
User Action: Contact the remote DC support representative; perform additional testing in DEBUG mode.

RADIUS-E-dom_REJPROTNEG, DOM:'!AC' DC rejected the negotiate protocol,status=%x!XL.!/SMB specific error = !AZ
Severity: ERROR
Explanation: RADIUS-VMS can't negotiate a protocol with the SMB server on the DC host defined in RADIUS_CONFIG.
User Action: Contact the remote DC support representative; perform additional testing in DEBUG mode.

RADIUS-E-dom_REJSESSNST, DOM:'!AC' DC rejected the session setup,status=%x!XL.!/SMB specific error = !AZ
Severity: ERROR
Explanation: RADIUS-VMS can't negotiate a protocol with the SMB server on the DC host defined in RADIUS_CONFIG.
User Action: Contact the remote DC support representative; perform additional testing in DEBUG mode.

RADIUS-E-dom_ERRSEND, DOM:Error send a SMB message to '!AC' DC host,status=%x!XL
Severity: ERROR
Explanation: Error sending a packet to the DC.
User Action: Check that the NETBIOS name matches the Internet name of the DC without the internet domain suffix. For example, for a DC whose full internet domain name is sysman.deltatel.ru, the NETBIOS name must be SYSMAN.

RADIUS-I-loop_REQ, Sent REQuest (Code=!UB) ID #!UB to !AZ:!UW
Severity: INFORMATIONAL
Explanation:
User Action:

RADIUS-I-loop_ANS, Received ANSwer (Code=!UB) ID #!UB from !AZ:!UW
Severity: INFORMATIONAL
Explanation:
User Action:

RADIUS-E-loop_IPMATCH, IP (!AZ) server in response is not match IP in request (!AZ)
Severity: ERROR
Explanation:
User Action:

RADIUS-E-loop_PORTMATCH, Got response from UDP Port (!UW), expected from UDP Port !UW
Severity: ERROR
Explanation:
User Action:

RADIUS-E-loop_IDMATCH, Got response with ID #!UB, expected ID #!UB
Severity: ERROR
Explanation:
User Action:

RADIUS-E-loop_TIMEOUT, Receive timeout (!%T)
Severity: ERROR
Explanation:
User Action:

RADIUS-E-loop_DIGEST, Bad digest
Severity: ERROR
Explanation:
User Action:

RADIUS-S-REQRECV, Got request ID #!UB, Code = !UB, from !AZ:!UW
Severity: SUCCESS
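The checks behind RADIUS-E-proxy_INVAUTH and the RADIUS-E-loop_* match errors, as an added example that is not RADIUS-VMS code: a reply is accepted only if its source address, port, identifier and RFC 2865 Response Authenticator all agree with the pending request. The order of the checks, the MALFORMED label, the Pending record and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class Pending:
    """What the sender remembers about a request it is still waiting on."""
    server_ip: str
    server_port: int
    ident: int
    request_auth: bytes   # 16-octet Request Authenticator that was sent
    secret: bytes         # shared secret configured for that server


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator as defined in RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def check_response(packet: bytes, src_ip: str, src_port: int,
                   sent: Pending) -> str:
    """Return "OK" or the name of the first check that failed."""
    if src_ip != sent.server_ip:
        return "loop_IPMATCH"
    if src_port != sent.server_port:
        return "loop_PORTMATCH"
    if len(packet) < 20:
        return "MALFORMED"            # label local to this example
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "MALFORMED"
    if ident != sent.ident:
        return "loop_IDMATCH"
    packet = packet[:length]          # octets past Length are padding
    expected = hashlib.md5(packet[:4] + sent.request_auth
                           + packet[20:] + sent.secret).digest()
    # A mismatch here usually means the two sides hold different secrets.
    if not hmac.compare_digest(expected, packet[4:20]):
        return "loop_DIGEST"
    return "OK"


# Constructed sample exchange (documentation address range, made-up secret).
REQ_AUTH = bytes(range(16))
REPLY_MSG = bytes([18, 9]) + b"welcome"      # Reply-Message, type 18, length 9
SENT = Pending("192.0.2.10", 1812, 42, REQ_AUTH, b"example-shared-secret")
GOOD = build_response(2, 42, REQ_AUTH, REPLY_MSG, SENT.secret)  # 2 = Access-Accept

if __name__ == "__main__":
    wrong_secret = build_response(2, 42, REQ_AUTH, REPLY_MSG, b"other-secret")
    print(check_response(GOOD, "192.0.2.10", 1812, SENT))
    print(check_response(wrong_secret, "192.0.2.10", 1812, SENT))
```
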
RADIUS-S-REQSENT, Sent answer ID #!UB, Code = !UB, to !AZ:!UW
Severity: SUCCESS

RADIUS-S-AUTHSTATUS, Request #!UB, Code = !UB, from !AZ:!UW, Username = !AD
Severity: SUCCESS

RADIUS-F-db_OPEN, DB:Could not open RADIUS_DB file, status=%x!XL, stv=%x!XL
Severity: FATAL
Explanation: RADIUS-VMS could not open the RADIUS_DB file. Investigate the reason by examining the status code, which is the result of the RMS $OPEN/$CONNECT calls. RADIUS-VMS will continue to work after this error.
User Action: Check the accessibility of the file pointed to by the RADIUS_DB logical.

RADIUS-F-db_CLOSE, DB:Error closing RADIUS_DB file, status=%x!XL, stv=%x!XL
Severity: FATAL
Explanation: RADIUS-VMS got an error status while closing the RADIUS_DB file. Investigate the reason by examining the status code, which is the result of the RMS $CLOSE calls. RADIUS-VMS will continue to work after this error.
User Action: Check the accessibility of the file pointed to by the RADIUS_DB logical.

RADIUS-W-db_MISSPWD, DB:Password attribute is missing in entry at !AS:!UL, Username/NAI='!AC'
Severity: WARNING
Explanation: The Password attribute is missing in the user's entry.
User Action: Add the Password field to the entry.

RADIUS-W-db_AUTHVMS, DB:SYSUAF flag is enforced for Username/NAI='!AC' (!AS:!UL)
Severity: WARNING
Explanation: If the user's entry in the source file contains Auth-Type = System and there is no Password attribute, the SYSUAF flag is set for the user entry. This means that Authentication/Authorization will be performed against the VMS SYSUAF. Only PAP can be used for VMS SYSUAF accounts.
User Action: Add the Password field to the entry.

RADIUS-E-db_SKIP, DB:Skip entry at !AS:!UL
Severity: ERROR
Explanation: None.
User Action: None.

RADIUS-E-db_ERRPARSE, DB:Unable to parse Check/Reply-Items at !AS:!UL
Severity: ERROR
Explanation: The RADIUS-VMS server can't parse Check/Reply-Item data from a file in the RADIUS_USERS format while loading a record from the plain-text file.
This can be the result of typos in the source file; also, the RADIUS_DICTIONARY file may not contain an ATTRIBUTE entry for this Check/Reply-Item.
User Action: Check that all ATTRIBUTEs used in the RADIUS_USERS file are defined in the RADIUS_DICTIONARY file. Also check the case of ATTRIBUTE items in the RADIUS_USERS file. After any corrections you need to restart the RADIUS-VMS server.

RADIUS-E-db_CNTREAD, DB:Could not read !AS file, status=%x!XL, stv=%x!XL
Severity: ERROR
Explanation: RADIUS-VMS experienced an error while reading the RADIUS_USERS file. Investigate the reason by examining the status and stv codes, which are the result of the RMS calls.
User Action: Check the access mode of the account running RADIUS-VMS.

RADIUS-E-db_SAVE, DB:Could not write record for the '!AC', status=%x!XL, stv=%x!XL
Severity: ERROR
Explanation: RADIUS-VMS could not update a record for the user in the RADIUS_DB file. RADIUS-VMS will continue to work after this error.
User Action: Investigate the reason by examining the status code, which is the result of the RMS $PUT calls.

RADIUS-E-db_GET, DB:Could not get record for the '!AS' (at '!AS',CLID='!AD'), status=%x!XL, stv=%x!XL
Severity: ERROR
Explanation: RADIUS-VMS could not find/get a record for the user in the RADIUS_DB file. RADIUS-VMS will continue to work after this error.
User Action: Investigate the reason by examining the status code, which is the result of the RMS $GET/$FIND calls.

RADIUS-E-db_NILCLID, DB:Calling station id is missing in request for '!AS' (at '!AS')
Severity: ERROR
Explanation: RADIUS-VMS cannot authenticate the request because the Calling-Station-Id attribute is missing but is required by the entry's RADDB$V_CLID option.
User Action: Remove RADDB$V_CLID from the entry record or check the originator of the request.
RADIUS-E-db_UPD, DB:Could not update record for the '!AC', status=%x!XL, stv=%x!XL
Severity: ERROR
Explanation: RADIUS-VMS could not update a record for the user in the RADIUS_DB file. RADIUS-VMS will continue to work after this error.
User Action: Investigate the reason by examining the status code, which is the result of the RMS $UPDATE calls.

RADIUS-E-db_NOPWD, DB:Request for the '!AS' (at '!AS',CLID='!AD') no contains CHAP-Password
Severity: ERROR
Explanation: DB authentication cannot be performed without a CHAP-Password.
User Action: Check for a possible general network problem or intruder/hacker attacks.

RADIUS-E-db_DELT, DB:Could not delete record for the '!AC', status=%x!XL, stv=%x!XL
Severity: ERROR
Explanation: RADIUS-VMS could not delete a record for the user in the RADIUS_DB file. RADIUS-VMS will continue to work after this error.
User Action: Investigate the reason by examining the status code, which is the result of the RMS $DELETE calls.

RADIUS-W-db_NOCBA12, DB:No MN ID(IMSI) has been configured for '!AS' (at '!AS',CLID='!AD',REALM='!AC')
Severity: WARNING
Explanation: A Mobile Network Id (IMSI, MN ID) must be returned on successful authentication; this information should be stored in the profile as the value of the Callback-Id attribute. An accept of the login will be sent.
User Action: Add a Callback-Id attribute & value pair to the user's profile.

RADIUS-S-db_SUCCESS, DB:The subscriber '!AS' (at '!AS',CLID='!AD',REALM='!AC') has been authenticated
Severity: SUCCESS
Explanation: None.
User Action: None.

RADIUS-S-db__LOAD, DB:!AS, !UL records, entries: total = !UL, skiped = !UL, stored = !UL
Severity: SUCCESS
Explanation: None.
User Action: None.
RADIUS-S-db_ACCEPT, DB:Accept login for '!AS' (at '!AS',CLID='!AD',REALM='!AC')
Severity: SUCCESS

RADIUS-S-db_LOGGED, DB:'!AS' has been logged (at '!AS',CLID='!AD',REALM='!AC')
Severity: SUCCESS

RADIUS-E-db_BADHOUR, DB:Login at this time has not been authorized for '!AS' (at '!AS',CLID='!AD',REALM='!AC')
Severity: ERROR

RADIUS-E-db_REJECT, DB:Reject login for '!AS' (at '!AS',CLID='!AD',REALM='!AC')
Severity: ERROR

RADIUS-E-db_INVPWD, DB:Wrong CHAP-Password in access-request for the '!AS' (at '!AS',CLID='!AD',REALM='!AC')
Severity: ERROR

RADIUS-E-db_DISUSER, DB:The subscriber '!AS' (at '!AS',CLID='!AD',REALM='!AC') has been disabled
Severity: ERROR

RADIUS-E-db_NOIROAM, DB:International Roaming has not allowed for '!AS' (at '!AS',CLID='!AD',REALM='!AC')
Severity: ERROR

RADIUS-E-db_NONROAM, DB:National Roaming has not allowed for '!AS' (at '!AS',CLID='!AD',REALM='!AC')
Severity: ERROR

RADIUS-E-db_CHAPLEN, DB:Request for the '!AS' (at '!AS') contains invalid CHAP-Password length(!UL)
Severity: ERROR
Explanation: RADIUS-VMS detected that the CHAP-Password length is invalid. RADIUS-VMS will continue to work after this error.
User Action: Check for a possible general network problem or intruder/hacker attacks.

_______________________________________________________
B Contact information.

Author: Ruslan R. Laishev - Laishev@StarLet.SPb.RU, Laishev@DeltaTelecom.RU
Phone: Mobile: +7 (812) 716-3222
Web Site: http://www.StarLet.SPb.RU/RadiusVMS/

_______________________________________________________
C RADIUS-VMS files created during installation.

File name                           Description
Files in RADIUS_DIR:
[._EXE]RADIUS_SERVER.EXE            RADIUS-VMS Server.
[._EXE]RADCP.EXE                    RADIUS Control Program.
[._EXE]RADIUS_SHR.EXE               RADIUS VMS Shareable Image.
[._EXE]RADACC.EXE                   RADIUS-VMS Accounting utility.
[.UTILS]PMAS_RADIUS.C               Authentication module for PMAS.
[.UTILS]PMAS_RADIUS_STARTUP.COM     Authentication module for PMAS startup procedure.
[.UTILS]RADIUS_ACCOUNTING.DTR       DEC DATATRIEVE definitions.
[.UTILS]RADIUS_ACCOUNTING.RRD       A Rdb/VMS Record Definition file.
[.UTILS]RADIUS_ACCOUNTING.RDB_SQL   A Rdb/VMS Script for initial creating a database.
[.UTILS]RAD_EXT_AUTH.C              An example of external authorization module.
[.UTILS]RAD_EXT_ACCT.C              An example of external accounting module.
[.UTILS]RAD_EXT_AUTH2ORA.*          An example of external authorization module which works with Oracle Server.
[.UTILS]RAD_EXT_ACCT2ORA.*          An example of external accounting module which works with Oracle Server.
[.UTILS]VOIP_AUTH.TCL               An example of TCL (version 1.0) procedure for Cisco VoIP platforms for implementing authentication of subscribers against RADIUS Server database.
RADIUS_STARTUP.COM                  A RADIUS-VMS main startup procedure.
RADIUS_COMMANDS.COM                 A RADIUS-VMS commands definitions.
[.TEMPLATES]RAD_*.TEMPLATE          Templates RADIUS.USERS, RADIUS.CONFIG, RADIUS.DICTIONARY, RADIUS_LOGICALS.COM.
[.DOCS]RADIUS_DOC.TXT               Documentation in TEXT format.
[.DOCS]RADIUS_DOC.DECW*             Documentation in DECWindows BookReader format.
[.DOCS]RADIUS_DOC*.HTML             Documentation in HTML format.
[.DOCS]RADIUS_MSG.MSGHLP$DATA       RADIUS-VMS HELP/MESSAGE Library.
[.DOCS]RAD_CP_HELP.HLB              RADCP utility help library.
Files in SYS$STARTUP:
RADIUSVMS_STARTUP.COM               RADIUS-VMS Startup procedure.
RADIUSVMS_SHUTDOWN.COM              RADIUS-VMS Shutdown procedure.

_______________________________________________________
D RADIUS-VMS Modification history.

** 4-OCT-1999 RRL Version 2.0.31 which performs a session limit check per client basis.
** 2-NOV-1999 RRL Version 2.0.32, added additional key for using with conjunction with MX for real-time relay allowed checking for roaming users.
** 6-DEC-1999 RRL Version 2.0.33 - internal release, added login time timestamp in the RADIUS_CURRENT file.
** 6-DEC-1999 RRL Version 2.0.34
** 6-DEC-1999 RRL Add RADIUS_OPCOMLVL logical name, which control by severity level of message sending to OPCOM
** 20-DEC-1999 RRL Add multiHOME support.
** 19-JAN-2000 RRL Fixed problem with threads cancelation.
** 24-JAN-2000 RRL Version 2.0.35
** 1-FEB-2000 RRL Version 2.0.36
** 11-FEB-2000 RRL Add external AAA callouts support.
** 21-MAR-2000 RRL Add RADIUS_SESSIONTMO.
** 21-FEB-2000 RRL Version 2.0.37
** 27-FEB-2000 RRL Version 2.10 (VSA support)
** 5-APR-2000 RRL Version 2.11 (RADCP)
** 7-APR-2000 RRL Move RADCP to RAD_CP.C
** 24-APR-2000 RRL Version 2.12
** 17-MAY-2000 RRL Version 2.13
** 15-JUN-2000 RRL Version 2.14
** 18-JUN-2000 RRL Fix for using TCPIP$INET_HOSTADDR
** 15-JUN-2000 RRL Version 2.15, SYSUAF password change
** 5-AUG-2000 RRL Increased a thread stack size.
** 5-AUG-2000 RRL Version 2.16
** 12-AUG-2000 RRL Version 2.17, maintenance update.
** 27-AUG-2000 RRL Version 2.3, NT Domain authentication.
** 6-SEP-2000 RRL /FLAG=PWD_EXPIRED
** 18-SEP-2000 RRL Version 2.31, /FLAG=PWD_EXPIRED.
** 21-SEP-2000 RRL Version 2.32, maintenance update.
** 30-SEP-2000 RRL Version 2.33, no case sensitivity wild cards comparing, global buffering option for RADIUS_USERS.
** 2-NOV-2000 RRL Version 2.34, RADIUS_ALLOW_RECTRICTED
** 10-NOV-2000 RRL Version 2.35
** 23-NOV-2000 RRL Version 2.36, realm checking in the RADIUS_CURRENT file.
** 6-JAN-2001 RRL Version 2.4 - USR VSA support.
** 16-JAN-2001 RRL Fixed a problem with SS$_DUPLNAME.
** 18-FEB-2001 RRL Version 2.4, release.
** 19-MAR-2001 RRL Version 2.4A, cosmetic changes for an external accounting.
** 30-MAR-2001 RRL Version 2.4B, disable file I/O operations if RADIUS_ACCCOUNTING file cannot be opened.
** 11-APR-2001 RRL Version 2.4C, fixed bug in the put_attribute() and incorrect truncation of the AVP list in reply.
** 4-AUG-2001 RRL Added a specific handling of an USR VSA to provide a speed of connection authorization and accounting.
** 28-DEC-2001 RRL Some fixes in the RAD_ACCT.C
** 11-JAN-2002 RRL Some fixes in the RAD_UTIL.C
** 18-JAN-2002 RRL Version 2.5A, added Ascend IP-filters support.
** 28-FEB-2002 RRL Version 2.5B, all configuration logicals must be defined with /SYSTEM/EXEC.
** 20-MAR-2002 RRL Added an additional checking of used buffers.
** 5-JUN-2002 RRL Some optimization: update last-login date after accept is sent.
** 11-JUN-2002 RRL Some other optimization.
** 9-AUG-2002 RRL Added backup host for realms support.
** 2-SEP-2002 RRL Version 2.6A, Added IMSI realms support.
** 13-NOV-2002 RRL Version 2.6B, fixed problem with threads exit, it cause a hanging server in HIB state.
** 20-JAN-2003 RRL Version 2.6C, Some changes of the threads cancelation.
** 19-FEB-2003 RRL Version 2.6D, Fixed a bug with resetting of the server.
** 14-MAR-2003 RRL Version 2.6E, RESET & RESTART -> RESTART.
** 17-MAR-2003 RRL Version 2.7, Now it's just full-function version.
** 4-JUN-2003 RRL Version 2.7A, Now Client-Id is a special non-protocol attribute.
** 18-AUG-2003 RRL Version 2.7B, fixed bug in the RAD_UTIL.C.
** 30-SEP-2003 RRL Version 2.7C, added Auth-Type = Digest support.
** 23-OCT-2003 RRL Version 2.7D, added client's /ACCEPT_REALM and /REJECT_REALM options.
** 6-NOV-2003 RRL Version 2.7E, restore RESET functionality.
** 25-NOV-2003 RRL Version 2.7G, backup/proxy/forwarding.
** 12-FEB-2003 RRL Version 2.7H, Calling Station Id = IMSI.
** 16-FEB-2004 RRL Version 2.7I, Added logging to SYSLOG
** 19-FEB-2004 RRL Version 2.7I, Added RADIUS_THSTACKSZ logicals.
** 31-MAY-2004 RRL Version 2.7K, Added INCLUDE directive in the RADIUS_CONFIG file syntax.
** 26-AUG-2004 RRL Version 3.0A, Removed RAD$DUALPORT, RAD$56K, RAD$ISDN rights id and corresp. code.
** 1-OCT-2004 RRL Version 3.0B, Added Calling-Station-Id to responses to help Cisco CSG tracks users' session.
** 13-APR-2005 RRL Version 3.1A, Added A12 support.
** 20-MAY-2004 RRL Version 3.1B, Added Client Group ID handling