RADIUS-VMS
product documentation



3.3 Clients management.

The RADIUS_CONFIG file must contain an entry for every NAS and for every remote RADIUS server (see Section 3.5) that will interoperate with your RADIUS-VMS server. Each entry consists of the NAS or remote RADIUS server IP name (or IP address), a shared secret, and optional rights identifier lists. The rights identifiers provide additional authorization of user access to a particular NAS: when an identifier is listed in the entry for a NAS, a user is granted access to that NAS only if the identifier is granted to the user in SYSUAF. The syntax of an entry definition and example entries in RADIUS_CONFIG follow:

 !++ 
 ! 
 ! define client <client_name> - 
 !   /secret="<secret_key>" 
 !   /reject_id=( < id list > ) 
 !   /accept_id=( < id list > ) 
 !   /NAS 
 !   /connection_info=<offset> 
 !   /reject_realm=( <DEFAULT | realm list > ) 
 !   /accept_realm=( <DEFAULT | realm list > ) 
 !   /group=<group_id> 
 ! 
 !-- 

Option                      Description
SECRET=quoted_string        The shared secret used to hide the password transferred over the network between the NAS and the RADIUS server (an MD5-based obfuscation, not real encryption) and to authenticate the packets. Use a long random secret that is unique to each client; the short secrets in the examples below are placeholders only.
REJECT_ID=(id0,id1,...)     A list of rights identifiers; logins are rejected for users who hold any identifier from this list in SYSUAF/RIGHTSLIST.
ACCEPT_ID=(id0,id1,...)     A list of rights identifiers; logins are accepted only for users who hold at least one identifier from this list in SYSUAF/RIGHTSLIST.
NAS                         Treat the client as a NAS. The negated form /NONAS, used in the examples below for remote RADIUS servers, marks a client that is not a NAS.
CONNECTION_INFO=offset      Offset within the Connect-Info attribute sent by the NAS at which the connection speed is read (see the example below).
ACCEPT_REALM=(realm,...)    Allow the server to proxy/forward requests from this client only for the listed realm suffixes (DEFAULT stands for usernames without a realm suffix).
REJECT_REALM=(realm,...)    A list of realms for which logins from this client are rejected.
GROUP=number                Groups clients together; see the use of the Client-Group-Id check item below.


 define client NAS.SomeWhere.NET - 
   /secret="01234567" - 
   /accept_id=(nas$_access,mx_mail_access) 
  
 define client NEWS.ZZtop.NET - 
   /secret="01234567" - 
   /accept_id=(nas$_access,mx_mail_access,ftp_out) 
 ! 
 ! Entry for my good old DEC Server 90M 
 ! 
 define client TSrv.ZZtop.NET - 
   /secret="01234567" - 
   /accept_id=(nas$_access,mx_mail_access,ftp_out) - 
   /NAS 
  
  
  
 ! 
 ! Allow logins only for the specified realm suffixes 
 ! 
 define client AS3640.ZZtop.NET - 
   /secret="01234567" - 
   /accept_realm=(DEFAULT, SkyLink.SPb.RU) 
  
  
 ! 
 ! Reject logins with the specified realm suffixes and allow all others 
 ! 
 define client PDSN.ZZtop.NET - 
   /secret="01234567" - 
   /reject_realm=(SkyLink.MSK.RU, BelCel.BY) 
  
  
 ! 
 ! 
 ! My NAS sends connection info in the form: 
 ! Connect-Info = "Mo.1.9.2.1.6     46667 28800 DYNAMIC PPP  CHAP V90     LAPM    V42BIS " 
 !                |------------^ 
 ! 14 is the offset of the first space before the connection speed parameter. 
 ! The same DEC Server entry as above, extended with /CONNECTION_INFO: 
 ! 
 define client TSrv.ZZtop.NET - 
   /secret="01234567" - 
   /accept_id=(nas$_access,mx_mail_access,ftp_out) - 
   /NAS - 
   /connection_info=14 
  
  
 ! 
 ! Our partners: MCC AAA, coupled into a single group with id = 73 
 ! 
  
define  client  aaa1.zz.ru        /secret="secret"/nonas/group=73 
define  client  aaa2.zz.ru        /secret="secret"/nonas/group=73 
define  client  aaa3.zz.ru        /secret="secret"/nonas/group=73 
  
  
 ! 
 ! Delta Telecom/SkyLink PDSNs and RNC, coupled into groups with id = 1 and id = 2 
 ! 
  
define  client  pdsn1.d-t.ru        /secret="secret"/nonas/group=1 
define  client  pdsn2.d-t.ru        /secret="secret"/nonas/group=1 
define  client  pdsn-ev-1x-1.d-t.ru /secret="secret"/nonas/group=1 
define  client  pdsn-ev-1x-2.d-t.ru /secret="secret"/nonas/group=1 
define  client  pdsn-ev-do-1.d-t.ru /secret="secret"/nonas/group=2 
define  client  rnc-1.d-t.ru     /secret="secret"/nonas/group=2 
 

An example of using /GROUP together with the Client-Group-Id check item in RADIUS_USERS entries follows:


 ... 
 # 
 # Entry for MCC logins 
 # 
 
 mobile Auth-Type = Accept, Client-Group-Id = 73 
         Service-Type = Framed-User, 
         Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.253, 
         Framed-Netmask = 255.255.255.255 
 
 default_ev1x Auth-Type = Accept, Client-Group-Id = 1 
         Service-Type = Framed-User, 
         Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.253, 
         Framed-Netmask = 255.255.255.255 
 
 default_evdo Auth-Type = A12, Client-Group-Id = 2 
         Service-Type = Framed-User, 
         Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.253, 
         Framed-Netmask = 255.255.255.255 
 

Note

An /ACCEPT_ID or /REJECT_ID list can contain at most 15 identifiers.

3.4 Realms management.

The RADIUS_CONFIG file must contain an entry for each realm that is to be processed during user authorization. An entry consists of the realm name, optional rights identifier lists, the remote RADIUS authentication server IP name and UDP port, the remote RADIUS accounting server IP name and UDP port, and an optional account name. The rights identifiers (if any) authorize local users in the same way as described in Section 3.3. The account name can be used to consolidate all accounting information for a realm under one account, for example one associated with a partner; to report on it, use the /ACCOUNT qualifier of the VMS ACCOUNTING utility (refer to the System Manager utilities documentation for producing reports with VMS ACCOUNTING). The syntax of the entry definition and example entries follow:

 !++ 
 ! define realm default|<realm_name> - 
 !   /IMSI - 
 !   /reject_id=( < id list > ) 
 !   /accept_id=( < id list > ) 
 !   /auth_host="<ip_name_or_address>:<port>" 
 !   /acct_host="<ip_name_or_address>:<port>" 
 !   /bauth_host="<ip_name_or_address>:<port>" 
 !   /bacct_host="<ip_name_or_address>:<port>" 
 !   /account=<account> 
 ! 
 !-- 

Option                      Description
REJECT_ID=(id0,id1,...)     A list of rights identifiers; logins are rejected for users who hold any identifier from this list in SYSUAF/RIGHTSLIST.
ACCEPT_ID=(id0,id1,...)     A list of rights identifiers; logins are accepted only for users who hold at least one identifier from this list in SYSUAF/RIGHTSLIST.
AUTH_HOST=quoted_string     The remote RADIUS server IP name or address and UDP port to which authentication requests are forwarded.
ACCT_HOST=quoted_string     The remote RADIUS server IP name or address and UDP port to which accounting requests are forwarded.
BAUTH_HOST=quoted_string    The backup remote RADIUS server IP name or address and UDP port for authentication requests.
BACCT_HOST=quoted_string    The backup remote RADIUS server IP name or address and UDP port for accounting requests.
ACCOUNT=account             The account name under which accounting information for the realm is stored in the local database (RADIUS_ACCOUNTING).
IMSI                        Defines the realm name as an IMSI prefix instead of a username suffix.


 define realm news.zz.top - 
   /reject_id=(mx_mail_access,ftp_inc) - 
   /accept_id=(news_access) 
 ! 
 ! All requests for this realm will be forwarded; all 
 ! accounting information will be accumulated under the 
 ! account named "SYSMAN" 
 ! 
  
 define realm zz2.top - 
   /auth_host="dtv3:1645" - 
   /acct_host="dtv4:1646" - 
   /account=sysman 
  
 ! 
 ! Forward all authentication requests of Moscow Cellular Company roamers 
 ! to MCC's home RADIUS. 
 ! 
 define realm 25014 /IMSI - 
   /auth_host="radius.mcc.ru:1645" - 
   /acct_host="radius.mcc.ru:1646" - 
   /account=MCC 
  
 ! 
 ! Romanian ZAPP subscribers 
 ! 
 define realm 22604 /IMSI - 
   /auth_host="radius.zapp.ro:1645" - 
   /acct_host="radius.zapp.ro:1646" - 
   /account=ZAPP 
  
  
 ! 
 ! The first Russian mobile operator, Delta Telecom JSC, IMT-MC-450 (CDMA2000) 
 ! 
 define realm 25009 /IMSI - 
   /auth_host="StarLet.DeltaTelecom.RU:1645" - 
   /acct_host="StarLet.DeltaTelecom.RU:1646" - 
   /account=DELTATEL 
  
  
  
 ! 
 ! Forward all requests from users whose username has no realm suffix; 
 ! two concurrent sessions per user are allowed for this realm. 
 ! 
 define realm default - 
   /auth_host="dtv3:1812" - 
   /acct_host="dtv4:1813" - 
   /bauth_host="StarLet:1645" - 
   /bacct_host="StarLet.ZZTop.NET:1646" - 
   /account=sysman 

Note

Every remote RADIUS server host must also be described as a client in the RADIUS_CONFIG file (see Section 3.3); that client entry supplies the shared secret used with the server.

The realm name DEFAULT is used to apply realm processing to logins whose username carries no realm suffix.
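The following Python is an added example, not RADIUS-VMS code or part of this documentation. It parses entries in the syntax of Sections 3.3 and 3.4 from a constructed sample configuration and applies the documented checks (/REJECT_ID, /ACCEPT_ID, /ACCEPT_REALM, /REJECT_REALM, /IMSI prefixes, the DEFAULT realm and the 15-identifier limit). The exact matching rules (rejection evaluated before acceptance, an unknown "@" suffix still subject to the client's realm lists, case-insensitive names) are assumptions drawn from the option descriptions, not documented server behaviour.

```python
"""Added example (not RADIUS-VMS code): parse 'define client' / 'define realm'
entries of RADIUS_CONFIG and apply the checks of sections 3.3 and 3.4.
Modelled from the documented syntax and option descriptions; treatment of an
unknown '@' suffix and the lower-casing of names are assumptions."""
import re

MAX_IDS = 15   # documented limit for /ACCEPT_ID and /REJECT_ID lists
# Constructed sample configuration; names and identifiers are illustrative.
SAMPLE_CONFIG = """
! clients
define client tsrv.zztop.net -
  /secret="01234567" -
  /accept_id=(nas$_access, ftp_out) -
  /NAS
define client as3640.zztop.net /secret="01234567" /accept_realm=(DEFAULT, skylink.spb.ru)
define client pdsn.zztop.net   /secret="01234567" /reject_realm=(skylink.msk.ru)
define client aaa1.zz.ru       /secret="secret"/nonas/group=73
! realms
define realm news.zz.top /reject_id=(mx_mail_access) /accept_id=(news_access)
define realm 25014 /IMSI /auth_host="radius.mcc.ru:1645" /account=MCC
define realm default /auth_host="dtv3:1812" /bauth_host="starlet:1645"
"""
QUAL_RE = re.compile(r'/(\w+)(?:=("[^"]*"|\([^)]*\)|[^/\s]+))?')
DEFINE_RE = re.compile(r'define\s+(client|realm)\s+([^/\s]+)\s*(.*)$', re.I)

def _logical_lines(text):
    """Join '-' continuation lines; drop '!' comments (assumes no '!' in secrets)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("-"):
            buf += line[:-1] + " "
        else:
            out.append((buf + line).strip())
            buf = ""
    return out

def _value(v):
    """Qualifier value: flag -> True, "quoted" -> str, (a,b) -> list, bare -> str."""
    if not v:
        return True
    if v.startswith('"'):
        return v[1:-1]
    if v.startswith("("):
        return [x.strip().lower() for x in v[1:-1].split(",") if x.strip()]
    return v.lower()

def parse_config(text):
    """Return ({client_name: options}, {realm_name: options}), names lower-cased."""
    clients, realms = {}, {}
    for line in _logical_lines(text):
        m = DEFINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        kind, name, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        opts = {q.lower(): _value(v) for q, v in QUAL_RE.findall(rest)}
        for key in ("accept_id", "reject_id"):
            if len(opts.get(key, [])) > MAX_IDS:
                raise ValueError(f"{name}: more than {MAX_IDS} ids in /{key}")
        (clients if kind == "client" else realms)[name] = opts
    return clients, realms

def split_realm(username, realms):
    """Return (user, realm_tag, realm_options): tag is the '@' suffix, the matching
    /IMSI prefix, or 'default'; an unknown suffix yields options None."""
    if "@" in username:
        user, _, suffix = username.rpartition("@")
        return user, suffix.lower(), realms.get(suffix.lower())
    if username.isdigit():                      # IMSI realms: realm name is a prefix
        for name, opts in realms.items():
            if opts.get("imsi") and username.startswith(name):
                return username, name, opts
    return username, "default", realms.get("default")

def check_ids(opts, rights):
    """/REJECT_ID wins over /ACCEPT_ID; no accept list means everyone is accepted."""
    held = {r.lower() for r in rights}
    if held & set(opts.get("reject_id", [])):
        return False
    accept = opts.get("accept_id")
    return not accept or bool(held & set(accept))

def authorize(username, rights, client_name, clients, realms):
    """Outcome of a login from client_name as (allowed, reason)."""
    client = clients.get(client_name.lower())
    if client is None:
        return False, "unknown client"          # no entry means no shared secret
    _user, tag, realm = split_realm(username, realms)
    if tag in client.get("reject_realm", []):
        return False, "realm rejected at client"
    accept = client.get("accept_realm")
    if accept and tag not in accept:
        return False, "realm not accepted at client"
    if not check_ids(client, rights):
        return False, "client rights check failed"
    if realm is None and tag != "default":
        return False, "unknown realm"
    if realm and realm.get("auth_host"):        # forwarded realm: decided remotely
        return True, "forward to " + realm["auth_host"]
    if realm and not check_ids(realm, rights):
        return False, "realm rights check failed"
    return True, "ok"
```

The order of checks mirrors the option descriptions: the client's realm lists decide whether the request is handled at all, the client's identifier lists gate access to that NAS, and only then is the realm consulted, either to forward the request (a realm with /AUTH_HOST) or to apply the realm's own identifier lists to a local user.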

3.5 Proxy/Forwarding capabilities.

RADIUS-VMS can act as a proxy server that transparently forwards requests from NASes to remote RADIUS servers and the answers from those servers back to the NAS, which makes it possible to implement global Internet roaming. RADIUS-VMS uses the Proxy-State attribute to carry the bookkeeping information it attaches to every forwarded request; that information is removed from the packet when the answer comes back. RADIUS-VMS removes only its own Proxy-State attributes; all other Proxy-State attributes stay in the packet unchanged and in their original order, as RFC 2865 requires of a proxy. Proxy/forwarding is built-in functionality of RADIUS-VMS and is managed through the RADIUS_CONFIG entries described above.

RADIUS-VMS shares the work load between the primary and backup authentication/authorization and accounting servers defined for a realm by maintaining a "load factor" for each host. The load factor is the number of requests sent to the host minus the number of answers received from it, that is, the number of requests still outstanding. For every forwarded request RADIUS-VMS selects the host with the smallest load factor, so a host that has stopped answering accumulates outstanding requests and is avoided until the other hosts reach the same load.

Note

The remote RADIUS server must be fully compliant with RFC 2138 (since superseded by RFC 2865).

Keep in mind that the current forwarding implementation does not validate any of the values returned in answer packets: the remote server is trusted for every attribute it returns. If, for example, an answer contains a static address in the Framed-IP-Address attribute that does not belong to your address space, it can cause routing problems.
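As an added example (not RADIUS-VMS code), the following Python models the two mechanisms this section describes, Proxy-State bookkeeping and load-factor host selection, over RFC 2865 attribute TLVs, and adds the reply check a deployment would want given the caveat above. The Proxy-State marker format (b"RVMS:" plus a random hex id) and the primary-before-backup tie-break are assumptions, not documented behaviour; the hosts and packets are constructed.

```python
"""Added example (not RADIUS-VMS code): the Proxy-State bookkeeping and the
'load factor' host selection that section 3.5 describes, plus the reply check
the section says the server does not perform.  The marker format (b'RVMS:' +
hex id) and the primary-before-backup tie-break are assumptions."""
import ipaddress
import os
import struct

PROXY_STATE = 33            # RFC 2865 attribute type
FRAMED_IP_ADDRESS = 8
OWN_PREFIX = b"RVMS:"       # assumed marker so we recognise our own Proxy-State

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS attribute TLVs."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)

def decode_attrs(blob):
    """Parse TLVs, rejecting truncated or malformed lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs

class RemoteHost:
    """One /AUTH_HOST or /BAUTH_HOST entry with its request counters."""
    def __init__(self, name, backup=False):
        self.name, self.backup = name, backup
        self.sent = self.received = 0
    @property
    def load(self):                  # the documented 'load factor'
        return self.sent - self.received

def pick_host(hosts):
    """Smallest outstanding-request count wins; a primary wins ties (assumption)."""
    return min(hosts, key=lambda h: (h.load, h.backup))

def forward(hosts, request_attrs):
    """Pick a host, append our own Proxy-State last, return (host, marker, wire)."""
    host = pick_host(hosts)
    marker = OWN_PREFIX + os.urandom(4).hex().encode()
    host.sent += 1
    return host, marker, encode_attrs(request_attrs + [(PROXY_STATE, marker)])

def receive_reply(host, marker, wire):
    """Count the reply and strip only the Proxy-State we added, keeping order."""
    host.received += 1
    attrs = decode_attrs(wire)
    own = [a for a in attrs if a[0] == PROXY_STATE and a[1] == marker]
    if len(own) != 1:
        raise ValueError("reply does not carry exactly one of our Proxy-States")
    return [a for a in attrs if a != own[0]]

def framed_ip_allowed(attrs, allowed_nets):
    """Reject a reply whose Framed-IP-Address is outside the pools we route
    (the RFC 2865 'NAS selects' and 'user negotiates' values are allowed)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    special = {ipaddress.IPv4Address("255.255.255.254"),
               ipaddress.IPv4Address("255.255.255.255")}
    for t, v in attrs:
        if t != FRAMED_IP_ADDRESS:
            continue
        if len(v) != 4:
            return False
        addr = ipaddress.IPv4Address(v)
        if addr not in special and not any(addr in n for n in nets):
            return False
    return True
```

Because the load factor counts outstanding requests rather than throughput, a remote host that silently drops packets keeps accumulating load and is passed over as soon as another host has fewer requests in flight; the reply check is the kind of filter the note above says the server itself does not apply.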

3.6 MultiHome configuration

RADIUS-VMS can serve additional (secondary) IP addresses bound to the primary physical interface. For example, under PSC TCPware 5.4-3 you can add a secondary interface with:


 $ netcu start/ip psd-0 172.16.0.45 255.255.0.0 ewa-0

In RADIUS_CONFIG you must add a definition of the additional "home" to make requests arriving at that address available for processing. For every home, RADIUS-VMS starts as many threads as the RADIUS_NUMTHREADS logical name defines. The syntax and example definitions follow:

 !++ 
 ! 
 ! define home <ip_name_or_ip_address> - 
 !  /auth_port=<port_number> - 
 !  /acct_port=<port_number> - 
 !  /receive_buffer_size=<receive_buffer_size_in_bytes> 
 ! 
 !-- 

Option               Description
AUTH_PORT            The UDP port number on which the home receives authentication requests.
ACCT_PORT            The UDP port number on which the home receives accounting requests.
RECEIVE_BUFFER_SIZE  The receive buffer size for every network device linked with the IP address and the UDP ports. The maximum value is 65535 bytes.


 define home 172.16.0.45 - 
  /auth_port=1645 - 
  /acct_port=1646 
 
 define home 172.16.0.44 - 
  /auth_port=1812 
 
 define home 172.16.0.45 - 
  /acct_port=1813 - 
  /receive_buffer_size=16384 

Note

The maximum number of homes is 8, including the default home.


Chapter 4
RADIUS-VMS control.

The RADCP utility controls the RADIUS-VMS server. Its commands and qualifiers are:

RADCP command     Description
HELP              Help on RADCP utility commands.
SHUTDOWN          Shuts the server down.
RESET             Forces the server to reopen the RADIUS_USERS, RADIUS_ACCOUNTING and RADIUS_ACCBIN files.
RESTART           Requests a full restart of the RADIUS-VMS server.
LOOP              Sends a test authentication request to the server.
/NODE=(node,...)  Sends the command to the RADIUS-VMS server on the specified node(s).
/CLUSTER          Notifies all servers in the cluster.

Example:


 $ radcp shutdown
 ... 
 $ radcp reset/cluster


Chapter 5
Accounting.

RADIUS-VMS originally provided accounting in two formats: the traditional VMS ACCOUNTING format and the .DETAIL format inherited from the Livingston RADIUS server. Starting with 2.5x, the .DETAIL file is no longer written by the server; use the RADACC utility (Section 5.1) to generate .DETAIL-format files from the binary accounting data.

Note

Under some circumstances duplicate records can appear in both accounting files.

An example of the accounting record for one user session follows:


 $ acc radius_accounting/id=32015396/full
 
          NETWORK Process Termination 
          --------------------------- 
          Username: CC_RRL                         UIC: [PUBLIC,CC_RRL] 
          Account:                 Finish time: 29-JAN-1999 00:02:23.94 
          Process ID: 32015396      Start time: 28-JAN-1999 23:56:58.94 
          Owner ID:                         Elapsed time: 0 00:05:25.00 
          Terminal name: ISDN             Processor time: 0 00:00:00.00 
          Remote node addr:                                 Priority: 0 
          Remote node name:                 Privilege <31-00>: 00000000 
          Remote ID:                        Privilege <63-32>: 00000000 
          Remote full name: modem106.somewhere.net 
          Queue entry: 18                   Final status code: 00000001 
          Queue name: nas806.somewhere.net 
          Job name: PPP 
          Final status text: %SYSTEM-S-NORMAL, normal successful completion 
 
          Page faults: 38400                             Direct IO: 404 
          Page fault reads: 0                          Buffered IO: 363 
          Peak working set: 0                        Volumes mounted: 0 
          Peak page file: 0                          Images executed: 0 

The original set of attributes for the same session follows:


 ... 
Fri Jan 29 00:02:23 1999 
          Acct-Session-Id = "32015396" 
          User-Name = "CC_RRL" 
          NAS-IP-Address = 172.16.1.30 
          NAS-Port = 18 
          NAS-Port-Type = ISDN 
          Acct-Status-Type = Stop 
          Acct-Session-Time = 325 
          Acct-Authentic = RADIUS 
          Acct-Input-Octets = 404 
          Acct-Output-Octets = 363 
          Acct-Terminate-Cause = User-Request 
          Connection-Info = "38400/V42bis" 
          Vendor-Specific = 307 
          Service-Type = Framed-User 
          Framed-Protocol = PPP 
          Framed-IP-Address = 172.17.1.32 
          Acct-Delay-Time = 0 
          Timestamp = 917589743 

The following table shows the correspondence between the fields and the source of the information. Reports can be produced with the VMS ACCOUNTING utility or with the DEC DATATRIEVE report generator (see RADIUS_ACCOUNTING.DTR).

RADIUS_ACCOUNTING field   RADIUS_DETAIL source
Username                  User-Name
Account                   (from SYSUAF or RADIUS_REALMS)
UIC                       (from SYSUAF)
Process ID                Acct-Session-Id
Page faults               Connection speed (taken from Connection-Info)
Direct IO                 Acct-Input-Octets
Buffered IO               Acct-Output-Octets
Remote full name          Framed-IP-Address or Login-Host
Queue entry               NAS-Port
Queue name                Client name from RADIUS_CONFIG
Job name                  Framed-Protocol or Login-Service
Finish time               Date of record
Start time                Computed as Date of record - Acct-Session-Time - Acct-Delay-Time
Final status code         Acct-Terminate-Cause

Note

A session with zero elapsed time is recorded in ACCOUNTING as a failed login attempt. Use the ACCOUNTING qualifier /TYPE=LOGFAIL to select these records.
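The following Python is an added example, not RADIUS-VMS or RADACC code. It parses one record in the .DETAIL layout shown above (a constructed copy of the sample record) and derives the VMS ACCOUNTING fields from the table, including the start-time formula and the LOGFAIL rule from the note. The Acct-Terminate-Cause numbering follows RFC 2866; taking the connection speed as the leading digits of Connection-Info (the server uses the client's /CONNECTION_INFO offset) and skipping the reverse DNS lookup for "Remote full name" are assumptions.

```python
"""Added example (not RADIUS-VMS code): map one RADIUS accounting Stop record
in the .DETAIL layout to the VMS ACCOUNTING fields of the table above.  The
field mapping, the start-time formula and the zero-elapsed-time LOGFAIL rule
are taken from the section; the Acct-Terminate-Cause numbering is RFC 2866.
Assumptions: the speed is the leading digits of Connection-Info (the server
uses the client's /CONNECTION_INFO offset) and no reverse DNS is done."""
import re
from datetime import datetime, timedelta, timezone

TERMINATE_CAUSE = {   # RFC 2866 section 5.10
    "User-Request": 1, "Lost-Carrier": 2, "Lost-Service": 3, "Idle-Timeout": 4,
    "Session-Timeout": 5, "Admin-Reset": 6, "Admin-Reboot": 7, "Port-Error": 8,
    "NAS-Error": 9, "NAS-Request": 10, "NAS-Reboot": 11, "Port-Unneeded": 12,
    "Port-Preempted": 13, "Port-Suspended": 14, "Service-Unavailable": 15,
    "Callback": 16, "User-Error": 17, "Host-Request": 18,
}

# Constructed sample record in the .DETAIL layout shown above.
SAMPLE_DETAIL = """Fri Jan 29 00:02:23 1999
        Acct-Session-Id = "32015396"
        User-Name = "CC_RRL"
        NAS-IP-Address = 172.16.1.30
        NAS-Port = 18
        Acct-Status-Type = Stop
        Acct-Session-Time = 325
        Acct-Input-Octets = 404
        Acct-Output-Octets = 363
        Acct-Terminate-Cause = User-Request
        Connection-Info = "38400/V42bis"
        Framed-Protocol = PPP
        Framed-IP-Address = 172.17.1.32
        Acct-Delay-Time = 0
        Timestamp = 917589743
"""
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')

def parse_detail(text):
    """One record -> {attribute: value}; the first line is the readable date."""
    rec = {}
    for line in text.splitlines()[1:]:
        m = ATTR_RE.match(line)
        if m:
            rec[m.group(1)] = m.group(2)
    return rec

def connection_speed(info):
    """Leading integer of Connection-Info, 0 when absent (assumption, see above)."""
    m = re.match(r"\s*(\d+)", info or "")
    return int(m.group(1)) if m else 0

def vms_date(epoch):
    """Epoch seconds in VMS date style; UTC here, the server writes local time."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%d-%b-%Y %H:%M:%S").upper()

def to_vms_accounting(rec, clients):
    """Build the VMS ACCOUNTING view of a Stop record.
    clients: {NAS-IP-Address: client name from RADIUS_CONFIG} for 'Queue name'."""
    if rec.get("Acct-Status-Type") != "Stop":
        raise ValueError("only Stop records close a session")
    finish = int(rec["Timestamp"])
    elapsed = int(rec.get("Acct-Session-Time", 0))
    delay = int(rec.get("Acct-Delay-Time", 0))
    start = finish - elapsed - delay            # documented formula
    nas = rec.get("NAS-IP-Address", "")
    return {
        "Username": rec["User-Name"],
        "Process ID": rec["Acct-Session-Id"],
        "Page faults": connection_speed(rec.get("Connection-Info")),
        "Direct IO": int(rec.get("Acct-Input-Octets", 0)),
        "Buffered IO": int(rec.get("Acct-Output-Octets", 0)),
        "Remote full name": rec.get("Framed-IP-Address") or rec.get("Login-Host", ""),
        "Queue entry": int(rec.get("NAS-Port", 0)),
        "Queue name": clients.get(nas, nas),
        "Job name": rec.get("Framed-Protocol") or rec.get("Login-Service", ""),
        "Finish time": vms_date(finish),
        "Start time": vms_date(start),
        "Start epoch": start,
        "Elapsed time": str(timedelta(seconds=elapsed)),
        "Final status code": TERMINATE_CAUSE.get(rec.get("Acct-Terminate-Cause"), 0),
        # zero elapsed time is filed as a failed login (select with /TYPE=LOGFAIL)
        "Record type": "LOGFAIL" if elapsed == 0 else "PROCESS",
    }
```

Only Stop records are converted, because a Start record carries no session time and would otherwise be filed as a failed login; feed the function a Stop record and the client map built from RADIUS_CONFIG to reproduce the "Queue name" column.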

5.1 A RADIUS-VMS Accounting utility - RADACC.EXE

Starting with RADIUS-VMS version 2.5B the RADIUS_DETAIL file is no longer generated; instead all accounting information is stored in binary format in the RADIUS_ACCBIN file. The binary format speeds up processing of accounting information and increases RADIUS-VMS throughput. The RADACC utility options are:

RADACC option                          Description
/SINCE[=time]                          Selects all records time-stamped at or after the specified time.
/BEFORE[=time]                         Selects all records time-stamped before the specified time.
/ALL                                   Shows all attributes of the selected records.
/CLIENT_IP_ADDRESS=<ip_address_list>   Selects all records for the specified client IP address(es).
/STRIP_REALM=<realm_list>              Strips the specified realms from usernames.
/OUTPUT[=filespec]                     Specifies the output file.
/APPEND                                Appends the selected records to an existing file.
/CLID=<calling_id>                     Selects records with the specified Calling Id.
/FORMAT=<CSL|TRADITIONAL>              Selects comma-separated list or traditional output format.

