RADIUS 2.01 for OpenVMS porting notes

-------------------
Features
-------------------

- Full support of Livingston's RADIUS 2.0 specification
- SYSUAF based authentication
- AUDIT + OPCOM messaging
- Highest security based on VMS INTRUSION DETECTION
- Use of rights identifiers for additional authorization
- Session limit checking support
- Connection speed checking support
- Accounting based on VMS ACCOUNTING with full tracking of user/NAS/port activities
- Works in a cluster environment with shared data files
- Flexible maintenance procedures for non-stop operation
- High performance with a large USERS file
- Caching of IP names for reverse lookups
- All files produced by RADIUS are fully documented for writing your own utilities
- This port is supported by the author for a reasonable fee
- Any new features can be added at your request ASAP

-------------------
Requirements
-------------------

OS:       OpenVMS 6.1 or later (VAX/Alpha)
Priv:     SECURITY      - for intrusion detection scanning
          SYSPRV        - for access to SYSUAF.DAT
          NETMBX,TMPMBX - usual
          OPER,WORLD    - for sending to OPCOM
TCP/IP support: UCX (tested), TCPware-TCP (tested).
Compiler: DEC C 5.0 or later

-------------------
Installation
-------------------

* I.   Put the distribution kit (Zip file) in a dedicated directory for RADIUS, unpack it and build the executable image of the RADIUS server.

* II.  Revise and edit RADIUS_STARTUP.COM and RADIUS_START.COM from the distribution kit.

* III. Create a special account entry in SYSUAF for RADIUS as follows:

       Username: INET_RADIUS                      Owner:  RADIUS Server
       Account:  TCP-IP                           UIC:    [375,302] ([INET,INET_RADIUS])
       CLI:      DCL                              Tables: DCLTABLES
       Default:  INET$ROOT:[RADIUS]
       LGICMD:   LOGIN
       Flags:    Restricted
       Primary days:   Mon Tue Wed Thu Fri
       Secondary days:                     Sat Sun
       Primary   000000000011111111112222  Secondary 000000000011111111112222
       Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
       Network:  ##### Full access ######  ##### Full access ######
       Batch:    ----- No access ------    ----- No access ------
       Local:    ----- No access ------    ----- No access ------
       Dialup:   ----- No access ------    ----- No access ------
       Remote:   ----- No access ------    ----- No access ------
       Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
       Pwdlifetime:           (none)    Pwdchange:   (pre-expired)
       Last Login:            (none) (interactive), 29-OCT-1998 11:50 (non-interactive)
       Maxjobs:         0  Fillm:       300  Bytlm:        32768
       Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
       Maxdetach:       0  BIOlm:        40  JTquota:       4096
       Prclm:           8  DIOlm:        40  WSdef:          256
       Prio:            6  ASTlm:        40  WSquo:          256
       Queprio:         0  TQElm:        40  WSextent:       512
       CPU:        (none)  Enqlm:      2000  Pgflquo:      32768
       Authorized Privileges:
         NETMBX    SECURITY  SYSPRV    TMPMBX    OPER      WORLD
       Default Privileges:
         NETMBX    SECURITY  SYSPRV    TMPMBX    OPER      WORLD

* IV.  Optionally, add two entries to the SERVICES file; an example for TCPware-TCP follows:

       ...
       radius   1645/udp
       radact   1646/udp
       ...

* V.   Edit the CLIENTS file from the RADIUS distribution kit to add the IP names of your Network Access Servers and their "shared secret" (don't forget that the maximum length of the "shared secret" cannot be more than 8 bytes).

* VI.  Start the RADIUS server with RADIUS_STARTUP.COM as a detached process, or, for debugging purposes, run RADIUS_START.COM from the command line.

* VII. Use the RT.EXE utility to ensure that RADIUS can see the USERS/CLIENTS/DICTIONARY files.

-------------------
Changes & Additions
-------------------

* I.   This version of RADIUS can use SYSUAF for the authentication and authorization task by calling the sys$getuai system service.
       This feature of the server is activated by parameters in the RADIUS USERS. file as follows:

       ...
       rrl     Auth-Type = System
       ...

       or

       ...
       DEFAULT Password = "UNIX"      (Password = "VMS" can be used as well)
       ...

       During the authentication phase of the login procedure the server checks the following SYSUAF parameters: /FLAG=(DISUSER,RESTRICTED), /EXPIRATION=time, /DIALUP=range, /PRIMEDAYS=([NO]day[,...]), /PASSWORD. If the login is not allowed by the UAF, intrusion information is stored for use at the next attempt. At the successful end of this phase the "Last login: non-interactive" field is updated for this user in SYSUAF. All login failures are stored in the VMS AUDIT database; use the ANALYZE/AUDIT utility to search and retrieve this information.

       *NOTE:
       - There is a natural limitation on parameter lengths: username <= 12, password <= 32 bytes.
       - A username containing a space or tab is not allowed.

* II.  Three special SYSUAF rights identifiers can be used for additional authorization of users:

       56K      - for users with connection speed in the range 33600 to 56K (56*1024)
       ISDN     - for users with an ISDN type of connection (as given by NAS-Port-Type)
       DUALPORT - equivalent to "MAX-Session-Limit = 2" in the RADIUS USERS file.

       *NOTE:
       - If no IDs are defined in SYSUAF, the check is not performed!!
       - This check is performed for SYSUAF users only!!!
       - The connection speed value is taken from the "Connect-Info" attribute; check the documentation of your equipment for its ability to provide this information!!!
       - DUALPORT overrides MAX-Session-Limit in the RADIUS USERS file.

* III. This server also stores accounting information in an additional file which can be read by the VMS ACCOUNTING utility as usual. An accounting record is created at the end of a session (see "Acct-Status-Type = Stop" in the DETAIL file).

       *NOTE:
       - A session with zero elapsed time is recorded as a LOGIN FAILURE, with elapsed time 0 00:00:00.95!!!
       - Don't try to put information into the VMS system accounting file by defining radius_accounting as sys$manager:accountng.dat!!!

* IV.  VMS Accounting

       This is an example of an accounting record in the RADIUS_ACCOUNTING file:

       NETWORK Process Termination
       ---------------------------
       Username:          CC_RRL            UIC:                [PUBLIC,CC_RRL]
       Account:                             Finish time:        29-JAN-1999 00:02:23.94
       Process ID:        32015396          Start time:         28-JAN-1999 23:56:58.94
       Owner ID:                            Elapsed time:       0 00:05:25.00
       Terminal name:     ISDN              Processor time:     0 00:00:00.00
       Remote node addr:                    Priority:           0
       Remote node name:                    Privilege <31-00>:  00000000
       Remote ID:                           Privilege <63-32>:  00000000
       Remote full name:  modem106.somewhere.net
       Queue entry:       18                Final status code:  00000001
       Queue name:        nas806.somewhere.net
       Job name:          PPP
       Final status text: %SYSTEM-S-NORMAL, normal successful completion
       Page faults:       38400             Direct IO:          404
       Page fault reads:  0                 Buffered IO:        363
       Peak working set:  0                 Volumes mounted:    0
       Peak page file:    0                 Images executed:    0

       This is the record which was put in the .DETAIL file:

       Fri Jan 29 00:02:23 1999
               Acct-Session-Id = "32015396"
               User-Name = "CC_RRL"
               NAS-IP-Address = 172.16.1.30
               NAS-Port = 18
               NAS-Port-Type = ISDN
               Acct-Status-Type = Stop
               Acct-Session-Time = 325
               Acct-Authentic = RADIUS
               Acct-Input-Octets = 404
               Acct-Output-Octets = 363
               Acct-Terminate-Cause = User-Request
               Connection-Info = "38400/V42bis"
               Vendor-Specific = 307
               Service-Type = Framed-User
               Framed-Protocol = PPP
               Framed-IP-Address = 172.17.1.32
               Acct-Delay-Time = 0
               Timestamp = 917589743
               Request-Authenticator = Unverified

       ----------------------------------------------------------------------
       VMS Accounting field      |.EQ.| RADIUS Accounting
       ----------------------------------------------------------------------
       Username                  |      User-Name
       Account (from SYSUAF)     |
       UIC (from SYSUAF)         |
       Process ID                |      Acct-Session-Id
       Page faults               |      Connection-Info
       Direct IO                 |      Acct-Input-Octets
       Buffered IO               |      Acct-Output-Octets
       Remote full name          |      Framed-IP-Address (resolved)
       Queue entry               |      NAS-Port
       Queue name                |      NAS-IP-Address (resolved)
       Job name                  |      Framed-Protocol
       Finish time               |      Date of record
       Start time                |      Date of record - Acct-Session-Time
       Final status code         |      Acct-Terminate-Cause
       ----------------------------------------------------------------------

       *NOTE:
       - A session with zero elapsed time will be recorded in ACCOUNTING as a failed login attempt.
       - Don't use prefixes in the USERS file.
       - The RADIUS_ACCOUNTING file is reopened at 24:00:00 every calendar day; you can use this to recreate RADIUS_ACCOUNTING.

* V.   This version does not allow password changing by RADPASS or similar facilities.

* VI.  This port can check a maximum session limit if the USERS. file contains the MAX-Session-Limit parameter as a "Check Item" for a particular user. This check is performed using information from the RADIUS_CURRENT file. Please use this feature with care: a session is "started" when the "Start" accounting packet is received from the NAS, and closed when the "Stop" packet is received from the NAS. The equipment of some vendors sends these packets with a large delay, for example the 3Com/USR TC. There are several reasons for this: high CPU and I/O load on the system where RADIUS/ACCT lives, and incorrect behaviour of the NAS's embedded software.

* VII. Optimization issues

       All critical file I/O has been rewritten with RMS I/O; in particular, access to the USERS. file is controlled by the following discipline: the USERS. file is opened at server start; while the server runs the USERS. file stays open; every 10 minutes (0 00:10:00.00) the file is marked as expired by setting a special flag; when the next request arrives the file is reopened and the expiration flag is cleared.
       This discipline reduces the overhead of opening the file while processing each authentication request, and takes advantage of buffered I/O with a large number of RMS buffers.

       All IP-to-NAME (reverse resolving) translation requests use a cache.

-------------------
Logicals
-------------------

RADIUS_DIR                  - root RADIUS directory
RADACCT_DIR                 - where .DETAIL files will be placed
RADIUS_ACCOUNTING           - accounting file in VMS ACCOUNTING format
RADIUS_DICTIONARY           - RADIUS dictionary file
RADIUS_CLIENTS              - RADIUS clients file
RADIUS_USERS                - RADIUS users file
RADIUS_LOGFILE              - RADIUS log file
RADIUS_DEBUG                - put debug information in the log file
RADIUS_DISABLE_RIGHTSCHECK  - existence of this logical disables checking of all IDs in SYSUAF
RADIUS_DISABLE_SESSIONLIMIT - existence of this logical disables checking of the session limit
RADIUS_CURRENT              - file which contains "show session"-like information about user activity on NAS ports
RADIUS_NODETAIL             - disable writing accounting information to .DETAIL files

-------------------
Appendix
-------------------

* A. Authentication flow (USERS.: Auth-Type = System, or Password = "UNIX", or Password = "VMS")

Performed by vms_stuff/vms_login():

*NOTE:
- The username and password pair is NOT case-sensitive during checking.
- The type of login is DIALUP.

Step 0.0: IF NO_USER in SYSUAF - put user in intruders list with No Such User status, alarm event, reject.
Step 0.1: IF (DISUSER or RESTRICTED) or (EXPIRATION < current time) - put user in intruders list with Invalid Login status, audit+alarm events, reject.
Step 0.2: IF (PASSWORD is INVALID) - put user in intruders list with Authentication Fail status, audit+alarm events, reject.
Step 0.3: IF (USER in INTRUDER LIST) - reject.
Step 0.4: IF (DIALUP login is not allowed at this time) - put user in intruders list with Invalid Login Time status, audit+alarm events, reject.
Step 0.5: You Are Welcome!!!
          - the "Last login: non-interactive" field in SYSUAF.DAT is modified for this user; this fact is registered by AUDIT as well. :)

Performed by vms_stuff/vms_right():

Step 2.0: IF (USER connection speed < 33600) - skip to Step 3.0.
Step 2.1: IF (USER connection speed within [33600 ... 56*1024]) && (USER doesn't have 56K) - send message to OPCOM; reject.
Step 2.2: IF (USER connection type > 1) && (USER doesn't have ISDN rights id) - send message to OPCOM; reject.
Step 3.0: IF (USER has DUALPORT rights id) - set MAX-Session-Limit = 2 for this user.

*NOTE:
- IF no IDs are defined in the rights list, the result of the check by vms_right() is TRUE!!!

Performed by vms_stuff/vms_get_stat():

Step 4.0: IF (USER tries to get sessions > MAX-Session-Limit) - send message to OPCOM; reject.

-------------------
Limitations
-------------------

* A. Use of RADIUS prefixes is not allowed!!! Suffixes must start with the character '%'!!!

* B. There is a natural limitation on parameter lengths: username <= 12, password <= 32 bytes. A username containing a space or tab is not allowed and will cause an authentication error.

-------------------
FAQ
-------------------

* Q1. Why can't we allow password change by RADPASS?
  A1. This functionality will probably be added later.

* Q2. Are we recording login failures somewhere?
  A2. This information is recorded in the AUDIT SECURITY journal; you can search and retrieve it with the VMS ANALYZE/AUDIT facility. In addition, a session with zero elapsed time will be recorded in ACCOUNTING as a failed login attempt. To retrieve that information use ACCOUNTING /TYPE=LOGFAIL ...

* Q3. How easy will it be to install and maintain?
  A3. As easy as RADIUS 1.16. In addition, read these notes with attention; otherwise don't hesitate to call support. :))

* Q4. Will there be any way to see who is currently online, or to look up an individual user and figure out what his IP address is? (Then we can do some cool CGI stuff for them, i.e.
      say "You've got mail" when he opens our homepage.)
  A4. This functionality is not present in the original RADIUS at all; there is no simple and dependable way to keep and maintain this information. But this functionality is present in this version. The information is stored in the file RADIUS_CURRENT, which you can display with TYPE, or write a small DCL procedure if you need to periodically display NAS/port usage.

      Format of the RADIUS_CURRENT file:

      Offset  Length  Name         Description
      0       15      NAS_ip       NAS's IP address
      16      3       NAS_port     NAS's port number
      20      32      NAS_ipname   NAS's IP name if resolved, otherwise the IP address
      54      12      User         Username
      67      15      Framed-IP    Framed IP address (not resolved) assigned to the client during login

      Use the RADIUS_LOOKUP.C program as an example of using information from the RADIUS_CURRENT file.

-------------------
Troubleshooting
-------------------

* 11-JAN-1999
  Fixed bug with /EXPIRATION date checking.

* accounting: could not append to file radacct_dir:.detail
* 19-JAN-1999
  Fixed some incorrectness in the ACCT.C module: if the .DETAIL file was locked, accounting was not written at all. This caused accumulation of "busy" lines and exceeding of the session limit.
  Added the GBC file attribute to radius_current to improve access speed.

* 22-JAN-1999
  Added logicals to disable writing information to the radacct_dir:.detail files.

* "-ACC-W-INVTIME, record XXX has time in the future"
* 29-JAN-1999
  Fixed a bug with buffer overflow while copying the username in ACCT.C; this overflow caused the "-ACC-W-INVTIME, record XXX has time in the future" error message when the VMS ACCOUNTING utility is used with the radius_accounting.dat file.
  Some modifications in VMS_STUFF.C/vms_accounting(): now all information from the .DETAIL file is gathered into separate fields. This is more useful for selection.
  Some modifications in the RADIUS.C module for DEC C 6.0/VAX compiler compatibility.
* 1-FEB-1999
  Disabled reverse lookup in the ACCT.C module for Framed-IP-Address and NAS-Address: gethostbyaddr() takes a very long time to execute, which is enough to lose accounting information. Yet another reason for losing session information is DNS inaccessibility (during restart, crash etc.), because RADIUS uses reverse lookup for IP-to-NAME translation and uses the NAME to retrieve the "shared secret" from the CLIENTS file.

* 2-FEB-1999
  vms_stuff.c/vms_get_stat(): if the user/nas_ip/port of a record are equal to the same parameters being checked, the session count is not incremented.

* 3-FEB-1999
  radiusd.c/rad_authenticate(): fixed a bug with an auth packet that contains no NAS-Port attribute; this caused an ACCVIO error at line 10480.

* 5-FEB-1999
  Some modifications in UTIL.C/ip_hostname(), VMS_STUFF.C/vms_alarm(), LOG.C/log_msg(). DNS cache capability.

* 19-FEB-1999
  Created two versions of RADIUS: basic and enhanced.

  BASIC version:
  - SYSUAF based authentication
  - AUDIT + OPCOM messaging
  - Highest security based on VMS INTRUSION DETECTION
  - Accounting based on VMS ACCOUNTING with full tracking of user/NAS/port activities

  ENHANCED version:
  - Use of rights identifiers for additional authorization
  - Session limit checking support
  - Connection speed checking support

* 28-FEB-1999
  Some changes in radiusd.c/rad_authenticate() to prevent session limit checking if the received auth packet does not contain a port type. This fix allows use of the Linux PAM module which authenticates local users by requests to the RADIUS server.

-------------------
To Do
-------------------

* I. Resting...

C U
SysMan (MailTo:"Ruslan R. Laishev" ).
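The RADIUS_CURRENT layout given in A4 and the session-limit check of Appendix step 4.0 (including the 2-FEB-1999 rule that a record for the same user/NAS/port is not counted again), as an added Python example; this is not code from the port and assumes each RADIUS_CURRENT record is one space-padded line at the documented offsets.

```python
"""Fixed-width RADIUS_CURRENT parser plus the MAX-Session-Limit check.
Added example, not code from the port; assumes one space-padded record
per line at the offsets documented in A4."""
from collections import namedtuple

# (name, offset, length) as documented for the RADIUS_CURRENT file
LAYOUT = (("nas_ip", 0, 15), ("nas_port", 16, 3), ("nas_ipname", 20, 32),
          ("user", 54, 12), ("framed_ip", 67, 15))
Session = namedtuple("Session", [f[0] for f in LAYOUT])

def parse_record(line):
    """Slice one record; short lines are padded so every field exists."""
    line = line.rstrip("\r\n").ljust(82)
    return Session(*(line[off:off + ln].strip() for _, off, ln in LAYOUT))

def parse_current(text):
    """Parse the whole file, skipping blank lines."""
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def online_addresses(sessions, user):
    """Q4: the Framed IP addresses this user holds right now."""
    return [s.framed_ip for s in sessions if s.user.upper() == user.upper()]

def session_limit_ok(sessions, user, nas_ip, nas_port, limit, dualport=False):
    """Appendix step 4.0: accept only if the new session keeps the user
    within MAX-Session-Limit. DUALPORT overrides the USERS. limit with 2;
    no limit at all skips the check. A record for the very same
    user/NAS/port is not counted (2-FEB-1999 fix), so a re-authentication
    on an already open port is not treated as a second session."""
    if dualport:
        limit = 2
    if limit is None:
        return True
    active = sum(1 for s in sessions
                 if s.user.upper() == user.upper()
                 and not (s.nas_ip == nas_ip and s.nas_port == nas_port))
    return active + 1 <= limit

def _rec(nas_ip, port, name, user, framed):
    """Build a constructed sample record at the documented offsets."""
    return (nas_ip.ljust(16) + port.ljust(4) + name.ljust(34)
            + user.ljust(13) + framed)

# Constructed sample: CC_RRL holds two ports on nas806, OTHER holds one.
SAMPLE = "\n".join([
    _rec("172.16.1.30", "18", "nas806.somewhere.net", "CC_RRL", "172.17.1.32"),
    _rec("172.16.1.30", "19", "nas806.somewhere.net", "CC_RRL", "172.17.1.33"),
    _rec("172.16.1.31", "5", "172.16.1.31", "OTHER", "172.17.1.40"),
])
```

Because RADIUS_CURRENT only changes on Start/Stop accounting packets, a delayed Stop from the NAS keeps a stale record in the file and the check will reject a legitimate new session until it arrives, which is the caveat VI above describes.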