DECThreads RADIUS VMS 2.01 for OpenVMS

-------------------
Requirements
-------------------

OS: OpenVMS 6.2 or later (VAX/Alpha)

Priv: SECURITY       - for intrusion detection ($SCAN_INTRUSION)
      SYSPRV         - for access to SYSUAF.DAT
      NETMBX,TMPMBX  - as usual
      OPER,WORLD     - for sending messages to OPCOM

TCP/IP support: UCX (tested with 4.1), TCPware-TCP (tested with 5.3-3),
Multinet (tested with 4.1B); expected to work with any VMS TCP/IP stack
that supports emulation of the BG device.

Compiler: DEC C 5.7 or later

Optional: MadGoat Make Utility (MMK) or DEC MMS

-------------------
Features
-------------------

- Support of the main features of Livingston's RADIUS 2.01
- SYSUAF-based authentication
- AUDIT + OPCOM messaging
- Security based on VMS facilities
- Use of rights identifiers for additional authorization
- Session limit checking & authorization
- Connection speed authorization by special rights identifier
- Accounting of user/NAS/port activity in VMS ACCOUNTING format and
  ..in the traditional RADIUS .DETAIL format
- Works in a cluster environment with shared data files
- High performance with a large USERS file
- File I/O using the VMS RMS interface
- Network I/O using the VMS $QIO interface
- Multithreaded using DECThreads (up to 128 concurrent threads),
  ..kernel threads under VMS/Alpha 7.x and later
- Full caching of the CLIENTS and REALMS files
- Realms support, and additional authorization by rights identifier
- iPass global Internet roaming authentication support
- "Proxy-State" attribute support
- All files produced by RADIUS are fully documented, so you can
  ..write your own utilities
- Support for user-written authentication/authorization and accounting
  ..procedures
- Any new features can be added at your request ASAP

-------------------
Installation
-------------------

* I. Put the distribution kit (Zip file) in a dedicated directory for
RADIUS, unpack it & build the executable image of the RADIUS server.

* II. Revise RADIUS_STARTUP.COM & RADIUS_START.COM from the distribution kit.

* III.
Optionally, add two entries to the SERVICES file; an example for TCPware-TCP
follows:

   ...
   radius    1645/udp
   radact    1646/udp
   ...

* IV. Edit the CLIENTS file from the RADIUS distribution kit to add the IP
names of your Network Access Servers and their "shared secret" (don't forget
that the maximum length of a "shared secret" is 8 bytes). Keep in mind that
8 bytes is well below the 16 octets RFC 2865 prefers for a shared secret, so
choose it at random from the full byte range rather than from a word list.

* V. Start the RADIUS server with RADIUS_STARTUP.COM as a detached process,
or, for debugging, run RADIUS_START.COM from the command line in the RADIUS
home directory.

* VI. Use the RT.EXE utility to make sure that RADIUS can see the
USERS/CLIENTS/DICTIONARY files:

   $ rt :== $radius_dir:rt
   $ rt laishev kozel$mozel StarLet.RadiusVMS.COM 1 01234567
   ....

-------------------
Changes & Additions
-------------------

* 0. Username is a character string which is expected in the form:

   username['%'suffix]['@'realm]

Examples:

   ZyzOp%PPP@DeltaTel.RU    - expected SYSUAF user ZyzOp
   C00lZyZop@RadiusVMS.COM  - expected SYSUAF user C00lZyZop
   SysMan%TELNET            - expected SYSUAF user SysMan

* I. This version of RADIUS uses SYSUAF for the authentication and
authorization task, via the sys$getuai system service. This feature of the
server can be activated by parameters in the RADIUS USERS. file as follows:

for a particular user:
   ...
   SysMan  Auth-Type = System
   ...

or by default for all users:
   ...
   DEFAULT Password = "VMS"     ( Password = "UNIX" can be used also)
   ...

During the authentication phase of the login procedure the server checks the
following SYSUAF parameters: /FLAG=(DISUSER,RESTRICTED), /EXPIRATION=time,
/NETWORK=range, /DIALUP=range, /PRIMEDAYS=([NO]day[,...]), /PASSWORD.

If the login is not allowed by the SYSUAF information, intrusion information
is stored for use at the next attempt. At the successful end of the login
phase the "Last login: non-interactive" field is updated for this user in
SYSUAF. All login failures are stored in the VMS AUDIT security journal; you
can use the ANALYZE/AUDIT utility to search for & retrieve this information.
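As an added example (not code from the RADIUS VMS kit), the C program below
splits a User-Name of the form shown under 0 above, applies the limits the
notes state (SYSUAF username of at most 12 bytes, no space, tab or other
control characters, a suffix only after '%'), and maps the '@realm' part to a
VMS rights identifier using a table in the REALMS. format described under VII
below. The function names, the exact-match realm comparison and the sample
table contents are this example's own assumptions.

```c
/* Added example, not code from the RADIUS VMS kit: split a User-Name of the
 * form  username['%'suffix]['@'realm], enforce the documented limits and map
 * the realm to a VMS rights identifier from a REALMS.-style table. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define RAD_USER_MAX 12               /* SYSUAF username limit from the notes */

struct rad_name {
    char user[RAD_USER_MAX + 1];      /* SYSUAF username, e.g. ZyzOp          */
    char suffix[32];                  /* text after '%' (PPP, TELNET) or ""   */
    char realm[64];                   /* text after '@' (DeltaTel.RU) or ""   */
};

/* Copy [s, e) into dst; 0 if the piece is empty or does not fit. */
static int copy_part(char *dst, size_t dstsz, const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    if (n == 0 || n >= dstsz)
        return 0;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 1;
}

/* Split a RADIUS User-Name; 1 if acceptable, 0 if it must be rejected. */
int rad_parse_username(const char *in, struct rad_name *out)
{
    const char *p, *pct, *at, *end;
    memset(out, 0, sizeof *out);
    if (in == NULL || *in == '\0')
        return 0;
    for (p = in; *p; p++)             /* no space, tab or other control chars */
        if (*p == ' ' || iscntrl((unsigned char)*p))
            return 0;
    end = in + strlen(in);
    pct = strchr(in, '%');
    at  = strchr(in, '@');
    if (pct && at && at < pct)        /* '@realm' must come after '%suffix'   */
        return 0;
    /* The SYSUAF username is everything before the first '%' or '@'. */
    if (!copy_part(out->user, sizeof out->user, in, pct ? pct : (at ? at : end)))
        return 0;
    if (pct && !copy_part(out->suffix, sizeof out->suffix, pct + 1, at ? at : end))
        return 0;
    if (at && !copy_part(out->realm, sizeof out->realm, at + 1, end))
        return 0;
    return 1;
}

/* Constructed sample table in the REALMS. format shown under VII below. */
const char sample_realms[] =
    "#\n#Realm Name          VMS RightID\n#----------------    -------------------\n"
    "DeltaTel.RU          DeltaTel_ID\nDLS.NET              DLS_ID\n"
    "RadiusVMS.COM        RADIUSVMS_ID\n";

/* Find the rights identifier for a realm; '#' lines are comments.  Returns 1
 * and fills rightid on an exact match, 0 if the realm is unknown (reject). */
int rad_realm_rightid(const char *realms, const char *realm,
                      char *rightid, size_t rightid_sz)
{
    const char *line = realms, *eol;
    char buf[256], name[64], id[64];
    while (*line) {
        size_t len = (eol = strchr(line, '\n')) ? (size_t)(eol - line) : strlen(line);
        if (len > 0 && len < sizeof buf && line[0] != '#') {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%63s %63s", name, id) == 2 && strcmp(name, realm) == 0) {
                snprintf(rightid, rightid_sz, "%s", id);
                return 1;
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

int main(void)
{
    const char *names[] = { "ZyzOp%PPP@DeltaTel.RU", "C00lZyZop@RadiusVMS.COM",
                            "SysMan%TELNET", "Zy Zop", "ThisNameIsTooLong@DLS.NET" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct rad_name n;
        char rid[64] = "-";
        int ok = rad_parse_username(names[i], &n) &&
                 (!n.realm[0] || rad_realm_rightid(sample_realms, n.realm, rid, sizeof rid));
        printf("%-26s %s user=%s suffix=%s realm=%s rightid=%s\n", names[i],
               ok ? "ACCEPT" : "REJECT", n.user, n.suffix, n.realm, rid);
    }
    return 0;
}
```

A user whose realm is absent from the table gets no rights identifier and is
rejected before any SYSUAF lookup, which matches the rule under VII that the
realm's identifier must be granted for the login to proceed.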
*NOTE:
  - There is a natural limitation on parameter length:
    ..username <= 12 bytes,
    ..password <= 32 bytes.
  - A username containing a space, tab or other control character
    ..is not allowed.

* II. Three special SYSUAF rights identifiers can be used for additional
authorization of users:

   56K      - for users with a connection speed in the range
              33600 ... 56K (56*1024)
   ISDN     - for users with an ISDN type of connection (per NAS-Port-Type)
   DUALPORT - equivalent to "MAX-Session-Limit = 2" in the RADIUS USERS file

*NOTE:
  - If no IDs are defined in SYSUAF, the check behaves as if the ID
    ..were missing!
  - This check is performed for SYSUAF users only!!!
  - The connection speed value is taken from the "Connect-Info"
    ..attribute; check the documentation of your equipment for its
    ..ability to supply this information!!!
  - DUALPORT overrides MAX-Session-Limit in the RADIUS USERS file.

* III. VMS Accounting

This is an example of an accounting record in the RADIUS_ACCOUNTING file:

NETWORK Process Termination
---------------------------
Username:           CC_RRL                   UIC:                [PUBLIC,CC_RRL]
Account:                                     Finish time:        29-JAN-1999 00:02:23.94
Process ID:         32015396                 Start time:         28-JAN-1999 23:56:58.94
Owner ID:                                    Elapsed time:                 0 00:05:25.00
Terminal name:      ISDN                     Processor time:               0 00:00:00.00
Remote node addr:                            Priority:           0
Remote node name:                            Privilege <31-00>:  00000000
Remote ID:                                   Privilege <63-32>:  00000000
Remote full name:   modem106.somewhere.net   Queue entry:        18
Final status code:  00000001                 Queue name:         nas806.somewhere.net
Job name:           PPP
Final status text:  %SYSTEM-S-NORMAL, normal successful completion
Page faults:        38400                    Direct IO:          404
Page fault reads:   0                        Buffered IO:        363
Peak working set:   0                        Volumes mounted:    0
Peak page file:     0                        Images executed:    0

This is the record which was put in the .DETAIL file:

Fri Jan 29 00:02:23 1999
        Acct-Session-Id = "32015396"
        User-Name = "CC_RRL"
        NAS-IP-Address = 172.16.1.30
        NAS-Port = 18
        NAS-Port-Type = ISDN
        Acct-Status-Type = Stop
        Acct-Session-Time = 325
        Acct-Authentic = RADIUS
        Acct-Input-Octets = 404
        Acct-Output-Octets = 363
        Acct-Terminate-Cause = User-Request
        Connection-Info = "38400/V42bis"
        Vendor-Specific = 307
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.17.1.32
        Acct-Delay-Time = 0
        Timestamp = 917589743
        Request-Authenticator = Unverified

----------------------------------------------------------------------
VMS Accounting field      |.EQ.| RADIUS Accounting
----------------------------------------------------------------------
Username                  |      User-Name
Account (from SYSUAF)     |
UIC (from SYSUAF)         |
Process ID                |      Acct-Session-Id
Page faults               |      Connection-Info
Direct IO                 |      Acct-Input-Octets
Buffered IO               |      Acct-Output-Octets
Remote full name          |      Framed-IP-Address (resolved) or Login-Host
Queue entry               |      NAS-Port
Queue name                |      NAS-IP-Address (resolved)
Job name                  |      Framed-Protocol or Login-Service
Finish time               |      Date of record
Start time                |      Date of record - Acct-Session-Time
Final status code         |      Acct-Terminate-Cause
----------------------------------------------------------------------

*NOTE:
  - A session with zero elapsed time is recorded in
    ..ACCOUNTING as a failed login attempt.
  - Don't use prefixes in the USERS file.
  - The RADIUS_ACCOUNTING file is reopened at 24:00:00 every calendar day;
    ..you can use this to recreate RADIUS_ACCOUNTING.

* IV. This server uses the NAS-Port and NAS-Port-Type attributes of incoming
packets to distinguish network logins from dial-up logins. This is useful
when the RADIUS VMS server is used as the main authentication center for
Linux (with a special PAM module) or MS IIS, which can use a RADIUS server
to authenticate clients. This server can work with the iPass
authentication/authorization center; in this case you can use REALMS support
for additional authorization.

*NOTE:
  - No session limit checking is performed for network logins.

* V. This version does not allow password changes by RADPASS or similar
facilities, but this feature can be added if requested.

* VI.
This server can check the maximum session limit if the MAX-Session-Limit
parameter is present in the USERS. file. This check is performed using
information from the RADIUS_CURRENT file: when a session starts, a record
describing the "busy" port at the NAS is put in RADIUS_CURRENT, and when
the session ends this record is cleared.

* VII. A new feature added in the last release is REALMS support. To use it,
create a REALMS. file and point to it with the logical RADIUS_REALMS. The
format of this file follows:

   #
   #Realm Name          VMS RightID
   #----------------    -------------------
   DeltaTel.RU          DeltaTel_ID
   DLS.NET              DLS_ID
   RadiusVMS.COM        RADIUSVMS_ID

If a username comes in the form ZyZop@DeltaTel.RU, "DeltaTel.RU" is used to
look up the VMS rights identifier; if the user has that rights identifier
(in this case DeltaTel_ID) granted, then he/she can log in.

-------------------
Logicals
-------------------

* A. A number of logicals are used to configure the RADIUS server.

RADIUS_DIR            - the root RADIUS directory
RADIUS_ACCOUNTING     - accounting file in VMS ACCOUNTING format
RADIUS_DICTIONARY     - the RADIUS dictionary file
RADIUS_CLIENTS        - the RADIUS clients file
RADIUS_REALMS         - the RADIUS realms file
RADIUS_DETAIL         - the RADIUS detail file
RADIUS_USERS          - the RADIUS users file
RADIUS_CURRENT        - file which contains "show session"-like information
                        about users on NAS ports
RADIUS_DEBUG          - if this logical exists, additional output is
                        produced for debugging purposes
RADIUS_DISABLE_SESSIONLIMIT
                      - if this logical exists, session limit checking
                        is disabled
RADIUS_DISABLE_RIGHTSCHECK
                      - if this logical exists, checking of any rights
                        identifier for users is disabled
RADIUS_NODETAIL       - if this logical exists, accounting information is
                        not written to the RADIUS_DETAIL file
RADIUS_DNS_LOOKUP     - if this logical exists, reverse DNS lookup is enabled
RADIUS_NUMTHREADS     - the number of accounting and authentication execution
                        threads; 1 accounting thread and 1 authentication
                        thread is the default. The maximum number of threads
                        is 128.

-------------------
Limitations
-------------------

* A. Use of RADIUS prefixes is not allowed !!! Suffixes must start with
the character '%' !!!

* B. There is a natural limitation on parameter length: username <= 12,
password <= 32 bytes. A username containing a space or tab is not allowed
and will cause an authentication error.

* C. This version does not support the MENU.

-------------------
Appendix
-------------------

* A. Authentication flow (USERS. : Auth-Type = System, or Password = "UNIX",
or Password = "VMS")

Performed by rad_vms_stuff/vms_login():

*NOTE:
  - The Password & Username pair is not case-sensitive during checking.
  - The type of login is DIALUP.

Step 0.0: IF NO_USER in SYSUAF - put user in intruders list with
          "No Such User" status, alarm event, reject.
Step 0.1: IF (DISUSER or RESTRICTED) or (EXPIRATION < current time) - put
          user in intruders list with "Invalid Login" status, audit+alarm
          events, reject.
Step 0.2: IF (PASSWORD is INVALID) - put user in intruders list with
          "Authentication Fail" status, audit+alarm events, reject.
Step 0.3: IF (USER in INTRUDER LIST) - reject.
Step 0.4: IF (DIALUP/NETWORK login is not allowed at this time) - put user
          in intruders list with "Invalid Login Time" status, audit+alarm
          events, reject.
Step 0.5: You Are Welcome!!! - update the "Last login: non-interactive"
          field in SYSUAF.DAT for this user; this fact is registered by
          AUDIT, also. :)

Performed by rad_vms_stuff/vms_right():

Step 2.0: IF (USER connection speed < 33600) - skip to Step 3.0.
Step 2.1: IF (USER connection speed within [33600 ... 56*1024]) && (USER
          doesn't hold the 56K rights identifier) - send message to OPCOM;
          reject.
Step 2.2: IF (USER connection type > 1) && (USER doesn't hold the ISDN
          rights identifier) - send message to OPCOM; reject.
Step 3.0: IF (USER holds the DUALPORT rights identifier) - set
          MAX-Session-Limit = 2 for this user.

*NOTE:
  - IF no IDs are defined in the rights list, the result of the check by
    ..vms_right() is FALSE!!!

-------------------
FAQ
-------------------

* Q1. Why can't we allow password changes by RADPASS?
  A1. This functionality will probably be added later.

* Q2. Are we recording login failures somewhere?
  A2. This information is recorded in the AUDIT SECURITY journal; you can
  search for & retrieve it with the VMS ANALYZE/AUDIT facility. In addition,
  a session with zero elapsed time is recorded in ACCOUNTING as a failed
  login attempt. To retrieve that information use ACCOUNTING /TYPE=LOGFAIL ...

* Q3. How easy will it be to install and maintain?
  A3. As easy as RADIUS 1.16. In addition, read these notes with attention;
  otherwise don't hesitate to call support. :))

* Q4. Will there be any way to see who is currently online, or to look up an
  individual user and figure out what his IP address is? (Then we can do
  some cool CGI stuff for them, i.e. say "You've got mail" when he opens our
  homepage.)
  A4. This functionality is not present in the original RADIUS at all; there
  is no simple and dependable way to keep and maintain this information.
  But this functionality is present in this version. The information is
  stored in the file RADIUS_CURRENT, which you can display with TYPE, or
  write a small DCL procedure if you need to display NAS/port usage
  periodically.

  Format of the RADIUS_CURRENT file:

  Offset  Length  Name        Description
  0       15      NAS_ip      NAS's IP address
  16      5       NAS_port    NAS's port number
  22      32      NAS_ipname  NAS's IP name if resolved, otherwise its
                              IP address
  56      12      User        Username
  69      15      Framed-IP   Framed IP address (not resolved) which was
                              assigned to the client during login

  Use the RADIUS_LOOKUP.C program as an example of using information from
  the RADIUS_CURRENT file.

* Q5.
Where can I find the latest version of the RADIUS-VMS server, and how do I
obtain support?
  A5. All the latest information about the RADIUS-VMS server can be found
  at the web site http://WWW.RadiusVMS.COM. There is a RADIUS-VMS mailing
  list which you can use to obtain support for free.

-------------------
Troubleshooting
-------------------

-------------------
Bug fixing and history of the project
-------------------

* 11-JAN-1999
  Fixed bug with /EXPIRATION date checking.
  accounting: could not append to file radacct_dir:.detail

* 19-JAN-1999
  Fixed some incorrectness in the ACCT.C module: if the .DETAIL file was
  locked, accounting was not written at all. This caused accumulation of
  "busy" lines and exceeding of the session limit.
  Added the GBC file attribute to radius_current to improve access speed.

* 22-JAN-1999
  Added logicals to disable writing of information to the
  radacct_dir:.detail files.
  "-ACC-W-INVTIME, record XXX has time in the future"

* 29-JAN-1999
  Fixed bug with buffer overflow when copying the username in ACCT.C; this
  overflow caused the "-ACC-W-INVTIME, record XXX has time in the future"
  error message when the VMS ACCOUNTING utility was used with the
  radius_accounting.dat file.
  Some modifications in VMS_STUFF.C/vms_accounting(); now all information
  from the .DETAIL file is gathered into separate fields. This is more
  useful for selection.
  Some modifications in the RADIUS.C module for DEC C 6.0/VAX compiler
  compatibility.

* 1-FEB-1999
  Disabled reverse lookup in the ACCT.C module for Framed-IP-Address and
  NAS-Address; gethostbyaddr() took a very long time to execute, enough to
  lose accounting information. Yet another reason for losing session
  information is DNS inaccessibility (during restart, crash etc.), because
  RADIUS used reverse lookup for IP-to-name translation, and used the NAME
  to retrieve the "shared secret" from the CLIENTS file.

* 2-FEB-1999
  vms_stuff.c/vms_get_stat() - if user/nas_ip/port are equal to the same
  parameters being checked, then the count of sessions is not incremented.
* 3-FEB-1999
  radiusd.c/rad_authenticate() - fixed bug with auth packets which contain
  no NAS-Port attribute; this caused an ACCVIO error at line 10480.

* 5-FEB-1999
  Some modifications in UTIL.C/ip_hostname(), VMS_STUFF.C/vms_alarm(),
  LOG.C/log_msg(). DNS cache capability.

* 26-APR-1999
  The original Livingston code has been fully rewritten; only the data
  files keep the Livingston copyright notice. There are a lot of changes:
    Deep optimization
    Some huge bug in security fixed :((
    Socket API -> VMS $QIO/BG device
    DECThreads
    Realms support
    VMS Message facilities
    Accounting in VMS ACCOUNTING format is not supported now; use the
    RADACC utility

* 8-MAY-1999
  Restored support for accounting information in the VMS ACCOUNTING format,
  and generation of the traditional RADIUS .DETAIL file. The RADACC utility
  is retired :(
  Fixed problem with threads restarting every 10 minutes, by using
  pthread_join() in the main thread.
  Fixed thread stack overflows in RAD_ACCT.C/rad_put_detail().

* 11-MAY-1999
  Removed global buffer assignment from rad_user.c/user_open(). Use
  SET FILE file-spec /GLOBAL_BUFFERS=buffer-count!

* 15-MAY-1999
  Fixed problem with the time format in the RADIUS_DETAIL file; the pure
  VMS string was changed to the traditional Unix format. This problem caused
  accounting information to be ignored by PLATYPUS 2.9.

* 18-MAY-1999
  Fixed problem in rad_util.c/hostname_ip(): the mutex was unlocked before
  copying data from the internal buffer of gethostbyname().

* 20-MAY-1999
  Some cosmetic changes in the rad_util.c, rad_acct.c modules; now string
  attributes are displayed in quotation marks.
  rad_acct.c/radd_get_stat() - added the read-regardless-of-lock flag in
  the SRAB.

* 22-MAY-1999
  Testing with Multinet 4.1B under VMS 7.1.
  Added calls to external "AUTH" and "ACCT" procedures, see
  rad_stubs.c/rad_external_auth(), rad_external_acct().

* 24-MAY-1999
  Removed use of mutexes in rad_util.c/hostname_ip(); gethostbyaddr stores
  data in a thread-specific area, I hope it's enough.
  "Ported" the Alpha version of RADIUS to VAX.
  radd_acct.c/rad_put_detail() - ctime_r() changed to ctime().

* 2-JUN-1999
  Caught bug in rad_netio.c/net_open(): it returned success status when the
  channel was not actually open, which caused an exit with "NOPRIV,
  insufficient privilege or queue protection violation".

* 29-JUN-1999
  Some changes in rad_util.c/ip_hostname() due to use of the
  RADIUS_DNS_LOOKUP logical.
  Added RADIUS_DNS_LOOKUP, which controls reverse resolving of IP address
  to name.

* 10-JUL-1999
  Fixed memory leak problem in rad_auth.c, rad_acct.c/radacct_stop(),
  radauth_stop(); added a call to pthread_detach after the pthread_join
  call. This problem appeared on VAX/Alpha VMS prior to 7.x.

* 21-JUL-1999
  Added additional checking for Client-Id; fixed problem with multiple
  DEFAULT entries. See the example in the USERS. file from this kit.

* 22-JUL-1999
  Fixed the port number field width in the RADIUS_CURRENT file from 3 digits
  to 5. This problem appeared when RADIUS worked as a "remote server" for
  MegaPOP or iPass RADIUS servers.

* 25-JUL-1999
  Added "Proxy-State" attribute support, fixed version number to 2.16,
  changed the memory discipline strategy to VMS VM zones.

* 31-JUL-1999
  A lot of changes in the session checking procedures; sequential access
  was changed to keyed + sequential with limit key checking.

* 15-AUG-1999
  rad_util.c/rad_init_vm() - fixed memory leak problem which appeared under
  VMS < 7.0.

-------------------
To Do
-------------------

* I. Resting...

C U
SysMan (MailTo:"Ruslan R. Laishev" ).
http://WWW.RadiusVMS.COM
http://WWW.Levitte.ORG/~RLaishev