
		RADIUS 2.01 for OpenVMS porting notes

-------------------
Features
-------------------
	- Full support of Livingston's RADIUS 2.0 specification
	- SYSUAF-based authentication
	- AUDIT + OPCOM messaging
	- Security checks tied into VMS INTRUSION DETECTION
	- Use of rights identifiers for additional authorization
	- Session limit checking support
	- Connection speed checking support
	- Accounting based on VMS ACCOUNTING with full
	..tracking of user/NAS/port activity
	- Works in a cluster environment with shared data files
	- Flexible maintenance procedures for non-stop operation
	- High performance with a large USERS file
	- Caching of IP names for reverse lookups
	- All files produced by RADIUS are fully documented so you
	..can write your own utilities

	- This port is supported by the author for a reasonable fee
	- New features can be added at your request ASAP

-------------------
Requirements
-------------------
	OS:		OpenVMS 6.1 or later (VAX/Alpha)

	Priv:		SECURITY - for scanning the intrusion database
			SYSPRV - for access to SYSUAF.DAT
			NETMBX,TMPMBX - usual
			OPER,WORLD - for sending to OPCOM

	Note that with SECURITY and SYSPRV the server process can read and
	modify the system authorization database, so the RADIUS account
	should be used for nothing else, and the RADIUS directory and images
	should be protected against modification by other users.

	TCP/IP support:	UCX (tested), TCPWare-TCP (tested).

	Compiler:	DEC C 5.0 or later

-------------------
Installation
-------------------
 * I.	Put the distribution kit (Zip file) in a dedicated directory for
	RADIUS, unpack it and build the executable image of the RADIUS server.

 * II.	Revise and edit RADIUS_STARTUP.COM and RADIUS_START.COM from the distribution kit.

 * III.	Create a dedicated account entry in SYSUAF for RADIUS as follows:
	Username: INET_RADIUS                      Owner:  RADIUS Server
	Account:  TCP-IP                           UIC:    [375,302] ([INET,INET_RADIUS])
	CLI:      DCL                              Tables: DCLTABLES
	Default:  INET$ROOT:[RADIUS]
	LGICMD:   LOGIN
	Flags:  Restricted
	Primary days:   Mon Tue Wed Thu Fri
	Secondary days:                     Sat Sun
	Primary   000000000011111111112222  Secondary 000000000011111111112222
	Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
	Network:  ##### Full access ######            ##### Full access ######
	Batch:    -----  No access  ------            -----  No access  ------
	Local:    -----  No access  ------            -----  No access  ------
	Dialup:   -----  No access  ------            -----  No access  ------
	Remote:   -----  No access  ------            -----  No access  ------
	Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
	Pwdlifetime:           (none)    Pwdchange:      (pre-expired)     (pre-expired)
	Last Login:            (none) (interactive), 29-OCT-1998 11:50 (non-interactive)
	Maxjobs:         0  Fillm:       300  Bytlm:        32768
	Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
	Maxdetach:       0  BIOlm:        40  JTquota:       4096
	Prclm:           8  DIOlm:        40  WSdef:          256
	Prio:            6  ASTlm:        40  WSquo:          256
	Queprio:         0  TQElm:        40  WSextent:       512
	CPU:        (none)  Enqlm:      2000  Pgflquo:      32768
	Authorized Privileges:
	  NETMBX       SECURITY     SYSPRV       TMPMBX
	  OPER         WORLD
	Default Privileges:
	  NETMBX       SECURITY     SYSPRV       TMPMBX
	  OPER         WORLD

 * IV.	Optionally, add two entries to the SERVICES file; an example for TCPWare-TCP
	follows:
	...
	radius          1645/udp
	radact          1646/udp
	...
	(1645/1646 are the original Livingston port numbers; IANA later assigned
	1812/1813 for RADIUS authentication and accounting. Use whichever pair
	your NASes are configured to send to.)

 * V.	Edit the CLIENTS file from the RADIUS distribution kit, adding the IP names of your
	Network Access Servers and their "shared secrets" (remember that in this port a
	"shared secret" can be at most 8 bytes long). Eight bytes is a small key space, so
	use random characters rather than a word: anyone who captures one RADIUS packet
	can test candidate secrets against its authenticator offline.

 * VI.	Start the RADIUS server as a detached process with RADIUS_STARTUP.COM, or for
	debugging run RADIUS_START.COM from the command line.

 * VII.	Use the RT.EXE utility to ensure that RADIUS can see the USERS/CLIENTS/DICTIONARY files.

-------------------
Changes & Additions
-------------------
 * I.	This version of RADIUS can use SYSUAF for authentication and
	authorization via the sys$getuai system service.  This feature of
	the server is activated by parameters in the RADIUS USERS. file as
	follows:

	...
	rrl	Auth-Type = System
	...

	or

	...
	DEFAULT	Password = "UNIX" ( Password = "VMS" can also be used)
	...

	During the authentication phase of the login procedure the server
	checks the following SYSUAF parameters: /FLAG=(DISUSER,RESTRICTED),
	/EXPIRATION=time, /DIALUP=range, /PRIMEDAYS=([NO]day[,...]), /PASSWORD.

	If the login is not allowed by the UAF, intrusion information is stored
	for use on the next attempt. At the successful end of this phase the
	"Last login: non-interactive" field is updated for this user in
	SYSUAF. All login failures are stored in the VMS AUDIT database; use
	the ANALYZE/AUDIT utility to search for and retrieve this information.

	*NOTE:	- There are natural limits on parameter lengths:
		..username <= 12,
		..password <= 32 bytes.
		- A username containing a space or tab is not allowed.

 * II.	Three special SYSUAF rights identifiers can be used for additional
	authorization of users:

	56K - for users with a connection speed in the range 33600 <= speed <= 56K (56*1024)
	ISDN - for users with an ISDN type of connection (cf. NAS-Port-Type)
	DUALPORT - equivalent to "MAX-Session-Limit = 2" in the RADIUS USERS file.

	*NOTE:  - If the user holds none of these IDs in SYSUAF, the check is not
		..performed: such a user passes regardless of speed or port type.
		- This check is performed for SYSUAF users only.
		- The connection speed is taken from the "Connect-Info"
		..attribute; check your equipment's documentation for whether
		..it supplies this information.
		- DUALPORT overrides MAX-Session-Limit in the RADIUS USERS file.

 * III.	This server also stores accounting information in an additional file
	which can be read by the VMS ACCOUNTING utility as usual. An accounting
	record is created at the end of a session (see "Acct-Status-Type = Stop"
	in the DETAIL file).

	*NOTE:	- A session with zero elapsed time is recorded as a LOGIN FAILURE,
		..with elapsed time 0 00:00:00.95!!!
		- Do not try to write this information into the VMS system accounting
		..file by defining radius_accounting as sys$manager:accountng.dat!!!

 * IV.	VMS Accounting
	This is an example of an accounting record in the RADIUS_ACCOUNTING file:
	NETWORK Process Termination
	---------------------------
	Username:          CC_RRL            UIC:               [PUBLIC,CC_RRL]
	Account:                             Finish time:       29-JAN-1999 00:02:23.94
	Process ID:        32015396          Start time:        28-JAN-1999 23:56:58.94
	Owner ID:                            Elapsed time:                0 00:05:25.00
	Terminal name:     ISDN              Processor time:              0 00:00:00.00
	Remote node addr:                    Priority:          0
	Remote node name:                    Privilege <31-00>: 00000000
	Remote ID:                           Privilege <63-32>: 00000000
	Remote full name:  modem106.somewhere.net
	Queue entry:       18                Final status code: 00000001
	Queue name:        nas806.somewhere.net
	Job name:          PPP
	Final status text: %SYSTEM-S-NORMAL, normal successful completion

	Page faults:            38400        Direct IO:                404
	Page fault reads:           0        Buffered IO:              363
	Peak working set:           0        Volumes mounted:            0
	Peak page file:             0        Images executed:            0

	This is the record that was written to the .DETAIL file:
	Fri Jan 29 00:02:23 1999
		Acct-Session-Id = "32015396"
		User-Name = "CC_RRL"
		NAS-IP-Address = 172.16.1.30
		NAS-Port = 18
		NAS-Port-Type = ISDN
		Acct-Status-Type = Stop
		Acct-Session-Time = 325
		Acct-Authentic = RADIUS
		Acct-Input-Octets = 404
		Acct-Output-Octets = 363
		Acct-Terminate-Cause = User-Request
		Connection-Info = "38400/V42bis"
		Vendor-Specific = 307
		Service-Type = Framed-User
		Framed-Protocol = PPP
		Framed-IP-Address = 172.17.1.32
		Acct-Delay-Time = 0
		Timestamp = 917589743
		Request-Authenticator = Unverified
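	The DETAIL record above logs "Request-Authenticator = Unverified": the server
	did not check that the Accounting-Request was produced by a NAS that knows the
	shared secret from the CLIENTS file. The following is an added example, not
	code from this port or from Livingston's RADIUS, of that check as RFC 2866
	defines it (Request Authenticator = MD5 over Code, Identifier, Length, 16 zero
	octets, the attributes and the secret). The attribute type numbers are the
	standard RFC 2865/2866 values, not anything from this page; the packet
	identifier 0x2A and the secret "secret12" are made up; the 8-byte secret
	limit is the one stated for this port's CLIENTS file in installation step V.

```python
import hashlib
import hmac
import struct

# Standard RADIUS code and attribute types (RFC 2865/2866); not taken from this page.
ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_STATUS_STOP = 2
SECRET_MAX = 8          # this port's CLIENTS file accepts secrets of at most 8 bytes


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute (Length covers the 2 header octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, 2 + len(value))) + value


def int_attr(attr_type, value):
    """Integer attributes are 4-octet big-endian values."""
    return attr(attr_type, struct.pack("!I", value))


def check_secret(secret):
    """Reject a secret this port could not store (page: at most 8 bytes)."""
    if not 1 <= len(secret) <= SECRET_MAX:
        raise ValueError(f"shared secret must be 1..{SECRET_MAX} bytes for this port")
    return secret


def build_accounting_request(identifier, secret, attrs):
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    check_secret(secret)
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """True only if the authenticator was computed with this secret over exactly
    these bytes; a wrong secret, a changed attribute or a truncated packet fails."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)   # constant-time compare


def sample_stop_request(secret):
    """Constructed Accounting-Request carrying values from the DETAIL record above."""
    return build_accounting_request(0x2A, secret, [
        attr(USER_NAME, b"CC_RRL"),
        attr(NAS_IP_ADDRESS, bytes((172, 16, 1, 30))),
        int_attr(NAS_PORT, 18),
        int_attr(ACCT_STATUS_TYPE, ACCT_STATUS_STOP),
        attr(ACCT_SESSION_ID, b"32015396"),
        int_attr(ACCT_SESSION_TIME, 325),
    ])


if __name__ == "__main__":
    pkt = sample_stop_request(b"secret12")
    print("genuine:", verify_accounting_request(pkt, b"secret12"))
    print("wrong secret:", verify_accounting_request(pkt, b"Secret12"))
    forged = pkt[:-4] + b"\x00\x00\x00\x00"      # zero the Acct-Session-Time value
    print("tampered:", verify_accounting_request(forged, b"secret12"))
```

	Because the authenticator is an unkeyed MD5 over the packet bytes plus the
	secret, anyone holding one captured accounting packet can test candidate
	secrets offline; with this port's 8-byte limit the secret should therefore
	be random characters, never a word.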

	----------------------------------------------------------------------
	VMS Accounting field	  |	RADIUS Accounting attribute
	----------------------------------------------------------------------
	Username		  |	User-Name
	Account (from SYSUAF)	  |
	UIC (from SYSUAF)	  |
	Process ID		  |	Acct-Session-Id
	Page faults		  |	Connection-Info (speed part, e.g. 38400)
	Direct IO		  |	Acct-Input-Octets
	Buffered IO		  |	Acct-Output-Octets
	Remote full name	  |	Framed-IP-Address (resolved)
	Queue entry		  |	NAS-Port
	Queue name		  |	NAS-IP-Address (resolved)
	Job name		  |	Framed-Protocol
	Finish time		  |	Date of record
	Start time		  |	Date of record - Acct-Session-Time
	Final status code	  |	Acct-Terminate-Cause
	----------------------------------------------------------------------

	*NOTE:	- A session with zero elapsed time is recorded in
		..ACCOUNTING as a failed login attempt.
		- Do not use prefixes in the USERS file.
		- The RADIUS_ACCOUNTING file is reopened at 24:00:00 every calendar day;
		..you can use this to recreate RADIUS_ACCOUNTING.
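	The mapping in the table above, as an added example that is not the
	vms_accounting() routine of this port: it parses a .DETAIL record (a date
	line followed by "Attribute = value" lines, as shown above), keeps only
	Stop records, derives the start time as record date minus
	Acct-Session-Time, takes the "Page faults" value from the speed part of
	Connection-Info, and marks a zero-length session as a LOGFAIL record. The
	sample record is a constructed copy of the one shown above. The resolved
	names the table lists for Remote full name and Queue name are left as the
	raw addresses here, since resolution is outside this example.

```python
from datetime import datetime, timedelta

# Constructed copy of the .DETAIL record shown above (not read from a real file).
SAMPLE_DETAIL = """\
Fri Jan 29 00:02:23 1999
\tAcct-Session-Id = "32015396"
\tUser-Name = "CC_RRL"
\tNAS-IP-Address = 172.16.1.30
\tNAS-Port = 18
\tNAS-Port-Type = ISDN
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 325
\tAcct-Authentic = RADIUS
\tAcct-Input-Octets = 404
\tAcct-Output-Octets = 363
\tAcct-Terminate-Cause = User-Request
\tConnection-Info = "38400/V42bis"
\tVendor-Specific = 307
\tService-Type = Framed-User
\tFramed-Protocol = PPP
\tFramed-IP-Address = 172.17.1.32
\tAcct-Delay-Time = 0
\tTimestamp = 917589743
\tRequest-Authenticator = Unverified
"""


def parse_detail_record(text):
    """One DETAIL record: a ctime-style date line, then indented 'Attr = value' lines.
    Returns (record_time, {attribute: value}); quoted values lose their quotes.
    strptime treats the format's spaces as runs of whitespace, so 'Jan  5' parses too."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    when = datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")
    attrs = {}
    for line in lines[1:]:
        name, _, value = line.strip().partition(" = ")
        attrs[name] = value.strip('"')
    return when, attrs


def connect_speed(value):
    """'38400/V42bis' -> 38400; None when the speed part is missing or not numeric."""
    try:
        return int(value.split("/", 1)[0])
    except (AttributeError, ValueError):
        return None


def to_vms_accounting(text):
    """Map a Stop record onto the VMS ACCOUNTING fields per the table above.
    Returns None for records that produce no VMS record (Start, Alive, ...)."""
    when, a = parse_detail_record(text)
    if a.get("Acct-Status-Type") != "Stop":
        return None
    elapsed = timedelta(seconds=int(a.get("Acct-Session-Time", 0)))
    return {
        # a zero-length session is written as a LOGFAIL record, not a NETWORK one
        "Record type": "LOGFAIL" if elapsed == timedelta(0) else "NETWORK",
        "Username": a["User-Name"],
        "Process ID": a["Acct-Session-Id"],
        "Page faults": connect_speed(a.get("Connection-Info") or a.get("Connect-Info")),
        "Direct IO": int(a.get("Acct-Input-Octets", 0)),
        "Buffered IO": int(a.get("Acct-Output-Octets", 0)),
        "Remote full name": a.get("Framed-IP-Address"),   # table: resolved; raw here
        "Queue entry": int(a["NAS-Port"]),
        "Queue name": a["NAS-IP-Address"],                 # table: resolved; raw here
        "Job name": a.get("Framed-Protocol"),
        "Finish time": when,
        "Start time": when - elapsed,
        "Elapsed time": elapsed,
        "Final status": a.get("Acct-Terminate-Cause"),
    }


if __name__ == "__main__":
    for key, value in to_vms_accounting(SAMPLE_DETAIL).items():
        print(f"{key:18} {value}")
```

	Run against the sample, the start time comes out as 28-JAN-1999 23:56:58,
	matching the VMS record shown above; flipping Acct-Session-Time to 0 turns
	the record type into LOGFAIL, which is why ACCOUNTING /TYPE=LOGFAIL also
	lists such sessions.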

 * V.	This version does not allow password changes by RADPASS or similar
	facilities.

 * VI.	This port can check a maximum session limit if the USERS. file contains
	the MAX-Session-Limit parameter as a "check item" for a particular user.
	The check uses information from the RADIUS_CURRENT file. Use this feature
	with care: a session is "started" when the "Start" accounting packet is
	received from the NAS and closed when the "Stop" packet is received.
	Equipment from some vendors sends these packets with a long delay, for
	example the 3Com/USR TC. There are several reasons for this: high CPU and
	I/O load on the system where RADIUS/ACCT lives, and incorrect behaviour
	of the NAS's embedded software. A Stop packet that never arrives leaves
	a phantom session in RADIUS_CURRENT that counts against the user's
	limit until the entry is cleared.

 * VII.	Optimization issues
	All critical file I/O has been rewritten with RMS I/O; in particular,
	access to the USERS. file follows this discipline: the USERS. file is
	opened at server start and stays open while the server runs; every
	10 minutes (0 00:10:00.00) the file is marked as expired by setting a
	special flag; when the next request arrives the file is reopened and
	the expiration flag is cleared. An edit to USERS. therefore takes
	effect on the first request after the next 10-minute mark, not
	immediately.

	This discipline avoids the overhead of opening the file while
	processing each authentication request, and takes advantage of
	buffered I/O with a large number of RMS buffers.

	All IP-to-name (reverse resolution) requests use a cache.
	
-------------------
Logicals
-------------------
	RADIUS_DIR - root RADIUS directory
	RADACCT_DIR - where the .DETAIL files are placed
	RADIUS_ACCOUNTING - accounting file in VMS ACCOUNTING format
	RADIUS_DICTIONARY - RADIUS dictionary file
	RADIUS_CLIENTS - RADIUS clients file
	RADIUS_USERS - RADIUS users file
	RADIUS_LOGFILE - RADIUS log file
	RADIUS_DEBUG - put debug information in the log file
	RADIUS_DISABLE_RIGHTSCHECK - if this logical exists, all rights
		identifier checking in SYSUAF is disabled
	RADIUS_DISABLE_SESSIONLIMIT - if this logical exists, session
		limit checking is disabled
	RADIUS_CURRENT - file containing "show session"-like
		information about user activity on NAS ports
	RADIUS_NODETAIL - disable writing accounting information to the .DETAIL
		files

	The two RADIUS_DISABLE_* logicals switch off enforcement and
	RADIUS_NODETAIL drops the per-NAS accounting trail; check with
	SHOW LOGICAL that none of them is defined on a production node.

-------------------
Appendix
-------------------
 * A.	Authentication flow (USERS. : Auth-Type = System, or Password = "UNIX",
	or Password = "VMS")

	Performed by vms_stuff/vms_login():
	*NOTE:	- The username and password are compared case-insensitively.
		- The login type is DIALUP.
	
	Step 0.0:IF NO_USER in SYSUAF
		- put user in intruders list with No Such User status,
			alarm event, 
				reject.

	Step 0.1:IF (DISUSER or RESTRICTED ) or (EXPIRATION  < current time)
		- put user in intruders list with Invalid Login status,
			audit+alarm events,
				reject.

	Step 0.2:IF (PASSWORD is INVALID)
		- put user in intruders list with Authentication Fail status,
			audit+alarm events,
				reject.

	Step 0.3:IF (USER in INTRUDER LIST)
		- reject

	Step 0.4:IF (DIALUP login is not allowed at this time)
		- put user in intruders list with Invalid Login Time  status,
			audit+alarm events,
				reject.

	Step 0.5: You Are Welcome!!!
		- the "Last login: non-interactive" field in SYSUAF.DAT is updated
		..for this user; this is registered by AUDIT as well. :)

	Performed by vms_stuff/vms_right():
	Step 2.0:IF (USER connection speed < 33600)
		- skip to Step 3.0

	Step 2.1:IF (USER connection speed within [33600 ... 56*1024]) &&
			(USER does not hold 56K)
		- Send message to OPCOM;
			reject.

	Step 2.2:IF (USER connection type > 1) &&
			(USER does not hold the ISDN right id)
		- Send message to OPCOM;
			reject.

	Step 3.0 - IF (USER holds the DUALPORT right id)
		- set MAX-Session-Limit = 2 for this user.
	*NOTE:	- IF no IDs are held in the rights list, the result of the
		..vms_right() check is TRUE!!!

	Performed by vms_stuff/vms_get_stat():
	Step 4.0 - IF (USER tries to get sessions > MAX-Session-Limit)
		- Send message to OPCOM;
			reject.
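	The flow above written out as code, as an added example; this is not the
	port's vms_stuff.c. It follows the steps in exactly the order listed,
	including step 2.0 skipping both rights checks for calls below 33600 bps
	and the no-identifier case returning TRUE. Assumptions not on this page:
	UafRecord is a stand-in for the SYSUAF fields (with a plaintext password
	where SYSUAF keeps a hash), BREAK_IN_LIMIT stands in for the VMS
	LGI_BRK_LIM threshold behind "USER in INTRUDER LIST", the intruder list is
	a plain dictionary rather than the VMS intrusion database, and "connection
	type > 1" is read as the standard NAS-Port-Type values (0 Async, 1 Sync, 2
	and above the ISDN variants per RFC 2865). The scenario in demo() is
	constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

BREAK_IN_LIMIT = 5          # assumption: stands in for the SYSGEN parameter LGI_BRK_LIM
ISDN_PORT_TYPES_FROM = 2    # RFC 2865 NAS-Port-Type: 0 Async, 1 Sync, 2 and up ISDN variants


@dataclass
class UafRecord:
    """Stand-in for the SYSUAF fields the flow consults (the port reads them via sys$getuai)."""
    username: str
    password: str                                       # plaintext here; SYSUAF stores a hash
    disuser: bool = False
    restricted: bool = False
    expiration: datetime | None = None
    dialup_hours: dict = field(default_factory=dict)    # weekday (0=Mon) -> set of allowed hours
    rights: set = field(default_factory=set)            # subset of {"56K", "ISDN", "DUALPORT"}
    last_noninteractive: datetime | None = None


def connect_speed(connect_info):
    """Connect-Info such as "38400/V42bis": the speed is the part before '/' (0 if absent)."""
    try:
        return int(connect_info.split("/", 1)[0])
    except (AttributeError, ValueError):
        return 0


def vms_login(req, uaf, intruders, now, events):
    """Steps 0.0-0.5; intruders maps username -> failure count. Returns (ok, status)."""
    name = req.get("User-Name", "").upper()             # comparison is case-insensitive
    if not name or len(name) > 12 or " " in name or "\t" in name:
        return False, "Invalid username"

    def fail(status, event):                            # record intruder + AUDIT/ALARM event
        intruders[name] = intruders.get(name, 0) + 1
        events.append(f"{event}: {status} {name}")
        return False, status

    rec = uaf.get(name)
    if rec is None:                                                     # step 0.0
        return fail("No Such User", "ALARM")
    if rec.disuser or rec.restricted or (rec.expiration and rec.expiration < now):
        return fail("Invalid Login", "AUDIT+ALARM")                     # step 0.1
    if req.get("Password", "").upper() != rec.password.upper():         # step 0.2
        return fail("Authentication Fail", "AUDIT+ALARM")
    if intruders.get(name, 0) >= BREAK_IN_LIMIT:                        # step 0.3
        return False, "Intruder"
    if now.hour not in rec.dialup_hours.get(now.weekday(), set()):      # step 0.4
        return fail("Invalid Login Time", "AUDIT+ALARM")
    rec.last_noninteractive = now                                       # step 0.5
    events.append(f"AUDIT: non-interactive login {name}")
    return True, "OK"


def vms_right(rec, req, events, max_sessions):
    """Steps 2.0-3.0. Returns (ok, max_sessions); holding no identifier at all means TRUE."""
    if not rec.rights:
        return True, max_sessions
    speed = connect_speed(req.get("Connect-Info"))
    if speed >= 33600:                                  # step 2.0: slower calls skip to 3.0
        if speed <= 56 * 1024 and "56K" not in rec.rights:              # step 2.1
            events.append(f"OPCOM: {rec.username} lacks 56K id ({speed} bps)")
            return False, max_sessions
        if req.get("NAS-Port-Type", 0) >= ISDN_PORT_TYPES_FROM and "ISDN" not in rec.rights:
            events.append(f"OPCOM: {rec.username} lacks ISDN id")      # step 2.2
            return False, max_sessions
    if "DUALPORT" in rec.rights:                        # step 3.0, overrides the USERS value
        max_sessions = 2
    return True, max_sessions


def radius_authenticate(req, uaf, intruders, active_sessions, now, users_max_sessions=None):
    """Whole flow; active_sessions is the user's count from RADIUS_CURRENT (step 4.0)."""
    events = []
    ok, status = vms_login(req, uaf, intruders, now, events)
    if not ok:
        return False, status, events
    rec = uaf[req["User-Name"].upper()]
    ok, limit = vms_right(rec, req, events, users_max_sessions)
    if not ok:
        return False, "Rights check failed", events
    if limit is not None and active_sessions >= limit:
        events.append(f"OPCOM: session limit {limit} reached for {rec.username}")
        return False, "Session limit", events
    return True, "Access-Accept", events


def demo():
    """Constructed scenario: one ISDN/DUALPORT user and one user holding no identifiers."""
    always = {d: set(range(24)) for d in range(7)}
    uaf = {"CC_RRL": UafRecord("CC_RRL", "Secret1", dialup_hours=always, rights={"ISDN", "DUALPORT"}),
           "PLAIN": UafRecord("PLAIN", "pw", dialup_hours={d: set(range(8, 18)) for d in range(5)})}
    intruders, night, day = {}, datetime(1999, 1, 28, 23, 56, 58), datetime(1999, 1, 28, 10, 0, 0)
    isdn = {"User-Name": "cc_rrl", "Password": "secret1", "NAS-Port-Type": 2, "Connect-Info": "64000/ISDN"}
    plain = {"User-Name": "plain", "Password": "PW", "NAS-Port-Type": 0, "Connect-Info": "48000/V90"}
    return {
        "isdn second session": radius_authenticate(isdn, uaf, intruders, 1, night)[1],
        "isdn third session": radius_authenticate(isdn, uaf, intruders, 2, night)[1],
        "wrong password": radius_authenticate({**isdn, "Password": "x"}, uaf, intruders, 0, night)[1],
        "56k without id": radius_authenticate({**isdn, "NAS-Port-Type": 0, "Connect-Info": "48000/V90"},
                                              uaf, intruders, 0, night)[1],
        "no ids, off hours": radius_authenticate(plain, uaf, intruders, 0, night)[1],
        "no ids, day, 48000 bps": radius_authenticate(plain, uaf, intruders, 0, day)[1],
        "unknown user": radius_authenticate({"User-Name": "nobody", "Password": "x"}, uaf, intruders, 0, night)[1],
        "intrusion count CC_RRL": intruders["CC_RRL"],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} {outcome}")
```

	The "no ids, day, 48000 bps" case in demo() is the one to notice: a SYSUAF
	user who holds none of the three identifiers is accepted at a 56K-range
	speed, so the identifiers have to be granted to every user you want
	constrained, not only to the users you want to allow.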

-------------------
Limitations
-------------------
 * A.	Use of RADIUS prefixes is not allowed !!! Suffixes must
	start with the character '%' !!!

 * B.	There are natural limits on parameter lengths: username <= 12,
	password <= 32 bytes.
	A username containing a space or tab is not allowed and will cause an
	authentication error.


-------------------
FAQ
-------------------

 * Q1.	Why can't we allow password changes by RADPASS ?
   A1.	This functionality will probably be added later.

 * Q2.	Are we recording login failures somewhere ?
   A2.	This information is recorded in the AUDIT SECURITY journal; you can
	search for and retrieve it with the VMS ANALYZE/AUDIT facility. In
	addition, a session with zero elapsed time is recorded in ACCOUNTING
	as a failed login attempt.
	To retrieve that information use ACCOUNTING /TYPE=LOGFAIL ...

 * Q3.	How easy will it be to install and maintain ?
   A3.	As easy as RADIUS 1.16. In addition, read these notes carefully;
	otherwise don't hesitate to call support. :))

 * Q4.	Will there be any way to see who is currently online, or to look up an
	individual user and figure out what his IP address is ? (Then we
	can do some cool CGI stuff for them, i.e. say "You've got mail" when
	he opens our homepage.)
   A4.	This functionality is not present in the original RADIUS at all; there is
	no simple and dependable way to keep and maintain this information.
	But it is present in this version. The information is stored in the
	file RADIUS_CURRENT, which you can display with TYPE, or write a
	small DCL procedure if you need to display NAS/port usage periodically.

	Format of the RADIUS_CURRENT file:
	Offset	Length		Name		Description
	0	15		NAS_ip		NAS's IP address
	16	3		NAS_port	NAS's port number
	20	32		NAS_ipname	NAS's IP name if resolved,
						otherwise its IP address.
	54	12		User		Username
	67	15		Framed-IP	Framed IP address (not resolved)
						assigned to the client during
						login.
	Use the RADIUS_LOOKUP.C program as an example of using information from
	the RADIUS_CURRENT file.
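	An added parser for the layout above; it is not the RADIUS_LOOKUP.C from the
	kit, and the sample records are constructed. It assumes the file is plain
	fixed-width text (it can be displayed with TYPE), with fields space-padded
	to the listed lengths and the unlisted columns (15, 19, 52-53, 66) used as
	separators. Besides the FAQ's "who is online and what is his IP" lookup, it
	implements the session count that the MAX-Session-Limit check of section VI
	takes from RADIUS_CURRENT, including the 2-FEB-1999 rule that an entry for
	the same user on the same NAS/port is the session being re-established and
	is not counted again.

```python
# Field layout of RADIUS_CURRENT from the table above: (name, offset, length).
# Assumed here: fixed-width text records, space-padded fields, separator columns between.
FIELDS = (
    ("nas_ip", 0, 15),
    ("nas_port", 16, 3),
    ("nas_ipname", 20, 32),
    ("user", 54, 12),
    ("framed_ip", 67, 15),
)
RECORD_LEN = 82


def format_record(*values):
    """Build one fixed-width record; used here only to construct sample data."""
    buf = [" "] * RECORD_LEN
    for (name, off, ln), value in zip(FIELDS, values):
        text = str(value)
        if len(text) > ln:
            raise ValueError(f"{name} longer than {ln} bytes: {text!r}")
        buf[off:off + ln] = text.ljust(ln)
    return "".join(buf)


def parse_record(line):
    """Slice one record by offset; a short line is padded so the slices never fail."""
    line = line.rstrip("\r\n").ljust(RECORD_LEN)
    rec = {name: line[off:off + ln].strip() for name, off, ln in FIELDS}
    rec["nas_port"] = int(rec["nas_port"])
    return rec


def parse_current(text):
    """All records in the file; blank lines are ignored."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def lookup_user(records, user):
    """FAQ Q4: every NAS port this user currently holds, with the assigned IP."""
    user = user.upper()
    return [r for r in records if r["user"].upper() == user]


def count_sessions(records, user, nas_ip, nas_port):
    """Sessions counted against MAX-Session-Limit for a new request arriving from
    (nas_ip, nas_port): an entry for the same user on that very port is the
    session being re-established, not an extra one (2-FEB-1999 fix)."""
    user = user.upper()
    return sum(1 for r in records
               if r["user"].upper() == user
               and not (r["nas_ip"] == nas_ip and r["nas_port"] == nas_port))


# Constructed sample contents (not a real RADIUS_CURRENT file).
SAMPLE_CURRENT = "\n".join([
    format_record("172.16.1.30", 18, "nas806.somewhere.net", "CC_RRL", "172.17.1.32"),
    format_record("172.16.1.30", 19, "nas806.somewhere.net", "CC_RRL", "172.17.1.33"),
    format_record("172.16.1.31", 7, "172.16.1.31", "OTHER", "172.17.1.40"),
]) + "\n"


if __name__ == "__main__":
    records = parse_current(SAMPLE_CURRENT)
    for r in lookup_user(records, "cc_rrl"):
        print(f"{r['user']} on {r['nas_ipname']} port {r['nas_port']} -> {r['framed_ip']}")
    print("sessions counted for a new call on 172.16.1.30/18:",
          count_sessions(records, "CC_RRL", "172.16.1.30", 18))
    print("sessions counted for a new call on 172.16.1.30/20:",
          count_sessions(records, "CC_RRL", "172.16.1.30", 20))
```

	The two count_sessions() calls at the end show the difference the 2-FEB-1999
	fix makes: a re-authentication on a port the user already holds counts one
	session, a call on a fresh port counts both existing ones.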
 
-------------------
Troubleshooting
-------------------
 * 11-JAN-1999	Fixed bug with /EXPIRATION date checking

 * accounting: could not append to file radacct_dir:<nas_ip_name>.detail
 * 19-JAN-1999	Fixed an error in the ACCT.C module: if the .DETAIL file was locked,
		accounting was not written at all. This caused "busy" lines to
		accumulate and the session limit to be exceeded.

		Added the GBC file attribute to radius_current to improve access speed.

 * 22-JAN-1999	Added logicals to disable writing information to the
		radacct_dir:<nas_ip_name>.detail files.

 * "-ACC-W-INVTIME, record XXX has time in the future"
 * 29-JAN-1999	Fixed a buffer overflow while copying the username in ACCT.C; this
		overflow caused the "-ACC-W-INVTIME, record XXX has time in the future"
		error message when the VMS ACCOUNTING utility was used with the
		radius_accounting.dat file.

		Some modifications in VMS_STUFF.C/vms_accounting(): all information from
		the .DETAIL file is now gathered into separate fields. This is more useful
		for selection.

		Some modifications in the RADIUS.C module for DEC C 6.0/VAX compiler compatibility.

 *  1-FEB-1999	Disabled reverse lookups in the ACCT.C module for Framed-IP-Address
		and NAS-Address: gethostbyaddr() can take a very long time, long enough to
		lose accounting information. Another cause of lost session information
		is DNS inaccessibility (during restart, crash etc.), because RADIUS uses
		reverse lookups for IP-to-name translation and uses the NAME to retrieve
		the "shared secret" from the CLIENTS file. Since the secret is selected by
		the reverse-DNS name of the packet's source address, the CLIENTS lookup
		depends on DNS answering, and answering correctly, for every NAS.

 *  2-FEB-1999	vms_stuff.c/vms_get_stat() - if the user/nas_ip/port of an existing entry
		equal those of the request being checked, the session count is not incremented.

 *  3-FEB-1999	radiusd.c/rad_authenticate() - fixed a bug with auth packets that contain no
		NAS-Port attribute; this caused an ACCVIO error at line 10480.

 *  5-FEB-1999	Some modifications in UTIL.C/ip_hostname(), VMS_STUFF.C/vms_alarm(), LOG.C/log_msg().
		DNS cache capability.

 * 19-FEB-1999	Created two versions of RADIUS: basic and enhanced.

		BASIC version:
		- SYSUAF-based authentication
		- AUDIT + OPCOM messaging
		- Security checks tied into VMS INTRUSION DETECTION
		- Accounting based on VMS ACCOUNTING with full
		..tracking of user/NAS/port activity

		ENHANCED version:
		- Use of rights identifiers for additional authorization
		- Session limit checking support
		- Connection speed checking support

 * 28-FEB-1999	Some changes in radiusd.c/rad_authenticate() - session limit checking is
		skipped if the received auth packet contains no port type. This fix allows
		use of the Linux PAM module, which authenticates local users by
		requests to the RADIUS server. Note that this also means any Access-Request
		without a NAS-Port-Type attribute is not subject to MAX-Session-Limit.

-------------------
To Do
-------------------
 * I.	Resting...

C U SysMan (MailTo:"Ruslan R. Laishev" <Laishev@SMTP.DeltaTel.RU>).
