RADIUS 2.01 for OpenVMS porting notes
-------------------
Features
-------------------
- Full support of Livingston's RADIUS 2.0 specification
- SYSUAF-based authentication
- AUDIT + OPCOM messaging
- Highest security, based on VMS INTRUSION DETECTION
- Use of rights identifiers for additional authorization
- Session limit checking support
- Connection speed checking support
- Accounting based on VMS ACCOUNTING, with full
  tracking of user/NAS/port activity
- Works in a cluster environment with shared data files
- Flexible maintenance procedures for non-stop operation
- High performance with a large USERS file
- Caching of IP names for reverse lookups
- All files produced by RADIUS are fully documented, so you can
  write your own utilities
- This port is supported by the author for a reasonable fee
- New features can be added at your request ASAP
-------------------
Requirements
-------------------
OS: OpenVMS 6.1 or later (VAX/Alpha)
Priv: SECURITY - for the scan-intrusion (intrusion detection) calls
      SYSPRV - for access to SYSUAF.DAT
      NETMBX,TMPMBX - usual
      OPER,WORLD - for sending messages to OPCOM
TCP/IP support: UCX (tested), TCPware-TCP (tested).
Compiler: DEC C 5.0 or later
-------------------
Installation
-------------------
* I. Put the distribution kit (Zip file) in the directory chosen for
RADIUS, unpack it, and build the executable image of the RADIUS server.
* II. Revise and edit RADIUS_STARTUP.COM and RADIUS_START.COM from the distribution kit.
* III. Create a special account entry in SYSUAF for RADIUS as follows:
Username: INET_RADIUS Owner: RADIUS Server
Account: TCP-IP UIC: [375,302] ([INET,INET_RADIUS])
CLI: DCL Tables: DCLTABLES
Default: INET$ROOT:[RADIUS]
LGICMD: LOGIN
Flags: Restricted
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
Primary 000000000011111111112222 Secondary 000000000011111111112222
Day Hours 012345678901234567890123 Day Hours 012345678901234567890123
Network: ##### Full access ###### ##### Full access ######
Batch: ----- No access ------ ----- No access ------
Local: ----- No access ------ ----- No access ------
Dialup: ----- No access ------ ----- No access ------
Remote: ----- No access ------ ----- No access ------
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: (none) Pwdchange: (pre-expired) (pre-expired)
Last Login: (none) (interactive), 29-OCT-1998 11:50 (non-interactive)
Maxjobs: 0 Fillm: 300 Bytlm: 32768
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 40 JTquota: 4096
Prclm: 8 DIOlm: 40 WSdef: 256
Prio: 6 ASTlm: 40 WSquo: 256
Queprio: 0 TQElm: 40 WSextent: 512
CPU: (none) Enqlm: 2000 Pgflquo: 32768
Authorized Privileges:
NETMBX SECURITY SYSPRV TMPMBX
OPER WORLD
Default Privileges:
NETMBX SECURITY SYSPRV TMPMBX
OPER WORLD
* IV. Optionally, add two entries to the SERVICES file; an example for TCPware-TCP
follows:
...
radius 1645/udp
radact 1646/udp
...
* V. Edit the CLIENTS file from the RADIUS distribution kit to add the IP names of your Network
Access Servers and their "shared secret" (don't forget that the maximum length of
the "shared secret" is 8 bytes).
* VI. Start the RADIUS server as a detached process with RADIUS_STARTUP.COM, or, for debugging,
run RADIUS_START.COM from the command line.
* VII. Use the RT.EXE utility to verify that RADIUS can see the USERS/CLIENTS/DICTIONARY files.
-------------------
Changes & Additions
-------------------
* I. This version of RADIUS can use SYSUAF for the authentication and
authorization task via the sys$getuai system service. This
feature of the server is activated by parameters in the RADIUS
USERS. file as follows:
...
rrl Auth-Type = System
...
or
...
DEFAULT Password = "UNIX"   (Password = "VMS" can be used as well)
...
During the authentication phase of the login procedure the server
checks the following SYSUAF parameters: /FLAG=(DISUSER,RESTRICTED),
/EXPIRATION=time, /DIALUP=range, /PRIMEDAYS=([NO]day[,...]), /PASSWORD.
If login is not allowed by the UAF, intrusion information is stored for
use next time. At the successful end of this phase the
"Last login: non-interactive" field is updated for this user in
SYSUAF. All login failures are stored in the VMS AUDIT database; you can
use the ANALYZE/AUDIT utility to search and retrieve this information.
*NOTE: - There is a natural limitation on parameter length:
  username <= 12 bytes,
  password <= 32 bytes.
- A username containing a space or tab is not allowed.
* II. Three special SYSUAF rights identifiers can be used for additional
authorization of users:
56K - for users whose connection speed is in the range 33600 .. 56K (56*1024)
ISDN - for users with an ISDN type of connection (i.e. NAS-Port-Type)
DUALPORT - equivalent to "MAX-Session-Limit = 2" in the RADIUS USERS file.
*NOTE: - If no IDs are defined in SYSUAF, the check is not performed!!
- This check is performed for SYSUAF users only!!!
- The connection speed value is taken from the "Connect-Info"
  attribute; check the documentation of your equipment for
  its ability to supply this information!!!
- DUALPORT overrides MAX-Session-Limit in the RADIUS USERS file.
* III. This server also stores accounting information in an additional file
which can be read by the VMS ACCOUNTING utility as usual. The accounting
record is created at the end of a session (see "Acct-Status-Type = Stop"
in the DETAIL file).
*NOTE: - A session with zero elapsed time is recorded as a LOGIN FAILURE,
  with elapsed time 0 00:00:00.95!!!
- Don't try to put information into the VMS System Accounting file by
  defining radius_accounting as sys$manager:accountng.dat!!!
* IV. VMS Accounting
This is an example of an accounting record in the RADIUS_ACCOUNTING file:
NETWORK Process Termination
---------------------------
Username: CC_RRL UIC: [PUBLIC,CC_RRL]
Account: Finish time: 29-JAN-1999 00:02:23.94
Process ID: 32015396 Start time: 28-JAN-1999 23:56:58.94
Owner ID: Elapsed time: 0 00:05:25.00
Terminal name: ISDN Processor time: 0 00:00:00.00
Remote node addr: Priority: 0
Remote node name: Privilege <31-00>: 00000000
Remote ID: Privilege <63-32>: 00000000
Remote full name: modem106.somewhere.net
Queue entry: 18 Final status code: 00000001
Queue name: nas806.somewhere.net
Job name: PPP
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults: 38400 Direct IO: 404
Page fault reads: 0 Buffered IO: 363
Peak working set: 0 Volumes mounted: 0
Peak page file: 0 Images executed: 0
This is the record that was written to the .DETAIL file:
Fri Jan 29 00:02:23 1999
Acct-Session-Id = "32015396"
User-Name = "CC_RRL"
NAS-IP-Address = 172.16.1.30
NAS-Port = 18
NAS-Port-Type = ISDN
Acct-Status-Type = Stop
Acct-Session-Time = 325
Acct-Authentic = RADIUS
Acct-Input-Octets = 404
Acct-Output-Octets = 363
Acct-Terminate-Cause = User-Request
Connection-Info = "38400/V42bis"
Vendor-Specific = 307
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.17.1.32
Acct-Delay-Time = 0
Timestamp = 917589743
Request-Authenticator = Unverified
----------------------------------------------------------------------
VMS Accounting field   |.EQ.| RADIUS Accounting
----------------------------------------------------------------------
Username               | User-Name
Account (from SYSUAF)  |
UIC (from SYSUAF)      |
Process ID             | Acct-Session-Id
Page faults            | Connection-Info
Direct IO              | Acct-Input-Octets
Buffered IO            | Acct-Output-Octets
Remote full name       | Framed-IP-Address (resolved)
Queue entry            | NAS-Port
Queue name             | NAS-IP-Address (resolved)
Job name               | Framed-Protocol
Finish time            | Date of record
Start time             | Date of record - Acct-Session-Time
Final status code      | Acct-Termination-Cause
----------------------------------------------------------------------
*NOTE: - A session with zero elapsed time will be recorded in
  ACCOUNTING as a failed login attempt.
- Don't use prefixes in the USERS file.
- The RADIUS_ACCOUNTING file is reopened at 24:00:00 every calendar day;
  you can use this to recreate RADIUS_ACCOUNTING.
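The mapping table above, worked as an added example (this is not code from the RADIUS 2.01 port or from Livingston's sources): a small C parser reads one Stop record in the .DETAIL format shown earlier, constructed inline from the sample record above, and fills the VMS ACCOUNTING fields the table names, deriving Start time as Timestamp minus Acct-Session-Time and flagging a zero-elapsed session as the LOGFAIL case from the note above. The struct and function names are this example's own; the 12-byte username limit comes from these notes, and a longer name is rejected rather than copied into the fixed buffer.

```c
/* Added example, not code from the RADIUS 2.01 port: parse one Stop record from a
 * .DETAIL file into the fields the mapping table puts in the VMS ACCOUNTING record. */
#include <stdlib.h>
#include <string.h>
#define MAX_USERNAME 12              /* limit stated in these notes */
struct acct_record {
    char user[MAX_USERNAME + 1];     /* Username    <- User-Name */
    char session_id[32];             /* Process ID  <- Acct-Session-Id */
    long nas_port;                   /* Queue entry <- NAS-Port */
    long page_faults;                /* Page faults <- speed in Connection-Info */
    long direct_io;                  /* Direct IO   <- Acct-Input-Octets */
    long buffered_io;                /* Buffered IO <- Acct-Output-Octets */
    long finish_time;                /* Finish time <- Timestamp (Unix seconds) */
    long start_time;                 /* Start time  <- Timestamp - Acct-Session-Time */
    long elapsed;                    /* Acct-Session-Time */
    int login_failure;               /* elapsed == 0: ACCOUNTING shows a LOGFAIL */
};
/* If line is "<name> = <value>", copy the value (quotes stripped) into buf and return 1.
 * "NAS-Port" does not match "NAS-Port-Type": after the name only blanks then '=' may follow. */
static int detail_value(const char *line, const char *name, char *buf, size_t buflen)
{
    size_t n = strlen(name), len;
    while (*line == ' ' || *line == '\t') line++;
    if (strncmp(line, name, n) != 0) return 0;
    line += n;
    while (*line == ' ') line++;
    if (*line++ != '=') return 0;
    while (*line == ' ') line++;
    if (*line == '"') {                      /* quoted string value */
        const char *end = strchr(++line, '"');
        if (!end) return 0;
        len = (size_t)(end - line);
    } else {
        len = strcspn(line, "\r\n");
    }
    if (len >= buflen) len = buflen - 1;
    memcpy(buf, line, len);
    buf[len] = '\0';
    return 1;
}
/* Returns 0 on success; -1 if User-Name is missing, longer than MAX_USERNAME or contains
 * a blank (rejected instead of overflowing the fixed buffer, the class of bug fixed on
 * 29-JAN-1999); -2 if the record is not an Acct-Status-Type = Stop record. */
int parse_detail_record(const char *text, struct acct_record *r)
{
    char val[128], status[32] = "", buf[256];
    int have_user = 0;
    const char *line = text;
    memset(r, 0, sizeof *r);
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (detail_value(buf, "User-Name", val, sizeof val)) {
            if (strlen(val) > MAX_USERNAME || strpbrk(val, " \t")) return -1;
            strcpy(r->user, val);                /* safe: length checked above */
            have_user = 1;
        } else if (detail_value(buf, "Acct-Session-Id", val, sizeof val)) {
            strncpy(r->session_id, val, sizeof r->session_id - 1);
        } else if (detail_value(buf, "Acct-Status-Type", status, sizeof status)) {
            /* kept for the Stop check below */
        } else if (detail_value(buf, "NAS-Port", val, sizeof val)) {
            r->nas_port = atol(val);
        } else if (detail_value(buf, "Acct-Session-Time", val, sizeof val)) {
            r->elapsed = atol(val);
        } else if (detail_value(buf, "Acct-Input-Octets", val, sizeof val)) {
            r->direct_io = atol(val);
        } else if (detail_value(buf, "Acct-Output-Octets", val, sizeof val)) {
            r->buffered_io = atol(val);
        } else if (detail_value(buf, "Connection-Info", val, sizeof val)) {
            r->page_faults = atol(val);          /* "38400/V42bis" -> 38400 */
        } else if (detail_value(buf, "Timestamp", val, sizeof val)) {
            r->finish_time = atol(val);
        }
        if (!nl) break;
        line = nl + 1;
    }
    if (!have_user) return -1;
    if (strcmp(status, "Stop") != 0) return -2;
    r->start_time = r->finish_time - r->elapsed;
    r->login_failure = (r->elapsed == 0);
    return 0;
}
/* Constructed sample input: the Stop record shown in these notes. */
static const char sample_detail[] =
    "Fri Jan 29 00:02:23 1999\n"
    "\tAcct-Session-Id = \"32015396\"\n"
    "\tUser-Name = \"CC_RRL\"\n"
    "\tNAS-Port = 18\n"
    "\tNAS-Port-Type = ISDN\n"
    "\tAcct-Status-Type = Stop\n"
    "\tAcct-Session-Time = 325\n"
    "\tAcct-Input-Octets = 404\n"
    "\tAcct-Output-Octets = 363\n"
    "\tConnection-Info = \"38400/V42bis\"\n"
    "\tTimestamp = 917589743\n";
```

With the sample record, parse_detail_record() yields Start time 917589418, which is 325 seconds before the Timestamp, matching the 28-JAN-1999 23:56:58 start in the accounting record above; a Start record returns -2 and is not turned into an accounting record, because the port writes accounting only at Stop.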
* V. This version does not allow password changing by RADPASS or
similar facilities.
* VI. This port can check a maximum session limit if the USERS. file
contains the MAX-Session-Limit parameter as a "Check Item" for a particular user.
This check is performed using information from the RADIUS_CURRENT
file. Please use this feature with care: a session
is "started" when a "Start" accounting packet is received from the NAS, and
a session is closed when a "Stop" packet is received from the NAS. Equipment
from some vendors sends these packets with a long delay, for example the 3Com/USR TC.
There are several reasons for this: high CPU and I/O load on the system
where RADIUS/ACCT lives, and incorrect behaviour of the NAS's embedded
software.
* VII. Optimization issues
All critical file I/O is rewritten with RMS I/O; in particular,
access to the USERS. file is controlled by the following discipline:
the USERS. file is opened at server start and stays open while the server runs;
every 10 minutes (0 00:10:00.00) the file is marked as
expired by setting a special flag; when the next request arrives the
file is reopened and the expiration flag is cleared.
This discipline reduces the overhead of opening the file during
processing of each authentication request, and takes advantage of
buffered I/O with a large number of RMS buffers.
All IP-to-NAME (reverse resolving) translation requests use caching.
-------------------
Logicals
-------------------
RADIUS_DIR - root RADIUS directory
RADACCT_DIR - where .DETAIL files are placed
RADIUS_ACCOUNTING - accounting file in VMS ACCOUNTING format
RADIUS_DICTIONARY - RADIUS dictionary file
RADIUS_CLIENTS - RADIUS clients file
RADIUS_USERS - RADIUS users file
RADIUS_LOGFILE - RADIUS log file
RADIUS_DEBUG - put debug information in the log file
RADIUS_DISABLE_RIGHTSCHECK - the existence of this logical disables
checking of all IDs in SYSUAF
RADIUS_DISABLE_SESSIONLIMIT - the existence of this logical disables
session limit checking
RADIUS_CURRENT - file containing "show session"-like
information about user activity on the NASes' ports.
RADIUS_NODETAIL - disables writing accounting information to .DETAIL
files
-------------------
Appendix
-------------------
* A. Authentication flow (USERS. : Auth-Type = System, or Password = "UNIX",
or Password = "VMS")
Performed by vms_stuff/vms_login():
*NOTE: - The username/password pair is compared case-insensitively.
- Type of login is DIALUP.
Step 0.0:IF NO_USER in SYSUAF
- put user in intruders list with No Such User status,
alarm event,
reject.
Step 0.1:IF (DISUSER or RESTRICTED ) or (EXPIRATION < current time)
- put user in intruders list with Invalid Login status,
audit+alarm events,
reject.
Step 0.2:IF (PASSWORD is INVALID)
- put user in intruders list with Authentication Fail status,
audit+alarm events,
reject.
Step 0.3:IF (USER in INTRUDER LIST)
- reject
Step 0.4:IF (DIALUP login is not allowed at this time)
- put user in intruders list with Invalid Login Time status,
audit+alarm events,
reject.
Step 0.5: You Are Welcome!!!
- modify the "Last login: non-interactive" field in SYSUAF.DAT
  for this user; this fact is registered by AUDIT as well. :)
Performed by vms_stuff/vms_right():
Step 2.0:IF (USER connection speed < 33600)
- skip to Step 3.0
Step 2.1:IF (USER connection speed within [33600 ... 56*1024]) &&
(USER doesn't have 56K)
- Send message to OPCOM;
reject.
Step 2.2:IF (USER connection type > 1) &&
(USER doesn't have ISDN rights id)
- Send message to OPCOM;
reject.
Step 3.0 - IF (USER has DUALPORT rights id)
- set MAX-Session-Limit = 2 for this user.
*NOTE: - IF no IDs are defined in the rights list, the result of the
  vms_right() check is TRUE!!!
Performed by vms_stuff/vms_get_stat():
Step 4.0 - IF (USER tries to get sessions > MAX-Session-Limit)
- Send message to OPCOM;
reject.
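The step sequence above as an added example (this is not code from the port's vms_stuff module): pure C functions apply the same checks in the same order over a hypothetical snapshot of the UAF fields, counting the intrusion/audit/alarm/OPCOM events each step raises instead of calling the VMS services. All struct and function names are assumptions of this example; the order of checks, the case-insensitive compare, the 33600 .. 56*1024 speed band, the "no IDs defined means TRUE" rule and the DUALPORT limit of 2 follow the notes.

```c
/* Added example, not code from the port's vms_stuff module: the appendix steps as pure
 * functions over a hypothetical UAF snapshot, counting the events each step raises. */
#include <ctype.h>
#include <string.h>
enum auth_result {
    AUTH_OK, REJ_NO_SUCH_USER /* 0.0 */, REJ_INVALID_LOGIN /* 0.1 */, REJ_AUTH_FAIL /* 0.2 */,
    REJ_INTRUDER /* 0.3 */, REJ_INVALID_LOGIN_TIME /* 0.4 */, REJ_NEED_56K /* 2.1 */,
    REJ_NEED_ISDN /* 2.2 */, REJ_SESSION_LIMIT /* 4.0 */
};
/* Hypothetical stand-in for what sys$getuai returns for the user (assumed layout). */
struct uaf_entry {
    int exists, disuser, restricted, in_intruder_list;
    long expiration;                    /* 0 = (none) */
    const char *password;
    unsigned dialup_hours;              /* bit h set = DIALUP allowed at hour h */
    int has_56k, has_isdn, has_dualport;/* rights identifiers held */
};
/* One request as the server sees it (assumed layout). */
struct auth_request {
    const char *password;
    long now; int hour;                 /* current time and hour of day 0..23 */
    long speed;                         /* from Connect-Info */
    int port_type;                      /* NAS-Port-Type; > 1 counts as ISDN here */
    int current_sessions;               /* from RADIUS_CURRENT */
    int max_session_limit;              /* MAX-Session-Limit check item, 0 = none */
    int ids_defined;                    /* 0 = no 56K/ISDN/DUALPORT IDs exist in SYSUAF */
};
/* Side effects each step would raise, counted instead of performed. */
struct events { int intrusion, audit, alarm, opcom, last_login_updated; };
/* The notes say the pair is compared without case sensitivity. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Steps 0.0 - 0.5 (vms_login). */
enum auth_result login_steps(const struct uaf_entry *u, const struct auth_request *q,
                             struct events *ev)
{
    if (!u->exists) {                                          /* 0.0 */
        ev->intrusion++; ev->alarm++; return REJ_NO_SUCH_USER;
    }
    if (u->disuser || u->restricted || (u->expiration && u->expiration < q->now)) { /* 0.1 */
        ev->intrusion++; ev->audit++; ev->alarm++; return REJ_INVALID_LOGIN;
    }
    if (!u->password || !ieq(u->password, q->password)) {      /* 0.2 */
        ev->intrusion++; ev->audit++; ev->alarm++; return REJ_AUTH_FAIL;
    }
    if (u->in_intruder_list) return REJ_INTRUDER;              /* 0.3 */
    if (q->hour < 0 || q->hour > 23 || !((u->dialup_hours >> q->hour) & 1u)) { /* 0.4 */
        ev->intrusion++; ev->audit++; ev->alarm++; return REJ_INVALID_LOGIN_TIME;
    }
    ev->last_login_updated = 1; ev->audit++;                   /* 0.5 */
    return AUTH_OK;
}
/* Steps 2.0 - 3.0 (vms_right); *limit is the session limit after DUALPORT. */
enum auth_result rights_steps(const struct uaf_entry *u, const struct auth_request *q,
                              struct events *ev, int *limit)
{
    *limit = q->max_session_limit;
    if (!q->ids_defined) return AUTH_OK;      /* no IDs defined: the result is TRUE */
    if (q->speed >= 33600) {                  /* 2.0: slower links skip to 3.0 */
        if (q->speed <= 56 * 1024 && !u->has_56k) {            /* 2.1 */
            ev->opcom++; return REJ_NEED_56K;
        }
        if (q->port_type > 1 && !u->has_isdn) {                /* 2.2 */
            ev->opcom++; return REJ_NEED_ISDN;
        }
    }
    if (u->has_dualport) *limit = 2;                           /* 3.0 */
    return AUTH_OK;
}
/* Whole flow: login, then rights, then step 4.0 (vms_get_stat). */
enum auth_result authenticate(const struct uaf_entry *u, const struct auth_request *q,
                              struct events *ev)
{
    enum auth_result r; int limit;
    memset(ev, 0, sizeof *ev);
    if ((r = login_steps(u, q, ev)) != AUTH_OK) return r;
    if ((r = rights_steps(u, q, ev, &limit)) != AUTH_OK) return r;
    if (limit > 0 && q->current_sessions + 1 > limit) {        /* 4.0 */
        ev->opcom++; return REJ_SESSION_LIMIT;
    }
    return AUTH_OK;
}
```

Two details worth noticing when reading the result counters: the intruder-list check (0.3) runs after the password check, so a listed intruder presenting the right password is still rejected without a new intrusion record, and with RADIUS_DISABLE_RIGHTSCHECK (modelled here as ids_defined = 0) the DUALPORT raise never happens, so the USERS file limit stays in force.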
-------------------
Limitations
-------------------
* A. Use of RADIUS prefixes is not allowed!!! Suffixes must
start with the character '%'!!!
* B. There is a natural limitation on parameter length: username <= 12,
password <= 32 bytes.
A username containing a space or tab is not allowed and will cause an
authentication error.
-------------------
FAQ
-------------------
* Q1. Why can't we allow password change by RADPASS?
A1. This functionality will probably be added later.
* Q2. Are we recording login failures somewhere?
A2. This information is recorded in the AUDIT SECURITY journal; you can
search and retrieve it with the VMS ANALYZE/AUDIT facility. In
addition, a session with zero elapsed time is recorded in ACCOUNTING
as a failed login attempt.
To retrieve that information use ACCOUNTING /TYPE=LOGFAIL ...
* Q3. How easy will it be to install and maintain?
A3. As easy as RADIUS 1.16. In addition, read these notes with attention; otherwise
don't hesitate to call support. :))
* Q4. Will there be any way to see who is currently online, or look up an
individual user and figure out what his IP address is? (Then we
can do some cool CGI stuff for them, i.e. say "You've got mail" when
he opens our homepage.)
A4. This functionality is not present in the original RADIUS at all. There is
no simple and dependable way to keep and maintain this information.
But this functionality is present in this version. The information is stored
in the file RADIUS_CURRENT, which you can display with TYPE, or write a
small DCL procedure if you need to display NAS/port usage periodically.
Format of the RADIUS_CURRENT file:
Offset Length Name        Description
0      15     NAS_ip      NAS's IP address
16     3      NAS_port    NAS's port number
20     32     NAS_ipname  NAS's IP name if resolved,
                          otherwise the IP address.
54     12     User        Username
67     15     Framed-IP   Framed IP address (not resolved)
                          assigned to the client during
                          login.
Use the RADIUS_LOOKUP.C program as an example of using information from the
RADIUS_CURRENT file.
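An added example (not RADIUS_LOOKUP.C from the kit) that encodes and decodes records in the layout above and looks up a user's framed IP address by username. It assumes, since the notes do not say, that records are 82 bytes long, blank-padded, and stored back to back with no terminator; the sample records are constructed from the accounting example earlier in these notes plus one invented entry, and all function names are this example's own.

```c
/* Added example, not the port's RADIUS_LOOKUP.C: encode and decode the fixed-offset
 * RADIUS_CURRENT record and look a user up by name. Assumption (not in the notes):
 * records are 82 bytes, blank-padded, stored back to back. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CUR_RECLEN 82
#define F_NAS_IP   0, 15     /* offset, length pairs from the format table */
#define F_NAS_PORT 16, 3
#define F_NAS_NAME 20, 32
#define F_USER     54, 12
#define F_FRAMED   67, 15
struct current_rec {
    char nas_ip[16];     /* NAS's IP address */
    int  nas_port;       /* NAS's port number */
    char nas_name[33];   /* NAS IP name if resolved, otherwise its address */
    char user[13];       /* Username (<= 12 bytes) */
    char framed_ip[16];  /* Framed IP address assigned to the client */
};
/* Copy s into rec[off..off+len), blank-padded; refuse strings that do not fit. */
static int put_field(char *rec, int off, int len, const char *s)
{
    size_t n = strlen(s);
    if (n > (size_t)len) return -1;
    memset(rec + off, ' ', (size_t)len);
    memcpy(rec + off, s, n);
    return 0;
}
/* Copy rec[off..off+len) into out, dropping trailing blanks. */
static void get_field(const char *rec, int off, int len, char *out)
{
    memcpy(out, rec + off, (size_t)len);
    out[len] = '\0';
    while (len > 0 && out[len - 1] == ' ') out[--len] = '\0';
}
/* Returns 0 on success, -1 if a value does not fit its field. */
int format_current_record(char rec[CUR_RECLEN], const struct current_rec *r)
{
    char port[8];
    if (r->nas_port < 0 || r->nas_port > 999) return -1;
    snprintf(port, sizeof port, "%3d", r->nas_port);
    memset(rec, ' ', CUR_RECLEN);
    if (put_field(rec, F_NAS_IP, r->nas_ip) || put_field(rec, F_NAS_PORT, port) ||
        put_field(rec, F_NAS_NAME, r->nas_name) || put_field(rec, F_USER, r->user) ||
        put_field(rec, F_FRAMED, r->framed_ip))
        return -1;
    return 0;
}
void parse_current_record(const char rec[CUR_RECLEN], struct current_rec *r)
{
    char port[4];
    get_field(rec, F_NAS_IP, r->nas_ip);
    get_field(rec, F_NAS_PORT, port);
    r->nas_port = atoi(port);
    get_field(rec, F_NAS_NAME, r->nas_name);
    get_field(rec, F_USER, r->user);
    get_field(rec, F_FRAMED, r->framed_ip);
}
/* Scan back-to-back records for user; returns 1 and fills *out on the first exact
 * match (as the file stores it), 0 if not found. */
int lookup_current_user(const char *file, size_t filelen, const char *user,
                        struct current_rec *out)
{
    size_t i;
    for (i = 0; i + CUR_RECLEN <= filelen; i += CUR_RECLEN) {
        parse_current_record(file + i, out);
        if (strcmp(out->user, user) == 0) return 1;
    }
    return 0;
}
/* Constructed sample file with two sessions: the values from the accounting example
 * in these notes, plus one made-up entry whose NAS name did not resolve. */
size_t build_sample_file(char *buf, size_t buflen)
{
    struct current_rec a = { "172.16.1.30", 18, "nas806.somewhere.net", "CC_RRL", "172.17.1.32" };
    struct current_rec b = { "172.16.1.31", 7, "172.16.1.31", "GUEST", "172.17.1.40" };
    if (buflen < 2 * CUR_RECLEN) return 0;
    if (format_current_record(buf, &a) || format_current_record(buf + CUR_RECLEN, &b)) return 0;
    return 2 * CUR_RECLEN;
}
int main(void)
{
    char file[2 * CUR_RECLEN];
    struct current_rec r;
    size_t n = build_sample_file(file, sizeof file);
    if (lookup_current_user(file, n, "CC_RRL", &r))
        printf("%s is on %s port %d with address %s\n", r.user, r.nas_name, r.nas_port, r.framed_ip);
    return 0;
}
```

Because the record is fixed-length, a username longer than 12 bytes cannot be stored; format_current_record() refuses it instead of truncating, which keeps a lookup from matching the wrong account.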
-------------------
Troubleshooting
-------------------
* 11-JAN-1999 Fixed bug with /EXPIRATION date checking
* accounting: could not append to file radacct_dir:.detail
* 19-JAN-1999 Fixed some incorrectness in the ACCT.C module: if the .DETAIL file was locked,
accounting was not written at all. This caused accumulation of "busy"
lines and exceeding of the session limit.
Added the GBC file attribute to radius_current to improve access speed.
* 22-JAN-1999 Added logicals to disable writing of information to the
radacct_dir:.detail files.
* "-ACC-W-INVTIME, record XXX has time in the future"
* 29-JAN-1999 Fixed a buffer overflow when copying the username in ACCT.C; this
overflow caused the "-ACC-W-INVTIME, record XXX has time in the future"
error message when the VMS ACCOUNTING utility is used with the radius_accounting.dat
file.
Some modifications in VMS_STUFF.C/vms_accounting(): now all information from the
.DETAIL file is gathered into separate fields. This is more useful for selection.
Some modifications in the RADIUS.C module for DEC C 6.0/VAX compiler compatibility.
* 1-FEB-1999 Disabled reverse lookup in the ACCT.C module for Framed-IP-Address
and NAS-Address: gethostbyaddr() takes a very long time to execute, long enough to
lose accounting information. Yet another reason for losing session information
is DNS inaccessibility (during restart, crash etc.), because RADIUS uses
reverse lookup for IP-to-NAME translation, and uses the NAME to retrieve the
"shared secret" from the CLIENTS file.
* 2-FEB-1999 vms_stuff.c/vms_get_stat() - If user/nas_ip/port are equal to the parameters being
checked, the session count is not incremented.
* 3-FEB-1999 radiusd.c/rad_authenticate() - fixed a bug with auth packets that contain no
NAS-Port attribute; this caused an ACCVIO error at line 10480.
* 5-FEB-1999 Some modifications in UTIL.C/ip_hostname(), VMS_STUFF.C/vms_alarm(), LOG.C/log_msg().
DNS cache capability.
* 19-FEB-1999 Created two versions of RADIUS: basic and enhanced.
BASIC version:
- SYSUAF-based authentication
- AUDIT + OPCOM messaging
- Highest security, based on VMS INTRUSION DETECTION
- Accounting based on VMS ACCOUNTING, with full
  tracking of user/NAS/port activity
ENHANCED version:
- Use of rights identifiers for additional authorization
- Session limit checking support
- Connection speed checking support
* 28-FEB-1999 Some changes in radiusd.c/rad_authenticate() - to prevent session limit
checking if the received auth packet does not contain a port type. This fix allows
the use of the Linux PAM module, which authenticates local users
by requests to the RADIUS server.
-------------------
To Do
-------------------
* I. Resting...
C U SysMan (MailTo:"Ruslan R. Laishev" ).
Name Created Size Description
livingston/ 21-Jan-2001 16:16 1,024 subdirectory
org/ 21-Jan-2001 16:16 512 subdirectory
acct.c 3-Mar-1999 23:51 14,923 C source
acc_test.c 18-Nov-1998 14:03 4,130 C source
attrprint.c 20-Oct-1998 13:01 3,282 C source
badacc.c 28-Jan-1999 18:02 1,977 C source
clients 19-Feb-1999 12:47 366 plain text
conf.h 13-Oct-1998 01:25 1,338 C header
cp.com 22-May-1999 13:40 86 DCL procedure
descrip.mms 28-Apr-1999 23:24 2,410 Module Management System rules
dict.c 29-Oct-1998 15:29 7,390 C source
dictionary 9-Nov-1998 15:18 7,156 plain text
fdset.h 29-Oct-1996 11:02 948 C header
iledef.h 28-Jan-1999 19:28 5,040 C header
ipass_fetch.c 4-Dec-1998 09:56 10,136 C source
lgidef.h 29-Oct-1998 15:59 2,228 C header
log.c 4-Feb-1999 22:02 2,763 C source
md5.c 5-Jun-1997 09:52 10,711 C source
md5.h 5-Jun-1997 09:52 2,220 C header
menu.c 5-Jun-1997 09:52 6,487 C source
rad.com 4-Feb-1999 20:56 542 DCL procedure
radclear.com 26-Nov-1998 10:54 1,626 DCL procedure
radius.h 21-Feb-1999 00:47 6,356 C header
radius201.zip 22-May-1999 13:43 67,414 ZIP-compressed
radiusd.c 22-May-1999 13:34 35,586 C source
radiusd.com 30-Oct-1998 21:59 449 DCL procedure
radius_accounting.fdl 4-Dec-1998 11:11 579 VMS File Definition Language
radius_accounting_new.com 4-Dec-1998 11:50 1,160 DCL procedure
radius_lookup.c 19-Jan-1999 23:05 2,408 C source
radius_start.com 29-Jan-1999 12:00 1,269 DCL procedure
radius_startup.com 29-Jan-1999 11:58 504 DCL procedure
radtest.c 12-Nov-1998 13:59 9,677 C source
rad_netio.c 3-Mar-1999 23:35 2,562 C source
readme.txt 1-Mar-1999 19:24 18,102 plain text
rsay.c 22-May-1999 13:36 4,624 C source
rt.c 12-Nov-1998 21:01 8,518 C source
rwho.c 22-May-1999 13:37 4,590 C source
securid.c 5-Jun-1997 09:52 6,337 C source
users 4-Feb-1999 21:38 318 plain text
users.c 20-Feb-1999 14:09 12,068 C source
users.h 22-Oct-1998 16:15 1,383 C header
util.c 1-Apr-1999 15:58 7,270 C source
version.c 20-Feb-1999 20:28 3,166 C source
vms_stuff.c 20-Feb-1999 14:32 18,875 C source