PortAuthority

Version 2.1.0 Build 548-006


Introduction

This release note documents commands and features not covered in the PortAuthority Administrator's Guide.

See "Software Requirements", "Limitations of PortAuthority" and "Known Issues" for more information before installing.



Software Requirements

Operating System

PortAuthority is certified to run on the following platforms:
- Microsoft Windows NT Server 4.0 Service Pack 3
- Microsoft Windows NT Workstation 4.0 Service Pack 3
- Sun Solaris 2.5.1 (With Patches)
- Sun Solaris 2.6 (With Patches)
- Sun Solaris 2.7

PortAuthority is certified to run using the following Java environments:
- Solaris: Java Runtime Environment (JRE) 1.1.6.03
- Solaris: Java Development Kit (JDK) 1.1.6.03
- Windows NT: JRE 1.1.7
- Windows NT: JDK 1.1.7


Bugs Fixed

Bugs Fixed in Build 548-005

  • Fixed problem where some plug-in errors would not follow Method-On-Fail.
  • Attribute references to check-items will be removed implicitly, so that verifications don't fail at the end of the authentication chain.

Bugs Fixed in Build 548-005

  • CLI: Fixed bug where help would stop displaying.
  • DropAll: Entries in pa.log from the DropAll plug-in did not have the plug-in name prefixed to the log messages.
  • DropAll: The message defined in DropAll-Message was not logged to the pa.log file.
  • USS: Fixed bug where the count command in the USS CLI did not return any response.
  • USS: Fixed bug where issuing the list command in the USS CLI with an invalid option would hang the USS CLI session.
  • USS: Fixed bug where Group2Name and Group3Name used Group1Name's value.
  • Fixed bug where, if a verification item (check item) failed, a null pointer error was reported when not running in debug mode. The correct message was logged in debug mode. This was a logging error only and did not affect operation.
  • Fixed bug where a bad class name for a plug-in would report a null pointer error. It now reports an unloadable plug-in/method.

Bugs Fixed in Build 548-004

  • FilePass will correctly handle packets with no password if configured to do so.
  • Fixed bug where help was not displayed in the USS and admin servers.
  • Fixed bug where the web server would hang if the HTML directory was not present.
  • Fixed CallCheck null pointer exception if no Service-Type in packet.
  • Fixed pathing problem in NT batch files.
  • TestClient no longer requires the -script argument if -userfile is specified.
  • Fixed bug with relative and absolute paths in the http server.

Bugs Fixed in Build 548-003

  • pa UNIX script fixes: added background support, 'list' command, logging of standard out.
  • Allow_Missing_Username tag now allows missing user names.
  • Fixed problem with Framed-IP-Address not being recorded in State Server.
  • Fixed bug where FilePass would not follow Method-On-Fail on password mismatch in a regular users file.
  • Fixed bug where USS would not follow Method-On-Fail for limits failure.
  • Fixed bug with Framed-IP-Address and Framed-Address aliasing.
  • Fixed problem with trailing \ when looking for license during install.

Bugs Fixed in Build 548-002

  • Fixed problem where USS was not checking Port-Limit correctly.
  • Fixed problem with acct dir and -files on NT.
  • Fixed problem with non-GUI mode of install requiring an X Server.

Bugs Fixed in Build 548-001

  • Web page reference to host name fixed.
  • Fixed line delimiter for verification debug output.
  • PA now only creates a global acct dir if in "drop-in mode".
  • Fixed SHA password handling.
  • Deny-User plug-in takes -files into consideration.


New Features/Changes to the Manual

CallCheck: Method-On-Fail Support

The CallCheck plug-in will now follow the Method-On-Fail chain when a packet is processed that is not of Service-Type=Call-Check.

Crypt Passwords

PortAuthority now supports crypt passwords stored in user records. The syntax for specifying a password as UNIX crypt style is:

Password="{crypt}XXXXXXXXXX"

Where XXXXXXXXXX is the crypt password.

DenyUser: DenyUser-PassThruMode Property

The DenyUser plug-in's behavior is controlled by the DenyUser-PassThruMode property. If set to TRUE, then the rejection type is "user error" when a user is found in the list, which follows Method-On-Fail. If FALSE, then the rejection type is "forbidden" when a user is found in the list, which terminates the method chain.

FilePass: FilePass-AllowMissingPassword Property

The FilePass plug-in now has a FilePass-AllowMissingPassword method property. This will allow packets to be processed that do not contain a password. Valid settings for this method property are True and False. This property must be set to True when used to process Auth packets of Service-Type = Call-Check.

FilePass: User-Name Length

FilePass now supports User-Names up to 253 octets in length.

Proxy: Allow challenge-response from remote proxy host

The Proxy plug-in will now forward Access-Challenge from a remote host back to a client.

Logging events to syslog Service

PortAuthority may optionally log to a syslog server rather than a file. To configure this, set the property "Log_Location" in server_properties to the following:

Log_Location="method=syslog, host=<HOST>, facility=<FACILITY>, level=<LEVEL>"

Where <HOST> is the name of the host to send the syslog messages to.

Where <FACILITY> is one of the following keywords that represent a syslog facility:

LOG_KERN
LOG_USER
LOG_MAIL
LOG_DAEMON
LOG_AUTH
LOG_SYS
LOG_LPR
LOG_NEWS
LOG_UUCP
LOG_CRON
LOG_LOCAL0
LOG_LOCAL1
LOG_LOCAL2
LOG_LOCAL3
LOG_LOCAL4
LOG_LOCAL5
LOG_LOCAL6
LOG_LOCAL7

Where <LEVEL> is one of the following keywords that represent a syslog priority/level:

LOG_EMERG
LOG_ALERT
LOG_CRIT
LOG_ERR
LOG_WARNING
LOG_NOTICE
LOG_INFO
LOG_DEBUG
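
The following Python is an added example (not part of these release notes or of PortAuthority) that parses a Log_Location value of the form shown above and checks host, facility and level against the keyword lists given here, so a misspelled keyword is caught before start-up rather than silently losing authentication log output. Exact-match keyword comparison, the host name and the sample property lines are assumptions.

```python
# Added example for these notes (not PortAuthority code). It parses a Log_Location value
# of the form shown above and checks host, facility and level against the lists given
# there, so a misspelled keyword is caught before start-up instead of silently dropping
# security-relevant log output. Exact-match keywords and all sample lines are assumptions.

FACILITIES = frozenset(
    ["LOG_KERN", "LOG_USER", "LOG_MAIL", "LOG_DAEMON", "LOG_AUTH", "LOG_SYS",
     "LOG_LPR", "LOG_NEWS", "LOG_UUCP", "LOG_CRON"] + [f"LOG_LOCAL{i}" for i in range(8)]
)
LEVELS = frozenset(["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
                    "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"])
REQUIRED = ("method", "host", "facility", "level")

class LogLocationError(ValueError):
    """A Log_Location value that does not match the documented syslog form."""

def parse_log_location(value):
    """Parse 'method=syslog, host=H, facility=F, level=L' (surrounding quotes optional)
    and return {"method": "syslog", "host": H, "facility": F, "level": L}."""
    fields = {}
    for part in value.strip().strip('"').split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise LogLocationError(f"expected key=value, got {part!r}")
        key, val = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key not in REQUIRED:
            raise LogLocationError(f"unknown key {key!r}")
        if key in fields:
            raise LogLocationError(f"duplicate key {key!r}")
        fields[key] = val
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise LogLocationError("missing key(s): " + ", ".join(missing))
    if fields["method"] != "syslog":
        raise LogLocationError(f"unsupported method {fields['method']!r}; only syslog is handled")
    if not fields["host"]:
        raise LogLocationError("host must not be empty")
    if fields["facility"] not in FACILITIES:
        raise LogLocationError(f"unknown facility {fields['facility']!r}")
    if fields["level"] not in LEVELS:
        raise LogLocationError(f"unknown level {fields['level']!r}")
    return fields

def log_location_problem(value):
    """Return the error message for value, or None when it is acceptable."""
    try:
        parse_log_location(value)
    except LogLocationError as exc:
        return str(exc)
    return None

def check_property_lines(lines):
    """Return {line_number: problem_or_None} for every Log_Location= line in a
    server_properties file, so the check can run before the server is started."""
    report = {}
    for number, line in enumerate(lines, 1):
        if line.strip().startswith("Log_Location="):
            report[number] = log_location_problem(line.split("=", 1)[1])
    return report

# Constructed server_properties lines (host name and typos invented for the example).
SAMPLE_LINES = [
    'Log_Location="method=syslog, host=loghost.example.net, facility=LOG_AUTH, level=LOG_NOTICE"',
    'Log_Location="method=syslog, host=loghost.example.net, facility=LOG_LOCAL8, level=LOG_INFO"',
    'Log_Location="method=syslog, host=, facility=LOG_AUTH, level=LOG_WARN"',
]
```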

Method Property Tag Now Case Insensitive

All method tags are now case insensitive. Method tag values are still case sensitive. The following tags are still case sensitive:

Method-Type
Method-On-Fail
Method-Next

Server Property: Acct_Methods_Filename Property

The server property Acct_Methods_Filename can be used to select an alternate file name for the accounting methods. By default this is set to acct_methods.

Server Property: Allow_Accounting_Boomerang_Response Property

The server property Allow_Accounting_Boomerang_Response is used to control the contents of Accounting-Response packets. When set to True the entire contents of the Accounting-Request packet are echoed back to the client when an Accounting-Response is sent. By default this is set to True.

Server Property: Allow_Accounting_Custom_Response Property

The server property Allow_Accounting_Custom_Response is used to control the contents of Accounting-Response packets. When set to True the contents of the Accounting-Response packet are expected to be generated by a custom plug-in and placed in the response area for the request. By default this is set to False.

Server Property: Allow_Accounting_ACK_only Property

The server property Allow_Accounting_ACK_only is used to control the contents of Accounting-Response packets. When set to True the Accounting-Response packet contains no Attribute Value Pairs. By default this is set to False.

Server Property: File_ClientMethods Property

The server property File_ClientMethods can be used to select an alternate file name for the property file containing client-specific information, referenced by client type in the clients file. By default this is set to client_properties.

Server Property: File_Clients Property

The server property File_Clients can be used to select an alternate file name for the clients list. By default this is set to clients.

Server Property: File_Users Property

The server property File_Users can be used to select an alternate file name for the file containing user information when running in drop-in replacement mode. By default this is set to users.

Server Property: Methods_Filename Property

The server property Methods_Filename can be used to select an alternate file name for the file containing user authentication methods. By default this is set to auth_methods.

Server Property: Realms_Filename Property

The server property Realms_Filename can be used to select an alternate file name for the file containing the information for the starting method for Auth and Accounting packets. By default this is set to method_select.

SHA Passwords

PortAuthority now supports SHA-encrypted passwords stored in user records. The syntax for specifying a password as SHA style is:

Password="{SHA}XXXXXXXXXX"

Where XXXXXXXXXX is the encrypted password.

StateLimits: Limit Types

The USS now supports the following types of limits:

User
DNIS
Realm
Group1
Group2
Group3

User is a per-User-Name limit. DNIS is based on the called station ID. Realm is based on the user's realm. Group1, Group2, and Group3 are arbitrary user groupings.

The following are the valid method tags for controlling the limits:

StateLimits-UserLimit   - This tag is used to assign the per user limit based 
                          on User-Name.  
StateLimits-UserLabel   - This tag is used to uniquely identify a user when
                          counting the users limit (For example if you have
                          two users called bob in different name spaces) and
                          should be set to a unique string for each name 
                          space for each unique user.
StateLimits-DNISLimit   - This tag is used to assign an overall limit for a 
                          single Called-Station-Id.
StateLimits-RealmLimit  - This tag is used to assign an overall limit for a 
                          single user realm.
StateLimits-Group1Limit - This tag is used to assign an overall limit for the
                          first arbitrary group.
StateLimits-Group2Limit - This tag is used to assign an overall limit for the
                          second arbitrary group.
StateLimits-Group3Limit - This tag is used to assign an overall limit for the
                          third arbitrary group.
StateLimits-Group1Name  - This tag is used to set a unique name to identify 
                          the first arbitrary group.
StateLimits-Group2Name  - This tag is used to set a unique name to identify 
                          the second arbitrary group.
StateLimits-Group3Name  - This tag is used to set a unique name to identify
                          the third arbitrary group.

*** NOTE: The User Label and Group Names are case sensitive. The following are considered three different groups: Rei rei REI

StateLimits: Limit Syntax

The syntax has changed to allow each limit to be set to the value of an attribute as well as a constant. If an attribute is referenced as the value, then a default constant can be specified as well.

To reference the value of an attribute, the following syntax can be used:

	"$<namespace>.<attribute>:<constant>"

An example of this would be:

	StateLimits-UserLimit="$response.Port-Limit:1"

This would mean:  Get the value to use for the user limit from
the Port-Limit attribute in the user's return items (the response).

The "namespace" defines which set of attributes are being
referenced; legal values are:

	request		- Attributes in the accounting or
			  access request

	response	- Attributes in the user's return
			  items.

	check		- Attributes from the user's check-items.

	client		- Attributes for this client from
			  client_properties.

	server		- Attributes from server_properties
			  (global server attributes)
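
The limit syntax and namespaces described above, implemented as an added Python example (not code from these release notes or from PortAuthority): it parses constant and attribute-reference limits, resolves them against the five namespaces with the default constant as fallback, and evaluates every StateLimits-*Limit tag of one method instance against current session counts. The attribute names, tag values and session counts are constructed; the fail-closed treatment of an unresolvable limit is this example's choice.

```python
import re

# Added example for these notes (not PortAuthority code). It models the StateLimits limit
# syntax described above: an integer constant or "$<namespace>.<attribute>:<constant>", the
# constant being the fallback used when the attribute is absent. All sample data is constructed.

NAMESPACES = ("request", "response", "check", "client", "server")
_REF = re.compile(r"^\$(?P<ns>[A-Za-z]+)\.(?P<attr>[A-Za-z0-9_-]+)(?::(?P<default>[^:]+))?$")

class LimitSyntaxError(ValueError):
    """A limit value that is neither an integer nor a valid attribute reference."""

def _to_int(text, what):
    try:
        return int(text)
    except ValueError:
        raise LimitSyntaxError(f"{what} must be an integer, got {text!r}") from None

def parse_limit(spec):
    """Return ("const", n) or ("ref", namespace, attribute, default_or_None)."""
    spec = spec.strip().strip('"')  # values in the methods file may be quoted
    if not spec.startswith("$"):
        return ("const", _to_int(spec, "limit"))
    m = _REF.match(spec)
    if not m:
        raise LimitSyntaxError(f"malformed attribute reference: {spec!r}")
    ns = m.group("ns").lower()
    if ns not in NAMESPACES:
        raise LimitSyntaxError(f"unknown namespace {ns!r}; expected one of {NAMESPACES}")
    default = m.group("default")
    return ("ref", ns, m.group("attr"),
            None if default is None else _to_int(default, "default constant"))

def limit_error(spec):
    """Return the syntax error message for spec, or None if it parses cleanly."""
    try:
        parse_limit(spec)
    except LimitSyntaxError as exc:
        return str(exc)
    return None

def resolve_limit(spec, attrs):
    """Resolve spec against attrs = {namespace: {attribute: value}}. Falls back to the
    default when the attribute is missing or not an integer; None if there is no fallback."""
    parsed = parse_limit(spec)
    if parsed[0] == "const":
        return parsed[1]
    _, ns, attr, default = parsed
    raw = attrs.get(ns, {}).get(attr)
    try:
        return default if raw is None else int(raw)
    except (TypeError, ValueError):
        return default

def evaluate_limits(method_tags, attrs, active):
    """Check each StateLimits-*Limit tag of one method instance (tag names matched
    case-insensitively, as method tags now are). active maps a limit kind ("user", "dnis",
    "realm", "group1", ...) to the sessions already counted for it. Returns
    {kind: (limit, count, admit)}; an unresolvable limit gets limit None and admit False."""
    results = {}
    for tag, value in method_tags.items():
        name = tag.lower()
        if name.startswith("statelimits-") and name.endswith("limit"):
            kind = name[len("statelimits-"):-len("limit")]
            limit = resolve_limit(value, attrs)
            count = active.get(kind, 0)
            results[kind] = (limit, count, limit is not None and count < limit)  # fail closed
    return results

# Constructed method instance and request context, not from any real configuration.
SAMPLE_TAGS = {
    "StateLimits-UserLimit": '"$response.Port-Limit:1"',  # per-user limit from return items
    "statelimits-realmlimit": "50",                        # plain constant, lower-case tag
    "StateLimits-Group1Limit": "$client.Max-Group1:20",    # attribute absent -> default 20
}
SAMPLE_ATTRS = {"response": {"Port-Limit": "2"}, "client": {"Client-Type": "nas"}}
SAMPLE_ACTIVE = {"user": 1, "realm": 49, "group1": 20}
```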

USS Property: StateServer_Port

You can now specify the port for the State Server to use in the property file for the USS (uss_properties by default). This setting can be overridden on the command line with the '-port' option. The format for this property is:

StateServer_Port = <PORT>

Where <PORT> is the port number you wish the State Server to use.

USS Property: StateServer_LocalAddress

You can now specify the IP address for the state server to use in the property file for the USS (uss_properties by default). The format for this property is:

StateServer_LocalAddress = <IP ADDRESS>

Where <IP ADDRESS> is the IP address you wish for the state server to use. By default the State Server will bind to all addresses.

USS: Reset Command

You can now reset the StateServer database by issuing the command 'reset' to the State server CLI. This will remove all records from the state server database.

TestClient -nousername option

The TestClient program will now accept a '-nousername' option to allow the creation of RADIUS packets that do not have a User-Name Attribute Value Pair.


Setting PortAuthority to Run on System Startup

Windows NT

Running PortAuthority as a Windows NT Service

You can configure your system to run PortAuthority as a service. The PortAuthority server starts automatically when the system starts up. The following requirements must be met to install PortAuthority as a service under Windows NT:

* PortAuthority is correctly running as an application on the Windows NT host.
* You have a Windows NT account with the ability to add a service.
* You have the files srvany.exe and instsrv.exe from the Windows NT Resource Kit.

Installing the Service

Perform the following steps to install the service:

  1. Copy srvany.exe and instsrv.exe to your system.
  2. From the Windows NT command line, enter the following command:

    C:\instsrv pa C:\ntkitpath\srvany.exe

    Substitute the path where you copied srvany.exe for C:\ntkitpath. You should see something similar to the following:

    C:\WINNT\system32>instsrv pa C:\ntkitpath\srvany.exe
    The service was successfully added!

  3. Select Start -> Settings -> Control Panel -> Services -> pa.
  4. Select the Automatic startup type to cause PortAuthority to start up when the system is booted.
  5. Select a log on method for the service.

    You can select System Account or enter an account name. If the service is logged in as a system account, it has no access to network file systems. If the service is logged in as a system account and you want the PortAuthority window to display, you must select Allow Service to Interact with Desktop. If the service is logged in as a nonsystem account, it has access to the network and files as that user.

  6. Click OK, and then click Close.

    Do not start the service at this time.

  7. Run the Registry Editor from the Windows NT 4.0 command line:

    C:\>REGEDIT.EXE

  8. In the Registry Editor, select the key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pa.
  9. Select Edit -> New -> Key to create a new key, Parameters.
  10. Select the Parameters key, then select Edit -> New -> String Value to create a new value, Application.
  11. Double-click the value to open the Edit String dialog box.
  12. Enter the path for the PortAuthority startup batch file in the Value data field:

    C:\Lucent\rabm\bin\pa.bat

    This value enables you to stop the service from the Control Panel, but not the PortAuthority processes. To stop PortAuthority you must enter CTRL-C from the command prompt window.

  13. Click OK to close the dialog box.
  14. Select Edit -> New -> Key to create a new key, Parameters.
  15. Select the Parameters key, then select Edit -> New -> String Value to create a new value, AppParameters.
  16. Double-click the value to open the Edit String dialog box.
  17. Enter start in the Value data field (without quotes). Optionally, enter debug instead to start in DEBUG mode.

Solaris

To start PortAuthority on Solaris at system startup you will need to add it to the system rc2.d files. Please see your system administrator for more information. A sample script is included below.

S93radius:

#!/bin/sh
# Sample rc script: start or stop PortAuthority (and the USS, if it is used) at boot.
case "$1" in
'start')
       if [ -f /export/home/pa/bin/pa ]; then
            /export/home/pa/bin/pa start
            # Also if using USS
            /export/home/pa/bin/pa uss
       fi
       ;;

'stop')
       if [ -f /export/home/pa/bin/pa ]; then
            /export/home/pa/bin/pa stop
            # Also if using USS
            /export/home/pa/bin/pa stopuss
       fi
       ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac


Limitations of PortAuthority

Differences between Lucent RADIUS 1.16 and PortAuthority 2.1

PortAuthority does not support the following Lucent RADIUS 1.16 features:

Menus
Expiration

Differences between Lucent RADIUS 2.0.1 and PortAuthority 2.1

PortAuthority does not support the following Lucent RADIUS 2.0.1 features:

Expiration
Menu
Termination-Menu
Prefix
Connect-Rate

PortAuthority does support the following Lucent RADIUS 2.0.1 features, but in a different manner:

Crypt-Password
Group
Suffix
Multiple DEFAULT entries (see Known Issues)

Supported Characters in User-Name

Currently the FilePass plug-in only supports the following characters for use in the User-Name:

0 to z
-
/
.
_
*
!

Use of Auth "helper" Plug-ins in Failure Chains

When using "helper" plug-ins (plug-ins that do something other than user verification, such as Message) in the auth chain, care must be taken when they are used in a failure chain: if the helper plug-in succeeds, the request will receive an Access-Accept in response. For example, if an instance of the StateLimits plug-in goes On-Fail to the Message plug-in to log a message and the chain then stops, the user will be authorized, since the last plug-in returned a success (the message was logged), unless other verification (check) items fail. To prevent this condition, make the last plug-in in a failure chain an instance of RejectAll.
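
The failure-chain behaviour described above, modelled as an added Python example (not code from these release notes or from PortAuthority) so that the fail-open configuration and its RejectAll fix can be compared side by side, together with a lint that flags failure chains ending in a helper plug-in. The chain semantics (Method-Next followed on success, Method-On-Fail on failure, the last plug-in's result deciding Accept or Reject), the instance names and the outcome table are assumptions of this example.

```python
# Added example for these notes (not PortAuthority code). It models the failure-chain
# behaviour described above so the fail-open case can be seen and linted for. Assumed
# here: an instance continues to its Method-Next tag on success and to Method-On-Fail on
# failure, the chain ends when that tag is absent, and the Accept/Reject decision is the
# result of the last plug-in that ran (remaining check items are not modelled).
# Instance names, the outcome table and both sample chains are constructed.

HELPER_PLUGINS = {"Message"}  # plug-ins that do something other than verify the user
# What each plug-in type returns for the request being simulated; RejectAll always fails.
OUTCOMES = {"StateLimits": False, "Message": True, "RejectAll": False}

def _tags(instance):
    """Lower-case the tag names: method tags are now case insensitive per these notes."""
    return {k.lower(): v for k, v in instance.items()}

def run_chain(methods, start, outcomes):
    """Walk the chain from instance 'start'; return (decision, trail)."""
    trail, current, last_ok, seen = [], start, False, set()
    while current:
        if current in seen:
            raise ValueError(f"method chain loops at {current!r}")
        seen.add(current)
        tags = _tags(methods[current])
        ok = outcomes[tags["method-type"]]
        trail.append((current, tags["method-type"], ok))
        last_ok = ok
        current = tags.get("method-next") if ok else tags.get("method-on-fail")
    return ("Access-Accept" if last_ok else "Access-Reject"), trail

def audit_failure_chains(methods):
    """Report every Method-On-Fail chain whose final instance is a helper plug-in: a
    request reaching it is accepted, so the chain should end in a RejectAll instance."""
    findings = []
    for name, instance in methods.items():
        current, seen = _tags(instance).get("method-on-fail"), set()
        while current and current not in seen:
            seen.add(current)
            tags = _tags(methods[current])
            if tags.get("method-next"):          # follow the helper's success path
                current = tags["method-next"]
                continue
            if tags["method-type"] in HELPER_PLUGINS:
                findings.append(f"{name}: failure chain ends at helper {current!r}; "
                                "add a RejectAll instance after it")
            break
    return findings

# Constructed method definitions: the first mirrors the note's example, the second the fix.
UNSAFE_METHODS = {
    "limits": {"Method-Type": "StateLimits", "Method-On-Fail": "log-denial"},
    "log-denial": {"Method-Type": "Message"},
}
SAFE_METHODS = {
    "limits": {"Method-Type": "StateLimits", "Method-On-Fail": "log-denial"},
    "log-denial": {"Method-Type": "Message", "Method-Next": "deny"},
    "deny": {"Method-Type": "RejectAll"},
}
```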

USS and Proxy plug-in use

Currently both the USS plug-in and the Proxy plug-in should be last in the authentication chain. This makes them incompatible for use with each other: Proxy does not currently support a Method-Next option, and if the USS is before Proxy, the USS will record the user as authenticated even if the Proxy instance rejects the user.

USS: Clearing connections

Currently, to clear a connection from the USS, a new authentication request or a stop record must be inserted for the same port. This can be done by a new record from the NAS or manually through the CLI.

USS: NAS boot and Accounting on and off records

Currently the USS does not process NAS boot records or accounting on and off requests to adjust state information.


Known Issues

Accounting Directory for classic plug-in

Currently the accounting directory is created relative to the directory that the pa startup script is run from.

CallCheck: Does not follow On-Fail if no DNIS

The CallCheck plug-in will not currently follow Method-On-Fail if the Called-Station-Id attribute is not present, and the value of Calling-Station-Id (or the value "No-Call-Id") will remain in the User-Name attribute value pair.

Classic: Accounting dir must be absolute or relative

When specifying the directory for accounting files, it must be specified as an absolute path or a path relative to the current directory when the server is started.

Client DNS Resolution

If a client is listed in the clients file in one format (FQN or host name) but the resolver returns the client name in a different format, you may receive an unknown host error message even though the host is listed. This happens, for example, if an FQN is used in the clients file but a hosts file entry causes the resolver to return only the host name for the client.

DenyUser: Reports "User Not Found" When User is Found in Deny List

DenyUser will log "User Not Found" when the user is found in the deny list.

DenyUser: Incorrectly reports using "Forbidden" when PassThrough is true

When DenyUser-PassThruMode is set to true and the server is run in debug mode, the plug-in will incorrectly report that it will return Forbidden. The plug-in performs as documented.

FilePass: Excessive Payloads may cause invalid packets to be generated

If an Attribute Value Pair in a FilePass instance has a payload that exceeds the RFC-allowed length, an invalid response packet may be generated.

FilePass: FilePass-ShadowFile Property and -files option

The FilePass-ShadowFile property currently requires an absolute path; the file is not made relative to the -files option on startup.

FilePass: Invalid DEFAULT Entries not Validated on Startup

If you create a DEFAULT entry that does not have Auth-Type=System or Password="UNIX" it is not reported on init but is caught if a reload is issued in the telnet interface. *NOTE* Any users that match this entry will be authenticated regardless of Password.

FilePass: Invalid IP Addresses may generate invalid packets

Entering an invalid value for an Attribute Value Pair of type IP Address may cause an invalid response packet to be generated.

FilePass: Large User Entries

User entries over 1096 bytes may cause the server to hang on startup or when a reload command is issued for the user file.

JRE must be in path

Currently the JRE used to run PortAuthority must be in the path; it cannot be called by an absolute reference.

Method and/or Plugin name not always reported on error messages

In some cases if a file a plug-in needs does not exist only the file name is logged and not the plug-in or instance name of the plug-in that is reporting the error.

Method Select file must have a new line to function

The last line in the method_select file must have a new line character on the end to function properly.

Method Select file must have null realm before * realm

The * realm will match a null entry as well as any undefined realm. Therefore the null realm must come before the * realm.

Multiple DEFAULT Entries

Currently only one DEFAULT entry is allowed per instance of the FilePass plug-in. However, you may have additional DEFAULT.{Suffix} entries, and you may chain multiple FilePass instances together, each with its own DEFAULT entry.

Proxy: Access-Challenge Packets not Proxied

Proxy is currently rejecting Access-Challenge packets.

Proxy-State Support in Auth Requests

PortAuthority will not return the Proxy-State attribute if it is the final remote server in a proxy auth chain. This will cause problems on any server in the chain that requires Proxy-State.

References to master.cfg

Any references to master.cfg should be referred to server_properties.

Uninstall: QuickStart Files not removed

If the uninstall option is used and the QuickStart option was selected on installation then not all files may be uninstalled and require manual removal.

USS: Accounting Records with no Authentication Request

The USS will not currently list a session as active if only an accounting record is received with no authentication request first.

USS: Extreme number of counter keys

If items that are used as counters (DNIS, Group Names, Labels), which are normally fixed in size and values, are set to attributes that normally contain non-repeating data (for example, a Group Name set to Calling-Station-Id), the JVM may abort the StateServer.

USS: Interaction with Verification Items

If a user record contains verification items, the USS may log the user as authenticated even though the user is actually rejected. This is because verification items other than Password are checked after all method instances in the authentication chain have been invoked.

USS: Missing Required Attribute Causes null pointer

If a required attribute is missing from an Accounting packet a null pointer error is generated. This will only happen if the RADIUS client does not conform to the RFC standards.

USS: Out of sequence Start and Stop Accounting Records

The USS will not correctly update the status of a session if the Start and Stop accounting records are received out of order or interleaved with another session.

USS: reset Command Causes Socket I/O Error

Entering the reset command in the USS command line interface will cause all StateLimits instances to get a socket I/O error on the next packet processed by the instances. The StateLimits plug-ins will reconnect on the next packet processed.


Installation Instructions

Getting the Software

An evaluation copy can be downloaded from:

http://www.livingston.com/marketing/products/port-authority.html

Installing the Software

To install the software, run setup.bat or setup.sh depending on your platform. You must have your JRE/JDK working before installing PortAuthority.


Copyright and Trademarks

(c) 1999 Lucent Technologies. All rights reserved. PortMaster, ComOS, and ChoiceNet are registered trademarks of Lucent Technologies Inc. RADIUS ABM, PMVision, IRX, and PortAuthority are trademarks of Lucent Technologies Inc. PolicyFlow is a service mark of Lucent Technologies Inc. All other marks are the property of their respective owners.

Notices

Lucent Technologies, Inc. makes no representations or warranties with respect to the contents or use of this publication, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Lucent Technologies, Inc. reserves the right to revise this publication and to make changes to its content, any time, without obligation to notify any person or entity of such revisions or changes.

Contacting Lucent Remote Access Technical Support

Lucent Technologies Remote Access Business Unit (previously Livingston Enterprises) provides technical support via voice, fax, electronic mail, or through the World Wide Web at http://www.livingston.com/. Please specify the PortAuthority version and build, JRE or JDK version, and operating system, when reporting problems with this release.

Internet service providers (ISPs) and other end users in Europe, the Middle East, Africa, India, and Pakistan should contact their authorized Lucent Remote Access sales channel partner for technical support; see http://www.livingston.com/International/EMEA/distributors.html.

For North and South America and Asia Pacific customers, technical support is available Monday through Friday from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966 within the United States (including Alaska and Hawaii), Canada, and the Caribbean, or 1-925-737-2100 from elsewhere, for voice support. Otherwise, fax to 1-925-737-2110, or send email to rabm-support@ra.lucent.com (asia-support@ra.lucent.com for Asia Pacific customers).