Lucent RADIUS SERVER 2.0.1 Release Note

(May 27, 1997)


Introduction

This Release Note describes the features and bug fixes in the Lucent RADIUS server release 2.0.1.

Lucent RADIUS server 2.0.1 is now available in binary form for BSD/OS 2.0, SGI IRIX 5.2, IRIX 6.3, Linux 1.2.13 (ELF), Linux 2.0.30, IBM RS6000 AIX 4.1.4, Digital Alpha OSF/1 T3.0, HP/UX 10.01, SunOS 4.1.4, Solaris 2.5.1, and Solaris x86 2.5.1.

Source code for RADIUS 2.0.1 will be released to Lucent customers in June.

Before upgrading, read the WARNING below that usernames with spaces are now rejected, instead of treated as if the spaces were not present.

This release supports both Linux 1.2 and 2.0, and IRIX 5.2 and 6.3. The next release after this one, RADIUS 2.1, will be the last release in binary form for Linux 1.2.13 and SGI IRIX 5.2, although source will still compile on those platforms. Future binary releases after RADIUS 2.1 will run on Linux 2.0 and IRIX 6.3.

Refer to the RADIUS Administrator's Guide for more details of Lucent RADIUS server features. PostScript and PDF formats are available at ftp://ftp.livingston.com/pub/le/doc/manuals/.

Report any problems to Lucent InterNetworking Systems Technical Support; contact information is at the bottom of this message.

RADIUS 2.0.1 FEATURES

RADIUS 2.0.1 includes the following features:

  1. User-names with spaces in them are now rejected, instead of being truncated at the space and then compared. The problem with just truncating is that the accounting records would include the space in the username, so unless accounting scripts were carefully written, the users "fred", "fred ", and "fred baker" were all treated differently. In RADIUS 2.0, all three of those would be authenticated as "fred". In RADIUS 2.0.1 the first will be authenticated as "fred" and the second and third will be rejected.

    WARNING!  If you depended on the previous behavior of truncating usernames at the first space, do not upgrade to this release. Wait for the source release so you can modify the code.

  2. When used with ComOS 3.5 or later, the Password in the RADIUS user profile can be up to 48 characters long.

  3. Passwords in the users file can now be encrypted using the Crypt-Password check item. This feature can be used with scripted logins or PAP, but not with CHAP. The format of the Crypt-Password string is the same as in the UNIX password file. Here is an example:
        user    Crypt-Password = "ijFYNcSNctBY"
                Service-Type = Framed-User,
                Framed-Protocol = PPP


    This is equivalent to the following entry, except that CHAP cannot be used with Crypt-Password.

        user    Password = "abcdefgh"
                Service-Type = Framed-User,
                Framed-Protocol = PPP


  4. Auth-Type = Reject can now be used to automatically fail authentication. The following user will always fail authentication:
        user    Auth-Type = Reject
                Service-Type = PPP,
                etc.


  5. The Group check-item is supported in RADIUS 2.0.1. When Group is specified as a check-item in the user profile, only users within that UNIX group can be authenticated.

    • The Group attribute is a string specifying the name of the group.

          Example of user profile with one Group:

          username Auth-Type = System, Group = "eng"
                   Service-Type = Framed-User,
                   Framed-Protocol = PPP,
                   Framed-IP-Address = 255.255.255.254,
                   Framed-Routing = None,
                   Framed-Compression = Van-Jacobson-TCP-IP,
                   Framed-MTU = 1500


  6. The Connect-Rate check-item is supported in RADIUS 2.0.1.

    • If Connect-Rate is specified as a check-item, that user will fail authentication if he attempts to connect to a PortMaster 3 at a faster downstream connect speed than the one given. The use of this check-item requires the PortMaster to send Connect-Info in the Access-Request, so it requires a PortMaster 3 running ComOS 3.5.1 or later. If Connect-Info is not present in the Access-Request packet, the Connect-Rate check-item is ignored. The following example would allow a user to connect at 28800 bps but not at 33600 or 56000.

          user    Auth-Type = System, Connect-Rate = 28800
                  Service-Type = Framed-User,
                  Framed-Protocol = PPP


  7. Support For Administrative Logins

    • When used with ComOS 3.5 or later, RADIUS 2.0.1 can authenticate administrative logins with two classes of users:

    • Administrative users with full configuration ability (everything that !root can do)

    • Read-only administrative users who cannot change the configuration, but can reset ports, reboot, set debug flags, and show status.

    • With this feature, rather than requiring everyone in a Network Operations Center (NOC) to know the global administrative passwords on all the PortMasters, an individual account to track access and limit configuration changes to appropriate personnel can be created.

    • In ComOS 3.5 and later, if a RADIUS Access-Accept returns a Service-Type of Administrative-User (6), the PortMaster treats it as a !root login. If a RADIUS Access-Accept returns a Service-Type of NAS-Prompt-User, a restricted administrative login is granted that has permission to use the following commands:

      • ifconfig
      • ping
      • ptrace
      • reboot
      • reset
      • set console
      • set debug
      • show
      • traceroute
      • Any other commands that do not affect the configuration

    • A NAS-Prompt-User does not have access to the following commands: add, delete, erase, save, tftp, or any set commands other than "set debug" and "set console".

    • Following are examples of NAS-Prompt-User and Administrative-User in the users file:

      !pmmon       Password = "dontuseth1s"
                   Service-Type = NAS-Prompt-User

      !pmconfig    Auth-Type = System, Prefix = "!"
                   Service-Type = Administrative-User


      Caution - If you are using your RADIUS server with a combination of Lucent products and other vendors' products, confirm one of the following:

    • The other vendors' products do not use these two Service-Types, or

    • The other vendors' implementation of these two Service-Types is compatible with Lucent's implementation.

  8. builddbm now prints the number of users file entries and identifies the line number of any duplicate entries it finds, instead of quitting when it finds duplicates.
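  The check items described in features 1 through 6 above (space-containing usernames, Password, Crypt-Password, Auth-Type = Reject, Group, and Connect-Rate), worked through in an added example. This is not Lucent's radiusd code: the users-file parsing and the order in which the check items are applied are reconstructed from the examples in this note, and the UNIX group table, the system password lookup, and the Connect-Info format (leading token taken as the downstream rate) are constructed assumptions.

```python
"""Check-item evaluator for the users-file entries shown in features 1 to 6.
Added example, not Lucent's radiusd: the parsing and the decision order are
reconstructed from the release note's examples; the group file, the system
password check and the Connect-Info format are constructed stand-ins."""
import hmac
import warnings
from dataclasses import dataclass, field

# Constructed users file in the release note's format: a username and its
# check items on one line, then indented reply items on the following lines.
USERS_FILE = '''\
fred\tPassword = "abcdefgh"
\t\tService-Type = Framed-User,
\t\tFramed-Protocol = PPP
bob\tCrypt-Password = "ijFYNcSNctBY"
\t\tService-Type = Framed-User,
\t\tFramed-Protocol = PPP
nobody\tAuth-Type = Reject
\t\tService-Type = Framed-User
alice\tAuth-Type = System, Group = "eng", Connect-Rate = 28800
\t\tService-Type = Framed-User,
\t\tFramed-Protocol = PPP
dave\tAuth-Type = System, Group = "eng"
\t\tService-Type = Framed-User
'''

# Assumed stand-ins for /etc/group and for the system (Auth-Type = System) check.
UNIX_GROUPS = {"eng": {"alice", "bob"}, "ops": {"carol"}}
SYSTEM_PASSWORDS = {"alice": "s3cret", "dave": "hunter2"}


@dataclass
class Profile:
    name: str
    check: dict = field(default_factory=dict)
    reply: dict = field(default_factory=dict)


def _parse_items(text):
    """Turn 'A = 1, B = "x"' into {'A': '1', 'B': 'x'} (quotes stripped)."""
    items = {}
    for part in text.split(","):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            items[key.strip()] = value.strip().strip('"')
    return items


def parse_users(text):
    """Parse the users file; an unindented line starts a new profile."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("reply item before any user line")
            current.reply.update(_parse_items(line))
        else:
            parts = line.split(None, 1)
            current = Profile(parts[0], _parse_items(parts[1] if len(parts) > 1 else ""))
            profiles[current.name] = current
    return profiles


def crypt_matches(candidate, stored):
    """Crypt-Password is in UNIX password-file format, so the first two
    characters are the salt. Python's crypt module (removed in 3.13) wraps the
    platform crypt(3); when it is unavailable the check fails closed."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return False
    result = crypt.crypt(candidate, stored[:2])
    return result is not None and hmac.compare_digest(result, stored)


def authenticate(profiles, username, password, connect_info=None):
    """Return (True, reply_items) on accept or (False, reason) on reject."""
    # 2.0.1 behaviour: a space anywhere in the username is a rejection, not a
    # truncation point, so accounting and authentication see the same name.
    if " " in username:
        return False, "username contains a space"
    profile = profiles.get(username)
    if profile is None:
        return False, "no such user"
    check = profile.check
    if check.get("Auth-Type") == "Reject":
        return False, "Auth-Type = Reject"
    if "Group" in check and username not in UNIX_GROUPS.get(check["Group"], ()):
        return False, "not a member of group " + check["Group"]
    # Connect-Rate is enforced only when the NAS sent Connect-Info; treating
    # its leading token as the downstream rate in bps is an assumption.
    if "Connect-Rate" in check and connect_info is not None:
        if int(connect_info.split()[0]) > int(check["Connect-Rate"]):
            return False, "connect rate above Connect-Rate"
    if "Crypt-Password" in check:
        ok = crypt_matches(password, check["Crypt-Password"])
    elif "Password" in check:
        ok = hmac.compare_digest(password.encode(), check["Password"].encode())
    elif check.get("Auth-Type") == "System":
        expected = SYSTEM_PASSWORDS.get(username, "")
        ok = hmac.compare_digest(password.encode(), expected.encode())
    else:
        ok = False
    if not ok:
        return False, "password check failed"
    return True, dict(profile.reply)


if __name__ == "__main__":
    profiles = parse_users(USERS_FILE)
    for user, pw, ci in [("fred", "abcdefgh", None), ("fred baker", "abcdefgh", None),
                         ("alice", "s3cret", "33600 LAPM/V42BIS")]:
        print(user, authenticate(profiles, user, pw, ci))
```

  The username test runs before any lookup, which is the point of feature 1: "fred " and "fred baker" never reach the password check, so no accounting record can be written under a name that differs from the one authenticated. The Connect-Rate branch is skipped entirely when Connect-Info is absent, matching the note's statement that the check item is then ignored.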

RADIUS 2.0.1 BUG FIXES

  • Radiusd on Linux 1.2, Linux 2.0, and BSD/OS 2.0 would exit on signal 100 when the accounting server died in find_client(). This has been fixed.

  • Unknown RADIUS packet types would cause the server to dump core. It now prints an error message and ignores the packet.

  • Some non-Lucent RADIUS clients incorrectly pad RADIUS requests with garbage data at the end of the packet. The server now ignores such padding.

  • Exiting from menus with Menu="EXIT" used to print Invalid Login and present another login prompt. It now hangs up the line, as it should.

  • There was a rare condition when spawning and reaping child processes that could cause excess "Dropping duplicate ID" messages on some machines. This has been fixed.

  • In 2.0, changes to the clients file were not reflected in the client cache until the second access-request packet came in. In 2.0.1, the cache will be updated as soon as the next access-request comes in.

  • The SecurID support in 2.0.1 now calls sd_close() properly.
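  The two packet-handling fixes above (unknown packet types no longer crash the server; trailing garbage after the packet is ignored) as an added example, not Lucent's radiusd code. The wire layout follows RFC 2138 (Code, Identifier, Length, Authenticator, then Type/Length/Value attributes); the sample packets are constructed here.

```python
"""RADIUS packet parsing with the two robustness rules from the bug-fix list:
an unknown packet type is reported and the packet dropped, and bytes beyond
the header's Length field are ignored as padding. Added example, not Lucent's
radiusd; layout per RFC 2138."""
import struct

HEADER = struct.Struct("!BBH16s")          # Code, Identifier, Length, Authenticator
MIN_LEN, MAX_LEN = 20, 4096                # packet length limits from RFC 2138
KNOWN_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response",
               11: "Access-Challenge"}
USER_NAME, NAS_IP_ADDRESS = 1, 4           # attribute types used in the sample


class PacketError(ValueError):
    """Anything the server should log and ignore, never crash on."""


def build_packet(code, ident, authenticator, attrs):
    """Serialise a packet (used here only to construct the sample input)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body


def parse_packet(data):
    """Return (type name, identifier, authenticator, attrs, padding_bytes)."""
    if len(data) < HEADER.size:
        raise PacketError("packet shorter than RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(data)
    if code not in KNOWN_CODES:
        raise PacketError(f"unknown RADIUS packet type {code}")
    if length < MIN_LEN or length > MAX_LEN or length > len(data):
        raise PacketError(f"bad Length field {length} for {len(data)} bytes")
    # Anything after Length is padding from a sloppy client: count it, skip it.
    padding = len(data) - length
    attrs, pos = [], HEADER.size
    while pos < length:
        if length - pos < 2:
            raise PacketError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:      # alen < 2 would never advance
            raise PacketError(f"bad attribute length {alen} for type {atype}")
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return KNOWN_CODES[code], ident, authenticator, attrs, padding


def handle(data, log=print):
    """Server-side dispatch: parse, or log and drop the packet without dying."""
    try:
        return parse_packet(data)
    except PacketError as err:
        log(f"ignoring packet: {err}")
        return None


# Constructed samples: a valid Access-Request, the same with 5 bytes of
# garbage appended, one with an unknown Code, and one with a zero-length attribute.
SAMPLE_AUTH = bytes(range(16))
SAMPLE_REQUEST = build_packet(1, 7, SAMPLE_AUTH,
                              [(USER_NAME, b"fred"),
                               (NAS_IP_ADDRESS, bytes([192, 168, 1, 1]))])
SAMPLE_PADDED = SAMPLE_REQUEST + b"\x00\xff\x00\xff\x00"
SAMPLE_UNKNOWN = bytes([250]) + SAMPLE_REQUEST[1:]
SAMPLE_ZERO_LEN_ATTR = HEADER.pack(1, 7, 22, SAMPLE_AUTH) + bytes([USER_NAME, 0])

if __name__ == "__main__":
    for sample in (SAMPLE_REQUEST, SAMPLE_PADDED, SAMPLE_UNKNOWN, SAMPLE_ZERO_LEN_ATTR):
        print(handle(sample))
```

  The attribute loop bounds itself by the header's Length field rather than by the buffer size, which is what makes the trailing padding harmless; the `alen < 2` check is the companion guard, since an attribute claiming length 0 or 1 would otherwise stall the loop at the same offset.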

RADIUS 2.0.1 INSTALLATION

FTP the RADIUS distribution for your platform from ftp://ftp.livingston.com/pub/le/software and then follow the installation instructions in the RADIUS Administrator's Guide. Use caution when updating to avoid overwriting your existing users or clients files!

  • The following example shows the commands to update an existing RADIUS 2.0 server on SunOS 4.1.4.

        mkdir /var/tmp/rad201
        cd /var/tmp/rad201
        ftp ftp.livingston.com
        (enter anonymous)
        (enter your e-mail address; it will not echo)
        binary
        cd /pub/le/software/sun4
        get radius_2.0.1_sun4.tar.Z rad.tar.Z
        quit
        uncompress rad.tar.Z
        tar xvf rad.tar
        rm rad.tar
        mv /etc/radiusd /etc/radiusd.old
        mv /etc/raddb/dictionary /etc/raddb/dictionary.old
        mv sun4_4.1/radiusd /etc/radiusd
        mv radius/raddb/dictionary /etc/raddb/dictionary
        (kill the existing radiusd)
        /etc/radiusd


  • If you are using the DBM version of radiusd (recommended), after killing the existing radiusd, instead of running /etc/radiusd use these three commands:

        cd /etc/raddb
        /etc/raddb/builddbm
        /etc/radiusd -b


  • If you have any problems, report them to Lucent InterNetworking Systems Technical Support, and be sure to mention that you're running radiusd version 2.0.1.

    File (under ftp://ftp.livingston.com/pub/le/software/)   Platform
    alpha/radius_2.0.1_alpha_T3.0.tar.Z                       Digital Alpha OSF/1 T3.0
    bsdi/radius_2.0.1_BSDOS_2.0.tar.Z                         BSD/OS 2.0
    hp/radius_2.0.1_hp9000_10.01.tar.Z                        HP/UX 10.01
    linux/radius_2.0.1_Linux_1.2.tar.Z                        Linux 1.2.13 (ELF)
    linux/radius_2.0.1_Linux_2.0.tar.Z                        Linux 2.0.30 (ELF) (new)
    rs6000/radius_2.0.1_RS6000_4.1.tar.Z                      AIX 4.1
    sgi/radius_2.0.1_IRIX_5.2.tar.Z                           IRIX 5.2
    sgi/radius_2.0.1_IRIX_6.3.tar.Z                           IRIX 6.3 (new)
    sun4/radius_2.0.1_sun4_4.1.tar.Z                          SunOS 4.1.4
    sun4/radius_2.0.1_sun4_5.5.tar.Z                          Solaris 2.5.1
    sun86/radius_2.0.1_sun86_5.5.tar.Z                        Solaris x86 2.5.1



Copyright and Trademarks

Copyright 1996 Lucent Technologies, Inc. All rights reserved.

The Livingston logo and the names Livingston, PortMaster, ComOS, RADIUS, ChoiceNet, PMconsole, IRX, True Digital, and RAMP are trademarks of Lucent Technologies, Inc. ProVision is a service mark of Lucent Technologies, Inc. All other marks are the property of their respective owners.

Notices:

Lucent Technologies, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Lucent Technologies, Inc. reserves the right to revise this publication and to make changes to its content, any time, without obligation to notify any person or entity of such revisions or changes.

Contacting Lucent InterNetworking Systems Technical Support

Lucent Technologies provides technical support via voice, FAX, and electronic mail. Technical support is available Monday through Friday 6am-5pm Pacific Time (GMT-8).

To contact Lucent InterNetworking Systems Technical Support by voice, dial 1-800-458-9966 within the US or 1-510-737-2100 outside the US; by FAX, dial 1-510-737-2110; by electronic mail, send mail to support@livingston.com; and through the World Wide Web at http://www.livingston.com/.