ComOS 3.3.2 Release Note

Introduction

The new Lucent Technologies ComOS™ 3.3.2 software release is now available for the PortMaster® 2, 2E, 2ER, 2R and 25. This release is provided at no charge to all Lucent customers. This document describes the features of the ComOS 3.3.2 software release and how to upgrade your PortMaster. Upgrade instructions are included at the end of this release note.

WARNING! YOU MUST USE PMINSTALL VERSION 3.3.1 OR LATER TO PERFORM THIS UPGRADE! If you are upgrading using PMconsole for Windows, you must use PMconsole for Windows version 1.1 or later. See "Upgrade Instructions" for more information.

If you have any port speeds set to 115200, upgrade to ComOS release 3.3.2, and later downgrade to any earlier release, you must set those port speeds again after downgrading.
New Features in ComOS 3.3.2

ComOS 3.3.2 includes the following new features:
Support for International ISDN

Support for International ISDN using the MOD-10I-ST expansion board has been added. This is the ISDN 5 BRI expansion card for use in Europe, Japan, and other countries using international ISDN standards. See "MOD-10I-ST LED Behavior" for LED behavior. The new switch type settings for "set isdn-switch" are listed in the following table.

    set isdn-switch    Used for
    _______________    _____________________________________________
    net3               EuroISDN standard (includes Swiss extensions)
    vn2                France, older switch type
    vn3                France, older switch type
    vn4                France, current national switch type
    1tr6               Germany, older switch type
    ntt                Japan
    kdd                Japan

A change in switch type does not take effect until the PortMaster is rebooted.

Command to show flash file system

The "show files" command has been added to display how much of the 128 KB flash configuration file system is in use. The output also lists the file names. The files are:

    File        Contents
    _________   _____________________________________________________
    confdata    Extensions to port configurations, ether1, RADIUS
    config      Global configuration and standard port configurations
    passwd      User Table
    hosttab     Host Table
    routes      Static Routes
    location    Location Table, except for chat scripts
    script      Chat Scripts for the Location Table
    snmp        SNMP
    filters     IP filters
    listnames   ChoiceNet list IDs contained in filters
    ipxfilt     IPX filters
    sapfilt     SAP filters
    netmasks    Static Netmask Table
    modem       Modem Table

Session Termination Cause logging in RADIUS Accounting

RADIUS accounting now reports the reason for session termination. In addition, the new "set debug termination on" command displays more detailed port termination messages on the system console as well as sending them to syslog. See "RADIUS Accounting Terminate Cause" for more information on termination causes and how to edit the RADIUS dictionary file to take advantage of them. (Also available in 3.3.1c1.)

RADIUS Outbound-User support

The PortMaster now supports the RADIUS Outbound-User service type.
In addition, the PortMaster logs outbound user activity to RADIUS accounting. See "RADIUS for Outbound Users" for information on using this feature.

IMPORTANT NOTE: If you are currently using outbound Telnet security with RADIUS, you must change those entries in your RADIUS users file to use Service-Type = Outbound-User when you upgrade to ComOS release 3.3.2. After the upgrade the PortMaster accepts outbound users only from an Access-Accept that carries Service-Type = Outbound-User, so entries left in the old form stop working.

TCP port number for Login Users in RADIUS Accounting

The Telnet and Netdata TCP port number is now identified in RADIUS accounting. Previously, Login Users sent to a host with Telnet were identified only as using the Telnet service, even if RADIUS directed them to a TCP port other than 23. In ComOS release 3.3.2, if the user is sent to a port other than 23, RADIUS accounting reports the TCP port number. This is useful for determining whether the user was sent to a special service on the identified host. Accounting records for Login Users using the Netdata (TCP-Clear) login service now always include the TCP port number.

Maximum Receive Unit increased to 1520 bytes

LCP now allows the remote end to request (via a NAK) a Maximum Receive Unit of up to 1520 bytes instead of the previous limit of 1500. This accommodates some Multilink PPP implementations that use an MRU larger than 1500 bytes.

PAP and CHAP for Dialback PPP users

PAP and CHAP authentication support has been added for Dialback PPP users.

Easier configuration of CHAP for dial-out Locations

The new command "set location Location_Name chap [on|off]" makes outbound CHAP authentication easier to configure. When "chap on" is set for a location, the PortMaster requires that it be authenticated using CHAP on an outbound dial to that location. The username and password entered in the Location Table are used as the "system identifier" and "MD5 secret" in the CHAP authentication.
Using this feature eliminates the need to use the sysname and User Table configurations for CHAP, unless the device being dialed also sometimes dials into the PortMaster. The default setting is "chap off".

ChoiceNet without RADIUS

ChoiceNet can now be used without RADIUS, using the commands "set choicenet Ipaddress" and "set choicenet-secret String".

Set All command made easier

The "set all" command no longer affects the W1 port, the P0 parallel port, or the new C0 console port (PM-2I and PM-2E-10I only). It now affects only ports S0-S29. The command "set all network dialin" is now supported.

Debug off command

The command "set debug off" has been added. It clears all debug settings currently active in the PortMaster.

Bug Fixes in ComOS 3.3.2

The following bugs have been fixed in ComOS 3.3.2.

PM-2ER WAN port lockup fixed

The W1 lockup problem on the PM-2ER has been fixed. Previously, anywhere from every few days to every few weeks, the W1 port on the PM-2ER would stop transmitting packets and would recover only after some amount of time or after a port reset. (Also available in 3.3.1c1.)

MOD-10I-U port S14-15 lockup fixed

In some cases, one of the middle BRI ports (S14-15 or S24-25) on the MOD-10I-U ISDN expansion card would stop functioning and require a reboot of the PortMaster to re-enable it. This has been fixed.

Zero Length Filters are now ignored

Zero-length filters applied to Ethernet interfaces are now treated as permit filters. That is, a filter with no rules at all now permits everything through. If a filter has one or more rules, anything not explicitly permitted by a rule is denied at the end of the filter. Keep this in mind when reviewing your configuration: an empty filter attached to an Ethernet interface blocks nothing, so a filter intended to restrict traffic must contain at least one rule.

Ports using ChoiceNet can be reset safely

Previously, resetting or disconnecting a port that was waiting for ChoiceNet to upload a dynamic packet filter would cause the PortMaster to reboot. This has been fixed; such ports can now be reset without causing a problem.
State Attribute cleared properly

Previously, the RADIUS State attribute could be inadvertently retained between login sessions, displaying the wrong RADIUS menu when users logged on. This has been fixed. (RADIUS menus are supported in the RADIUS 2.0 server, to be released later.)

Too-long Filter-Id Attributes now truncate

Previously, a RADIUS Filter-Id attribute longer than 12 characters for PPP users would cause the PortMaster to reboot. This has been fixed. A Filter-Id longer than 12 characters is now truncated to 12 characters before ".in" and ".out" are appended to form the filter names. Because of this truncation, keep Filter-Id values to 12 characters or fewer and make sure no two Filter-Ids share the same first 12 characters; otherwise the filter applied to a session may not be the one you intended.

Host Prompt now works over ISDN

Previously, an ISDN port set for host prompt would not echo characters back to the user. This has been fixed.

Location username now deletes properly

Previously, adding a username to a location, deleting the location, and adding the location again would bring back the username entry. The username is now properly deleted when the location is deleted.

Extraneous console message removed

If a user dialed in and negotiated IPX while the console was set, the console received a burst of "e_getpacket: no packet available" messages at the end of negotiation. These were harmless and have been removed.

Commands fixed

The usage statement for ptrace has been fixed. Previously, only the command "save host" would save the PortMaster Host Table; the plural form "save hosts" is now supported as well.

MOD-10I-ST LED Behavior

When you first turn power on, each BRI status LED on the MOD-10I-ST expansion card blinks twice a second for up to ten seconds while the board performs a self-test. If the BRI synchronizes with the attached NT1 and switch, the LED turns solid. If it fails to synchronize, the LED stays off, except that if a Directory Number is set on the port, the LED flashes on briefly once every five seconds as the PortMaster tries to activate the BRI. If no Directory Number is set, the LED stays off.
If the Directory Number is set and you plug in the RJ-45 from the NT1, the LED comes on at the next 5-second flash and stays on; the LED also comes on if the switch activates the BRI. If the PortMaster tries to dial out and finds the BRI has been deactivated, the LED goes off.

RADIUS for Outbound Users

RADIUS on the PortMaster now supports Service-Type = Outbound-User, used to authenticate users gaining outbound access to network device ports. If you do not have any ports set to "device /dev/network" or "twoway /dev/network", you can ignore this entire section; it does not apply to you. If you do have ports set to "device /dev/network" or "twoway /dev/network" and have been using RADIUS to authenticate outbound users, read this section carefully and understand it completely before upgrading to this release, because things will work differently after the upgrade.

In ComOS release 3.3.1 and earlier, to allow users to access the modems for outbound dialing across your network but require a password for such access, you set the port up like this (after first moving your Telnet administration port to something other than 23 with a command like "set telnet 24"):

    set s1 device /dev/network
    set s1 service_device telnet 10000
    save s1
    reset s1

and then set up a user like this in the PortMaster User Table:

    add user fred
    set user fred password What4ever
    set user fred service telnet 10000
    set user fred host <PortMaster ether0 IP address>
    save user

A user could then telnet to the PortMaster at the usual Telnet port of 23, get a login prompt, enter "fred", get a password prompt, enter "What4ever", and be connected to the device attached to port s1, typically a modem. You can pool multiple ports together by setting their service_device Telnet port to the same number. Any port number between 10000 and 10100 has this special property.

In ComOS 3.3.2 and later (3.4.2L and later on the Office Router, 3.4.2R and later on the IRX) this behavior has changed.
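Because of that change, the RADIUS entries for these outbound users have to be found and rewritten before the upgrade (see the IMPORTANT NOTE under "RADIUS Outbound-User support"). The following script is an added example; it is not part of this release note or of the Lucent software. It scans a Livingston-format /etc/raddb/users file for entries that still describe an outbound-device user the pre-3.3.2 way (reply items Login-Service = Telnet and a Login-TCP-Port in the 10000-10100 pool range described above, without Service-Type = Outbound-User as both a check item and a reply item), prints a rewritten entry for each, and reports usernames that occur more than once, since the users file can hold only one entry per name. The assumptions are the file layout (a non-indented line carrying the username and its comma-separated check items, followed by indented lines of comma-separated reply items), the 10000-10100 heuristic, which you should adjust if you pool ports under other numbers, and the sample users file embedded in the script, which is constructed for the example.

```python
"""Pre-upgrade check for ComOS 3.3.2: find RADIUS users file entries that
must move to Service-Type = Outbound-User.  Added example, not Lucent code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# service_device Telnet ports 10000-10100 are the PortMaster's pooled
# outbound-device ports; a user whose reply items send him there is an
# outbound user.  Assumption: all such ports on your PortMasters use this range.
POOL_PORTS = range(10000, 10101)

# "Attribute = Value" items, comma separated; values may be double-quoted.
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)')


@dataclass
class UserEntry:
    name: str
    check: Dict[str, str] = field(default_factory=dict)  # items on the name line
    reply: Dict[str, str] = field(default_factory=dict)  # items on indented lines


def _items(text: str) -> Dict[str, str]:
    return {attr: val.strip() for attr, val in ITEM_RE.findall(text)}


def parse_users(text: str) -> List[UserEntry]:
    """Livingston users file layout: a non-indented line holds the username
    and its check items; the indented lines that follow hold reply items."""
    entries: List[UserEntry] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments (assumes no '#' in values)
        if not line.strip():
            continue
        if line[0].isspace():                  # continuation line: reply items
            if entries:
                entries[-1].reply.update(_items(line))
            continue
        parts = line.split(None, 1)
        entries.append(UserEntry(parts[0], _items(parts[1]) if len(parts) > 1 else {}))
    return entries


def is_outbound_device_user(e: UserEntry) -> bool:
    port = e.reply.get('Login-TCP-Port', '')
    return (e.reply.get('Login-Service') == 'Telnet'
            and port.isdigit() and int(port) in POOL_PORTS)


def needs_migration(e: UserEntry) -> bool:
    """Outbound-device user whose entry lacks the 3.3.2 check item or reply item."""
    return (is_outbound_device_user(e)
            and not (e.check.get('Service-Type') == 'Outbound-User'
                     and e.reply.get('Service-Type') == 'Outbound-User'))


def find_unmigrated(entries: List[UserEntry]) -> List[str]:
    return [e.name for e in entries if needs_migration(e)]


def duplicate_names(entries: List[UserEntry]) -> List[str]:
    """The users file can hold only one entry per name; report collisions."""
    seen, dups = set(), []
    for e in entries:
        if e.name in seen and e.name not in dups:
            dups.append(e.name)
        seen.add(e.name)
    return dups


def migrate_entry(e: UserEntry) -> str:
    """Rewrite an entry in the 3.3.2 form: Outbound-User as a check item (the
    hint the PortMaster sends in its Access-Request) and as the first reply item."""
    check = dict(e.check)
    check['Service-Type'] = 'Outbound-User'
    reply = {'Service-Type': 'Outbound-User'}
    reply.update((k, v) for k, v in e.reply.items() if k != 'Service-Type')
    head = e.name + '\t' + ', '.join(f'{k} = {v}' for k, v in check.items())
    body = ',\n'.join('\t' + f'{k} = {v}' for k, v in reply.items())
    return head + '\n' + body


# Constructed sample users file (not a real configuration).
SAMPLE_USERS = """\
# fred: pre-3.3.2 outbound Telnet entry, must be migrated
fred\tPassword = "What4ever"
\tService-Type = Login-User,
\tLogin-Service = Telnet,
\tLogin-TCP-Port = 10000

# jane: already in the 3.3.2 form
jane\tPassword = "Xy9pq", Service-Type = Outbound-User
\tService-Type = Outbound-User,
\tLogin-Service = Telnet,
\tLogin-TCP-Port = 10000

# mary: ordinary Telnet login to a host, not an outbound user
mary\tPassword = "s3cret"
\tService-Type = Login-User,
\tLogin-Service = Telnet,
\tLogin-IP-Host = 192.0.2.20

# fred again as a PPP user: a duplicate name
fred\tPassword = "What4ever"
\tService-Type = Framed-User,
\tFramed-Protocol = PPP
"""

if __name__ == '__main__':
    users = parse_users(SAMPLE_USERS)
    for name in find_unmigrated(users):
        print(f'{name}: needs Service-Type = Outbound-User; suggested entry:')
        print(migrate_entry(next(u for u in users if u.name == name)))
    for name in duplicate_names(users):
        print(f'{name}: appears more than once; outbound use needs a distinct username')
```

Run it against a copy of your real users file by replacing SAMPLE_USERS with the file's contents; the rewritten entries are printed, not written back, so you can review them before editing the file and restarting radiusd.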
In 3.3.2, you set up the port the same way as before, but now when the user telnets to port 23 and gives a username and password, the PortMaster first checks the local User Table, as it did before. If the user is not found in the local User Table and the PortMaster is configured to use a RADIUS server, the PortMaster sends a RADIUS Access-Request to the RADIUS server with the hint Service-Type (6) = Outbound-User (5). If the PortMaster receives back an Access-Accept from the RADIUS server with Service-Type = Outbound-User, it allows the user to connect to the port. Check your /etc/raddb/dictionary file for the exact spelling of attribute 6 and value 5. An example entry in the /etc/raddb/users file for an Outbound-User follows:

    fred    Password = "What4ever", Service-Type = Outbound-User
            Service-Type = Outbound-User,
            Login-Service = Telnet,
            Login-TCP-Port = 10000

Note that the users file can have only one entry named "fred". If fred is already used in the RADIUS users file as a different kind of user, you must use a different username to dial out with. RADIUS 2.0 will make this easier.

RADIUS Accounting Terminate Cause

Release 3.3.2 adds support for the RADIUS Accounting Acct-Terminate-Cause attribute, which provides information on the cause of session termination. In addition, if termination debugging is turned on with the "set debug termination on" command, additional termination information is sent to syslog (auth.info) and the system console. Before upgrading the PortMaster, update your /etc/raddb/dictionary file by adding the following lines, then kill your radiusd and restart it. An updated dictionary file is available at ftp://ftp.livingston.com/pub/le/radius/dictionary.
    ATTRIBUTE   Acct-Terminate-Cause   49  integer
    VALUE       Acct-Terminate-Cause   User-Request          1
    VALUE       Acct-Terminate-Cause   Lost-Carrier          2
    VALUE       Acct-Terminate-Cause   Lost-Service          3
    VALUE       Acct-Terminate-Cause   Idle-Timeout          4
    VALUE       Acct-Terminate-Cause   Session-Timeout       5
    VALUE       Acct-Terminate-Cause   Admin-Reset           6
    VALUE       Acct-Terminate-Cause   Admin-Reboot          7
    VALUE       Acct-Terminate-Cause   Port-Error            8
    VALUE       Acct-Terminate-Cause   NAS-Error             9
    VALUE       Acct-Terminate-Cause   NAS-Request          10
    VALUE       Acct-Terminate-Cause   NAS-Reboot           11
    VALUE       Acct-Terminate-Cause   Port-Unneeded        12
    VALUE       Acct-Terminate-Cause   Port-Preempted       13
    VALUE       Acct-Terminate-Cause   Port-Suspended       14
    VALUE       Acct-Terminate-Cause   Service-Unavailable  15
    VALUE       Acct-Terminate-Cause   Callback             16
    VALUE       Acct-Terminate-Cause   User-Error           17
    VALUE       Acct-Terminate-Cause   Host-Request         18

The following simple script produces a list of the termination causes seen. Note that it does not remove duplicate (retransmitted) accounting records, so it provides only an approximate count.

    cat /var/adm/radacct/*/detail | grep Acct-Terminate-Cause | sort | uniq -c

Here are the syslog messages and their meanings. Where a message also goes to RADIUS Accounting, the Acct-Terminate-Cause is the part of the syslog message before the dash. In normal operation you would expect to see User-Request, Host-Request, and Lost-Carrier, although Lost-Carrier can be caused either by the user hanging up at his end of the connection or by line or modem problems.

Admin Reset
    Port was reset by administrator. Also sent to RADIUS Accounting if a session was active on the port.

Callback
    Callback user is disconnected so the port can be used to call the user back.

Cause Unknown
    Contact Lucent InterNetworking Systems Technical Support.

Host Request - PMD
    Disconnected or logged out from host using the in.pmd service. This can mean either normal termination of a login session, or that the remote host has crashed or become unreachable. Also sent to RADIUS Accounting.

Host Request
    Disconnected or logged out from host.
    This can mean either normal termination of a login session, or that the remote host has crashed or become unreachable. Also sent to RADIUS Accounting.

Idle Timeout
    Idle timer expired for the user or port. Also sent to RADIUS Accounting.

Login Timeout
    The login:, password:, or host: prompt timed out after five minutes with no input.

Lost Carrier
    Session terminated when the modem dropped DCD. This can mean that the user or his modem hung up the phone at their end, in which case there is no problem; or that the line was dropped or took a noise hit too severe for the modems to recover from; or that the local modem dropped DCD for some other reason. Also sent to RADIUS Accounting.

Lost Service - Interface Down
    Contact Lucent InterNetworking Systems Technical Support.

Lost Service - Interface Error
    Contact Lucent InterNetworking Systems Technical Support.

Lost Service - Invalid Network Handle
    Contact Lucent InterNetworking Systems Technical Support.

Lost Service - LMI
    A Frame Relay interface missed six consecutive LMI replies.

Lost Service - No netbufs
    No netbufs are available for service. Contact Lucent InterNetworking Systems Technical Support.

NAS Error - PPP Unknown State
    The PortMaster could not determine the state of PPP. Contact Lucent InterNetworking Systems Technical Support.

NAS Request - Modem Config Complete
    The Modem Table entry has finished initializing the modem attached to the port.

NAS Request - PPP Maximum Retransmissions
    PPP negotiation failed after the PortMaster sent 10 configuration requests. This is caused by a configuration error on the client, the PortMaster, or the RADIUS user entry.

No Event Identified
    Contact Lucent InterNetworking Systems Technical Support.

Port Error - PPP Couldn't Send
    The PortMaster could not send PPP negotiation packets. Check that the port and the modems at both ends are properly configured for hardware flow control (RTS/CTS); if the problem still occurs, contact Lucent InterNetworking Systems Technical Support.
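The shell one-liner under "RADIUS Accounting Terminate Cause" counts every Acct-Terminate-Cause line in the detail files, including Stop records the PortMaster retransmitted because an accounting response was lost. The following script is an added example; it is not part of this release note or of the Lucent RADIUS distribution. It parses the detail files, counts each Stop record once per NAS address and Acct-Session-Id, breaks the causes down by user, and separates out the causes other than the three the text above describes as normal operation (User-Request, Host-Request, Lost-Carrier) so the rest can be reviewed against the message explanations in this section. It assumes the detail-file layout written by the Livingston radiusd (a non-indented timestamp line, one indented "Attribute = Value" line per attribute, and a blank line ending each record); the records embedded in it are constructed for the example.

```python
"""Count RADIUS Acct-Terminate-Cause values once per session.
Added example, not part of the ComOS release note or the Lucent RADIUS code."""
import re
import sys
from collections import Counter, defaultdict
from typing import Dict, Iterator, Set, Tuple

# The release note calls these the causes seen in normal operation; anything
# else (port errors, admin resets, service failures, ...) deserves a look.
EXPECTED_CAUSES = {'User-Request', 'Host-Request', 'Lost-Carrier'}
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text: str) -> Iterator[Dict[str, str]]:
    """One dict per record: a non-indented timestamp line, then indented
    "Attribute = Value" lines, then a blank line that ends the record."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
            record = {}
        elif (m := ATTR_RE.match(line)):
            record[m.group(1)] = m.group(2).strip('"')
        elif not line[0].isspace():        # timestamp line starts a record
            if record:
                yield record
            record = {'_time': line.strip()}
    if record:
        yield record


def count_terminate_causes(text: str) -> Tuple[Counter, Dict[str, Counter]]:
    """Count causes from Stop records, one per (NAS, Acct-Session-Id), so a
    Stop the PortMaster retransmitted is counted once, unlike grep | uniq -c."""
    seen: Set[Tuple[str, str]] = set()
    causes: Counter = Counter()
    by_user: Dict[str, Counter] = defaultdict(Counter)
    for rec in parse_detail(text):
        if rec.get('Acct-Status-Type') != 'Stop':
            continue
        key = (rec.get('NAS-IP-Address', ''), rec.get('Acct-Session-Id', ''))
        if key in seen:
            continue
        seen.add(key)
        cause = rec.get('Acct-Terminate-Cause', 'Unknown')  # absent before 3.3.2
        causes[cause] += 1
        by_user[rec.get('User-Name', '?')][cause] += 1
    return causes, by_user


def unexpected_causes(causes: Counter) -> Set[str]:
    return {c for c in causes if c not in EXPECTED_CAUSES}


# Constructed detail records, not real accounting data.  fred's Stop appears
# twice, as it does when the first copy's accounting response is lost.
SAMPLE_DETAIL = """\
Wed Jun 11 15:20:01 1997
\tAcct-Session-Id = "0000003D"
\tUser-Name = "fred"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Start

Wed Jun 11 15:31:12 1997
\tAcct-Session-Id = "0000003D"
\tUser-Name = "fred"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Stop
\tAcct-Terminate-Cause = User-Request

Wed Jun 11 15:31:15 1997
\tAcct-Session-Id = "0000003D"
\tUser-Name = "fred"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Stop
\tAcct-Terminate-Cause = User-Request

Wed Jun 11 15:40:03 1997
\tAcct-Session-Id = "0000003E"
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Stop
\tAcct-Terminate-Cause = Lost-Carrier

Wed Jun 11 15:42:44 1997
\tAcct-Session-Id = "0000003F"
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Stop
\tAcct-Terminate-Cause = Service-Unavailable
"""

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DETAIL
    totals, per_user = count_terminate_causes(text)
    for cause, n in totals.most_common():
        print(f'{n:6d} {cause}' + ('' if cause in EXPECTED_CAUSES else '   <- review'))
    for user, cnt in sorted(per_user.items()):
        print(f'{user}: {dict(cnt)}')
```

Give it a detail file as its argument (for example /var/adm/radacct/pm1/detail) to run it on real data; without an argument it runs on the constructed records. Service-Unavailable is what "Service Unavailable - Auth Failed" and the other Service Unavailable messages below produce in accounting, so a user who accumulates that cause is worth checking against syslog.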
Port Error - PPP Loop Detect
    The PortMaster saw its own Magic Number in an LCP Configure-Request. The two most likely causes are that the local modem is in echo mode, or that the PortMaster dialed into a UNIX system that is echoing its packets back. In the former case, correct the modem configuration. In the latter case, change the chat script in the Location Table entry on the PortMaster to expect "~" instead of "PPP".

Port Error - Spurious Interrupts
    The attached device is causing too many interrupts, so the PortMaster reset the port. Also sent to RADIUS Accounting if a session was active on the port.

Port Error - Unknown State
    Contact Lucent InterNetworking Systems Technical Support.

Port Error - Wrong Type
    The port is configured for login users only and a network user is trying to log in, or vice versa. To configure ports appropriately:

        set all login                   Login users only
        set all network dialin          Network users only
        set all login network dialin    Both

Service Unavailable - Access Denied
    The port Access Filter does not permit connection to the requested host. If you get this message and you wish to allow a connection to the host:
Service Unavailable - Auth Failed
    Three attempts by the user to authenticate at the login: prompt have failed, so the user is disconnected.

Service Unavailable - Device
    The port is set for host device, but in.pmd or the configured pseudo-tty is unavailable. This is logged once per second until the situation is corrected.

Service Unavailable - Host
    The login session was unable to connect to the host. The most common cause is that the host is down, is refusing connections, or is not running in.pmd or rlogind.

Service Unavailable - PPP Auth Failed
    Contact Lucent InterNetworking Systems Technical Support.

Service Unavailable - PPP CHAP Auth Failed
    The user's PPP CHAP authentication failed.

Service Unavailable - PPP No Protocol
    Neither IP nor IPX was negotiated for PPP, so no service can be provided. This is a configuration error in either the dial-in client or the user entry.

Service Unavailable - PPP Outbound PAP Auth Failed
    The PortMaster dialed out to another site, was being authenticated by PAP, and failed, so the PortMaster is hanging up. (Note that if the PortMaster is authenticated by CHAP and fails, it is the responsibility of the other end to hang up.)

Service Unavailable - PPP PAP Auth Failed
    The user's PPP PAP authentication failed.

Session Timeout
    Session timer expired for the user. Also sent to RADIUS Accounting.

User Error - PPP LCP Protocol Reject
    The PortMaster received an LCP Protocol-Reject. This should never happen; it indicates a bug in the software of the remote system, since the remote system is claiming it does not support LCP.

User Error - PPP NCP Active to Reply
    The PortMaster received a PPP Configure-Ack when a session was already established, so it terminated the session. This is caused by a PPP implementation error in the dial-in client. Also sent to RADIUS Accounting.

User Error - PPP NCP Active to Request
    The PortMaster received a PPP Configure-Request when a session was already established, so it terminated the session.
    This is caused by a PPP implementation error in the dial-in client. Also sent to RADIUS Accounting.

User Request - Admin Quit
    Quit command issued from the command line interface.

User Request - PPP Term Ack
    The dial-in client requested that we terminate immediately without sending an acknowledgment. This message is expected from a proper PPP client termination. Also sent to RADIUS Accounting.

User Request - PPP Term Req
    The dial-in client requested that we send a Terminate-Ack and then terminate. This message is expected from a proper PPP client termination. Also sent to RADIUS Accounting.

Upgrade Instructions

If you are upgrading from ComOS 2.3 or 2.4 to 3.3.2, you must first upgrade to ComOS 3.0.4, reboot, then upgrade to 3.3.2.

If you have any port speeds set to 115200, upgrade to ComOS release 3.3.2, and later downgrade to any earlier release, you must set those port speeds again after downgrading.

WARNING! YOU MUST USE PMINSTALL VERSION 3.3.1 OR LATER TO PERFORM THIS UPGRADE! If you are upgrading using PMconsole for Windows, you must use PMconsole for Windows version 1.1 or later.

If you are installing a MOD-10I-U or MOD-10I-ST expansion card and upgrading from ComOS 3.1.4 or earlier to 3.3 or later, see the "Memory Usage" caution in the 3.3.1 release notes, available as release331.html for HTML, ftp://ftp.livingston.com/pub/le/doc/release/release331.txt for text, or ftp://ftp.livingston.com/pub/le/doc/release/release331.ps for PostScript.

The 3.3.2 upgrade image is available for the PortMaster 25 at ftp://ftp.livingston.com/pub/le/upgrades/pm25_3.3.2 and for the PortMaster 2, 2E, 2ER, and 2R at ftp://ftp.livingston.com/pub/le/upgrades/pm2_3.3.2. An updated RADIUS dictionary file is available at ftp://ftp.livingston.com/pub/le/radius/dictionary.

To upgrade using the floppy included with the MOD-10I-ST board, follow these instructions. If you have different media, replace /dev/rfd0c with the appropriate device.
You can also FTP the installation software from ftp://ftp.livingston.com/pub/le/software/.

    umask 22
    mkdir /usr/portmaster
    cd /usr/portmaster
    tar xvf /dev/rfd0c
    ./pminstall

To upgrade a PM-2, PM-2E, PM-2ER, or PM-2R to ComOS 3.3.2, run the new pminstall as above, choose the Upgrade PortMaster option, choose pm2_3.3.2 from the menu of upgrade choices, enter your PortMaster's hostname or IP address, and enter your PortMaster's administrative password. pminstall then upgrades your PortMaster to ComOS 3.3.2. To upgrade a PM-25, follow the same instructions except choose pm25_3.3.2 from the menu of upgrade choices instead of pm2_3.3.2.

The upgrade does not affect the configuration stored in the PortMaster; however, if you would like to back up your PortMaster configuration before upgrading, run pmreadconf:

    cd /usr/portmaster
    ./pmreadconf Pmname Pmpassword data/Pmname.conf
    chmod 600 data/Pmname.conf

The saved file holds the PortMaster's configuration, including its passwords, which is why it is restricted to its owner with chmod 600. Note also that the administrative password is given on the pmreadconf command line, where other users of the host can see it in the process list while the command runs.

Copyright and Trademarks

© Copyright 1997 Lucent Technologies, Inc. All rights reserved. The product names "ComOS," "IRX," "PortMaster," "PMconsole," and "RADIUS" are trademarks belonging to Lucent Technologies, Inc. All other brand and product names mentioned in this document are trademarks or registered trademarks of their respective manufacturers.

Notices

Lucent Technologies, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Lucent Technologies, Inc. reserves the right to revise this publication and to make changes to its content at any time, without obligation to notify any person or entity of such revisions or changes.

Contacting Lucent InterNetworking Systems Technical Support

Every Lucent PortMaster or IRX™ product comes with a one-year hardware warranty. Lucent Technologies provides technical support via voice, FAX, and electronic mail. Technical support is available Monday through Friday, 6am-5pm Pacific Time (GMT-8).
To contact Lucent InterNetworking Systems technical support: by voice, dial 1-800-458-9966 within the US or 1-510-426-0770 outside the US; by FAX, dial 1-510-426-8951; by electronic mail, send mail to support@livingston.com; or visit the World Wide Web at http://www.livingston.com/.