TITLE: ComOS 3.4.1L Release Note

Introduction

The new Lucent Technologies ComOS 3.4.1L software release is now available for the PortMaster Office Router OR-M and OR-U, and adds support for the new PortMaster Synchronous 384K Office Router (OR-LS) and PortMaster Synchronous T1/E1 Office Router (OR-HS). The only feature change from 3.4L is the support for the two new synchronous office routers.

This software release is provided at no charge to all Lucent customers. The following document describes the features of the ComOS 3.4L and 3.4.1L software release and how to upgrade your PortMaster. Upgrade instructions are included at the end of this release note.

WARNING! YOU MUST USE PMINSTALL VERSION 3.3 OR LATER IN ORDER TO PERFORM THIS UPGRADE!

Contents

  • Introduction
  • Contents
  • New Features in ComOS 3.4.1L
  • New Features in ComOS 3.4L
  • Bug Fixes in ComOS 3.4L
  • ISDN Basic Rate Interface (BRI) support
  • Configuring ISDN
  • New RADIUS Attributes
  • Quick Setup Example for OR-U
  • Quick Setup Example for OR-LS or OR-HS
  • Upgrade Instructions
  • Copyright and Trademarks
  • Notices
  • Contacting Lucent InterNetworking Systems Technical Support

New Features in ComOS 3.4.1L

ComOS 3.4.1L adds support for the W1 synchronous port on the PortMaster Synchronous 384K Office Router (OR-LS) and PortMaster Synchronous T1/E1 Office Router (OR-HS) and includes all the features of 3.4L.

If the external clock rate on W1 exceeds 384Kbps, the OR-LS displays the message "W1: External clock exceeds maximum rate" on the console.

New Features in ComOS 3.4L

ComOS 3.4L includes the following new features:

  • ISDN Basic Rate Interface (BRI) support (on OR-U)
  • Multilink PPP on ISDN (on OR-U)
  • Multilink V.120 on ISDN (on OR-U)
  • Data over voice for both inbound and outbound ISDN connections (on OR-U)
  • AT strings for more user control for outbound ISDN dialing (on OR-U)
  • Dynamic loadable software modules for memory management
  • Console now ignores modem type and autolog
  • !root login on serial ports can be disabled
  • Non-printing characters allowed in passwords
  • Require PAP option
  • Per user port limit (for Multilink PPP and Multilink V.120)
  • Per user idle timeouts
  • Per user session time limits
  • IP numbered interfaces through User Table
  • BOOTP support
  • RFC 1877 support so clients can learn DNS server from PortMaster
  • Port Type included in RADIUS Authorization and Accounting
  • RADIUS Accounting records signed
  • Called-Station-Id and Calling-Station-Id RADIUS accounting
  • RADIUS accounting sends notification of PortMaster boot
  • Input and output octet counters in RADIUS Accounting
  • Location Table entries made simpler and easier
  • Outbound PAP authentication

Description of New Features in ComOS 3.4L

This section describes the new features in ComOS 3.4L in more detail.

  • ISDN Basic Rate Interface (BRI) support Full support for the ISDN BRI interface has been added on the OR-U. See "ISDN Basic Rate Interface (BRI) support" below for specific information about ISDN support on the OR-U.
  • Multilink PPP on ISDN Multilink PPP is now supported on ISDN interfaces. This is supported concurrently with the Lucent Multi-line Load Balancing. The PortMaster detects and accepts both Multi-line Load Balancing and Multilink PPP connections. Outbound, the PortMaster can be set to use Multilink PPP via the Location Table by using the "set location Location_Name multilink on" command.
    Compatibility with Ascend's version of Multilink PPP has been added.
  • Multilink V.120 on ISDN Multilink V.120 is now implemented on ISDN interfaces. This allows the Lucent PowerLink128 ISDN PC modem to make 128Kbps connections to the PortMaster OR-U. Second connections generate PowerLink128 RADIUS Accounting records.
  • Data over voice for both inbound and outbound ISDN connections Data over voice is now supported for both inbound and outbound ISDN connections. The PortMaster accepts voice calls inbound and treats them as data calls. Outbound, setting the voice attribute in the location table with "set Location_Name voice on" forces a voice call. In outbound asynchronous mode, the AT&N55 command forces a voice call.
  • AT strings for more user control for outbound ISDN dialing In asynchronous ISDN mode new AT attributes have been added to allow more user control when performing outbound dialing. Specifically the new attributes are:
       &N55  Perform an outbound call using data over voice
             (a voice call is originated).
       &N56  Perform an outbound call using a 56000 data connection.
       &N64  Perform an outbound call using a 64000 data connection.
       &N0   Attempt to autodetect the available data service
             (64000 or 56000).
  • Dynamic loadable software modules for memory management Memory management has been improved and dynamically loaded modules have been implemented. Device drivers now load only if the specific device is present in the PortMaster (for example, ISDN). In addition, if SNMP or IPX are not needed they can be disabled to save memory: the commands "set ipx off" and "set snmp off" cause those modules not to load. Any device driver or subsystem that is not loaded leaves additional operational memory for the PortMaster.
    IMPORTANT - to use IPX, you must now use the "set ipx on" command. If you are upgrading from a previous release and had IPX configured, it defaults to on in this release. When turning IPX or SNMP off, you must do a "save all" and reboot the PortMaster before the change takes effect.
  • Console now ignores modem type and autolog When the console diagnostic switch is up, the PortMaster no longer attempts to configure the modem specified for the console port. This allows a terminal to be more easily attached to the console for debugging purposes when a modem was previously attached. Any autolog setting on S0 is now ignored if the console diagnostic switch is up.
  • !root login on serial ports can be disabled The command "set serial-admin off" disables !root logins on the serial ports. !root can still login on port S0 if the console dip switch is up.
  • Non-printing characters allowed in passwords Support has been added to allow the entry of non-printing characters in the login password field.
  • Require PAP option The support for Challenge Handshake Authentication Protocol (CHAP) can now be disabled. Administrators who do not wish to support inbound CHAP authentication can now use the command "set chap off" to disable it. In this case the only authentication supported is PAP or simple username/password. It is recommended that this form of authentication use more advanced security subsystems like one-time password smart cards.
  • Per user port limit for Multilink PPP and Multilink V.120 Port limits are now imposed on a per user basis, for Multilink V.120 and Multilink PPP users only. If left unconfigured, no port limit is imposed and Multilink V.120 and Multilink PPP (MP) sessions are allowed. If a port limit is set, the user is limited to that number of ports on the PortMaster for Multilink V.120 and Multilink PPP only. The command is "set user Username maxports Number". The limit can also be specified using the new RADIUS Port-Limit attribute.
  • Per user idle timeouts Idle timeouts are now supported on a per user basis. They can be set in the User Table or provided through the new RADIUS Idle-Timeout attribute. To set one in the User Table, use the "set user Username idle Minutes" command.
  • Per user session time limits Session time limits are now supported from the User Table or RADIUS. If RADIUS returns a session time limit using the new Session-Timeout attribute, the user is disconnected when the limit is exceeded. To set a session limit in the User Table, use the "set user Username session-limit Minutes" command.
  • IP numbered interfaces through the User Table IP numbered interfaces are now supported for login users through the User Table. When "set user Username local-ip-address IPaddress" is used, the PortMaster advertises the local-ip-address as its own IP address on the serial interface. This function is not available through RADIUS.
  • BOOTP support BOOTP Support has been added. Clients dialing into the PortMaster can now make BOOTP requests to determine IP address, Subnet Mask, Default Gateway, DNS server, and Domain Name. The PortMaster only responds to BOOTP requests on its serial or ISDN lines.
  • RFC 1877 support so clients can learn DNS server from PortMaster Support for RFC 1877 has been added. This allows hosts which support RFC 1877 to learn their DNS (and other servers) through the PPP protocol negotiation. Use the "set nameserver Ipaddress" command on the PortMaster to set the nameserver that the PortMaster tells the host about. You can set an alternate name server with "set nameserver 2 Ipaddress".
  • Port Type included in RADIUS Authorization and Accounting RADIUS accounting and authorization has been extended. The new NAS-Port-Type is now included in Access Requests and Accounting Requests. This allows administrators to know definitively whether a user is attempting a session on an asynchronous port, an ISDN port, or a synchronous port.
  • RADIUS Accounting records signed RADIUS accounting has been extended to deliver signed accounting records for verification of authenticity as per the current RADIUS Internet-Draft.
  • Called-Station-Id and Calling-Station-Id for RADIUS accounting RADIUS Accounting has been extended to provide Called-Station-Id and Calling-Station-Id on ISDN dial-up connections (where provided by the ISDN carrier). These attributes can be used to differentiate ISDN calls from analog calls and to track origination of ISDN calls.
  • RADIUS accounting sends notification of PortMaster boot The PortMaster now logs an Accounting Start record (with no User-Name) to the RADIUS accounting server at boot time.
  • Input and output octet counters in RADIUS Accounting RADIUS accounting has been extended to include input and output byte counts in the RADIUS Stop records.
  • Outbound PAP authentication Outbound PAP authentication is now supported. The PortMaster previously required the remote end to authenticate with CHAP. Now, by specifying a PAP username and Password in the Location Table dial script, the PortMaster can be authenticated by the remote end using PAP. This is done by setting the Send String in the last line of the dial script to contain the PAP information. To authenticate using PAP as user User with password Password, the command is:
       set location Location_Name script Number
                    "=PAP=User/Password"
  • Location Table entries made simpler and easier New location table entries now default to PPP and its associated configuration parameters to simplify data entry for the most common types of dial locations.
    Automatic location table scripting has been implemented. Instead of entering a V25bis or AT style send/expect dial script, the administrator can simply enter the telephone number, user name, and password to use when dialing to a remote location. The following commands have been added to support this:
       set location Location_Name telephone 8005551212
       set location Location_Name username PPP_PAP_username
       set location Location_Name password PPP_PAP_password

Bug Fixes in ComOS 3.4L

The following bugs have been fixed in ComOS 3.4L.

The PortMaster no longer loses track of IP addresses it handed out as assigned addresses from the pool. This bug caused the PortMaster to start giving out the address 0.0.0.0 to dial-in hosts because it believed it had run out of addresses.

Users who initiate a PPP connection using PPP autodetect but are authenticated and authorized as SLIP users are now handled properly: service is denied and the PortMaster cleans up the session. Previously a variety of symptoms could occur, leaving an incorrect active configuration.

The correct active user is retained for ports configured for host prompt.

Serial port spurious interrupt handling has been extended to include detecting streams of framing errors. Some modems get confused about their configuration and begin sending continuous data to the PortMaster at a baud rate different than set on the PortMaster. This would cause all operation on the PortMaster to appear stopped for several minutes to several hours. The PortMaster now attempts to reset the modem and continues to operate properly even if the modem does not recover.

ISDN Basic Rate Interface (BRI) support

ComOS 3.4L adds support for Lucent's new PortMaster ISDN Office Router (OR-U).

PortMasters support dial-on-demand ISDN connections using the BRI port and the PPP protocol. Each BRI supports two 64 Kbps B channels for data and one 16 Kbps D channel for signaling. Multiple lines can be used to increase bandwidth, either using Multilink PPP, as defined by RFC 1717, or using Lucent's Multiline Load Balancing. ISDN BRI ports are easier to configure than asynchronous or synchronous ports because the NT1 is integrated in the port, so no modem, CSU/DSU, or external terminal adapter is required.

ISDN ports can also be used to do anything that an asynchronous port can be used for except network hardwired. Asynchronous or synchronous usage is autodetected. 56K or 64K speeds are also autodetected. Hayes AT commands have been added to allow a user to telnet to a 64K B-channel and use the ISDN port as a dial-out modem. The ISDN ports support synchronous PPP and asynchronous V.120 PPP or SLIP.

ISDN connections can be initiated on an as-needed basis or they can remain active all the time. A dial-out location must be specified in the Location Table for dial-out connections and a dial-in user must be specified in the User Table or RADIUS for dial-in connections.

CHAP is available for dial-in or dial-out authentication. PAP is available for dial-in authentication, and is available for dial-out authentication if the =PAP= Send string is used in the V.25bis dialing script.

The following commands have been added to configure ISDN:

set isdn-switch ni-1|dms-100|5ess|5ess-ptp
set Port spid Number
set Port directory Number

See "Configuring ISDN" below for more information on the ISDN commands.

Hayes AT commands can be used for ISDN dial-out modems.

Any 64K ISDN B-channel port can be used as a dial-out ISDN modem. A user can telnet to a ISDN port and then execute a Hayes AT dialing command to connect to a remote ISDN PortMaster, PortMaster ISDN Office Router, or external ISDN modem.

The PortMaster responds to any "AT" command which is not specifically a dial command with an "OK". That way, attempts to set S registers, flow control, or other things needed by analog modems are accepted by the PortMaster but ignored. This allows existing configured dialer software to be used on the PortMaster ISDN dialer without any changes.

The "AT&N56" command sets the port for 56K operation for this dialout, and the "AT&N64" command sets the port for 64K. The "AT&N0" command attempts to autodetect the available data service, either 56000 or 64000.

The "AT&N55" command performs an outbound call using data over voice.

A dial command can be ATDT, ATD or ATDP followed by the phone number. Phone numbers can have dashes "-", commas "," or digits in them, ending with a carriage return. Since ISDN does not require pauses in dialing, commas in the phone number are accepted but ignored.

Configuring ISDN

Only two additional items need to be configured on the PortMaster to permit ISDN service, with an optional third: the ISDN switch type, a Service Profile Identifier (SPID) for each ISDN port, and optionally a directory number for each ISDN port. All three can be configured from the command line interface. To display ISDN debug information on the console, use the following commands:

set console
set debug isdn on

To turn off debugging use the commands:

set debug isdn off
reset console

ISDN Switch Type

The ISDN Switch Type can be set to one of four values. Your telephone company can tell you which type its switch is: National ISDN-1 (NI-1), Northern Telecom DMS-100 Custom, AT&T 5ESS Custom Multi-Point, or AT&T 5ESS Custom Point-to-Point.

If the telephone company has a DMS-100 or 5ESS switch that uses National ISDN-1, treat it as NI-1.

Use one of the following commands to set the switch type. The default is NI-1. If you change the switch type after setting a SPID on a port you must reboot the PortMaster for the change to take effect.

set isdn-switch ni-1
set isdn-switch dms-100
set isdn-switch 5ess
set isdn-switch 5ess-ptp

SPID

The Service Profile Identifier (SPID) is a number up to 20 digits long, set for each port, which identifies the port to the telephone company. The telephone company can provide you with the SPIDs for each line. If the SPID is invalid, the command "set debug isdn on" provides debugging information. An example command is:

set s10 spid 1510555121200

Directory Number

If you set the Directory Number, an incoming call must match this number to determine which port the call is taken on. It is a 10-digit phone number provided by the telephone company. Either of the following commands is accepted:

set s10 dn 5105551111
set s10 directory 5105551111

Other port configuration

ISDN ports are simpler to configure than asynchronous ports. You never set modem control (carrier detect), flow control or speed on an ISDN port. The PortMaster senses the speed and sets the port to 64000 or 56000 accordingly, flow control isn't needed on a synchronous line since clock is provided by the telephone company, and carrier detect is always used. Refer to the Communications Server Hardware Installation Guide for information on ISDN LED activity.

The ports support both sync and async PPP (V.120). The show port command displays 64000/async if async PPP is in use. The port can be configured for anything an async port can be configured for, except that network hardwired is not supported.

When using the ISDN port for network dial-out, the dial-out location should use a V25bis script and authenticate using CHAP, but PAP is also available.

Here is a table for what show port displays according to port status:

Port Status  Modem Status            Description
NO-SERVICE   DCD- CTS- TELCO- NT1-   No SPID set
NO-SERVICE   DCD- CTS- TELCO- NT1+   No cable or no circuit to TelCo
NO-SERVICE   DCD- CTS+ TELCO+ NT1+   Cable and ISDN circuit OK but SPID not registered
IDLE         DCD- CTS+ TELCO+ NT1+   SPID registered and ready to use
ESTABLISHED  DCD- CTS+ TELCO+ NT1+   Connecting or providing device service but no carrier sensed
ESTABLISHED  DCD+ CTS+ TELCO+ NT1+   Connected
ESTABLISHED  DCD+ CTS- TELCO+ NT1+   Connected with V.120 async but flow controlled by other end

New RADIUS Attributes

To use the new RADIUS attributes with RADIUS 1.16, upgrade your PortMaster to ComOS 3.4L as described below, add the following lines to your /etc/raddb/dictionary file, kill your radiusd daemon and restart it.

ATTRIBUTE   Session-Timeout       27      integer
ATTRIBUTE   Idle-Timeout          28      integer
ATTRIBUTE   Called-Station-Id     30      string
ATTRIBUTE   Calling-Station-Id    31      string
ATTRIBUTE   Acct-Input-Octets     42      integer
ATTRIBUTE   Acct-Output-Octets    43      integer
ATTRIBUTE   NAS-Port-Type         61      integer
ATTRIBUTE   Port-Limit            62      integer

VALUE       NAS-Port-Type         Async        0
VALUE       NAS-Port-Type         Sync         1
VALUE       NAS-Port-Type         ISDN         2
VALUE       NAS-Port-Type         ISDN-V120    3
VALUE       NAS-Port-Type         ISDN-V110    4

Idle-Timeout is expressed in seconds but is rounded to a minute boundary, and can be any value from 120 (2 minutes) to 14400 (4 hours). Session-Timeout is expressed in seconds but is rounded to a minute, and can be up to a year long. Note that Port-Limit only applies to Multilink PPP and Multilink V.120 users; see "Per user port limit" under "Description of New Features in ComOS 3.4L" above for restrictions.

Here is an example /etc/raddb/users entry for a network user that is authenticated using a login script or PAP using her password from the UNIX /etc/passwd file, and uses PPP with an address assigned from the PortMaster's dynamic assigned address pool. She is only allowed to connect once concurrently per PortMaster. After ten minutes of idle time without any traffic she is disconnected. After two hours elapsed time she is disconnected regardless of what she is doing.

#
# Example PPP user, address Assigned by PortMaster
#

Pfn     Password = "UNIX"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Idle-Timeout = 600,
        Session-Timeout = 7200,
        Port-Limit = 1
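The signed accounting records and the new accounting attributes described above, as an added example that is not part of this release note or of ComOS: a Python model of how an accounting server checks an Accounting-Request before trusting its counters. It implements the Accounting-Request authenticator as later standardized in RFC 2866 (the successor of the Internet-Draft the note refers to): MD5 over the header, sixteen zero octets, the attributes, and the shared secret. It assumes the attribute numbers from the dictionary fragment above plus the standard User-Name (1), Acct-Status-Type (40) and Acct-Session-Id (44); the shared secret, session id and the called number are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers: standard ones (User-Name, Acct-Status-Type, Acct-Session-Id)
# plus the new ones listed in the /etc/raddb/dictionary fragment above.
USER_NAME = 1
CALLED_STATION_ID = 30
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_INPUT_OCTETS = 42
ACCT_OUTPUT_OCTETS = 43
ACCT_SESSION_ID = 44
NAS_PORT_TYPE = 61

ACCT_STATUS_STOP = 2         # Acct-Status-Type value for a Stop record
NAS_PORT_TYPE_ISDN = 2       # VALUE NAS-Port-Type ISDN 2
ACCOUNTING_REQUEST = 4       # RADIUS packet Code for Accounting-Request

# Constructed secret for this demonstration only; a real one lives in /etc/raddb/clients.
SHARED_SECRET = b"example-shared-secret"


def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; integers are 32-bit big-endian."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(payload) + 2]) + payload


def build_accounting_request(identifier, attrs, secret):
    """Accounting-Request whose 16-byte Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """What the accounting server does: recompute the Authenticator and compare.
    Returns False for a wrong secret, a modified body, or a malformed header."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_attributes(packet):
    """Return {attribute_type: raw value bytes} for a packet that has already verified."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def example_stop_record():
    """A constructed Stop record for an ISDN call by user "Pfn" (sample data, not a capture)."""
    attrs = [
        (ACCT_STATUS_TYPE, ACCT_STATUS_STOP),
        (USER_NAME, "Pfn"),
        (ACCT_SESSION_ID, "0000001A"),
        (NAS_PORT_TYPE, NAS_PORT_TYPE_ISDN),
        (CALLING_STATION_ID, "5105551111"),
        (CALLED_STATION_ID, "5105552222"),
        (ACCT_INPUT_OCTETS, 123456),
        (ACCT_OUTPUT_OCTETS, 654321),
    ]
    return build_accounting_request(0x2A, attrs, SHARED_SECRET)


def flip_last_byte(packet):
    """Alter one byte of Acct-Output-Octets without re-signing, to show the check fails."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])


if __name__ == "__main__":
    pkt = example_stop_record()
    print("genuine record verifies:", verify_accounting_request(pkt, SHARED_SECRET))
    print("modified record verifies:", verify_accounting_request(flip_last_byte(pkt), SHARED_SECRET))
    print("wrong secret verifies:", verify_accounting_request(pkt, b"not-the-secret"))
    octets = parse_attributes(pkt)
    print("input/output octets:", int.from_bytes(octets[ACCT_INPUT_OCTETS], "big"),
          int.from_bytes(octets[ACCT_OUTPUT_OCTETS], "big"))
```

The authenticator lets the server reject records that were altered in transit or sent by a host that does not hold the shared secret, which is what makes the new octet counters usable for billing. Its strength is entirely that of the secret, so the secret should be long and random, and the attributes should only be parsed after the authenticator has been checked.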

Quick Setup Example for OR-U

This is a quick reference on how to configure your OR-U to dial out on demand to another site using ISDN. You can abbreviate the commands to uniqueness. Fill in the blanks with your information. The filter shown is just an example, see the "Configuring Filters" chapter of the Configuration Guide for PortMaster Products or Chapman & Zwicky's Building Internet Firewalls for more detailed information on using packet filters.

set gateway ____________          (IP address of router at other end)
set isdn-switch ni-1              (or dms-100 or 5ess or 5ess-ptp)
set ether0 address _____________  (your IP address)
set ether0 netmask 255.255.255.0  (or whatever you are using)

set s1 spid ________________
set s1 directory ___________
set s1 group 2
set s2 spid ________________
set s2 directory ___________
set s2 group 2

add filter isp.in
set filter isp.in 1 deny ___________/24 0.0.0.0/0          (your network number)
set fil isp.in 2 permit tcp estab
set fil isp.in 3 permit 0.0.0.0/0 _____/32 tcp dst eq 80   (WWW host)
set fil isp.in 4 permit 0.0.0.0/0 _____/32 tcp dst eq 119  (News server)
set fil isp.in 5 permit 0.0.0.0/0 _____/32 tcp dst eq 25   (mail server)
set fil isp.in 6 permit 0.0.0.0/0 _____/32 tcp dst eq 21   (FTP server)
set fil isp.in 7 permit 0.0.0.0/0 _____/32 udp dst eq 53   (DNS server)
set fil isp.in 8 permit 0.0.0.0/0 _____/32 tcp dst eq 53   (DNS server)
set fil isp.in 9 permit tcp src eq 20 dst gt 1023
set fil isp.in 10 permit icmp

add filter isp.out
set filter isp.out 1 deny 0.0.0.0/0 ______/24   (your network number)
set fil isp.out 2 permit tcp estab
set fil isp.out 3 permit tcp dst eq 80
set fil isp.out 4 permit tcp dst eq 119
set fil isp.out 5 permit tcp dst eq 25
set fil isp.out 6 permit tcp dst eq 21
set fil isp.out 7 permit tcp src eq 20 dst gt 1023
set fil isp.out 8 permit udp src eq 53
set fil isp.out 9 permit udp dst eq 53
set fil isp.out 10 permit udp dst eq 520
set fil isp.out 11 permit icmp

add location isp
set location isp on_demand
set location isp destination ________    (same address as gateway)
set location isp netmask 255.255.255.0
set location isp idletime 2              (2 to 240 minutes, do NOT use 1)
set location isp group 2
set location isp username ________       (your username on isp)
set location isp password ________       (your password on isp)
set location isp telephone _______       (ISDN phone# of isp)
set location isp ifilter isp.in
set location isp ofilter isp.out
set location isp maxports 2

save all
reset s1
reset s2

On isp you must add a netuser to the User Table or RADIUS using the above username and password, protocol PPP, TCP header compression on, address either negotiated or set the same as the ether0 address above.
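The isp.in filter from the quick setup above, as an added example that is not from this release note or from ComOS: a Python evaluator that parses the filter lines exactly as they are written in the setup (with the blanks filled in using constructed RFC 5737 documentation addresses) and runs constructed inbound packets through them, so the effect of each rule can be seen before the filter is applied to a live line. It assumes the usual PortMaster filter semantics of first-match evaluation with an implicit deny when no rule matches, and that "estab" matches TCP segments with the ACK or RST bit set; confirm both against the "Configuring Filters" chapter for your ComOS version.

```python
import ipaddress

# The blanks in the quick setup are filled with constructed RFC 5737 documentation
# addresses: 192.0.2.0/24 stands in for "your network number".
OUR_NET = "192.0.2.0/24"
WWW_HOST, NEWS_HOST, MAIL_HOST, FTP_HOST, DNS_HOST = (
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14")

ISP_IN = [
    f"set filter isp.in 1 deny {OUR_NET} 0.0.0.0/0",
    "set fil isp.in 2 permit tcp estab",
    f"set fil isp.in 3 permit 0.0.0.0/0 {WWW_HOST}/32 tcp dst eq 80",
    f"set fil isp.in 4 permit 0.0.0.0/0 {NEWS_HOST}/32 tcp dst eq 119",
    f"set fil isp.in 5 permit 0.0.0.0/0 {MAIL_HOST}/32 tcp dst eq 25",
    f"set fil isp.in 6 permit 0.0.0.0/0 {FTP_HOST}/32 tcp dst eq 21",
    f"set fil isp.in 7 permit 0.0.0.0/0 {DNS_HOST}/32 udp dst eq 53",
    f"set fil isp.in 8 permit 0.0.0.0/0 {DNS_HOST}/32 tcp dst eq 53",
    "set fil isp.in 9 permit tcp src eq 20 dst gt 1023",
    "set fil isp.in 10 permit icmp",
]


def parse_rule(line):
    """Parse 'set fil[ter] NAME INDEX ACTION [SRC DST] [PROTO] [estab] [src eq N] [dst eq|gt N]'.
    Only the forms used in the release note are handled."""
    tokens = line.split()
    rule = {"action": tokens[4], "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
            "proto": None, "estab": False, "sport": None, "dport": None}
    rest = tokens[5:]
    if rest and "/" in rest[0]:               # explicit source and destination prefixes
        rule["src"], rule["dst"], rest = rest[0], rest[1], rest[2:]
    if rest and rest[0] in ("tcp", "udp", "icmp"):
        rule["proto"] = rest.pop(0)
    while rest:
        tok = rest.pop(0)
        if tok == "estab":
            rule["estab"] = True
        elif tok in ("src", "dst"):
            op, value = rest.pop(0), int(rest.pop(0))
            rule["sport" if tok == "src" else "dport"] = (op, value)
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule


def _port_matches(condition, port):
    if condition is None:
        return True
    if port is None:                          # ICMP has no ports: a port test cannot match
        return False
    op, value = condition
    return port == value if op == "eq" else port > value


def rule_matches(rule, pkt):
    """pkt: dict with src, dst, proto and optional sport, dport, ack (TCP ACK/RST set)."""
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"], strict=False):
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["estab"] and not pkt.get("ack"):  # assumed: estab = TCP with ACK or RST set
        return False
    return (_port_matches(rule["sport"], pkt.get("sport"))
            and _port_matches(rule["dport"], pkt.get("dport")))


def evaluate(rules, pkt):
    """First matching rule decides; a packet matching no rule is denied (assumed ComOS
    semantics). Returns (action, rule_number), rule_number None for the implicit deny."""
    for number, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule["action"], number
    return "deny", None


ISP_IN_RULES = [parse_rule(line) for line in ISP_IN]

# Constructed packets arriving from the ISP side; ifilter isp.in is applied to them.
SAMPLE_PACKETS = {
    "spoofed source from our own net": dict(src="192.0.2.5", dst=WWW_HOST, proto="tcp", sport=40000, dport=80),
    "new SMTP session to mail host": dict(src="198.51.100.7", dst=MAIL_HOST, proto="tcp", sport=40000, dport=25),
    "reply to our outbound HTTPS": dict(src="198.51.100.7", dst="192.0.2.20", proto="tcp", sport=443, dport=40001, ack=True),
    "active-mode FTP data from port 20": dict(src="198.51.100.7", dst="192.0.2.20", proto="tcp", sport=20, dport=40002),
    "telnet to the WWW host": dict(src="198.51.100.7", dst=WWW_HOST, proto="tcp", sport=40003, dport=23),
    "ping": dict(src="198.51.100.7", dst=WWW_HOST, proto="icmp"),
}


def classify_samples():
    return {name: evaluate(ISP_IN_RULES, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, number) in classify_samples().items():
        print(f"{name:36s} -> {action} (rule {number})")
```

Two results are worth noticing. Rule 1 denies the packet with a source address in your own network even though rule 3 would otherwise permit it, which is why the anti-spoofing rule must come first. Rule 9, which exists for active-mode FTP data connections, permits any new TCP connection to any port above 1023 on any host as long as the sender chose source port 20, so hosts behind this filter still need their own protection on those ports; that trade-off is the kind of thing the Chapman & Zwicky reference discusses.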

Quick Setup Example for OR-LS or OR-HS

This is a quick reference on how to configure your OR-LS (or OR-HS) to connect to another site using PPP over a synchronous leased line. You can abbreviate the commands to uniqueness. Fill in the blanks with your information. Use the same filters isp.in and isp.out as described in the previous setup example. If you are connecting using Frame Relay instead of PPP, see "Synchronous Frame Relay Connections" in the Configuration Guide for PortMaster Products. The W1 synchronous port always requires external clock from either the telephone company or the CSU/DSU.

set gateway ____________          (IP address of router at other end)
set ether0 address _____________  (your IP address)
set ether0 netmask 255.255.255.0  (or whatever you are using)

set w1 network hardwire
set w1 protocol ppp
set w1 routing broadcast          (unless instructed otherwise by ISP)
set w1 destination ________   255.255.255.0   (same as gateway)
set w1 mtu 1500
set w1 ifilter isp.in
set w1 ofilter isp.out

save all
reset w1

Upgrade Instructions

These upgrade instructions assume you have already installed the PMconsole software into /usr/portmaster from floppy, CDROM, or FTP from ftp://ftp.livingston.com/pub/le/. To upgrade, run pminstall:

 # /usr/portmaster/pminstall

To upgrade to ComOS 3.4.1L, run pminstall (version 3.3 or later) and choose the Upgrade PortMaster option, choose or_3.4.1L from the menu of upgrade choices, enter the hostname or IP address of your PortMaster, and enter the administrative password of your PortMaster. pminstall then upgrades your PortMaster to ComOS 3.4.1L.


Copyright and Trademarks

© Copyright 1997 Lucent Technologies, Inc. All rights reserved.

The product names, "ComOS," "IRX," "PortMaster," "PMconsole," and "RADIUS" are trademarks belonging to Lucent Technologies, Inc.

All brand product names mentioned in this document are trademarks or registered trademarks of their respective manufacturers.

Notices

Lucent Technologies, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Lucent Technologies, Inc. reserves the right to revise this publication and to make changes to its content, any time, without obligation to notify any person or entity of such revisions or changes.

Contacting Lucent InterNetworking Systems Technical Support

Every Lucent PortMaster or IRX product comes with a one year hardware warranty. Lucent Technologies provides technical support via voice, FAX, and electronic mail. Technical support is available Monday through Friday 6am-5pm Pacific Time (GMT-8).

To contact Lucent InterNetworking Systems technical support by voice, dial 1-800-458-9966 within the US or 1-510-426-0770 outside the US, by FAX, dial 1-510-426-8951, by electronic mail, send mail to support@livingston.com, and through the World Wide Web at http://www.livingston.com/.