Cyno Technical Support

NAS NOTES

This page is taken from the MacRADIUS manual, with some subsequent user-provided additions, and contains notes we continue to collect about using MacRADIUS with various pieces of network access equipment. The notes are not intended to be a replacement for the documentation that came with your NAS, but rather as a source of supplemental information intended to help you use your equipment effectively with MacRADIUS. Much of this information is gleaned from the experiences of our customers, and we thank them for providing it to us.

You may also find it helpful to browse the notes for equipment other than your own, since the general techniques and troubleshooting often apply to more than one brand of equipment.

If you are a vendor of NAS equipment, or a user with experience using specific equipment, and find incomplete or inaccurate information here, please let us know.

Ascend

Ascend has used a (relatively) large set of 84 attribute numbers from the unassigned, reserved and experimental attribute ranges, to provide Ascend-specific RADIUS extensions. This can lead to interoperability problems with other equipment using the RADIUS protocol.

In order to accommodate the additional complexity imposed by the Ascend scheme without burdening customers who are not using Ascend equipment, MacRADIUS is shipped with a special Dictionary file and Aliases file that support the Ascend attributes (with as many of the standard and vendor-specific attributes integrated as possible.) These files replace the standard versions.

To prepare MacRADIUS to use Ascend equipment:

Be sure MacRADIUS is not running.

Move the "Dictionary" and "Aliases" files in the folder with MacRADIUS to another location. (Inside the "Examples" folder would be fine.)

Move the "Dictionary" and "Aliases" files from the "Examples:Custom UI:Ascend" folder into the folder with MacRADIUS.

Restart MacRADIUS.

Once you have done this, one or more "Ascend" icons will appear in the list of attribute sets on the left side of the user and group editing windows. Clicking on each of these icons will make Ascend's special attributes available for editing.

Ascend and Tribe have both defined the value 224 for their own use. The good news is that Ascend has merely "reserved" this value for use with the IPX protocol, and that Tribe allows you to pick a different number for their "User-Protocols" 224 attribute. In the Ascend-specific Aliases and Dictionary files provided on this website, we have moved the Tribe attribute to 80. (Earlier versions, including the version still contained in the MacRADIUS download package, relocated this attribute to 150, and then to 100, as Ascend expanded their use of the attribute space.) You must use WebManage to configure your Tribe NAS accordingly if you are using Ascend and Tribe together, and are running the Ascend-specific Dictionary and Aliases files as described in this section.

Once you have switched to the Ascend dictionary, you should still be able to use Livingston (and other NAS equipment that uses standard attributes) without problems.

Ascend RADIUS has the notion of special "users" that an Ascend device can query to get information. Ascend calls these "pseudo user profiles." For example, the user named "banner" can provide a sign-on message and a list of IP hosts that the caller can connect to. A user named "pools-NAME" (where NAME is replaced with the name of a specific Ascend NAS) can define IP address pools.

In all cases, these pseudo-users should have the password "ascend" and have "Service Type" in the "Connecting" attribute set assigned to "Outbound User" and designated as a check attribute. (Flip the popup at the top of the window from "send" to "check.") The password "ascend" is public knowledge, so the Service-Type check is what actually protects these profiles: an Ascend fetching its configuration sends Service-Type = Outbound-User, and the profile only matches requests that carry it. A dial-in caller who tries the pseudo-user name and password arrives as an ordinary user request with a different Service-Type, so the check fails and no session is granted.

Sometimes you can set up pseudo-users using the MacRADIUS user interface. However, if multiple attributes of the same type are required (for example, the multiple "Reply-Message" attributes of the "banner" pseudo-user), the easiest way to get these users into MacRADIUS is to create a "users" text file that defines these special names and import it into MacRADIUS.
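As an added example (not code from MacRADIUS or Ascend), the following Python models the check-attribute logic that makes the well-known "ascend" password safe: it reads a small "users" file excerpt for the "banner" pseudo-user, then evaluates an Access-Request against the check items. The users-file text and the requests are constructed for illustration; the Service-Type values follow RFC 2865 (Outbound-User = 5, Framed-User = 2).

```python
"""Check-attribute matching for an Ascend pseudo-user profile.

Added example; not MacRADIUS or Ascend code.  The users-file text and the
requests below are constructed for illustration.
"""
import re

# Constructed users-file excerpt.  Line 1: user name, then CHECK items the
# request must satisfy.  Indented lines: REPLY items returned on success.
# Note the repeated Reply-Message, which is why such profiles are easier to
# import from a text file than to build in a UI.
USERS_FILE = '''
banner  Password = "ascend", Service-Type = Outbound-User
        Reply-Message = "Welcome to Example ISP",
        Reply-Message = "Hosts: shell.example.net  mail.example.net"
'''

# RFC 2865 Service-Type values used here
SERVICE_TYPE = {"Login-User": 1, "Framed-User": 2, "Outbound-User": 5}

# name = "quoted value"   or   name = bare-value, comma separated
PAIR = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_pairs(text):
    """Return [(attribute, value), ...] preserving order and duplicates."""
    return [(name, quoted or bare) for name, quoted, bare in PAIR.findall(text)]


def parse_users(text):
    """Return {user_name: (check_items_dict, reply_items_list)}."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:
            profiles[current][1].extend(parse_pairs(line))   # reply items
        else:
            name, rest = re.match(r'(\S+)\s*(.*)', line).groups()
            current = name
            profiles[name] = (dict(parse_pairs(rest)), [])   # check items
    return profiles


def authorize(profiles, request):
    """Evaluate an Access-Request (a dict of decoded attributes) against the
    profile for its User-Name.  Every check item must match.
    Returns (accepted, reply_items)."""
    profile = profiles.get(request.get("User-Name"))
    if profile is None:
        return False, []
    check, reply = profile
    for attr, wanted in check.items():
        if attr == "Password":
            got = request.get("User-Password")
        elif attr == "Service-Type":
            got = request.get("Service-Type")
            wanted = SERVICE_TYPE[wanted]           # compare numerically
        else:
            got = request.get(attr)
        if got != wanted:
            return False, []
    return True, list(reply)


if __name__ == "__main__":
    profiles = parse_users(USERS_FILE)
    # The Ascend itself fetching its sign-on banner: accepted, two Reply-Messages
    print(authorize(profiles, {"User-Name": "banner", "User-Password": "ascend",
                               "Service-Type": 5}))
    # A dial-in caller who knows the public password: Framed-User, so rejected
    print(authorize(profiles, {"User-Name": "banner", "User-Password": "ascend",
                               "Service-Type": 2}))
```

The same evaluation applies to any check attribute you mark in MacRADIUS: a request that omits the attribute fails the check just as one with the wrong value does.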

Some of our customers get a lot of strange authentication traffic from their Ascend equipment when first configuring MacRADIUS. This is usually the Ascend looking for pseudo-user profiles so that it can configure itself. The tip-off is that the user name being authenticated usually has the name of the Ascend NAS itself in it. You should either define the needed pseudo-users or turn configuration via RADIUS off at the Ascend.

Ascend supports passwords of 252 characters in length. Releases of MacRADIUS prior to Version 1.1 only support passwords of up to 16 characters.

MacRADIUS does not support a special DEFAULT user.

Some Ascend features require specific modifications to the RADIUS server to work; MacRADIUS does not support these.

For example, Ascend defines special keywords that can be used in passwords to activate special security functions, including the use of the password "Ascend-CLID" to perform a 2-stage caller ID authentication (where the user name is a phone number.) Most of these special keywords have no meaning on the Macintosh, and none of them are supported by MacRADIUS.

This release of MacRADIUS does not support the Ascend ARA authentication scheme.

The various custom Ascend attributes defined to support third-party authentication tokens (Token-Expiry, etc.) are not useful with MacRADIUS (which does not support third-party authentication tokens). They are presented in the MacRADIUS interface anyway in the name of completeness, and can be sent in Access-Accept packets, but are of limited use.

The date data type and password expiration attributes defined by Ascend are not supported by this release of MacRADIUS.

Ascend publishes a very nice Max T1/PRI Radius Supplement, available as a PDF file on their web site.

Cisco

Cisco IOS version 11.1 is the first release of their system software that supports RADIUS. You must use 11.1 or later.

Cisco documents how to turn on RADIUS authentication and accounting in IOS 11.1 in their Configuration Fundamentals Configuration Guide, in the Managing The System section under Security Management. You can find this on their web site at http://www.cisco.com.

RADIUS is enabled via variations of these commands:

aaa new-model
aaa authentication ppp default radius
aaa accounting network start-stop radius
radius-server host 111.11.111.11
radius-server key cisco

Note that what Cisco calls a "radius server key," MacRADIUS calls a shared secret. The same value must be configured on both sides, and it should be treated as a credential: it is what hides User-Password in requests and what lets the NAS verify that an Access-Accept really came from MacRADIUS, so anyone who learns it can forge responses to the NAS or recover passwords from captured traffic. Do not leave the example value "cisco" in a production configuration.
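What the shared secret is used for on the wire, as an added example in Python (not Cisco or MacRADIUS code) following RFC 2865: hiding User-Password in the Access-Request, and computing the Response Authenticator that lets the NAS verify an Access-Accept. The secret "cisco" is the page's own example value; the Request Authenticator, identifier and attribute bytes are constructed here.

```python
"""RFC 2865 uses of the RADIUS shared secret.

Added example; not Cisco or MacRADIUS code.  The secret, authenticator and
attribute bytes are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2.  The password is NUL-padded to a multiple of 16 bytes and
    each block is XORed with MD5(secret + previous block), the first 'previous
    block' being the 16-byte Request Authenticator.  A password of up to 16
    bytes is exactly one block; longer passwords chain further blocks."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does it.  Trailing NULs are
    padding, so a password that itself ends in NUL cannot be represented."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\0")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only a holder of the secret can produce it, so a NAS that checks it will
    not accept an Access-Accept from a host that merely spoofs the server IP."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: header, Response Authenticator, then the attributes."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """NAS side: True only if the Length is sane and the Response
    Authenticator matches under this secret (constant-time compare)."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"cisco"                      # the page's example key; change it
    request_auth = os.urandom(16)          # fresh per request, as a NAS does
    hidden = hide_password(b"correct horse battery", secret, request_auth)
    print(len(hidden), reveal_password(hidden, secret, request_auth))
    attrs = bytes([6, 6, 0, 0, 0, 2])      # constructed: Service-Type = Framed-User
    accept = build_response(ACCESS_ACCEPT, 7, attrs, request_auth, secret)
    print(verify_response(accept, request_auth, secret),
          verify_response(accept, request_auth, b"wrong"))
```

Note that the Access-Request itself carries no authenticator derived from the secret; the Request Authenticator is only a random value. That is why the secret, and the Response Authenticator check on the NAS, are the whole of the protocol's integrity protection.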

Cisco publishes a table of attributes that IOS 11.1 understands. You can use the "attribute roadmap" at the end of the "Attributes In Depth" chapter in this guide to figure out where these attributes are in MacRADIUS. At a minimum, for PPP:

In "Connecting" set "Service Type" to "Framed"
set "Protocol" to "PPP"
set "IP Address" as appropriate

There are about 16 other attributes you can also set, but this should be enough to get you started.

Compatible Systems

MacRADIUS user Bill Vlahos of JPL provided the following notes (April 2000) on configuring IntraPort products for VPN use:

====================================

The IntraPort VPN Gateways work great with MacRADIUS at JPL. (Note that Compatible Systems was acquired by Cisco Systems but the VPN products have not changed, at least not yet.)

The IntraPort can use both standard and vendor specific (VSA) radius attributes. We don't need the added functionality of the VSAs so we don't use any.

There are only four (4) attributes the IntraPort needs which are not part of the default suite of standard RADIUS attributes. This should be true for any RADIUS server. The attribute numbers below are IntraPort defaults but can be changed as long as the RADIUS server is in agreement. The first two are for accounting and the last two are for authentication.

Client-Real-IP attribute 66

Client-Assigned-IP attribute 67

Tunnel-Password (i.e. shared secret) attribute 69

Connect-Info (VPN Group) attribute 77

That's all we needed to configure!

In fact, MacRADIUS allows you to edit the Dictionary and Aliases files (which are text files) so you even get to see these in the MacRADIUS user interface. MacRADIUS does not support vendor specific attributes in the user interface.

====================================

Computone

No notes at this time.

Livingston

Livingston originally invented the RADIUS protocol for use with their Portmaster products, so they are arguably the most compliant NAS vendor, directly supporting most of the standard attributes.

However, Livingston does not provide any Macintosh-hosted administration tools, so configuring a Livingston NAS device involves using telnet or terminal emulation software and an async connection to open a command-line interface directly to the NAS (or using SoftPC™ to run their Intel-hosted administration software).

The Portmaster command to set the shared secret is "set secret" (not "set password").

Livingston recently released its own Unix-based RADIUS 2.0 server. The server supports several extensions to the "users" file syntax to provide a function similar to MacRADIUS groups. (MacRADIUS groups are, of course, more powerful and better!) MacRADIUS does not support these "users" file extensions.

The RADIUS 2.0 server also can send down menus to the Portmaster by reading a menu definition text file that exists on the Unix machine with the RADIUS 2.0 server. MacRADIUS does not support this, though we are told that the menus themselves are sent down in multiple reply-message attributes. If this is so, it should be possible to create a "users" file containing a group with a set of menu reply-messages, and put users who need that menu in that group. We have not investigated the mechanics of doing this, however.

Finally, tracking the work of the RADIUS Working Group of the IETF, Livingston RADIUS 2.0 now supports the latest attribute and value names in its dictionary. MacRADIUS has always done so. This means Livingston and MacRADIUS are now "in-sync" with regard to attribute and value names.

However, if you export a "users" list from a Portmaster it is likely to be using an older dictionary. The MacRADIUS dictionaries have extensive "backward compatibility" entries in them to be able to deal with this situation, but even so, you might run into an import error or two.

For example, the value that used to be called "Framed" is now called "Framed-User." If you try to import a "users" file created with an older dictionary, you may receive a message that says "There is no value "Framed" for the attribute "Service-Type" in the dictionary," or something similar.

The easiest way to resolve these problems is to open the MacRADIUS dictionary and see if you can figure out what the attribute or value has been renamed to, and then globally find and replace it in the "users" file you are trying to import. In this case you would replace "Framed" with "Framed-User."

(You could also modify the Dictionary itself to define the attribute or value, but then you would be moving in a backward, incompatible direction.)

Don't worry too much, however; these import problems are rare and easier to fix than to describe. Also, if you send the error message text to support@cyno.com, we can tell you how to proceed.

It is important that, after setting up authorization and accounting parameters in Livingston products, you execute a "save all," "reset all," and reboot sequence.

You should have MacRADIUS up and working on the same network as the Livingston product when you do this. There have been several reports that, if the Livingston does not "see" MacRADIUS when it first starts up, it won't authenticate.

It is important to set any secondary or tertiary RADIUS server slots to MacRADIUS in the NAS so that if it decides to switch to a backup server, it is still pointing at a copy of MacRADIUS. If you wish, you can run a second copy of MacRADIUS on another Macintosh to provide a true backup server.

A typical setup for PPP includes:

"IP address" in "Connecting" set to "NAS Selects IP Address" (255.255.255.254)

"NetMask" in "Connecting" set to 255.255.255.0 (or whatever is correct for your location)

"Protocol" in "Connecting" set to PPP

"Service type" in "Connecting" set to "Framed"

"Routing" in "Configuring" set to "Send and Listen"

"Idle timeout" and "Max connect time" (both are in seconds) are also commonly set.

You can also use named filters with Livingston products (and specify the name using "Filter name" under "Connecting"). If you specify a filter name of "customer" in MacRADIUS for example, you must create two filters in the Livingston device, named "customer.in" and "customer.out" if you want filtering on both inbound and outbound packets.

Filter names on the Livingston MUST be name.in and/or name.out.

When MacRADIUS sends the name the Livingston will ALWAYS add .in and .out and use them as input and output filters. If either one does not exist, then only one filter is used. (If neither exists, no filter is used.)

The Portmaster does not notify you if it cannot find a filter, so be careful.

Shiva

Shiva products do not authenticate ARA connections using RADIUS.

The LanRover does not support accounting. The Access-Switch and ShivaPort products do.

Update: We are told version 4.52 of Shiva firmware now supports accounting.

As of October 1996, the Shiva Net Manager is at version 3.6 on the Macintosh, compared to version 4.0 for Windows. This means that, despite what the documentation indicates, there is no security pane in the Macintosh version to configure RADIUS. You can activate RADIUS authentication in the LanRover by performing the following steps:

Use the "command shell" menu choice to open a connection to the LanRover. Log in as root, and give your administrator password (if any).

At the command prompt, issue the command configure. Enter these lines:

[Security]
Default Type=radius
RADIUSServersList=ipaddr,port,secret
^Z

Ipaddr should be the IP address of MacRADIUS. Port should be 1645 (the default authentication port, if you haven't changed it in the MacRADIUS "Server Configuration" window). Secret should be the shared secret between the LanRover and MacRADIUS; do not quote this string. If you are running more than one copy of MacRADIUS, you can add additional ipaddr,port,secret entries to this line, separated by semicolons (up to three).

Review the configuration when prompted if you like, then save the changes. You may then give the reboot command or power-cycle the LanRover to load your changed configuration.

The LanRover sends a NAS-Identifier attribute with the LanRover's name when making authentication requests of MacRADIUS. This can be used as a check attribute.

The LanRover understands Callback-Number, Framed-IP-Address, and the other attributes given as examples in the LanRover documentation, but no complete list is available.

Because a LanRover user may use multiple services (telnet, LAN-to-LAN, PPP) after being authenticated once, Shiva has defined a vendor-specific string attribute to allow sending multiple service types to the LanRover (something the vanilla RADIUS protocol does not allow). If there is a conflict between what is specified in the vendor-specific attribute and the standard RADIUS attribute, whichever attribute arrives last "wins": the LanRover just puts the information into internal cubby-holes as it arrives without any checking.

The default dictionary that ships with MacRADIUS defines this attribute with these lines:

VENDOR Shiva 166
ATTRIBUTE Shiva-User-Attributes 1 string Shiva

In a "users" text file you can add the Shiva-User-Attributes manually to users as described elsewhere in this manual.

If you wish to edit the Shiva string attribute directly using MacRADIUS, you need to move the vendor-specific attribute into the main number space and "borrow" a reserved number. For example, to move the attribute to 100, you need to enter the following lines when logged into the LanRover:

[Security]
Default Type=radius
RADIUSServersList=ipaddr,port,secret
UseExtendedAttributes=1
ExtendedAttributeBase=100
ExtendedAttributeCount=1
^Z

You then need to add this line to the MacRADIUS dictionary:

ATTRIBUTE Shiva-User-Attributes 100 string

...and this line to the "aliases" file:

ATTR_ALIAS 100 "Shiva" "Connecting" <ao>

This will add the string attribute Shiva to the Connecting attribute set in the MacRADIUS user interface.

The Shiva string attribute is filled with user configuration switches, but there is no complete list of what is acceptable in a RADIUS context. The following was posted on CompuServe:

Shiva-User-Attributes="<switches>"

Replace <switches> with the Shiva user attributes. You can choose from the following attributes:

Attribute Description
/di Enables dial-in access.
/sh Enables command shell access (required to initiate LAN-to-LAN connections).
/max=<minutes> Sets the maximum number of minutes the user may stay connected for dial-in.

Shiva has published the following RADIUS accounting parameters for the Shiva Access Switch product. We could not find out if the first two parameters are reversed, since they seem backwards. The upcoming 4.5 firmware release for the Access Switch product will have more RADIUS accounting support.

[Accounting]
RADIUSAccounting=0
LogAccounting=1
RADIUSAcctRespSecret=0
RADIUSAcctServer=IPaddress,1646,secret
RADIUSAcctIdIsName=0
RADIUSAcctServerRetryCount=3
RADIUSAcctServerRetryInterval=10

The ShivaPort product supports both authentication and accounting. Consult your documentation for details.

You do not need to empty the internal user list before using RADIUS with the LanRover; however, the internal user list is ignored when RADIUS is being used.

Telebit

The Netblazer supports several features as vendor-specific attributes. You can add the following lines to the MacRADIUS dictionary file to define them:

VENDOR Telebit 117
ATTRIBUTE Telebit-Login-Command 1 string Telebit
ATTRIBUTE Telebit-Port-Name 2 string Telebit
ATTRIBUTE Telebit-Activate-Command 3 string Telebit
ATTRIBUTE Telebit-Accounting-Info 4 string Telebit

With this approach you must add these attributes manually to each user as described elsewhere in this manual.

You can also put the Telebit attributes in the main attribute space (where there are no conflicts) and then you can edit them in the MacRADIUS UI. But to do this you must change the definitions of the attribute numbers the NetBlazer is using by re-configuring it.

Example Dictionary modification to do this:

ATTRIBUTE Telebit-Login-Command 100 string Telebit
ATTRIBUTE Telebit-Port-Name 101 string Telebit
ATTRIBUTE Telebit-Activate-Command 102 string Telebit
ATTRIBUTE Telebit-Accounting-Info 103 string Telebit

The Aliases file then would need to have these lines added. The ATTR_ALIAS numbers must match the ATTRIBUTE numbers in the Dictionary (100 through 103 here) and the numbers you configure on the NetBlazer, and the attribute set name must be quoted:

# Telebit Netblazer Stuff
ATTR_ALIAS 100 "Telebit Login Command" "Telebit" <io>
# Telebit-Login-Command
ATTR_ALIAS 101 "Telebit Port Name" "Telebit" <io>
# Telebit-Port-Name
ATTR_ALIAS 102 "Telebit Activate Command" "Telebit" <io>
# Telebit-Activate-Command
ATTR_ALIAS 103 "Telebit Accounting Info" "Telebit" <io>
# Telebit-Accounting-Info
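The difference between leaving Shiva-User-Attributes (vendor 166, sub-attribute 1) or the Telebit attributes (vendor 117) as Vendor-Specific, and "borrowing" a number such as 100 in the main attribute space as the Shiva and Telebit notes above describe, is a difference in wire encoding. The following Python, added here and not code from MacRADIUS, Shiva or Telebit, builds both forms per RFC 2865 section 5.26 and decodes them. The switch string and attribute numbers are the ones used in the examples above; the decoder refuses malformed lengths, which any parser must do before trusting attribute data from a NAS.

```python
"""Encoding a RADIUS attribute as Vendor-Specific (type 26) versus as a plain
attribute in the main number space.

Added example; not MacRADIUS, Shiva or Telebit code.  Vendor IDs, attribute
numbers and the switch string come from the dictionary examples above.
"""
import struct

VENDOR_SPECIFIC = 26
SHIVA, TELEBIT = 166, 117          # Vendor-Id values from the dictionaries above


def encode_attr(attr_type, value):
    """RFC 2865 s5 TLV: Type(1) Length(1, counts the 2-byte header) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific carrying one s5.26 sub-attribute:
    Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attrs(data):
    """Walk an attribute area.  Returns [(type, vendor_id, vendor_type, value)]
    with the vendor fields None for non-VSA attributes.  A Length below 2 or
    one that runs past the buffer is rejected instead of looped on or read
    past the end."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_len < 2 or 4 + vendor_len > len(value):
                raise ValueError("malformed vendor length")
            out.append((attr_type, vendor_id, vendor_type, value[6:4 + vendor_len]))
        else:
            out.append((attr_type, None, None, value))
        i += length
    return out


if __name__ == "__main__":
    switches = b"/di /sh /max=120"
    # Default dictionary: VENDOR Shiva 166 / ATTRIBUTE Shiva-User-Attributes 1
    as_vsa = encode_vsa(SHIVA, 1, switches)
    # After UseExtendedAttributes=1 / ExtendedAttributeBase=100 on the LanRover
    as_main = encode_attr(100, switches)
    print(as_vsa.hex(), decode_attrs(as_vsa))
    print(as_main.hex(), decode_attrs(as_main))
    # Telebit-Login-Command, vendor 117 sub-attribute 1, takes the same path
    print(decode_attrs(encode_vsa(TELEBIT, 1, b"login example")))
```

A server whose dictionary only knows attribute 100 sees the VSA form as an opaque type 26 value and the main-space form as the string it expects, which is exactly why the NAS and the Dictionary must be changed together.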


The NetBlazer requires version 3.1 firmware at patch level 6 or later for full RADIUS support.

The NetBlazer sends Port-Type in an Access-Request and Service-Type if it has been specified, along with the User-Name, User-Password, etc.

The NetBlazer also understands the following attributes:

NAS-IP-Address set to the global IP address

NAS-Port set to the index of the line name; e.g. if the NetBlazer has line00, bri011, bri012 then 1=line00, 2=bri011, 3=bri012, set to zero for telnet sessions. The mapping is specific to a particular NetBlazer as different machines will have different line configurations. Two NetBlazers with the same line names will have the same mapping.

Service-Type set according to the connection type, e.g. for PAP/CHAP set to FRAMED, otherwise set to LOGIN or set to zero.

Framed-Protocol set to SLIP or PPP.

Framed-IP-Address not sent, but processed if received.

Framed-IP-Netmask not sent, but processed if received.

Filter-Id not sent, converted into the name of an interface to activate (i.e. the interface has the filters.)

Framed-MTU not sent, but processed if received into an mtu command appended to the activate command.

Framed-Compression not sent, but processed if received into a vj command appended to the activate command.

Login-Service not sent, but processed if received into TELNET or RLOGIN command.

Login-IP-Host not sent, but processed if received as where to TELNET or RLOGIN to. Ignored if login-service is not TELNET or RLOGIN.

Login-Port what port to use for login-service TELNET or RLOGIN.

Session-Timeout not sent, but processed if received as a "session timeout".

Framed-Routing not sent, currently ignored.

Framed-Route not sent, but processed if received into an auto-route appended to an activate command.

Vendor-Specific if received, treated as a login command. Only sent in accounting packets if the "radius vendor" command has defined the string to send.

Acct-Session-Id uses the described format, with 8 hex digits, the first being the reboot number, the next 6 being the login sequence number. The reboot number is stored in NVRAM in the clock chip and is incremented early in the boot process for both 386 and 68k NetBlazers.

Telebit-Login-Command, if sent by MacRADIUS, will be used as a NetBlazer login command.

Telebit-Port-Name is not currently used, but future NetBlazer firmware will probably use this to provide an easier mapping of a port number to a string when sent to MacRADIUS.

Telebit-Activate-Command, if sent by MacRADIUS, acts as an additional command used as an escape mechanism for PPP or SLIP users that need to specify or override the standard settings.

Telebit-Accounting-Info is sent to the MacRADIUS accounting server when the "vendor" command values are sent.

Thanks to Bill Webb of Telebit and Steve Shala for this information.

Tribe/Zoom

The default dictionary shipped with MacRADIUS should support Tribe with no modifications. In addition you may directly import a user list exported from a Tribe internal database using WebManage. If you are using Tribe along with the Ascend-specific Dictionary file, you will need to move the location of the Tribe-User-Protos attribute using WebManage. (See "Ascend" above.)

Versions of Tribe firmware through v2.1.2 have a number of minor authentication and accounting bugs. It is important to use the latest firmware released by Tribe. At this writing (February 1997) the latest firmware version for the TribeLink/8 is 2.5.3, and for the TribeLink/2 it is 2.5.1.

Tribe is one of the few vendors to correctly implement the way in which RADIUS authentication is invoked at the NAS. This means that you must remove ALL users from the internal Tribe database before it will try to use MacRADIUS for authentication.

Besides the "User Protocols" attribute under the "Tribe" icon in the attribute editing window, Tribe products also understand the following:

User-Service-Type

Session-Timeout

Idle-Timeout

Framed-Filter-Id

Framed-IP-Address

If you are using only Tribe equipment, you can take advantage of a custom "Aliases" file for Tribe that ships with MacRADIUS. This file causes MacRADIUS to display only the attributes that Tribe equipment understands. To use it, drag the "Aliases" file from the "Examples:Custom UI:Tribe Only:" folder to the same folder as MacRADIUS and restart MacRADIUS.

USR

USR extensions to the RADIUS protocol are not supported by MacRADIUS. "Vanilla" RADIUS and MacRADIUS should work fine, however.

Xyplex

The Whittaker Xyplex Maxserver MX1620, MX1640 and CS720 support RADIUS authentication, with RADIUS accounting to be added to the access servers in the near future. Whittaker Xyplex also plans to add RADIUS Authentication and Accounting to their Internetworking products in a future release.

Maxserver software 6.0.1 is the most recent version with RADIUS support.

The Maxserver uses only standard attributes, and is easily operated with MacRADIUS.

The Maxserver has several flexible methods for accessing MacRADIUS and specifying the type of service the user is to be granted, all of which work with MacRADIUS. Consult the Xyplex documentation for details.

Whittaker Xyplex provided the following table showing the RADIUS attributes they support. Cyno has abridged the information to focus on attributes that can be set with MacRADIUS; the X, A and A1 support codes are Xyplex's own and are not defined in this abridged version. You can contact Whittaker Xyplex (http://www.xyplex.com) for the full table and the latest information on software updates.

The counts in the "Allowed" columns follow RFC 2865: 0 = not allowed, 0-1 = at most one, 0+ = any number.

Attribute Name            Allowed      Allowed      Supported on       Supported on
                          in Request   in Accept    Access Server      Internetworking
------------------------  -----------  -----------  -----------------  ---------------
NAS-IP-Address            0-1          0            X (v6-0-1)         future release
NAS-Port                  0-1          0            X (v6-0-1)         future release
Service-Type              0-1          0-1          X (v6-0-1)         future release
Framed-Protocol           0-1          0-1          X (v6-0-1)         future release
Framed-IP-Address         0-1          0-1          A (v6-0-1)         future release
Framed-IP-Netmask         0-1          0-1          A (v6-0-1)         -
Framed-Routing            0            0-1          -                  future release
Filter-Id                 0            0+           X (v6-0-1)         -
Framed-MTU                0            0-1          -                  -
Framed-Compression        0+           0+           A1 (v6-0-1)        future release
Login-IP-Host             0+           0+           A1 (v6-0-1)        -
Login-Service             0            0-1          X (v6-0-1)         -
Login-Port                0            0-1          X (v6-0-1)         -
Reply-Message             0            0+           X (v6-0-1)         -
Callback-Number           0-1          0-1          -                  -
Callback-Id               0            0-1          -                  -
Framed-Route              0            0+           -                  -
Framed-IPX-Network        0            0-1          X (v6-0-1)         future release
Class                     0            0+           future release     future release
Vendor-Specific           0+           0+           -                  -
Session-Timeout           0            0-1          X (v6-0-1)         future release
Idle-Timeout              0            0-1          X (v6-0-1)         future release
Called-Station-Id         0-1          0            -                  -
Calling-Station-Id        0-1          0            -                  -
NAS-Identifier            0-1          0            future release     future release
Login-LAT-Service         0            0-1          X (v6-0-1)         -
Login-LAT-Node            0            0-1          X (v6-0-1)         -
Login-LAT-Group           0            0-1          -                  -
Framed-AppleTalk-Link     0            0-1          -                  -
Framed-AppleTalk-Network  0            0+           -                  -
Framed-AppleTalk-Zone     0            0-1          -                  -
NAS-Port-Type             0-1          0            future release     future release
Port-Limit                0-1          0-1          -                  -
Login-LAT-Port            0-1          0-1          -                  -


Xylogics

No notes at this time.
