RADIUS 2.01 for OpenVMS porting notes

-------------------
Features
-------------------

- Full support of Livingston's RADIUS 2.0 specification
- SYSUAF based authentication
- AUDIT + OPCOM messaging
- Highest security based on VMS native facilities
- Use of rights identifiers for additional authorization
- Session limit checking support
- Accounting based on the VMS ACCOUNTING with full tracking of user/NAS/port activities
- Works in a cluster environment with shared data files
- High performance with a large USERS file
- All files produced by RADIUS are fully documented for writing your own utilities
- This port will be supported by the author for a reasonable fee
- Any new features can be added at your request ASAP

-------------------
Requirements
-------------------

OS:       OpenVMS 6.1 or later (VAX/Alpha)
Priv:     SECURITY       - for Scan Intrusion detection
          SYSPRV         - for access to SYSUAF.DAT
          NETMBX,TMPMBX  - usual
          OPER,WORLD     - for sending to OPCOM
TCP/IP support: UCX (tested), TCPWare-TCP (tested).
Compiler: DEC C 5.0 or later

-------------------
Installation
-------------------

* I. Put the distribution kit (Zip-file) in the special directory for the RADIUS, unpack & build the executable image of the RADIUS server.

* II. Revise & edit RADIUS_STARTUP.COM & RADIUS_START.COM from the distribution kit.

* III.
Create a special account entry in SYSUAF for RADIUS as follows:

Username: INET_RADIUS                      Owner:  RADIUS Server
Account:  TCP-IP                           UIC:    [375,302] ([INET,INET_RADIUS])
CLI:      DCL                              Tables: DCLTABLES
Default:  INET$ROOT:[RADIUS]
LGICMD:   LOGIN
Flags:  Restricted
Primary days:   Mon Tue Wed Thu Fri
Secondary days:                     Sat Sun
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ##### Full access ######  ##### Full access ######
Batch:    -----  No access  ------  -----  No access  ------
Local:    -----  No access  ------  -----  No access  ------
Dialup:   -----  No access  ------  -----  No access  ------
Remote:   -----  No access  ------  -----  No access  ------
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:           (none)    Pwdchange:      (pre-expired)
Last Login:            (none) (interactive), 29-OCT-1998 11:50 (non-interactive)
Maxjobs:         0  Fillm:       300  Bytlm:        32768
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:        40  JTquota:       4096
Prclm:           8  DIOlm:        40  WSdef:          256
Prio:            6  ASTlm:        40  WSquo:          256
Queprio:         0  TQElm:        40  WSextent:       512
CPU:        (none)  Enqlm:      2000  Pgflquo:      32768
Authorized Privileges:
  NETMBX    SECURITY  SYSPRV    TMPMBX    OPER      WORLD
Default Privileges:
  NETMBX    SECURITY  SYSPRV    TMPMBX    OPER      WORLD

* IV. Optionally, add two entries to the SERVICES file; an example for TCPWare-TCP follows:

   ...
   radius      1645/udp
   radact      1646/udp
   ...

-------------------
Changes & Additions
-------------------

* I. This version of the RADIUS can use SYSUAF for authentication and authorization tasks by using the sys$getuai system service. This feature of the server is activated by parameters in the RADIUS USERS. file as follows:

   ...
   rrl       Auth-Type = System
   ...

or

   ...
   DEFAULT   Password = "UNIX"      (Password = "VMS" can be used also)
   ...

During the authentication phase of the login procedure the server checks the following SYSUAF parameters: /FLAG=(DISUSER,RESTRICTED), /EXPIRATION=time, /DIALUP=range, /PRIMEDAYS=([NO]day[,...]), /PASSWORD.
If login is not allowed by the UAF then intrusion information is stored for use at the next attempt. At the successful end of this phase the "Last login: non-interactive" field is updated for this user in the SYSUAF. All login failures are stored in AUDIT's database; you can use the ANALYZE/AUDIT utility to search & retrieve this information.

*NOTE:
 - There are some limitations on parameter length: username <= 12, password <= 32 bytes.
 - Use of a username containing a space or tab is not allowed.

* II. Three special SYSUAF rights identifiers can be used for additional authorization of users:

   56K      - for users with connection speed above 33600 and up to 56K (56*1024)
   ISDN     - for users with an ISDN type of connection
   DUALPORT - equivalent to "MAX-Session-Limit = 2" in the RADIUS USERS file.

*NOTE:
 - If no IDs are defined in SYSUAF, checking is not performed!!
 - This checking is performed for SYSUAF users only!!!
 - The connection speed value is taken from the "Connect-Info" attribute; check the documentation of your equipment for its ability to supply this information!!!
 - DUALPORT overrides MAX-Session-Limit in the RADIUS USERS file.

* III. This server also stores accounting information in an additional file which can be read by the VMS ACCOUNTING utility as usual. An accounting record is created at the end of a session (see "Acct-Status-Type = Stop" in the DETAIL file).

*NOTE:
 - A session with zero elapsed time is recorded as LOGIN FAILURE, with elapsed time 0 00:00:00.95!!!
 - Don't try to put information into the VMS System Accounting file!!!

* IV.
VMS Accounting

This is an example of an accounting record in the RADIUS_ACCOUNTING file:

NETWORK Process Termination
---------------------------
Username:          CC_RRL            UIC:               [MIS,CC_RRL]
Account:           MIS               Finish time:       21-OCT-1998 19:12:01.98
Process ID:        ED00003A          Start time:        21-OCT-1998 19:11:52.98
Owner ID:                            Elapsed time:      0 00:00:09.00
Terminal name:                       Processor time:    0 00:00:00.00
Remote node addr:                    Priority:          0
Remote node name:                    Privilege <31-00>: 00000000
Remote ID:                           Privilege <63-32>: 00000000
Remote full name:  /0.0.0.0
Queue entry:                         Final status code: 00000000
Queue name:        TSrv11//1
Job name:                            Final status text:
Page faults:       0                 Direct IO:         3
Page fault reads:  0                 Buffered IO:       275
Peak working set:  0                 Volumes mounted:   0
Peak page file:    0                 Images executed:   0

This is the record which was put in the .DETAIL file:

Wed Oct 21 19:12:01 1998
        Acct-Status-Type = Stop
        User-Name = "cc_rrl"
        Service-Type = 8
        NAS-IP-Address = 172.16.0.36
        NAS-Port = 1
        Acct-Session-Id = "ed00003a"
        Acct-Delay-Time = 0
        Acct-Session-Time = 9
        Acct-Authentic = RADIUS
        Acct-Output-Octets = 275
        Acct-Input-Octets = 3
        Timestamp = 908982721
        Request-Authenticator = Unverified

----------------------------------------------------------------------
VMS Accounting field          |.EQ.| RADIUS Accounting
----------------------------------------------------------------------
Username                      | User-Name
Account (from SYSUAF)         |
UIC (from SYSUAF)             |
Process ID                    | Acct-Session-Id
Direct IO                     | Acct-Input-Octets
Buffered IO                   | Acct-Output-Octets
Remote full name              | Framed-Protocol/Framed-IP-Address
Queue name                    | NAS:(IP-Address/Port-Type/Port/Rate)
Finish time                   | Date of record
Start time                    | Date of record - Acct-Session-Time
Final status code             | Acct-Termination-Cause
----------------------------------------------------------------------

*NOTE:
 - A session with zero elapsed time will be recorded in ACCOUNTING as a failed login attempt.
 - Don't use prefixes in the USERS file.
 - Rate is the connection rate obtained from "Connection-Info".
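As an added example (not part of these notes and not the server's sources), the C program below parses a Stop record in the .DETAIL layout shown above and fills the VMS accounting fields according to the mapping table: Process ID from Acct-Session-Id, Direct/Buffered IO from the octet counters, the finish time from the record's Timestamp, the start time as Timestamp minus Acct-Session-Time, and the zero-elapsed-time case that these notes say is recorded as LOGIN FAILURE. The record text is constructed here with the same values as the sample; the struct and function names are this example's own, and it assumes a standard C library rather than DEC C on VMS.

```c
/* Added example, not the server's code: parse a .DETAIL Stop record and
 * derive the VMS ACCOUNTING fields from the VMS <-> RADIUS mapping table. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct detail_rec {
    char user[33], session_id[17], nas_ip[16];
    int  nas_port, is_stop;
    long session_time, in_octets, out_octets, timestamp;
};

/* The VMS accounting fields that the RADIUS record can supply. */
struct vms_acct {
    char username[33];
    char process_id[17];      /* <- Acct-Session-Id */
    long direct_io;           /* <- Acct-Input-Octets */
    long buffered_io;         /* <- Acct-Output-Octets */
    long finish_time;         /* <- date of record (Timestamp) */
    long start_time;          /* <- Timestamp - Acct-Session-Time */
    int  login_failure;       /* zero elapsed time is recorded as LOGIN FAILURE */
};

/* Copy a value into dst, dropping the quotes RADIUS puts around strings. */
static void copy_unquoted(char *dst, size_t cap, const char *val)
{
    size_t len = strlen(val);
    if (len >= 2 && val[0] == '"' && val[len - 1] == '"') { val++; len -= 2; }
    if (len >= cap) len = cap - 1;
    memcpy(dst, val, len);
    dst[len] = '\0';
}

/* Parse "Attribute = Value" lines; the leading date line has no '=' and is skipped.
 * Returns 1 for a Stop record, the only kind that yields an accounting record. */
int parse_detail_record(const char *text, struct detail_rec *out)
{
    char buf[2048], *line;
    int seen = 0;
    memset(out, 0, sizeof *out);
    snprintf(buf, sizeof buf, "%s", text);          /* strtok needs a writable copy */
    for (line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        char *eq = strchr(line, '='), *name, *val, *end;
        if (!eq) continue;
        *eq = '\0';
        for (name = line; *name == ' ' || *name == '\t'; name++) ;
        end = name + strlen(name);
        while (end > name && end[-1] == ' ') *--end = '\0';
        for (val = eq + 1; *val == ' '; val++) ;
        seen++;
        if      (!strcmp(name, "Acct-Status-Type"))   out->is_stop = !strcmp(val, "Stop");
        else if (!strcmp(name, "User-Name"))          copy_unquoted(out->user, sizeof out->user, val);
        else if (!strcmp(name, "Acct-Session-Id"))    copy_unquoted(out->session_id, sizeof out->session_id, val);
        else if (!strcmp(name, "NAS-IP-Address"))     copy_unquoted(out->nas_ip, sizeof out->nas_ip, val);
        else if (!strcmp(name, "NAS-Port"))           out->nas_port = atoi(val);
        else if (!strcmp(name, "Acct-Session-Time"))  out->session_time = atol(val);
        else if (!strcmp(name, "Acct-Input-Octets"))  out->in_octets = atol(val);
        else if (!strcmp(name, "Acct-Output-Octets")) out->out_octets = atol(val);
        else if (!strcmp(name, "Timestamp"))          out->timestamp = atol(val);
    }
    return seen > 0 && out->is_stop;
}

/* Apply the mapping table; Account and UIC would come from SYSUAF, not from here. */
void to_vms_acct(const struct detail_rec *in, struct vms_acct *out)
{
    memset(out, 0, sizeof *out);
    strcpy(out->username, in->user);
    strcpy(out->process_id, in->session_id);
    out->direct_io     = in->in_octets;
    out->buffered_io   = in->out_octets;
    out->finish_time   = in->timestamp;
    out->start_time    = in->timestamp - in->session_time;
    out->login_failure = (in->session_time == 0);
}

/* Constructed sample with the same values as the record shown in the notes. */
const char *SAMPLE_STOP =
    "Wed Oct 21 19:12:01 1998\n"
    "\tAcct-Status-Type = Stop\n"
    "\tUser-Name = \"cc_rrl\"\n"
    "\tService-Type = 8\n"
    "\tNAS-IP-Address = 172.16.0.36\n"
    "\tNAS-Port = 1\n"
    "\tAcct-Session-Id = \"ed00003a\"\n"
    "\tAcct-Delay-Time = 0\n"
    "\tAcct-Session-Time = 9\n"
    "\tAcct-Authentic = RADIUS\n"
    "\tAcct-Output-Octets = 275\n"
    "\tAcct-Input-Octets = 3\n"
    "\tTimestamp = 908982721\n"
    "\tRequest-Authenticator = Unverified\n";

int main(void)
{
    struct detail_rec d;
    struct vms_acct a;
    if (!parse_detail_record(SAMPLE_STOP, &d)) return 1;
    to_vms_acct(&d, &a);
    printf("Username %s  PID %s  Direct IO %ld  Buffered IO %ld\n",
           a.username, a.process_id, a.direct_io, a.buffered_io);
    printf("Start %ld  Finish %ld %s\n", a.start_time, a.finish_time,
           a.login_failure ? "(LOGIN FAILURE)" : "");
    return 0;
}
```

Only Stop records are turned into accounting records, matching "Acct-Status-Type = Stop" above; a Start or interim record makes parse_detail_record() return 0 so no VMS record is written for it.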
*NOTE:
 - The RADIUS_ACCOUNTING file is reopened at 24:00:00 every calendar day; you can use this for recreating RADIUS_ACCOUNTING.

* V. This version does not allow password change by RADPASS or similar facilities.

* VI. This port can check the maximum session limit if the MAX-Session-Limit parameter is present in the USERS. file. This checking is performed using information from the RADIUS_CURRENT file.

* VII. Optimization issues

All critical file I/O is rewritten with RMS I/O; in particular, access to the USERS. file is controlled by the following discipline: the USERS. file is opened at server start; during the run of the server the USERS. file stays open; every 5 minutes (0 00:05:00.00) this file is marked as expired by setting a special flag; when the next request arrives the file is reopened and the expiration flag is cleared. This discipline reduces the overhead of opening the file during processing of each authentication request, and takes advantage of buffered I/O with a large number of RMS buffers.

-------------------
Logicals
-------------------

RADIUS_DIR                  - root RADIUS directory
RADACCT_DIR                 - where the .DETAIL files will be placed
RADIUS_ACCOUNTING           - accounting file in VMS ACCOUNTING format
RADIUS_DICTIONARY           - RADIUS dictionary file
RADIUS_CLIENTS              - RADIUS clients file
RADIUS_USERS                - RADIUS users file
RADIUS_LOGFILE              - RADIUS log file
RADIUS_DEBUG                - put debug information in the log file
RADIUS_DISABLE_RIGHTSCHECK  - existence of this logical disables checking of all IDs in SYSUAF
RADIUS_DISABLE_SESSIONLIMIT - existence of this logical disables checking of the session limit
RADIUS_CURRENT              - file which contains "show session"-like information about user activity on NAS ports.

-------------------
Appendix
-------------------

* A. Authentication flow (USERS. : Auth-Type = System, or Password = "UNIX", or Password = "VMS")

Performed by vms_stuff/vms_login():

*NOTE:
 - The Password & Username pair is NOT case-sensitive during checking.
 - Type of login is DIALUP.
Step 0.0: IF NO_USER in SYSUAF - put user in intruders list with No Such User status, alarm event, reject.
Step 0.1: IF (DISUSER or RESTRICTED) or (EXPIRATION < current time) - put user in intruders list with Invalid Login status, audit+alarm events, reject.
Step 0.2: IF (PASSWORD is INVALID) - put user in intruders list with Authentication Fail status, audit+alarm events, reject.
Step 0.3: IF (USER in INTRUDER LIST) - reject.
Step 0.4: IF (DIALUP login is not allowed at this time) - put user in intruders list with Invalid Login Time status, audit+alarm events, reject.
Step 0.5: You Are Welcome!!! - modify the "Last login: non-interactive" field in SYSUAF.DAT for this user; this fact is registered by AUDIT, also. :)

Performed by vms_stuff/vms_right():

Step 2.0: IF (USER connection speed < 33600) - skip to Step 3.0
Step 2.1: IF (USER connection speed within [33600 ... 56*1024]) && (USER hasn't 56K) - send message to OPCOM; reject.
Step 2.2: IF (USER connection type > 1) && (USER hasn't ISDN rights id) - send message to OPCOM; reject.
Step 3.0: IF (USER has DUALPORT rights id) - set MAX-Session-Limit = 2 for this user.

*NOTE:
 - IF no IDs are defined in the rights list, the result of checking by vms_right() is TRUE!!!

Performed by vms_stuff/vms_get_stat():

Step 4.0: IF (USER tries to get sessions > MAX-Session-Limit) - send message to OPCOM; reject.

-------------------
Limitations
-------------------

* A. Use of the RADIUS prefixes is not allowed !!! Suffixes must start with the character '%' !!!

* B. There are some limitations on parameter length: username <= 12, password <= 32 bytes. Use of a username containing a space or tab is not allowed and will cause an authentication error.

-------------------
FAQ
-------------------

* Q1. Why can't we allow password change by RADPASS?
  A1. This functionality will probably be added later.

* Q2. Are we recording login failures somewhere?
  A2.
This information is recorded in AUDIT's SECURITY journal; you can search & retrieve it with the VMS ANALYZE/AUDIT facility. In addition, a session with zero elapsed time will be recorded in ACCOUNTING as a failed login attempt. To retrieve this information use ACCOUNTING /TYPE=LOGFAIL ...

* Q3. How easy will it be to install, maintain?
  A3. As easy as RADIUS 1.16. In addition, read these notes with attention; otherwise don't hesitate to call support. :))

* Q4. Will there be any way to see who is currently online, or look up an individual user and figure out what his IP address is? (Then we can do some cool CGI stuff for them, i.e. say "You've got mail" when he opens our homepage.)
  A4. This functionality is not present in the original RADIUS at all. There is no simple and dependable way to keep and maintain this information. But this functionality is present in this version. The information is stored in the file RADIUS_CURRENT, which you can display by TYPE, or write a small DCL procedure if you need to periodically display NAS/Port usage.

Format of the RADIUS_CURRENT file:

   Offset  Length  Name         Description
   0       15      NAS_ip       NAS's IP address
   16      3       NAS_port     NAS's port number
   20      32      NAS_ipname   NAS's IP name if resolved, otherwise the IP address.
   54      12      User         Username
   67      15      Framed-IP    Framed IP address (not resolved) which was assigned to the client during login.

-------------------
Troubleshooting
-------------------

-------------------
To Do
-------------------

* I. Unix i/o -> sequential RMS i/o
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Done.

* II. Resting...

C U SysMan (MailTo:"Ruslan R. Laishev" ).
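The authentication flow of Appendix A, as an added example that is not the server's code: the SYSUAF record, the intrusion list and the rights identifiers are replaced by plain C structs (assumed shapes; no sys$getuai, AUDIT or OPCOM calls are made, they are stood in for by printf), so the decision order of Steps 0.0 through 4.0 can be exercised offline. The RADIUS_DISABLE_RIGHTSCHECK and RADIUS_DISABLE_SESSIONLIMIT logicals are modelled as config flags, and the UAF table and requests are constructed here.

```c
/* Added example, not the server's code: a model of the Appendix A decision
 * flow (vms_login -> vms_right -> vms_get_stat) over constructed data. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum verdict { ACCEPT = 0, REJ_NO_SUCH_USER, REJ_INVALID_LOGIN, REJ_AUTH_FAIL,
               REJ_INTRUDER, REJ_LOGIN_TIME, REJ_NEED_56K, REJ_NEED_ISDN, REJ_SESSION_LIMIT };

struct uaf_entry {             /* the SYSUAF fields the flow consults (assumed shape) */
    const char *username, *password;
    int  disuser, restricted;
    long expiration;           /* 0 = (none), otherwise seconds since epoch */
    unsigned dialup_hours;     /* bit h set = DIALUP access allowed in hour h */
    int  has_56k, has_isdn, has_dualport;   /* rights identifiers held */
};
struct request {
    const char *username, *password;
    long now; int hour;        /* time of the request */
    long speed; int conn_type; /* from Connect-Info; conn_type > 1 means ISDN */
    int  max_session_limit;    /* MAX-Session-Limit from USERS., 0 = none */
    int  active_sessions;      /* what RADIUS_CURRENT reports for this user */
};
struct config { int ids_defined, disable_rightscheck, disable_sessionlimit; };

/* A tiny intruder list stands in for the VMS intrusion database. */
static char intruders[16][13];
static int  n_intruders;

static int ci_equal(const char *a, const char *b) {      /* names/passwords: not case-sensitive */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
int is_intruder(const char *u) {
    for (int i = 0; i < n_intruders; i++) if (ci_equal(intruders[i], u)) return 1;
    return 0;
}
void clear_intruders(void) { n_intruders = 0; }
static void record_intrusion(const char *u, const char *status) {
    printf("AUDIT: %s for %s\n", status, u);              /* audit/alarm event */
    if (n_intruders < 16 && !is_intruder(u)) snprintf(intruders[n_intruders++], 13, "%s", u);
}
static const struct uaf_entry *find_uaf(const struct uaf_entry *t, int n, const char *u) {
    for (int i = 0; i < n; i++) if (ci_equal(t[i].username, u)) return &t[i];
    return NULL;
}

/* Steps 0.0 - 0.5. */
enum verdict vms_login(const struct uaf_entry *uaf, const struct request *rq) {
    if (!uaf) { record_intrusion(rq->username, "No Such User"); return REJ_NO_SUCH_USER; }
    if (uaf->disuser || uaf->restricted || (uaf->expiration && uaf->expiration < rq->now)) {
        record_intrusion(rq->username, "Invalid Login"); return REJ_INVALID_LOGIN; }
    if (!ci_equal(uaf->password, rq->password)) {
        record_intrusion(rq->username, "Authentication Fail"); return REJ_AUTH_FAIL; }
    if (is_intruder(rq->username)) return REJ_INTRUDER;          /* Step 0.3 */
    if (!(uaf->dialup_hours & (1u << rq->hour))) {
        record_intrusion(rq->username, "Invalid Login Time"); return REJ_LOGIN_TIME; }
    return ACCEPT;   /* Step 0.5: "Last login: non-interactive" would be updated here */
}
/* Steps 2.0 - 3.0; the effective session limit comes back through *limit. */
enum verdict vms_right(const struct config *cfg, const struct uaf_entry *uaf,
                       const struct request *rq, int *limit) {
    *limit = rq->max_session_limit;
    if (cfg->disable_rightscheck || !cfg->ids_defined) return ACCEPT;  /* no IDs -> TRUE */
    if (rq->speed >= 33600) {                           /* Step 2.0 skips to 3.0 below 33600 */
        if (rq->speed <= 56 * 1024 && !uaf->has_56k) return REJ_NEED_56K;   /* Step 2.1 */
        if (rq->conn_type > 1 && !uaf->has_isdn)      return REJ_NEED_ISDN;  /* Step 2.2 */
    }
    if (uaf->has_dualport) *limit = 2;                  /* Step 3.0 overrides USERS. */
    return ACCEPT;
}
/* Step 4.0. */
enum verdict vms_get_stat(const struct config *cfg, const struct request *rq, int limit) {
    if (!cfg->disable_sessionlimit && limit > 0 && rq->active_sessions + 1 > limit)
        return REJ_SESSION_LIMIT;
    return ACCEPT;
}
enum verdict decide(const struct config *cfg, const struct uaf_entry *t, int n, const struct request *rq) {
    const struct uaf_entry *uaf = find_uaf(t, n, rq->username);
    enum verdict v = vms_login(uaf, rq);
    int limit;
    if (v != ACCEPT) return v;
    if ((v = vms_right(cfg, uaf, rq, &limit)) != ACCEPT) { printf("OPCOM: reject %s\n", rq->username); return v; }
    if ((v = vms_get_stat(cfg, rq, limit)) != ACCEPT) printf("OPCOM: session limit for %s\n", rq->username);
    return v;
}

/* Constructed UAF table and config for demonstration. */
const struct uaf_entry UAF[] = {
    { "rrl",  "Secret1", 0, 0, 0, 0xFFFFFFu, 1, 0, 0 },   /* holds 56K, dial-in any hour */
    { "dual", "Pass2",   0, 0, 0, 0x0003FFu, 0, 0, 1 },   /* holds DUALPORT, hours 0-9 only */
};
const int N_UAF = 2;
const struct config CFG = { 1, 0, 0 };

int main(void) {
    struct request rq = { "RRL", "secret1", 1000, 12, 50000, 1, 1, 0 };
    printf("verdict %d\n", decide(&CFG, UAF, N_UAF, &rq));   /* 0 = ACCEPT */
    return 0;
}
```

The order matters in the same way the notes describe it: a wrong password puts the user on the intruder list (Step 0.2) so the next attempt is refused at Step 0.3 even with the right password, and a speed below 33600 bypasses the 56K and ISDN checks entirely while DUALPORT still raises the limit at Step 3.0.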
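The RADIUS_CURRENT layout from A4, as an added example (not the server's code): a reader and writer for the 82-byte fixed-width record built from the offset table above, plus the per-user port count that the MAX-Session-Limit check (Changes & Additions VI) takes from this file. The sample records are constructed here and the function names are this example's own; the 82-byte length is derived from the last field ending at offset 67 + 15.

```c
/* Added example, not the server's code: fixed-width RADIUS_CURRENT records. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define CUR_RECLEN 82           /* last field: offset 67, length 15 */

struct current_rec {
    char nas_ip[16];            /* offset 0,  length 15 */
    int  nas_port;              /* offset 16, length 3  */
    char nas_ipname[33];        /* offset 20, length 32 */
    char user[13];              /* offset 54, length 12 */
    char framed_ip[16];         /* offset 67, length 15 */
};

/* Copy one fixed-width field, tolerating short lines, and strip trailing blanks. */
static void take_field(char *dst, size_t cap, const char *line, size_t off, size_t len)
{
    size_t n = strlen(line), avail = off < n ? n - off : 0;
    if (avail > len) avail = len;
    if (avail >= cap) avail = cap - 1;
    memcpy(dst, line + off, avail);
    while (avail > 0 && isspace((unsigned char)dst[avail - 1])) avail--;
    dst[avail] = '\0';
}

int parse_current(const char *line, struct current_rec *r)
{
    char port[4];
    memset(r, 0, sizeof *r);
    take_field(r->nas_ip,     sizeof r->nas_ip,     line,  0, 15);
    take_field(port,          sizeof port,          line, 16,  3);
    take_field(r->nas_ipname, sizeof r->nas_ipname, line, 20, 32);
    take_field(r->user,       sizeof r->user,       line, 54, 12);
    take_field(r->framed_ip,  sizeof r->framed_ip,  line, 67, 15);
    if (!r->nas_ip[0] || !port[0]) return 0;     /* not a usable record */
    r->nas_port = atoi(port);
    return 1;
}

/* Write one record in the same layout; the gaps between fields are blanks. */
int format_current(char *out, size_t cap, const struct current_rec *r)
{
    char port[4];
    snprintf(port, sizeof port, "%d", r->nas_port);
    return snprintf(out, cap, "%-15.15s %-3.3s %-32.32s  %-12.12s %-15.15s",
                    r->nas_ip, port, r->nas_ipname, r->user, r->framed_ip) == CUR_RECLEN;
}

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Ports currently held by a user; usernames are compared case-insensitively. */
int count_sessions(const char *const *lines, int n, const char *user)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        struct current_rec r;
        if (parse_current(lines[i], &r) && ci_equal(r.user, user)) count++;
    }
    return count;
}

/* Constructed RADIUS_CURRENT contents: three ports on one NAS. */
static char sample_buf[3][CUR_RECLEN + 1];
const char *const *sample_current(int *n)
{
    static const char *ptrs[3];
    const struct current_rec recs[3] = {
        { "172.16.0.36", 1, "TSrv11", "cc_rrl", "10.1.0.5" },
        { "172.16.0.36", 2, "TSrv11", "CC_RRL", "10.1.0.6" },
        { "172.16.0.36", 3, "TSrv11", "other",  "10.1.0.7" },
    };
    for (int i = 0; i < 3; i++) {
        format_current(sample_buf[i], sizeof sample_buf[i], &recs[i]);
        ptrs[i] = sample_buf[i];
    }
    *n = 3;
    return ptrs;
}

int main(void)
{
    int n;
    const char *const *lines = sample_current(&n);
    struct current_rec r;
    for (int i = 0; i < n; i++)
        if (parse_current(lines[i], &r))
            printf("%-32s port %-3d %-12s %s\n", r.nas_ipname, r.nas_port, r.user, r.framed_ip);
    printf("cc_rrl holds %d session(s)\n", count_sessions(lines, n, "cc_rrl"));
    return 0;
}
```

Because every field is trimmed on read, a record written by format_current() parses back to the same values, and a shorter or empty line is rejected rather than read past its end.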