Remote Annex Server Tools for Windows NT® User Guide Part No. 166-025-305 Rev.
Copyright © 1997 Bay Networks, Inc. All rights reserved. Printed in the USA. April 1997. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document.
Revision Level History
Revision   Description
A          Initial release.
Contents
Preface
About This Book
Documentation Conventions
Chapter 1 Introduction
NA Utility Features
CLI Security
Virtual CLI Security
AppleTalk Security
Preface
Remote Annex Server Tools for Windows NT® allows you to boot, configure, and manage Remote Annexes on a Windows NT® network.
About This Book
This book documents Remote Annex Server Tools for Windows NT®. It explains the product’s features and provides instructions for each of those features. The Remote Annex Server Tools for Windows NT® User Guide includes the following chapters:
• Chapter 1, Introduction, provides an overview of Remote Annex Server Tools for Windows NT® features.
Documentation Conventions
The following table lists the Remote Annex Server Tools for Windows NT® User Guide conventions:
Convention:     Represents:
Italics         chapter titles, book titles, and chapter headings.
special type    defines samples in the na utility.
bold            path names, program names, field names, or file names.
▼               one-step procedures.
                important information.
                conditions that can have adverse effects on processing.
                dangerous conditions.
Chapter 1 Introduction
Remote Annex Server Tools for Windows NT® allows you to boot and configure Remote Annexes and 5399 Remote Access Concentrator (RAC) Module(s) on a Windows NT® network. You can manage one or more Remote Annexes using the na utility. In addition, the product takes advantage of Windows NT® domains to authenticate and authorize users.
NA Utility Features
The na utility is a command-line interface that lets you monitor and modify Remote Annex and 5399 RAC operating characteristics.
Windows NT® Server Access Security Features
Remote Annex Server Tools for Windows NT® works with a Windows NT® Server to provide access security. You define user and group access parameters in Windows NT®, and link the appropriate group definitions with the Remote Annex using the Server Tools Options graphical user interface. Remote Annex Server Tools for Windows NT® allows you access to the standard Remote Annex log file, a RADIUS server log file, and the Windows NT® Event Log.
Name Server Issues
Remote Annex Server Tools for Windows NT® supports DNS and IEN-116 name servers. We do not ship IEN-116 for Windows NT®. For more information, see the Remote Annex Administrator’s Guide for UNIX. Be aware that IEN-116 discussions do not apply to Remote Annex Server Tools for Windows NT®.
Book/Chapter   Topic
A/1            UNIX Host-Originated Connections
A/2            Using the Terminal Server TTY (TSTTY); Using the Transport Multiplexing (TMux) Protocol
A/4            Terminal Server TTY; How TSTTY Interacts with Annex Port Parameters; Configuring the Annex for TSTTY; Transport Multiplexing Protocol (TMux); tip and uucp; getty
A/13           Printing from a BSD Host using aprint or rtelnet; Printing from a System V Host using aprint or rtelnet
A/14           Installing Software Using bfs; IEN-116 Name Server Se
Book/Chapter   Topic
B/2            TMux-Specific Annex Parameters vs. MIB Objects
C/4            aprint; rtelnet
Platform Requirements
Remote Annex Server Tools for Windows NT® requires:
• Windows NT® Server version 3.51 or 4.0 configured to support the TCP/IP protocol.
• Administrative privileges on the server.
• 15 MB free disk space on an NTFS drive.
• One Windows NT® Server client license per Annex.
• A PC with an Intel Pentium (or higher) CPU, or any fully compatible CPU.
• 32 MB RAM.
Document References
Refer to the following document sets for additional information on the desired subjects. The topics from all three books share the same chapter contents (with the exceptions noted after the book titles below).
Chapter 2 Selecting Server Tools Options
The Server Tools Options window appears after you complete the installation process. Double-click on the Options icon in the Bay Networks program group window. The Server Tools Options window has four tabbed dialog boxes that allow you to select a security server, select booting and logging options, choose and configure a RADIUS server, and view information about your current Remote Annex Server Tools for Windows NT® software version.
Figure 2-1. The Server Tools Options Dialog Box
To select options in the Security window:
Specify a Regime
Select the protocol you desire from the Regime radio box.
Native NT Security
1. If you select Native NT in the Regime radio box, the Directory for Annex security files field becomes active. Accept the default or enter a new destination drive and directory for the acp_logfile file. This field designates the drive on which you installed Remote Annex Server Tools for Windows NT® and the etc directory, where the system stores the acp_dialup, acp_keys, and acp_userinfo files.
2.
You can double-click on a group name from the Remote Access Groups list to move it to the Groups list. If you want to change your selections, highlight the group from the Groups list box and click on Remove, or double-click the group name. If you install Remote Annex Server Tools for Windows NT® on a primary domain controller, the groups you select here must have local log on privileges to allow authentication.
You can add or remove a new Remote Users Group (on the Security tab window) within the Server Tools Options application. However, unless this new group already exists, you must first create the new group and its information via the Windows NT® operating system.
▼ To add a new default group, click the Create Remote Users Group check box. Remote Users Group appears automatically in the Remote Access Groups list.
6. Select the newly created Group from the Groups list box and click on Add. The selected group appears in the Remote Access Groups list box.
7. When you have completed your changes, click on OK to set the changes you made and close the dialog box. Click on Cancel to close the dialog box without saving or applying your changes. Click on Apply to set your changes and leave the Server Tools Options window open on your desktop.
4. Tab to the IP Address text field and enter the IP Address that goes with the Host Name. Repeat step 4 to configure the Secret format, the Timeout period, and the number of Retries (for more details on Secret, Timeout, and Retries, see Chapter 4).
5. Click on Accept to apply the new server information or Revert to cancel your changes. You can modify any of the fields before you click on Accept or Revert.
Selecting Booting/Logging Options
The Booting/Logging tab window allows you to select log files, to choose locations for load and dump files, and to choose directories, time formats and network address formats for the log file.
▼ To display this window, choose the Booting/Logging tab in the Server Tools Options window.
To select options in the Booting/Logging window:
1. In the Directory for load and dump files field, you can accept the default or enter a drive and directory for the Remote Annex system images and dump files. This field automatically lists the drive on which the Remote Annex Server Tools for Windows NT® is installed, and the bfs default directory, where the system stores load and dump files.
3. If you select Use acp_logfile in the Booting/Logging dialog box, specify a time listings format in the Time Format box. You can choose:
• YY/MM/DD HH:MM:SS to display the date and time that an event occurred (e.g., 95/12/30 06:22:15).
• Use Seconds to list time in seconds since January 1, 1970.
4.
▼ To view Windows NT® logs, double-click on the Event Viewer icon in Administrative Tools and select Application from the Log menu.
The Windows NT® Event Log stores information in the following columns:
• An icon at the beginning of each line indicates the severity of the message.
• Date stores the date that the event was logged in Windows NT®.
• Time stores the time that the event was logged into Windows NT®. The Detail window of the Event Log lists the times events occur.
• Source lists the software that logged the event.
Configuring a RADIUS Server
The RADIUS Servers tab dialog box allows you to create, modify, delete and configure a RADIUS server, and to set the IP Address and Secret format parameters.
▼ To view this information, click on the RADIUS Servers tab of the Server Tools Options window.
Creating and Configuring a RADIUS Server
To create and configure a new RADIUS Server:
1. Click on New. All information fields become active.
2. Enter the Host Name of the RADIUS Server you are creating in the text field.
3. Tab to the IP Address text field and enter the IP address of the Host Name.
4. Repeat step 3 to configure the Secret format, the Timeout period, and the number of Retries.
5.
Modifying RADIUS Server Information
1. Select a desired RADIUS server from the RADIUS Servers list box. When you select a RADIUS server, the information fields on the right side of the dialog box automatically fill in with the appropriate information pertaining to the RADIUS server you chose. Click on Modify. All information text fields become active, except the Host name.
2.
Deleting RADIUS Server Information
1. Select the RADIUS Server to be deleted and click on Delete. All information text fields remain inactive and a confirmation dialog box appears.
2. Click OK to delete the RADIUS Server or Cancel to exit the confirmation dialog box without deleting any server information. The confirmation dialog box closes.
3. Click OK to save your changes and close the Server Tools Options window.
Displaying Version Information
The Version tab window provides the company and product name, version number, and build number for the Remote Annex Server Tools for Windows NT®.
▼ To view this information, click on the Version tab of the Server Tools Options window.
Chapter 3 Understanding Erpcd
Remote Annex Server Tools for Windows NT® uses the expedited remote procedure call daemon (erpcd) running on a Windows NT® server. Erpcd responds to all Remote Annex boot, dump, and ACP security requests. ACP’s eservices file, stored in the \etc directory, lists the services that erpcd provides. Eservices includes controls for:
• The block file server (bfs) program sends boot files to a Remote Annex and collects dump files from a Remote Annex.
Editing Files
You can edit the acp_userinfo, acp_dialup, and acp_keys files from the Bay Networks program group window. There is an icon for each file in the program group window.
▼ To open an individual file, such as the acp_userinfo file, from the Bay Networks program group window, double-click on the respective icon and the file will open in the Windows NT® Notepad editor. The changes take effect immediately. User names and group names are not case-sensitive.
For example, if a user who belongs to the Engineering group requests access to a Remote Annex port on Monday morning at 10 a.m. and a profile excludes Engineering group members from using that Remote Annex on Mondays between 9 and 11 a.m., the user cannot log in to the port.
• The attributes that erpcd applies when all user profile elements match the login environment of the user.
• end to conclude the profile.
The acp_userinfo file can include as many user profiles as you need. The matching process requires that all elements in a user profile match the login environment of the user.
Using Profile Environment Keywords
User profiles contain one or more keywords that define user login conditions.
time Keyword
The time keyword defines a period of time during which profile attributes apply.
▼ To use this keyword, type time= followed by one or more of the following:
• A day of the week (e.g., Thursday).
• A specific date, including the month and the date (e.g., March 1).
• A range of hours in hh:mm format (e.g., 06:30). You must enter start time and end time. You can enter a.m. or p.m. following the times.
To combine the annex and port keywords in one line, separate keyword/value entries with a semicolon (e.g., annex= Annex 02, 245.132.88.22; ports=1,3,6-22). If you omit Remote Annex names or addresses and list one or more ports, the profile attributes apply to all Remote Annexes.
Understanding Profile Attributes
In each user profile, one or more attributes follow keywords and their values. This section explains the attributes you can include.
The acp_userinfo file can store accesscode attributes in a user profile. To create an accesscode entry:
1. Type accesscode followed by a code name. For IPX clients, enter IPX for the access code.
2. Type phone_no followed by an actual phone number (e.g., phone_no 634-5789). If you do not enter a phone number, the system prompts the user for it.
4. Type end. Repeat the line you created in Steps 1-3 if you want to use more than one CLI command. Erpcd executes CLI commands in the order they appear.
5. Add clicmd...end following the last line that lists a CLI command. Use this line if you want to continue the CLI session after erpcd executes the last CLI command.
You cannot use clicmd unless you set the cli_security parameter to Y. Do not include the same CLI command in the clicmd and climask entries.
When a user name and password match the profile, erpcd sends this list to the Remote Annex, which prevents the user from executing the commands. You cannot use climask unless the cli_security parameter is set to Y. Do not include the same CLI command in the clicmd and climask entries. For detailed information about CLI commands, please refer to Document References on page 1-6.
deny
The deny attribute prevents a user from connecting to a Remote Annex. To use the command:
1.
2. Find the area of the file where entry information resides, and type filter.
3. Enter a filter definition.
4. Type end. Repeat the line you created in Steps 1-3 if you want to use more than one filter. Erpcd executes filter attributes in the order of appearance.
Each filter definition includes categories for direction, scope, family, criteria, and actions. Separate each part of the filter definition with a space.
• Criteria includes the conditions for the filter. This section uses a keyword followed by a value. You can enter:
  • dst_address (the destination address of the packet) followed by an IP address.
  • dst_port (the destination port) followed by a port number from 1-65535 or by a service name.
  • src_port (the source port number) followed by a port number from 1-65535 or by a service name.
  • src_address (the source address of the packet) followed by an IP address.
• Actions specify activity of a filter when its criteria match a packet. Enter one or more of the following actions:
  • discard discards the packet. If you use syslog, icmp, or netact with discard, the system discards the packet after it takes those actions.
  • icmp discards the packet and sends an ICMP message indicating that the destination is unreachable.
  • netact defines activity for a SLIP or PPP dynamic dial-out line.
5. Enter an IP address for the gateway that is the next hop for the route. If you enter an asterisk, the Remote Annex uses the remote address of the port as the gateway.
6. If necessary, you can enter a number from 1 to 15 to indicate the number of hops to the destination, or -h to indicate that the route is hardwired. You can skip this step. You do not have to enter a number of hops or -h.
7. Type end.
at_zone
The at_zone attribute lists AppleTalk zones on a network.
at_connect_time
The at_connect_time attribute specifies the number of minutes that an ARA connection can remain open. To use this attribute:
1. From the Bay Networks program group window, double-click on the appropriate icon to open the acp_userinfo file. The acp_userinfo file opens in the Notepad editor.
2. Find the area of the file where entry information resides and type at_connect_time followed by the number of minutes.
For object names, network numbers or subzone names, and zone names, you can use an asterisk as a wildcard. All entries in steps 3, 4, and 5 are case-sensitive and can use up to 32 characters.
at_password
The at_password attribute stores passwords for registered AppleTalk users. Remote Annex Server Tools for Windows NT® uses the passwords to authenticate all AppleTalk users. To use this attribute:
1.
Using the acp_keys File
The acp_keys file stores Remote Annex names or IP addresses and corresponding encryption keys. Erpcd uses the keys you define here to create encryption keys that the security server and a Remote Annex use to exchange messages. When the security server receives an encrypted message from a Remote Annex, it matches the key with an associated Remote Annex in the acp_keys file. If there is no match, the Remote Annex and the server cannot communicate.
For example, annex1, annex2: abcxyz is a simple entry that defines an encryption key for two Remote Annexes. If you need to continue an entry on a second line, use the backslash (\) at the end of the first line. Erpcd first attempts to match complete IP address entries in the acp_keys file. If erpcd does not find an exact match, it searches entries that contain wildcards. In either case, erpcd uses the first key entry it finds.
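The lookup order described above decides which key a given Remote Annex ends up with, so an audit of acp_keys has to follow it. The following sketch is an added example, not code from the product: it parses entries, applies the exact-then-wildcard, first-match rule, and reports wildcard entries that can never be selected. It assumes that an asterisk replaces one whole octet of an IP address; the sample addresses and keys are constructed.

```python
# Added example (not from the guide). Assumptions: '*' replaces one whole
# octet of a dotted-quad address; all names, addresses and keys are constructed.


def parse_acp_keys(text):
    """Return [(annex, key), ...] in file order, joining continued lines."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # entry continues on the next line
            pending += line[:-1].strip() + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line:
            continue
        annexes, sep, key = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"no key in acp_keys entry: {line!r}")
        for annex in annexes.split(","):
            if annex.strip():
                entries.append((annex.strip(), key.strip()))
    if pending.strip():
        raise ValueError("file ends inside a continued entry")
    return entries


def _covers(pattern, other):
    """True if every octet of pattern is '*' or equals the octet in other."""
    p, o = pattern.split("."), other.split(".")
    return len(p) == len(o) == 4 and all(x == "*" or x == y for x, y in zip(p, o))


def lookup_key(entries, address, name=None):
    """Exact entries first, then wildcard entries; the first hit wins."""
    for annex, key in entries:
        if "*" not in annex and annex in (address, name):
            return annex, key
    for annex, key in entries:
        if "*" in annex and _covers(annex, address):
            return annex, key
    return None   # no match: this Annex and the server cannot communicate


def shadowed_wildcards(entries):
    """Wildcard entries that can never be chosen because an earlier wildcard
    entry already matches every address they match."""
    wild = [annex for annex, _ in entries if "*" in annex]
    return [(later, earlier)
            for i, later in enumerate(wild)
            for earlier in wild[:i] if _covers(earlier, later)]


# Constructed sample file: a broad wildcard placed above a narrower one.
SAMPLE = """\
192.168.*.*: fallbackkey
192.168.7.*: labkey
annex1, \\
192.168.7.20: abcxyz
"""

if __name__ == "__main__":
    entries = parse_acp_keys(SAMPLE)
    for addr in ("192.168.7.20", "192.168.7.21", "10.0.0.1"):
        print(addr, "->", lookup_key(entries, addr))
    print("never selected:", shadowed_wildcards(entries))
```

In the sample, 192.168.7.21 receives the broad fallback key rather than the key of the narrower 192.168.7.* entry, because the broad entry comes first in the file.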
4. Use the Services control panel to stop or pause erpcd.
5. Use the reset annex security command of the admin utility to reset security for the Remote Annexes whose keys you added or changed.
6. Use the Services control panel to restart erpcd.
Using the acp_dialup File
The acp_dialup file stores user names, Remote Annex names and addresses, and port numbers. Erpcd matches Annex and user entries to provide IP addresses for users dialing in to the network.
3. Enter one or more port numbers followed by @ and one or more Remote Annex names or IP addresses. Separate port numbers with commas and/or enter a range of numbers with dashes (e.g., 1,3,6-10@Annex01).
4. Enter a remote address followed by a local address. Use an asterisk (wildcard) for any part of an IP address.
You must use spaces to separate the user name, port number/Remote Annex, Local Address, and Remote Address fields.
Chapter 4 Using Security Features
Remote Annex Server Tools for Windows NT® uses standard Windows NT® domain security and Remote Annex-based security features to protect your network from unauthorized access. To use Remote Annex Server Tools for Windows NT® security features, you need to:
• Use the Windows NT® Administrative Tools/User Manager for Domains to create groups, user names, and passwords.
• Use the na utility to set security parameters on the Remote Annex for the types of security you want.
Using Windows NT® Domain Security
When a user logs on to a Remote Annex, to one of its ports, or to a network, the system performs authentication based on the security parameters you enter. Once you set the parameters that enable a type of security:
• The system checks the Windows NT® user name and password.
Multiple Domain Authentication Setup Procedure
Follow these Windows NT® steps to facilitate support for multiple domain authentication:
Windows NT® steps   Server Tools steps
1. Establish the appropriate trust relationship among domains.
2. Load the Remote Annex Server Tools for Windows NT® on the trusting domain controller.
3. Define the user(s) in the trusted domain’s security accounts manager database.
Setting Remote Annex Security Parameters
The Access Control Protocol (ACP) of the Remote Annex provides server-based security. When you define one network server as a security server, use ACP software default settings or modify the software to create a customized security policy for your network.
You can customize security features by editing several ACP files. These files are maintained by the security server through the Remote Annex Server Tools for Windows NT® program window.
• The acp_keys file includes encryption key information.
• The acp_dialup file contains user names and addresses for dialup connections.
• The acp_userinfo file contains initial login environment information and start-up CLI commands.
You need to set certain parameters to enable each type of security described here. Once you set parameters, each user will have to enter a user name and password. Remote Annex Server Tools for Windows NT® grants access only to those user names and passwords listed in any Windows NT® global group you selected in the Remote Access Groups tab window.
PPP Security
Point-to-Point (PPP) provides a link between hosts that carry IP, IPX, and ARA protocols.
▼ To log user access for PPP, set the slip_ppp_security parameter to Y.
If you want to set ppp_security_protocol and slip_ppp_security to values other than the ones described here, the system will not use Windows NT® user names and passwords for authentication. Please see Document References on page 1-6 to find sources of additional information about system behavior with other parameter values.
Port Server Security
The port server process of the Remote Annex allows it to accept telnet or rlogin connection requests from network users, hosts, and applications. When a user connects to a Remote Annex via telnet or rlogin and responds to the port prompt by entering a port or rotary number, the security server requires a Windows NT® domain user name and password.
1. To use ACE/Server (SecurID) security, select the security regime SecurID radio button in the Security dialog box.
Creating a SecurID Client for an NT Server: You must transfer a binary copy of the sd_conf.rec file from the SecurID server to the Windows NT root directory. Also, the server must be registered as a SecurID client.
Supported ACE/Server Releases
Remote Annex Server Tools for Windows NT® offers support for ACE/Server Release 2.1.1 and 2.2.
Remote Annex Server Tools for Windows NT® and UNIX-based systems support local Remote Annex security and Proprietary IPX security in the same way.
RADIUS and ACP Protocol Operation
RADIUS and ACP servers work together to provide the user with a standard means of communication between a Network Access Server and a host-based server.
• When or if the security profile matches the Server Tools Options dialog box RADIUS On/Off radio button, the expedited remote procedure call daemon (ERPCD)/ACP prompts the Remote Annex for the user name and password.
RADIUS Authentication
RADIUS authentication supports the authentication modes PAP and CHAP. This section covers the following topics:
• PPP and CHAP Support
• Access-Request Attributes
• Access-Accept and Access-Reject Attributes
PPP and CHAP Support
RADIUS requires PPP/CHAP enforcement to be in the RADIUS server:
The... Then...
Access-Request Attributes
ERPCD/ACP sends Access-Request packets which indicate how the user connects to the Annex. This information is used by the server as a hint or a restriction. The following section defines the available access-request attributes:
User-Name
Indicates the name of the user that the RADIUS server will authenticate. An unterminated ASCII string identical to the user name that ERPCD/ACP retrieves via the user name prompt.
NAS-Port
Specifies the current port number connection. NAS-Port number example: nxxx (decimal)
n=   Description
0    Serial interface port
2    Virtual (VCLI, FTP)
3    Dial-out
4    Ethernet (outbound)
Although not an attribute, CHAP-Challenge appears in the Authenticator of the RADIUS header.
Framed-Protocol
Specifies the link level protocol type allowable to the user.
Service-Type
Access-Accept and Access-Reject Attributes
In this version, attributes included in the RADIUS Access-Accept and Access-Reject packets are ignored by ERPCD/ACP. However, ERPCD/ACP does instruct the Remote Annex to display text sent in a Reply-Message attribute as long as the user is a CLI or port server user.
RADIUS Accounting
RADIUS Accounting defines a communication standard between a NAS and a host-based accounting server.
RADIUS Accounting Process
The following table describes the RADIUS accounting process:
• When or if the Remote Annex sends an ACP Audit-log to the server, the security profile for the ACP Authorization-Request must match the Security dialog box RADIUS Regime On/Off radio button setting. On = RADIUS security active. Off = Native NT security active.
Acct-Delay-Time
Specifies the time (in seconds) the RADIUS client has been trying to send a specific Accounting packet.
Acct-Input-Octets
Specifies number of octets received during the session.
Acct-Output-Octets
Specifies number of octets sent during the session.
Acct-Session-Id
A numeric string identified with the session reported in the packet.
Acct-Authentic
Specifies how the user is authenticated. Always set to RADIUS.
Default Values
If there is no configuration record for a RADIUS server, the following default values are used:
Attribute       Value
Secret          0x0
Timeout         4 seconds
Retries         10
Backup server   None
RADIUS Authentication Server and Accounting Server
• RADIUS Authentication Server is the host name of the RADIUS Authentication server.
• Accounting Server is the host name of the RADIUS Accounting server.
Response Timeout and Number of Retries Format
The Response Timeout and Number of Retries values are set in the RADIUS Servers dialog box.
timeout
The number of seconds to wait for a response before sending a retry.
retries
The number of times to retry before fail-over to the backup server, or authentication is discontinued. Fail-over occurs if the host is the original primary server. This entry must be on one line.
Backup Server
The host name or Internet address of the backup RADIUS server or RADIUS Accounting server is configured using the RADIUS Servers dialog box:
1. From the Server Tools Options dialog box, click on the Security tab.
2. Select the RADIUS radio button to enable the RADIUS security server. If you do not select this option, your security server will default to native Windows NT® security.
3.
• When or if the maximum number of retries (10 by default) is reached without a response from the server, the attempt to authenticate against the primary server fails and ERPCD/ACP attempts to authenticate against the backup server (if defined).
• When or if no response is received from the backup server, the user is rejected.
• When or if an accounting fail-over occurs, the server remains the same until failure of the backup server.
RADIUS Dictionary File
Included on the distribution kit is a reference RADIUS dictionary file which resides in the security files area. The erpcd server does not use this file; it is provided as documentation and a convenience. This file defines keywords, types, and values for RADIUS attributes and their corresponding code points. The file is in a format that is used as input by some RADIUS servers to parse messages and write text output files.
The following is a partial example of some of the dictionary contents:
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
<...
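The dictionary lines above and the NAS-Port numbering described under Access-Request Attributes are enough to read the attribute section of a captured Access-Request. The following sketch is an added example, not code from the product: it loads the dictionary lines, decodes RADIUS type-length-value attributes, and splits a NAS-Port value into port type and port number. Reading nxxx as one type digit followed by a three-digit port number is an assumption, and the sample bytes are constructed.

```python
import ipaddress
import struct

# Dictionary lines as listed in the guide's partial example.
DICTIONARY = """\
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
"""

# Leading digit n of NAS-Port, from the guide's table.
NAS_PORT_TYPES = {0: "Serial interface port", 2: "Virtual (VCLI, FTP)",
                  3: "Dial-out", 4: "Ethernet (outbound)"}

# Dictionary type is "string", but the wire value is binary, so show it as hex.
BINARY_STRINGS = {"Password", "CHAP-Password"}


def parse_dictionary(text):
    """Map attribute code -> (name, type) from 'ATTRIBUTE name code type' lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "ATTRIBUTE":
            table[int(fields[2])] = (fields[1], fields[3])
    return table


def decode_attributes(data, table):
    """Decode RADIUS type-length-value attributes into (name, value) pairs."""
    decoded, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        code, length = data[pos], data[pos + 1]
        # The length byte counts the two header bytes as well as the value.
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {code}")
        raw = data[pos + 2:pos + length]
        name, kind = table.get(code, (f"Unknown-{code}", "octets"))
        if kind in ("integer", "ipaddr") and len(raw) != 4:
            raise ValueError(f"{name} must carry 4 bytes, got {len(raw)}")
        if kind == "integer":
            value = struct.unpack("!I", raw)[0]
        elif kind == "ipaddr":
            value = str(ipaddress.IPv4Address(raw))
        elif kind == "string" and name not in BINARY_STRINGS:
            value = raw.decode("ascii", errors="replace")
        else:
            value = raw.hex()
        decoded.append((name, value))
        pos += length
    return decoded


def describe_nas_port(value):
    """Split NAS-Port 'nxxx' into (port type, port number). Assumed layout."""
    n, port = divmod(value, 1000)
    return NAS_PORT_TYPES.get(n, f"unlisted type {n}"), port


# Constructed sample: attribute bytes as they would follow the RADIUS header.
SAMPLE = (bytes([1, 8]) + b"jsmith"
          + bytes([4, 6, 192, 0, 2, 10])
          + bytes([5, 6]) + struct.pack("!I", 2005))

if __name__ == "__main__":
    table = parse_dictionary(DICTIONARY)
    for name, value in decode_attributes(SAMPLE, table):
        print(name, "=", value)
        if name == "NAS-Port":
            print("  ->", describe_nas_port(value))
```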
Appendix A Browsing for Resources on a Microsoft Network
Browsing is locating network resources in a Domain or workgroup. Domains and workgroups are Microsoft's logical grouping of computers and other resources into managed groups. Browsing is implemented by accessing Browsers, which are computers that maintain resource lists for the Domain, rather than trying to directly locate the resource. Therefore locating a resource becomes a question of locating a Browser.
The Primary Domain Controller (PDC), which provides authentication for the Domain, serves as the Domain Master Browser (DMB). The DMB has the responsibility of keeping track of and coordinating all the Master Browsers in the Domain as well as correlating information from other domains. The PDC wins the DMB election because it is heavily weighted by being the PDC.
Configuration and Election Process
Browsers are selected through configuration and an election process. It is possible to set a station to be a MB. This only gives it additional weight in the election process. Another weight in the election process is the type of operating system running (Microsoft Windows NT®, Windows 95, Windows for Workgroups). An election is held between all potential MBs to select the MB for the subnet.
The WINS Solution
WINS is a service that runs on a Windows NT® server. It is provided with Windows NT® 3.5 or greater. The primary function of WINS is to provide name services without broadcasts because WINS queries are directed datagrams. The current version of WINS, along with some client updates, also assists with browsing across subnets that do not contain Browsers. A WINS server can provide the location of the PDC, which is also the DMB, to a client.
Required Configuration Details
The following configuration details are required to make the browsing operation work correctly:
• The PDCs of all domains should be Windows NT® server Version 3.5 or later.
• All stations must use WINS to allow services to be recorded properly.
• The client should disable the ability to be a browse master. This will prevent the client from browsing except when the user asks for a browse list.
Remote Annex Example
The Remote Annex forwards IP broadcasts from a remote access client to the network that the Annex is on. If that network is a subnet that has no PCs capable of being a master browser, the remote client must be configured to use WINS to be able to browse Microsoft resources. Another possible option might be to configure the router to pass IP broadcasts, but this is probably not desirable.
Resource Visibility
The problem of resource visibility becomes especially important when the remote “client” is another network that may have resources to be shared. The remote network should have a machine capable of acting as a MB. A MB locates resources by broadcasts on its subnet.
• #DOM:dept indicates that server name is a domain controller for the dept domain
• #PRE indicates this entry is preloaded into the cache at start-up; this will allow the address to be found when the cache is searched and eliminate the WINS query and/or broadcast
Workgroups and Domains
Windows 95 allows specification of a workgroup name (Control Panel Networks - Identification - Workgroup).