Bay Networks Remote Annex, Remote Annex Server Tools User Manual

Remote Annex Server Tools for Windows NT®
User Guide
Part No. 166-024-379 Rev. A December 1996
All rights reserved. Printed in the USA. December 1996. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Bay Networks, Inc.
The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license.
Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notice for All Other Executive Agencies
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Trademarks of Bay Networks, Inc.
Annex, Remote Annex, Annex Manager, Remote Annex 2000, Remote Annex 4000, Remote Annex 6100, Remote Annex 6300, Remote Annex 5390/Async, Remote Annex 5391/CT1, Remote Annex 5393/PRI, BayStack Remote Annex 2000 Server, Quick2Config, Bay Networks, Bay Networks Press, and the Bay Networks logo are trademarks of Bay Networks, Inc.
Third Party Trademarks
All other trademarks and registered trademarks are the property of their respective owners.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Bay Networks, Inc. reserves the right to make changes to the products described in this document without notice.
Bay Networks, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Contents
Preface
  About this Book ... vi
  Documentation Conventions ... vii
Chapter 1 Introduction
  NA Utility Features ... 1-1
  Windows NT® Server Access Security Features ... 1-2
  Using Remote Annex Documentation ... 1-2
    User Authentication Issues ... 1-2
    Name Server Issues ... 1-3
    Logging Issues ... 1-3
    Documentation Exceptions ... 1-3
  Platform Requirements ... 1-5
Chapter 2 Selecting Server Tools Options
  Selecting a Security Server ... 2-1
    Creating a Remote Users Group ... 2-4
    Creating a RADIUS Authentication and Accounting Server ... 2-6
  Selecting Booting/Logging Options ... 2-8
    Using the Event Viewer ... 2-10
  Configuring a RADIUS Server ... 2-13
    Creating and Configuring a RADIUS Server ... 2-14
    Modifying RADIUS Server Information ... 2-15
    Deleting RADIUS Server Information ... 2-16
  Displaying Version Information ... 2-17
Chapter 3 Understanding Erpcd
  Editing Files ... 3-2
  Using the acp_userinfo File ... 3-2
    Defining User Profiles ... 3-2
  Using the acp_keys File ... 3-16
    Creating Encryption Keys ... 3-17
  Using the acp_dialup File ... 3-18
    Using Local and Remote Addresses ... 3-19
Chapter 4 Using Security Features
  Using Windows NT® Domain Security ... 4-2
    Support for Multiple Domains ... 4-2
    Multiple Domain Authentication Setup Procedure ... 4-3
  Setting Remote Annex Security Parameters ... 4-4
    Security Requirements ... 4-4
    Types of Security ... 4-5
    PPP Security ... 4-6
    CLI Security ... 4-7
    Virtual CLI Security ... 4-7
    AppleTalk Security ... 4-7
    Port Server Security ... 4-8
    Additional Security Types ... 4-8
  RADIUS Security ... 4-9
    RADIUS and ACP Protocol Operation ... 4-10
    RADIUS Authentication ... 4-11
    PPP and CHAP Support ... 4-11
    Access-Request Attributes ... 4-12
    Access-Accept and Access-Reject Attributes ... 4-14
    RADIUS Accounting ... 4-14
    RADIUS Accounting Process ... 4-15
    Accounting-Request Attributes ... 4-15
    RADIUS Configuration Management ... 4-16
  Backup Security ... 4-20
  RADIUS Dictionary File ... 4-21
Appendix A Browsing for Resources on a Microsoft Network
  Browser Definition ... A-1
    Locating Browsers ... A-3
    The WINS Solution ... A-4
    Remote Annex Example ... A-6
    Additional Information ... A-7
Preface
Remote Annex Server Tools for Windows NT® allows you to boot, configure, and manage Remote Annexes on a Windows NT® network. It performs user authentication and authorization from a Windows NT® network and supports:
• Remote Annex 2000
• Remote Annex 4000
• Remote Annex 6100 and 6300
• 5390, 5391, 5393
• MicroCS
• Cabletron CSMIMII
• 3COM 6133C-XS
• 3COM 6117C-XS
The Remote Annex Server Tools for Windows NT® User Guide is intended for System Administrators or others who need to configure Remote Annex servers. It assumes that you are familiar with network protocols and that you know the parameter values you need to configure Remote Annexes.
This guide is part of the complete Remote Annex documentation set. You should refer to other manuals in the set for information not related to Remote Annex Server Tools for Windows NT®.
About this Book
This book documents Remote Annex Server Tools for Windows NT®. It explains the product's features and provides instructions for each of those features.
The Remote Annex Server Tools for Windows NT® User Guide includes the following chapters:
Chapter 1, Introduction, provides an overview of Remote Annex Server Tools for Windows NT® features. For existing Windows NT® customers who are migrating to the environment, this chapter compares and contrasts several features and behaviors that were ported from UNIX. In addition, this chapter lists minimum system requirements.
Chapter 2, Selecting Server Tools Options, describes Windows NT® Server security options and tells you how to set Remote Annex security parameters.
Chapter 3, Understanding Erpcd, discusses the role of the expedited remote procedure call daemon (erpcd). Erpcd is a Remote Annex software sub-system that receives and responds to all Remote Annex boot, dump, and ACP security requests.
Chapter 4, Using Security Features, discusses Windows NT® Server security and host-based network security.
Appendix A, Browsing for Resources on a Microsoft Network, describes Microsoft client setup for locating resources on a Microsoft network.
The Index gives you detailed page references for the entire Remote Annex Server Tools for Windows NT® User Guide.
Documentation Conventions
The following table lists the Remote Annex Server Tools for Windows NT® User Guide conventions:
Convention: Represents:
Italics: chapter titles, book titles, and chapter headings.
special type: samples in the na utility.
bold: commands, path names, program names, or file names.
Icons in the margin mark one-step procedures, important information, conditions that can have adverse effects on processing, and dangerous conditions.
Chapter 1
Introduction
Remote Annex Server Tools for Windows NT® allows you to boot and configure Remote Annexes on a Windows NT® network. You can manage one or more Remote Annexes using the na utility. In addition, the product takes advantage of Windows NT® domains to authenticate and authorize users.
NA Utility Features
The na utility is a command-line interface that lets you monitor and modify Remote Annex operating characteristics. It allows you to:
• Boot a Remote Annex.
• Reset a Remote Annex.
• Identify a Remote Annex by its Internet address or host name.
• Show and set values for all Remote Annex configuration parameters.
• Save current configuration parameter settings into script files.
• Copy the current parameter settings from one port to another or from one Remote Annex to another.
• Create new site defaults.
Windows NT® Server Access Security Features
Remote Annex Server Tools for Windows NT® works with a Windows NT® Server to provide access security. You define user and group access parameters in Windows NT® and link the appropriate group definitions with the Remote Annex through the Server Tools Options graphical user interface.
Remote Annex Server Tools for Windows NT® allows you to view the standard Remote Annex log file, a RADIUS server log file, and/or the Windows NT® Event Log.
Using Remote Annex Documentation
In addition to this manual, you need the Remote Annex Administrator's Guide for UNIX and the Remote Annex 6300 Supplement to the Remote Annex Administrator's Guide for UNIX. These guides provide reference, procedure, and feature descriptions for the Remote Annexes in a UNIX environment.
Be aware that minor differences exist between Windows NT®-based erpcd and UNIX-based erpcd. This section lists these issues and guides you to the appropriate manuals.
User Authentication Issues
Remote Annex Server Tools for Windows NT® takes full advantage of Windows NT® server user authentication and authorization. Logon and remote dial-in events trigger security services from Windows NT®. For information about Remote Annex Server Tools for Windows NT® user authentication, see Chapter 2 and Chapter 4.
Name Server Issues
Remote Annex Server Tools for Windows NT® supports DNS and IEN-116 name servers. We do not ship IEN-116 for Windows NT®. For more information, see the Remote Annex Administrator's Guide for UNIX. Be aware that IEN-116 discussions do not apply to Remote Annex Server Tools for Windows NT®.
Logging Issues
In addition to the standard Annex log destinations, you can configure Remote Annex Server Tools for Windows NT® to send Syslog and ACP log messages to the Windows NT® Event Log. See Chapter 3 for details. For additional logging information, you can refer to numerous chapters in the Remote Annex Administrator's Guide for UNIX and the Remote Annex 6300 Supplement to the Remote Annex Administrator's Guide for UNIX.
Documentation Exceptions
Some information in the Remote Annex Administrator's Guide for UNIX does not apply to Remote Annex Server Tools for Windows NT®, due in part to innate differences between Windows NT® and UNIX environments.
In addition, certain UNIX-based Annex features are not implemented in Remote Annex Server Tools for Windows NT®. You can use this table as a guide to documentation that does not apply to Remote Annex Server Tools for Windows NT®.
Book/Chapter    Topic
A/1     UNIX Host-Originated Connections
A/2     Using the Terminal Server TTY (TSTTY)
        Using the Transport Multiplexing (TMux) Protocol
A/4     Terminal Server TTY
        How TSTTY Interacts with Annex Port Parameters
        Configuring the Annex for TSTTY
        Transport Multiplexing Protocol (TMux)
        tip and uucp
        getty
A/13    Printing from a BSD Host using aprint or rtelnet
        Printing from a System V Host using aprint or rtelnet
A/14    Installing Software Using bfs
        IEN-116 Name Server
        Setting Up a Host for 4.3BSD Syslogging
A/15    Configuring the acp_regime file
        Creating User Password Files
        Limiting Access to Hosts via acp_restrict
        Overview of Password History and Aging
        Enabling and Configuring Password Histories
        Overview of Blacklisting
        Viewing and Managing the acp_dbm Database
        Security for NDP Ports
        Using Kerberos Authentication
        Using the ACE Server
        Using SafeWord AS Security
        Modifying the Supplied Security Application
        Using the ch_password Utility
B/2     TMux-Specific Annex Parameters vs. MIB Objects
C/4     aprint
        rtelnet
Platform Requirements
Remote Annex Server Tools for Windows NT® requires:
• Windows NT® Server version 3.51 or 4.0 configured to support the TCP/IP protocol.
• Administrative privileges on the server.
• 10 MB free disk space on an NTFS drive.
• One Windows NT® Server client license per Annex.
• A PC with an Intel 486 (or higher) CPU, or any fully compatible CPU.
• 32 MB RAM.
• CD ROM drive to install the product.
Chapter 2
Selecting Server Tools Options
The Server Tools Options window appears when you complete the installation process or when you double-click on the Options icon in the Bay Networks program group window. The Server Tools Options window has four tabbed dialog boxes that allow you to select a security server, select booting and logging options, choose and set up a RADIUS server, and view information about your current Remote Annex Server Tools for Windows NT® software version. This chapter includes:
• Selecting a Security Server and Group Authentication
• Selecting Booting/Logging Options
• Configuring a RADIUS Server
• Displaying Version Information
Selecting a Security Server
The Security tab dialog box allows you to choose a security regime, select RADIUS Authentication and Accounting servers, and add or remove domains and remote access groups.
To see this information, click on the Server Tools Options window's Security tab.
To select options in the Security window:
1. Select your desired security protocol from the Regime list box.
By default, Native NT security is selected.
2. In the Directory for security files field, accept the default or enter a new destination drive and directory for the acp_logfile file.
This field lists the drive on which you installed Remote Annex Server Tools for Windows NT® and the etc directory, where the system stores the acp_dialup, acp_keys, and acp_userinfo files.
3. If you selected RADIUS as your security protocol, select the Authentication Server and Accounting Server in the RADIUS Servers list box.
If you selected Native NT from the Regime list box, skip this step.
If the only options available in these two drop-down lists are local and same as authentication server, you need to create a list of servers from which to choose. For more information on this procedure, see Creating a RADIUS Authentication and Accounting Server, later in this section.
4. If you selected Native NT as your regime, select the Global Group Authentication check box.
You must select this box if you want to use Windows NT® global groups to authenticate users. If you do not select it, the system will authenticate user names and passwords only.
5. If you selected Native NT and want to create a default remote users group, select the Create Remote Users Group check box to make the default Remote Users Group available.
If you want to create a new Remote Users Group, see Creating a Remote Users Group later in this section.
6. If you selected Native NT, select an existing domain from the Domain field. When you select a domain, the groups within that domain appear in the Groups list box.
7. If you selected Native NT, select a name from the Groups list box.
8. Use Add to move the group you selected to the Remote Access Groups list box.
The groups you add appear in the Remote Access Groups list box preceded by their domain names. All users in the groups you list will be allowed access once they are authenticated using Windows NT® domain security. Users who are not members of any group listed here will not have access to Remote Annexes, their ports, or networks.
You can double-click on a group name to move additional groups to the list. If you want to change your selections, select the group from the list box and use Remove.
If you install Remote Annex Server Tools for Windows NT® on a primary domain controller, the groups you select here must have local log on privileges to allow authentication. For more information about this privilege, refer to Installing Remote Annex Network Software for Windows NT® included with your documentation set.
9. When you have completed your Security setup, click on OK to set the changes you made and close the dialog box.
Click on Cancel to close the dialog box without saving or applying your changes.
Click on Apply to set your changes and leave the Server Tools Options window open on your desktop.
Use this option if you want to make changes in any of the other tabbed dialogs.
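The gating that steps 4 through 8 set up, written out as an added Python example (not Bay Networks code): under the Native NT regime a user is first authenticated, then must belong to a domain-qualified Remote Access Group, and with the Global Group Authentication box unchecked the check collapses to user name and password only. The DOMAIN\Group spelling of list entries, the constructed in-memory account table, and the authenticate() stand-in for the Windows NT domain logon are assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample accounts, not a real domain: (domain, user) -> (password, global groups)
ACCOUNTS = {
    ("ENG", "alice"): ("s3cret", {"Domain Users", "Dialin"}),
    ("ENG", "bob"): ("hunter2", {"Domain Users"}),
    ("SALES", "carol"): ("pa55", {"Domain Users", "Dialin"}),
}


@dataclass
class SecurityOptions:
    """Settings from the Security tab that matter for the access decision."""
    regime: str = "Native NT"                 # Regime list box: "Native NT" or "RADIUS"
    global_group_authentication: bool = True  # Global Group Authentication check box
    remote_access_groups: set = field(default_factory=set)  # entries assumed as "DOMAIN\\Group"


def authenticate(domain, user, password):
    """Stand-in for the Windows NT domain logon (assumption).

    Returns the user's global groups on success, None on failure.
    """
    entry = ACCOUNTS.get((domain, user))
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]


def dial_in_allowed(opts, domain, user, password):
    """Decide whether a dial-in user gets access under the Security tab settings.

    Returns (allowed, reason) so the reason can be logged alongside the decision.
    """
    if opts.regime != "Native NT":
        raise ValueError("RADIUS regime: the decision is made by the RADIUS server")
    groups = authenticate(domain, user, password)
    if groups is None:
        return False, "logon failed"
    if not opts.global_group_authentication:
        # Box unchecked: the system checks user name and password only, so any
        # valid domain account gets in regardless of Remote Access Groups.
        return True, "authenticated (no group check)"
    # Groups are listed "preceded by their domain names", so a Dialin group in
    # another domain does not match.
    qualified = {f"{domain}\\{g}" for g in groups}
    matched = qualified & opts.remote_access_groups
    if matched:
        return True, f"member of {sorted(matched)[0]}"
    return False, "not a member of any Remote Access Group"
```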
Creating a Remote Users Group
You can add or remove a new Remote Users Group in the Security tab window within the Server Tools Options application. However, unless this new group already exists, you must first create the new group and its information via the Windows NT® operating system.
To add a new default group, choose the Create Remote Users Group check box.
Remote Users Group appears automatically in the Remote Access Groups list. If you find you do not need the group, you can delete it before you click on OK or Apply by selecting it and clicking on Remove or by deselecting the Create Remote Users Group check box.
To create a new Group:
1. Click on the Administrative Tools icon in the Windows NT® program group window.
The Administrative Tools window appears.
2. Click on the User Manager for Domains icon.
The User Manager for Domains dialog box appears.
3. Add the new Group and associated information.
For more information, see the Windows NT® documentation on using the options in this window.
4. When you have completed adding your Group information, click on the Security tab in the Server Tools Options window.
The Security dialog box opens.
5. Click on the Domain pull-down menu. The list boxes Groups and Remote Access Groups become active and list the group(s) you created in the above steps.
6. Select the newly created Group from the Groups list box and click on Add.
The selected group appears in the Remote Access Groups list box.
7. When you have completed your changes, click on OK to set the changes you made and close the dialog box.
Click on Cancel to close the dialog box without saving or applying your changes.
Click on Apply to set your changes and leave the Server Tools Options window open on your desktop.
Use this option if you want to make changes in any of the other tabbed dialogs.
Creating a RADIUS Authentication and Accounting Server
To create a RADIUS Authentication or Accounting server:
1. Click on the Server Tools Options window's RADIUS Servers tab.
The RADIUS Servers dialog box opens.
2. Click on New. All information fields become active.
3. Enter the Host Name of the RADIUS server to be created.
4. Tab to the IP Address text field and enter the IP Address that is associated with the Host Name.
Repeat step 4 to configure the Secret format, the Timeout period, and the number of Retries (for more details on Secret, Timeout, and Retries, see Chapter 4).
5. Click on Accept to apply the new server information or Revert to cancel your changes.
Any fields can be modified before you click on Accept or Revert. When Accept or Revert is chosen, the fields become inactive and can only be reactivated for editing by selecting the server then choosing Modify.
6. Click on OK to save your changes and close the dialog box.
Click on Cancel to close the dialog box without saving or applying your changes.
Click on Apply to set your changes and leave the Server Tools Options window open on your desktop.
Use this option if you want to make changes in any of the other tabbed dialogs.
Before you can select a Backup Server, you must create more than one RADIUS server. Once you create a second RADIUS server, the first RADIUS server created appears in the Backup Server drop-down list.
Selecting Booting/Logging Options
The Booting/Logging tab window allows you to select log files, to choose locations for load and dump files, and to choose directories, time formats, and network address formats for the log file.
To display this window, choose the Booting/Logging tab in the Server Tools Options window.
If you select Use NT Event Log, your selections for time and network address formats will appear in the acp_logfile and in the NT® Event Log's Detail window.
To select options in the Booting/Logging window:
1. In the Directory for load and dump files field, accept the default or enter a drive and a directory for the Remote Annex system images and dump files.
This field automatically lists the drive on which you installed Remote Annex Server Tools for Windows NT® and the bfs directory, where the system stores load and dump files.
If you enter a new directory, you can use the File Manager to move Remote Annex software images to the new directory. If you enter a new directory and do not move the images, Remote Annexes will not be able to boot.
2. Select Use NT Event Log, Use acp_logfile, or Use RADIUS Logging to choose a method for storing log messages.
You can log syslog messages generated at the Remote Annex as well as security messages generated by erpcd or RADIUS:
• If you choose Use NT Event Log, the system stores messages in the Applications portion of the standard Windows NT® Event Log.
• If you choose Use acp_logfile, the system stores messages in the acp_logfile in the directory selected in the Security dialog box. (You can see the acp_logfile by double-clicking on the acp_logfile icon in the Bay Networks program group window.)
• If you choose Use RADIUS Logging, the system sends messages to the RADIUS server.
RADIUS logging is not available (grayed-out) unless the RADIUS security regime is selected in the Security dialog box.
3. If you selected Use acp_logfile in the Booting/Logging dialog box, in the Time Format box, select a format for time listings.
You can choose:
• YY/MM/DD HH:MM:SS to display the date and time that an event occurred (e.g., 95/12/30 06:22:15).
• Use Seconds to list time in seconds since January 1, 1970.
4. If you selected Use acp_logfile or NT Event Log in the Booting/Logging dialog box, in the Network Address Format box, choose an IP address or Host Name format.
You can choose:
• Use IP Address to place the Internet address of a Remote Annex that generates logging messages in the log files.
• Use Host Name to include a Remote Annex name in the log files instead of the Remote Annex's Internet address.
The time and address formats you choose will appear in the acp_logfile or RADIUS logging. If you chose Use NT Event Log, the format appears in the event log's Detail window.
Using the Event Viewer
Remote Annex Server Tools for Windows NT® uses the standard Windows NT® Event Viewer. If you selected Use NT Event Log in the Booting/Logging dialog box, the Windows NT® Application Event Log will include syslog and security messages.
To see Windows NT® logs, double-click on the Event Viewer icon in Administrative Tools and select Application from the Log menu.
The Windows NT® Event Log stores information in the following columns:
• An icon at the beginning of each line indicates the severity of the message.
• Date stores the date that the event was logged in Windows NT®.
• Time stores the time that the event was logged into Windows NT®. The Event Log's Detail window lists the time an event occurred.
• Source lists the software that logged the event. For syslog messages from a Remote Annex or from the network, Annex_syslog appears. For messages generated by erpcd, the column displays Annex_syslog. For security messages, the log entry reads Annex_ACP.
• Category classifies events.
• Event contains a number generated by the Remote Annex to identify each event.
• User displays N/A. Remote Annex Server Tools for Windows NT® does not use this column.
• Computer displays the name of the host on which you installed erpcd.
You can display the event log's Detail window by double-clicking on any line in the Windows NT® Event Log.
Configuring a RADIUS Server
The RADIUS Servers tab dialog box allows you to create, modify, delete, and configure a RADIUS server and to set parameters such as IP Address and Secret format.
To see this information, click on the Server Tools Options window's RADIUS Servers tab.
First Time Use
The first time you open the RADIUS Servers dialog box after installation, the information fields will be blank and inactive. You need to create and configure the RADIUS servers that you will be using. Use the following procedures to create, configure, modify, and delete your RADIUS servers and associated parameters.
Creating and Configuring a RADIUS Server
To create and configure a new RADIUS Server:
1. Click on New.
All information fields become active.
2. Enter the Host Name in the text field.
3. Tab to the IP Address text field and enter the IP address that is associated with the Host Name.
4. Repeat step 3 to configure the Secret format, the Timeout period, and the number of Retries.
5. Click on Accept to apply the new server information or Revert to cancel your changes.
Any fields can be modified before you click the Accept or Revert buttons. When Accept or Revert is chosen, the fields become inactive and can only be reactivated for editing by selecting the server and then choosing the Modify button.
6. Click OK to save your changes and close the Server Tools Options window.
Click on Cancel to close the dialog box without saving or applying your changes.
Click on Apply to set your changes and leave the Server Tools Options window open on your desktop.
Use this option if you want to make changes in any of the other tabbed dialogs.
Before you can select a Backup Server, you must create more than one new RADIUS server. Once you create a second RADIUS server, the first RADIUS server created appears in the Backup Server drop-down list.
Modifying RADIUS Server Information
1. Select your desired RADIUS server from the RADIUS Servers list box.
When you select your RADIUS server, the information fields on the right side of the dialog box automatically fill in with the appropriate information pertaining to the RADIUS server that you selected. Click on Modify.
All information text fields become active, except the Host Name.
2. Place your cursor in the desired information field to be modified and enter the new information.
3. Click on Accept to save the modified information or Revert to cancel your changes.
Any fields can be modified before you choose Accept or Revert. When Accept or Revert is chosen, the fields become inactive and can only be reactivated by choosing the Modify button.
4. Click OK to save your changes and close the Server Tools Options window.
Click on Cancel to close the dialog box without saving or applying your changes.
Click on Apply to set your changes and leave the Server Tools Options window open on your desktop.
Use this option if you want to make changes in any of the other tabbed dialogs.
Deleting RADIUS Server Information
1. Select the RADIUS Server to be deleted and click on Delete.
All information text fields remain inactive and a confirmation dialog box appears.
2. Click OK to delete the RADIUS Server or Cancel to exit the confirmation dialog box without deleting any server information.
The confirmation dialog box closes.
3. Click OK to save your changes and close the Server Tools Options window.
Click on Cancel to close the dialog box without saving or applying your changes.
Click on Apply to set your changes and leave the Server Tools Options window open on your desktop.
Use this option if you want to make changes in any of the other tabbed dialogs.
Displaying Version Information
The Version tab window provides the company and product name, version number, and build number for the Remote Annex Server Tools for Windows NT®.
To see this information, click on the Server Tools Options window's Version tab.
Chapter 3
Understanding Erpcd
Remote Annex Server Tools for Windows NT® uses the expedited remote procedure call daemon (erpcd) running on a Windows NT® server. Erpcd responds to all Remote Annex boot, dump, and ACP security requests. ACP's eservices file, stored in the \etc directory, lists the services that erpcd provides. Eservices includes controls for:
• The block file server program (bfs) that sends boot files to a Remote Annex and collects dump files from a Remote Annex.
• The Access Control Protocol (ACP) program that provides security when you define a security server. See for additional information.
You can use the Remote Annex Administrator's Guide for UNIX to find additional information about erpcd, the acp_userinfo, acp_keys, and acp_dialup files. However, Remote Annex Server Tools implements erpcd differently because it uses Windows NT® domain authentication.
This chapter describes the files you can edit. It includes:
• Editing Files
• Using the acp_userinfo File
• Using the acp_keys File
• Using the acp_dialup File
Editing Files
You can edit the acp_userinfo, acp_dialup, and acp_keys files from the Bay Networks program group window. For each file, there is an associated icon in the program group window.
To open an individual file, such as the acp_userinfo file, from the Bay Networks program group window, double-click on the associated icon and the file will open in the Windows NT® Notepad editor.
Your changes take effect immediately. User names and group names are not case-sensitive.
Using the acp_userinfo File
The acp_userinfo file stores information about the Remote Annex commands and protocols that are available to users. When a user logs in to the server, erpcd matches the login environment with acp_userinfo entries and controls user access based on these entries.
Defining User Profiles
Defining user profiles is useful only when you want to restrict a user’s privileges for remote access connections.
The acp_userinfo file allows you to control network access based on a user's login environment. When you create a profile, erpcd first authenticates users and then attempts to match the user name with an entry in the acp_userinfo file. If a profile matches the login environment, erpcd downloads attribute information.
For example, if a user who belongs to the Engineering group requests access to a Remote Annex port on Monday morning at 10 a.m. and a profile excludes Engineering group members from using that Remote Annex on Mondays between 9 and 11 a.m., the user cannot log in to the port. In this case, Remote Annex Server Tools for Windows NT® authenticates the user's Windows NT® name and password, matches the current environment (the Remote Annex, port, day and time) to an entry in acp_userinfo, and downloads instructions (or attributes) so that the Remote Annex denies access to the user.
For more detailed information about profiles and for examples using the na utility, please refer to the Remote Annex Administrator's Guide for UNIX. Some terminology differs in this book, but keyword and attribute names and formats are identical in function.
User Profile Formats
The acp_userinfo file stores user profiles in the user ...end block format. This format can include:
• user to begin the block.
• One or more keywords that specify the user environment. Entries must contain:
  • A keyword, an equal sign (=) and a value, without spaces. For an explanation of these keywords, refer to Environment Keywords later in this chapter.
  • A semicolon (;) to separate keyword/value statements.
  • A backslash (\) at the end of a line if you continue the entry on a second line.
  You cannot use each keyword more than once in any user profile. A line cannot exceed 80 characters.
  You cannot include spaces on either side of the equal sign, the semicolon, or within the value, except in a value for time.
• The attributes that erpcd applies when all user profile elements match the user's login environment.
• end to conclude the profile.
The acp_userinfo file can include as many user profiles as you need. The matching process requires that all elements in a user profile match the user's login environment.
Since erpcd uses the first profile it finds that matches a user's login environment, you need to place profiles in the order in which you want them to match.
Using Profile Environment Keywords
User profiles contain one or more keywords that define user login conditions. Erpcd matches these conditions to environment conditions listed in a user profile.
Username and Group Keywords
The username keyword specifies a single Windows NT® user. The group keyword allows you to create a user profile for any member of a Windows NT® group.
To use these keywords, enter username= or group= followed by a user or group name.
If you do not enter a user or group name, the profile applies to all users. You can use an asterisk as a wildcard following a partial name or an asterisk alone to indicate that the profile applies for all users or group members who meet the criteria.
If you do not enter a domain name, erpcd assumes the user is registered in the domain in which Remote Annex Server Tools for Windows NT® is installed. If you create a profile for a user or group in a different domain, you must enter the domain name, two backslashes, and the user or group name (e.g., Marketing\\Russell).
time Keyword
The time keyword allows you to define a period of time during which a profile's attributes apply.
To use this keyword, type time= followed by one or more of the following:
• A day of the week (e.g., Tuesday).
• A specific date, including the month and the date (e.g., August 1).
• A range of hours in hh:mm format (e.g., 06:30). You must enter a start time and an end time. You can enter a.m. or p.m. following each time.
If you do not enter a day and/or a date, erpcd applies the start and end time every day of the week. If you omit a.m. or p.m., you are specifying time in the 24-hour format.
protocol Keyword
The protocol keyword defines a protocol by which a user can connect to a Remote Annex.
To define a protocol, type protocol= followed by slip, ppp, or cli.
You cannot enter more than one protocol on a line. However, you can repeat the protocol= format and add a second or third profile.
annex and ports Keywords
The annex and ports keywords specify the Remote Annexes and ports to which profile attributes will apply.
To list Remote Annexes and/or ports, type annex= and/or ports= followed by one or more Remote Annex names or IP addresses and one or more port numbers, respectively.
You can use an asterisk to specify a partial Remote Annex name or IP address. In addition, you can enter individual port numbers separated by commas or a range of port numbers using dashes (e.g., ports=1,3,6-22).
To combine the annex and port keywords in one line, separate keyword/value entries with a semicolon (e.g., annex=Annex02,245.132.88.22;ports=1,3,6-22). If you omit Remote Annex names or addresses and list one or more ports, profile attributes will apply to all Remote Annexes.
Understanding Profile Attributes
In each user profile, one or more attributes follow keywords and their values. This section explains the attributes you can include.
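Before the individual attributes are described, here is the profile format and first-match rule as an added Python example (not the manual's or Bay Networks' code): it parses constructed user ...end profiles using the username, group, time, protocol, annex, and ports keywords and returns the attribute lines of the first profile that matches a login environment. The time layout (weekday, then start and end in 24-hour hh:mm) and the comparison of a DOMAIN\\user entry against an NT-style user name are assumptions, since the manual lists the parts of a time value but not their exact order.

```python
"""Added example (not Bay Networks code): parse acp_userinfo user...end
profiles and return the attributes of the first profile whose environment
keywords all match a login, following the matching rules described above.
Assumed: a time value is 'weekday start end' in 24-hour hh:mm, and a
DOMAIN\\user written with two backslashes in the file names an NT user."""
from fnmatch import fnmatchcase

# Constructed sample file, not from the manual. Profiles are tried in file
# order, so the broad catch-all profile comes last.
SAMPLE_ACP_USERINFO = r"""
user username=Marketing\\russell;annex=annex0*;ports=1,3,6-22
    deny
end
user group=Engineering;time=Monday 09:00 11:00
    deny
end
user group=Engineering;protocol=cli
    clicmd ppp
    climask telnet rlogin
end
user
    clicmd hosts
end
"""

WEEKDAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
KEYWORDS = {"username", "group", "time", "protocol", "annex", "ports"}

def _logical_lines(text):
    """Strip indentation, drop blank lines, join backslash-continued lines."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        if pending + line:
            lines.append(pending + line)
        pending = ""
    return lines

def parse_profiles(text):
    """Return [(keyword dict, [attribute lines]), ...] in file order."""
    profiles, current = [], None
    for line in _logical_lines(text):
        if current is None:
            if line != "user" and not line.startswith("user "):
                raise ValueError(f"text outside a user...end block: {line!r}")
            keywords = {}
            for item in filter(None, line[4:].strip().split(";")):
                key, _, value = item.partition("=")
                if key not in KEYWORDS or key in keywords:  # each keyword at most once
                    raise ValueError(f"bad or repeated keyword in {line!r}")
                keywords[key] = value
            current = (keywords, [])
        elif line == "end":
            profiles.append(current)
            current = None
        else:
            current[1].append(line)
    if current is not None:
        raise ValueError("profile without a closing end")
    return profiles

def _ports(value):
    """Expand '1,3,6-22' into the set of port numbers it names."""
    ports = set()
    for part in value.split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def _time_matches(value, env):
    tokens = value.split()
    days = [t.lower() for t in tokens if t.lower() in WEEKDAYS]
    clock = [t for t in tokens if ":" in t]
    if len(clock) != 2:
        raise ValueError("time needs a start time and an end time")
    if days and env["weekday"].lower() not in days:  # no day given: every day
        return False
    return _minutes(clock[0]) <= _minutes(env["time"]) <= _minutes(clock[1])

def _name_matches(pattern, name):
    """Case-insensitive wildcard match; two backslashes in the file are one."""
    return fnmatchcase(name.lower(), pattern.replace("\\\\", "\\").lower())

def profile_matches(keywords, env):
    """True only when every keyword in the profile matches the environment."""
    checks = {
        "username": lambda v: _name_matches(v, env["username"]),
        "group": lambda v: any(_name_matches(v, g) for g in env["groups"]),
        "annex": lambda v: any(_name_matches(p, env["annex"]) for p in v.split(",")),
        "ports": lambda v: env["port"] in _ports(v),
        "protocol": lambda v: env["protocol"] == v,
        "time": lambda v: _time_matches(v, env),
    }
    return all(checks[key](value) for key, value in keywords.items())

def attributes_for(env, text=SAMPLE_ACP_USERINFO):
    """Attribute lines of the first matching profile, or [] when none matches."""
    for keywords, attributes in parse_profiles(text):
        if profile_matches(keywords, env):
            return attributes
    return []

def login(username, groups, annex, port, protocol, weekday, time):
    """A login environment as erpcd sees it (user, groups, Annex, port, ...)."""
    return {"username": username, "groups": set(groups), "annex": annex,
            "port": port, "protocol": protocol, "weekday": weekday, "time": time}
```

The second profile reproduces the manual's own scenario: an Engineering member on a Monday at 10:00 gets deny, while the same member on a Tuesday falls through to the third profile.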
accesscode
The accesscode attribute controls the text that a user enters when logging in to a dial-back port. Before you can use the accesscode attribute, you must define at least two modem pools (one for dial-in and one for dial-out) in the acp_userinfo file. A modem pool groups asynchronous ports on one or more Remote Annexes.
Modem pool definitions usually appear at the end of the acp_userinfo file. To define a modem pool:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type pool followed by a name for the modem pool (e.g., pool inboundpool1).
3. Type ports followed by one or more port numbers, @, and one or more Remote Annex names or IP addresses.
You can separate port numbers with commas and/or enter a range of numbers with dashes (e.g., ports 1,6-10@Annex01).
The acp_userinfo file can store one or more accesscode attributes in a user profile. To create an accesscode entry:
1. Type accesscode followed by a code name.
For IPX clients, you must enter IPX for the access code.
2. Type phone_no followed by an actual phone number (e.g., phone_no 634-5789).
If you do not enter a phone number, the system prompts the user for it. You can enter charge_back for IPX clients so that the system prompts the user for a phone number, drops the connection, and calls the user at that number.
3. Type in_pool followed by the name of an inbound modem pool (e.g., in_pool inboundpool1).
4. Type out_pool followed by the name of an outbound modem pool (e.g., out_pool outboundpool1).
5. Type job followed by one CLI command, its arguments, and end.
You do not need to enter a job specification.
6. Type end.
clicmd
The clicmd attribute allows you to list CLI commands that erpcd will execute if the profile matches. To use this attribute:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type clicmd.
3. Enter a single user or superuser CLI command or the name of an existing macro defined for a Remote Annex.
4. Type end.
You can repeat the line you created in Steps 1-3 if you want to use more than one CLI command. Erpcd executes CLI commands in the order in which they appear.
5. Add clicmd...end following the last line that lists a CLI command.
You can use this line only if you want to continue the CLI session after erpcd executes the last CLI command.
You cannot use clicmd unless you set the cli_security parameter to Y. You should not include the same CLI command in the clicmd and climask entries.
climask
The climask attribute limits the CLI commands a user can execute. To use this attribute:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type climask.
3. Enter one or more CLI commands. If you enter more than one command, separate commands with spaces.
4. Type end to conclude the climask entry.
You can use include files in place of repeated climask entries. To use these files, type include and the file name. Include files must be stored in the same directory as the acp_userinfo file.
When a user's name and password match the profile, erpcd sends this list to the Remote Annex, which prevents the user from executing the commands.
You cannot use climask unless you set the cli_security parameter to Y. You should not include the same CLI command in the clicmd and climask entries.
For detailed information about all CLI commands, please refer to the Remote Annex Administrator's Guide for UNIX.
deny
The deny attribute prevents a user from connecting to a Remote Annex. To use the command:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type deny following a user name or group name.
If you include additional attributes in a profile that uses deny, the profile will not execute additional attributes.
When erpcd denies access to a Remote Annex, it generates a message in the log file. For CLI users, the message appears on the screen.
filter
The filter attribute sets network address restrictions for specific users or groups. These restrictions apply to the port on which a user logs in.
To use the attribute:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type filter.
3. Enter a filter definition.
4. Type end.
You can repeat the line you created in Steps 1-3 if you want to use more than one filter. Erpcd executes filter attributes in the order in which they appear.
Each filter definition includes categories for direction, scope, family, criteria, and actions. You must separate each part of the filter definition with a space.
• Direction applies the filter to incoming or outgoing packets. You can enter input or output. To apply a filter to incoming as well as outgoing packets, you must create two separate definitions.
• Scope controls how erpcd matches the filter definition. You can enter include to apply the filter only to packets that match the definition, or exclude to apply the filter only to packets that do not meet the definition.
• Family, an optional part of the definition, specifies the protocol to which the filter applies. Currently, the system supports only ip.
• Criteria includes the conditions for the filter. This section uses a keyword followed by a value. You can enter:
  • dst_address (the packet's destination address) followed by an IP address.
  • dst_port (the destination port) followed by a port number from 1-65535 or by a service name.
  • src_port (the source port number) followed by a port number from 1-65535 or by a service name.
  • src_address (the packet's source address) followed by an IP address.
  • address_pair for incoming or outgoing packets passing between two addresses, followed by two IP addresses. You must enter both addresses, separated by a space, on the same line. If you use this keyword, you cannot use dst_address or src_address.
  • port_pair for incoming or outgoing packets passing between two ports or services, followed by a port number or service name. If you use this keyword, you cannot use dst_port or src_port.
  • protocol (the packet's transport protocol) followed by a number from 1 to 65535 or by tcp, udp, or icmp.
  To match all addresses or port numbers, enter -1 or * in place of an address or port number. For service names, you can enter domain, finger, ftp, name, nfs, nntp, rlogin, route, routed, router, rtelnet, sftp, smtp, telnet, tftp, time, who, or login. For the port numbers that correspond to these service names, refer to the Remote Annex Administrator's Guide for UNIX.
• Actions specify a filter's activity when its criteria match a packet. You can enter one or more of the following actions:
  • discard discards the packet. If you use syslog, icmp, or netact with discard, the system discards the packet after it takes those actions.
  • icmp discards the packet and sends an ICMP message indicating that the destination is unreachable.
  • netact defines activity for a SLIP or PPP dynamic dial-out line. When you use netact in a filter that is enabled on a SLIP or PPP dynamic dial-out line, packets that match the filter constitute activity on the line. If the line is not up, netact discards the packet.
  • no_start, used with include (in the Scope category), specifies that packets defined as activity will not activate a dynamic dial-out line, but will keep the line up and will reset the net_inactivity timer parameter to 0.
  • syslog logs the event in the log files.
route
The route attribute defines the IP routes that a router can make available through a Remote Annex when it dials in. You should use this attribute when you do not want a router to incur overhead in running a routing protocol itself. To use this attribute, you must:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type route.
3. Enter an IP address for the route's destination.
4. Enter a subnet mask for the destination's address.
5. Enter an IP address for the gateway that is the next hop for the route.
If you enter an asterisk, the Remote Annex uses the port's remote address as the gateway.
6. If necessary, you can enter a number from 1 to 15 to indicate the number of hops to the destination or -h to indicate that the route is hardwired.
You can skip this step. You do not have to enter a number of hops or -h.
7. Type end.
at_zone
The at_zone attribute lists AppleTalk zones on a network. To use this attribute:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type at_zone.
3. Enter one or more zone names.
If you use more than one zone name, separate names using spaces (e.g., at_zone zone1 zone2). Zone names use 1-32 characters; you cannot use non-printable characters. If you enter a name that contains spaces, you must enclose the entire name in double quotation marks.
4. Type end.
at_connect_time
The at_connect_time attribute specifies the number of minutes that an ARA connection can remain open. To use this attribute:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type at_connect_time followed by a number of minutes.
at_nve_filter
The at_nve_filter attribute allows you to include or exclude users from specific objects, network numbers, subzones, and zones. You can specify one at_nve_filter attribute for each user in a profile. To use this attribute:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type at_nve_filter.
3. Type include or exclude.
4. Enter an object name followed by a colon (:).
5. Enter a network number or subzone name followed by @.
6. Enter a zone name.
7. Type end.
For object names, network numbers or subzone names, and zone names, you can use an asterisk as a wildcard. All entries in steps 3, 4, and 5 are case-sensitive and can use up to 32 characters.
at_password
The at_password attribute stores a password for each registered AppleTalk user. Remote Annex Server Tools for Windows NT® uses this password to authenticate all AppleTalk users. To use this attribute:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type at_password followed by a password using 1 to 9 characters.
You can include punctuation marks in a password. If you use spaces and/or hexadecimal values, use the backslash (\) preceding these characters.
If you want to allow AppleTalk guests access to the network, you should use the na utility to set the at_guest parameter to Y. You can, however, create an at_password attribute here using Guest (case sensitive) as a user name.
chap_secret
The chap_secret attribute defines the token used for authentication when you use the CHAP protocol for PPP links. CHAP authenticates users based on the user names in the acp_userinfo file. To create a token:
1. Open the acp_userinfo file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_userinfo file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and type chap_secret followed by the token.
Each token can use up to 32 alphanumeric characters. We recommend that all tokens use at least 16 characters.
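The filter attribute described earlier in this section, as an added Python example (not the manual's or Bay Networks' code): it parses filter definitions in the direction, scope, optional family, criteria, actions form and evaluates constructed packets against them in file order. The mapping of service names to their standard well-known ports and the rule that the first applicable filter decides are assumptions, since the manual refers to the UNIX guide for the numbers erpcd uses.

```python
"""Added example, not Bay Networks code: parse acp_userinfo filter
definitions (direction scope [family] criteria... actions...) and apply them
to constructed packets. Service-name ports are standard IANA assignments
(an assumption; the manual defers to the UNIX Administrator's Guide)."""

SERVICES = {"domain": 53, "finger": 79, "ftp": 21, "name": 42, "nfs": 2049,
            "nntp": 119, "rlogin": 513, "login": 513, "rtelnet": 107,
            "sftp": 115, "smtp": 25, "telnet": 23, "tftp": 69, "time": 37,
            "who": 513, "route": 520, "routed": 520, "router": 520}
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}
ACTIONS = {"discard", "icmp", "netact", "no_start", "syslog"}
# criterion keyword -> number of values that follow it
CRITERIA = {"dst_address": 1, "dst_port": 1, "src_port": 1, "src_address": 1,
            "address_pair": 2, "port_pair": 2, "protocol": 1}
WILDCARDS = ("-1", "*")   # "-1 or *" matches any address or port

def _port(value):
    """Port number or service name; None means 'match any port'."""
    if value in WILDCARDS:
        return None
    port = SERVICES[value] if value in SERVICES else int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port

def _address(value):
    return None if value in WILDCARDS else value

def parse_filter(definition):
    """Split one space-separated definition into its five categories."""
    tokens = definition.split()
    direction, scope, i = tokens[0], tokens[1], 2
    if direction not in ("input", "output") or scope not in ("include", "exclude"):
        raise ValueError(f"bad direction or scope: {definition!r}")
    if i < len(tokens) and tokens[i] == "ip":  # family is optional
        i += 1
    criteria = {}
    while i < len(tokens) and tokens[i] in CRITERIA:
        count = CRITERIA[tokens[i]]
        values = tokens[i + 1:i + 1 + count]
        if len(values) != count:
            raise ValueError(f"{tokens[i]} needs {count} value(s): {definition!r}")
        criteria[tokens[i]] = values
        i += 1 + count
    actions = tokens[i:]
    if not criteria or not actions or not set(actions) <= ACTIONS:
        raise ValueError(f"missing criteria or unknown action: {definition!r}")
    for pair, singles in (("address_pair", {"dst_address", "src_address"}),
                          ("port_pair", {"dst_port", "src_port"})):
        if pair in criteria and criteria.keys() & singles:
            raise ValueError(f"{pair} cannot be combined with {sorted(singles)}")
    if "no_start" in actions and scope != "include":
        raise ValueError("no_start is only valid with include")
    return {"direction": direction, "scope": scope, "criteria": criteria, "actions": actions}

def _pair_matches(wanted, actual):
    """A pair criterion matches traffic either way between its two values."""
    (a, b), (x, y) = wanted, actual
    return (a in (None, x) and b in (None, y)) or (a in (None, y) and b in (None, x))

def criteria_match(criteria, packet):
    """True when every criterion in the filter matches the packet."""
    for key, values in criteria.items():
        if key in ("src_address", "dst_address"):
            ok = _address(values[0]) in (None, packet[key[:3]])
        elif key in ("src_port", "dst_port"):
            ok = _port(values[0]) in (None, packet[key[:3] + "port"])
        elif key == "address_pair":
            ok = _pair_matches(tuple(map(_address, values)), (packet["src"], packet["dst"]))
        elif key == "port_pair":
            ok = _pair_matches(tuple(map(_port, values)), (packet["srcport"], packet["dstport"]))
        else:  # protocol: a number or tcp/udp/icmp
            ok = (PROTOCOLS.get(values[0]) or int(values[0])) == packet["proto"]
        if not ok:
            return False
    return True

def apply_filters(definitions, packet):
    """Actions of the first filter that applies, in file order; [] if none.
    include applies the actions when the criteria match, exclude when they do
    not. Stopping at the first applicable filter is this example's assumption."""
    for spec in map(parse_filter, definitions):
        if spec["direction"] != packet["direction"]:
            continue
        if (spec["scope"] == "include") == criteria_match(spec["criteria"], packet):
            return list(spec["actions"])
    return []

def packet(direction, src, dst, proto, srcport=0, dstport=0):
    """Constructed packet summary as seen on the user's port."""
    return {"direction": direction, "src": src, "dst": dst,
            "proto": PROTOCOLS[proto], "srcport": srcport, "dstport": dstport}

# Constructed filter entries, not from the manual: log and drop inbound telnet,
# let the dial-in host talk outbound only to one server, and answer inbound
# ICMP with a destination-unreachable.
SAMPLE_FILTERS = [
    "input include ip dst_port telnet discard syslog",
    "output exclude address_pair 10.1.1.5 10.1.2.9 discard",
    "input include protocol icmp icmp",
]
```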
Using the acp_keys File
The acp_keys file stores Remote Annex names or IP addresses and corresponding encryption keys. Erpcd uses the keys you define here to create encryption keys that the security server and a Remote Annex use to exchange messages. When the security server receives an encrypted message from a Remote Annex, it matches the key with an associated Remote Annex in the acp_keys file. If there is no match, the Remote Annex and the server cannot communicate.
To create an entry in the acp_keys file:
1. Open the acp_keys file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_keys file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and enter one or more Remote Annex names or IP addresses.
You can use an asterisk (wildcard) for any part of an IP address. If you list more than one Remote Annex, you must separate names or IP addresses using commas.
3. Type a colon to separate Remote Annex names or addresses from the encryption key.
4. Enter an encryption key that uses up to 15 characters.
You cannot use spaces or tabs here. Encryption keys are case-sensitive. For additional information, refer to Creating Encryption Keys on page 3-17.
For example, annex1, annex2: abcxyz is a simple entry that defines an encryption key for two Remote Annexes. If you need to continue an entry on a second line, use the backslash (\) at the end of the first line.
Erpcd first attempts to match complete IP address entries in the acp_keys file. If it does not find an exact match, it searches entries that contain wildcards. In either case, it uses the first key entry it finds.
Creating Encryption Keys
You must define encryption keys by setting the acp_key parameter for each Remote Annex. If the key value is not the same in the acp_keys file and for the acp_key parameter, the Remote Annex and the server cannot communicate. In addition, you must set the enable_security parameter to Y to use any security feature.
To set up encryption keys:
1. Open the acp_keys file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_keys file opens in the Notepad editor.
2. Go to the area of the file where entry information resides and enter Remote Annex names or IP addresses and encryption keys in the acp_keys file.
3. Use the admin utility on the Remote Annex to set the acp_key parameter for each Remote Annex you listed in the acp_keys file.
4. Use the Services control panel to stop or pause erpcd.
5. Use the admin utility’s reset annex security command to reset security for the Remote Annexes whose keys you added or changed.
6. Use the Services control panel to restart erpcd.
Using the acp_dialup File
The acp_dialup file stores user names, Remote Annex names and addresses, and port numbers. Erpcd matches Annex and user entries to provide IP addresses for users dialing in to the network. It denies access to users if it does not find a matching entry.
To use the information in acp_dialup, you must set the dialup_addresses parameter to Y via the na utility. This allows a Remote Annex to search the acp_dialup file for the remote client’s user name and for local and remote addresses.
To create an entry in the acp_dialup file:
1. Open the acp_dialup file from the Bay Networks program group window by double-clicking on the appropriate icon.
The acp_dialup file opens in the Notepad editor.
2. Go to the end of the file and enter a user name. If authentication is performed with multiple domain controllers, enter the domain name and the user name like this:
domain-name\\user-name
3. Enter one or more port numbers followed by @ and one or more Remote Annex names or IP addresses.
You can separate port numbers with commas and/or enter a range of numbers with dashes (e.g., 1,3,6-10@Annex01).
4. Enter a remote address followed by a local address.
You can use an asterisk (wildcard) for any part of an IP address. You must use spaces to separate the user name, port number/Remote Annex, Local Address, and Remote Address fields.
Using Local and Remote Addresses
If the acp_dialup file contains a matching user name and:
• The local and remote addresses exist in the file, the Remote Annex uses those values.
• The acp_dialup file contains a remote address but not a local address, the Remote Annex uses the remote address from the file and the Remote Annex's IP address for the local address.
If the file does not contain a matching user name, the Remote Annex uses values from the local_address and remote_address parameters.
• If both parameters contain addresses, the Remote Annex uses these values.
• If both parameters are set to 0.0.0.0, the Remote Annex negotiates for both addresses with the remote PPP client. The connection is denied for a remote SLIP client.
• If local_address contains a value and remote_address is set to 0.0.0.0, the Annex uses the local address and negotiates with the remote PPP client for the remote address. The connection is denied for a remote SLIP client.
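The acp_keys lookup order described above (complete entries before wildcard entries, first hit wins) and the acp_dialup address rules just listed, as one added Python example that shares a wildcard address matcher; it is not the manual's or Bay Networks' code, and both files it reads are constructed. It assumes an asterisk stands for one whole part of a dotted address, that acp_dialup fields follow step 4's order (remote address, then an optional local address), and that domain-qualified names use two backslashes as in the user-name step above.

```python
"""Added example, not Bay Networks code: the lookups erpcd and a Remote Annex
perform on acp_keys (exact entries before wildcard entries, first hit wins)
and on acp_dialup (address selection rules above). Assumed: '*' stands for a
whole part of a dotted address; acp_dialup fields are user, ports@annex,
remote address, optional local address; DOMAIN\\user uses two backslashes."""

def _logical_lines(text):
    """Strip blank lines and join lines continued with a trailing backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        if pending + line:
            lines.append(pending + line)
        pending = ""
    return lines

def _same_name(file_value, name):
    """Case-insensitive compare; two backslashes in the file stand for one."""
    return file_value.replace("\\\\", "\\").lower() == name.lower()

def _address_matches(pattern, address):
    """'192.168.5.*' matches any address whose other parts are equal."""
    parts, actual = pattern.split("."), address.split(".")
    return len(parts) == len(actual) and all(p in ("*", a) for p, a in zip(parts, actual))

# Constructed acp_keys: a wildcard entry deliberately precedes the exact one.
SAMPLE_ACP_KEYS = """\
annex1, annex2: abcxyz
192.168.5.*, 192.168.6.*: NorthKey1
192.168.5.17: SpecialKey
*.*.*.*: DefaultKey
"""

def parse_acp_keys(text):
    """Return [([Annex names or addresses], key), ...] in file order."""
    entries = []
    for line in _logical_lines(text):
        left, sep, key = line.partition(":")
        key = key.strip()
        if not sep or not key or len(key) > 15 or any(c.isspace() for c in key):
            raise ValueError(f"bad acp_keys entry: {line!r}")
        entries.append(([p.strip() for p in left.split(",")], key))
    return entries

def lookup_key(text, annex):
    """Key for an Annex: complete entries are tried first, then wildcards."""
    entries = parse_acp_keys(text)
    for names, key in entries:
        if any("*" not in n and _same_name(n, annex) for n in names):
            return key
    for names, key in entries:
        if any("*" in n and _address_matches(n, annex) for n in names):
            return key
    return None  # no key: the Annex and the security server cannot talk

# Constructed acp_dialup: russell gets both addresses, alice only a remote one.
SAMPLE_ACP_DIALUP = r"""
russell 1,3,6-10@annex01 192.168.20.5 192.168.20.1
Marketing\\alice 1-16@annex02,192.168.7.* 192.168.21.7
"""

def _ports(value):
    ports = set()
    for part in value.split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def dialup_entry(text, user, annex_name, annex_ip, port):
    """(remote, local or None) from the first acp_dialup line for this login."""
    for line in _logical_lines(text):
        fields = line.split()
        name, spec, remote = fields[0], fields[1], fields[2]
        local = fields[3] if len(fields) > 3 else None
        ports, _, annexes = spec.partition("@")
        if not _same_name(name, user) or port not in _ports(ports):
            continue
        if any(_same_name(a, annex_name) or _address_matches(a, annex_ip)
               for a in annexes.split(",")):
            return remote, local
    return None

NEGOTIATED = "negotiated with the PPP client"

def choose_addresses(text, user, annex_name, annex_ip, port, protocol,
                     local_address, remote_address):
    """(local, remote) the Annex uses, or None when the connection is denied.
    local_address/remote_address are the Annex parameters for unmatched users."""
    entry = dialup_entry(text, user, annex_name, annex_ip, port)
    if entry is not None:
        remote, local = entry
        return (local or annex_ip, remote)  # no local address: the Annex's own
    if local_address != "0.0.0.0" and remote_address != "0.0.0.0":
        return (local_address, remote_address)
    if local_address == "0.0.0.0" and remote_address != "0.0.0.0":
        raise ValueError("combination not described in this manual")
    if protocol != "ppp":
        return None  # a remote SLIP client cannot negotiate: denied
    local = NEGOTIATED if local_address == "0.0.0.0" else local_address
    return (local, NEGOTIATED)
```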
Chapter 4
Using Security Features
Remote Annex Server Tools for Windows NT® uses standard Windows NT® features to protect your network from unauthorized access. To use Remote Annex Server Tools for Windows NT® security features, you need to:
• Use the Windows NT® Administrative Tools/User Manager for Domains to create groups, user names, and passwords.
• Use the na utility to set security parameters on the Remote Annex for the types of security you want.
You can use group authentication by selecting options in the Security dialog box:
• Select Global Group Authentication.
• Select the groups whose members can be authenticated.
For more information on group authentication, see Chapter 3.
This chapter summarizes most security features and explains the relationship between Windows NT® domain security, server-based security, and Remote Annex-based security. It includes:
• Using Windows NT® Domain Security
• Setting Remote Annex Security Parameters
• RADIUS Security
Although this manual documents the differences between the UNIX and Windows NT® implementation, the RADIUS for Windows NT® implementation is significantly different from the UNIX implementation. Therefore, to avoid confusion, all RADIUS for Windows NT® information is included in this chapter.
Using Windows NT® Domain Security
When a user logs on to a Remote Annex, to one of its ports, or to a network, the system performs authentication based on the security parameters you set. Once you set the parameters that enable a type of security:
• The system checks the Windows NT® user name and password.
• The system performs additional authentication if you selected Global Group Authentication and chose groups for remote access in the Server Tools Options windows. If the user name and password are valid, the system determines whether the user is a member of any group you selected.
Support for Multiple Domains
Remote Annex Server Tools for Windows NT® can authenticate users from domains other than the security server’s default domain. To facilitate this feature, the Windows NT® administrator must establish at least a one-way trust relationship.
In essence, a trusting domain controller can be linked to one or more trusted domain controllers. When a cross-domain authentication request arrives at the (trusting) domain controller, the request is transferred to the appropriate (trusted) domain controller. The trusted controller’s domain security accounts manager database includes the user in question and authenticates that user.
Multiple Domain Authentication Setup Procedure
Follow these steps to facilitate support for multiple domain authentication:
Windows NT® steps
1. Establish the appropriate trust relationship among domains.
2. Load the Remote Annex Server Tools for Windows NT® on the trusting domain controller.
3. Define the user(s) in the trusted domain’s security accounts manager database.
4. Add the trusted domain user(s) to a global group. Use the trusted domain’s User Manager for Domains utility.
Server Tools steps
5. Click on the Server Tools Options window.
6. Select the Security tab.
7. Use Add and Remove to define (by domain and group) those users who require authentication.
All Windows NT® users who require authentication services must be defined to the Remote Annex Server Tools software. Those definitions are accomplished in the following steps:
1. Add a valid entry(s) in the acp_userinfo file.
2. If the caller requires a dial-up address, add a valid entry(s) in the acp_dialup file.
The user’s name must be defined in the acp_userinfo and acp_dialup file in the format:
domain-name\\user-name
For example, a user named Stephen from the Marketing domain would log on as Marketing\\Stephen. Windows NT®, Windows for Workgroups, and Windows 95® use this format.
Setting Remote Annex Security Parameters
The Remote Annex’s Access Control Protocol (ACP) provides server-based security. When you define one network server as a security server, you can use ACP software default settings or modify the software to create a customized security policy for your network. This section includes:
• Security Requirements
• Types of Security
Security Requirements
Before you can use server-based security, you must use the na utility to:
• Set the enable_security parameter to Y.
• Define one server as the primary security server by entering its address in the pref_secure1_host parameter. You can define a backup security server in the pref_secure2_host parameter.
If a Remote Annex queries the primary server and does not receive a response within the time defined in the network_turnaround parameter, it queries the backup server.
If the backup server does not respond within the time specified, the Remote Annex broadcasts to the network for another server running erpcd as long as the security_broadcast parameter is set to Y.
For instructions on using the na utility and detailed explanations for each parameter, refer to the Remote Annex Administrator’s Guide for UNIX.
You can customize security features by editing several ACP files. These files are maintained by the security server through the Remote Annex Server Tools for Windows NT® program window.
• The acp_keys file includes encryption key information.
• The acp_dialup file contains user names and addresses for dial-up connections.
• The acp_userinfo file contains initial login environment information and start-up CLI commands.
The Remote Annex Administrator’s Guide for UNIX includes detailed discussions about server-based security and examples using the na utility. You should use this guide for reference. However, some instructions and examples refer to the acp_regime, acp_restrict, acp_group, and acp_password files. Remote Annex Server Tools for Windows NT® does not use the acp_regime, acp_restrict, acp_group, or acp_password files. You should skip the steps that discuss these files.
Types of Security
You can configure your system for several types of server-based security by using the na utility to set security parameters. Once you set these parameters, Remote Annex Server Tools for Windows NT® uses Windows NT® user names and passwords to authenticate users. This section describes the types of server-based security that use Windows NT® domain security. It includes:
• PPP Security
• CLI Security
• Virtual CLI Security
• AppleTalk Security
• Port Server Security
PPP Security
Point-to-Point Protocol (PPP) provides a link between hosts that carry IP, IPX, and ARA protocols. After PPP negotiates Link Control Protocol (LCP) options, the hosts at either end of the link authenticate their identities using PAP or CHAP security protocols.
You need to set certain parameters to enable each type of security described here. Once you set parameters, each user will have to enter a user name and password. Remote Annex Server Tools for Windows NT® will grant access only to those user names and passwords listed in any Windows NT® global group you selected in the Remote Access Groups tab window.
• PAP is a two-way handshake in which hosts exchange user names and passwords in clear text.
• CHAP is a three-way handshake that uses a secret token defined in the acp_userinfo file to authenticate users.
To configure Windows NT® security for PPP links, you must set the ppp_security_protocol parameter.
• If you set ppp_security_protocol to pap, the system uses Windows NT® user names and passwords for authentication.
• If you set ppp_security_protocol to chap–pap, the system first requests CHAP security. If CHAP is not acknowledged, it requests PAP.
CHAP does not use Windows NT® user names, passwords, or remote access groups for authentication. It authenticates based on user names from the acp_userinfo file and the CHAP token.
To log user access for PPP, set the slip_ppp_security parameter to Y.
If you want to set ppp_security_protocol and slip_ppp_security to values other than the ones described here, the system will not use Windows NT® user names and passwords for authentication. Please refer to the Remote Annex Administrator’s Guide for UNIX for information about system behavior with other parameter values.
CLI Security
The Remote Annex’s Command Line Interpreter (CLI) allows users to connect to hosts, to move between established sessions, to modify port characteristics, and to display statistics for the Remote Annex, hosts, and the network. CLI also provides superuser commands for network administration and management.
To configure server-based security for CLI connections, set the cli_security parameter to Y.
Virtual CLI Security
Virtual CLI (VCLI) connections allow network users access to CLI commands. When a user enters a telnet command to connect to a Remote Annex and requests the CLI at the port server prompt, the Remote Annex’s port server process creates a virtual CLI connection.
To configure server-based security for VCLI connections, set the vcli_security parameter to Y.
AppleTalk Security
Remote Annex Server Tools for Windows NT® authenticates AppleTalk users via the acp_userinfo file. This file includes entries for usernames and passwords, a guest profile for anonymous access, and an AppleTalk connection timer.
To authenticate AppleTalk users, set the at_security parameter to Y.
Port Server Security
The Remote Annex’s port server process allows it to accept telnet or rlogin connection requests from network users, hosts, and applications.
When a user connects to a Remote Annex via telnet or rlogin and responds to the port prompt by entering a port or rotary number, the security server requires a Windows NT® domain user name and password.
To configure server-based security for port server connections, set the port_server_security parameter to Y.
Additional Security Types
Remote Annex Server Tools for Windows NT® supports port server, CLI, VCLI, and PPP security using Windows NT® domain user names and passwords. In addition, Remote Annex Server Tools for Windows NT® supports:
• Security Filters, ARA and Dial-back security defined in the acp_userinfo file.
• Dial-up security defined in the acp_dialup file.
Remote Annex Server Tools for Windows NT® and UNIX-based systems support local Remote Annex security and Proprietary IPX security in the same way. Remote Annex Server Tools for Windows NT® does not support the following server-based security types (for more details, see the Remote Annex Administrator’s Guide for UNIX):
• Connection Security
• Password History and Aging
• Blacklisting
• Kerberos Authentication
• Using ACE/Server Software
• Using SafeWord AS Software
RADIUS Security
RADIUS is an IETF-developed protocol that defines a communication standard between a Network Access Server (NAS) and a host-based communication server. RADIUS modes are as follows:
• RADIUS Authentication includes authentication of the dial-up user to the RADIUS server, as well as authentication of the RADIUS server to the NAS. RADIUS supports authentication modes PAP and CHAP (Challenge Handshake Authentication Protocol).
• RADIUS Accounting, another IETF-developed protocol, defines a communication standard between an NAS and a host-based accounting server. It records duration of service, packet throughput, and raw throughput.
Although RADIUS Authorization is not supported in this release, Authorization is addressed by the Access Control Protocol (ACP). Authorization of the acp_userinfo, acp_restrict, and acp_dialup files still applies to users that are authenticated through RADIUS.
RADIUS and ACP Protocol Operation
RADIUS and ACP servers work together to provide the user with a standard means of communication between a Network Access Server and a host-based server.
When or If...: the security profile matches the Server Tools Options dialog box RADIUS on/off toggle switch,
The...: expedited remote procedure call daemon (ERPCD)/ACP prompts the Remote Annex for the user name and password.
When or If...: the user name and password are entered correctly,
The...: ERPCD/ACP sends a RADIUS Access-Request packet to the RADIUS server (this packet contains the normal RADIUS header and the Access-Request attributes).
When or If...: the Access-Accept, Access-Reject, or Access-Challenge packet fails to arrive in the specified amount of time,
The...: ERPCD/ACP re-sends the packet.
When or If...: no response is received,
The...: ERPCD/ACP sends the Access-Request packet to the backup RADIUS server, if configured in the Server Tools Options dialog box.
When or If...: ERPCD/ACP receives an Access-Accept packet,
The...: ERPCD/ACP considers the user validated.
When or If...: ERPCD/ACP receives an Access-Reject or an unsupported Access-Challenge, or the backup RADIUS server also fails to respond,
The...: ERPCD/ACP considers the user invalidated.
RADIUS Authentication
RADIUS authentication supports the authentication modes PAP and CHAP. This section covers the following topics:
• PPP and CHAP Support
• Access-Request Attributes
• Access-Accept and Access-Reject Attributes
PPP and CHAP Support
RADIUS requires PPP/CHAP enforcement to be in the RADIUS server:
The...: Remote Annex sends the ACP server an ACP Authorization-Request message containing the CHAP information,
Then...: the ACP server determines if RADIUS is to be used (set in Server Tools Options dialog box) and sends a request to the RADIUS server containing the CHAP information needed for validation.
The...: RADIUS server validates the information and returns either an Access-Accept or Access-Reject message,
Then...: the ACP server responds to the Remote Annex with REQ_GRANTED or REQ_DENIED for authorization.
If the RADIUS on/off toggle switch in the Server Tools Options/Security dialog box is set to off, the ACP server validates against the chap_secret entry in the acp_userinfo file.
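The two CHAP paths described above (the three-way handshake of the PPP Security section, and the RADIUS on/off decision in the table), as an added example written for this guide rather than erpcd code. It computes the CHAP/MD5 response of RFC 1994, MD5(identifier || secret || challenge), and answers REQ_GRANTED or REQ_DENIED the way the ACP server answers the Remote Annex. The acp_userinfo chap_secret lookup is modelled with a dictionary and the RADIUS exchange with a callable; both are assumptions. The RADIUS CHAP-Password layout (attribute type 3, one identifier byte, 16 response bytes, with the challenge carried in the Request Authenticator) is the standard RADIUS format.

```python
"""CHAP verification as the ACP server performs it. Added example, not erpcd
code. chap_secret entries and the RADIUS Access-Request/Accept exchange are
stand-ins (a dict and a callable)."""
import hashlib
import hmac
from typing import Callable, Optional

# Constructed stand-in for the chap_secret entries of acp_userinfo.
ACP_USERINFO_CHAP_SECRETS = {
    r"Marketing\\Stephen": b"constructed-chap-secret",
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """16-byte CHAP/MD5 response a peer returns for a challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def radius_chap_password_attribute(identifier: int, response: bytes) -> bytes:
    """RADIUS CHAP-Password attribute: type 3, length 19, CHAP Ident, 16-byte response.
    The challenge itself travels in the Request Authenticator of the RADIUS header."""
    if len(response) != 16:
        raise ValueError("CHAP response must be 16 bytes")
    return bytes([3, 19, identifier & 0xFF]) + response


def verify_chap(user: str, identifier: int, challenge: bytes, response: bytes,
                radius_on: bool = False,
                radius_lookup: Optional[Callable[..., bool]] = None) -> str:
    """Return REQ_GRANTED or REQ_DENIED, the answers the ACP server gives the Remote Annex."""
    if radius_on:
        # RADIUS on: forward the CHAP information; radius_lookup stands in for the
        # Access-Request exchange and returns True when an Access-Accept comes back.
        if radius_lookup is None:
            return "REQ_DENIED"
        return "REQ_GRANTED" if radius_lookup(user, identifier, challenge, response) else "REQ_DENIED"
    # RADIUS off: validate locally against the user's chap_secret.
    secret = ACP_USERINFO_CHAP_SECRETS.get(user)
    if secret is None:
        return "REQ_DENIED"
    expected = chap_response(identifier, secret, challenge)
    # constant-time comparison so response timing does not depend on matching bytes
    return "REQ_GRANTED" if hmac.compare_digest(expected, response) else "REQ_DENIED"
```

Because the identifier is hashed with the secret and challenge, a response captured for one challenge is useless for another, which is the property that distinguishes CHAP from the clear-text PAP exchange described above.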
Access-Request Attributes
ERPCD/ACP sends each Access-Request packet indicating how the user has connected to the Annex. This information can be used by the server as a hint or a restriction. The following section defines the available Access-Request attributes:
User-Name
Indicates the name of the user that the RADIUS server will authenticate. An unterminated ASCII string identical to the user name that ERPCD/ACP retrieves via the user name prompt. You can specify up to 31 alphanumeric characters.
User-Password
Specifies the password of the user that the RADIUS server will authenticate.
CHAP-Password
Specifies the response value provided by a CHAP user in response to the password challenge.
Although not an attribute, CHAP-Challenge appears in the Authenticator of the RADIUS header.
NAS-IP-Address
Indicates the IP address of the Annex authenticating the user or sending an Accounting packet.
NAS-Port-Type
Specifies the Remote Annex port handling the user session. This value corresponds to the physical port type. Supported port types:
• Async (0)
• ISDN Sync (2)
• ISDN Async V.120 (3)
• Virtual (5)
NAS-Port
Specifies the port number to which the user has connected.
NAS-Port number example: nxxx (decimal), where n is:
0   Serial interface port
2   Virtual (VCLI, FTP)
3   Dial-out
4   Ethernet (outbound)
Framed-Protocol
Specifies the link level protocol type allowed to the user. Supported values are:
• PPP
• SLIP
Service-Type
Specifies the type of service the user is to receive. Supported types of service are:
• Login
• Framed
• NAS-Prompt
• Outbound
• Administrative
Access-Accept and Access-Reject Attributes
Attributes included in the RADIUS Access-Accept and Access-Reject packets are ignored by ERPCD/ACP in this version. However, ERPCD/ACP does instruct the Remote Annex to display any text sent in a Reply-Message attribute as long as the user is a CLI or port server user.
RADIUS Accounting
RADIUS Accounting defines a communication standard between a NAS and a host-based accounting server. It records duration of service, packet throughput and raw throughput. This section covers the following topics:
RADIUS Accounting Process
Accounting-Request Attributes
In order to utilize RADIUS Accounting, you must select the Use RADIUS Logging radio button in the Booting/Logging dialog box.
RADIUS Accounting Process
The following table describes the RADIUS accounting process:
When or If...: the Remote Annex sends an ACP Audit-log to the server,
The...: security profile for the ACP Authorization-Request must match the Security dialog box RADIUS Regime On/Off toggle switch setting. On = RADIUS security active. Off = NT security active.
When or If...: ERPCD/ACP receives a login or logout log request,
The...: ERPCD/ACP sends an Accounting-Request packet to the RADIUS Accounting server.
When or If...: the ERPCD/ACP server receives the RADIUS Accounting-Response,
The...: ERPCD/ACP returns the ACP audit log verification PDU to the Remote Annex.
Accounting-Request Attributes
ERPCD/ACP sends each Accounting-Request packet with the following attributes:
Acct-Status-Type
Marks whether the Accounting packet sent to the RADIUS server is the beginning or end of a dial-up session.
• Start (1) - ERPCD/ACP login events
• Stop (2) - ERPCD/ACP logout events
• Accounting-on (7) - ACP logging connection becomes active
• Accounting-off (8) - ACP audit logging connection becomes inactive
Acct-Delay-Time
Specifies how many seconds the RADIUS client has been trying to send a specific Accounting packet.
Acct-Input-Octets
Specifies how many octets have been received during the session.
Acct-Output-Octets
Specifies how many octets have been sent during the session.
Acct-Session-Id
A unique numeric string identified with the session reported in the packet.
Acct-Authentic
Specifies how the user is authenticated. Always set to RADIUS.
Acct-Input-Packets
Specifies how many packets have been received during the session.
Acct-Output-Packets
Specifies how many packets have been sent during the session.
Acct-Session-Time
Specifies the elapsed session time as calculated in RADIUS.
Other Attributes
All attributes that are included in the Access-Request packet are also included in the Accounting-Request packet.
RADIUS Configuration Management
Configuring the RADIUS Authentication and Accounting server involves setting parameters to define the server’s operating and administrative attributes. This section covers the following topics:
• RADIUS Servers
• Host Name
• IP Address
• Secret Format
• Response Timeout and Number of Retries Format
• Backup Server
The RADIUS Servers dialog box:
Default Values
If there is no configuration record for a RADIUS server, the following default values are used:
Attribute        Value
Secret           0x0
Timeout          4 seconds
Retries          10
Backup server    None
RADIUS Authentication Server and Accounting Server
RADIUS Authentication Server is the host name of the RADIUS Authentication server.
Accounting Server is the host name of the RADIUS Accounting server.
If no Accounting server is specified, it defaults to the ACP server. If no RADIUS server is specified, the RADIUS server defaults to the ACP server.
Secret Format
The format for secret is an ASCII string or a hexadecimal string. The hexadecimal string format always starts with 0x followed by a string of bytes, with each two hexadecimal digits indicating one byte. The maximum limit is 16 in ASCII, or the hexadecimal equivalent.
Each entry in the erpcd.conf file must be contained on one line. Any amount of white space can exist between keywords, keyword/value pairs, and semi-colon delimiters. No white space can exist between the keyword and “=” or the value and “=”.
erpcd.conf File Example
radius default RADIUS=132.245.66.11;Accounting=132.245.33.60
radius server host=132.245.66.11;secret=spikesecret;timeout=5;retries=5;backup=132.245.33.17
radius server host=132.245.33.17;secret=mysecretmysecret;timeout=6;retries=10
radius server host=132.245.33.60;secret=nottimesec;timeout=4;retries=10;backup=132.245.66.18
radius server host=132.245.66.18;secret=hpposecret;timeout=8;retries=12
Response Timeout and Number of Retries Format
The values of Response Timeout and Number of Retries are set in the RADIUS Servers dialog box.
timeout   The number of seconds to wait for a response before sending a retry.
retries   The number of times to retry before fail-over to the backup server, or authentication is discontinued.
Fail-over occurs only if host is the original primary server. This entry must be on one line.
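A parser for the radius entries of erpcd.conf as described in this section, applying the default values table, the one-line and white-space rules, and the secret format. This is an added example written for this guide, not part of erpcd; it embeds the erpcd.conf example above as its input. Assumptions beyond the text: keywords are matched without regard to case, and an odd number of hexadecimal digits is left-padded with a zero, so the default secret 0x0 is a single zero byte.

```python
"""Parser for the radius lines of erpcd.conf in the format described above.
Added example, not part of erpcd. Applies the documented defaults (secret 0x0,
timeout 4, retries 10, no backup) to servers without a record, enforces the
no-white-space-around-"=" rule, and checks the secret format (ASCII, at most
16 characters, or 0x plus hex digit pairs for at most 16 bytes). Assumptions:
keywords match case-insensitively; an odd number of hex digits is left-padded
with 0, so the default 0x0 is a single zero byte."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class RadiusServer:
    host: str
    secret: str = "0x0"
    timeout: int = 4
    retries: int = 10
    backup: Optional[str] = None


@dataclass
class RadiusConfig:
    radius_server: Optional[str] = None       # from "radius default RADIUS="
    accounting_server: Optional[str] = None   # from "radius default Accounting="
    servers: Dict[str, RadiusServer] = field(default_factory=dict)


def secret_bytes(secret: str) -> bytes:
    """Validate a secret in either format and return its raw bytes."""
    if secret.startswith("0x"):
        digits = secret[2:]
        if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
            raise ValueError(f"bad hexadecimal secret {secret!r}")
        raw = bytes.fromhex(digits.rjust(len(digits) + len(digits) % 2, "0"))
    else:
        raw = secret.encode("ascii")
    if len(raw) > 16:
        raise ValueError("secret exceeds the 16-byte limit")
    return raw


def _keyword_values(body: str, lineno: int) -> Dict[str, str]:
    """Split 'key=value;key=value' (white space allowed around ';' only)."""
    if re.search(r"\s=|=\s", body):
        raise ValueError(f"line {lineno}: white space is not allowed next to '='")
    pairs = {}
    for item in filter(None, (s.strip() for s in body.split(";"))):
        if "=" not in item:
            raise ValueError(f"line {lineno}: expected keyword=value, got {item!r}")
        key, value = item.split("=", 1)
        pairs[key.lower()] = value
    return pairs


def parse_erpcd_conf(text: str) -> RadiusConfig:
    cfg = RadiusConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 2)          # each entry is contained on one line
        if len(words) != 3 or words[0].lower() != "radius":
            raise ValueError(f"line {lineno}: not a radius entry")
        kind, kv = words[1].lower(), _keyword_values(words[2], lineno)
        if kind == "default":
            cfg.radius_server = kv.get("radius")
            cfg.accounting_server = kv.get("accounting")
        elif kind == "server":
            unknown = set(kv) - {"host", "secret", "timeout", "retries", "backup"}
            if unknown or "host" not in kv:
                raise ValueError(f"line {lineno}: bad server entry, unknown keywords {sorted(unknown)}")
            srv = RadiusServer(kv["host"])
            if "secret" in kv:
                secret_bytes(kv["secret"])       # reject malformed or over-long secrets
                srv.secret = kv["secret"]
            srv.timeout = int(kv.get("timeout", srv.timeout))
            srv.retries = int(kv.get("retries", srv.retries))
            srv.backup = kv.get("backup")
            cfg.servers[srv.host] = srv
        else:
            raise ValueError(f"line {lineno}: unknown entry type {kind!r}")
    return cfg


def server_for(cfg: RadiusConfig, host: str) -> RadiusServer:
    """Record for host, or the documented defaults when no record exists."""
    return cfg.servers.get(host, RadiusServer(host))


# The erpcd.conf example from this section, embedded so the parser runs offline.
SAMPLE_ERPCD_CONF = """\
radius default RADIUS=132.245.66.11;Accounting=132.245.33.60
radius server host=132.245.66.11;secret=spikesecret;timeout=5;retries=5;backup=132.245.33.17
radius server host=132.245.33.17;secret=mysecretmysecret;timeout=6;retries=10
radius server host=132.245.33.60;secret=nottimesec;timeout=4;retries=10;backup=132.245.66.18
radius server host=132.245.66.18;secret=hpposecret;timeout=8;retries=12
"""
```

Rejecting unknown keywords is what catches a misspelled timeout before erpcd silently falls back to the 4-second default, and the secret check fails the whole line rather than truncating a shared secret to 16 bytes.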
Backup Server
The host name or Internet address of the backup RADIUS server or RADIUS Accounting server can be configured using the RADIUS Servers dialog box:
1. From the Server Tools Options dialog box, click on the Security tab.
2. Select the RADIUS radio button to enable the RADIUS security server.
If you do not select this option, your security server will default to native Windows NT® security.
3. From the Server Tools Options dialog box, click on the RADIUS Servers tab.
4. Select the Backup Server down arrow to select the backup RADIUS server or RADIUS accounting server.
If None is displayed in the Backup Server drop-down list, see Chapter 2, Configuring a RADIUS Server, for more information on creating a new RADIUS server.
Fail-over Algorithm Process
The following table describes the fail-over algorithm process for authentication and accounting.
When or If...: a user is to be authenticated,
The...: RADIUS server first polled is specified in the Server Tools Options dialog box.
When or If...: an Access-Request packet is sent to the RADIUS server,
The...: ERPCD/ACP waits the specified timeout value (4 seconds by default) for the response packet.
When or If...: the time expires,
The...: ERPCD/ACP retries the request.
When or If...: the maximum number of retries (10 by default) is reached without a response from the server,
The...: attempt to authenticate against the primary server fails and ERPCD/ACP attempts to authenticate against the backup server (if defined).
When or If...: no response is received from the backup server,
The...: user is rejected.
When or If...: an accounting fail-over occurs,
The...: server remains the same until failure of the backup server.
When or If...: both the accounting primary server and backup fail,
The...: acp_logfile records RADIUS accounting.
Backup Security
If you configure port server, CLI, VCLI, and PPP security to use Windows NT® domain names and passwords and the ACP security server is not available, the Remote Annex can use its locally-stored password parameters to restrict user access. These parameter settings serve as backup security. To use backup security, you must set the parameters listed in the following table.
For:             Back-up Security uses:
Port Server      port_password
Incoming Port    port_password
VCLI             vcli_password
For additional information about back-up security and settings for these parameters, please refer to the Remote Annex Administrator’s Guide for UNIX.
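The authentication rows of the fail-over table above, played out as a simulation. This is an added example written for this guide, not erpcd code: the network is replaced by a caller-supplied send function that returns the response packet type or None when nothing arrives within the timeout, and the retries and timeout are the documented defaults unless overridden. One assumption the table does not settle: "retries" is taken to count the sends after the first one, so 10 retries means 11 sends to a silent server.

```python
"""Simulation of the RADIUS authentication fail-over algorithm tabled above.
Added example, not erpcd code. send(host, request, timeout) stands in for the
network and returns a packet type ("Access-Accept", "Access-Reject",
"Access-Challenge") or None for no response before the timeout.
Assumption: retries counts sends after the first, so 10 retries = 11 sends."""
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_TIMEOUT = 4      # seconds to wait for a response
DEFAULT_RETRIES = 10     # retries before fail-over or giving up

Trace = List[Tuple[str, int, str]]     # (host, attempt number, outcome)


def query_server(send, host, request, timeout, retries, trace: Trace) -> Optional[str]:
    """Send, then retry on each timeout; None means the server never answered."""
    for attempt in range(1, retries + 2):
        response = send(host, request, timeout)
        trace.append((host, attempt, response or "timeout"))
        if response is not None:
            return response
    return None


def authenticate(send, primary: str, backup: Optional[str], request,
                 timeout=DEFAULT_TIMEOUT, retries=DEFAULT_RETRIES) -> Tuple[str, Trace]:
    """Return ("validated" | "invalidated", trace) following the fail-over table."""
    trace: Trace = []
    # Fail-over goes from the original primary to the backup only; there is no third hop.
    for host in [primary] + ([backup] if backup else []):
        response = query_server(send, host, request, timeout, retries, trace)
        if response == "Access-Accept":
            return "validated", trace
        if response is not None:
            # Access-Reject, or an Access-Challenge (unsupported in this version): invalidated
            return "invalidated", trace
        # no response after all retries: fall through to the backup, if one is defined
    return "invalidated", trace


def make_network(replies: Dict[str, List[Optional[str]]]) -> Callable:
    """Constructed test double: replies[host] is consumed in order (None = timeout);
    a host that is absent or has run out of replies never answers."""
    queues = {h: list(r) for h, r in replies.items()}

    def send(host, request, timeout):
        queue = queues.get(host)
        return queue.pop(0) if queue else None

    return send
```

The trace makes the cost of a dead primary visible: with the defaults, 11 sends separated by 4-second waits elapse before the backup is tried, which is the delay users see at the login prompt when the primary RADIUS server is down. Note that a reject from either server ends the attempt immediately; only silence triggers fail-over.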
RADIUS Dictionary File
Included on the distribution kit is a reference RADIUS dictionary file which will be placed in the security files area. The erpcd server does not use this file; it is provided as documentation and a convenience. This file defines keywords, types, and values for RADIUS attributes and their corresponding code points. The file is in a format that is used as input by some RADIUS servers to parse messages, and write text output files. Customers may have existing dictionaries with differences in the keyword names, and may want to evaluate the impact to their databases and output reports.
The file that we provide includes the latest IETF definitions of the RADIUS protocol at the time of release. It includes all attributes and values that are needed to support our Remote Annex and erpcd implementation. It is not necessary that our definitions be used directly, but other dictionaries may have to be extended to cover our usage.
This file may be used as a reference to add or change existing RADIUS dictionaries as need be. Since it is in the format of some of the popular RADIUS servers, in some cases it may be used as a direct replacement. However, the network manager should review the dependencies and make a decision on how to apply the differences.
The following is a partial example of some of the dictionary contents:
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
<...>
# Framed Protocols
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
VALUE Framed-Protocol ARAP 3
VALUE Framed-Protocol Gandalf-SL/MLP 4
VALUE Framed-Protocol IPX/SLIP 5
# User Service Types
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt 7
VALUE Service-Type Authenticate-Only 8
VALUE Service-Type Callback-NAS-Prompt 9
<...>
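A parser for the ATTRIBUTE/VALUE dictionary format shown above, used to decode a constructed Access-Request attribute list, including the nxxx encoding of NAS-Port described under Access-Request Attributes. This is an added example written for this guide, not part of the distribution kit. It assumes the attributes are in the standard RADIUS wire form (a one-byte type, a one-byte length that covers the header, then the value) and that "#" starts a comment in the dictionary; the embedded dictionary is a subset of the excerpt above and the packet contents are constructed.

```python
"""Parse the RADIUS dictionary format above and decode attributes with it.
Added example, not part of the distribution kit. Assumes standard RADIUS
attribute TLVs (type, length incl. header, value); the sample packet is
constructed."""
import struct
from typing import Dict, Tuple

# Subset of the dictionary excerpt above, embedded so the example runs offline.
DICTIONARY_EXCERPT = """\
ATTRIBUTE User-Name 1 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
# Framed Protocols
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
# User Service Types
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type NAS-Prompt 7
"""

# NAS-Port is sent as nxxx (decimal): n is the interface class, xxx the port number.
NAS_PORT_CLASSES = {0: "Serial interface port", 2: "Virtual (VCLI, FTP)",
                    3: "Dial-out", 4: "Ethernet (outbound)"}


def parse_dictionary(text: str):
    attrs: Dict[int, Tuple[str, str]] = {}     # code -> (name, type)
    values: Dict[str, Dict[int, str]] = {}     # attribute name -> {number: value name}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ATTRIBUTE" and len(parts) == 4:
            attrs[int(parts[2])] = (parts[1], parts[3])
        elif parts[0] == "VALUE" and len(parts) == 4:
            values.setdefault(parts[1], {})[int(parts[3])] = parts[2]
        else:
            raise ValueError(f"unrecognised dictionary line: {raw!r}")
    return attrs, values


def decode_nas_port(value: int) -> Tuple[str, int]:
    """Split the nxxx NAS-Port value into (interface class, port number)."""
    n, port = divmod(value, 1000)
    return NAS_PORT_CLASSES.get(n, f"unknown class {n}"), port


def decode_attributes(blob: bytes, attrs, values) -> Dict[str, object]:
    """Walk the attribute list; names and value symbols come from the dictionary."""
    out: Dict[str, object] = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        code, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute type {code}")
        value = blob[i + 2:i + length]
        name, typ = attrs.get(code, (f"Attr-{code}", "octets"))
        if typ == "string":
            # CHAP-Password is typed string but carries binary data: keep such values as hex
            printable = value.isascii() and all(32 <= b < 127 for b in value)
            decoded = value.decode("ascii") if printable else value.hex()
        elif typ == "ipaddr":
            if len(value) != 4:
                raise ValueError(f"{name}: ipaddr must be 4 bytes")
            decoded = ".".join(str(b) for b in value)
        elif typ == "integer":
            if len(value) != 4:
                raise ValueError(f"{name}: integer must be 4 bytes")
            number = struct.unpack("!I", value)[0]
            decoded = values.get(name, {}).get(number, number)
        else:
            decoded = value
        out[name] = decoded
        i += length
    return out


def attribute(code: int, value: bytes) -> bytes:
    """Encode one attribute in type/length/value form."""
    return bytes([code, len(value) + 2]) + value


# Constructed Access-Request attribute list: a CHAP user on virtual port 3 asking for PPP.
SAMPLE_ACCESS_REQUEST = (
    attribute(1, b"Marketing\\Stephen")
    + attribute(3, bytes([7]) + bytes(16))        # CHAP Ident 7, all-zero response
    + attribute(4, bytes([132, 245, 66, 11]))
    + attribute(5, struct.pack("!I", 2003))       # n=2 (Virtual), port 3
    + attribute(6, struct.pack("!I", 7))          # Service-Type NAS-Prompt
    + attribute(7, struct.pack("!I", 1))          # Framed-Protocol PPP
)
```

The length checks matter more than they look: a RADIUS server or log parser that trusts the length byte blindly can be walked past the end of the packet by a single malformed attribute, so the decoder refuses any length that does not fit.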
Appendix A Browsing for Resources on a Microsoft Network
Browsing is locating network resources in a Domain or workgroup.
Domains and workgroups are Microsoft's logical grouping of computers and other resources into managed groups. Browsing is implemented by accessing Browsers, which are computers that maintain resource lists for the Domain, rather than trying to directly locate the resource. Therefore locating a resource becomes a question of locating a Browser. This location process becomes a problem in subnetted TCP/IP networks because the location process utilizes UDP broadcasts which are generally not passed through routers between subnets. IPX is not a problem because the datagram location mechanisms used are not generally blocked by routers. However, in mixed protocol environments, the browser will use TCP/IP. This discussion assumes a TCP/IP only network. Some points of location and discovery of Browsers are different for other protocols.
This discussion assumes that WINS is not available. The WINS solution is outlined at the end of the document.
Browser Definition
Browsers are distributed on the network based on the domain, subnet, and number of workstations. The Browsers are assigned through a weighted election process that allows replacement of Browsers when they fail or are shutdown. This can make Browsers difficult to locate because they may not always be on the same machine.
Microsoft now provides a Windows Internet Naming Service (WINS) for the Windows NT® server that eliminates many of the problems with locating Browsers.
The Primary Domain Controller (PDC) which provides authentication for the Domain, serves as the Domain Master Browser (DMB). The DMB has the responsibility of keeping track of and coordinating all the Master Browsers in the Domain as well as correlating information from other domains. The PDC wins the DMB election because it is heavily weighted by being the PDC.
Master Browsers
Subnets
Master Browsers (MB) are located on each subnet and are responsible for tracking resources on the subnet. They provide updated subnet resource lists to the DMB and receive domain resource lists from the DMB. When a MB first comes up, it broadcasts on the subnet asking all resources to identify themselves. Resources are required to reply within 30 seconds. New resources should announce their presence to the MB. The MB also exchanges lists with the DMB. This exchange is repeated every 15 minutes and when new resources announce themselves on the subnet. Resources are removed from the list when they either announce their departure or they fail to respond 3 times to the 15 minute update query (45 minutes).
There should be one MB for each subnet. If the number of active stations on a subnet exceeds 32, a backup browser is selected for each 32 stations. The MB is responsible for keeping the backup browser’s browse list up to date. When a station wants to access a Browser for the first time, it receives a list (explained below) of all the available browsers on its subnet. The station caches the location of up to 3 browsers and accesses them in the future in a random pattern. The browse request load is thereby spread among the available browsers.
Configuration and Election Process
Browsers are selected through configuration and an election process. It is possible to set a station to be a MB. This only gives it additional weight in the election process. Another weight in the election process is the type of operating system running (Microsoft Windows NT®, Windows 95, Windows for Workgroups). An election is held between all potential MBs to select the MB for the subnet. This process can be affected by such things as boot speed (after a power failure) and is a very dynamic process. Except for the DMB, it is not always possible to statically determine the address of a MB. If the current MB shuts down or certain other conditions occur, a new MB election can be triggered, although in general, once a MB has been selected, it remains the MB, even if other stations may now be a better weighted choice.
Locating Browsers
The client station maintains a cache of IP addresses and important services and will first (a) check its cache for browsers. If the cache does not contain any browsers, the next step is to (b) generate a NetBIOS over IP broadcast to try to locate a MB on its subnet. If the subnet MB responds, the client will send a directed query to the MB to get a list of browsers on the subnet. The MB returns a list of browsers on the Domain/subnet being queried. The client caches up to 3 browsers as previously mentioned. The broadcast time out occurs if there is no MB on the client’s subnet. There is no way to direct a client to a MB outside its subnet. Therefore, if there is no MB on the subnet, a client on that subnet can not browse. If the client can not find the MB after 3 attempts, a Force Election broadcast is issued to force election of a new MB for the subnet. However, a station on a slow link (remote access) is prevented from being a Browser. So even if the remote access client is capable of acting as a Browser, the link type prevents it. A remote access client calling into a subnet with no MB will be unable to browse the network.
The WINS Solution
WINS is a service that runs on a Windows NT® server. It is provided with Windows NT® 3.5 or greater. WINS' primary function is to provide name services without broadcasts because WINS queries are directed datagrams. The current version of WINS, along with some client updates, also assists with browsing across subnets that do not contain Browsers.
A WINS server can provide the location of the PDC, which is also the DMB, to a client. When the PDC comes up, it registers a couple of special names with WINS. These names consist of the domain name followed by the characters <1B> and <1D> (ex. eng<1B> and eng<1D>). These special names are associated with the IP address of the DMB. When a client attempts to browse on a subnet with no MB, the client first does a broadcast to locate the MB, which fails. The client also directs a NameQuery to WINS asking for the special version of the domain name followed by <1B>. WINS returns the IP address of the DMB. The client can then query the DMB for the browse list for the domain.
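The two name lookups described above, the broadcast for the subnet MB and the directed query to WINS for the domain<1B> name, differ on the wire only in the NetBIOS Name Service broadcast flag and the destination address. The following Python is an added example, not code from the manual or from Bay Networks: it first-level encodes the special names (15-byte padded name plus the <1B>/<1D> suffix byte, per RFC 1001/1002) and builds both query packets so the difference is visible. The domain name "eng" is the manual's own illustration; the transaction IDs are constructed.

```python
"""Build and decode NetBIOS Name Service (NBNS) name queries (RFC 1001/1002).
Added example, not part of the Bay Networks manual.

Two queries are shown: a broadcast query for the subnet master browser name
(domain<1D>) and a directed (unicast) query to a WINS server for the domain
master browser name (domain<1B>).  The only on-the-wire difference is the
B (broadcast) flag; the WINS query is a directed datagram, which is why it
can cross a router while the MB broadcast cannot.
"""
import struct

NB_QTYPE = 0x0020   # NetBIOS general name service resource record
IN_CLASS = 0x0001

# 16th-byte suffixes registered by a PDC / domain master browser
SUFFIX_DOMAIN_MASTER = 0x1B   # domain<1B>: the DMB (the PDC)
SUFFIX_MASTER_BROWSER = 0x1D  # domain<1D>: master browser on a subnet


def encode_netbios_name(name: str, suffix: int) -> str:
    """First-level encode a NetBIOS name: pad to 15 bytes with spaces, append
    the suffix byte, then split every byte into two nibbles, each added to 'A'."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    pairs = zip(encoded[0::2], encoded[1::2])
    raw = bytes(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41) for hi, lo in pairs)
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(name: str, suffix: int, trn_id: int, broadcast: bool) -> bytes:
    """Return an NBNS NAME QUERY REQUEST (RFC 1002 section 4.2.12).
    Header flags: OPCODE=0 (query), RD=1; B=1 for a subnet broadcast,
    B=0 for a directed query sent to the WINS server."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)   # QDCOUNT=1
    encoded = encode_netbios_name(name, suffix).encode("ascii")
    question = bytes([32]) + encoded + b"\x00" + struct.pack("!HH", NB_QTYPE, IN_CLASS)
    return header + question


def parse_query_flags(packet: bytes) -> dict:
    """Pull the header fields a packet filter or IDS rule would look at."""
    trn_id, flags = struct.unpack("!HH", packet[:4])
    return {
        "trn_id": trn_id,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0x0F,
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),
    }


if __name__ == "__main__":
    # "eng" is the manual's example domain; transaction ids are constructed
    mb = build_name_query("eng", SUFFIX_MASTER_BROWSER, 0x1234, broadcast=True)
    dmb = build_name_query("eng", SUFFIX_DOMAIN_MASTER, 0x1235, broadcast=False)
    print("subnet MB broadcast :", mb.hex())
    print("WINS directed query :", dmb.hex())
    print(parse_query_flags(mb), parse_query_flags(dmb))
```

Sending the broadcast form to the subnet broadcast address on UDP port 137 and the directed form to the WINS server's address is what a WINS-aware client does at the steps described above; the encoded name is the same 32-character string in both, so a capture filter on that string finds either query.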
Clients
The following clients can use the enhanced WINS browse capability (are WINS aware):
Windows NT®
Windows 95
Windows for Workgroups - with latest drivers
  Requires VREDIR.386 included on Windows NT® 3.5 server
  Requires Microsoft TCP/IP 32 drivers (32 bit TCP/IP)
Required Configuration Details
The following configuration details are required to make the browsing operation work correctly:
The PDCs of all domains should be Windows NT® server Version 3.5 or later.
All stations must use WINS to allow services to be recorded properly.
The client should disable the ability to be a browse master. This will prevent the client from browsing except when the user asks for a browse list. This reduces delays caused by broadcasting for the MB in the background.
For Windows 95: Control Panel - Networks - File and Print Sharing for Microsoft Networks - Properties - Advanced - BrowseMaster - Disabled
For WFW 3.11: system.ini - [Network] - MaintainServerList=No
Note that this is only necessary on clients that will encounter browsing problems because their broadcast queries will not be routed correctly. If a master browser exists on the subnet, the disabling will not be necessary.
Remote Annex Example
The Remote Annex forwards IP broadcasts from a remote access client to the network that the Annex is on. If that network is a subnet that has no PCs capable of being a master browser, the remote client must be configured to use WINS to be able to browse Microsoft resources. Another possible option might be to configure the router to pass IP broadcasts, but this is probably not desirable.
Number of PCs on the Subnet
Another issue to consider is the number of PCs on the subnet that can act as master browsers. The number and type of machines may give unpredictable behavior for a remote access client. Consider, for example, a remote client that is not configured to use WINS. During the day, the subnet dialed into has several Windows 95 stations that can act as master browsers. The PDC and other resources are on a different subnet. When the client dials in during the day, a broadcast finds one of the Windows 95 systems and browsing works as expected. However, it is company policy to shut down PCs at night, so when everyone goes home all Windows 95 machines are shut down. Now the remote client dials in and broadcasts to the subnet, but no master browsers are available. Browsing works during the day, but not at night. WINS would overcome this problem by finding the DMB when the Windows 95 machines were not available.
Note also that the ip_forward_broadcast parameter on the Annex controls broadcast traffic from the ethernet to the remote client. It has no effect on broadcasts generated by the client for the ethernet. Client to ethernet broadcasts are on and cannot be configured off. Replies to the client browser broadcasts are directed datagrams and will not be affected by the ip_forward_broadcast setting.
Resource Visibility
The problem of resource visibility becomes especially important when the remote "client" is another network that may have resources to be shared. The remote network should have a machine capable of acting as a MB. A MB locates resources by broadcasts on its subnet. If there is no MB on the remote net, there must be one on the network the Annex is on and the ip_forward_broadcast parameter should be Y to allow the MB request to reach the resource. WINS will also be useful in this environment to assure reliable communication between all the browser components.
Additional Information
Resolve a Name to an IP Address
When a client tries to resolve a name to an IP address it follows the following steps:
1. Check internal cache of resolved names.
2. Ask WINS (if enabled).
3. Broadcast to resolve name.
4. Check LMHOSTS file.
Preload PDC Address
Preloading the cache at start-up with the address of the PDC may simplify the authentication process, even if WINS is configured. It may be required if WINS is not used. This is done by adding an entry to the client's lmhosts file.
Example
NT: \Winnt35\System32\Drivers\Etc\lmhosts
Windows 95: \windows\lmhosts
555.555.55.555 servername #PRE #DOM:dept #net group's DC
This gives the IP address (555.555.55.555) of the PDC (servername).
#DOM:dept indicates that servername is a domain controller for the dept domain.
#PRE indicates this entry is preloaded into the cache at start-up; this allows the address to be found when the cache is searched and eliminates the WINS query and/or broadcast.
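The four-step resolution order above and the effect of the #PRE and #DOM tags can be seen in a small simulation. The following Python is an added example, not code from the manual or from Bay Networks: it parses lmhosts-style lines (including the manual's example entry, with "#net group's DC" treated as an ordinary comment), preloads the #PRE entries into the client cache, and then walks cache, WINS, broadcast and lmhosts in order, recording which steps were needed. WINS and the subnet are stand-in dictionaries rather than network I/O, and the 10.0.0.x addresses and host name "fileserv" are constructed.

```python
"""Simulation of the NetBIOS name resolution order (cache, WINS, broadcast,
LMHOSTS) with LMHOSTS #PRE / #DOM handling.  Added example, not code from the
Bay Networks manual.  WINS and the subnet are dictionaries standing in for
the real servers; sample addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LmhostsEntry:
    ip: str
    name: str
    preload: bool = False          # #PRE: loaded into the name cache at start-up
    domain: Optional[str] = None   # #DOM:<domain>: this host is a DC for <domain>


def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    """Parse LMHOSTS lines of the form '<ip> <name> [#PRE] [#DOM:domain] [#comment]'.
    Any '#' token other than #PRE / #DOM: starts a comment, so the trailing
    '#net group's DC' in the manual's example is ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue                        # blank line or full-line comment
        entry = LmhostsEntry(ip=tokens[0], name=tokens[1].upper())
        for tok in tokens[2:]:
            up = tok.upper()
            if up == "#PRE":
                entry.preload = True
            elif up.startswith("#DOM:"):
                entry.domain = tok[5:]
            elif tok.startswith("#"):
                break                       # ordinary comment: stop parsing
        entries.append(entry)
    return entries


@dataclass
class NetbiosClient:
    lmhosts: List[LmhostsEntry]
    wins: Optional[Dict[str, str]] = None                   # None = WINS not enabled
    subnet: Dict[str, str] = field(default_factory=dict)    # names that answer a broadcast
    cache: Dict[str, str] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)          # steps taken by last resolve()

    def __post_init__(self):
        # #PRE entries go into the cache at start-up, before any lookup
        for e in self.lmhosts:
            if e.preload:
                self.cache[e.name] = e.ip

    def resolve(self, name: str) -> Optional[str]:
        name = name.upper()
        self.trace.clear()
        self.trace.append("cache")                  # 1. internal cache
        if name in self.cache:
            return self.cache[name]
        if self.wins is not None:                   # 2. directed query to WINS
            self.trace.append("wins")
            if name in self.wins:
                self.cache[name] = self.wins[name]
                return self.wins[name]
        self.trace.append("broadcast")              # 3. subnet broadcast
        if name in self.subnet:
            self.cache[name] = self.subnet[name]
            return self.subnet[name]
        self.trace.append("lmhosts")                # 4. scan the LMHOSTS file
        for e in self.lmhosts:
            if e.name == name:
                return e.ip
        return None


def domain_controllers(entries: List[LmhostsEntry]) -> Dict[str, str]:
    """Map domain name -> DC name from the #DOM tags, as a client would."""
    return {e.domain: e.name for e in entries if e.domain}


# Constructed LMHOSTS content: the manual's example entry plus one plain host
SAMPLE_LMHOSTS = """\
# constructed sample lmhosts
555.555.55.555 servername #PRE #DOM:dept #net group's DC
10.0.0.20      fileserv
"""


if __name__ == "__main__":
    entries = parse_lmhosts(SAMPLE_LMHOSTS)
    client = NetbiosClient(lmhosts=entries, wins=None, subnet={})
    print(client.resolve("servername"), client.trace)   # found at step 1 (preloaded)
    print(client.resolve("fileserv"), client.trace)     # no #PRE: falls through to step 4
```

The trace shows why the manual recommends #PRE for the PDC: the preloaded name is answered from the cache, so neither the WINS query nor the broadcast (which a remote access client's subnet may not answer) is ever sent; a non-preloaded lmhosts entry is only reached after both have failed.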
Workgroups and Domains
Windows 95 allows specification of a workgroup name (Control Panel - Networks - Identification - Workgroup). Users should be aware that workgroups and domains are very similar concepts. Domain membership is used for authentication, but resource visibility and access can be limited by workgroup membership. If you log in to the domain but are specified to be a member of a workgroup other than the domain, resources may not be visible to you depending on how those resources are configured.
Index
A
Access Control Protocol. See ACP
access security features, for Windows NT® server 1-2
accesscode attribute 3-6
Accounting Server selection 2-3
ACP 3-1, 4-20
acp_dialup file 2-2, 3-18, 4-5, 4-8
  using local and remote addresses with 3-19
acp_key parameter 3-17
acp_keys file 2-2, 3-16, 4-5
  creating encryption keys with 3-17
acp_logfile 2-8
acp_userinfo file 3-2 to 3-15, 4-5, 4-6, 4-7
  defining user profiles with 3-2 to 3-15
addresses, using local and remote 3-19
admin utility 3-17
annex keyword 3-5
at_connect_time attribute 3-14
at_guest parameter 3-15
at_nve_filter attribute 3-14
at_password attribute 3-15
at_security parameter 4-7
at_zone attribute 3-13
attributes, profile 3-6 to 3-15
Authentication Server selection 2-3
B
bfs directory 2-9, 3-1
block file server. See bfs directory
Booting
  options 2-8
Booting/Logging Options 2-1
Browser Definition A-1
Browsing a Microsoft Network
  browser definition A-1
  resolve a name to an IP address A-7
Browsing a Microsoft Network, required configuration details A-5
C
CHAP security protocol 4-6
chap_secret attribute 3-15
cli_security parameter 3-8, 4-7
clicmd attribute 3-7
climask attribute 3-8
Configuration and Election Process A-3
Configuring a RADIUS Server 2-1
conventions, documentation vii
D
deny attribute 3-9
Detail window 2-8, 2-12
dialup_addresses parameter 3-18
Directory for security file 2-2
documentation conventions vii
documentation, using remote annex 1-2 to 1-5
  list of documentation exceptions 1-3
  logging issues 1-3
  name server issues 1-3
  user authentication issues 1-2
Domain, selecting 2-3
E
Editing Files 3-2
enable_security parameter 3-17, 4-4
encryption keys, creating 3-17
erpcd 2-9, 4-4
  differences in Windows NT®-based vs. UNIX-based 1-2 to 1-5
  understanding 3-1 to 3-19
eservices file 3-1
etc directory 2-2
Event Viewer 2-10
F
files, creating 3-2 to 3-19
  acp_dialup file 3-18
  acp_keys file 3-16
  acp_userinfo file 3-2 to 3-15
filter attribute 3-9
G
Global Group Authentication 2-3, 4-1
group keyword 3-4
I
icons
  Options 2-1
introduction 1-1 to 1-5
K
keywords, profile environment 3-4 to 3-6
L
local_address parameter 3-19
Locating Browsers A-3
Logging
  options 2-8
logging 1-3
  selecting options 2-1 to 2-10
M
Master Browsers A-2
N
na utility 3-3, 3-15, 3-18, 4-1
  features 1-1
  using for security 4-4
name servers 1-3
net_inactivity timer parameter 3-12
network_turnaround parameter 4-4
P
PAP security protocol 4-6
parameters. See security parameters
platform requirements 1-5
port_server_security parameter 4-8
ports keyword 3-5
ppp_security_protocol parameter 4-6
pref_secure1_host parameter 4-4
pref_secure2_host parameter 4-4
Preload PDC Address A-7
profiles, defining user 3-2 to 3-15
  understanding profile attributes and 3-6 to 3-15
  user profile formats and 3-3
  using profile environment keywords 3-4
protocol keyword 3-5
R
RADIUS
  access request attributes 4-12
  access-accept attributes 4-14
  access-reject attributes 4-14
  accounting-request attributes 4-15
  ACP protocol operation 4-10
  authentication 4-11
  backup security 4-20
  dictionary file 4-21
  PPP and CHAP support 4-11
RADIUS Accounting 4-14
RADIUS Configuration Management
  authentication and accounting server 4-16
  backup server 4-19
  fail-over algorithm 4-19
  response timeout and number of retries 4-18
  secret format 4-17
RADIUS Security 4-9
RADIUS Server
  creating 2-14
  deleting 2-16
RADIUS Servers
  none defined 2-1
related documents 1-2 to 1-5
Remote Access Groups 4-1
Remote Access Groups list 2-3
Remote Annex Example A-6
Remote Users Group
  creating 2-4
Remote Users Group, creating 2-4
remote_address parameter 3-19
Resolve a Name to an IP Address A-7
route attribute 3-12
S
security
  backup 4-20
  features 4-1 to 4-20
  protocols
    CHAP 4-6
    PAP 4-6
  requirements 4-4
  server-based 4-4
  types of server-based 4-5 to 4-9
    additional security types 4-8
    AppleTalk security 4-7
    CLI security 4-7
    port server security 4-6
    PPP security 4-6
    virtual CLI security 4-8
  using Windows NT® domain 4-2
Security files directory 2-2
security regime 2-1
Security Server selection 2-1, 2-17
security_broadcast parameter 4-4
Selecting 2-1
Selecting a Security Server 2-1
Server Tools Options
  selecting booting and logging options 2-1
Server Tools Options window 4-2
  displaying version information in 2-17
  selecting groups for authentication 2-5
  selecting logging options in 2-8 to 2-10
  using event viewer in 2-10
slip_ppp_security parameter 4-7
Subnets A-2
T
The WINS Solution A-4
time keyword 3-5
U
Use NT Event Log 2-8
user authentication 1-2
User Manager 4-1
user...end block 3-3
username keyword 3-4
V
vcli_security parameter 4-8
Version Information 2-1
Version information, displaying 2-17
W
windows
  Detail 2-8, 2-12
  Server Tools Options 4-2
  selecting Server Tools Options window 2-1
Workgroups and Domains A-8