Digital Networks, Network Access Software Version 2.4
BL50 Release Notes

January 2001

The Network Access Software Release Notes contain information about enhancements, known problems, workarounds and documentation errata. The Release Notes should be distributed to the network access server manager(s), load host system manager(s), and any other individuals responsible for network access server maintenance.

SOFTWARE VERSION: DECserver Network Access Software Version 2.4 Baselevel 50 (BL50)

Digital Equipment Corporation
Maynard, Massachusetts

The information in this document is subject to change without notice and should not be construed as a commitment by Digital Networks. Digital Networks assumes no responsibility for any errors that may appear in this document.

Possession, use, or copying of the software described in this publication is authorized only pursuant to a valid written license from Digital Networks or an authorized sublicensor.

No responsibility is assumed for the use or reliability of software or equipment that is not supplied by Digital Networks or its affiliated companies.

Digital Networks makes no representations that the use of its products in the manner described in this publication will not infringe on existing or future patent rights, nor do the descriptions contained in this publication imply the granting of licenses to make, use, or sell equipment or software in accordance with the description.

Copyright ©2001 Digital Networks, DNPG, LLC ("Digital Networks") All rights reserved.

The following copyright applies to the CMU BOOTP implementation.

Copyright ©1988 Carnegie Mellon

Permission to use, copy, modify, and distribute this program for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Carnegie Mellon not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Carnegie Mellon and Stanford University. Carnegie Mellon makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Copyright ©1986, 1987 Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of California at Berkeley. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided "as is" without express or implied warranty.

(#)Version.c.4.8 (Berkeley) 4/7/88

The following are trademarks of Compaq: DEC, DECnet, DELNI, DIGITAL, LAT, MicroVAX, MultiSwitch, OpenVMS, Q-bus, ThinWire, ULTRIX, UNIBUS, VAX, VAXcluster, VAXstation, VT220.

AppleTalk is a registered trademark of Apple Computer, Inc.
HP is a registered trademark of Hewlett-Packard Company.
IBM is a registered trademark of International Business Machines, Corporation.
MS-DOS is a registered trademark of Microsoft Corporation.
Novell and NetWare are registered trademarks of Novell, Inc.
SCO is a trademark of Santa Cruz Operations, Inc.
SecurID is a registered trademark of Security Dynamics Technologies, Inc.
Sun is a registered trademark of Sun Microsystems, Inc.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Ltd.
Vitalink is a registered trademark of Vitalink Communications Corporation.
Windows and Windows 95 are registered trademarks of Microsoft Corporation.
Windows NT is a trademark of Microsoft Corporation.

This document was prepared using VAX DOCUMENT, Version 2.1.

Contents

1 INTRODUCTION
2 UNIX PLATFORM NOTES
3 DECSERVER MEMORY REQUIREMENTS
4 DISK SPACE REQUIREMENTS
5 VERSION 2.4 NEW FEATURES
   5.1 Rlogin Client
   5.2 Directed TFTP
   5.3 RADIUS Accounting Termination Reason Codes
   5.4 Local User Accounts Supports PPP CHAP
   5.5 Inactivity Logout Characteristic for the Remote Console Port
6 NOTICE OF NON-SUPPORT
7 DOCUMENTATION ERRORS
   7.1 DECserver 90M in the DIGITAL MultiStack System
   7.2 Viewing Online Documentation
   7.3 Authentication Methods
   7.4 AUTOLINK Timers
   7.5 Errata to Network Access Server Command Reference Manual
      7.5.1 Chapter 4 Errata
      7.5.2 Chapter 5 Errata
8 KNOWN PROBLEMS AND LIMITATIONS
   8.1 Modem Configuration
   8.2 Enhanced Displays
   8.3 PPP Callback
   8.4 CBCP Callback and Terminal Window Authentication
   8.5 Callback Numbers
   8.6 Known problems in the DEChub 900
   8.7 DECserver Accounting
   8.8 AppleTalk
   8.9 Telnet Remote Console
   8.10 PING
   8.11 Cannot Abort User Authentication
   8.12 Incorrect Login to Local Mode by Framed AUTOLINK user
   8.13 Other
9 POTENTIALLY CONFUSING BEHAVIOR
   9.1 Protocol Failover Interactions with Authorization
   9.2 Information from DHCP Servers
   9.3 Locally Configured Name Servers from DHCP
   9.4 WINS Server Information
   9.5 DS900 Operation in a DEChub 900
   9.6 RADIUS Reply-Messages Not Sent to PPP Clients
   9.7 Telnet Server Echo
   9.8 TN3270 Enhancement
   9.9 Backwards Compatibility of the 'harvestd' Utility
   9.10 Development Notes for 'harvestd' Utility
   9.11 Show Port Authorization Display
   9.12 Vendor-Specific RADIUS attributes
   9.13 Using Multiple RADIUS Hosts
   9.14 Unexpected Authentication Failures with PPP, PPP/Callback
10 CORRECTIONS INCLUDED IN THIS VERSION OF DNAS
   10.1 New Corrections
      10.1.1 DHCP-provided WINS server information Bugcheck
      10.1.2 RADIUS-provided IP address Problem
      10.1.3 Telnet Location Option Enhancement
      10.1.4 LPD/DIALER Port-List Problem
      10.1.5 IP Services Problems
      10.1.6 LPD Bugcheck
      10.1.7 LPD Hangs
      10.1.8 CBCP Bugcheck
      10.1.9 TN3270 Screen Problems
      10.1.10 RADIUS Corrections
      10.1.11 Expanded TCP Port Numbers
   10.2 DNAS V2.2 Corrections
      10.2.1 Protocol Failover
      10.2.2 LAT DATA_B Problem
      10.2.3 Lost Default Gateway Information
      10.2.4 Multiple Copies of a Gateway
      10.2.5 Corrupted TN3270 Displays
      10.2.6 LPD Problems
      10.2.7 IP Services Failed
      10.2.8 Incorrect Dialer Port Status
      10.2.9 Bugcheck Corrections
      10.2.10 RADIUS Corrections
      10.2.11 Dedicated LAT User Problem
      10.2.12 NULL Response to Telnet send-location
      10.2.13 Maximum Number of TD/SMP Sessions
      10.2.14 PPP Stops Working
      10.2.15 SLIP Problem
      10.2.16 LAT Generated Unwanted BREAKs
      10.2.17 Problem With Inactivity Logout Timer
11 HOW TO REPORT A PROBLEM
   11.1 Documentation Problems
   11.2 Severe Errors
APPENDIX A RADIUS ATTRIBUTES SUPPORTED IN THIS RELEASE

1 Introduction

These release notes apply to the Network Access Software Version 2.4, for any of the supported load host platforms, and for any of the supported DECserver platforms. Some of the information in this document was not available at the time the product documentation was finalized. In addition, there are sections on new features, known problems, potentially confusing behavior, and bug fixes applied since the last release.

2 UNIX Platform Notes

If you are installing this kit on a third-party UNIX host (that is, not DIGITAL UNIX), ensure that you read the README FILE provided with the installation kit, if any.
It includes examples and hints relevant to the installation procedure, specifically, the making of CMU BOOTP sources on different UNIX systems and platforms. Note that the CMU BOOTP sources are provided only as a convenience to those users that do not have BOOTP in their systems. Digital Networks does not offer any support of the BOOTP sources nor does it provide any warranties on their operation.

3 DECserver Memory Requirements

Version 2.0 and greater of the Network Access Software requires at least 4 MB of Dynamic RAM on any of the supported DECserver platforms: DECserver 90M, DECserver 900TM, DECserver 7xx (700-8, 700-16, 716, 732).

4 Disk Space Requirements

The following information refers to the disk space required on the load host's system disk. The disk space size is approximate. (Actual sizes may vary depending on the user's system environment, configuration, and software options.)

For OpenVMS (VAX and Alpha) systems:

   DECserver 90M:             11,330 blocks
   DECserver 7xx/900TM:        9,790 blocks
   All DECserver platforms:   15,700 blocks

For Third-Party UNIX systems:

   DECserver 90M:             5.517 M bytes
   DECserver 7xx/900TM:       4.722 M bytes
   All DECserver platforms:   7.761 M bytes

For DIGITAL UNIX (Alpha) systems:

   DECserver 90M:             5.789 M bytes
   DECserver 7xx/900TM:       4.995 M bytes
   All DECserver platforms:   8.034 M bytes

For Microsoft Windows systems:

   Access Server Manager:     1.90 M bytes
   Access Server Loader:      5.54 M bytes
   Documentation:             1.33 M bytes
   All components:            8.77 M bytes

5 Version 2.4 New Features

The DECserver Network Access Software Version 2.4 release provides the following new features along with various feature enhancements and bug fixes. This section describes new features available with this software release.

5.1 Rlogin Client

Remote login client (Rlogin) is a new feature in DECserver Network Access Software V2.3A. The Rlogin protocol, described in informational RFC 1282, allows users to log onto a remote computer (similar to Telnet). Rlogin supports pre-authenticated sessions on hosts that have been configured with trust relationships. This allows users to connect to those hosts without needing to enter a username and password.

5.2 Directed TFTP

Directed TFTP is a feature that allows the DECserver to load from a single, pre-specified TFTP server. Once configured for Directed TFTP, the DECserver ROM firmware downloads its operating image from the specified TFTP server rather than soliciting a response from a BOOTP server.
Directed TFTP makes it easier for the DECserver to obtain an operating image over the wide area network (WAN).

5.3 RADIUS Accounting Termination Reason Codes

This enhancement to the RADIUS Accounting protocol (RFC 2139) reports a number of termination reason codes to the RADIUS server when user sessions are completed. For a complete description of the termination reason codes supported in the DECserver, refer to the RADIUS Survival Guide, provided as an ASCII text file on the DNAS CD-ROM distribution media.

5.4 Local User Accounts Supports PPP CHAP

Local user accounts now support PPP CHAP authentication. Previously the only PPP authentication method that was supported was PAP.

5.5 Inactivity Logout Characteristic for the Remote Console Port

An Inactivity Logout characteristic is now available for the Access Server Remote Console. This characteristic is akin to the port's Inactivity Logout: if enabled, it logs out the Remote Console after a period of inactivity (defined by the Server's Inactivity Timer).

6 Notice of Non-support

o The Telnet Print Filter files are no longer provided in the DNAS kit.

o The DECserver Software, 1 megabyte images WWENG1 and MNENG1 are no longer provided in the DNAS kit. The hardware products that operate this software no longer belong to Digital Networks and the software was retired.

7 Documentation Errors

The following items were not included in the final version of the manuals.

7.1 DECserver 90M in the DIGITAL MultiStack System

The DECserver 90M may be installed in the DIGITAL MultiStack System. The 10baseT twisted pair Ethernet interface of the DECserver 90M (the MJ8 connector on the front bezel) will be disabled when the DECserver 90M is installed in the MultiStack System. This mimics the behavior of the DECserver 90M when it is installed in the DEChub 90 hub or the DIGITAL MultiSwitch 900 hub. The 10base2 coaxial cable Ethernet interface of the DECserver 90M (the BNC connector on the unit's side panel) remains active in these cases. In a hub configuration, however, this connector is typically physically inaccessible for external connections. It is important to understand that the DECserver 90M has only one Ethernet MAC interface, and thus only one Ethernet connection may be made at any time. The options for Ethernet connections are: (a) 10base2 via the BNC connector, (b) 10base2 via the backplane connector to the hub, and (c) 10baseT via the MJ8 connector.

To re-activate the 10baseT twisted pair Ethernet interface of the DECserver 90M, when installed in a DIGITAL MultiStack System, set the Slot ID selector switch of the MultiStack System "back-end" module attached to the DECserver 90M to 15. This setting is indicated by the Agent icon (which looks like the profile of some cold war era spy). This setting of the Slot ID selector switch will cause the DECserver 90M to behave as if it were standalone, i.e. not installed in a hub.

7.2 Viewing Online Documentation

When viewing the books online, be sure to expand the display window to properly display code examples and tables.

7.3 Authentication Methods

The last sentence on p. 21-37 of the DNAS Management Guide should be replaced with the following statement:

If the value for LCP Authentication is set to either LCP PAP/NoUsername or LCP CHAP/NoUsername, then the login will fail unless there was a prior interactive login that succeeded. That is, the NoUsername forms of authentication are considered too weak to be acceptable when Autolink Authentication is Enabled.

7.4 AUTOLINK Timers

Some customers may need to tune the timers for pass one and pass two of AUTOLINK. The timer controls how long AUTOLINK will wait without sensing one of: (a) a valid PPP frame, (b) a valid SLIP frame, or (c) a single carriage return character. After the timer expires, AUTOLINK assumes a character cell terminal. The default values for these timers will be adequate for most users.

Pass one of AUTOLINK is used to determine the authentication style, when authentication is required. Either PPP authentication or character cell authentication may be used. Pass two of AUTOLINK is only used when there has been an authentication pass, and it determines the protocol for the actual user session: SLIP, PPP or character cell terminal.

The timers may only be DEFINEd (not SET or CHANGEd), since they are only effective at port login. The default value for each timer is ten seconds. The command syntax to change the timer values is as follows:

   DEFine POrt [port-list] AUTOLink TIMer [PASS] {ONE|TWO} [value]

The current values may be displayed using either a LIST PORT or SHOW PORT command.
The line that displays the AUTOLINK TIMER values appears as follows:

   Autolink Timer One:10 Two:10          Dialer Script: None

7.5 Errata to Network Access Server Command Reference Manual

The following syntax examples should be corrected:

7.5.1 Chapter 4 Errata

- PORT PREFERRED: shows an extraneous bracket after the option SERVICE. The bracket is not part of the syntax.

- SECURID REALM: under the PERMISSIONS option, the option TELNET is misspelled. Also, the options LAT, TELNET, SLIP, and PPP are the default values and should be shown in bold typeface.

- USERACCOUNT: under the PERMISSIONS option, the option TELNET is misspelled. Also, the options LAT, TELNET, SLIP, and PPP are the default options and should be shown in bold typeface.

7.5.2 Chapter 5 Errata

- SHOW/MONITOR/LIST PRINTER: the command is missing a line of information. That line appears as:

   Flag Page Type: PostScript (or Ascii)     Auto C/R: Enabled (or Disabled)

8 Known Problems and Limitations

The following list includes some of the known problems with this release of the DECserver Network Access Software. Workarounds are described where applicable.

8.1 Modem Configuration

This note explains how to determine if a DECserver modem can support both callback and non-callback type logins on its port. It also provides the modem configuration values needed to support each of the cases. If your modem does not support appropriate configuration values, you will not be able to perform both callback and interactive authentications without callback on the same port.

When certain modem functions complete, a "result" code may be returned to the attached port.
Modem configuration parameters determine if the result code is returned, and its format. When the DECserver dials out to initiate a callback, it wants to receive a "long" format result code. But when an incoming call is connected, the DECserver wants to suppress the results code. Some modems provide a single configuration value that provides exactly this combination; but many do not.

The need to suppress receipt of results codes becomes an issue only if a client dialing in to the port requires an interactive login. The issue is irrelevant for PPP clients that use LCP authentication. But if SLIP is used with AUTOLINK AUTHENTICATION, or Windows 3.1 PPP clients are used, the information in this note must be applied for proper operation. If your modem does not have the level of sophistication required, you will not be able to use AUTOLINK and DIALER on the same port.

Below are two approaches to configuring the DECserver modem, so that dialback and non-dialback logins are both supported by the port. There may be other approaches, depending on the specific features of your modem.

* Configure your modem to provide Results Codes only if the call is initiated from the modem and to suppress Results Codes for all calls initiated from the client. On some modems, this is value Q2.

* Configure your modem to reload the modem configuration parameters from the modem's NVRAM, following dropping of DTR (&D3 on some modems). Also, configure the results codes by using value Q1V1. Thus, each time a dialback session ends (which re-configured the modem to return results codes), the modem is reverted back to the configured setting for suppressing Results codes.

In each of the above cases, the DIALER Init string should be configured to be Q0V1. This requests Long form Results codes, when a dialed out call gets connected.

Some modems have different capabilities than others, and react slightly differently under the same circumstances. While the following guidelines may not appear to be optimal for your particular brand of modem, they were developed in an attempt to make the majority of modems behave as similarly as possible.

NOTE

Modems used for AUTOLINK sessions and dialback access should be configured to include the following:

   ATQ1&C1&S1&D3 (save values in modem's NVRAM profile)

   Q1  - disable result codes
   &C1 - cause DCD to track actual state of remote modem's carrier
   &S1 - assert DSR at start of handshake
   &D3 - hang up, on DTR transition reset modem to NVRAM (initial) state

The critical feature that assignment "&D3" provides is this: the configuration parameters stored in the Modem's NVRAM become the active values following each port logout. This guarantees that following a session that was initiated using a callback, the modem will be reset to use value Q1, which disables results codes for the next incoming call.

Please note that the ports configured without AUTOLINK may still be subject to problems with result code strings from modems. One example of this is when PORT AUTHENTICATION is enabled. If you are going to be using the port for dialback, or for any other reason require that the modem be configured to provide result codes on dial in, then you should use PORT AUTOLINK AUTHENTICATION and not use PORT AUTHENTICATION.

8.2 Enhanced Displays

Enhancements to some displays were not captured for the final documentation. For example, DHCP now provides these DECserver network parameters: default DNS domain name, DNS name servers, WINS name servers, client (port) IP addresses. In some screens that display this information, the data is "tagged" to indicate its source. The current "tags" are as follows: (From DHCP), (From Port), (From Client), (From RADIUS).

8.3 PPP Callback

Certain callback requests can appear to be accepted but do not result in a return phone call.
If the user is trying to use PPP to establish a PPP callback session, and the port being used has LCP passive open disabled (meaning the server immediately transmits characters in an attempt to start up the session), the callback request is likely to be lost.

To avoid this problem, enter the following command for every port which could possibly use PPP to negotiate a PPP callback session:

   Local> DEFINE PORT [n] LCP PASSIVE ENABLE

This specifies that when a port logs in, the server is to passively wait for the client to begin PPP session negotiation.

8.4 CBCP Callback and Terminal Window Authentication

Windows 95 clients (and similar) that support CBCP callback may not use the terminal window option for interactive (non-PPP) authentication if callback is desired. If you do, the callback will be initiated by the DECserver, but because the original connection to the client is broken first, the client believes that the connection is lost and will not answer the callback. The DECserver will try the call a second time, but then give up and log the port out. This procedure may tie up the port for about 90 seconds.

8.5 Callback Numbers

It is recommended that the callback number for a given session come from exactly one source, and that all other possible sources of callback numbers have the value representing 'do not care', for example, '(Any)', '(None)' or '*'. If you specify different numbers in multiple sources, the callback will likely fail because of phone number authorization failure. That is to say, the precedence relations of multiple phone numbers are problematic in this release.

The possible sources of callback numbers are:

o RADIUS Callback-Number Attribute

o PPP Client (by means of LCP Callback Option negotiation)

o Security Realm default authorization value for DialBack Number

o Dialer Service value for Number

8.6 Known problems in the DEChub 900

When using versions of HUBwatch earlier than release Version 4.1 (specifically 3.1) it is possible for HUBwatch to freeze. This can currently only be cured by exiting HUBwatch.

When displaying current settings by means of a MAM console redirect, the field "resets" will always have a value of zero.

NOTE

When filing a problem report against hub based functionality, Digital Networks requests that you include the MAM version level. If applicable, also include the management tool version level, typically HUBwatch, and the platform on which you run the tool.

8.7 DECserver Accounting

A session disconnect event in the DECserver accounting log includes fields for the number of bytes transmitted and received during the life of the associated session. For TD/SMP sessions, these counters are invalid (they are correct for sessions other than TD/SMP sessions). When accessing the accounting log by means of the user interface, these counters follow the "TX:" and "RX:" fields in a Session Disconnect event. When accessing the accounting log by means of SNMP, these counters are available by means of the objects acctEntrySentBytes and acctEntryReceivedBytes. This anomaly is also visible for active TD/SMP sessions by means of the SNMP CHARACTER-MIB in the objects charSessInCharacters and charSessOutCharacters.

8.8 AppleTalk

There are certain situations that can cause an attached AppleTalk host to have a "stale" AppleTalk address (an address not contained in the current network range).
This occurs if the network range changes during the lifetime of an ATCP connection, and the connection's address is not within the new range. Examples of this might be if the routers on a network were reconfigured with a new network range or if no routers were active and then one or more routers began functioning. The user is not notified of the new network configuration and continues to operate with this "stale" address. This situation may not disrupt current network service connections but can inhibit future service connections.

Unfortunately, it can be difficult for the user to distinguish this problem from other unrelated network problems (for example, routers going down). In general, if users see reduced service access, they should try disconnecting the ATCP connection (making sure the port gets logged out, for example, due to modem control) and then reconnecting. At this time, the connection will be given a valid address within the current network range.

8.9 Telnet Remote Console

When memory utilization is at or near 100%, a Telnet remote console connection request to the access server may be rejected.

It is possible, in some circumstances, for the Telnet connection to the remote console to be broken, without disconnecting the remote console session itself. In this situation, the remote console will be continually "in use", and unavailable until the access server is rebooted.

8.10 PING

There is a bug in the software which causes the output from a completed PING to be displayed in local mode instead of in session mode. This happens if the user starts a PING session, hits the break key, and does not resume the PING session before the test completes. If the user remains in session mode, the PING output displays properly.

8.11 Cannot Abort User Authentication

The documentation indicates that, once all information has been entered and the actual request has been sent onto the network, a user can abort User Authentication requests by typing a Break or local-switch character on the terminal. This feature is not implemented in the current release. Once the request is sent to the Kerberos KDC or security server, the user must wait for a response from the KDC or security server, or for a timeout to occur, before additional local mode commands may be entered. The timeout is controlled by the SET|DEFINE|CHANGE {KERBEROS|RADIUS|SECURID} TIMEOUT command. This limitation applies to both user login authentication and the KPASSWD command.

8.12 Incorrect Login to Local Mode by Framed AUTOLINK user

When using Autolink Protocol, a user may perform an interactive login (on Pass1) that identifies the user for a Framed access. Framed access is determined either from a Realm ACCESS = FRAMED, or, when using RADIUS authentication, from the RADIUS Service_Type attribute. This always results in starting "Pass2" of Autolink. If the user allows the Pass2 autolink timer to expire or enters a CR on a dumb terminal, the user is logged in to the Local Prompt. This action should have caused a login rejection during Pass2, because the Pass1 authentication authorized Framed operation.

This error is not as significant as it might first appear. Without privilege, or Permissions, this local mode user will not be able to do much. (PPP users typically would only have permission for Telnet and PPP). This will be corrected in the next release.
8.13 Other

Other known problems with this software release are as follows:

o The INITIALIZE command does not properly measure the amount of delay time until the command is invoked. Add 1 minute to the time you specify to make sure an adequate delay takes place before the access server is initialized.

o When setting up internet gateways, be aware of the following:

  - For class A and B addresses, the subnet mask must be at least as long as the network class portion. For class C addresses, the subnet mask must be at least as long as 255.255.0.0.

  - Network 17.1.1.1 mask 255.0.0.0 is illegal, since its network portion has extra bits not included in the subnet mask.

  - All subnet masks must have contiguous ones, starting from the left.

  - Network xxxx mask 255.255.255.255 is illegal. Use HOST xxxx instead.

9 Potentially Confusing Behavior

This section describes behavior that may be confusing.

9.1 Protocol Failover Interactions with Authorization

Behavior of Protocol Failover (CONNECT , when Port Default Protocol is ANY):

In general, if the user enters the CONNECT command, the software will first attempt a LAT connection, followed by Telnet, followed by Rlogin. The failover occurs as expected, if the user has Authorization "permission" for all three types of connections. In the event that there is no LAT service with the specified name, the DECserver will failover to the Telnet protocol. If the named host does not have Telnet enabled, the DECserver will try Rlogin.

If the user does not have permission for one of these protocols, then a connection via that protocol is not attempted, and an error message is generated. If the user has permission for LAT, then the failover to Telnet, then Rlogin, will always occur as expected.

For example, if the user permissions are (LAT NOTELNET RLOGIN) and the remote host system does not run LAT:

    Local> CONNECT MYHOST
    Soliciting...
    Trying...
    (normal host login banner appears here)

The Rlogin connection is successful in this example.

If the user does not have permission for LAT, then the only other protocol attempted is Telnet. If the user only has permission for Rlogin (NOLAT NOTELNET RLOGIN), then the [CONNECT] RLOGIN command should be used, instead of CONNECT .

The following is an example of the error messages generated when the user only has permission for Rlogin. The first message indicates that the user does not have permission for LAT. The second indicates the user does not have permission for Telnet. The DECserver does not failover to Rlogin, because the user doesn't have permission for LAT. Note that the RLOGIN command is successful (assuming remote host is properly configured).

    Local> CONNECT MYHOST
    Local -854- Insufficient Privilege for Command
    Local -854- Insufficient Privilege for Command
    Local> RLOGIN MYHOST
    Trying...
    (normal host login banner appears here)

9.2 Information from DHCP Servers

When DHCP is enabled on the DECserver, information received from DHCP servers at boot time will be used in preference to locally configured information from NVRAM. This information includes items such as default DNS domain name, DNS name servers, WINS name servers, and default IP gateways.

The logic behind this feature is that DHCP Servers should always know best in any true DHCP-managed environment. DHCP on the DECserver is enabled by default. If you wish to disable the learning feature, you may disable DHCP (using a DEFINE INTERNET DHCP DISABLE command). This will also disable DHCP for the purpose of obtaining IP addresses for DECserver ports.

9.3 Locally Configured Name Servers from DHCP

In the SHOW INTERNET NAME RESOLUTION display, some Locally Configured name servers may be listed by IP address and the pseudonym "(From DHCP)". You will not be able to remove these name servers individually, using a CLEAR INTERNET NAMESERVER "name" command. Using a CLEAR INTERNET NAMESERVER ALL command will remove them, but also removes any truly locally configured entries.

9.4 WINS Server Information

To obtain new WINS Server information from DHCP, you must reboot the DECserver. This information is acquired and stored only during the DECserver software initialization. This restriction also applies to DNS Server information that is denoted as "(From DHCP)".

9.5 DS900 Operation in a DEChub 900

o When displaying current settings by means of a MAM console redirect, the LAT version is split between two lines.

o When setting or displaying SNMP community strings by means of a MAM console redirect, only the first read-only and read-write string is displayed.

o When modifying values by means of a MAM console redirect, most times these are permanent characteristics. In order to take effect you must re-initialize the server. This can be done by means of option 2 of the redirect menu "Reset with current settings" or by means of the server's UI based "Initialize" command.

o Selecting option 1 "Reset with Factory Defaults" will cause the server to reset all saved NVRAM characteristics to factory default values.

9.6 RADIUS Reply-Messages Not Sent to PPP Clients

The current software version does not attempt to send a Reply-Message from a RADIUS Access-Accept or Access-Reject packet to a PPP dial-in client. It is recommended that Reply-Messages not be used for PPP users' accounts.

9.7 Telnet Server Echo

A Telnet server session to a network access server physical port made through the Telnet listener will respond with WILL-ECHO to a DO-ECHO request from a Telnet client; however, the access server will not actually perform echoing. Echoing of incoming network data is the responsibility of the device attached to the physical port.

9.8 TN3270 Enhancement

Abbreviating keymap and/or terminal names is no longer acceptable. This was allowed in older versions, when the terminal and keymap names were known and abbreviations could be assumed to be unambiguous. Now, however, since the system manager can create new terminal and keymap names, abbreviations might be ambiguous.

9.9 Backwards Compatibility of the 'harvestd' Utility

Version 1.3 of the unsupported UNIX utility 'harvestd' is backward compatible with previous versions of DECserver software. This new release supports 26 DECserver Accounting MIB variables while the earlier release supported 11 such variables. The DECserver Accounting log contains additional types of event records, that correspond to the additional variables in the DECserver Accounting MIB.

The Version 1.3 harvestd utility automatically senses whether the DECserver software it is monitoring has the 11 variable version of the DECserver Accounting MIB or the 26 variable version. It assumes that DECserver has the latest software with the 26 variable MIB version.
If harvestd fails to receive a valid response from DECserver as to the added variables, during the auto-sense phase, it backs off to a previous version.

The harvestd utility currently allows 10 retries with a limited exponential back off algorithm. The auto-sense process takes about 2 minutes. Once trained to work with an earlier version, harvestd does not adjust to later versions. During the course of execution, under rare situations, harvestd will adapt to an earlier version. To bring it back to a newer version, one will need to kill and restart harvestd.

9.10 Development Notes for 'harvestd' Utility

This section is for customers that desire to modify the harvestd source code. The software was developed under the CWEB environment. That means modifying .w files, using ctangle to generate .c and .h files. To generate documentation, one needs to run cweave to create .tex file, tex to generate .dvi file, and dvips to generate .ps file. All of this software is available from a GNU ftp site.

To develop software independent of documentation, one can start with .c and .h files. Such files generated by ctangle are not human readable. One can use the following to generate a more readable file:

    pp.sh ctangled_file > readable_file

This file has no comments, because ctangle extracts all such comments.

9.11 Show Port Authorization Display

The data in this display reflects the values at the time of login. They are not updated dynamically due to commands issued from a Local prompt.

If a user has changed the state of the port's privilege status, or has enabled SLIP or PPP on the port, the permissions attributes {PRIV, PPP, or SLIP} displayed by the command SHOW PORT AUTHORIZATION do not change.
The SET PRIVILEGE command (which requires a password) creates a privileged status on the port, without disturbing the user's authorization record, which may not provide for the privileged port status.

Similarly, the port PPP and SLIP enabled or disabled status are separate from the user's SLIP or PPP permissions. The port must be enabled for PPP or SLIP in order for the user's PPP or SLIP permission to be valid on that particular port.

9.12 Vendor-Specific RADIUS attributes

Each security realm has a default set of permissions that are applied only when the Service-Type is NAS-Prompt. In this case, the permissions identified in the realm limit the commands that the user can enter. For example, if the Permission says NOTELNET, then the user cannot issue a Telnet request at the Local Prompt. With RADIUS servers, it may be necessary to use the Vendor-Specific attribute to supply a mask that covers all of the permissions.

The Realm default permissions also include a DialOut Service, which is necessary to complete callbacks. A Vendor-Specific attribute for DialOut Service also exists. With RADIUS Servers, it may be necessary to use the Vendor-Specific attribute to supply the DialOut Service. Alternatively, the DialOut Service may be defined as the DEDICATED or PREFERRED SERVICE on the port. Provisions are also made to define a DialOut Service in the Local User Accounts.

9.13 Using Multiple RADIUS Hosts

When you name multiple hosts for a specific RADIUS realm, the DECserver will try to contact each of the hosts, in round-robin fashion, should one fail to respond to a request. The number of seconds between retries and total time spent waiting for user authentication, are configurable parameters. These are modifiable via commands CHANGE RADIUS INTERVAL, and CHANGE RADIUS TIMEOUT respectively.

9.14 Unexpected Authentication Failures with PPP, PPP/Callback

This version of DNAS implements a policy of rejecting PPP authentication attempts, in cases where the user authentication itself succeeds, but some authorization factor requires that the login be denied. The console messages will report this as an Authentication Failure.

An example of this occurs when the client is PPP but the RADIUS authorization information says that the user's Framed-Protocol must be SLIP.

Another example occurs when a dialout number is unavailable for a requested callback. Typically this is a problem with the callback authorization information supplied by the user's account, or by other authorization defaults on the access server.

In the callback case, a problem exists since some PPP client implementations will immediately disconnect the phone after negotiating callback and receiving an authentication acknowledgment. If the callback is denied as a result of authentication, the access server will 'pretend' that the authentication itself failed. This causes the PPP dial-in client to give a failure message to the user immediately, albeit a potentially confusing one. Otherwise the PPP client waits indefinitely for a callback that is not going to occur.

Since PPP ports do not have the benefit of interactive error messages, problems with PPP connections, or callback PPP connections are best diagnosed by looking at the DECserver Accounting Log. This must be performed by a privileged user, such as the system administrator.

10 Corrections Included in this Version of DNAS

The Access Server load images supplied in this kit contain all the available corrections for software problems found in DNAS versions 1.0 through 2.2. The following list is not complete.
It only goes back to DNAS V2.0.

10.1 New Corrections

This section describes the corrections introduced by this release. It includes the corrections added since the release of DNAS V2.2 BL29C-52, some of which were distributed as field test variants of BL29C-52.

10.1.1 DHCP-provided WINS server information Bugcheck

This release corrects a problem which caused the DECserver to Bugcheck with a Code 299, soon after booting. The problem occurred when the DECserver had DHCP enabled, which is the factory-default state, and the DHCP server in the local environment provided more than two WINS server addresses in the DHCP packet. The DECserver software has been modified to silently discard all but the first two WINS server addresses provided in a DHCP packet.

10.1.2 RADIUS-provided IP address Problem

This release corrects a problem in which users would fail to be connected as a framed or callback-framed session if the IP address was being supplied by the RADIUS server authentication reply packet. In this case, DHCP address leasing is disabled, the port is not configured with an IP address nor is the dial-up client configured with an IP address. The DECserver software was modified to correctly use the RADIUS server supplied IP address.

10.1.3 Telnet Location Option Enhancement

This release includes a customer-requested enhancement to the Telnet Location Option feature. The DECserver response to this Telnet option request has been expanded to include the DECserver's server name. The ASCII string format is now: "PNUM=:PNAM=:SNAM=:".

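Section 10.1.1 above describes the corrected behaviour: keep the first two WINS server addresses from a DHCP packet and silently discard the rest. The C sketch below is an added example, not DNAS source code; it assumes the addresses arrive in DHCP option 44 (NetBIOS over TCP/IP Name Server, RFC 2132), and the function, struct and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD   0u
#define OPT_WINS  44u   /* NetBIOS over TCP/IP Name Server (RFC 2132) */
#define OPT_END   255u
#define MAX_WINS  2u    /* section 10.1.1: only the first two are kept */

struct wins_cfg {
    uint8_t addr[MAX_WINS][4];  /* stored servers, network byte order */
    size_t  count;              /* servers stored (0..MAX_WINS) */
    size_t  discarded;          /* extra servers silently dropped */
};

/* Walk a DHCP options field (the bytes after the magic cookie).
 * Returns 0 and fills *out on success, -1 on a malformed field,
 * in which case *out is left empty. */
int parse_wins_option(const uint8_t *opts, size_t len, struct wins_cfg *out)
{
    struct wins_cfg tmp;
    size_t i = 0;

    memset(&tmp, 0, sizeof tmp);
    memset(out, 0, sizeof *out);

    while (i < len) {
        uint8_t code = opts[i++];
        uint8_t olen;

        if (code == OPT_PAD)
            continue;               /* single-byte filler, no length */
        if (code == OPT_END)
            break;
        if (i >= len)
            return -1;              /* option code with no length byte */
        olen = opts[i++];
        if (olen > len - i)
            return -1;              /* value would run past the buffer */

        if (code == OPT_WINS) {
            size_t off;
            if (olen == 0 || olen % 4 != 0)
                return -1;          /* must be a list of IPv4 addresses */
            for (off = 0; off < olen; off += 4) {
                if (tmp.count < MAX_WINS)
                    memcpy(tmp.addr[tmp.count++], opts + i + off, 4);
                else
                    tmp.discarded++;    /* dropped without an error */
            }
        }
        i += olen;                  /* skip the value of any option */
    }
    *out = tmp;
    return 0;
}

/* Constructed sample: subnet mask option, then option 44 with three servers. */
static const uint8_t SAMPLE_THREE[] = {
    1, 4, 255, 255, 255, 0,
    44, 12, 192, 0, 2, 10,  192, 0, 2, 11,  192, 0, 2, 12,
    255
};

/* Constructed sample: option 44 claims 12 bytes but only 8 follow. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    44, 12, 192, 0, 2, 10,  192, 0, 2, 11
};

int main(void)
{
    struct wins_cfg c;
    int rc = parse_wins_option(SAMPLE_THREE, sizeof SAMPLE_THREE, &c);

    printf("three servers: rc=%d stored=%zu discarded=%zu\n",
           rc, c.count, c.discarded);
    rc = parse_wins_option(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &c);
    printf("truncated:     rc=%d stored=%zu\n", rc, c.count);
    return 0;
}
```

The release note does not say why more than two addresses were fatal, so the sketch shows only the bounded, length-checked handling that matches the described fix.
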
10.1.4 LPD/DIALER Port-List Problem

This release corrects a problem which caused the SET/CHANGE/DEFINE LPD/DIALER SERVICE commands to misinterpret the keyword ALL when specifying a port list. Prior to this change using the keyword ALL to include all ports would result in a random port set being applied.

10.1.5 IP Services Problems

- The IP address could not be modified once it had been set.

- IP services was not shut down if the DEChub 900's MAM was reset.

10.1.6 LPD Bugcheck

The MONITOR PRINTER command would cause a bugcheck with an error code of 978 if the last port (8, 16, or 32 depending on hardware type) was used by an LPD printer service.

10.1.7 LPD Hangs

After the release of BL29C-52 several additional causes of LPD hangs were discovered and corrected. In some cases the condition could be cleared by logging out the port. In other cases the server had to be re-booted. The behavior varied depending on the operating system, the parameters supplied in the print command, the LPD configuration on the access server, and the size of the files. In addition there were several problems with the DNAS implementation of LPD so there's no single, simple description of the conditions under which the hang might occur.

10.1.8 CBCP Bugcheck

The access server would bugcheck with a code of 567 if a Callback Framed user did not have Callback permission enabled in his DRAS user profile. The failure would only occur if the access server was using Digital Networks Remote Access Security (DRAS) for authentication and the user's DRAS profile was intentionally configured incorrectly.

10.1.9 TN3270 Screen Problems

This release corrects a problem that caused field data to be overwritten when traversing a TN3270 application display using the TAB key.

10.1.10 RADIUS Corrections

This release contains the following corrections for RADIUS authentication and accounting problems encountered in V2.2 BL29C-52.

- RADIUS authentication and accounting didn't work if the host name had to be resolved.

- RADIUS accounting only used the first two accounting servers configured in a realm.

10.1.11 Expanded TCP Port Numbers

This version of DNAS allows the user to specify a TCP destination port from 1 through 65535 when making Telnet client connect requests.

10.2 DNAS V2.2 Corrections

This section lists the corrections carried forward from DNAS V2.2 BL29A-52, BL29B-52, and BL29C-52. It also includes corrections carried forward from V2.2 field test images. It gives a brief description of the conditions, events and symptoms associated with each problem.

10.2.1 Protocol Failover

Setting a port's Default Protocol Type to ANY allows it to automatically try Telnet when a LAT service is not available. This release corrects a problem which disabled this functionality if TD/SMP (Multisessions) was active on the port.

10.2.2 LAT DATA_B Problem

Using LAT DATA_B slots to remotely modify the settings of one port would affect subsequent attempts to modify the settings of other ports. For example, if port 1's character size was changed to 7 bits, then, port 2's baud rate was set to 9600, port 2 would "inherit" port 1's character size of 7 bits, unless the DATA_B used to modify port 2 specified a size.

10.2.3 Lost Default Gateway Information

This release corrects several problems related to losing default gateway information. In most cases the following symptoms were observed.

- The SHOW INTERNET GATEWAY display showed multiple copies of the same default gateway before the failure occurred.

- The SHOW INTERNET GATEWAY display showed a large number of host gateways.

- The SET/CHANGE INTERNET GATEWAY command failed due to insufficient resources.

As part of the correction this version of software monitors the routing table. If the table contains more than 130 routes it attempts to delete the least recently used, unreferenced, ICMP redirected route. If a route cannot be deleted, gateway failover is temporarily disabled.

10.2.4 Multiple Copies of a Gateway

The DECserver's DHCP implementation does not support the subnet mask option. As a result a subnet mask was not supplied when learned gateways were added to the routing table. This caused duplicate entries if a gateway was added by both the UI and DHCP. This version of software corrects the problem by defaulting to the server's subnet mask.

10.2.5 Corrupted TN3270 Displays

The access server does not support the use of Graphical Escape character strings (GE_CHAR+character) and prior to this release it would strip the GE_CHAR then forward the remaining character to the terminal. In some situations this would cause the screen to be corrupted so the TN3270 implementation has been modified to discard the entire string.

10.2.6 LPD Problems

This release corrects several LPD problems. The symptoms included the following behaviors.

- Files would be printed multiple times.

- The LPD print servers would hang.
  In some cases the condition could be cleared by logging out the port. In other cases the server had to be re-booted. The behavior varied depending on the operating system, the parameters supplied in the print command, the LPD configuration on the access server, and the size of the files. In addition there were several problems with the DNAS implementation of LPD so there's no single, simple description of the conditions under which the hang might occur.

10.2.7 IP Services Failed

This release corrects a problem which prevented the DECserver from providing IP services for the DEChub 900. There are however several limitations.

- The DECserver cannot be managed using the DEChub 900 as its SNMP agent.

- The DECserver must have an IP address assigned to it and its IP interface must be operational prior to assigning the Out of Band DEChub 900 IP address.

10.2.8 Incorrect Dialer Port Status

The SHOW DIALER SERVICE STATUS display would show a port status of Available even if the port was actually in use.

10.2.9 Bugcheck Corrections

Bugchecks are fatal errors that cause the server to abruptly cease operation and dump the contents of memory to a dump host. This section describes the bugcheck corrections available in this release. Please note that a single bugcheck code can occur for multiple reasons. The corrections available in this release apply to the currently known causes of the codes listed.

- Bugcheck code 1028 caused by RADIUS authentication.

- Bugcheck 299 soon after power up. The bugcheck only occurred when DHCP was enabled.

- Bugcheck code 976 when the SHOW PRINTER or SHOW LPD commands were executed.

- Dialback would bugcheck with a code of 0003.

10.2.10 RADIUS Corrections

This release corrects the following RADIUS problems.

- The re-transmission of access and accounting requests was inconsistent. A new packet would be generated if the name of an alternate host had to be resolved but not if the alternate host's IP address was already known.

- DNAS would sometimes ignore valid replies if the reply arrived after the DECserver had started to resolve the name of an alternate host.

- The Authentication field in the SHOW PORT AUTHORIZATION display would not be correct if separate hosts were used for authorization and accounting.

- The Authentication/Accounting message retry timeout was longer than expected.

- A Session-Timeout attribute value of 0 was ignored.

- The first few requests for authentication were not being counted.

- The I/O octet counts supplied in accounting messages were wrong.

- Accounting Messages would be missed under the following conditions.

  + If a user authenticated via the Autolink Protocol using a terminal window, the accounting Start message was not issued following successful authentication that resulted in entry into Local Mode.

  + Accounting STOP messages were sent to the wrong host.

  + The accounting host crashed.

  + A successful login followed a failed login.

- Valid username/password combinations were sometimes rejected with an "invalid password" failure.

10.2.11 Dedicated LAT User Problem

Some of the authentication methods supported by DNAS support user authorization profiles restricting users to dedicated LAT services. Unlike a dedicated port a dedicated user will be logged out if the connection is not made within 60 seconds. This release corrects a problem which caused the port to hang by disabling the logout.

10.2.12 NULL Response to Telnet send-location

The access server uses the NVRAM copy of a port's name to respond to the Telnet send-location option. Prior to this release however, the factory default port name stored in NVRAM was a string of 16 NULL characters so it didn't supply any useful information. Upgrading to this version of software will cause all ports, which have not been assigned a name, to be assigned the default name of PORT_n where n is the port number. Ports which have previously been assigned a name will not be affected.

10.2.13 Maximum Number of TD/SMP Sessions

This release corrects a problem which limited the maximum number of TD/SMP sessions to 64. With this correction the maximum is now 128.

10.2.14 PPP Stops Working

This version of software corrects a problem which would cause PPP to fail. The failure was characterized by not being able to establish a link between the Access Server and the client.

10.2.15 SLIP Problem

This version of software corrects a problem which caused SLIP connections to use an MTU size of 0. Attempts to ping the SLIP port from another port on the server generated "Local -040- Initialization complete" messages.

10.2.16 LAT Generated Unwanted BREAKs

This version of software corrects a problem with the way unsupported parameters are handled in Set DATA_B slots. Prior to this change parameter code 7 would be misinterpreted as the Status parameter and cause a BREAK to be generated.

10.2.17 Problem With Inactivity Logout Timer

DNAS V2.2 introduced a problem that caused the server's Inactivity Logout Timer to be ignored. Remote ports configured for inactivity logout would return to the Idle state if the port was idle for 2 minutes, regardless of the setting of the Inactivity Timer.

11 How to Report a Problem

If you discover a problem with the operation of the DECserver Network Access Software, please submit a Software Problem Report (SPR).

When completing an SPR, describe one problem at a time. This simplifies record keeping and facilitates a quick response. Keep the description simple yet accurate. Illustrate a general problem with several examples. If a FATAL BUGCHECK error occurs, submit a crash dump.

Because problems are often difficult to reproduce with different system configurations, please include as much detail as possible when reporting a problem. Define as precisely as possible the state of your system when the problem occurred and indicate the sequence of events or commands that caused the problem. Attempt to reproduce the situation, if possible, using the minimum number of steps.

If one of your user programs causes a problem in the DECserver and you are unable to send the program to Digital Networks, try to reproduce the problem with a standard utility. If this is not possible, try to describe the program's operation before and after the suspected failure.

When an SPR contains concise problem information, that problem is more likely to be reproduced and corrected. Please ensure that any questions are direct and simply stated so they can be answered clearly and directly.

11.1 Documentation Problems

When describing a problem found in a manual, specify the full title of the manual and identify the appropriate section, table, or page number. Describe what the manual says and also describe the suggested correction.

If you are reporting an error with online help, please identify the full command and screen.

11.2 Severe Errors

Severe errors may cause your DECserver to hang or bugcheck. If your DECserver hangs for more than 90 seconds, you will have to power down and up to restore normal operation. If this should occur, please describe the operating conditions on the DECserver at the time of the hang.

If a FATAL BUGCHECK occurs, a bugcheck message is printed on the console terminal. The message shows the vital registers at the time of the bugcheck. Normally, an upline crash dump is automatically created when a fatal bugcheck occurs.

For other types of problems, a crash dump is also an extremely valuable tool. For example, if you experience a problem that is not easily reproducible, a crash dump will normally allow Digital Networks to fix the problem even though it cannot be reproduced. You can force a CRASH by typing CRASH at the local mode prompt in privileged local mode. A code 300 fatal bugcheck will immediately occur.

The location of the crash dump file may be determined as follows:

o After the DECserver reinitializes, enter local mode and enter a SHOW SERVER STATUS command. Information in this display will indicate the Ethernet address of the dump host. You can identify the dump host from this address.

OpenVMS systems:

o The crash dump will be located in the SYS$COMMON:[DECSERVER] directory on the dump host, and the filename will be NA9xxxxxx.DMP, or NA7xxxxxx.DMP where xxxxxx is the DECnet node name assigned to the network access server as defined using the DSV$CONFIGURE configuration procedure. For example, if the DECserver 90M with node name LAT041 bugchecks, the crash dump will be found in SYS$COMMON:[DECSERVER]DS9LAT041.DMP on the dump host.

ULTRIX systems:

o The crash dump will be located in /usr/lib/dnet on the dump host and the filename will be DS9xxxxxx.DMP or DS7xxxxxx.DMP where xxxxxx is the DECnet node name assigned to the network access server as defined using the DSVCONFIG configuration procedure. For example, if the DECserver 90M with node name LAT041 bugchecks, the crash dump will be found in /usr/lib/dnet/ds9lat041.dmp on the dump host.

DIGITAL UNIX and other UNIX systems:

o The crash dump will be located in the /tftpboot directory. The file name will be one of the following:

  o WW_xxxxxx.DUMP
  o WWxxxxxx
  o MN_xxxxxx.DUMP
  o MNxxxxxx

o Provide a .zip of the crash dump file to your service representative.

Appendix A

RADIUS Attributes Supported in this Release

Please refer to the document RADIUS_SURVIVAL.TXT (or very similar file name) on your kit distribution media for a description of the supported RADIUS Attributes for this release.