Release Notes for Digital Networks Remote Access Security Software
(Supersedes Digital Remote Access Security Version 2.3C)

Software Version:              Digital Networks RADIUS Server (DRAS) Version 2.4
Operating System and Version:  Microsoft Windows NT (i386) Version 3.51 or higher
                               OpenVMS Version 6.1 or higher (VAX and Alpha)
                               Digital UNIX Version 3.2 or higher

Software Version:              Digital Networks RADIUS Manager Version 2.4
Operating System and Version:  Microsoft Windows NT (i386) Version 3.51 or higher
                               Microsoft Windows 98/2000/Me

Contents

-- Installing Digital Networks Remote Access Security (DRAS) Software
-- Summary of Changes
-- Known Problems and Limitations
-- Configuration Guidelines and Tips
-- Additional Information
-- Authentication Modules
-- Documentation
-- Documentation Errors
-- Reporting Problems

-----------------------------------------------------------------
Summary of Changes
-----------------------------------------------------------------

DRAS Manager changes:

-- A single click on a server no longer connects to that server. A single
   click now selects the server; a double click connects to it.

-- The session time and termination cause are not in the correct columns of
   the brief form of the accounting display.

DRAS Server changes:

-- New section in the DRAS.INI file to control flat vs. structured names.

-- RADIUS client identified by source IP address (for shared secret lookup).

-- CHAP challenges up to 253 bytes in length.

-- Session types now supported are Telnet, Rlogin, Portmaster, RAW TCP, LAT,
   Framed IP, Framed IPX, Framed AppleTalk, Outbound, Administrative, NAS
   Prompt, and Authenticate. In earlier versions of the software, the session
   types TCP and TCPIP were swapped, which allowed characteristics to be
   configured for a RAW TCP (TCP) session rather than for the framed TCPIP
   session type.

This version of DRAS contains the following enhancements:

New Authentication Features
---------------------------

1.) Parsing of realm names in structured user names supports Authentication
    Method selection based on the realm part. This supplements the single
    DEFAULT user available in the previous release for selecting the
    Authentication Method without entering each individual user name in the
    native DRAS password database. It is a prerequisite for RADIUS Proxy
    support.

    NOTE: This feature is disabled by default. To enable it, edit the dras.ini
    file in the directory indicated by the DRAS_DIR environment variable and
    set the appropriate entry in the [names] section to "1". The default
    setting is "0".

2.) A "password required" user characteristic is present which bypasses
    password checking for authentication methods that would usually require a
    password.

-----------------------------------------------------------------
Known Problems and Limitations
-----------------------------------------------------------------

The following sections describe known problems or limitations in the Digital
Networks RADIUS Server software.

DRAS Server:

-- Not all existing RADIUS Accounting attributes are supported in the detailed
   accounting logs.

-- Occasionally, extracted Accounting/Event log records show a time shift.
   Time differences between the DRAS Server and DRAS Manager can result in an
   incorrect time shift when extracting log records for display.

-----------------------------------------------------------------
Configuration Guidelines and Tips
-----------------------------------------------------------------

-- Registering RADIUS clients

   RADIUS clients should be registered using their network IP address even if
   your client is registered on a name server. The client typically identifies
   itself in a RADIUS packet using the NAS-IP-Address attribute, and the DRAS
   server does not currently attempt to translate this IP address to a host
   name.
-- Restriction on PPP CHAP clients

   Users dialing in with clients that are configured for PPP CHAP
   authentication must be configured for CHAP authentication in the DRAS
   database. PPP CHAP clients are incompatible with other DRAS authentication
   methods such as HOST, SECURID, DEFENDER, WATCHWORD, and OTP. The reason for
   this restriction is that CHAP authentication requires access to the user's
   unencrypted password, and the listed authentication methods cannot provide
   the user's password to the DRAS server.

-- HOST authentication on Windows NT domain controllers

   If you install the DRAS server on a Windows NT server that is a primary
   domain controller, you must make the following changes to the account of
   any local user that is authenticated using HOST authentication:

   1. Run the User Manager (Programs, Administrative Tools, User Manager).
   2. From the menu, select User, New Local Group.
   3. Create a new group named "DRAS Users".
   4. From the menu, select Policies, User Rights.
   6. Select "Log in locally" from the drop-down listbox.
   7. Add that right to the DRAS Users group.
   8. Select the user accounts from which you will interactively run the DRAS
      Server and add that account as a member of the newly created DRAS Users
      group.

   The method currently used by DRAS to perform HOST user authentication on
   Windows NT requires that the user have the right to log in locally to the
   host. An alternative is to install the DRAS server on a workstation in the
   domain and give each user the right to log in locally to that workstation.

-- Running DRAS in console trace mode on Windows NT

   To perform HOST authentication on Windows NT while running in interactive
   trace mode, you must run from an account that has the privilege to act as
   part of the operating system. Use the following procedure to enable this
   privilege:

   1. Run the User Manager (Programs, Administrative Tools, User Manager).
   2. From the menu, select User, New Local Group.
   3. Create a new group named "DRAS Server".
   4. From the menu, select Policies, User Rights.
   5. Check the "Show Advanced User Rights" checkbox.
   6. Select "Act as part of the operating system" from the drop-down listbox.
   7. Add that right to the DRAS Server group.
   8. Select the user account from which you will interactively run the DRAS
      server and add that account as a member of the newly created DRAS Server
      group.

   Log off, then log on again to enable the new privilege.

-- Establishing a management link to a remote DRAS server

   There are several possible reasons why an attempt to create a management
   link between a workstation running the DRAS Manager and a remote system
   running a DRAS server may fail. The following checklist is a guide to
   troubleshooting management connection failures.

   1. Verify that the remote DRAS Server is running.

   2. Verify that the management station is correctly registered as a client
      in the DRAS Server database. The management station name must be either
      the full system and domain name or the client's IP address. You can use
      the domain name if your client is registered in a domain naming system;
      otherwise, use the client's IP address as the name. The database must
      also contain the correct client secret for the management station, and
      the client must be enabled. Use the DRAS Manager to examine the "Local
      Database" entry for the client.

   3. Verify that the remote management user is correctly registered in the
      DRAS server database. The user requesting the remote management
      connection must be registered with Administrator privilege in the DRAS
      server database. The Administrator privilege is assigned to a group and
      applies to each user that is a member of the group. The user must have
      PASSWORD authentication selected. Check that the user is enabled and the
      password is not expired. Note that case sensitivity can be a problem,
      particularly with cross-platform connections.

-- Running the DRAS server in debug trace mode

   The DRAS server can run from the console in debug trace mode. The trace
   often provides sufficient information to solve authentication and remote
   management connection problems, and to verify that the server is able to
   start and initialize. To run in trace mode, first stop the server if it is
   running as an NT service. The environment variable DRAS_DIR must point to
   the location of the DRAS database files. Change directory to the DRAS
   installation directory and use the command

      > drassrv console 5

   to start the server. You can view more detailed trace information using a
   trace level of 6, 7, or 998.

-----------------------------------------------------------------
Additional Information
-----------------------------------------------------------------

-- Use of threads

   The Digital Networks Remote Access Security server is multi-threaded. By
   default, three threads are created to handle RADIUS requests and three
   threads are created to handle RADIUS Accounting requests. The number of
   threads created can be controlled using the RadiusThreads and
   AccountingThreads .INI file parameters. See the Digital Networks Remote
   Access Security Use documentation for more details.

-- Increasing the responsiveness of the DRAS Server on Windows NT

   You can increase the responsiveness of the server on Windows NT systems by
   adding the name and address of the host system to the file
   \winnt\system32\drivers\etc\hosts. You can also add the names and
   addresses of your RADIUS clients and remote management stations to the
   system's "hosts" file. If the RADIUS client is using its IP address as the
   name, simply enter the IP address as the name. The entry in the "hosts"
   file would appear as:

      10.20.30.40   10.20.30.40   ;RADIUS client using IP address as name

-- Registering RADIUS Clients

   It is very important to use the correct name when registering your RADIUS
   clients. Remote management clients may be registered under their name and
   domain if a name service is available. Otherwise, you should use the remote
   management client's IP address as the name.
-- Failed Access-Request events for user {CUB}

   When the DRAS Manager is started, it sends out a broadcast message (in the
   form of a RADIUS Access-Request packet containing the user name '{CUB}') to
   detect DRAS Servers on the LAN. When DRAS Servers receive this broadcast,
   they send an Access-Reject packet back to the DRAS Manager client. This
   exchange makes each DRAS Server known to the DRAS Manager. A side effect,
   however, is that the DRAS Server logs these events in the accounting log as
   failed access requests for the user '{CUB}'. These access failures may be
   safely ignored. In a future DRAS release, these failures will be silently
   ignored and not logged.

-- SetupDB (Database Initialization Utility)

   SetupDB is a utility for Windows NT that allows you to create an initial
   DRAS server database after you install the software. If you re-install the
   software or re-run the SetupDB utility at any time, the utility overwrites
   any existing database files already on your system. Before re-running
   SetupDB, you might want to back up the following files located in the
   directory pointed to by the DRAS_DIR environment variable:

   Windows NT
   ----------
   drasusrs.*
   drasacct.dat
   drasdb.*
   drasrsrv.* (if found)

-----------------------------------------------------------------
Authentication Modules
-----------------------------------------------------------------

When performing remote management, you must have the appropriate
authentication callout modules available locally for any authentication
callout that you intend to use or specify on the remote system. If you
installed DRAS normally, the necessary authentication callout modules will
have been installed in the appropriate place on your system(s).
Seven authentication callout modules are supplied with this version of the
software:

- Static Password (PASSWORD)
- Racal WatchWord (WATCHWORD)
- CHAP/PAP (CHAP)
- SecurID (SECURID)
- One Time Password (OTP)
- Host Password (HOST)
- Digital Pathways (DEFENDER)

The following sections contain additional important information about some of
these authentication methods.

Security Dynamics SecurID
-------------------------

Configuring SecurID Authentication

The DRAS server must be registered as a client on the Security Dynamics ACE
server, and you must have a copy of the 'sdconf.rec' file that was created
during installation of the ACE server in your DRAS_DIR directory. When
registering users in the DRAS database, no information need be entered in the
user's password field to use SecurID authentication.

Using SecurID Authentication

When logging in to a network access server, the user may enter the appropriate
SecurID passcode at the "Password" prompt. The DRAS server will return a
challenge if the user does not enter a passcode at the password prompt.

Racal WatchWord
---------------

When registering a user for WatchWord authentication, enter the user's DES key
into the password field. The key is encrypted before being entered into the
DRAS database.

Host
----

When registering a user for Host password authentication, no information need
be entered into the user's password field. The DRAS server uses the host's
standard interactive logon service and native user database to authenticate
the user, e.g. NT Domain Authentication.

One-Time-Password (OTP)
-----------------------

One-Time-Password, also known as S/Key, implements a one-time password
authentication system. The system provides authentication for system access
(login) and other applications requiring authentication that is secure against
passive attacks based on replaying captured reusable passwords. OTP evolved
from the S/Key One-Time Password System that was released by Bellcore. OTP is
described in RFC 1938 (May 1996), which is the product of the One Time
Password Authentication Working Group of the IETF. This is now a Proposed
Standard Protocol.

Establishing OTP Authentication for a User

Open an existing user record, or create a new user record, and select OTP as
the Authentication Method. Enter the user's pass-phrase and, optionally, the
number of passwords to generate and a seed, into the Password field. The
format of the password field is:

   pass-phrase+count+seed

where pass-phrase, count, and seed are character strings separated by the '+'
character.

The pass-phrase should be 10 to 63 characters. This pass-phrase is known only
to the user and is never passed over the network. A user may safely use the
same OTP pass-phrase on multiple systems as long as the seed is different on
each system.

The count is the number of passwords to generate for this user. It is
effectively the number of times the user may authenticate using this system.

The seed is a number consisting of purely numeric characters and must be one
to sixteen characters long. The server will generate a seed if one is not
supplied.

Authenticate/Login with OTP

To log in, enter your user name. The password is not required; the DRAS server
ignores anything entered into the password field. The DRAS server will return
a challenge in the form:

   otp-md5 <sequence> <seed>

The sequence integer and seed are entered into the user's OTP calculator along
with the secret pass-phrase to generate a response. This response is the
user's currently valid one-time password. (Note: A prototype Java-based OTP
calculator is currently available at http://www.cs.umd.edu/~harry/jotp/.)

The DRAS Server only supports the MD5 hash algorithm. Make sure the OTP
calculator you use supports the MD5 hash algorithm.

The sequence number decreases every time a user successfully authenticates.
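The OTP exchange described above, as an added example that is not DRAS code: an RFC 1938/2289 one-time-password calculator using the MD5 hash (the only hash the DRAS server supports), together with the server-side check that a response for sequence n, hashed once more, equals the password stored for sequence n+1. The pass-phrase+count+seed field parser follows this section's rules; the OtpUser class and its stored state are an assumption about how a server such as DRAS keeps per-user OTP data, not a description of DRAS internals. The RFC 2289 Appendix C MD5 vectors (pass-phrase "This is a test.", seed "TeSt") reproduce with it.

```python
import hashlib

# Added example, not DRAS code: RFC 1938/2289 one-time passwords with MD5, the
# only hash the DRAS server supports. OtpUser models the per-user state a server
# must keep (an assumption about DRAS internals): the last accepted one-time
# password and its sequence number, never the pass-phrase itself.

def parse_otp_field(field):
    """Split the DRAS field 'pass-phrase+count+seed'; missing parts are None."""
    phrase, count, seed = (field.split("+") + [None, None])[:3]
    if not 10 <= len(phrase) <= 63:
        raise ValueError("pass-phrase should be 10 to 63 characters")
    if seed is not None and not (seed.isdigit() and 1 <= len(seed) <= 16):
        raise ValueError("seed must be 1 to 16 numeric characters")
    return phrase, (int(count) if count else None), seed

def _fold(digest):
    # MD5 yields 16 bytes; OTP folds them to 8 by XORing the two halves.
    return bytes(digest[i] ^ digest[i + 8] for i in range(8))

def otp_md5(passphrase, seed, sequence):
    """One-time password for `sequence` as 16 hex digits (RFC 2289 hex form)."""
    # The seed is case-insensitive and is lowercased before it is hashed.
    x = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(sequence):
        x = _fold(hashlib.md5(x).digest())
    return x.hex()

class OtpUser:
    """Server-side record: stores the OTP for `count`, then walks downward."""

    def __init__(self, passphrase, count, seed):
        self.seed = seed
        self.sequence = count
        self.last_otp = otp_md5(passphrase, seed, count)

    def challenge(self):
        # The challenge the NAS shows the user; sequence drops on each success.
        return "otp-md5 %d %s" % (self.sequence - 1, self.seed)

    def verify(self, response):
        """Hashing a valid response once must give the stored password."""
        try:
            candidate = bytes.fromhex(response)
        except ValueError:
            return False
        hashed_once = _fold(hashlib.md5(candidate).digest()).hex()
        if len(candidate) != 8 or hashed_once != self.last_otp:
            return False
        self.last_otp = candidate.hex()   # replaying this response now fails
        self.sequence -= 1
        return True

    def low_sequence_warning(self):
        # DRAS warns the user once fewer than 10 passwords remain.
        return self.sequence < 10
```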
Although the current sequence number is displayed as part of the challenge,
the DRAS server generates an additional warning message to the user when the
sequence number is smaller than 10.

This version of the DRAS server does not support password sequence generation
by the user. A new sequence of passwords can only be generated by the
management utility.

Users May Change DRAS Password from a RADIUS Client
---------------------------------------------------

The DRAS server allows users to change their password when they log in through
a network access server. To change their password, users should use the
following syntax at the NAS Password prompt:

   current,new,new

That is, the current password should be followed by the new password entered
twice, each delimited by a comma. By default, DRAS expects a comma to separate
the passwords. You may change this to some other printing character in the
.INI file. The default entry is:

   [Password]
   Delimiter=,

The character selected as the delimiter cannot be part of a valid password.

DRAS authenticates the user using the current password and, if successful, the
server attempts to change the user's password. This operation will fail if the
new passwords are not identical. If the server cannot change the password, the
user's login attempt is rejected and the password is not changed.

Changing one's password in this fashion is currently supported only for users
that are authenticated using the PASSWORD authentication method.

-----------------------------------------------------------------
Documentation
-----------------------------------------------------------------

The following documentation is available:

-- Digital Networks Remote Access Security Installation
   Contains installation instructions for all installation kits.

-- Digital Networks Remote Access Security Use (Windows NT and Windows 95)
   Describes how to use the Windows-based management utility, DRAS Manager.

When viewing the documentation online, be sure to expand the display window to
correctly view code examples and tables.

-----------------------------------------------------------------
Documentation Errors
-----------------------------------------------------------------

The following are corrections to documentation errors, or information that was
not available before the documentation was finalized.

Digital Networks Remote Access Security Installation

If viewing the book online, the tables that list the files installed in
%SystemRoot%\System32 for Windows and Windows NT systems should include the
following files:

   REGSVR32.EXE   Creates entries in the Windows Registration Database
   OLEPRO32.DLL   Specific OLE grid control
   ADVAPI32.DLL   API for NT system services

The following file should be deleted from the tables:

   DRASMSG.DLL

If viewing the book online, the last paragraph of Step 2 of the Installing the
Software topic in the DIGITAL UNIX Installation section refers to a WindowsNT
directory. It should read WINNT directory.

-----------------------------------------------------------------
Reporting Problems
-----------------------------------------------------------------

Digital Networks is very interested in your feedback. When reporting problems
to Digital Networks, please be sure to have the following information
available:

-- Component information

   Please indicate whether the problem pertains to the DRAS Server or the DRAS
   Manager.

-- Program version information

   Program version information is displayed in the DRAS Server log file when
   the server is started. In addition, serious conditions and significant
   events are logged with a leading timestamp that contains the version
   identification string for the image. For example:

      ___ Wed Jan 17 15:34:29 2000 __________ DRAS V2.4 _______
      Digital Networks RADIUS Server started.

   Without this information, we cannot properly diagnose the problem.

-- Hardware platform and operating system information

   Please provide the hardware platform (Alpha, Intel) as well as the
   operating system and version on which you are experiencing the problem.

-- Problem description

   A full description of the problem is most helpful to Digital Networks in
   diagnosing it. If you are reporting problems electronically, please include
   as much detail as possible, including the server log file.