SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Bay Networks, Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.
from the date Software is first shipped to Licensee. Bay Networks will replace defective media at no charge if it is returned to Bay Networks during the warranty period along with proof of the date of shipment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse.
THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs.
foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricted or embargoed under United States export control laws and regulations, or to any national or resident of such restricted or embargoed countries;...
LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN BAY NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT.
Release 5.1
If you want to:
• Configure RADIUS security
• Learn about Release 5.1 features for the Model 5393 and Model 6300 Remote Annex
Before You Begin
When administering a Remote Annex, be sure to refer to this supplement for features supported in Release 5.1.
About This Guide
Conventions
This manual uses the following printing conventions:
• special type: In examples, indicates system output.
• bold special type: Indicates user input.
• Return: In command examples, this notation indicates that pressing Return enters the default value.
• italics
119346-A Rev. A
Acronyms
• ACP: Access Control Protocol
• AFD: Automatic Firmware Download
• ATCP: AppleTalk Control Protocol
• block file system
• CHAP: Challenge Handshake Authentication Protocol
• CLI: Command Line Interface
• erpcd: expedited remote procedure call daemon
• HDLC: High Level Data Link Control
• IP: Internet Protocol
• IPCP: Internet Protocol Control Protocol
• IPXCP: IPX Control Protocol
• ISDN
• L2TP
• SLIP
...
Ordering Bay Networks Publications
To purchase additional copies of this document or other Bay Networks publications, order by part number from Bay Networks Press at the following numbers: The Bay Networks Press catalog is available on the World Wide Web at support.baynetworks.com/Library/GenMisc. Bay Networks publications are available on the World Wide Web at support.baynetworks.com/Library/tpubs.
How to Get Help If you purchased a service contract for your Bay Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Bay Networks service program, call one of the following Bay Networks Technical Solutions Centers: Technical Solutions Center Billerica, MA...
• Embedded RADIUS -- Describes how to configure RADIUS security on Remote Annexes. • 5393 and 6300 Functions -- Release 5.1 functions that are supported only on the Model 5393 and Model 6300 Remote Annexes. • RADIUS Authentication includes authentication of the dial-up user to the RADIUS server, as well as authentication of the RADIUS server to the NAS.
Release 5.1 Supplement for Remote Annexes The Remote Annex software includes a native RADIUS client; a RADIUS server is available from Bay Networks separately, or you can use any other RADIUS server. You can use the RADIUS client independently, with the Remote Annex’s security regime set to RADIUS, or you can use erpcd as a proxy RADIUS client running under the ACP security regime.
RADIUS Parameters The following admin/na parameters support the Remote Annex embedded RADIUS capability. Refer to the Remote Access Concentrator Software Reference for a complete description of each parameter. • address_origin - This parameter specifies the server from which the dial-in user receives a network address. •...
RADIUS Attributes
RADIUS tracks various pieces of data using attributes. The Remote Annex supports a number of standard RADIUS attributes, plus a number of Bay Networks vendor-specific attributes (VSAs) that are equivalent to entries in various files used by the ACP security regime.
Bay Networks Vendor-Specific Attributes (VSAs)
These attributes enable RADIUS to emulate the behavior of the ACP security regime:
The RADIUS Dictionary File
A reference RADIUS dictionary file is included in the distribution kit and is placed in the security files area.
The file that Bay Networks provides includes the latest IETF definitions of the RADIUS protocol at the time of release; it includes all attributes and values that are needed to support the Bay Networks Remote Annex implementation. You do not need to use our definitions directly, but other dictionaries may have to be extended to cover our usage.
User Service Types
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt 7
VALUE Service-Type ...
Configuring Remote Annex Functions Using RADIUS You can configure Remote Annex functions by setting the values of RADIUS attributes on the RADIUS server. This section details what RADIUS attributes must be set to enable various Remote Annex functions. In the descriptions that follow, note that numbers for packet types appear in braces {1}, numbers for attributes appear in parentheses (1), and numbers for enumerations appear in brackets [1].
Automatic Connection
You can configure RADIUS to connect a user to a specific service automatically when the user calls in. The Remote Annex port must be in CLI mode (through the port parameter mode set to cli or auto_detect). The RADIUS attributes Service-Type (6), Framed-Protocol (7), and Login-Service (15) determine the service to which the user is connected.
The Login-TCP-Port (16) attribute specifies the destination TCP port for the telnet or rlogin session. The default port for telnet is 23, and the default port for rlogin is 513.
LAT/connect
The Login-LAT-Node (35) attribute specifies the LAT node to connect to via the CLI connect command.
Table 2. Remote Annex Port Mode/Service Restrictions. Service-Type (6) values covered by the table: Login [1]/Callback [3], Framed [2]/Callback [4], Outbound [5], Administrative [6], NAS-Prompt [7]/Callback [9], any, unspecified.
Note that if Service-Type (6) = Callback-Framed [4], the user is granted access but will not be called back.
Session Timeout
You can restrict the user to a specified dial-in length using the Session-Timeout (27) attribute. The value of Session-Timeout (27) is equal to the number of seconds the user is allowed to be dialed in before the Remote Annex unilaterally terminates the user’s session.
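The attribute conventions used in this section (attribute numbers in parentheses, enumerations in brackets) map directly onto the RADIUS wire format. The following Python is an added example, not Bay Networks code: it encodes and decodes the Access-Accept attributes described above and summarizes the connection they produce (service type, telnet/rlogin target with the default-port rule, Session-Timeout). The TLV layout and the Login-Service values Telnet [0] / Rlogin [1] are taken from RFC 2865 rather than from this supplement, and the sample attribute values are constructed.

```python
import struct
import ipaddress

# Attribute numbers named in the supplement (parentheses convention).
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8
LOGIN_SERVICE, LOGIN_TCP_PORT, SESSION_TIMEOUT = 15, 16, 27
INTEGER_ATTRS = {SERVICE_TYPE, FRAMED_PROTOCOL, LOGIN_SERVICE, LOGIN_TCP_PORT, SESSION_TIMEOUT}

# Service-Type enumerations (bracket convention) as listed in Table 2.
SERVICE_TYPE_NAMES = {1: "Login-User", 2: "Framed-User", 3: "Callback-Login-User",
                      4: "Callback-Framed-User", 5: "Outbound-User",
                      6: "Administrative-User", 7: "NAS-Prompt", 9: "Callback-NAS-Prompt"}
# Login-Service values Telnet [0] / Rlogin [1] are assumed from RFC 2865; the
# default destination ports 23 and 513 are the ones the supplement gives.
LOGIN_SERVICE_NAMES = {0: "telnet", 1: "rlogin"}
LOGIN_DEFAULT_PORT = {0: 23, 1: 513}


def encode_attrs(attrs):
    """Serialize (type, value) pairs into RFC 2865 TLVs: type, length (incl. header), value."""
    out = bytearray()
    for atype, value in attrs:
        if atype in INTEGER_ATTRS:
            payload = struct.pack("!I", value)             # 32-bit unsigned integer
        elif atype == FRAMED_IP_ADDRESS:
            payload = ipaddress.IPv4Address(value).packed  # 4 octets, network order
        else:
            payload = value if isinstance(value, bytes) else str(value).encode()
        if len(payload) > 253:
            raise ValueError("attribute %d too long" % atype)
        out += struct.pack("!BB", atype, len(payload) + 2) + payload
    return bytes(out)


def decode_attrs(data):
    """Parse TLVs back into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        payload = data[pos + 2:pos + alen]
        if atype in INTEGER_ATTRS:
            if len(payload) != 4:
                raise ValueError("attribute %d must be 4 octets" % atype)
            value = struct.unpack("!I", payload)[0]
        elif atype == FRAMED_IP_ADDRESS:
            value = str(ipaddress.IPv4Address(payload))
        else:
            value = payload
        attrs.append((atype, value))
        pos += alen
    return attrs


def describe_access_accept(attrs):
    """Summarize what the Remote Annex would do with these Access-Accept {2} attributes."""
    d = dict(attrs)
    summary = {"service": SERVICE_TYPE_NAMES.get(d.get(SERVICE_TYPE), "unspecified"),
               "session_timeout": d.get(SESSION_TIMEOUT), "framed_ip": d.get(FRAMED_IP_ADDRESS)}
    if d.get(LOGIN_SERVICE) in LOGIN_SERVICE_NAMES:
        svc = d[LOGIN_SERVICE]  # Login-TCP-Port (16) overrides the protocol's default port
        summary["login"] = (LOGIN_SERVICE_NAMES[svc], d.get(LOGIN_TCP_PORT, LOGIN_DEFAULT_PORT[svc]))
    return summary


# Constructed sample: a Login-User auto-connected via telnet on a non-default port.
SAMPLE = [(SERVICE_TYPE, 1), (LOGIN_SERVICE, 0), (LOGIN_TCP_PORT, 2323),
          (SESSION_TIMEOUT, 3600), (FRAMED_IP_ADDRESS, "192.0.2.10")]

if __name__ == "__main__":
    wire = encode_attrs(SAMPLE)
    print(wire.hex())
    print(describe_access_accept(decode_attrs(wire)))
```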
CLI Command Filtering
You can make certain CLI commands unavailable to the user. This feature uses the Annex-CLI-Filter (VSA Bay Networks 30) attribute to specify a list of CLI commands that the user cannot access. You must specify each filtered command in a separate attribute.
Raw Outbound Service
The Remote Annex is capable of allowing raw outbound access to a Remote Annex port via telnet. In order to use this feature, the user must either have no Service-Type (6) specified or have Service-Type (6) = Outbound.
IP Static Route Configuration
When IP is running over the link, you can configure static routes for that link with the Framed-Route (22) attribute. Note that the Remote Annex will accept the nonstandard format for this attribute used by the Nautica RADIUS server as well as the standard format.
Maximum Transmission Unit
You can set the size of the maximum transmission unit (MTU) from the Remote Annex to the remote peer with the Framed-MTU (12) attribute, which is supported for SLIP and PPP, but not for ARAP. The value of this attribute is overridden by PPP, however, if the Remote Annex receives a ppp_mru value from the remote peer.
L2TP
L2TP tunnels a user’s PPP session to another node, where it is treated as if it were a local PPP session. L2TP is used to implement both DVS and MMP. L2TP uses CHAP for its peer authentication. This operates the same as regular PPP CHAP, with one exception: the CHAP Identifier is set to the low-order byte of the CHAP challenge.
IPCP
You can configure the user’s IP address (the remote peer’s address) using the Framed-IP-Address (8) attribute if the address_origin port parameter is set to acp or auth_server. If an address is returned by the RADIUS server, then the Remote Annex insists on using that address, or it does not allow IPCP to come up.
SLIP
You can configure the user’s IP address (the remote peer’s address) using the Framed-IP-Address (8) attribute if the admin address_origin port parameter is set to acp or auth_server. If an address is returned by the RADIUS server, then the Remote Annex uses that address.
Accounting
This section describes the RADIUS Accounting features that the Remote Annex supports. Note that the RADIUS Accounting-Request {4} packets include the actual values of RADIUS attributes used, and not necessarily the values returned in the Access-Accept {2} packet. For example, this means that for a PPP user, the Framed-IP-Address (8) attribute is the address actually negotiated during IPCP startup, and not necessarily the address returned by RADIUS.
User Login
The Remote Annex creates a log entry whenever a user is granted access to the Remote Annex. In this case, Acct-Status-Type (40) = Start [1]. The Remote Annex also includes the following attributes, when applicable, in this log:
User Logout
The Remote Annex creates a log entry whenever a user’s Remote Annex session completes. In this case, Acct-Status-Type (40) = Stop [2]. The Remote Annex also includes the following attributes, when applicable, in this log: • User-Name (1) •...
NAS Reboot Up
The Remote Annex creates a log entry whenever the Remote Annex has booted and has come up. In this case, Acct-Status-Type (40) = Accounting-On [7]. The Remote Annex includes the following attributes, when applicable, in this log:
NAS Reboot Down
The Remote Annex creates a log entry whenever the Remote Annex is...
NAS Accounting Start The Remote Annex creates a log entry whenever the Remote Annex starts RADIUS Accounting. This occurs when security is turned on and reset after initially being off. In these cases, Acct-Status-Type (40) = Accounting-Restart [VSE Bay Networks 6]. The Remote Annex includes the following attributes, when applicable, in this log: •...
User Reject
The Remote Annex creates a log entry whenever the Remote Annex rejects the user based on security criteria. In this case, Acct-Status-Type (40) = User-Reject [VSE Bay Networks 1]. The Remote Annex also includes the following attributes in this log:
Call Start
The Remote Annex creates a log entry whenever a 5399, 5393, or RA6300 accepts an incoming call. In this case, Acct-Status-Type (40) = Call-Start [4]. The Remote Annex also includes the following attributes, when applicable, in this log: •...
Call Stop
The Remote Annex creates a log entry whenever it detects an end to a call. In this case, Acct-Status-Type (40) = Call-Stop [5]. The Remote Annex also includes the following attributes, when applicable, in this log:
IPCP Start
The Remote Annex creates a log entry whenever a PPP session starts IPCP.
IPXCP Start
The Remote Annex creates a log entry whenever a PPP session starts IPXCP. The log contains the negotiated IPX address. In this case, Acct-Status-Type (40) = IPXCP-Start [VSE Bay Networks 4]. The Remote Annex also includes the following attributes, when applicable, in this log: •...
Tunnel Start
The Remote Annex creates a log entry whenever an L2TP tunnel is established with another node. When an L2TP tunnel is established, the log contains Acct-Status-Type (40) = Tunnel-Start [VSE Bay Networks 8]. The Remote Annex also includes the following attributes, when applicable, in this log:
Tunnel Stop
The Remote Annex creates a log entry whenever an L2TP tunnel is...
Tunnel Reject
The Remote Annex creates a log entry whenever it rejects L2TP tunnel establishment with a peer. When an L2TP tunnel is rejected, the log contains Acct-Status-Type (40) = Tunnel-Reject [VSE Bay Networks 10]. The Remote Annex also includes the following attributes, when applicable, in this log: •...
MP Stop
The Remote Annex creates a log entry whenever an MP bundle is destroyed. For MMP, this will be logged only on the LNS. In this case, Acct-Status-Type (40) = MP-Stop [VSE Bay Networks 14]. The Remote Annex also includes the following attributes, when applicable, in this log:
Time Stamps and Session Duration...
Session Tagging
Each session in the Remote Annex has a unique Session Identifier. This identifier is an eight-digit uppercase hexadecimal number. For the initial session, the first four digits are random, the next three digits are zero, and the final digit is one.
5393 and 6300 Functions The following functions have been implemented for the Model 5393 and Model 6300 Remote Annexes: Using the Default Call Configuration When delivered to you, the Remote Annex is configured to detect...
Once the call type is detected, calls are handled as follows: • TA and modem calls are placed in protocol-detection mode and directed accordingly to a PPP, ARAP, or terminal emulation (CLI) process. Because of its inherent lack of security, SLIP cannot be detected;...
An SPB has three sections:
How SPBs Are Scanned
When it receives a call, the Remote Annex tries to match the SETUP information elements of the call with setup criteria values defined in the SPBs.
If no SPBs are defined, or no matching SPBs are found, the Remote Annex handles a call as described on page -36.
SPB Fields
Use the following format when entering an SPB into the configuration file. Table 3 describes all possible SPB fields. Unless otherwise noted, each field is optional.
Table 3. SPB Field Definitions
• begin_session (Mandatory): Marks the beginning of an SPB and names it. The session name is an alphanumeric string of up to 12 characters. (The Remote Annex accepts longer strings, but 12 characters is the recommended limit.) You can use this string with the CLI superuser sessions command to display an SPB.
• calling_no
(continued on next page)
Table 3. SPB Field Definitions (continued)
• called_no: Specifies the number the user entered to dial into the Remote Annex. Specify the entire number, including the area code, even if it would not normally be required. Separate the area code from the rest of the phone number with a dash, or enclose the area code in parentheses.
Table 3. SPB Field Definitions (continued)
• detected keyword: Specifies a keyword indicating how to handle calls detected as a result of a call_action field set to detect in another SPB.
(continued on next page)
Table 3. SPB Field Definitions (continued)
• call_action keyword: Defines how to handle the call. This field is mandatory, unless a detect action is already in effect for this call. Valid values for keyword are: detect [timeout], which attempts to recognize V.120 or synchronous PPP frames in the raw digital data delivered by the telco.
Table 3. SPB Field Definitions (continued)
• rate56k: If set to yes, specifies a data rate of 56 Kb/s for the B channels, even if the bearer information in the incoming ISDN SETUP messages indicates a different rate.
• end_session
Automated Firmware Download (AFD)
The Remote Annex uses automated firmware download (AFD) to obtain the correct firmware it requires for operation. The Remote Annex downloads the version of the firmware that is appropriate to the switch type and hardware platform in use.
Normal Download Mode
Normal download mode downloads firmware if it determines that the current firmware revision is outdated, or that the current firmware does not support the switch type in use. You can use the following entry to enable AFD in normal mode: %gateway download pri /* download pri module */...
Solicited Status
Entering the console port command afd displays the status of AFD. Following is the list of messages that may be displayed, depending on the status of AFD:
• afd not started yet: AFD not invoked
•...
Using Multi-System Multilink PPP
Multi-system Multilink PPP (MMP), a superset of Multilink PPP, allows MP links belonging to the same MP bundle to terminate on multiple Remote Annexes. The Remote Annexes are combined together in an MMP group to use all of the incoming channels in the group, increasing the potential bandwidth of an MP bundle.
MMP Groups
An MMP group is a set of one or more Remote Annexes that act as a single entity for any MP links that terminate on any of the Remote Annexes in the group. MMP groups usually are organized to correspond to telco hunt groups.
While the MP link is in the authentication phase, the Remote Annex initiates the Bundle Discovery Protocol to determine if an MP bundle head for the user exists. The MP bundle head is the Remote Annex that contains the first (primary) link of an MP bundle.