Release 2.0
A complete package for access control and accounting data management. Especially designed for Internet Service Providers. Available for Windows NT 4.0, Windows 95/98 and Windows 2000. Y2K Ready.
INFORMATION IN THIS DOCUMENT MAY BE SUBJECT TO CHANGE WITHOUT NOTICE. IT IS ALSO POSSIBLE THAT THIS DOCUMENT COULD INCLUDE TYPOGRAPHICAL ERRORS OR TECHNICAL INACCURACIES. MASTER SOFT S.N.C. PROVIDES THIS DOCUMENT AND THE RELATED SOFTWARE NTTACPLUS AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO PART OF THIS DOCUMENT MAY BE REPRODUCED, TRANSMITTED, STORED IN A RETRIEVAL SYSTEM, NOR TRANSLATED INTO ANY LANGUAGE, IN ANY FORM OR BY ANY MEANS, ELECTRONIC, MECHANICAL, MAGNETIC, OPTICAL, CHEMICAL, MANUAL, OR OTHERWISE, WITHOUT THE EXPRESS WRITTEN PERMISSION FROM MASTER SOFT S.N.C.
Copyright 1998-2000 MASTER SOFT S.N.C. - Novara (Italy) - All rights reserved. NTTacPlus and MSoft are registered trademarks of Master Soft S.n.c. All the references to other companies and product names are trademarks or registered trademarks of their respective holders.
http://forum.persiannetworks.com
page 1/92
Summary
Introducing NTTacPlus  3
  What is NTTacPlus  3
  NTTacPlus Main Features  5
What's new in NTTacPlus 2.0  8
  Introducing NTTacPlus 2.0  8
  Differences with release 1.x  8
  How to upgrade NTTacPlus 1.x  11
NTTacPlus Installation  12
  System requirements  12
  Contents of the installation package  12
  NTTacPlus setup  12
  Uninstalling NTTacPlus  14
  Running NTTacPlus as a stand-alone application  14
  Running NTTacPlus as a Windows NT service  14
  Running NTTacPlus in unregistered mode  15
NTTacPlus Configuration  16
  First execution of NTTacPlus  16
  First login on NTTacPlus  17
  NTTacPlus Console Elements  17
  Configuration parameters summary  20
  NAS Configuration for use with NTTacPlus  26
  RADIUS/TACACS+ specific parameter configuration  30
  Configuring NTTacPlus and the NAS for forced disconnection  32
  General settings  35
  Configuration of the activity event log  39
  Resynchronization with Cisco NASes  41
  Configuring backup on a NTTacPlus server  43
  Configuration of login messages  44
RADIUS & TACACS+  45
  The AAA Model  45
  Authentication  45
  Authorization  45
  Accounting  46
  NTTacPlus AAA Model Implementation  46
  The authentication process in NTTacPlus  46
  The authorization process in NTTacPlus  48
  The accounting process in NTTacPlus  49
  Comparison between some RADIUS attributes and their TACACS+ equivalent  50
  The RADIUS attributes and the dictionary  50
Account Management  52
  The User Account Database  52
  Hierarchical structure of the database  52
  User (group) profile parameters  53
  Using wildcards in expressions  63
  Some user and group profile examples  64
  Special settings  68
  The post-authentication scripts  69
  Expiring account warning e-mail messages format  70
  Account profiles in ODBC SQL format  71
  Managing accounts with the Profile Manager  73
  Some remarks about Profile Manager settings  74
The accounting data  82
  Accounting data generated by NTTacPlus  82
  Per-user accounting files  82
  Global accounting files  83
  Accounting data on ODBC SQL databases  84
  SQL Active users output  84
  Configuring Accounting in NTTacPlus  85
  Configuring the accounting output on ODBC  88
Configuring NTTacPlus manually  91
  Configuration file structure  91
  Flags and Debug special parameters  93
Technical support and Product Registration  96
  Documentation to enclose with communications  96
  How to register the product  96
  License Agreement  97
  How to contact us  98
Introducing NTTacPlus
What is NTTacPlus
NTTacPlus is a centralized server application for the control and management of remote access to the network through the standard protocols TACACS+ (developed by Cisco) and RADIUS (developed by Livingston, now an IETF standard). This application implements the AAA model (Authentication, Authorization, Accounting):
- Authentication: identifying who a user is (username/password pair validation).
- Authorization: identifying what a user can do (network resource assignment).
- Accounting: the recording process which keeps track of system utilization by the user.
Centralized Access Management
NTTacPlus can operate either as a stand-alone program or as a service under Windows NT. NTTacPlus is based on a user database that can be implemented in two different ways: as a set of simple text files, each file representing a user, or as an ODBC SQL database (such as Microsoft Access or SQL Server) containing two tables, one for user accounts and one for group profiles. User profiles contain account parameters (password expiration date, login hours and credits, etc.). The Network Access Server (NAS), sometimes also called Communication Server, Remote Access Server or Terminal Server, is a device which usually accepts remote access through phone calls on analog or ISDN lines, using modems or ISDN terminal adapters. The NAS connects dial-in users to the internal network (Intranet), typically a Local Area Network (LAN), or to the Internet as a whole. NTTacPlus accepts authentication and authorization queries from the NAS (such as 3Com Total Control, Ascend Max, Livingston PortMaster, Cisco AS5200), examining user profiles and taking into account the characteristics configured for each user.
Moreover, NTTacPlus acquires the accounting data sent by the NAS and records it on an ODBC datasource. This makes the accounting data available for statistical processing of accesses, for the creation of detailed billing reports, and so on.
Complete support for authentication, authorization and accounting
NTTacPlus supports any authentication, authorization and accounting request defined in the standard specifications of both the TACACS+ and RADIUS protocols. Its flexibility also allows it to support new proprietary extensions defined for authorization in either protocol.
Simplified and remote management of the user profile database
User profiles can be easily modified with any text editor (such as notepad.exe) when they are stored in text files. If you plan to use ODBC support for your user database, you can edit them through simple queries. It is not necessary to load or save the user database, because any modification to a profile takes effect as soon as the file is saved, even when you are using ODBC support. Backing up the whole database is just as immediate: simply copy the user and group profile directories, or make a backup copy of the user database when operating with ODBC. Thanks to the NTTacPlus Console it is possible to perform complete remote management of both NTTacPlus servers and the related accounts. The remote management application is a small executable and works on any Windows 9x, Windows 2000 or Windows NT machine connected to a TCP/IP network. The Remote Console lets you modify user profiles in real time, dialoguing with a NTTacPlus server. The data exchange between the Remote Console and the NTTacPlus server is encrypted.
Groups and Inheritance
With NTTacPlus it is possible to define not only user profiles but also group profiles. Group profiles can include all the parameters which can be applied to a single user. You just have to assign a user to a group and it will automatically inherit all the parameters previously set in the parent group. A user profile may belong to more than one group; in this case the search for an attribute proceeds through each group in turn. Moreover, a group itself may belong to another group. It is therefore possible to create a hierarchical structure which makes user profiles very easy to manage: common settings are kept in the groups, each profile contains only the parameters that distinguish that user, and time-wasting repetition across profiles is avoided.
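As an added example (not code from the NTTacPlus package), the following Python sketch shows how a parameter lookup can walk such a hierarchy: the user profile is consulted first, then each group the user belongs to, then the parents of those groups, with a guard against group cycles. The dict layout, the Groups key, the sample values and the depth-first, first-match-wins order are assumptions made for the illustration, not the real *.usr/*.ugp profile syntax.

```python
# Added example, not NTTacPlus code: parameter resolution through a user/group
# hierarchy with multiple membership and nested groups.
# The dict layout and the "Groups" key are constructed stand-ins for the
# *.usr / *.ugp profile files, not the real NTTacPlus profile syntax.
from typing import Dict, Optional, Set, Tuple

# Constructed sample database. "Groups" lists the parent groups of a profile;
# every other key is an ordinary profile parameter.
USERS: Dict[str, dict] = {
    "alice": {"Groups": ["staff", "dialup"], "Expires": "31/12/2000"},
    "bob":   {"Groups": ["dialup"], "MaxLogins": 2},
}
GROUPS: Dict[str, dict] = {
    "staff":    {"Groups": ["everyone"], "Privilege": 15,
                 "TimeTable": "Mo-Fr 08:00-20:00"},
    "dialup":   {"Groups": ["everyone"], "Privilege": 1, "MaxLogins": 1},
    # deliberate cycle: everyone -> dialup -> everyone, to exercise the guard
    "everyone": {"Groups": ["dialup"], "Expires": "01/01/2001"},
}


def _search(profile: dict, source: str, param: str,
            visited: Set[str]) -> Optional[Tuple[object, str]]:
    """Depth-first search for `param`: the profile itself, then each parent
    group in the order listed. Returns (value, name of the profile that
    defined it) or None. `visited` stops group cycles and repeated work."""
    if param in profile:
        return profile[param], source
    for group in profile.get("Groups", []):
        if group in visited or group not in GROUPS:
            continue            # already examined, or a dangling reference
        visited.add(group)
        found = _search(GROUPS[group], group, param, visited)
        if found is not None:
            return found
    return None


def lookup(user: str, param: str) -> Optional[Tuple[object, str]]:
    """Resolve one parameter for a user. Assumed rule: the user profile wins,
    then the first group (in membership order) that defines the parameter."""
    profile = USERS.get(user)
    if profile is None:
        return None
    return _search(profile, "user:" + user, param, set())


def effective_profile(user: str) -> dict:
    """Merge the user's own parameters with everything inherited from the
    hierarchy, using the same first-definition-wins order as lookup()."""
    merged: dict = {}

    def walk(profile: dict, visited: Set[str]) -> None:
        for key, value in profile.items():
            if key != "Groups":
                merged.setdefault(key, value)
        for group in profile.get("Groups", []):
            if group not in visited and group in GROUPS:
                visited.add(group)
                walk(GROUPS[group], visited)

    profile = USERS.get(user)
    if profile is not None:
        walk(profile, set())
    return merged


if __name__ == "__main__":
    for name in USERS:
        print(name, effective_profile(name))
```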
Real time and remote check on the activity
NTTacPlus allows the monitoring of active connections thanks to a window showing a list of active users, specifying for how long and on which NAS they have been connected.
Moreover, NTTacPlus records in real time all incoming authentication, authorization and accounting requests, as well as remote management sessions. The events are displayed on screen in a log window and are also permanently recorded in a log file. It is also possible to forcibly and automatically disconnect users through the RSHELL protocol (implemented in this release of NTTacPlus) or using external utilities or scripts (like SNMPSET or telnet). Thanks to the NTTacPlus Console application it is possible to show an exact copy of the active users window on any remote PC (Windows 9x, Windows 2000 or NT) connected to a TCP/IP network.

Redundant functioning and backup features
NTTacPlus can be installed on another machine and configured as a redundant backup server. The backup NTTacPlus can automatically connect to the primary NTTacPlus server and periodically synchronize the whole user database. The data transfer during synchronization takes place over a TCP connection and the exchanged packets are encrypted. In case of malfunction of the main server, the NAS can address its requests to the backup server.
Extended access control
NTTacPlus offers several parameters to regulate user access. In particular, it is possible to configure access upon:
- expiry date of the account
- connection time-table (daily or weekly, with a programmable holiday calendar)
- Called/Calling ID (called/calling phone number, if supported by the Telco)
- source NAS or NAS port (distinction between analog and ISDN calls)
- number of concurrent logins for the same account
- overall residual time credit
- overall residual traffic credit
- time quota assignment for a given period
- privilege level (from basic user to administrator)
Extended check on suspicious cases
NTTacPlus can detect failed access attempts (due to wrong password, time of connection, privilege, or double access attempts with the same username) and can then undertake administrative actions (each of which can be freely enabled or disabled) such as:
- e-mail notification to the system administrator
- e-mail notification to the relevant user
- immediate disabling of the user account
- immediate forced disconnection of the user
Furthermore, NTTacPlus can send customizable warning e-mail messages to a user when his account is expiring or when his credits (time or traffic) are under a warning threshold.
Extended support for accounting (ODBC)
NTTacPlus offers extended support for accounting. For each session NTTacPlus records a series of useful information, such as the duration of the session, input and output traffic, and the residual time and traffic credit. The accounting output is written in real time to a standard ASCII table file or to a standard ODBC database, such as Microsoft Access, SQL Server, Oracle, etc.
NTTacPlus can also maintain a real-time updated table of the currently logged in users in an ODBC database.
Functioning as a Proxy module for Windows NT, UNIX or other TACACS+ servers
NTTacPlus can perform username and password authentication by redirecting access requests to a Windows NT machine (even a remote one), using its user database. It can also redirect authentications to other TACACS+ servers, or use accounts stored in standard UNIX passwd files.
Automatic synchronization with Cisco Network Access Servers (NAS)
NTTacPlus can synchronize its active users list with any Cisco NAS. In this way you can avoid losing information when a server running NTTacPlus restarts or when the NAS itself reboots. Furthermore, NTTacPlus can periodically synchronize its active user list by querying the NASes and updating its current accounting information. In this way NTTacPlus can eliminate a possible loss of accounting data (for example when the NAS doesn't correctly send the STOP messages to NTTacPlus).
NTTacPlus Open Architecture
NTTacPlus offers an open architecture through the use of the ODBC standard for storing user/group profiles and accounting data, so you can easily integrate NTTacPlus in legacy environments. NTTacPlus also allows administrators to expand its authentication and accounting capabilities using customizable external scripts.
Easy web interfacing
NTTacPlus can easily expose its accounting data (active users, user profiles, accounting reports) to a Web server using ASP, Cold Fusion Markup Language, CGI, etc. The administrator/webmaster only has to customize the HTML format of his Intranet/Internet web server in order to manage users, create accounting reports, sell accounts on-line, and so on.
User interface moved to the separate NTTacPlus Remote Console application
The remote console has been completely redesigned and now integrates into a single application the old NTTacPlus Console and the NTTacPlus User Manager. The server-side interface has been reduced to a single dialog window (or a systray icon if NTTacPlus is running minimized). If NTTacPlus is executed as a service no GUI window is visible: this new design optimizes server-side memory utilization and performance. All the functions formerly available in the NTTacPlus main window are now accessible via the NTTacPlus Remote Console, so you can completely administer NTTacPlus servers from anywhere on the network. The setup program lets you choose whether to install the NTTacPlus server only, the NTTacPlus Remote Console only, or both.
However, you do not need to execute the setup to install the Remote Console on a client PC. It is enough to copy the following two files into a directory of the PC on which you want to run the NTTacPlus Remote Console:
  NTTACMON.EXE: the Remote Console main executable
  RADDICT.DAT: the RADIUS attribute dictionary used for user profile management
In order to manage a NTTacPlus server locally, start the Remote Console and log in using localhost as the server address.
RADIUS protocol support
This release of NTTacPlus fully supports the RADIUS protocol with any RADIUS-enabled client. Some attributes specific to the RADIUS protocol are automatically re-mapped onto standard NTTacPlus parameters, in order to keep the graphical interface consistent with the TACACS+ protocol and at the same time compatible with older versions of NTTacPlus. For a more in-depth description of this feature, read the paragraph Comparison between some RADIUS attributes and their TACACS+ equivalent. Through the RADIUS protocol, NTTacPlus can now take advantage of the Session-Timeout attribute to implicitly terminate user sessions. See the chapter Use of session-timeout.
Users and groups SQL ODBC database support
NTTacPlus can now also store user and group profiles in a SQL/ODBC database: you can simply decide whether to keep your existing accounts in simple ASCII text files or to import them into an ODBC database. You can find details on the usage of and migration to ODBC databases in the chapter Account profiles in ODBC SQL format. A sample MS Access 97 database is distributed with NTTacPlus. In this database you'll find some routines useful for importing and exporting users to and from text profiles.
New configuration menus
All configuration options have been reorganized and moved to a single dialog window accessible from the Tools/Options (F8) menu. You can access the configuration dialog window from any NTTacPlus Remote Console. Any modification issued from the configuration dialog window becomes effective as soon as you confirm it, and does not require any server restart.
Cisco NAS resynchronization improvements
A new set of resynchronization routines has been implemented to eliminate problems due to the loss of accounting STOP records by Cisco NASes. This is a workaround for bugs in some IOS releases. You can find more details about this feature in the chapter Resynchronization with Cisco NASes.
A list of minor changes
A list of minor changes and new features follows. Detailed information about these changes is available further on in this document.

Modifications to the NTTacPlus graphical interface and configuration:
- Added context menu support in the active users window (now you can double-click or right-click on logged in users).
- Changed the external script syntax of the Kill section for forced user disconnection: wildcards are supported in interface names, you can distinguish by NAS, and default command support has been added.
- Added internal support for the RSHELL protocol: you no longer need to spawn external applications to issue rsh commands.
- Added global (not per-user) post-accounting script execution support, to extend accounting capabilities with your own procedures.
- Added MS-CHAP and ARAP-DES authentication protocol support for TACACS+.
- Reorganized the Activity event log message format: messages are now more detailed and more compact at the same time.
- Added a refuse (not) operator in wildcard expressions (the exclamation mark symbol !).
- Improved the information detail of administrative and warning e-mail messages.
- Added system accounting support for the TACACS+ protocol.
- Added the possibility to configure the time interval between two checks on active sessions.
- Added the possibility to disable the on-screen activity event log output, in order to reduce CPU load in case of many simultaneous Remote Console sessions.

Account profile modifications:
- Added support for the new parameter EffectiveFrom: now you can specify the account starting date besides the standard expiration date.
- Added support for a new format of the Expires parameter: now you can give NTTacPlus an account duration (in days) rather than an absolute expiration date. By combining this feature with the EffectiveFrom parameter, NTTacPlus can handle fixed-duration accounts that auto-activate from the first successful login.
- Added per-user post-authentication script execution support: now you can extend authentication capabilities with your own external procedures.
- Reorganized warning and expiration e-mail messages: this feature is now available for time and traffic credit accounts also.
- Added a dedicated password management section in the Profile Manager.
- Added support for DES encrypted passwords.
- Added support for authentication against a standard UNIX passwd(5) file.
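The following Python sketch is an added example (not NTTacPlus code) of a login-time access check that combines the controls listed under "Extended access control" in the features chapter (account expiry, connection time-table, concurrent logins, residual time and traffic credit) with the EffectiveFrom parameter and the duration form of Expires described in the list above, including the fixed-duration account that starts counting from the first successful login. The profile dict, the "30d" duration notation, the time-table layout, the date format and the sample values are all assumptions for the illustration, not the real NTTacPlus profile syntax.

```python
# Added example, not NTTacPlus code: a login-time access check combining
# account expiry, EffectiveFrom, fixed-duration accounts activated on first
# login, a weekly connection time-table, concurrent logins and credits.
# Profile layout, "30d" duration notation and date format are assumptions.
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple


def _parse_date(text: str) -> date:
    """Dates in the profile are written day/month/year (assumption)."""
    return datetime.strptime(text, "%d/%m/%Y").date()


def expiry_date(profile: dict, first_login: Optional[date]) -> Optional[date]:
    """Absolute expiry date of the account, or None when it does not expire.
    A duration such as "30d" counts from EffectiveFrom when that is set,
    otherwise from the first successful login; until that login happens a
    fixed-duration account has not started to expire at all."""
    expires = profile.get("Expires")
    if expires is None:
        return None
    if expires.endswith("d"):
        days = int(expires[:-1])
        start_text = profile.get("EffectiveFrom")
        start = _parse_date(start_text) if start_text else first_login
        return None if start is None else start + timedelta(days=days)
    return _parse_date(expires)


def in_time_table(table: Dict[int, List[Tuple[int, int]]], now: datetime) -> bool:
    """table maps weekday (0 = Monday) to [(from_hour, to_hour), ...] ranges;
    a weekday absent from the table means no access on that day."""
    return any(start <= now.hour < end
               for start, end in table.get(now.weekday(), []))


def check_access(profile: dict, state: dict, now: datetime) -> Tuple[bool, str]:
    """Decide a login request. `state` is what the server tracks per account:
    active_sessions (int), first_login (date or None), time_credit_min and
    traffic_credit_kb (number, or None for accounts without a credit limit).
    Returns (allowed, reason); on success the first-login date is recorded
    so that a fixed-duration account starts counting from now."""
    today = now.date()
    effective = profile.get("EffectiveFrom")
    if effective and today < _parse_date(effective):
        return False, "account not yet effective"
    expiry = expiry_date(profile, state.get("first_login"))
    if expiry is not None and today > expiry:   # still valid on the expiry day
        return False, "account expired"
    if "TimeTable" in profile and not in_time_table(profile["TimeTable"], now):
        return False, "outside connection time-table"
    if state.get("active_sessions", 0) >= profile.get("MaxLogins", 1):
        return False, "too many concurrent logins"
    credit = state.get("time_credit_min")
    if credit is not None and credit <= 0:
        return False, "time credit exhausted"
    credit = state.get("traffic_credit_kb")
    if credit is not None and credit <= 0:
        return False, "traffic credit exhausted"
    if state.get("first_login") is None:
        state["first_login"] = today
    return True, "ok"


def check_at(profile: dict, state: dict, when: str) -> Tuple[bool, str]:
    """Convenience wrapper: `when` is "dd/mm/yyyy HH:MM"."""
    return check_access(profile, state, datetime.strptime(when, "%d/%m/%Y %H:%M"))


def expiry_text(profile: dict, state: dict) -> Optional[str]:
    """Expiry date as "dd/mm/yyyy", or None when not (yet) determined."""
    expiry = expiry_date(profile, state.get("first_login"))
    return None if expiry is None else expiry.strftime("%d/%m/%Y")


# Constructed sample: a 30-day account usable on weekdays 08:00-20:00, one
# session at a time, that activates on the first successful login.
WEEKDAYS = {day: [(8, 20)] for day in range(5)}
SAMPLE_PROFILE = {"Expires": "30d", "TimeTable": WEEKDAYS, "MaxLogins": 1}


def new_state() -> dict:
    return {"active_sessions": 0, "first_login": None,
            "time_credit_min": None, "traffic_credit_kb": None}


if __name__ == "__main__":
    state = new_state()
    print(check_at(SAMPLE_PROFILE, state, "06/03/2000 10:00"))   # Monday
    print("expires on", expiry_text(SAMPLE_PROFILE, state))
```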
NTTacPlus Installation
This chapter explains how to install NTTacPlus over a fresh system with no previous versions of the software. If you need to perform an upgrade or install over an existing version, please read the previous chapter.
System requirements
- Windows 9x, Windows NT 4.0 or Windows 2000
- Pentium/133 or higher
- 32 Mb of RAM on Windows 9x, 48 Mb on Windows NT and Windows 2000
- Less than 4 Mb of disk space for installation; additional space is required for log files, accounting data and user profile data
- Winsock 1.1 compliant TCP/IP stack
NTTacPlus setup
1. Create a temporary directory for the installation of NTTacPlus (e.g. c:\temp).
2. Extract the zip archive into the directory created.
3.
Uninstalling NTTacPlus
To uninstall NTTacPlus you can click on the Uninstall icon in the NTTacPlus folder of the Windows Start menu. Alternatively, you can open the Control Panel, choose Add/Remove Applications, select NTTacPlus 2.0 and click Remove. If the program has been configured as a Windows NT service, it must be removed from the service list database before uninstallation, using the enclosed INSTSERV.EXE utility. If the uninstall procedure does not complete successfully, after stopping and removing the service with INSTSERV, follow these steps:
1. Remove all the shortcuts to NTTacPlus in the Start menu folder.
2. Delete all the ODBC system datasources that point to NTTacPlus databases.
3. Delete the main NTTacPlus installation directory and its subdirectories (e.g. C:\NTTacPlus2).
4. Run REGEDIT.EXE and delete the following registry keys:
  HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft\NTTacPlusConsole
  HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft\NTTacPlusMgr
  HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft (only if this key is empty and has no subkeys)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NTTacPlus 2.0
To add NTTacPlus to the Service Control Manager services list, press the Install Service button. To start the service press the Start Service button. To stop the NTTacPlus service press Stop Service. To remove the NTTacPlus service press Remove Service.
NOTE: removing the service does not stop an active instance of NTTacPlus.
When you have entered the right keys NTTacPlus switches to registered mode. As the activation keys are calculated from the Microsoft Network (LAN) name of the machine running NTTacPlus, if you plan to change the server name you will have to request a new pair of activation keys from Master Soft S.n.c. For more information on how to obtain activation keys, please read the chapter How to register the product at the end of this User Guide.
NTTacPlus Configuration
First execution of NTTacPlus
When you start NTTacPlus a small window appears:
NOTE: If you run NTTacPlus as a service no window is visible. If you run NTTacPlus as a stand-alone application, when you minimize the NTTacPlus server window a systray icon appears:
You can take full control over NTTacPlus using the NTTacPlus Console: to configure the server for the first time you need to run the console (NTTACMON.EXE), which will ask you to log in using an administrative account:
[Screenshot of the Remote Console login dialog. Callouts: server name (or the NTTacPlus server IP address); password (leave empty if you are running NTTacPlus for the first time)]
[Screenshot of the active users window. Callouts: click with the right mouse button to access the users command menu; if you select Properties (or double-click on the username) an informative window appears, containing information about the user's current session; a shortcut starts the default mail client to send a message to the user]
Activity event log window
Pressing the F4 key or choosing the Edit/Log window menu, you can bring up the activity event log window, showing in real time the NTTacPlus server activity with a customizable level of detail, depending on the log output configuration (see further on the paragraph Configuration of the activity event log):
NOTE: You can watch the activity event log in the NTTacPlus log window only if the menu item Edit/Receive log event stream is checked.
Account Profile Manager
Pressing the F10 key or choosing the Edit/Profile Manager menu, you can bring up the NTTacPlus account manager window:
Configuration Option Window
From the main window press F8 (or choose the Tools/Options menu) to open the configuration window:
The configuration window is divided into several sections. We suggest that you proceed to configure each section reading the following table. When you have configured all the parameters, press the OK button to make changes active.
General section
E-Mail global settings
  Notification E-Mail Address: e-mail address that NTTacPlus sends administrative notifications to
  SMTP Server: SMTP server IP address or name. NTTacPlus will use this SMTP server to deliver e-mail messages either to administrators or to users
  Server source e-mail: NTTacPlus sender e-mail address
Banners
  Pre-authentication msg file: pathname of an ASCII file containing a customizable message that will be shown at the NAS login prompt before the authentication session
  Post-authentication msg file: pathname of an ASCII file containing a customizable message that will be shown at the NAS login prompt after the authentication session
User database settings
  Enable ODBC user database: enables ODBC to store User and Group Profiles. If unchecked NTTacPlus will use ASCII files
  using this datasource: system datasource name for the user database
  Serialize SQL queries: if checked NTTacPlus will execute queries to the database in a sequential queue (for use with databases such as SQL Server)
  DB Username: username used to connect to the datasource
  DB Password: password used to connect to the datasource
  User file directory: the directory in which user profiles (*.usr files) are stored in ASCII format (this setting is ignored if the ODBC user database is active)
  Group file directory: the directory in which group profiles (*.ugp files) are stored in ASCII format (this setting is ignored if the ODBC user database is active)
Default user
  Enable <default> user: enables the use of the default user when NTTacPlus does not find a username in the user database
  Create user profile from <default>: allows the automatic creation of a user profile, duplicating the default one
  Email admin on unknown users: sends a notification to the administrator when an unknown user tries to login
General
  Max login attempts: maximum number of failed logins before sending a notification e-mail
  First day of week: lets you set the first day of the week (useful for weekly quota calculations) if you need to start the week on a day other than Sunday
  Periodic check interval: sets the frequency at which NTTacPlus performs a credit check on active users. In this way NTTacPlus can proceed with a forced disconnection if a user has no more time credit
This section has two further options: one uniquely identifies a session using the port name, the NAS address and the username as well; the other resolves NAS addresses into names (we suggest not activating this feature, to avoid performance degradation).
Logging section
Event logging options
  Enable logging to screen: sends the log information to the active console windows
  Enable logging to file: records daily events in text files (ASCII format)
  Log file directory: path where NTTacPlus saves the daily log files
Debug Logging Events
  Session thread execution: shows information about program thread start/stop and external application execution
  Authentication session: shows details about authentication sessions
  Authorization session: shows details about authorization requests and the AV pairs
  Accounting session: shows details about accounting data received from the NAS
  Packet dumping: shows in depth the contents of the RADIUS/TACACS+ packets received from the NAS
  Password checking: shows the password verification process in clear text. Useful for debugging the most common authentication problems (UPPER/lower case passwords, empty passwords, wrong passwords and so on)
  Port cleaning commands: shows details about the disconnection commands sent to the NASes
  User account charging: shows details about time and traffic charges
  Max logins check: shows events about concurrent login checking
  Extended session: shows details about Remote Console sessions
  Backup events: shows events about synchronization processes between NTTacPlus servers
  SMTP connections: shows events about notification e-mail message delivery
Accounting section
Time & traffic roundoff
  Session time rounding offset: round-off interval (in minutes) applied to time credit accounts. It defines the smallest time unit charged for a connection
  Session traffic rounding offset: round-off interval (in Kbytes) applied to traffic credit accounts. It defines the smallest Kbytes unit charged for a connection
Account expiration warnings
  Date expiration warning: sets the expiring account warning period
  Time expiration warning: sets the low time credit warning threshold
  Traffic expiration warning: sets the low traffic credit warning threshold
ASCII Accounting
  Accounting directory: path where NTTacPlus creates the ASCII accounting files
  Enable accounting text output: enables daily accounting ASCII file creation (*.acc)
  Per-user accounting logging: enables per-user accounting ASCII file creation (*.log). These files contain all the START/STOP messages received from the NAS for a given user
  (unlabelled option): records all accounting data coming from unknown usernames, storing the messages in a file named _unknown_.log
General Accounting
  Send unknown users to active window: shows unknown (unconfigured) users in the active users window too (recording their session data as well)
  Run the post accounting script: allows the execution of an external script when NTTacPlus receives an accounting message from the NAS
ODBC Accounting
  Enable ODBC accounting: enables ODBC accounting
  Datasource name: the datasource name used to record accounting output
  Login Username: username used to connect to the datasource
  Login Password: password used to connect to the datasource
  Accounting table name: the name of the table containing information about user sessions
  Log active users on table: enables real-time updating of a table in which the active users list is kept
  Automatic reconnect on connection failure: enables automatic restoration of the datasource connection in case of connection loss (for example SQL Server with the TCP/IP net library)
Messages section
Reply messages
  Account expiring: message given when the account is going to expire
  Account expired: message sent when the account has expired
  Account disabled: message sent when the account is disabled
  Account not effective: message sent when the account is not activated yet
  Too many logins: message sent when the maximum number of logins is exceeded
  Invalid login time: message sent when a login attempt is made at a time that is not allowed
  Login time-up: message sent when the user has no time credit left
  Login Kbytes-up: message sent when the user has no traffic credit left
  Quota time-up: message sent when the user has no quota time left
  Bad login user/pwd: message sent when the username or password is incorrect
  Bad login NAS port: message sent when a login attempt is made on an unauthorized NAS port, or with an unauthorized calling ID (phone number)
  Bad login NAS: message sent when a login attempt is made from an unauthorized NAS
Backup/Synch section
Backup settings
  Enable this server for backup: enables NTTacPlus as a backup server
  Primary server name or addr: primary NTTacPlus server hostname or IP address
  Primary server port: primary NTTacPlus server TCP port (default = 49)
  Primary login username: administrative account (privilege 15) used by the backup server to connect to the primary NTTacPlus server
  Primary login password: password for the backup administrative account
  Backup interval: backup refresh interval (interval between two consecutive backups)
  Remove local accounts before backup: deletes the local accounts (including modified ones) on the backup server, replacing them with the accounts from the primary server
  Forward accounting to primary server: sends a copy of the accounting messages received from the NASes to the primary NTTacPlus server (TACACS+ only)
Cisco IOS boxes synch
  List of NAS to query: list of Cisco NASes (comma separated) to query for synchronization
  List of valid interfaces: list of valid interfaces for resynchronization
  Perform synchronization during active users check: performs an active user refresh on the Cisco NASes at a given interval (configured in the General section)
  Perform synchronization on maxlogin collision detected: performs a refresh cycle on the Cisco NASes when NTTacPlus detects that a user may have exceeded the maximum number of logins
  Username for RSHELL: username used with RSHELL commands (RSH)
  Command to issue with RSH: IOS exec command used to get the active users list from the Cisco
Secrets section
Encryption key settings
  Always encrypt: NTTacPlus always sends encrypted TACACS+ packets if an encryption key is configured
  Default secret key: the default (global) encryption key
  Restrict NAS to configured IP addresses only: accepts queries to NTTacPlus only from the listed NASes
  NAS IP address: NAS IP addresses with their own secret keys
  Secret key: secret key associated with a specific NAS
Kill section
Kill commands configuration
  Interface name: interface name on which the kill command will be executed
  Command line: command line to reset the interface
TACACS+/RADIUS section
RADIUS protocol settings
  RADIUS Authentication port: UDP port listening for RADIUS authentication requests
  RADIUS Accounting port: UDP port listening for RADIUS accounting requests
  Use Session-Timeout for disconnection: if checked, NTTacPlus uses the Session-Timeout RADIUS attribute to force the user disconnection when the time credit is up
TACACS+ protocol settings
  TACACS+ TCP port: TCP port listening for TACACS+ authentication sessions and Remote Console connections
  Ignore multiple STOP records: if checked, the user is removed from the active users list when the first STOP record is received; the following ones are only logged
  Username prompt: NTTacPlus terminal login username prompt
  Password prompt: NTTacPlus terminal login password prompt
  Enable prompt: NTTacPlus terminal enable password login prompt
Kill commands configuration
  Date: day and month on which to establish a holiday
  Type: holiday type (pre-holiday or holiday)
Setting NTTacPlus as the authentication/authorization/accounting server
Each Network Access Server supporting TACACS+ or RADIUS can delegate authentication, authorization and accounting (see the following chapter for details about these three phases) to an external server. To do this the NAS needs the IP address of the server, an encryption key and some NAS-specific attributes. Some NASes let you configure authentication, accounting and authorization separately, with a different server for each phase. For best performance we suggest delegating all three phases to a single server. For example, in the RADIUS protocol the authentication and authorization phases are executed as a single operation, and for this reason many NASes, such as the 3COM TotalControl and the Ascend MAX, let you configure one server for authentication and authorization and another server for the accounting phase. In this case you have to enter the same settings in both configurations.
The encryption key (secret key)
Both TACACS+ and RADIUS can encrypt the communication between the NASes and the authentication server using protocol-specific encryption algorithms based on a secret key shared between the NASes and the server. This key (sometimes called encryption key, secret key or simply secret) is a plain alphanumeric string, just like a password (case sensitive), and it must be configured manually by the network administrator both in the NAS and in the server. Encrypting the communication blocks (or at least reduces the possibility of) the interception of RADIUS/TACACS+ packets, which contain usernames and passwords, sniffed on the path between the NAS and the server. NOTE: a wrong (or missing) encryption key setup results in no communication between the NAS and the authentication server, producing unpredictable results. We suggest always verifying the encryption key configuration carefully.
Setting encryption keys in NTTacPlus
NTTacPlus can operate in two ways with the encryption keys:
1) NTTacPlus can use a global encryption key to communicate with all the NASes, except those that appear explicitly with their own key in the NAS list.
2) NTTacPlus can discard any request not coming from a NAS included in the NAS list.
In the first case NTTacPlus accepts requests from any NAS without restrictions. When NTTacPlus receives a query, it looks for an encryption key configured for the requesting NAS. If NTTacPlus cannot find a specific key, it uses the global key (the default one). In the second case, when NTTacPlus receives a query from a NAS, it looks for a key for that NAS, and if no key is configured NTTacPlus immediately discards the request. To configure the encryption keys in NTTacPlus, log in to the Remote Console, select the Tools/Options (F8) menu, then choose the Secrets section. If Restrict NAS access to configured IP addresses only is disabled, NTTacPlus runs in the first mode (using the default global key for any NAS query for which a suitable encryption key has not been found).
If Restrict NAS access to configured IP addresses only is enabled, NTTacPlus runs in the second mode (it looks for a specific key and, if none is found, rejects the query). WARNING: the NTTacPlus Console works just like a NAS, so it follows the same encryption rules. If you plan to configure a list of NASes to restrict access to NTTacPlus and want to run the Console on the same host as the server, you MUST INCLUDE the IP address of the server itself in that list. Furthermore, when you log in to the Remote Console you must use the same encryption key configured in NTTacPlus. If you are logged into the server and plan to change the encryption key, you must log off and then log on again with the new encryption key. If something goes wrong with the encryption key setup, read the chapter Configuring NTTacPlus manually.
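The two key-selection modes above, and the reason a wrong key means "no communication", as an added Python example (not NTTacPlus code). resolve_secret uses the option names from the Secrets section; the keystream construction in tacacs_pad is the one specified for TACACS+ body obfuscation (RFC 8907, section 4.5), which the manual only refers to as the protocol's encryption algorithm. All addresses, keys and the packet body are constructed sample values.

```python
"""Secret-key selection for a NAS query and TACACS+ body obfuscation.

Added example, not NTTacPlus code. The NAS list, keys and packet body are
constructed; the pad algorithm follows RFC 8907 section 4.5.
"""
import hashlib
from typing import Dict, Optional


def resolve_secret(nas_ip: str, nas_keys: Dict[str, str], default_key: Optional[str],
                   restrict_to_configured: bool) -> Optional[str]:
    """Return the key for a query from nas_ip, or None when the query is discarded.

    nas_keys:               the "NAS IP address / Secret key" list
    default_key:            the global "Default secret key"
    restrict_to_configured: "Restrict NAS to configured IP addresses only"
    """
    if nas_ip in nas_keys:
        return nas_keys[nas_ip]
    if restrict_to_configured:
        return None               # second mode: unlisted NAS, discard immediately
    return default_key            # first mode: fall back to the global key


def tacacs_pad(session_id: int, key: str, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated."""
    prefix = session_id.to_bytes(4, "big") + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_body(body: bytes, session_id: int, key: str,
                version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the packet body with the pad; the same call de-obfuscates."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


# Constructed configuration: one NAS with its own key and the NTTacPlus host
# itself, which must be listed because the Console behaves like a NAS.
NAS_KEYS = {"198.83.24.2": "nas-key-A", "198.83.24.5": "console-key"}
DEFAULT_KEY = "global-key"


def key_mismatch_demo(session_id: int = 0x1A2B3C4D) -> bool:
    """True when a body protected under one key is unreadable under another:
    this is why a wrong or missing key leaves the NAS and the server unable to talk."""
    body = b"constructed TACACS+ body: user=alice"      # constructed sample
    wire = tacacs_body(body, session_id, "nas-key-A")
    return (tacacs_body(wire, session_id, "nas-key-A") == body
            and tacacs_body(wire, session_id, "nas-key-B") != body)
```

In restricted mode the lookup for the Console's own address succeeds only because 198.83.24.5 is in NAS_KEYS; removing it reproduces the lock-out the WARNING above describes.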
Configuring TACACS+ on a Cisco NAS
The AAA model in the Cisco NASes lets you configure the authentication, authorization and accounting procedures separately. NOTE: the TACACS+ AAA model is also supported in version 10.3 of IOS. However, the accounting messages (START/STOP) that are crucial for the application to keep track of connected users are not sent to the server; instead they are kept in the NAS memory (which, by the way, fills up rather quickly after some working time). It is therefore essential to upgrade the operating system on any NAS still running an IOS version less than or equal to 11.0. For the upgrade, consult the documentation enclosed with the product and contact your reseller. WARNING: configuring the Cisco NAS to use the TACACS+ protocol requires the aaa new-model command, which causes an immediate reset of all the interfaces (and therefore the forced disconnection of all users from the lines). We therefore suggest carrying out the configuration only when you are sure it will not cause any problem. At the global level (router(config)#), enter the following configuration commands:
!
aaa new-model
! enables the AAA model
!
tacacs-server host a.b.c.d
! replace a.b.c.d with the NTTacPlus server IP address
tacacs-server timeout 20
! value (in seconds) to wait for a response
tacacs-server key pippo
! replace pippo with your encryption secret key
!
In order to activate the authentication with TACACS+, add the following lines on a global level:
!
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authentication enable default tacacs+ enable
!
These commands activate authentication for login from a terminal window, with PPP, or for entering enable mode. The first line creates a default authentication procedure for users connecting to a tty or vty (prompt) of the Cisco and uses TACACS+ to verify username/password. The term local at the end of the line tells the system to use the internal list of usernames in case no TACACS+ server answers properly.
The second line creates a default authentication procedure for those who connect to the Cisco requesting a PPP session, and uses TACACS+ to verify username/password (through PAP or CHAP). The term local at the end of the line tells the system to use the internal list of usernames in case no TACACS+ server answers properly. The further keyword if-needed avoids a second authentication phase when a user already authenticated and connected to the Cisco prompt types the ppp command to switch to PPP mode. The third line creates a default authentication procedure for those who, being already connected to the Cisco prompt, need to switch to enable mode (through the enable command), and uses TACACS+ to check the enable password. The term enable at the end of the line tells the system to use the internal enable secret/password in case no TACACS+ server answers properly. Further authentication lines can be added according to your needs; check the NAS documentation for this. To activate the TACACS+ accounting messages, add the following at the global level:
!
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
!
The first line activates accounting for shell access (prompt), while the second activates accounting for the use of network services (for example a PPP connection). The default keyword is supported since the 11.3.x IOS releases; if you are running an earlier release you do not need to type it. If you are running IOS 11.2.9 or newer, you also need to add the following commands:
!
aaa accounting update newinfo
aaa accounting nested
!
These commands make the router send accounting information about user session state changes (for example the static IP address assignment, and so on). This behaviour is implicit in the previous IOS releases. At the interface level (asynchronous, serial, BRI, Dialer, etc.), if you want to activate the PAP protocol (Password Authentication Protocol) for use with PPP, you must add the following commands (router(config-if)#):
!
ppp authentication pap
! or: ppp authentication chap
! or both: ppp authentication pap chap
!
The configuration lines shown here represent the typical case of an ISP selling Internet access through analog connections (modems on asynchronous interfaces) or ISDN (for example on synchronous serial interfaces), encapsulating TCP/IP in the PPP protocol and allowing login both with PAP (or CHAP) and from a terminal window. The Cisco can be made to detect automatically the mode chosen by the user by adding the following commands at the line level (router(config-line)#):
!
autoselect during-login
autoselect ppp
autocommand ppp
!
Finally, it is possible to activate authentication against a secondary NTTacPlus server by adding a second line to the global configuration:
!
tacacs-server host e.f.g.h
!
The Cisco NAS automatically sends the request to the second server if the first does not answer. If you also want to enable authorization, you can enter, for example, at the global level:
!
aaa authorization commands 1 default tacacs+ local if-authenticated
aaa authorization commands 15 default tacacs+ local if-authenticated
aaa authorization exec default tacacs+ local
aaa authorization network default tacacs+ local
!
These lines activate authorization for the shell (exec), for network services (network) and for standard and enable-mode commands (commands 1 and commands 15) on already authenticated users, using the internal (local) configuration in case no TACACS+ server answers the authorization requests properly (see the chapter Authorization further on). The default keyword is supported since the 11.3.x IOS releases; if you are running an earlier release you do not need to type it. For more detailed configuration information about Cisco routers and TACACS+/RADIUS implementations, please refer to the documentation of your NAS.
Changing the RADIUS listening port numbers can be useful in some cases. The original protocol specifications recommended the following UDP ports:
1645 RADIUS Authentication Requests
1646 RADIUS Accounting Messages
The Internet Assigned Numbers Authority (IANA) changed the specifications, in order to avoid conflicts with other services that were using the same ports, officially assigning the following UDP ports to the RADIUS protocol:
1812 RADIUS Authentication Requests
1813 RADIUS Accounting Messages
However, the majority of NASes on the market (even in the latest software releases) still use the original non-standard numbers by default, and NTTacPlus follows these settings by default too. Refer to the NAS documentation to verify which port numbers your NAS uses. Changing the TACACS+ listening port number, on the other hand, is useful if you decide to change (for security reasons) the communication port between the NAS and NTTacPlus. WARNING: the remote management protocol (NTTacPlus Console) and the backup protocol among NTTacPlus servers carry their data over the same TCP port as TACACS+. If you change the TACACS+ TCP port number on an NTTacPlus server, you will also need to specify this port when logging in from a remote console, and in the settings of any backup server that synchronizes with the primary server (see the paragraph Configuring backup on a NTTacPlus server). After you have changed the TCP port, you need to log off the NTTacPlus server and then log in again specifying the new port.
Use of Session-Timeout for disconnection
The Use Session-Timeout for disconnection option lets NTTacPlus use the Session-Timeout RADIUS attribute (which tells the NAS the absolute timeout, that is the maximum duration of a session, after which the NAS forcibly terminates it), if supported by the NAS, to disconnect the user when his credit has expired. See the following section for a precise description of how NTTacPlus handles user disconnection. We suggest leaving this option always active.
Ignoring multiple STOP messages in TACACS+
NTTacPlus updates its list of connected users based on the session start/end messages (accounting START/STOP records) received from the NAS. It is common for the NAS to send NTTacPlus nested START/STOP sequences. For example, if the user starts a terminal exec session (shell) to authenticate and then enters PPP mode (typing the ppp command manually, or because autocommand ppp was configured on that line), the NAS sends a START message when the exec session begins, then a second START when the PPP session begins. When the user disconnects, the NAS sends a STOP to report the end of the PPP session (this message also includes information about the traffic generated during the session), then a second STOP to report the end of the exec session from which the user entered PPP mode (this does not happen if the user connects directly in PPP/PAP mode; in that case the NAS sends a single START/STOP sequence). When the option Ignore multiple STOP records is not checked, NTTacPlus considers the user disconnected (and removes him from the list) only when it receives the last STOP record. Unfortunately, with some Cisco IOS versions the STOP message for the exec session is sometimes not sent correctly by the NAS, so the user may still appear connected even though he no longer is. We strongly suggest leaving this option always active.
Login prompts
The login prompts are the messages the NAS presents to the user when requesting credentials during login. Changing them can be useful if some remote clients use connection scripts that expect certain prompts before entering the username and password automatically.
Use of Session-Timeout
When you check the Session-Timeout option, as mentioned above, NTTacPlus computes at user login the maximum length of the session for that user and sends the result to the NAS in the Session-Timeout attribute. After this time it is up to the NAS to end the session; no command is explicitly sent by NTTacPlus. The value transmitted in the Session-Timeout attribute is the minimum of the following values (see the chapter Account Management for further information about the individual parameters):
Maximum length of a single session (MaxConnectionTime)
Residual time quota for the current period (QuotaLeft)
Residual time credit for the account (TimeLeft)
Each of these parameters is considered only if the account is configured with a limit on that parameter and only if the account is configured to be disconnected forcibly when that parameter is about to run out. Otherwise the Session-Timeout attribute is not sent to the NAS, and no implicit restriction is placed on the session. NOTE: this method works correctly only with RADIUS authentication and if the NAS supports the Session-Timeout attribute. With this method it is not possible to kill a user session manually from the Edit/Kill command of the Remote Console.
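The minimum-of-three rule with its two preconditions, as an added Python example (not NTTacPlus code). The profile field names mirror the parameters named above; treating the values as seconds, and modelling "disconnected forcibly" as a per-parameter flag, are assumptions. The attribute number and TLV layout are those of the RADIUS Session-Timeout attribute (RFC 2865).

```python
"""Session-Timeout computation and encoding for an Access-Accept.

Added example, not NTTacPlus code. Profile values are assumed to be in
seconds; ForceDisconnect is an assumed per-parameter flag map.
"""
import struct

SESSION_TIMEOUT_TYPE = 27    # RADIUS attribute number for Session-Timeout (RFC 2865)


def session_timeout(profile: dict):
    """Return the seconds to send in Session-Timeout, or None to omit the attribute."""
    candidates = []
    for name in ("MaxConnectionTime", "QuotaLeft", "TimeLeft"):
        limit = profile.get(name)
        if limit is None:
            continue                              # no limitation on this parameter
        if not profile.get("ForceDisconnect", {}).get(name, False):
            continue                              # limited, but no forced disconnection
        candidates.append(limit)
    return min(candidates) if candidates else None


def encode_session_timeout(seconds: int) -> bytes:
    """Type-Length-Value encoding of the attribute as it travels in Access-Accept."""
    return struct.pack("!BBI", SESSION_TIMEOUT_TYPE, 6, seconds)


def access_accept_attributes(profile: dict) -> bytes:
    """Attribute bytes to append to the reply: empty when no timeout applies."""
    seconds = session_timeout(profile)
    return b"" if seconds is None else encode_session_timeout(seconds)


# Constructed profile: a 2 h per-session cap, 10 min of period quota left,
# 1 h of time credit left, forced disconnection configured on all three.
ALICE = {
    "MaxConnectionTime": 7200,
    "QuotaLeft": 600,
    "TimeLeft": 3600,
    "ForceDisconnect": {"MaxConnectionTime": True, "QuotaLeft": True, "TimeLeft": True},
}
```

With the constructed profile the NAS receives 600 seconds; dropping the forced-disconnect flag on QuotaLeft makes the quota invisible to the NAS and the timeout becomes 3600, which is the behaviour the paragraph above describes.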
Configuration of external utilities for forced disconnection
With the explicit disconnection method, when a user reaches his credit limit or the administrator selects the Edit/Kill command from the Remote Console, NTTacPlus executes an external script which, after receiving the descriptive parameters of the session from NTTacPlus, sends the NAS the disconnection command. The Kill section of the NTTacPlus configuration window contains the information that tells NTTacPlus which commands to execute to disconnect the user from the NAS ports he is connected to. A command (program to be executed) can be configured for each type of port (interface) the user is connected to, and a different kill command can be set for each NAS or each NAS port individually. The following example shows how to configure the system to work with a Cisco Access Server; it uses two utilities, $RSH (built-in command) and SNMPSET.EXE (external utility included in the EXTERNAL subdirectory created by the installation program):
default=$rsh $nas clear interface $port
tty*=.\external\snmpset $nas public .1.3.6.1.4.1.9.2.9.10.0 $line
These lines tell NTTacPlus to execute SNMPSET when the disconnection concerns a user connected on a tty port, while the RSH command is executed for users connected to asynchronous (analog modem) and serial (ISDN) interfaces. SNMPSET performs a set operation on the integer variable .1.3.6.1.4.1.9.2.9.10.0, setting it to the number of the line to disconnect. RSH, on the other hand, sends the NAS the IOS command clear interface, passing it the complete extended name of the port. The three macros used in the lines, $nas, $port and $line, are replaced when the program is invoked with, respectively, the name of the NAS, the complete name of the port and the number extracted from the port name. For example, for a user connected to the NAS 198.83.24.2 on tty port 14, the following would apply:
$nas = 198.83.24.2
$line = 14
$port = tty14
However, the NAS must be configured to accept SNMP and RSH commands from the NTTacPlus server. For example, if the address of the NTTacPlus server is 198.83.24.5, on the AS5200 you must add the following lines at the global level:
!
username SYSTEM privilege 15 password xxxx
!
ip rcmd rsh-enable
ip rcmd remote-host SYSTEM 198.83.24.5 SYSTEM enable
!
access-list 15 permit 198.83.24.5
!
snmp-server community public RW 15
!
The access list is not mandatory, but it is needed to reject unwanted SNMP operations from hosts other than the machine running NTTacPlus. The syntax for binding the kill commands to NASes and interfaces is the following:
[<nas_ip>@]<port>=<command>
where port is the name of the interface on which the command should be executed (wildcards can be used), and nas_ip is the (optional) address of the NAS. If the NAS is not specified, the command applies to any NAS. Here are some examples:
default=otherapp.exe $sessionid
tty*=myapp.exe $port
10.0.0.2@async*=kill_them_all.exe $nas $port
In this case script.bat would be executed for all the users connected to the NAS 10.0.0.5, kill_them_all.exe is executed for all the users connected on the async ports of the NAS 10.0.0.2, myapp.exe for all the other users connected on tty ports (regardless of the NAS), and otherapp.exe for all the other cases (ports and NASes) not explicitly covered. The following macros can be placed on the script command line:
$nas = IP address of the NAS
$username = username of the session to be terminated
$sessionid = session ID (transmitted by the NAS as accounting data)
$port = port number (or line)
NTTacPlus supports a built-in RSHELL protocol, so executing external applications is not necessary. To send an RSHELL command it is sufficient to start the command with the $rsh macro:
Serial*=$rsh $nas clear interface $port
This command sends clear interface through RSHELL to the NAS. The username used by the built-in RSHELL command is the one configured in the Synch section (see the chapter Resynchronization with Cisco NASes further on).
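A parser and matcher for the kill-command syntax described in this section, as an added Python example (not NTTacPlus code). It handles the [<nas_ip>@]<port>=<command> form, port wildcards, the $nas, $port, $line, $username and $sessionid macros and the $rsh marker; the precedence between overlapping rules (NAS-specific before generic, named port patterns before default) is an assumption, since the manual does not state it. The configuration text combines the manual's own lines and is otherwise constructed.

```python
"""Kill-command rule matching and macro expansion.

Added example, not NTTacPlus code. Rule precedence is an assumption;
the configuration and the session values are constructed samples.
"""
import fnmatch
import re


def parse_kill_config(text: str):
    """Return a list of (nas_ip or None, port_pattern, command) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lhs, _, command = line.partition("=")
        nas, _, port = lhs.rpartition("@")          # "tty*" -> nas "", port "tty*"
        rules.append((nas.strip() or None, port.strip(), command.strip()))
    return rules


def select_rule(rules, nas: str, port: str):
    """Pick the command for a NAS/port pair; None when nothing matches."""
    def tier(rule):
        r_nas, r_port, _ = rule
        return (0 if r_nas else 1, 1 if r_port == "default" else 0)
    # sorted() is stable, so file order is kept inside each tier
    for r_nas, r_port, command in sorted(rules, key=tier):
        if r_nas and r_nas != nas:
            continue
        if r_port == "default" or fnmatch.fnmatchcase(port.lower(), r_port.lower()):
            return command
    return None


def expand_macros(command: str, nas: str, port: str, username: str, sessionid: str) -> str:
    digits = re.search(r"\d+", port)                # $line is the number taken from the port name
    values = {"$nas": nas, "$port": port, "$line": digits.group(0) if digits else "",
              "$username": username, "$sessionid": sessionid}
    for macro, value in values.items():
        command = command.replace(macro, value)
    return command


def build_kill(rules, nas: str, port: str, username: str, sessionid: str):
    """("rsh", [nas, ios words...]) for the built-in RSHELL, ("exec", argv) otherwise."""
    command = select_rule(rules, nas, port)
    if command is None:
        return None
    argv = expand_macros(command, nas, port, username, sessionid).split()
    if argv and argv[0] == "$rsh":
        return ("rsh", argv[1:])
    return ("exec", argv)


# Constructed configuration combining the manual's examples.
KILL_CONFIG = r"""
default=$rsh $nas clear interface $port
tty*=.\external\snmpset $nas public .1.3.6.1.4.1.9.2.9.10.0 $line
10.0.0.2@async*=kill_them_all.exe $nas $port
"""
RULES = parse_kill_config(KILL_CONFIG)
```

The split on whitespace means a port name or session ID containing spaces would be passed as several arguments; quoting would be needed in a real dispatcher, which is one reason to keep macro values on an allow-list before handing them to an external program.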
General settings
This section describes some general configuration settings that do not depend on the kind of NAS used. All the options described here can be set from the option dialog window, which can be opened with the Tools/Options menu (F8).
Configuring NTTacPlus for sending e-mail
NTTacPlus can send administrative notifications via e-mail in case of particular events such as failed login attempts, attempted unauthorized double accesses, failed backups, and so on. Moreover, NTTacPlus can send users particular notifications such as an account expiration warning or a credit exhaustion warning. To send messages, the following parameters must be configured:
Section: General
  Notification e-mail address: notification e-mail address to which NTTacPlus sends all the administrative notifications
  SMTP Server: IP address or name of the mail server
  Server source e-mail (sender): e-mail address of NTTacPlus (sender)
  E-Mail admin on unknown users: sends the administrator a notification in case of login attempts by unknown (unconfigured) users
Banners
The banner parameters allow the configuration of text messages to be presented before and after the terminal authentication (login). Banners are ASCII text files, and currently they are supported only by the TACACS+ protocol.
Section: General
  Pre-authentication msg file: pathname of the text file containing the login prompt banner
  Post-authentication msg file: pathname of the text file containing the banner shown after authentication
Default user
The default user settings activate a basic common profile used for any username requesting authentication that is not explicitly configured.
Section: General
  Enable <default> user: enables the use of a default profile
  Create user profile from <default>: allows duplication of the default profile upon a successful authentication
When the default profile is active and a user profile matching the username used during authentication cannot be found in the database, NTTacPlus uses a standard profile called default.usr, taking all of its attributes (including the password) from it. If, on the contrary, the default profile is not active, authentication requests for usernames not included in the database fail, returning an unknown user message to the NAS.
The default profile can be useful, for example, in combination with the authentication proxy module for Windows NT Server, so that authentication can be redirected to an existing NT SAM database. With the option Create profile from default checked (which works only if the default profile is also enabled), when NTTacPlus receives an authentication request from an unknown user it uses the default.usr profile and, if the authentication succeeds, duplicates default.usr into an identical profile named after the new (formerly unknown) username; on the next login attempts that username is no longer unknown, because the profile created from the default is available. These options can be combined with the password grabbing functionality in order to capture the password entered by the user (for further information, see the paragraph User (group) profile parameters).
Max login attempts
This value sets the threshold of failed attempts for a user before a warning e-mail is sent to the administrator and/or the account is disabled. For example, if the value is set to 4, an e-mail is sent after every 4 consecutive failed login attempts. On every successful login attempt the counter is cleared.
Section: General
  Max login attempts: maximum number of login attempts before blocking the account or sending the administrator an e-mail
NOTE: this setting has nothing to do with the one configured in the NAS, which enforces on its own the number of attempts allowed before giving up on the connection.
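The default-profile lookup, the profile duplication and the Max login attempts counter from the two sections above, as an added Python example (not NTTacPlus code). The profile store is a plain dict and the "default" entry stands for default.usr; comparing passwords in clear is only a stand-in for whatever check the real profile performs. All usernames and passwords are constructed.

```python
"""<default> user handling and the consecutive-failure counter.

Added example, not NTTacPlus code. The in-memory store and the clear-text
password comparison are simplifications for illustration.
"""
import copy


class UserStore:
    def __init__(self, profiles, enable_default=False, create_from_default=False,
                 max_login_attempts=4):
        self.profiles = profiles                  # username -> profile dict; "default" = default.usr
        self.enable_default = enable_default
        self.create_from_default = create_from_default
        self.max_login_attempts = max_login_attempts
        self.failures = {}                        # username -> consecutive failed attempts

    def authenticate(self, username, password):
        """Return (accepted, profile_used, notify_admin)."""
        profile, used = self.profiles.get(username), username
        if profile is None:
            if not self.enable_default or "default" not in self.profiles:
                return False, None, False         # NAS gets the "unknown user" reply
            profile, used = self.profiles["default"], "default"
        if profile.get("password") != password:
            count = self.failures.get(username, 0) + 1
            self.failures[username] = count
            # every N consecutive failures trigger one notification e-mail
            return False, used, count % self.max_login_attempts == 0
        self.failures[username] = 0               # a successful login clears the counter
        if used == "default" and self.create_from_default:
            # Duplicate default.usr under the new name: from now on the user is known,
            # and the copy carries every attribute of the default, password included.
            self.profiles[username] = copy.deepcopy(profile)
        return True, used, False


# Constructed store: one configured user plus a default profile.
def demo_store():
    return UserStore({"default": {"password": "shared"}, "alice": {"password": "a1"}},
                     enable_default=True, create_from_default=True, max_login_attempts=4)
```

Note what the copy implies: every formerly unknown username that guessed the default password now owns a persistent profile, which is why the manual suggests this feature mainly for redirecting to an existing NT SAM database rather than as a general-purpose setting.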
Session identification through username
Usually this box is not selected. This option is mainly intended for Cisco users: if you need to give users router shell access, activate the setting; otherwise leave it unchecked when not strictly necessary.
Section: General
  Use username field also for maxlogins check: also uses the username in order to identify a session
As its not possible that two different users are connected at the same time to the same port of the same NAS, NTTacPlus usually identifies univocally a connected user examining the NAS he is connected to and the port of the NAS he is connected to. The username is not taken into account. In fact sometimes it can happen that (with some Cisco IOS versions) for some reasons some STOP messages may get lost. This leads to a situation where a user results to be wrongly connected even if he is no more. When NTTacPlus receives a START message for a given NAS/Port couple on which a user results already connected, it assumes that the STOP message for this user was missing, so it simulates a STOP, it removes the user from the list, and it adds the new user of the newly received START message to the list. All this can happen independently from the usernames. If the username would be compared, it wouldnt be possible to remove the old user from the list, and so two different username would result to be connected to the same NAS and to the same Port. Unfortunately sometimes its necessary to identify univocally the user connected comparing, besides the NAS and the NAS port, also the username which he is connected with. This happens, for example, when a user starts an Exec session (shell) at the NAS command prompt. If a user decides to login with a new account without performing a logout before, new credentials will be requested and (if the new authentication is successful) the NAS will send NTTacPlus a START for the new user before sending a STOP for the previous user. If the username wouldnt be compared, in this case NTTacPlus, receiving a START on a NAS/PORT couple already engaged, would think at the loss of the previous STOP, so it would replace the old user with the new one, but then when it receives the STOP for the old user, because it doesnt check who is the user, it considers this STOP as a session end of the new user. 
The result is that no user would result connected, while actually the new user has an Exec session open.
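The two situations above, replayed against a simplified session table as an added example (illustrative Python, not code from NTTacPlus; the accounting records are constructed):

```python
"""Active-session table keyed on NAS/port, optionally on the username as well.

Added example, not code from the NTTacPlus manual or product: it replays the two
situations described in the text (a lost STOP, and a re-login inside an Exec
session) against a simplified table so that the effect of the option can be seen.
The accounting records below are constructed.
"""


class SessionTable:
    def __init__(self, use_username):
        self.use_username = use_username   # "Use username field also for maxlogins check"
        self.active = {}                   # key -> username currently recorded under it
        self.events = []                   # what the table did with each record

    def _key(self, nas, port, user):
        # Without the option a session is identified by NAS and port only.
        return (nas, port, user) if self.use_username else (nas, port)

    def feed(self, kind, nas, port, user):
        key = self._key(nas, port, user)
        if kind == "START":
            if key in self.active:
                # START on a key that is still busy: assume the old STOP was lost,
                # simulate it and replace the old user with the new one.
                self.events.append(f"simulated STOP for {self.active[key]} on {nas}/{port}")
                del self.active[key]
            self.active[key] = user
            self.events.append(f"START {user} on {nas}/{port}")
        elif kind == "STOP":
            if key in self.active:
                # Keyed on NAS/port only, this STOP closes whoever holds the port,
                # even when it was sent for an earlier, different user.
                self.events.append(f"STOP closes {self.active[key]} on {nas}/{port}")
                del self.active[key]
            else:
                self.events.append(f"STOP for {user} on {nas}/{port} matches no session")
        else:
            raise ValueError(f"unknown record kind {kind!r}")

    def connected(self):
        return sorted(self.active.values())


def replay(records, use_username):
    """Feed (kind, nas, port, user) records in order; return the users left connected."""
    table = SessionTable(use_username)
    for record in records:
        table.feed(*record)
    return table.connected()


# Constructed scenario 1: alice's STOP is lost, then bob dials in on the same port.
LOST_STOP = [
    ("START", "10.0.0.5", "tty1", "alice"),
    ("START", "10.0.0.5", "tty1", "bob"),
]

# Constructed scenario 2: alice has an Exec session on tty1 and logs in again as bob
# without logging out; the NAS sends bob's START before alice's STOP.
EXEC_RELOGIN = [
    ("START", "10.0.0.5", "tty1", "alice"),
    ("START", "10.0.0.5", "tty1", "bob"),
    ("STOP", "10.0.0.5", "tty1", "alice"),
]

if __name__ == "__main__":
    for name, records in (("lost STOP", LOST_STOP), ("Exec re-login", EXEC_RELOGIN)):
        for flag in (False, True):
            print(f"{name:14s} username in key={flag!s:5s} -> connected: {replay(records, flag)}")
```

With NAS/port keying the lost STOP heals itself but the Exec re-login leaves nobody recorded; with the username in the key the re-login is tracked correctly but a lost STOP leaves alice as a stale entry. That trade-off is the reason for enabling the option only when shell access is actually given out.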
Name Resolution
If activated, this option displays NAS names instead of their IP addresses (when a reverse lookup is available).
Section: General
Parameter: Resolve NAS names (DNS)
Value: Resolves the IP address of the NAS to a name
Users periodic check
NTTacPlus periodically runs a thread that checks credits and time quotas for each user with an active session, to verify whether some accounts have exhausted their credit (and, if necessary, executes the user forced-disconnection command).
Section: General
Parameter: Periodic check interval
Value: Interval in minutes between two checks of the active users
If the NAS in use honours the Session-Timeout parameter, this check thread may be unnecessary. Under load (more than 200 simultaneous active users) the thread can take a long time to run (up to 30 seconds), so its frequency is configurable, down to disabling it altogether with a value of zero.
First day of the week
This option decides on which day of the week the counter of the assigned weekly time quota is cleared.
Section: General
Parameter: First day of the week
Value: First day of the week
Anglo-Saxon countries usually set this value to Sunday. In Italy and other European countries it should be set to Monday, so that the weekly quota restarts from its maximum value at midnight between Sunday and Monday.
Holiday calendar
Since a weekly plan of hour-of-the-day login restrictions can be defined for each user, NTTacPlus also lets you define a yearly calendar of holidays and preholidays. Midweek preholidays take the configuration set for Saturday; midweek holidays and holiday Saturdays take the configuration set for Sunday. Holiday calendar settings for Sundays are ignored, because Sunday is always considered a holiday. To define the holiday calendar, edit the Holiday section of the configuration file, adding a line gg-mm=p for each preholiday and gg-mm=h for each holiday (gg = day, mm = month; p = preholiday, h = holiday). For example:

[Holiday]
23-09=p
24-12=h
25-12=h

This example sets the 23rd of September as a preholiday, and Christmas Eve and Christmas as holidays. NOTE: the holiday calendar does not bind dates to a given year, so holidays that do not fall on the same date every year (e.g. Easter) have to be reconfigured each year.
Configuration of user database Settings relevant to the configuration of the users database from the General section in NTTacPlus option window are separately discussed in the dedicated chapter Account Management.
Kind of messages and events
NTTacPlus creates three different kinds of log messages:
- Ordinary messages
- Error messages
- Debug messages
Ordinary and error messages are always displayed. Debug messages can be switched on and off individually through the options checked in the Debugging log events section. The general format of a message is:
#dd-mm-yyyy hh:mm:ss# message_text
or
#dd-mm-yyyy hh:mm:ss DEBUG# message_text
The message_text field, when it refers to events associated with packets exchanged with a NAS, has the following format:
PR_TYPE NAS_ADDR[SESSION_ID]: text
where:
PR = protocol type (TAC = TACACS+, RAD = RADIUS)
TYPE = request type (AUTHN = authentication, AUTHR = authorization, ACCT = accounting, EXTN = remote console)
NAS_ADDR = NAS or remote console address
SESSION_ID = number identifying the session
Ordinary messages
These messages are always displayed and report the ordinary events of the NTTacPlus server, such as the acceptance or refusal of authentication requests, accounting messages, etc.
Error messages
These messages are always displayed and report anomalous events or non-standard answers received from the NAS.
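As an added example (not part of the manual or of NTTacPlus), a parser for the two message formats above, with a small counter of refused authentications per NAS. The sample lines and the word used to recognise a refusal are constructed, since the exact text of the ordinary messages is not specified here:

```python
"""Parser for NTTacPlus-style log lines and a failed-authentication counter.

Added example, not code from the NTTacPlus manual or product. It implements the
#dd-mm-yyyy hh:mm:ss[ DEBUG]# envelope and the PR_TYPE NAS_ADDR[SESSION_ID]: text
layout described above. The sample lines and the "denied" keyword used to spot
refusals are constructed; the manual does not give the exact message texts.
"""
import re
from collections import Counter
from datetime import datetime

ENVELOPE = re.compile(r"^#(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})( DEBUG)?# (.*)$")
NAS_EVENT = re.compile(r"^(TAC|RAD)_(AUTHN|AUTHR|ACCT|EXTN) (\S+)\[(\d+)\]: (.*)$")


def parse_line(line):
    """Return a dict with time/debug/text, plus proto/type/nas/session when the message
    refers to a packet exchanged with a NAS; None for lines that are not log messages."""
    m = ENVELOPE.match(line.rstrip("\r\n"))
    if not m:
        return None
    stamp, debug, body = m.groups()
    rec = {
        "time": datetime.strptime(stamp, "%d-%m-%Y %H:%M:%S"),
        "debug": debug is not None,
        "text": body,
    }
    n = NAS_EVENT.match(body)
    if n:
        rec.update(proto=n.group(1), type=n.group(2), nas=n.group(3),
                   session=int(n.group(4)), text=n.group(5))
    return rec


def failed_auth_by_nas(lines, marker="denied"):
    """Count ordinary (non-debug) authentication messages per NAS whose text contains
    the marker word; the marker is an assumption about the wording, not a fixed format."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("type") == "AUTHN" and not rec["debug"] and marker in rec["text"].lower():
            hits[rec["nas"]] += 1
    return dict(hits)


# Constructed sample log; the message texts are illustrative, not NTTacPlus's own.
SAMPLE_LOG = """\
#03-05-2000 08:15:02# TAC_AUTHN 10.0.0.5[17]: user rick access denied
#03-05-2000 08:15:09 DEBUG# TAC_AUTHN 10.0.0.5[17]: password check for rick
#03-05-2000 08:15:10# TAC_AUTHN 10.0.0.5[18]: user rick access denied
#03-05-2000 08:16:41# RAD_AUTHN 10.0.0.9[2201]: user mandy access denied
#03-05-2000 08:16:42# RAD_ACCT 10.0.0.9[2201]: START received
#03-05-2000 08:17:00# server started, database loaded
not a log line at all
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(failed_auth_by_nas(SAMPLE_LOG))
```

Feeding the daily log file through failed_auth_by_nas gives the same per-NAS view of refusals that the Max login attempts e-mail gives per user, which is useful for spotting a single NAS being used for guessing across many accounts.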
Debug messages
These messages are displayed according to the options set in the Options window of NTTacPlus. Summary of logging configuration parameters:

Section: Logging
Enable logging to screen: enables dispatch of the event log to the screen (to all the log windows of the open consoles)
Enable logging to file: enables the creation of a daily log file recording the activity
Log file directory: directory in which the event log files are created

Section: Logging (debugging log events)
(parameter name missing in this copy): shows information about start/end of program threads and external applications (script/utility)
Authentication session: shows details about authentication requests
Authorization session: shows details about authorization requests and A/V pairs
Accounting session: shows details about the accounting data received
Packet dumping: shows the content of the RADIUS/TACACS+ packets received
Password checking: shows the password checking process in clear text
Port cleaning commands: shows details about disconnection commands sent to the NAS
User account charging: shows details about the calculation of time and traffic charging
Max logins check: shows events relevant to the control of concurrent logins
Extended session: shows details about remote management sessions (Remote Console)
Backup events: shows events relevant to the synchronization among NTTacPlus servers
SMTP connections: shows events relevant to the dispatch of notification e-mails

Password checking writes the passwords being verified in clear text to the screen and to the daily log file (Packet dumping may expose them as well): enable these options only while troubleshooting and delete the log files produced in the meantime.
(preserve case as written!) where a.b.c.d is the address of the NTTacPlus server; the password of the SYSTEM local account is irrelevant because it is not used by RSHELL. Note that rsh authenticates the client only by its source IP address and username, so any host that can reach the NAS while presenting the address a.b.c.d and the user SYSTEM can run the permitted command: grant the rsh permission on the NAS to the NTTacPlus address only and keep the command a read-only one. Set the following parameters in the configuration window of NTTacPlus:

Section: Backup/synch
List of NAS to query: IP list, separated by commas, of the Cisco NAS to be queried
List of valid interfaces: list of interfaces to be included in the synchronization (empty = all)
Perform synchronization during active users periodic check: performs a verification with RSHELL during every active users check
Perform synchronization on maxlogin collision detected: performs a verification with RSHELL when unauthorized concurrent accesses are detected
Username for RSHELL protocol: username to use with RSHELL
Command to issue with RSHELL: command sent through RSHELL to retrieve the user list

By entering in List of NAS to query a comma-separated list of IP addresses of Cisco NASes, NTTacPlus can automatically rebuild, when restarted, the list of the active connected users (except for the Caller ID). The valid interfaces can be filtered (for example to exclude dynamically created virtual interfaces) by entering a comma-separated list of interfaces; wildcard characters are allowed (for example Async*, tty*, Serial*). If the field is left blank, all the interfaces with an active accounting action are retrieved. Perform synchronization during active users periodic check tells NTTacPlus to ask the Cisco, through RSHELL, for the list of active accounts during each periodic check of active users (whose frequency is configurable in the General section), compare it with the displayed list and, if there are differences, update its list according to what was received from the Cisco.
Perform synchronization on maxlogin collision detected tells NTTacPlus to ask the Cisco, through RSHELL, for the list of active accounts when a user tries to exceed the number of allowed concurrent accesses. In that case NTTacPlus, before denying access and taking further measures, verifies through the information returned by RSHELL that the limit has really been exceeded, that is, that all the sessions recorded for that user are actually in progress. These two options guarantee a real correspondence between the users actually connected and the sessions recorded by NTTacPlus. They have a side effect, however: they slow NTTacPlus down, because every query through RSHELL stops the authentication and accounting processes for the duration of the query (which can take up to 5 seconds). The option Username for RSHELL protocol sets the username with which NTTacPlus sends RSHELL requests to the NAS; it must coincide with the local account created on the Cisco for rsh (preserving case). The option Command to issue with RSHELL sets the exact command that NTTacPlus sends to the Cisco NAS to retrieve the list of active accounting actions. These last two options should be left at their default values (SYSTEM and show accounting respectively) unless there is a particular need.
The administrative account (username/password) is not a Windows NT account of the primary server but an account of the primary NTTacPlus database with administrative privilege (privilege 15), like an account used to log in on the remote console. The removal of local accounts (Remove local accounts before backup) replaces the whole database of the backup server with the primary one; in this way accounts deleted from the primary are deleted on the backup as well, and accounts that exist only on the backup server are deleted too. The Forward accounting to primary server option (working only with the TACACS+ protocol) is useful with Cisco NAS. If the primary server is unavailable, the Cisco sends its accounting records to the backup server; since it "remembers" which server an accounting record was sent to, even after the primary server becomes available again all the STOP messages whose START messages went to the backup server are still sent to the backup server. If synchronization is performed during startup, the session traced by the backup server ends properly, while on the primary server the session rebuilt by the automatic synchronization remains active, because the primary server never receives a STOP. The accounting forwarding option solves this problem.
Authentication
Authentication is the process of identifying who a user is. When a user tries to connect, the NAS asks the NTTacPlus server what to do. Typically the server tells the NAS to request a username/password pair from the user; it then sends the NAS an answer of either allowed or denied access.
Authorization
Authorization is the process of establishing what a user can do. After the user is connected, for each command typed or resource requested the NAS sends an authorization request to the server. The NAS can propose a configuration (a list of Attribute/Value pairs) to be applied to the user. Relying on the information in the authorization request, the server answers granting or denying the authorization. If the authorization is granted, the server can tell the NAS to apply a new set of attributes to the user: for example, it can tell the NAS to discard the proposed IP address and use the address chosen by the server instead, and to apply a given timeout to the connection.

In the TACACS+ protocol every attribute proposed by the NAS in the authorization request can be optional or mandatory. If the attribute is optional, the server can propose an alternative; if it is mandatory, the server cannot modify it, and if it considers the attribute invalid it can only answer with a denied authorization. The attributes added by the server in a granted authorization reply can also be mandatory or optional: if optional, the NAS can choose independently whether to apply them to the user; if mandatory, the NAS must use them, and if for any reason it cannot honour the required attributes it must deny the authorization even though the server's reply was positive.
In the RADIUS protocol, when an authentication request occurs, the NAS sends at the same time a set of parameters (attribute/value pairs) describing the user's login type and the requested services. The RADIUS server may analyze these attributes and decide whether to authorize the user or not. If it does, the server can include in its reply another attribute set to be applied to the user who is logging in (for example a static IP address, the addresses of the DNS servers, etc.). Finally, the NAS decides whether this set is suitable for that user and continues or aborts the session accordingly.
Accounting
Accounting is the process that measures the resources consumed by a given user. Independently of authentication and authorization, with RADIUS or TACACS+ the NAS sends a start accounting message to the server to indicate the beginning of an accounting session and a stop message to indicate that the session is over. The stop message usually also carries additional information about the session just ended, such as its duration (time) and the quantity of data exchanged (traffic).
If any of the previous conditions is not met, the login fails and NTTacPlus returns access denied (except for some special cases described further on); otherwise the authentication succeeds.
In case of RADIUS requests, NTTacPlus successfully completes the authentication session only if the authorization session is also successful.
Authorization to the shell (Exec)
Shell (Exec) authorization in the TACACS+ protocol establishes whether a user is granted a command shell on the NAS, and the conditions and filters to be applied to him. The authorization request for the shell occurs when a user connects to the NAS with a terminal emulator and requests a command prompt. The shell is not requested in other situations, for example when the user connects to the NAS in PPP mode using PAP or CHAP authentication.
Authorization to commands
The authorization request for commands is sent by the NAS to authorize the user to run specific commands. With NTTacPlus it is possible to set a list of allowed or denied commands, and to deny some commands on the basis of their parameters as well: for example, the telnet command can be allowed only when its parameters refer to specific hosts.
Authorization to network services
Network service authorization in the TACACS+ protocol establishes whether the user is allowed to connect to the NAS using a specific network protocol, and the conditions and filters to be applied to the user. The authorization request for network services takes place when a user connects to the NAS in PPP mode, for example using PAP or CHAP authentication.
List of Attribute-Value pairs
Shell (Exec) and network service authorization allow the specification of filters to apply to the user. The parameters applied to the user are specified through the negotiation of attribute/value pairs between the NAS and NTTacPlus. An A/V pair takes one of the following forms:
attribute=value
attribute*value
where the equals sign "=" means that the attribute is mandatory and must be applied to the user (otherwise the authorization fails), while the asterisk "*" marks an optional attribute that the NAS may or may not apply.
The list of AV pairs supported by the NAS depends strictly on the brand and model of the NAS and on the version of its operating system. A list of AV pairs supported by Cisco NAS (with the IOS operating system) is included at the end of this manual. As a rule, the NAS and NTTacPlus negotiate the pairs to apply to the user. For each pair proposed by the NAS, if mandatory, NTTacPlus applies the following scheme:
a- if the same mandatory pair is configured in NTTacPlus, the pair is applied;
b- if a contradictory pair (i.e. with a different value) is configured in NTTacPlus but optional, the pair proposed by the NAS is maintained;
c- if a contradictory pair is configured in NTTacPlus as mandatory, or the pair is not configured at all, the whole authorization is denied if the default value is deny;
d- otherwise the pair is maintained.
If the pair proposed by the NAS is optional, NTTacPlus applies the following scheme:
a- if the same pair is configured as mandatory in NTTacPlus, the pair is replaced by the identical but mandatory pair;
b- if a contradictory pair is configured as mandatory in NTTacPlus, the pair is replaced by the NTTacPlus one with the new value, and transmitted as mandatory;
c- if the same pair is configured as optional in NTTacPlus, the pair is maintained as optional;
d- if a contradictory pair is configured as optional in NTTacPlus, the pair is replaced by the NTTacPlus one with the new value (but remains optional);
e- if none of the previous cases applies, the pair is discarded, but the authorization proceeds anyway if the default value for the authorization is deny;
f- otherwise the optional pair of the NAS is maintained.
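The two schemes above, as an added example in Python (not NTTacPlus code). The pairs are constructed, and the handling of pairs configured on the server but not proposed by the NAS (added to a granted reply) is an assumption drawn from the earlier description of authorization, not from the schemes themselves:

```python
"""TACACS+ A/V pair negotiation following the two schemes above.

Added example, not code from the NTTacPlus manual or product. Pairs use the
attribute=value (mandatory) / attribute*value (optional) notation of the manual;
the sample pairs are constructed. One assumption beyond the schemes: pairs
configured on the server but not proposed by the NAS are added to a granted
reply, as the introduction to authorization says the server may do.
"""


def parse_pair(text):
    """'addr*10.0.0.5' -> ('addr', '10.0.0.5', False); 'service=ppp' -> ('service', 'ppp', True)."""
    for sep, mandatory in (("=", True), ("*", False)):
        if sep in text:
            attr, value = text.split(sep, 1)
            return attr.strip(), value.strip(), mandatory
    raise ValueError(f"not an A/V pair: {text!r}")


def parse_pairs(texts):
    """List of pair strings -> {attribute: (value, mandatory)}."""
    return {attr: (value, mandatory) for attr, value, mandatory in map(parse_pair, texts)}


def format_pairs(pairs):
    return sorted(f"{attr}{'=' if mandatory else '*'}{value}" for attr, (value, mandatory) in pairs.items())


def negotiate(nas_pairs, server_pairs, default_deny=True):
    """Return (granted, reply pairs) for a NAS proposal checked against the profile's pairs."""
    reply = {}
    for attr, (value, mandatory) in nas_pairs.items():
        configured = server_pairs.get(attr)
        if mandatory:
            if configured is not None and configured[0] != value and not configured[1]:
                reply[attr] = (value, True)        # b: contradictory but optional: keep the NAS pair
            elif configured is not None and configured[0] == value:
                reply[attr] = (value, True)        # a: same pair configured: applied
            elif default_deny:
                return False, {}                   # c: contradictory mandatory, or not configured
            else:
                reply[attr] = (value, True)        # d: default permit: maintained
        else:
            if configured is None:
                if not default_deny:
                    reply[attr] = (value, False)   # f: default permit: NAS pair maintained
                continue                           # e: discarded, authorization proceeds
            srv_value, srv_mandatory = configured
            if srv_mandatory:
                reply[attr] = (srv_value, True)    # a/b: replaced, transmitted as mandatory
            else:
                reply[attr] = (srv_value, False)   # c/d: same or replaced value, still optional
    for attr, pair in server_pairs.items():
        reply.setdefault(attr, pair)               # assumption: server-only pairs are added
    return True, reply


if __name__ == "__main__":
    nas = parse_pairs(["service=ppp", "protocol=ip", "addr*10.0.0.5", "inacl*101"])
    profile = parse_pairs(["service=ppp", "protocol=ip", "addr=192.168.1.7", "timeout=600"])
    granted, reply = negotiate(nas, profile)
    print(granted, format_pairs(reply))
    # The NAS insists on protocol=ipx while the profile mandates protocol=ip: denied.
    print(negotiate(parse_pairs(["protocol=ipx"]), parse_pairs(["protocol=ip"])))
```

Running the example shows the profile overriding the optional address proposed by the NAS with a mandatory one of its own, the unknown optional inacl pair being dropped under the deny default, and a mandatory pair the profile contradicts causing an outright denial.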
The RADIUS Authorization
With the RADIUS protocol the authorization process takes place at the same time as the authentication process. NTTacPlus receives from the NAS the authentication/authorization request together with a set of attributes, and compares that set with the attributes configured in the RADIUS check-list. Attributes present in the request but absent from the check-list are ignored (with the exception of some particular attributes described further on in this chapter). If the check-list attributes match those coming from the NAS, NTTacPlus replies positively and, if needed, adds another attribute set taken from the RADIUS reply-list. If instead some check-list attributes have values different from those in the request, or do not match the request at all, NTTacPlus denies the authorization.
Value column of the example authentication request shown in the table (the Attribute column is not legible in this copy): rick, mandy71, 10.0.0.5, 4, Framed, PPP, 275885412, 268598741, MAX4030-01, Async
In the RADIUS packet the pairs are not actually transmitted as they are represented in this table: each attribute is identified by an integer number (one byte), and the value associated with it depends on the attribute itself. For example the NAS-Port attribute, indicating the port number, carries an integer value, while the User-Name attribute carries a character string. To remain extensible as the list of RADIUS attributes supported by the NAS and by the authentication server changes and grows, and to allow new pairs to be added, NTTacPlus implements the RADIUS dictionary mechanism.
The RADIUS attribute dictionary (named RADDICT.DAT) is an ASCII text file in which all known attributes are defined, with the integer number representing them and the type of value they carry. NTTacPlus can support new attributes once their definition and data type are added to the dictionary (after which the server must be restarted). WARNING: changing the dictionary file is a very delicate operation, because the dictionary requires a precise syntax. Any damage to the dictionary file or a bad edit can leave NTTacPlus unusable, because NTTacPlus loads and parses the dictionary when it starts and stops immediately if the syntax is wrong; keep a copy of the working RADDICT.DAT before editing it. Master Soft will release dictionary file updates as manufacturers introduce new attributes in the NAS. In case of unrecoverable damage to the dictionary file, you can request an original dictionary file from Master Soft.
Support for Vendor-Specific attributes
The RADIUS attribute dictionary can also contain definitions of Vendor-Specific attributes (extended attributes encapsulated in attribute #26), both in the standard format suggested by the RFCs and in the USRobotics/3Com proprietary format.
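An added example (not NTTacPlus code, and not the RADDICT.DAT syntax) of what a dictionary makes possible: encoding and decoding attributes as type/length/value using the standard RFC 2865 numbers, including an RFC-format Vendor-Specific attribute and the User-Password hiding that RADIUS applies on the wire. The secret, authenticator and packet values are constructed, and the Cisco vendor-id/vendor-type used for the VSA is an assumption about that vendor's dictionary:

```python
"""Dictionary-driven RADIUS attribute coding: type/length/value, an RFC-format
Vendor-Specific attribute, and RFC 2865 User-Password hiding.

Added example, not code from NTTacPlus and not the RADDICT.DAT format; the
dictionary is a hand-written subset with the standard numbers of RFC 2865.
Secret, authenticator and values are constructed; vendor id 9 / vendor type 1
(Cisco, cisco-avpair) for the VSA is an assumption, not stated by the manual.
"""
import hashlib
import socket
import struct

DICTIONARY = {                     # name -> (attribute number, value type)
    "User-Name": (1, "string"),
    "User-Password": (2, "octets"),
    "NAS-IP-Address": (4, "ipaddr"),
    "NAS-Port": (5, "integer"),
    "Service-Type": (6, "integer"),
    "Framed-Protocol": (7, "integer"),
    "Vendor-Specific": (26, "vsa"),
    "NAS-Identifier": (32, "string"),
    "NAS-Port-Type": (61, "integer"),
}
BY_NUMBER = {num: (name, kind) for name, (num, kind) in DICTIONARY.items()}

def encode_value(kind, value):
    if kind == "string":
        return value.encode()
    if kind == "octets":
        return bytes(value)
    if kind == "integer":
        return struct.pack("!I", value)
    if kind == "ipaddr":
        return socket.inet_aton(value)
    if kind == "vsa":   # RFC format: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data
        vendor_id, vendor_type, data = value
        return struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data
    raise ValueError(kind)

def decode_value(kind, raw):
    if kind == "string":
        return raw.decode(errors="replace")
    if kind == "octets":
        return raw
    if kind == "integer":
        return struct.unpack("!I", raw)[0]
    if kind == "ipaddr":
        return socket.inet_ntoa(raw)
    if kind == "vsa":
        vendor_id, vendor_type, vlen = struct.unpack("!IBB", raw[:6])
        return vendor_id, vendor_type, raw[6:4 + vlen]
    raise ValueError(kind)

def encode_attrs(attrs):
    """[(name, value), ...] -> attribute bytes, each as Type(1) Length(1) Value."""
    out = b""
    for name, value in attrs:
        num, kind = DICTIONARY[name]
        data = encode_value(kind, value)
        if len(data) > 253:                      # Length is one byte and counts the header
            raise ValueError(f"{name}: value too long for one attribute")
        out += struct.pack("!BB", num, len(data) + 2) + data
    return out

def decode_attrs(blob):
    """Attribute bytes -> [(name, value), ...]; unknown numbers come back as ('Attr-N', raw)."""
    attrs, pos = [], 0
    while pos < len(blob):
        num, length = struct.unpack("!BB", blob[pos:pos + 2])
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        raw = blob[pos + 2:pos + length]
        name, kind = BY_NUMBER.get(num, (f"Attr-{num}", None))
        attrs.append((name, decode_value(kind, raw) if kind else raw))
        pos += length
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; XOR block i with MD5(secret + previous),
    where 'previous' is the Request Authenticator for the first block."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

if __name__ == "__main__":                       # constructed secret and authenticator
    secret, auth = b"s3cret", bytes(range(16))
    request = encode_attrs([("User-Name", "rick"), ("User-Password", hide_password("mandy71", secret, auth)),
                            ("NAS-IP-Address", "10.0.0.5"), ("NAS-Port", 4), ("NAS-Identifier", "MAX4030-01"),
                            ("Service-Type", 2), ("Framed-Protocol", 1), ("NAS-Port-Type", 0),
                            ("Vendor-Specific", (9, 1, b"shell:priv-lvl=15"))])
    print(request.hex(), decode_attrs(request))
```

The enumerated values 2 (Framed-User), 1 (PPP) and 0 (Async) are what the table's Framed, PPP and Async become on the wire. Note that the password hiding is a reversible obfuscation keyed on the shared secret, not encryption: anyone holding the secret and a capture of the request can recover the password, which is why the Packet dumping debug option deserves the same care as Password checking.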
Account Management
The User Account Database
NTTacPlus lets you store user accounts in ODBC SQL tables or, alternatively, keep all user profiles in ASCII plain-text files. There is no functional difference between the two methods: the following paragraphs describe the user profiles in ASCII text format, while the last paragraph of this chapter explains how to configure NTTacPlus to use a SQL database and how the user profiles are stored in the database tables.

NTTacPlus keeps its account database in two separate directories (configured by the administrator): the first contains the group profiles, the second the user profiles. A user profile is an ASCII text file with the same structure as the Windows 3.1 configuration files (initialization files, *.INI): the configuration parameters are divided into sections. A user profile file has the *.usr extension, and its name is the username of the profile; renaming the file implicitly renames the username as well, because NTTacPlus retrieves the profile of a given username by looking in the user directory for a file with that name and the *.usr extension. The same rules apply to the group profile files, whose format is the same as the user profiles; the only difference is the extension, *.ugp (User GrouP). Since these files can hold clear-text passwords (see the Passwd parameter below), both directories should be readable and writable only by the account NTTacPlus runs under and by the administrators.
NOTE: manual editing of the user/group text files or of the records in the database tables, without using the NTTacPlus Profile Manager, performs no check for inconsistencies in the hierarchy created by the administrator (circular references, etc.); therefore manual changes to the files must be made with care.

Example (the numbers give the order in which the profiles are examined):
(1) User GULP
    (2) Group BEARS
    (3) Group WHALES
    (4) Group SQUIRTS
        (5) Group WHALES

When NTTacPlus looks for the parameters of the Gulp profile, it walks the hierarchic tree created by the administrator in this order. The Whales group is explored twice (uselessly), first directly and then indirectly through Squirts, so the hierarchy should be organized carefully: in this example it is useless to give the Gulp user direct membership of Whales, because Gulp already belongs to Whales indirectly through Squirts.

When NTTacPlus must retrieve a given parameter (for example TimeLeft=), it starts the search in the user profile. If it does not find it there, it examines the list of groups the user belongs to (Groups=) and proceeds recursively and in order, starting from the first group of the list: if the parameter is not found in the first group, it is searched in the groups that the first group belongs to. After examining the entire branch of the first group, if the parameter has still not been found, NTTacPlus passes to the second branch, and so on until the parameter is found or there are no more groups to examine. Referring to the example, suppose the following situation:
Gulp.usr has Groups=Bears,Whales,Squirts
Squirts.ugp has Groups=Whales
Whales.ugp has no Groups= line
Bears.ugp has no Groups= line

In this case the parameter search order is the one shown in the diagram, which is why the order in which group membership is assigned is very important: if both Bears and Squirts contain the parameter TimeLeft=, the first one encountered in the search, i.e. Bears, is used.
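The search order described above, implemented as an added example (not NTTacPlus code) over in-memory copies of the profiles, with a guard against the circular references the NOTE warns about. Matching names case-insensitively, as Windows file names are, is an assumption:

```python
"""Parameter lookup through the user/group hierarchy in the order described above.

Added example, not code from the NTTacPlus manual or product. The profiles are
held in memory as the INI text the manual describes (constructed); a deployment
would read <name>.usr from the user directory and <name>.ugp from the group
directory. Assumptions: names are matched case-insensitively, as Windows file
names are; the path-based cycle guard is something the manual says NTTacPlus
itself does not do for hand-edited files.
"""
import configparser

# Constructed profiles reproducing the manual's example hierarchy.
USERS = {"gulp": "[Global]\nName=Gulp\nGroups=Bears,Whales,Squirts\nMaxLogins=1\n"}
GROUPS = {
    "bears": "[Global]\nName=Bears\nTimeLeft=120\n",
    "whales": "[Global]\nName=Whales\nMaxConnectionTime=480\n",
    "squirts": "[Global]\nName=Squirts\nGroups=Whales\nTimeLeft=30\n",
}


def load_profile(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep parameter names exactly as written
    cp.read_string(text)
    return cp


def member_groups(profile):
    """Groups= of a profile as an ordered list of lower-case group names."""
    raw = profile.get("Global", "Groups", fallback="")
    return [g.strip().lower() for g in raw.split(",") if g.strip()]


def lookup(username, param, section="Global", users=USERS, groups=GROUPS):
    """Return (value, profile where found, visit order); value is None if not found.

    Search: the user profile first, then each group of its Groups= in order, going
    down a group's own Groups= (depth-first) before moving on to the next sibling."""
    order = []

    def search(name, profile, path):
        order.append(name)
        if profile.has_option(section, param):
            return profile.get(section, param), name
        for g in member_groups(profile):
            if g in path or g not in groups:      # circular reference or unknown group: skip
                continue
            found = search(g, load_profile(groups[g]), path | {g})
            if found:
                return found
        return None

    user = username.lower()
    if user not in users:
        return None, None, order
    found = search(user, load_profile(users[user]), {user})
    value, where = found if found else (None, None)
    return value, where, order


if __name__ == "__main__":
    for param in ("TimeLeft", "MaxConnectionTime", "Email"):
        print(param, lookup("Gulp", param))
```

The guard tracks only the groups on the current branch, so Whales is still examined twice for a parameter nobody defines (as the diagram shows), while a group that lists one of its own ancestors is simply skipped instead of looping forever.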
[Global] Section
This section describes the global authentication parameters.

Name
Name or description of the user or group profile. It has only a descriptive value and does not affect the behavior of the profile.

Passwd
Password of the user. If the file (or record) is edited manually, the password can only be entered in clear text; to store the encrypted form it is necessary to change the profile with the NTTacPlus Profile Manager. In this field NTTacPlus can also be told to perform some special password validations. The syntax of the special values is:
Passwd=[<type>][$|#][<value>]
where <type> can be NT, TACACS+, NONE, DES, UNIX. Examples:
Passwd=[NT] authenticates locally using NT accounts
Passwd=[NT]\\pino authenticates using the NT accounts of the server PINO
Passwd=[NT]ced authenticates using the NT accounts of the CED domain
Passwd=[TACACS+]192.168.0.6 authenticates using the TACACS+ server on the host 192.168.0.6
Passwd=[DES]CpuskTjR7spcM authenticates using a DES encrypted password (UNIX-style)
Passwd=[NONE] authenticates successfully without verifying the password
Passwd=[UNIX]c:\nttacplus2\passwd authenticates against a standard UNIX password file
Examples with "grab password":
Passwd=[NT]#\\antonio authenticates using the NT accounts of the server ANTONIO and, at the first successful access of the user, replaces the whole expression [NT]#\\antonio with the clear-text password that the user entered.
Passwd=[NT]$sales authenticates using the NT accounts of the SALES domain and, at the first successful access of the user, replaces the whole expression [NT]$sales with the encrypted form of the password that the user entered. Encrypted passwords take the form +@XXXXXX, where XXXXXX is a hexadecimal string.
If this parameter is omitted, the authentication always fails. Prefer $ (encrypted) to # (clear-text) grabbing, and remember that [NONE] accepts any password at all, so it belongs only in profiles whose access is restricted by other means (NAS, Port, CallerID).

EffectiveFrom
Activation date of the account, in the format dd-mm-yyyy. If the year is written with two digits, 00 to 89 are interpreted as 2000-2089 and 90 to 99 as 1990-1999. If this parameter is omitted, the account is considered immediately active.

Expires
Expiry date of the account, in one of these formats:
dd-mm-yyyy
#nn[,dd-mm-yyyy]
Two-digit years are interpreted as for EffectiveFrom. The first format is an absolute expiration date. The second specifies the duration of the account in days, counted from the date in the EffectiveFrom parameter; optionally, an absolute expiration date independent of the duration can be added after a comma. If EffectiveFrom does not exist, NTTacPlus creates it automatically at the first successful login of the user and starts counting the days from there. An account that never expires is written as:
Expires=never
If this parameter is omitted, the account is considered expired.

Groups
List of the groups the profile belongs to. For example:
Groups=standard,isdn
assigns membership of the two groups standard and isdn. If this parameter is omitted, the profile belongs to no group.

LoginHours
Time bands in which the login is accepted. For example:
LoginHours=02:00-06:00, 15:00-17.30
allows access from 2 to 6 AM and from 3 to 5.30 PM. Hours must be written in 24h format. To differentiate access by day of the week, write:
LoginHours=weekly
and add a weekly access plan in the [WeekPlan] section (see further on). If this parameter is omitted, no login-hour control is applied.

MaxLogins
Number of concurrent logins allowed to the profile, between 0 and 9999. A value of 0 disables the account. If this parameter is omitted, NTTacPlus considers the account disabled.

Disabled
If set to 1 the account is disabled and all the other parameters are ignored. If set to 0 or omitted, the account is not disabled.

CallerID
This parameter can deny access by examining the rem_addr field specified in the TACACS+ protocol or the Calling-Station-Id RADIUS attribute. The content of this field depends on the NAS and on its operating system: for example, in IOS version 11.3 the field contains the calling and called telephone numbers of calls from ISDN lines, in the format
CallerID/CalledID
so that access can be controlled according to the calling number. A list of valid values for the field can be given using wildcards. For example:
CallerID=321498784*, 32145345[3-7]*
accepts all numbers beginning with 321498784, and all numbers beginning with 32145345 followed by a digit between 3 and 7 (for the use of wildcards in expressions see further on). If this parameter is omitted, no control is performed on the field.

NAS
This parameter can deny access by checking the NAS the user is connecting to. You can enter a list of valid NASes or IP address intervals. For example:
NAS=192.168.0.3,192.168.1.15-192.168.1.22
accepts requests from NASes whose address is 192.168.0.3 or between 192.168.1.15 and 192.168.1.22. If this parameter is omitted, no control is performed on the NAS address.

Port
This parameter can deny access according to the NAS port on which the account is trying to log in. For example, with:
Port=tty*, async*
the account is allowed to connect only on tty lines or asynchronous interfaces (thereby denying ISDN access on the serial ports). For the use of wildcards in expressions, see below. If this parameter is omitted, no control is performed on the port.

Privilege
Privilege level of the user, a numeric value between 0 and 15. The value 15 is required for the administrative accounts that use the NTTacPlus Remote Console. When authorization is enabled for Exec sessions too, NTTacPlus automatically converts this value into the TACACS+ A/V pair priv-lvl, unless that pair is explicitly configured in the corresponding section (see the authorization parameters below). If this parameter is omitted, NTTacPlus assumes privilege 0. NOTE: the privilege level attribute is not used in RADIUS.

MaxConnectionTime
Maximum length (in minutes) of a session. For example:
MaxConnectionTime=480
limits the length of a connection to 8 hours. NTTacPlus checks the connected users every 5 minutes; if it finds an account beyond the maximum length, it sends a kill command to the NAS to force its disconnection. If this parameter is omitted, no limit is imposed on the duration of the session.

Email
E-mail address of the user; ignored in group profiles. When NTTacPlus sends the administrator a notification about an event relevant to the account, a copy of the message is also sent to the user if this parameter is supplied. The parameter is also used to deliver account expiration warnings. More than one address can be given as a comma-separated list. If this parameter is omitted, the user receives no copy of the notifications.

Comment
A comment for the profile. This parameter does not affect the profile behavior.
ExpiringEMailMsg
This parameter points to the full pathname of a text file containing a warning message that may be delivered to the user when his account is expiring. For information on expiration warning messages, see the relevant section further on.

TimeLowEMailMsg
Pathname of the text file containing the e-mail message to be sent when the account is below the time credit warning threshold.

TrafficLowEMailMsg
Pathname of the text file containing the e-mail message to be sent when the account is below the traffic credit warning threshold.

AuthenScript
The post-authentication script is executed by NTTacPlus after a successful login. With this script you can extend the authentication capabilities by running external, fully customizable applications. If you omit this parameter, no script is executed. For further information about post-authentication scripts refer to the paragraph "The post-authentication scripts".
[WeekPlan] Section
This section (optional) establishes an access plan for the login hours on each day of the week. It is examined only if LoginHours=weekly has been entered in the [Global] section.

Mon
Indicates the hours during which login is allowed on Mondays. For the syntax, see LoginHours in the [Global] section. If this parameter is omitted, access is denied for the whole day. To allow access over the full 24 hours it is necessary to type explicitly the following line:
Mon=00:00-23:59

Tue
Same as Mon= but valid for Tuesdays.

Wed
Same as Mon= but valid for Wednesdays.

Thu
Same as Mon= but valid for Thursdays.

Fri
Same as Mon= but valid for Fridays.

Sat
Indicates the hours during which login is allowed on Saturdays and on pre-holidays, as established in the holiday calendar of the global NTTacPlus configuration file. For the syntax, see LoginHours in the [Global] section. If this parameter is omitted, access is denied for the whole day. To allow access over the full 24 hours it is necessary to type explicitly the following line:
Sat=00:00-23:59

Sun
Indicates the hours during which login is allowed on Sundays and on holidays, as established in the holiday calendar of the global NTTacPlus configuration file. For the syntax, see LoginHours in the [Global] section. If this parameter is omitted, access is denied for the whole day. To allow access over the full 24 hours it is necessary to type explicitly the following line:
Sun=00:00-23:59
[Credits] Section
This section (optional) states the overall amount of time and traffic credit for each account. The whole section can be omitted for accounts with unlimited credit.

KBytesInitial
Initial amount of the traffic credit, in Kbytes.

KBytesLeft
Amount of traffic credit left for the account, in Kbytes. Initially this value coincides with KBytesInitial; afterwards NTTacPlus decreases it as the account consumes the credit.

TimeInitial
Initial amount of the time credit, in minutes.

TimeLeft
Amount of time credit left for the account, in minutes. Initially this value coincides with TimeInitial; afterwards NTTacPlus decreases it as the account consumes the credit.

OnExtraTimeCharge
If set to 1, tells NTTacPlus to allow access in any case, even when the user has exhausted his time credit, recording the exceeding time in a distinct accounting field so that the time beyond the initial credit can be invoiced separately. If omitted, the default value is 0.

OnExtraKBytesCharge
If set to 1, tells NTTacPlus to allow access in any case, even when the user has exhausted his traffic credit, recording the exceeding Kbytes in a distinct accounting field so that the traffic beyond the initial credit can be invoiced separately. If omitted, the default value is 0.

OnTimeExceededKill
If set to 1, tells NTTacPlus to disconnect the user when he exhausts his total time credit during the session in progress. If omitted, the default value is 0.

OnQuotaExceededKill
If set to 1, tells NTTacPlus to disconnect the user when he exhausts the time quota of the current period during the session in progress. If omitted, the default value is 0.

QuotaPeriod
Configures the period over which a time quota is assigned. It can be: daily, weekly, monthly, yearly. If omitted, there are no restrictions on time quotas.

Quota
Amount in minutes of the time quota for the given period.

QuotaLeft
Stores the residual time quota for the current period (only used internally by NTTacPlus; we suggest not to modify this value).

[Warning] Section
This section is created and updated automatically by NTTacPlus for its internal use. None of its parameters needs to be changed.
[Suspicious] Section
This section establishes which action NTTacPlus should carry out in case of suspicious account behavior.

OnFailedEmail
If set to 1, NTTacPlus sends an administrative e-mail notification after every series of n consecutive failed login attempts on the account, where n is the value set in the Max login attempts field of NTTacPlus Options. If omitted, the default value is 0.

OnFailedDisable
If set to 1, NTTacPlus disables the account (MaxLogins=0) after every series of n consecutive failed login attempts on the account, where n is the value set in the Max login attempts field of NTTacPlus Options. If omitted, the default value is 0. Note that this lets anyone who knows a username lock that account out simply by failing n logins against it; weigh that against the protection it offers.

OnMultipleAccessEmail
If set to 1, NTTacPlus sends an administrative e-mail notification when the user exceeds the maximum number of concurrent logins allowed for his account. If omitted, the default value is 0.

OnMultipleAccessKill
If set to 1, NTTacPlus sends a kill command to the NASes for every active occurrence of the username when the user exceeds the maximum number of concurrent logins allowed for his account. If omitted, the default value is 0.

OnMultipleAccessDisable
If set to 1, NTTacPlus disables the account (MaxLogins=0) when the user exceeds the maximum number of concurrent logins allowed for his account. If omitted, the default value is 0.

OnExpiredAuthenticate
If set to 1, NTTacPlus allows the authentication of the account also when it has expired or has exhausted its time/traffic credit, even if neither OnExtraTimeCharge nor OnExtraKBytesCharge is set. However, the expired account uses the authorization parameters of special sections ([Services Expired], [RADIUS Expired CheckList] and [RADIUS Expired ReplyList], described below) instead of the ones generally used. This feature allows, for instance, an expired account to read (but not send) e-mail without browsing the web, or to connect only to the web page from which the credit can be automatically recharged with a credit card number.

OnExpiringEmail
If set to 1, NTTacPlus sends an e-mail warning (the message configured in the [Global]/ExpiringEMailMsg parameter) to the user the first time he logs in during the warning period preceding account expiration. The length of the warning period can be configured in the NTTacPlus general options.

EmailNotifyToUser
If set to 1, NTTacPlus sends a copy of the administrative notifications (usually sent to the administrator) also to the user.

OnTimeLowEmail
If set to 1, NTTacPlus sends an e-mail message (the one configured in the [Global]/TimeLowEMailMsg parameter) to the user having low time credit. The message is sent the first time the user connects with low time credit. You can configure the threshold for low time credit in the general options of NTTacPlus.

OnTrafficLowEmail
Like the previous parameter, but referred to the traffic credit (the message is the one configured in [Global]/TrafficLowEMailMsg).
[Authorization] Section
This section rules the default behavior of NTTacPlus for authorization requests that are not explicitly configured.

DefaultService
If set to permit, NTTacPlus authorizes requests coming from the NAS for services that are not explicitly configured. Otherwise the authorization fails. If omitted, the default value is deny.

DefaultCommand
If set to permit, NTTacPlus authorizes requests coming from the NAS for shell (Exec) commands that are not explicitly configured. Otherwise, commands that are not configured are not authorized. If omitted, the default value is deny.

Both defaults are deny, i.e. fail-closed. Setting either to permit turns the explicit [cmd <cmd_name>] and [Services] entries into a deny-list, so anything you forgot to list is allowed.

NoAppendTacCmd
If set to 1, NTTacPlus does not append any command authorization set up in the groups the profile belongs to. If omitted, NTTacPlus completes the command authorization list of the user profile by appending the lists of the group profiles it belongs to.

NoAppendTacSvc
If set to 1, NTTacPlus does not append any service authorization set up in the groups the profile belongs to. If omitted, NTTacPlus completes the service authorization list of the user profile by appending the lists of the group profiles it belongs to.
[cmd <cmd_name>] Sections
These sections configure the TACACS+ authorization for the shell (Exec) commands of the NAS. Each section configures one command, and its body specifies whether to allow or deny the command on the basis of its arguments. For example, the following configuration:
[cmd logout]
*=permit
[cmd telnet]
192.168.10.1 *=deny
192.168.10.*=permit
allows the user to type the logout command at the shell prompt with any argument, while the telnet command is allowed only if its first argument is an IP address in the 192.168.10.0 network other than 192.168.10.1 (note that the more specific deny entry is listed before the permit entry). As a rule, the syntax for the command arguments is:
<argument_list>=permit | deny
where <argument_list> is an expression which may contain wildcards.
NOTE: Cisco NASes running some IOS versions always literally append the four-character string "<cr>" to mark the end of the line (carriage return). For a command typed without arguments, an authorization request is presented anyway with a single argument, the "<cr>" string. Always keep this string in mind when configuring the valid arguments: an entry that only matches an empty argument list will not match a bare command coming from such a NAS.
[Services] Section
This section rules the behavior of NTTacPlus for TACACS+ authorization requests for services. The body of the section can contain one or more lines configuring services. The syntax for the explicit configuration of a service is:
<service_name> default=permit | deny
For example, to configure authorization for the shell (Exec) of the NAS, type:
Exec default=permit | deny
The permit or deny option rules how NTTacPlus treats the attribute/value pairs that are not explicitly configured for the service. With permit, a pair that is received but not configured is kept in any case (whether mandatory or optional) and the authorization succeeds. With deny, a received but not configured pair is discarded: the authorization goes on if the pair is optional, while it fails if the pair is mandatory.
For services that also require the specification of a protocol (such as PPP), type:
<service_name>-<protocol> default=permit | deny
For example, to configure the PPP service over the IP protocol, type:
PPP-IP default=permit | deny
WARNING: In the case of the PPP service, because the NAS sends separately the authorization request for PPP/LCP (link control) first, and then the request for the protocol to be run over PPP (for example TCP/IP over PPP), it is necessary to configure both services explicitly (that is, PPP and PPP-IP). For example, to activate authorization for TCP/IP over PPP, the following lines are both required:
PPP default=deny
PPP-IP default=deny
To configure also an attribute/value pair list, add the following lines:
<service_name> AV=attr1=value1;attr2=value2;attr3*value3;...
or
<service_name>-<protocol> AV=attr1=value1;attr2=value2;attr3*value3;...
Configuration example
[Services]
Exec default=deny
Exec AV=autocmd=ppp
PPP default=deny
PPP-IP default=deny
PPP-IP AV=addr=192.168.1.54;inacl=110
These lines configure the Exec, PPP/LCP and TCP/IP over PPP services. Moreover they assign the A/V pair autocmd=ppp (command to be executed when the shell is started) to the Exec service, and addr=192.168.1.54 (static IP address) and inacl=110 (input access list to be applied to the user) to the TCP/IP connection over PPP. The A/V pairs can be written as attribute=value or as attribute*value, where the equal sign "=" indicates a mandatory pair, while the asterisk "*" indicates an optional pair that the NAS may apply or not at its discretion.
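The following Python is an added example, not NTTacPlus code and not part of the manual: it parses a [Services] section with the syntax above and applies the permit/deny rule for mandatory and optional pairs to constructed NAS requests. Two points are assumptions, not statements of the manual: a pair configured with AV= replaces the value the NAS sent for the same attribute, and configured pairs the NAS did not mention are added to the reply; a service with no entry at all falls back to the [Authorization] DefaultService value passed in.

```python
from dataclasses import dataclass

# Added example (not NTTacPlus code): applies the [Services] rules of the
# manual to constructed authorization requests. Assumptions not stated by
# the manual: a configured AV= pair overrides the value the NAS sent for the
# same attribute, configured pairs the NAS did not send are appended to the
# reply, and a service without any entry is decided by DefaultService.


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool  # '=' separator means mandatory, '*' means optional

    def __str__(self) -> str:
        return f"{self.attr}{'=' if self.mandatory else '*'}{self.value}"


def parse_av(text: str) -> list:
    """Parse 'attr1=value1;attr2*value2' into AVPair objects. The first '='
    or '*' in each item separates the attribute from its value."""
    pairs = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        cuts = [i for i in (item.find("="), item.find("*")) if i != -1]
        if not cuts:
            raise ValueError(f"no separator in A/V pair {item!r}")
        cut = min(cuts)
        pairs.append(AVPair(item[:cut], item[cut + 1:], item[cut] == "="))
    return pairs


def parse_services(section_text: str) -> dict:
    """Parse the body of a [Services] section into
    {service: {'default': 'permit'|'deny', 'av': [AVPair, ...]}}."""
    cfg = {}
    for line in section_text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        service, _, rest = line.partition(" ")
        entry = cfg.setdefault(service, {"default": "deny", "av": []})
        key, _, value = rest.strip().partition("=")
        if key == "default":
            if value not in ("permit", "deny"):
                raise ValueError(f"bad default for {service}: {value!r}")
            entry["default"] = value
        elif key == "AV":
            entry["av"].extend(parse_av(value))
        else:
            raise ValueError(f"unrecognised service line {line!r}")
    return cfg


def authorize(cfg: dict, service: str, requested: str,
              default_service: str = "deny") -> tuple:
    """Return ('pass', [reply pairs as strings]) or ('fail', []) for a
    request carrying the A/V pairs written in 'requested'."""
    if service not in cfg:
        # nothing configured for this service: DefaultService decides
        if default_service == "permit":
            return "pass", [str(p) for p in parse_av(requested)]
        return "fail", []
    entry = cfg[service]
    configured = {p.attr: p for p in entry["av"]}
    reply = []
    for req in parse_av(requested):
        if req.attr in configured:
            reply.append(configured[req.attr])   # server-side value wins
        elif entry["default"] == "permit":
            reply.append(req)                    # unconfigured pair kept as received
        elif req.mandatory:
            return "fail", []                    # unconfigured mandatory pair under deny
        # optional and unconfigured under deny: silently discarded
    sent = {p.attr for p in reply}
    reply.extend(p for p in entry["av"] if p.attr not in sent)
    return "pass", [str(p) for p in reply]


# The manual's own configuration example, used as constructed input.
MANUAL_SERVICES = """[Services]
Exec default=deny
Exec AV=autocmd=ppp
PPP default=deny
PPP-IP default=deny
PPP-IP AV=addr=192.168.1.54;inacl=110
"""

if __name__ == "__main__":
    cfg = parse_services(MANUAL_SERVICES)
    # constructed NAS request: it proposes its own address and ACL as optional pairs
    print(authorize(cfg, "PPP-IP", "addr*0.0.0.0;inacl*100"))
    # constructed request with a mandatory pair nobody configured: denied
    print(authorize(cfg, "Exec", "timeout=10;idletime*5"))
```

With `Exec default=deny`, the request carrying the mandatory `timeout=10` pair fails even though `autocmd=ppp` is configured; switch the line to `Exec default=permit` and the same request passes with the NAS's pairs kept and `autocmd=ppp` appended, which is exactly the difference the text above describes.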
[Services Expired] Section
This section rules the behavior of NTTacPlus for TACACS+ authorization requests for services that must be applied only when the account has expired or has exhausted its time or traffic credit. This section is only read if the OnExpiredAuthenticate parameter is set to 1. The body of this section contains parameters with the same syntax as the [Services] section.
[RADIUS] Section
This section rules the default behavior of NTTacPlus for RADIUS authorization requests.

NoAppendRadChk
If set to 1, NTTacPlus does not append the RADIUS attribute check-lists configured in the groups the profile belongs to. If omitted, NTTacPlus appends to the profile RADIUS check-list the check-lists retrieved from those groups.

NoAppendRadRep
If set to 1, NTTacPlus does not append the RADIUS attribute reply-lists configured in the groups the profile belongs to. If omitted, NTTacPlus appends to the profile RADIUS reply-list the reply-lists retrieved from those groups.
[RADIUS CheckList] Section
This section rules the behavior of NTTacPlus for RADIUS authorization requests. The body of the section can contain one or more Attribute-Value pair lines that must be received from the NAS for the user to be authenticated successfully. The NAS sends a list of attributes describing the kind of access the user is requesting; in this section you can list mandatory attributes that must be present among those sent by the NAS. The line format is:
<attribute-name>=<value>
For example, if you want to limit the dial-up access type to terminal login only, set the attribute:
[RADIUS CheckList]
Service-Type=NAS-Prompt
[RADIUS ReplyList] Section
This section rules the behavior of NTTacPlus for RADIUS authorization requests. The body of the section can contain one or more Attribute-Value pair lines that are sent to the NAS together with the authentication-succeeded reply. The NAS interprets the attributes received from NTTacPlus and decides whether to apply them to the user, discard them, or deny access to the user. The line format is the same as in the RADIUS check-list:
<attribute-name>=<value>
For example, to set a static IP address using RADIUS you have to insert these lines:
[RADIUS ReplyList]
Service-Type=Framed
Framed-IP-Address=a.b.c.d
Framed-IP-Netmask=e.f.g.h
where a.b.c.d is the IP address to set and e.f.g.h is the subnet mask.

[RADIUS Expired CheckList] and [RADIUS Expired ReplyList] Sections
These sections rule the behavior of NTTacPlus for RADIUS authorization requests to be applied only when the account has expired or has no more time and/or traffic credit. The sections are parsed only if the parameter OnExpiredAuthenticate is set to 1. The bodies of these sections contain lines with the same syntax as the [RADIUS CheckList] and [RADIUS ReplyList] sections.
If you place a leading refuse character (!) in a wildcard expression, you are telling NTTacPlus to refuse the whole expression in case of match instead of accepting it. For example, with the following Port setting:
Port=!Async4,Async[1-8],Serial*
NTTacPlus accepts the Async ports from 1 to 8 and all Serial ports, refusing connections on Async port 4.
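The following Python is an added example, not NTTacPlus code and not part of the manual: it evaluates the comma-separated wildcard lists used by the CallerID= and Port= parameters described in the [Global] section above (including the leading refuse character described here) and the address lists used by NAS=. The matching rules it implements are assumptions drawn from the manual's examples rather than a specification it gives: matching is case-insensitive (the examples write both "async*" and "Async*"), "[a-b]" stands for exactly one character in the range, a matching "!" entry overrides any accepting entry, and an empty list (parameter omitted) means no control at all.

```python
import ipaddress
import re

# Added example (not NTTacPlus code): evaluates the list syntax of the
# CallerID=, Port= and NAS= profile parameters as the manual describes it.
# Assumptions, not stated by the manual: case-insensitive matching, '[a-b]'
# matches exactly one character, a matching '!' entry refuses regardless of
# other entries, and an empty list means "no control".

_CLASS_BODY = re.compile(r"^[A-Za-z0-9\-]+$")


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate one wildcard expression ('Async[1-8]', 'Serial*') into an
    anchored, case-insensitive regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "[":
            end = pattern.find("]", i)
            if end == -1 or not _CLASS_BODY.match(pattern[i + 1:end]):
                raise ValueError(f"bad character class in {pattern!r}")
            parts.append("[" + pattern[i + 1:end] + "]")
            i = end + 1
        else:
            parts.append(re.escape(ch))   # everything else is literal
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def matches_list(expr_list: str, value: str) -> bool:
    """Decide whether 'value' (a port name, or a CallerID/CalledID string)
    is accepted by a list such as '!Async4,Async[1-8],Serial*'."""
    entries = [e.strip() for e in expr_list.split(",") if e.strip()]
    if not entries:
        return True                       # parameter omitted: no control
    accepted = False
    for entry in entries:
        refuse = entry.startswith("!")
        rx = wildcard_to_regex(entry[1:] if refuse else entry)
        if rx.fullmatch(value):
            if refuse:
                return False              # a matching '!' entry refuses outright
            accepted = True
    return accepted


def nas_allowed(nas_list: str, nas_ip: str) -> bool:
    """Check a NAS address against 'addr,addr-addr,...' as written in
    NAS=192.168.0.3,192.168.1.15-192.168.1.22."""
    entries = [e.strip() for e in nas_list.split(",") if e.strip()]
    if not entries:
        return True                       # parameter omitted: no control
    ip = ipaddress.ip_address(nas_ip)
    for entry in entries:
        low_text, sep, high_text = entry.partition("-")
        low = ipaddress.ip_address(low_text)
        high = ipaddress.ip_address(high_text) if sep else low
        if low <= ip <= high:
            return True
    return False


if __name__ == "__main__":
    # The manual's own examples, fed constructed port names and numbers.
    for port in ("Async4", "Async7", "Serial0:1", "Async9"):
        print(port, matches_list("!Async4,Async[1-8],Serial*", port))
    print(matches_list("321498784*, 32145345[3-7]*", "321453457123/0123"))
    print(nas_allowed("192.168.0.3,192.168.1.15-192.168.1.22", "192.168.1.20"))
```

Because a refusing entry wins wherever it appears in the list, `Port=!Async4,Async[1-8],Serial*` and `Port=Async[1-8],Serial*,!Async4` behave the same here; if NTTacPlus itself is order-sensitive, keep the refusing entries first as in the manual's example.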
All the subscriptions are yearly. The following group profiles can be created:

standard.ugp
[Global]
Name=Base common group
MaxLogins=1
MaxConnectionTime=480
Privilege=1
NAS=192.168.0.1
Port=Async*,tty*
ExpiringEMailMsg=c:\nttacplus\messages\expiring.txt
[Suspicious]
OnFailedEmail=1
OnExpiredAuthenticate=0
OnMultipleAccessEmail=1
OnMultipleAccessKill=0
OnMultipleAccessDisable=0
OnExpiringEmail=1
[Authorization]
DefaultCommand=deny
DefaultService=deny
[Services]
Exec default=deny
Exec AV=autocmd=ppp
PPP default=deny
PPP-IP default=deny
[cmd exit]
*=permit
[cmd logout]

day.ugp
[Global]
Name=Day-time analog access group
Groups=standard
LoginHours=weekly
[WeekPlan]
mon=08:00-19:59
tue=08:00-19:59
wed=08:00-19:59
thu=08:00-19:59
fri=08:00-19:59
sat=00:00-23:59
sun=00:00-23:59

night.ugp
[Global]
Name=Night-time analog access group
Groups=standard
LoginHours=weekly
[WeekPlan]
mon=00:00-07:59,20:00-23:59
tue=00:00-07:59,20:00-23:59
wed=00:00-07:59,20:00-23:59
thu=00:00-07:59,20:00-23:59
fri=00:00-07:59,20:00-23:59
sat=00:00-23:59
sun=00:00-23:59

isdn300.ugp
[Global]
Name=ISDN access with 300 hours total time credit
Groups=standard
Port=Serial*,Async*,tty*
[Credits]
TimeInitial=18000
TimeLeft=18000

At this point the user profiles can be created easily, assigning each to the desired group. The user Asdrubale buys a flat analog subscription starting from June 1st, 1999:

asdrubale.usr
[Global]
Name=Asdrubale Rossi
Passwd=guessit
Expires=01-06-2000
Groups=standard
EMail=asdrubale.rossi@supermeganet.com

The user Antonio buys an ISDN subscription of 300 hours starting from May 15th, 1999, with a quota of 20 hours per week:

antonio.usr
[Global]
Name=Antonio Bianchi
Passwd=whoknowsit
Expires=15-05-2000
Groups=isdn300
EMail=antonio.bianchi@supermeganet.com
[Credits]
QuotaPeriod=weekly
Quota=1200

The user Ermenegildo buys an ISDN day-time subscription lasting 180 days, expiring in any case on April 30th, 2001, with 2 concurrent accesses, the static IP address 199.189.161.15, and access limited to his only two telephone numbers, 02-77836524 and 02-77836525:

ermenegildo.usr
[Global]
Name=Ermenegildo Verdi
Passwd=justforgotit
Expires=#180,30-04-2001
Groups=dayisdn
MaxLogins=2
CallerID=27783652[4-5]*
EMail=ermenegildo.verdi@supermeganet.com
[Services]
PPP-IP AV=addr=199.189.161.15

These sample profiles store the passwords in clear (Passwd=...), so the profile files, and any database they are exported to, must be readable by the NTTacPlus service only; the Remote Console also offers a DES Encrypted Password type (see the password settings further on).
Special settings
A remark on the privilege value
When NTTacPlus receives a TACACS+ authorization request for the Exec (shell) service, it automatically adds the "priv-lvl=nn" pair to the list of A/V pairs in the answer, where nn is the value of the Privilege= setting in the [Global] section. In this way an administrator whose account has Privilege=15 enters the NAS prompt directly in enable mode (on Cisco with IOS 11.1 or later) without having to type the enable command and the enable password again. If, on the other hand, you explicitly add the "priv-lvl=nn" A/V pair to the authorization configuration for the Exec service (for instance with "Exec AV=priv-lvl=7"), the value of the Privilege parameter is ignored. Since Privilege= is collected from the groups a profile belongs to like any other parameter, check what a group sets before assigning users to it: a group-level Privilege=15 puts every member straight into enable mode.

Enable passwords with TACACS+
On older Cisco IOS versions (11.1 or earlier) the enable password is requested from the TACACS+ server without providing the username of the user who is issuing the enable command. When NTTacPlus receives such an enable authentication request, it looks for the password in a special user profile: $enab<n>$ if the request specifies a privilege level between 0 and 14 (<n> being that number), while for privilege 15 it looks first for a user called $enable15$ and then, if that cannot be found, for a user called $enable$. This means that if you also activate enable authentication via TACACS+, you must configure the enable password in a user profile called $enable$.usr. In more recent versions the enable authentication request also carries the username. In that case, if the user has adequate privilege for the request, the password NTTacPlus uses is the same one the user used to log in at the NAS prompt.
Static IP address assignment in RADIUS
The sample preconfigured groups in NTTacPlus contain the minimum RADIUS attributes required to authorize PPP network service access. By assigning a user to a group in which RADIUS reply attributes for PPP access are configured (as in the preconfigured ones), the user automatically inherits those attributes even if they are not explicitly declared in his profile, because NTTacPlus appends the group attributes to the user attributes. The typical RADIUS reply attributes for PPP access are:
[RADIUS ReplyList]
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=Select-by-NAS
To set a static IP address for a user, configure in his profile:
[RADIUS ReplyList]
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=a.b.c.d
Framed-IP-Netmask=e.f.g.h
and make sure to disable the automatic appending of the group RADIUS attributes with the option:
[RADIUS]
NoAppendRadRep=1
Without this setting NTTacPlus would return a list of attributes made of the two lists joined together:
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=a.b.c.d
Framed-IP-Netmask=e.f.g.h
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=Select-by-NAS
In this case the NAS receives useless repetitions and, above all, the static IP address would be ignored, because the last attribute relevant to IP address selection is Select-by-NAS.
NTTacPlus waits for the script reply (access permitted or denied) on the standard output: the script must reply in the format parameter=value, without any blank spaces at the beginning of the line. The reply parameters NTTacPlus accepts are:
status=pass (or fail)
reply-msg=<text message to pass to the NAS and then to the user>
The status parameter is mandatory, while reply-msg is optional. Any other unrecognized line is ignored.

A (quite useless) sample batch script
In the user profile (or group profile) this line is configured:
AuthenScript=cmd.exe /c c:\nttacplus\external\fool.bat $user
and fool.bat contains:
@echo off
if not "%1"=="albert" goto bother_this_is_not_albert
echo reply-msg=Hello, Albert, welcome!
goto exit_fool_bat
:bother_this_is_not_albert
echo reply-msg=Hey, you're not Albert. Welcome, anyway!
:exit_fool_bat
echo status=pass
Note that $user is expanded into a cmd.exe command line: a username containing characters that cmd.exe interprets (such as &, | or >) would alter the command, so validate the usernames you accept, or quote the argument, before relying on a script like this in production.
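The following Python is an added example, not NTTacPlus code and not part of the manual: it shows the server-side reading of a post-authentication script's reply according to the rules stated above (parameter=value lines, no leading blanks, status mandatory, reply-msg optional, everything else ignored). How NTTacPlus itself treats a missing status or a crashed script is not documented; the example assumes the safe choice, that a missing status, any status other than pass, or a non-zero exit code denies the login, so a broken script fails closed. The sample outputs are constructed (one is what fool.bat prints for "albert", the other what a failed invocation might print).

```python
# Added example (not NTTacPlus code): parses a post-authentication script's
# standard output as the manual specifies it. Assumption not in the manual:
# no status, a status other than "pass", or a non-zero exit code all deny,
# so a script that crashes or prints garbage never lets a login through.


def parse_script_reply(stdout: str, exit_code: int = 0) -> tuple:
    """Return (permitted, reply_msg) for the script output in 'stdout'."""
    statuses = []
    reply_msg = None
    for line in stdout.splitlines():
        if not line or line[0].isspace():
            continue                      # blank or indented line: not a reply
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not parameter=value: ignored
        key = key.strip().lower()
        if key == "status":
            statuses.append(value.strip().lower())
        elif key == "reply-msg" and reply_msg is None:
            reply_msg = value             # first message wins
    # Every status line must say pass, there must be at least one, and the
    # script must have exited cleanly; anything else is a denial.
    permitted = (exit_code == 0 and bool(statuses)
                 and all(s == "pass" for s in statuses))
    return permitted, reply_msg


# Constructed sample outputs.
FOOL_BAT_ALBERT = "reply-msg=Hello, Albert, welcome!\nstatus=pass\n"
BROKEN_SCRIPT = ("'c:\\nttacplus\\external\\fool.bat' is not recognized "
                 "as an internal or external command\n")

if __name__ == "__main__":
    print(parse_script_reply(FOOL_BAT_ALBERT))        # (True, 'Hello, Albert, welcome!')
    print(parse_script_reply(BROKEN_SCRIPT, exit_code=1))  # (False, None)
```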
NOTE: To deliver messages to users successfully, there must be no blank lines at the top of the file. Furthermore, the first three lines of the file must contain the From, To and Subject fields, followed by a blank line. Nine special macros can be included in the text; at delivery time they are replaced by values relevant to the user:

$fullname        User full name
$username        Account username
$email           User e-mail address
$expires         Account expiration date
$effectivefrom   The account activation date
$timeinitial     The initial time credit (in minutes) for the account
$timeleft        The time credit left (in minutes) for the account
$kbytesinitial   The initial traffic credit (in Kbytes) for the account
$kbytesleft      The traffic credit left (in Kbytes) for the account
Both tables have the same field layout:

Field      Type   Primary Key
TAC_ID     TEXT
TAC_ATTR   TEXT
TAC_VAL    TEXT

The TAC_ID field contains the profile username. The TAC_ATTR field contains the parameter name, that is, a string composed of the section name of the equivalent text profile followed by the corresponding parameter name. The TAC_VAL field contains the value of the TAC_ATTR attribute. For a single username (or group name), the user (group) table holds as many records as the account has parameters. NTTacPlus considers an account to exist in the database when there is at least one record whose TAC_ID is that account name.

Text to database conversion example
Suppose you have the following user profile (abelarda.usr):
[Global]
Name=Abelarda grandma
Groups=ISDN
Expires=#120,01-01-2002
EffectiveFrom=15-07-1999
Passwd=sprintgrandma
NAS=212.195.12.121-212.195.12.126
[Credits]
QuotaPeriod=weekly
Quota=3600
QuotaLeft=2500
[RADIUS ReplyList]
Framed-IP-Address=212.195.12.192
In the TAC_USR table the user would be composed of the following 10 records:

TAC_ID     TAC_ATTR                             TAC_VAL
abelarda   [Global]Name                         Abelarda grandma
abelarda   [Global]Groups                       ISDN
abelarda   [Global]Expires                      #120,01-01-2002
abelarda   [Global]EffectiveFrom                15-07-1999
abelarda   [Global]Passwd                       sprintgrandma
abelarda   [Global]NAS                          212.195.12.121-212.195.12.126
abelarda   [Credits]QuotaPeriod                 weekly
abelarda   [Credits]Quota                       3600
abelarda   [Credits]QuotaLeft                   2500
abelarda   [RADIUS ReplyList]Framed-IP-Address  212.195.12.192

Note that TAC_VAL holds Passwd= exactly as written in the text profile, so whoever can read the TAC_USR table can read every credential stored in clear; protect the database file and the ODBC login accordingly.
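The following Python is an added example, not NTTacPlus code and not the Access form shipped with it: it converts a text profile into the (TAC_ID, TAC_ATTR, TAC_VAL) records of the layout described above and back, using the abelarda.usr profile from the manual as input. One assumption the manual does not state: the value is everything after the first "=" on a line, so an entry such as "Exec AV=autocmd=ppp" keeps its inner "=" intact in TAC_VAL.

```python
# Added example (not NTTacPlus code): text profile <-> TAC_USR/TAC_GRP
# records. Assumption not in the manual: a line is split at its first '=',
# the rest (including further '=' signs) being the value.

ABELARDA_USR = """\
[Global]
Name=Abelarda grandma
Groups=ISDN
Expires=#120,01-01-2002
EffectiveFrom=15-07-1999
Passwd=sprintgrandma
NAS=212.195.12.121-212.195.12.126
[Credits]
QuotaPeriod=weekly
Quota=3600
QuotaLeft=2500
[RADIUS ReplyList]
Framed-IP-Address=212.195.12.192
"""


def profile_to_records(account: str, profile_text: str) -> list:
    """Convert a text profile ([Section] headers, Name=Value lines) into
    (TAC_ID, TAC_ATTR, TAC_VAL) tuples; TAC_ATTR is '[Section]Name'."""
    records = []
    section = None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line
            continue
        if section is None:
            raise ValueError(f"parameter outside any section: {line!r}")
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a Name=Value line: {line!r}")
        records.append((account, f"{section}{name.strip()}", value.strip()))
    return records


def records_to_profile(records: list) -> str:
    """Inverse conversion: group the records of one account back into the
    text profile form, sections in first-seen order."""
    sections = {}
    for _account, attr, value in records:
        section, _, name = attr.partition("]")
        sections.setdefault(section + "]", []).append(f"{name}={value}")
    lines = []
    for section, body in sections.items():
        lines.append(section)
        lines.extend(body)
    return "\n".join(lines) + "\n"


def account_exists(records: list, account: str) -> bool:
    """The manual's rule: an account exists when at least one record
    carries its name in TAC_ID."""
    return any(tac_id == account for tac_id, _attr, _value in records)


if __name__ == "__main__":
    for row in profile_to_records("abelarda", ABELARDA_USR):
        print("%-10s %-38s %s" % row)
```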
Setting up an ODBC data source for the user database
In order to use the NTTacPlus user database with a SQL database, you have to configure an ODBC data source referring to that database:
1. Choose ODBC from the Control Panel.
2. Choose the System DSN tab.
3. Click on Add and choose a database driver (for example: MS Access Driver).
4. Choose a name for the data source (e.g. user_db) and optionally a description.
5. Click on Select and indicate the path/name of the database (e.g. c:\NTTacPlus2\odbc\nttacdb.mdb).
6. Click on OK and close all the windows and the Control Panel. The data source is configured.

In order to enable NTTacPlus to query the SQL account database, check the Enable ODBC user database checkbox and configure the right values in the Datasource, Username and Password fields, according to what you set in the ODBC administrator control panel. Use a database login dedicated to NTTacPlus, with the minimum rights it needs on the TAC_USR and TAC_GRP tables, since that login gives access to every account's password. The Serialize SQL Queries option makes all queries (both reads and write statements) on the user database execute in a queue (sequentially); this option is required with some ODBC drivers that don't support concurrent queries (for example the MS SQL Server ODBC driver). If you plan to use MS Access you don't need to enable this option.
WARNING: The moment you enable the ODBC User Database, NTTacPlus immediately uses the accounts from the database and ignores the text profiles! Pay attention before confirming the change: if the administrative account you are logged in to the console with is not configured in the database, you will no longer be able to access NTTacPlus from the Remote Console.

Exporting/Importing text accounts from/to a database
The NTTacPlus package includes a sample MS Access 97 user database: the file is named NTTACDB.MDB. This database already contains the two tables required by NTTacPlus (TAC_GRP and TAC_USR) and is ready to be used. If you have MS Access 97 installed on your computer you can open the database: you'll see a form that allows you to import user and group profiles into the database or export them to text files. If you plan to use different databases you have to create your own conversion routines.

The user database as an Open Standard
An important feature of the NTTacPlus user database is its openness towards other applications. You can in fact create your own routines, queries and procedures to modify, create and delete user profiles without using the NTTacPlus Remote Console. Any modification to the database records is effective as soon as the updating transaction ends. You can also add attributes of your own to the user and group tables: NTTacPlus ignores any unrecognized attribute, keeping it unaltered even in the backup database and even when the profiles are stored in ASCII text files.
Creating a new user (group)
1. Select Users (Groups) in the Display options box.
2. Press the New user (New group) button.
3. Type the username for the new account in the User/Group name text box.
4. When you move to the next dialog item you'll see the bitmap appear.
5. Configure the user parameters in the various sections.
6. When you have finished, press Update to commit the changes.

Creating (duplicating) a new user (group) starting from an existing one
1. Select an existing username in the list box or type it in the text box.
2. Move to another dialog item.
3. Move back to the User/Group name and type the new username.
4. Modify the desired parameters.
5. When you have finished, press Update to commit the changes.

Deleting an existing user (group)
1. Select an existing user (group) from the drop-down list box.
2. Press the Delete button and confirm the operation.

Modifying an existing user (group)
1. Select an existing user (group) from the drop-down list box.
2. When you move to the next dialog item, NTTacPlus loads the user profile attributes.
3. When you modify parameters of that user profile you'll see a little blue bullet telling you that the user profile has been modified but not saved yet.
4. When you have finished editing the profile, press the Update button to commit the changes or Revert to restore the original values.
Parameter               Description
Full Name               equal to [Global] / Name=
Account disabled        equal to [Global] / MaxLogins=0
E-Mail                  equal to [Global] / EMail=
Expiration date         equal to [Global] / Expires=
Activation date         equal to [Global] / EffectiveFrom=
Max concurrent logins   equal to [Global] / MaxLogins=
Privilege level         equal to [Global] / Privilege=
Allowed NASes           equal to [Global] / NAS=
Allowed Port            equal to [Global] / Port=
Caller/Called ID        equal to [Global] / CallerID=
Comment                 equal to [Global] / Comment=

Parameter                 Description
Regular Password          equal to [Global] /
No Password               equal to [Global] /
Blank Password            equal to [Global] /
NT Proxy Password         equal to [Global] /
TACACS+ Proxy Password    equal to [Global] /
DES Encrypted Password    equal to [Global] /
UNIX password file        equal to [Global] /
Section                      Parameter                 Description
Failed login attempts        Send e-mail               equal to [Suspicious] / OnFailedEmail=
Failed login attempts        Disable the account       equal to [Suspicious] / OnFailedDisable=
Concurrent logins exceeded   Send e-mail               equal to [Suspicious] / OnMultipleAccessEmail=
Concurrent logins exceeded   Disable the account       equal to [Suspicious] / OnMultipleAccessDisable=
Concurrent logins exceeded   Terminate sessions        equal to [Suspicious] / OnMultipleAccessKill=
                             Send a copy of...         equal to [Suspicious] / EmailNotifyToUser=
                             Authenticate even if...   equal to [Suspicious] / OnExpiredAuthenticate=

Parameter                          Description
Send msg when expiring (date)      equal to [Suspicious] / OnExpiringEMail=
Email msg file (date)              equal to [Global] / ExpiringEMailMsg=
Send msg when expiring (time)      equal to [Suspicious] / OnTimeLowEMail=
Email msg file (time)              equal to [Global] / TimeLowEMailMsg=
Send msg when expiring (traffic)   equal to [Suspicious] / OnTrafficLowEMail=
Email msg file (traffic)           equal to [Global] / TrafficLowEMailMsg=
Group membership section settings
This section allows you to set the group membership of the profile. It is equivalent to the [Global] / Groups= setting.

The Up and Down buttons allow you to change the order of the groups: NTTacPlus collects the parameters by parsing the groups in their order, so the order is very important! The Post authentication script parameter is equivalent to the [Global] / AuthenScript= setting.
Parameter     Description
Login Hours   equal to [Global] /
Week plan     equal to [Global] /
Mon           equal to [WeekPlan]
Tue           equal to [WeekPlan]
Wed           equal to [WeekPlan]
Thu           equal to [WeekPlan]
Fri           equal to [WeekPlan]
Sat           equal to [WeekPlan]
Sun           equal to [WeekPlan]
NOTE: If you configure a week plan and leave a particular day of the week blank, and nothing is set for that day at group level either, NTTacPlus will deny access for that day. To grant access for a whole day without restrictions you have to specify a 24 hour interval explicitly.
Parameter                          Description
Max connection time                equal to [Global] / MaxConnectionTime=
Initial Time                       equal to [Credits] / TimeInitial=
Time Left                          equal to [Credits] / TimeLeft=
Assign a time quota                equal to [Credits] / QuotaPeriod=
Quota                              equal to [Credits] / Quota=
Reset quota left                   it deletes the parameter [Credits] / Quota=, resetting the quota
Kill when exceeding time credit    equal to [Credits] / OnTimeExceededKill=1
Kill when time quota is over       equal to [Credits] / OnQuotaExceededKill=1
Allow extra-credit time            equal to [Credits] / OnExtraTimeCharge=1
Initial KBytes                     equal to [Credits] / KBytesInitial=
KBytes Left                        equal to [Credits] / KBytesLeft=
Allow extra-credit Kbytes          equal to [Credits] / OnExtraKBytesCharge=1
Parameter                                      Description
Permit commands not explicitly configured      equal to [Authorization] / DefaultCommand=
Permit services not explicitly configured      equal to [Authorization] / DefaultService=
Do not append all group configured commands    equal to [Authorization] / NoAppendTacCmd=

The permissions and configured-command section corresponds to the [cmd <cmd_name>] sections of the profile. To add a shell command authorization, type the command in the left text box (for example: telnet) and press the Add button on the left. Then select the command you have just added in the command list, type in the right text box the arguments you want to configure, choose permit or deny, and press the Add button on the right.
The settings of this section correspond, in the profile, to the [Services] section if you enabled the Ordinary authorization option; they correspond to the [Services Expired] section if you enabled the Expired Authorization option instead. Each entry in the Configured Services list corresponds to a line of the form:

<svc_name>-<protocol>=permit|deny

To add a list of A/V pairs to a configured service, select the service in the list on the left, then type each A/V pair in the right text box and press the Add button. A pair can have either of the following formats:

attribute=value
attribute*value

The Do not append all group services option corresponds to the [Authorization] / NoAppendTacSvc= parameter.
The settings of this section correspond, in the profile, to the [Radius CheckList] section if you enabled the Ordinary authorization option; they correspond to the [Radius Expired CheckList] section if you enabled the Expired Authorization option instead. The list of attributes to be verified (added by selecting the attributes from the left textbox) appears as the profile section body with the following format:

attribute=value

The A/V pairs dropdown list depends on the RADIUS attributes loaded from the RADDICT.DAT dictionary file. The Do not append all group attribute check list option corresponds to the [RADIUS] / NoAppendRadChk= parameter.
The settings of this section correspond, in the profile, to the [Radius ReplyList] section if you enabled the Ordinary authorization option; they correspond to the [Radius Expired ReplyList] section if you enabled the Expired Authorization option instead. The list of attributes to be returned to the NAS after authentication (added by selecting the attributes from the left textbox) appears as the profile section body with the following format:

attribute=value

The A/V pairs dropdown list depends on the RADIUS attributes loaded from the RADDICT.DAT dictionary file. The Do not append all group attribute reply list option corresponds to the [RADIUS] / NoAppendRadRep= parameter.
Description
Date/time of message reception (format dd-mm-yyyy hh:mm:ss)
Message type ("START", "STOP", or "UPDATE")
NAS name or address from which the message comes
Port name on which the user is connected
Caller ID of the user, if any (for example his telephone number)
Semicolon-delimited list of extra arguments sent by the NAS
Unique number identifying the task (common to each START/STOP pair)
Duration of the session in seconds
Total bytes sent by the user
Total bytes received by the user
Total packets sent by the user
Total packets received by the user
Total bytes exchanged by the user (if applicable)
Total packets exchanged by the user (if applicable)
The ExtraTime, TimeLeft, ExtraKB and KBytesLeft fields are normally zero for sessions that do not have a traffic or time limit (credit), while they are meaningful for credit-based accounts. The exact duration of a session (not rounded off) can be calculated as the difference between the start and stop times.
Example

If the ermenegildo user has bought a subscription for 200 total minutes, he can have several sessions, each of which consumes part of his credit. Let us suppose that the average length of his sessions is 10-20 minutes. In this case, the accounting data will include a record for each of ermenegildo's sessions, for example:

Session   SessionTime   ExtraTime   TimeLeft
1         20            0           180
2         10            0           170
3         25            0           145
...
23        30            0           20

After 23 sessions, ermenegildo has a credit of 20 minutes left. If the OnExtraTimeCharge=1 parameter was not set in his profile, the user will be able to connect for the remaining 20 minutes, after which subsequent connection attempts will be denied.
If on the contrary the OnExtraTimeCharge=1 parameter was set, ermenegildo will be able to connect even after having exhausted the 20 minutes credit, but the extra consumption will be recorded in the ExtraTime field instead of the SessionTime field. Let us suppose that, when he reaches the 20 minutes credit left situation, he connects for 30 minutes (thus using 10 extra minutes), and then connects again for 40 minutes. The sessions will be tracked in the accounting records in the following way:

Session   SessionTime   ExtraTime   TimeLeft
24        20            10          0
25        0             40          0

This means that, summing all the SessionTime values of an account since the user started to consume the credit, you obtain the initial credit (in this example 300), while to get the extra time consumption you just sum all the ExtraTime values (10 + 40 = 50 minutes). The same approach is used for traffic consumption in Kbytes. An ISP can therefore sell a subscription for 300 hours of connection in total, allowing access even when the credit is exhausted but applying a defined hourly charge for each hour of connection beyond the initial credit. The provider determines the total length of the extra connections by summing the ExtraTime field, and can invoice the customer for the extra consumption.
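Added example (not NTTacPlus code): a small Python model of the credit charging described above, producing the SessionTime / ExtraTime / TimeLeft values per session with and without OnExtraTimeCharge=1. It also applies the Session time rounding offset described later in this guide; the class, method and field names are assumptions.

```python
"""Time-credit charging as recorded in NTTacPlus accounting data.

Added illustration, not NTTacPlus code. It models how a credit-based account
is charged per session, producing the SessionTime / ExtraTime / TimeLeft
values of the example above, and applies the "Session time rounding offset"
(a 7 min 32 s session with a 5 minute offset counts as 10 minutes).
Class, method and field names are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass
class SessionRecord:
    session: int
    session_time: int  # minutes charged against the credit
    extra_time: int    # minutes beyond the credit (only with extra charge)
    time_left: int     # credit remaining after this session


def round_up_minutes(duration_seconds: int, round_minutes: int) -> int:
    """Round a raw session duration up to the next multiple of round_minutes.
    With round_minutes == 0 the duration is charged to the whole minute."""
    minutes = duration_seconds / 60
    if round_minutes <= 0:
        return math.ceil(minutes)
    return math.ceil(minutes / round_minutes) * round_minutes


class TimeCreditAccount:
    """One user's time credit (TimeInitial / TimeLeft, in minutes)."""

    def __init__(self, initial_minutes: int, extra_charge: bool = False,
                 round_minutes: int = 0):
        self.time_left = initial_minutes
        self.extra_charge = extra_charge  # plays the role of OnExtraTimeCharge=1
        self.round_minutes = round_minutes
        self.records = []

    def may_connect(self) -> bool:
        # With the credit exhausted, access is granted only if extra time is allowed
        return self.time_left > 0 or self.extra_charge

    def charge(self, duration_seconds: int) -> SessionRecord:
        """Account for one session and return its accounting record."""
        if not self.may_connect():
            raise PermissionError("credit exhausted and extra time not allowed")
        minutes = round_up_minutes(duration_seconds, self.round_minutes)
        charged = min(minutes, self.time_left)
        # Without extra charge the session is assumed to be cut when the credit
        # runs out (the "Kill when exceeding time credit" behaviour), so nothing
        # is recorded as extra time.
        extra = minutes - charged if self.extra_charge else 0
        self.time_left -= charged
        record = SessionRecord(len(self.records) + 1, charged, extra, self.time_left)
        self.records.append(record)
        return record

    def totals(self):
        """(sum of SessionTime, sum of ExtraTime): the first equals the initial
        credit once it is fully consumed, the second is the billable extra time."""
        return (sum(r.session_time for r in self.records),
                sum(r.extra_time for r in self.records))
```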
The same data presented in the currently logged in user monitor window may be stored in real time in a SQL database through the use of an ODBC datasource. The database must be configured to contain a table in a format similar to the one given in the sample database (stat.mdb), which is a MS Access 97 file. Table fields are given in the following order:

Field       Type
UserID      TEXT (Primary Key)
NAS         TEXT
Port        TEXT
Username    TEXT
CallerID    TEXT
Address     TEXT
LoginTime   DATE/TIME
At the beginning or the end of each session, the corresponding record is added to or removed from the table, in step with what is shown on screen. It is therefore possible, for example with an ODBC HTTP gateway, to publish a connected user list on a web page.
Activating ASCII global accounting and per-user accounting

Section      Parameter                        Value
Accounting   Accounting directory             path where NTTacPlus creates ASCII accounting log files
Accounting   Enable accounting text output    It enables daily accounting ASCII files creation (*.acc)
Accounting   Per-user accounting logging      It enables per user accounting ASCII files creation, recording all accounting messages received from the NAS (*.log)
Accounting   Log unknown user accounting      It records in the file _unknown_.log all accounting data relevant to unknown users

The Log unknown user accounting option enables NTTacPlus to create, in the accounting directory, a file named _unknown_.log in which the server collects all accounting data coming from the NAS and relevant to users not configured in the NTTacPlus user database (for example, users presenting themselves to the NAS with a blank username). If this option is disabled, NTTacPlus simply ignores those records.
Sending unknown user accounting to the active users log window

Section      Parameter                              Value
Accounting   Send unknown users to active window    It sends unknown users (not configured in the NTTacPlus user database) to the active users window (logging their sessions)
The Send unknown users to active window option tells NTTacPlus to process accounting START/STOP records for unknown users by adding them to the active users window and by creating the corresponding accounting session record (either in the .ACC file or in the ODBC datasource) at the end of the unknown user session. This option can be useful when the network administrator configures a single default profile.
Running a customized post-accounting script

Section      Parameter                                            Value
Accounting   Run the following post accounting external script    It enables the execution of an external script when an accounting message is received from the NAS
You can configure NTTacPlus to execute a script or an external application when an accounting message is received from the NAS. This feature can extend the accounting capabilities with fully customized procedures. NOTE: This setting operates at a global level and not on a per-user basis, as happens for the post-authentication scripts. From the command line you can issue commands or scripts to which you can pass the following macros as command line parameters:

Macro       Value
$user       Username
$nas        NAS IP address or name
$port       Port/Interface
$clid       Caller ID
$addr       Network Address
$priv       Privilege level
$type       Accounting record type (START, STOP or UPDATE)
$taskid     Session ID
$elapsed    Elapsed time (in seconds), calculated by the NAS and not by NTTacPlus
$bytesin    Input Bytes
$bytesout   Output Bytes
$paksin     Input packets
$paksout    Output packets
Post-accounting (useless) script example Command line configured in the Options window:
cmd.exe /c c:\nttacplus2\external\foolacct.bat $user $type
Time and traffic consumption rounding

Section      Parameter                          Value
Accounting   Session time rounding offset       Round off value (in minutes) applied to the accounting session time for every session (it defines the minimum time packet for a session)
Accounting   Session traffic rounding offset    Round off value (in Kbytes) applied to the accounting session traffic for every session (it defines the minimum traffic packet for a session)

The time rounding offset sets the minimum unit (in minutes) used to round the connection time of a single session. For example, if you set that value to 5 minutes, all connection times are charged in steps of five minutes, so a session of 7 minutes and 32 seconds will be rounded up to 10 minutes. This option is useful to set a minimum time packet the user will consume anyway, and it applies especially to time credit accounts. The same procedure applies to traffic (the sum of In Kbytes and Out Kbytes), where you can set the minimum Kbytes consumption in the Traffic rounding offset field.
Setting up time and traffic warning thresholds

NTTacPlus can send customizable email messages to warn the user that his account is expiring (either by date or by time/traffic credit). You can set the warning threshold that triggers the email notification delivery.

Section      Parameter                     Value
Accounting   Date expiration warning       It sets the warning period (days) before the warning message is sent
Accounting   Time expiration warning       It sets the warning threshold (minutes) before the warning message is sent
Accounting   Traffic expiration warning    It sets the warning threshold (Kbytes) before the warning message is sent
To get the most out of ODBC accounting (recording of duration and traffic of the sessions) you can use the sample MS Access 97 database supplied with the package (stat.mdb). It is necessary to configure an ODBC datasource referring to that database:
1. Choose ODBC from the Control Panel.
2. Choose the System DSN tab.
3. Click on Add and choose MS Access database as the driver.
4. Choose a name for the datasource (ex. accesses) and optionally a description.
5. Click on Select and indicate the path/name of stat.mdb (ex. c:\NTTacPlus2\ODBC\stat.mdb).
6. Click on OK, close all the windows and the control panel. The datasource is configured.
To enable ODBC accounting output in NTTacPlus, check the Enable ODBC accounting output checkbox and make sure to insert the right values in the datasource name, username and password fields. In the Accounting table name field insert the name of the table that will receive the accounting information. If you also want to update the active session table, turn on the Log Active users on table checkbox and specify the name of the active session table. In the distribution package you'll find the stat.mdb file: it contains the accounting and active session tables, called respectively Accounting and ActiveUsers. The last option (Automatic reconnect on connection failure) lets NTTacPlus attempt to reconnect to the datasource when the connection with the ODBC driver drops. This option is useful, for example, when you are using remote SQL databases (like Oracle or SQL Server) that need a TCP/IP connection between the ODBC driver and the host running the database server.
Retrieving the sessions of a user given a date interval

Sessions for the ermenegildo user between 01-jan-99 and 10-jan-99:

SELECT * FROM Accounting WHERE (Start BETWEEN #1/1/99# AND #1/10/99#) AND (Username = 'ermenegildo') ORDER BY Start

Counting the sessions of a user given a date interval

Number of sessions for the ermenegildo user between 01-jan-99 and 10-jan-99:

SELECT COUNT(Username) AS SessionNumber FROM Accounting WHERE (Start BETWEEN #1/1/99# AND #1/10/99#) AND (Username = 'ermenegildo')

Retrieving the total for extra traffic and time of a user given a date interval

Extra traffic and time for the ermenegildo user between 01-feb-99 and today:

SELECT Sum(ExtraTime) AS TotalTime, Sum(ExtraKB) AS TotalKB FROM Accounting WHERE (Username = 'ermenegildo') AND (Start >= #2/1/99#)

Who was connected at midnight on New Millennium Eve (1999-2000)? No additional comment (!):

SELECT * FROM Accounting WHERE (Start < #1/1/00#) AND (Stop > #1/1/00#) ORDER BY Start
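Added example, not part of the NTTacPlus package: the four queries above run against an in-memory SQLite copy of the Accounting table filled with constructed rows. Column names follow the queries; SQLite datetime strings and bound parameters replace the Access #m/d/yy# literals and the unquoted username, and the helper names are assumptions.

```python
"""The Accounting queries above, run against an in-memory SQLite copy of the
Accounting table. Added example, not part of the NTTacPlus package: the rows
are constructed, SQLite datetime strings replace Access #m/d/yy# literals and
bound parameters replace the unquoted username. Helper names are assumptions.
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows: Username, Start, Stop, SessionTime, ExtraTime, ExtraKB
ROWS = [
    ("ermenegildo", "1999-01-02 10:00:00", "1999-01-02 10:20:00", 20, 0, 0),
    ("ermenegildo", "1999-01-05 08:00:00", "1999-01-05 08:10:00", 10, 0, 0),
    ("ermenegildo", "1999-02-03 21:00:00", "1999-02-03 21:30:00", 20, 10, 512),
    ("ermenegildo", "1999-02-10 19:00:00", "1999-02-10 19:40:00", 0, 40, 1024),
    ("ermenegildo", "1999-12-31 23:30:00", "2000-01-01 00:15:00", 0, 45, 0),
    ("alice", "1999-01-07 12:00:00", "1999-01-07 12:05:00", 5, 0, 0),
    ("alice", "1999-12-31 23:59:30", "2000-01-01 00:01:00", 2, 0, 0),
    ("bob", "1999-12-31 22:00:00", "1999-12-31 23:59:59", 120, 0, 0),
]


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Accounting (Username TEXT, Start TEXT, Stop TEXT, "
        "SessionTime INTEGER, ExtraTime INTEGER, ExtraKB INTEGER)"
    )
    db.executemany("INSERT INTO Accounting VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return db


def _day_after(day: str) -> str:
    return (datetime.strptime(day, "%Y-%m-%d") + timedelta(days=1)).strftime("%Y-%m-%d")


def sessions_between(db, user, first_day, last_day):
    """Sessions of `user` started on first_day..last_day (both inclusive).
    A bare BETWEEN #1/1/99# AND #1/10/99# ends at 00:00 on the last day and
    drops that day's sessions, so an exclusive bound on the next day is used."""
    return db.execute(
        "SELECT Username, Start, Stop, SessionTime, ExtraTime, ExtraKB "
        "FROM Accounting WHERE Start >= ? AND Start < ? AND Username = ? "
        "ORDER BY Start",
        (first_day, _day_after(last_day), user),
    ).fetchall()


def count_sessions(db, user, first_day, last_day) -> int:
    # Row filters belong in WHERE; HAVING only filters groups after GROUP BY.
    return db.execute(
        "SELECT COUNT(Username) FROM Accounting "
        "WHERE Start >= ? AND Start < ? AND Username = ?",
        (first_day, _day_after(last_day), user),
    ).fetchone()[0]


def extra_totals(db, user, since_day):
    """Billable extra time (minutes) and extra traffic (KB) since a date."""
    row = db.execute(
        "SELECT COALESCE(SUM(ExtraTime), 0), COALESCE(SUM(ExtraKB), 0) "
        "FROM Accounting WHERE Username = ? AND Start >= ?",
        (user, since_day),
    ).fetchone()
    return (row[0], row[1])


def connected_at(db, moment):
    """Users with a session spanning `moment`: started before it and stopped
    after it. Comparing Start against 11:59 PM rather than the instant itself
    would miss a session that began in the last minute before midnight."""
    rows = db.execute(
        "SELECT DISTINCT Username FROM Accounting "
        "WHERE Start < ? AND Stop > ? ORDER BY Username",
        (moment, moment),
    ).fetchall()
    return [r[0] for r in rows]
```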
Parameter           In the Option window equals to (section / value)     Restart required?
LogPath             Logging / Log file directory                         yes
UserPath            General / User file directory                        yes
GroupPath           General / Group file directory                       yes
AcctPath            Accounting / Accounting directory                    yes
PreAuthMsgFile      General / Pre-authentication message file            no
PostAuthMsgFile     General / Post-authentication message file           no
UsernamePrompt      TACACS+ / Username prompt                            no
PasswordPrompt      TACACS+ / Password prompt                            no
EnablePrompt        TACACS+ / Enable prompt                              no
Email               General / Notification E-Mail Address                yes
SMTP                General / SMTP Server                                yes
Key                 Secrets / Default secret key                         yes
MaxLoginAttempts    General / Max login attempts                         yes
TimeRoundUp         Accounting / Session time rounding offset            yes
KbytesRoundUp       Accounting / Session traffic rounding offset         yes
Debug               (see specific table further on)                      yes
TacacsPort          TACACS+ / TACACS+ TCP Port                           yes
WarningPeriod       Accounting / Date expiration warning period          yes
FirstDayOfWeek      General / First day of week                          yes
SourceEMail         General / Server source e-mail                       yes
WarningTime         Accounting / Time expiration warning period          yes
WarningKBytes       Accounting / Traffic expiration warning period       yes
UserCheckInterval   General / Periodic check interval                    yes
RADIUSAuthPort      RADIUS / RADIUS Authentication port                  yes
RADIUSAcctPort      RADIUS / RADIUS Accounting port                      yes
Flags               (see specific table further on)                      yes
AccountingScript    Accounting / post accounting script                  no
LSCfgChkPt          used internally                                      -
[Registration]
Name                Registration / Registration name                     yes
Key1                Registration / Registration key 1                    yes
Key2                Registration / Registration key 2                    yes
[ODBC]
Datasource          Accounting / ODBC Datasource name                    yes
AccountingTable     Accounting / Accounting table name                   yes
LoginUser           Accounting / Login Username                          yes
LoginPasswd         Accounting / Login Password                          yes
OnlineTable         Accounting / online users table                      yes
UserDBDatasource    General / User database / using this datasource      yes
UserDBLoginUser     General / DB Username                                yes
UserDBLoginPasswd   General / DB Password                                yes
[Messages]
AccountDisabled     Messages / Account disabled                          no
TooManyLogins       Messages / Too many logins                           no
InvalidLoginTime    Messages / Invalid login time                        no
LoginTimeUp         Messages / Login time-up                             no
LoginKBytesUp       Messages / Login Kbytes-up                           no
BadLoginPassword    Messages / Bad login user/pwd                        no
BadLoginPort        Messages / Bad login NAS port                        no
BadLoginNAS         Messages / Bad login NAS                             no
AccountExpiring     Messages / Account expiring                          no
AccountExpired      Messages / Account expired                           no
QuotaTimeUp         Messages / Quota time-up                             no
AccountNotEffective Messages / Account not effective                     no
[Backup]
PrimaryTacascPort   Backup / Primary server port                         yes
BackupInterval      Backup / Backup interval                             yes
PrimaryTacacsServer Backup / Primary server name or address              yes
TacUser             Backup / Primary login username                      yes
TacPass             Backup / Primary login password                      yes
[RSH]
Username            Synch / Username for RSHELL                          no
AccountingCommand   Synch / Command to issue with RSHELL                 no
[Resynch]
NASResynchList      Synch / List of NAS to query                         no
NASResynchPorts     Synch / List of valid interfaces                     no
[Holiday]
(dd-mm list)        Holiday calendar as in the Holiday section           no
[Kill]
(interface list)    Interfaces/commands list as in the Kill section      no
[Keys]
(nas list)          IP addresses/secret keys list as in the Secrets section   no
Flags values

Configuration window equivalent option                                   Value (hexadecimal)
General / Resolve names (DNS)                                            0x00000001
Secrets / Always encrypt                                                 0x00000002
Accounting / Enable accounting text output                               0x00000004
Accounting / Enable ODBC accounting                                      0x00000008
TACACS+ / Ignore multiple STOP records                                   0x00000010
Backup / Remove local accounts before backup                             0x00000020
Backup / Enable this server for backup                                   0x00000040
General / Use username for maxlogins check                               0x00000080
General / Email admin on unknown users                                   0x00000100
General / Enable <default> user                                          0x00000200
General / Create user profile from <default>                             0x00000400
Accounting / Log active users on table <nn>                              0x00000800
Accounting / Per-user accounting logging                                 0x00001000
Logging / Enable logging to file                                         0x00002000
Accounting / Automatic reconnect on connection failure                   0x00004000
(value used internally)                                                  0x00008000
Accounting / Log unknown user accounting                                 0x00010000
Accounting / Send unknown users to the active window                     0x00020000
Backup / Forward accounting to primary server                            0x00040000
Secrets / Restrict NAS to configured IP addresses only                   0x00080000
Synch / Perform synchronization during active users check                0x00100000
Logging / Enable logging to screen                                       0x00200000
Synch / Perform synchronization on maxlogins collision detected          0x00400000
General / Enable ODBC user database                                      0x00800000
Accounting / Run the post accounting script                              0x01000000
General / Serialize SQL queries                                          0x02000000
RADIUS / Use Session-Timeout for disconnection                           0x04000000
Debug values

Logging configuration window equivalent option    Value (hexadecimal)
Extended session                                  0x00000002
Session thread execution                          0x00000004
Authorization session                             0x00000008
Authentication session                            0x00000010
Accounting session                                0x00000020
Password checking                                 0x00000040
Backup events                                     0x00000080
Packet dumping                                    0x00000100
Port cleaning commands                            0x00001000
User account charging                             0x00002000
SMTP connections                                  0x00004000
Max logins check                                  0x00008000
timeout
idletime
autocmd
noescape
nohangup
priv-lvl
remote_user
remote_host
callback-dialstring
callback-line
callback-rotary
nocallback-verify
For all Boolean attributes, valid values are "true" or "false". A value of NULL means an attribute with a zero length string for its value. A more in-depth description of the supported attributes may be found online on the Cisco CCO site at the URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt6/index.htm
Important! The purchase of a copy of the product grants the right to the license for the use of two copies that can be installed on two different machines (enabling the activation of a primary and a backup server). Upon receiving your order, Master Soft will send you two activation keys valid for two hosts.
License Agreement
Master Soft S.n.c. licenses the enclosed software NTTacPlus (the "Software") to you only upon the condition that you accept all of the terms contained in this license agreement before installing the Software. Please read carefully the terms and conditions of this agreement. By installing, copying or otherwise using this Software you agree to be bound by the conditions of this agreement. If you do not agree with these terms, you should not install or use this Software, and you should destroy all the copies of this Software you have.

License

This Software is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The Software that accompanies this license is the property of Master Soft S.n.c. and is licensed, not sold. While Master Soft S.n.c. continues to own the Software, you will have certain rights to use the Software after your acceptance of this license. This license agreement gives you the rights to: install and use two (2) copies of the Software on two different machines (a copy for the primary server and a copy for a backup server); create a copy of the Software for archival purposes only. You cannot copy the documentation that accompanies the Software, rent or lease any portion of the Software, decompile, disassemble, reverse engineer, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

Warranty disclaimer

To the maximum extent permitted by applicable law, with regard to the Software Master Soft S.n.c. disclaims any warranty or condition, either express or implied, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose. In no event shall Master Soft S.n.c. be liable for any special, incidental, indirect or consequential damages (including damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use or inability to use the Software, even if Master Soft S.n.c. has been advised of the possibility of such damages.

Termination

Master Soft S.n.c. may terminate the right to use the Software if you fail to comply with the terms and conditions of this agreement. You may terminate this license at any time by destroying or erasing your copy of the Software. Upon the termination of this license, you must discontinue all use of the Software and you must remove the Software from your system. Master Soft S.n.c. reserves the right at any time and without any notice to you, to alter prices, features, specifications, capabilities, functions, licensing terms, availability, documentation or any other characteristics of this Software.
How to contact us
For suggestions, support, problem reporting, commercial information, purchase information or other, the Master Soft support staff can be contacted at the following address:

Master Soft S.n.c.
Piazzale Lombardia, 4
28100 NOVARA (ITALY)
Phone +39 0321 466 889
Fax +39 0321 465 939

The Master Soft Support Staff may be contacted by e-mail at the following addresses:

Marketing Team: software@msoft.it
Technical Support Team: support@msoft.it
Master Soft Staff: staff@msoft.it

News, prices, information and updates of NTTacPlus and other software products are available on line at the following web addresses:

MSoft Software Site: http://software.msoft.it/
MSoft Beta Software Site: http://beta.software.msoft.it/
NTTacPlus Site: http://www.nttacplus.com/
NTMonitor Site: http://www.ntmonitor.com/
NTBatch Site: http://www.ntbatch.com/