NTTacPlus® Server

RADIUS/TACACS+ Access Control Server for Windows

Installation and User Guide

Release 2.0

NTTacPlus Server for Windows 2.0

A complete package for access control and accounting data management.

Especially designed for Internet Service Providers.

Available for Windows NT 4.0, Windows 95/98 and Windows 2000.

Y2K Ready.

INFORMATION IN THIS DOCUMENT MAY BE SUBJECT TO CHANGE WITHOUT NOTICE.

IT IS ALSO POSSIBLE THAT THIS DOCUMENT COULD INCLUDE TYPOGRAPHICAL ERRORS OR TECHNICAL INACCURACIES.

MASTER SOFT S.N.C. PROVIDES THIS DOCUMENT AND THE RELATED SOFTWARE NTTACPLUS “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

NO PART OF THIS DOCUMENT MAY BE REPRODUCED, TRANSMITTED, STORED IN A RETRIEVAL SYSTEM, NOR TRANSLATED INTO ANY LANGUAGE, IN ANY FORM OR BY ANY MEANS, ELECTRONIC, MECHANICAL, MAGNETIC, OPTICAL, CHEMICAL, MANUAL, OR OTHERWISE, WITHOUT THE EXPRESS WRITTEN PERMISSION FROM MASTER SOFT S.N.C.

Copyright © 1998-2000 MASTER SOFT S.N.C. - Novara (Italy) - All rights reserved.

NTTacPlus and MSoft are registered trademarks of Master Soft S.n.c.

All the references to other companies and product names are trademarks or registered trademarks of their respective holders.

Installation and User Guide.

Rel. 2.0.230 - 12/03/2007

Master Soft S.n.c. - NTTacPlus Access Control Server - rel. 2.0

NTTacPlus – Installation and User Guide - page 1/92

Summary

Introducing NTTacPlus...... 3

What is NTTacPlus...... 3

NTTacPlus Main Features...... 4

What’s new in NTTacPlus 2.0...... 7

Introducing NTTacPlus 2.0...... 7

Differences with release 1.x...... 7

How to upgrade NTTacPlus 1.x...... 10

NTTacPlus Installation...... 11

System requirements...... 11

Contents of the installation package...... 11

NTTacPlus setup...... 11

Uninstalling NTTacPlus...... 12

Running NTTacPlus as a stand-alone application...... 12

Running NTTacPlus as a Windows NT service...... 12

Running NTTacPlus in unregistered mode...... 13

NTTacPlus Configuration...... 14

First execution of NTTacPlus...... 14

First login on NTTacPlus...... 15

NTTacPlus Console Elements...... 15

Configuration parameters summary...... 18

NAS Configuration for use with NTTacPlus...... 23

RADIUS/TACACS+ specific parameter configuration...... 27

Configuring NTTacPlus and the NAS for forced disconnection...... 29

General settings...... 32

Configuration of the activity event log...... 36

Resynchronization with Cisco NASes...... 38

Configuring backup on a NTTacPlus server...... 40

Configuration of login messages...... 41

RADIUS & TACACS+...... 42

The AAA Model...... 42

Authentication...... 42

Authorization...... 42

Accounting...... 43

NTTacPlus AAA Model Implementation...... 43

The authentication process in NTTacPlus...... 43

The authorization process in NTTacPlus...... 44

The accounting process in NTTacPlus...... 45

Comparison between some RADIUS attributes and their TACACS+ equivalent...... 46

The RADIUS attributes and the dictionary...... 46

Account Management...... 48

The User Account Database...... 48

Hierarchical structure of the database...... 48

User (group) profile parameters...... 49

Using wildcards in expressions...... 59

Some user and group profile examples...... 60

Special settings...... 63

The post-authentication scripts...... 64

Expiring account warning e-mail messages format...... 65

Account profiles in ODBC SQL format...... 66

Managing accounts with the Profile Manager...... 68

Some remarks about Profile Manager settings...... 69

The accounting data...... 77

Accounting data generated by NTTacPlus...... 77

Per-user accounting files...... 77

Global accounting files...... 78

Accounting data on ODBC SQL databases...... 79

SQL Active users output...... 79

Configuring Accounting in NTTacPlus...... 80

Configuring the accounting output on ODBC...... 82

Configuring NTTacPlus manually...... 85

Configuration file structure...... 85

Flags and Debug special parameters...... 87

Technical support and Product Registration...... 90

Documentation to enclose with communications...... 90

How to register the product...... 90

License Agreement...... 91

How to contact us...... 92

Introducing NTTacPlus

What is NTTacPlus

NTTacPlus is a centralized server application for controlling and managing remote access to a network through the standard protocols TACACS+ (developed by Cisco) and RADIUS (developed by Livingston, now an IETF standard). It implements the AAA model (Authentication, Authorization, Accounting):

  • Authentication. Identifying who the user is (validation of the username/password pair).
  • Authorization. Determining what the user may do (assignment of network resources and session parameters).
  • Accounting. Recording how the user used the system (session start and stop, duration, traffic).

Centralized Access Management

NTTacPlus can run either as a stand-alone program or as a Windows NT service.

NTTacPlus is built on a user database that can be implemented in two ways: as a set of simple text files, one file per user (and one per group), or as an ODBC SQL database (such as Microsoft Access or SQL Server) holding two tables, one for user accounts and one for group profiles. User profiles contain the account parameters (password, expiration date, login hours, credits, etc.).

A Network Access Server (NAS), also called a communication server, remote access server or terminal server, is a device that accepts remote connections, usually phone calls over analogue or ISDN lines terminated by modems or ISDN terminal adapters. The NAS connects dial-in users to the internal network (intranet), typically a Local Area Network (LAN), or to the Internet as a whole.

NTTacPlus accepts authentication and authorization queries from the NAS (for example 3Com Total Control, Ascend Max, Livingston PortMaster, Cisco AS5200), examines the user profile and applies the restrictions configured for that user.

NTTacPlus also receives the accounting data sent by the NAS and records it in text files or in an ODBC data source. The data is then available for statistical processing of accesses, for detailed billing reports, and so on.

NTTacPlus Main Features

High performance, small resource consumption

NTTacPlus is written in C++ and optimized for performance with a small memory and resource footprint. It can handle a high number of authentications per second with low CPU usage.

The executable is small. Installation is quick because the application uses no runtime DLLs or other external libraries beyond those included in the operating system; every component lives in the installation directory (no DLL is scattered into the Windows system directory or elsewhere).

NTTacPlus does not use the Windows registry: there is no need to hunt through the registry for the program's settings. All configuration data is kept in text files in the installation directory. Because those files hold the whole server configuration, including the secrets shared with each NAS, restrict the installation directory's permissions to the service account and administrators.

Complete support for authentication, authorization and accounting

NTTacPlus supports every authentication, authorization and accounting request defined in the TACACS+ and RADIUS specifications. Its flexibility also allows it to support new, vendor-specific authorization extensions for both protocols.

Simplified and remote management of user profile database

When stored in text files, user profiles can be edited with any text editor (such as notepad.exe). If you use ODBC for the user database, you can edit them with simple SQL queries.

There is no need to load or save the user database: a change to a profile takes effect as soon as the file (or database record) is saved, with ODBC as well.

Backing up the whole database is equally simple: copy the user and group profile directories, or back up the database when operating with ODBC.

With the NTTacPlus Console you can fully manage NTTacPlus servers and their accounts remotely. The remote management application is a single small executable that runs on any Windows 9x, Windows 2000 or Windows NT machine connected to a TCP/IP network. The Remote Console modifies user profiles in real time by talking to a NTTacPlus server, and the data exchanged between the Remote Console and the server is encrypted. The manual does not state which cipher or key exchange is used, so also restrict which hosts may reach the server's console service at the network level.

Groups and Inheritance

NTTacPlus lets you define group profiles as well as user profiles.

A group profile can carry every parameter that can be applied to a single user. Assign a user to a group and the user automatically inherits all the parameters set in that parent group.

A user profile may belong to more than one group; in that case the attribute lookup proceeds through each group in turn.

A group may itself belong to another group. You can therefore build a hierarchy in which common settings live in the groups and each user profile holds only the parameters that distinguish that user, avoiding the repetition of the same values in every profile.
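The following Python script is an added example, not part of NTTacPlus or of this manual, that models the lookup just described: a user may belong to several groups, a group to other groups, and an attribute missing from the user is searched for in the groups. The manual does not state the search order or what happens when group memberships form a loop; the example assumes a depth-first walk through the groups in the order listed (the user's own setting beats any group's, and the first group listed beats later ones) and rejects a loop instead of recursing forever. Profile names and attributes are constructed for the example.

```python
# Added example: attribute lookup through a user/group hierarchy as the
# manual describes it.  Not NTTacPlus code; search order and loop handling
# are assumptions made for this example.
from typing import Any, Dict, Iterator, Tuple

Profile = Dict[str, Any]   # attribute name -> value; "groups" lists parent groups

# Constructed sample database: two tiers of groups, two users, one loop.
PROFILES: Dict[str, Profile] = {
    "default": {"session_timeout": 3600, "max_logins": 1, "service": "ppp"},
    "isdn":    {"groups": ["default"], "nas_port_type": "ISDN", "max_logins": 2},
    "staff":   {"groups": ["isdn", "default"], "privilege": 15},
    "alice":   {"groups": ["staff"], "password": "<hash>"},
    "bob":     {"groups": ["default"], "password": "<hash>", "max_logins": 3},
    "loop_a":  {"groups": ["loop_b"]},
    "loop_b":  {"groups": ["loop_a"]},
}


class ProfileLoop(Exception):
    """A group is (transitively) its own parent."""


def _walk(name: str, db: Dict[str, Profile], chain: Tuple[str, ...]) -> Iterator[Profile]:
    """Yield profiles in lookup order: the profile itself, then each parent
    group depth-first in the order listed.  `chain` is the path from the
    starting profile; meeting a name already on it means a loop, which is
    reported instead of recursing forever."""
    if name in chain:
        raise ProfileLoop(" -> ".join(chain + (name,)))
    profile = db.get(name)
    if profile is None:          # a dangling group reference is simply skipped
        return
    yield profile
    for parent in profile.get("groups", []):
        yield from _walk(parent, db, chain + (name,))


def lookup(name: str, attr: str, db: Dict[str, Profile] = PROFILES) -> Any:
    """First value of `attr` found on the path from `name` upward (the user's
    own setting beats any group's), or None if nothing on the path sets it."""
    for profile in _walk(name, db, ()):
        if attr in profile:
            return profile[attr]
    return None


def effective_profile(name: str, db: Dict[str, Profile] = PROFILES) -> Profile:
    """Merge the whole path into one flat profile; nearer settings win."""
    merged: Profile = {}
    for profile in _walk(name, db, ()):
        for key, value in profile.items():
            if key != "groups" and key not in merged:
                merged[key] = value
    return merged


def has_loop(name: str, db: Dict[str, Profile] = PROFILES) -> bool:
    """True if resolving `name` would run into a group loop; a useful check
    to run whenever a group's membership is edited."""
    try:
        for _ in _walk(name, db, ()):
            pass
    except ProfileLoop:
        return True
    return False


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, effective_profile(user))
    print("loop_a has loop:", has_loop("loop_a"))
```

With the sample data, alice gets max_logins 2 from the isdn group (reached before default), bob keeps his own value of 3, and the loop_a/loop_b pair is reported as a loop rather than hanging the lookup at login time.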

Real time and remote check on the activity

NTTacPlus monitors active connections in a window that lists the active users, how long each has been connected and on which NAS.

NTTacPlus also records in real time every incoming authentication, authorization and accounting request, as well as remote management sessions. Events are shown on screen in a log window and written permanently to a log file.

Users can also be forcibly and automatically disconnected through the RSHELL protocol (implemented in this release of NTTacPlus) or with external utilities or scripts (such as SNMPSET or telnet). Note that rsh trusts the caller by source address alone and carries commands in clear text, so the NAS should accept such commands only from the NTTacPlus host, over a management network.

Through the NTTacPlus Console an exact copy of the active-users window can be opened on any remote PC (Windows 9x, Windows 2000 or NT) connected to a TCP/IP network.

Redundant functioning and backup features

A second copy of NTTacPlus can be installed on another machine and configured as a redundant backup server.

The backup server connects automatically to the primary NTTacPlus server and periodically synchronizes the whole user database.

Synchronization runs over a TCP connection and the exchanged packets are encrypted.

If the primary server fails, the NAS can direct its requests to the backup server.

Extended access control

NTTacPlus offers several parameters for regulating user access. In particular, access can be controlled by:

- account expiry date

- connection time-table (daily or weekly, with a programmable holiday calendar)

- Called/Calling ID (called/calling phone number, if supplied by the Telco)

- source NAS or NAS port (distinguishing analogue from ISDN calls)

- number of concurrent logins for the same account

- overall residual time credit

- overall residual traffic credit

- time quota assigned for a given period

- privilege level (from basic user to administrator)
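The script below is an added example (not NTTacPlus code) that evaluates the checks in the list above in order on a constructed profile and returns the reason for a refusal, the kind of text one would want in the event log. It also computes the Session-Timeout value to hand back to the NAS, so that both the residual time credit and the end of the current time-table window are enforced by the NAS itself even if the server is unreachable when they expire. Field names, the time-table layout, the evaluation order and the use of fnmatch wildcards ('*', '?') for calling-number patterns are assumptions of this example; the product's actual profile syntax is described in the Account Management chapter.

```python
# Added example: the per-account access checks the manual lists, evaluated
# in order on a constructed profile.  Not NTTacPlus code; field names, the
# time-table layout and fnmatch wildcards are assumptions for the example.
from datetime import datetime, date, timedelta
from fnmatch import fnmatchcase
from typing import Any, Dict, Optional, Tuple

# Constructed sample profile.  Time-table: weekday (0 = Monday) -> list of
# [start_hour, end_hour) windows in which login is permitted; a weekday
# that is absent means no access on that day.
ALICE: Dict[str, Any] = {
    "expires": date(2001, 12, 31),
    "timetable": {0: [(8, 20)], 1: [(8, 20)], 2: [(8, 20)],
                  3: [(8, 20)], 4: [(8, 20)], 5: [(9, 13)]},
    "calling_ids": ["0321*", "+39 0321 ??????"],   # '*' any run, '?' one char
    "nas_port_types": {"Async", "ISDN"},
    "max_logins": 1,
    "time_credit": 7200,            # seconds remaining
    "traffic_credit": 50_000_000,   # bytes remaining
}


def _current_window(profile: Dict[str, Any], now: datetime) -> Optional[Tuple[int, int]]:
    """The time-table window containing `now`, (0, 24) if the profile has no
    time-table at all, or None if login is not allowed at this moment."""
    windows = profile.get("timetable")
    if windows is None:
        return (0, 24)
    for start, end in windows.get(now.weekday(), []):
        if start <= now.hour < end:
            return (start, end)
    return None


def check_access(profile: Dict[str, Any], request: Dict[str, Any],
                 active_sessions: int, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason).  The first failing rule decides, and the
    reason is the text an operator would want to see in the event log."""
    expires = profile.get("expires")
    if expires is not None and now.date() > expires:
        return False, "account expired on %s" % expires
    if _current_window(profile, now) is None:
        return False, "outside connection time-table"
    patterns = profile.get("calling_ids")
    if patterns:
        cid = request.get("calling_id", "")
        if not any(fnmatchcase(cid, p) for p in patterns):
            return False, "calling id %r not permitted" % cid
    port_types = profile.get("nas_port_types")
    port_type = request.get("nas_port_type")
    if port_types and port_type not in port_types:
        return False, "NAS port type %r not permitted" % port_type
    max_logins = profile.get("max_logins", 1)
    if active_sessions >= max_logins:
        return False, "concurrent login limit (%d) reached" % max_logins
    if profile.get("time_credit", 1) <= 0:
        return False, "time credit exhausted"
    if profile.get("traffic_credit", 1) <= 0:
        return False, "traffic credit exhausted"
    return True, "ok"


def session_timeout(profile: Dict[str, Any], now: datetime) -> Optional[int]:
    """Seconds the NAS should allow before cutting the session: the smaller
    of the residual time credit and the time left in the current time-table
    window.  None means no limit."""
    limit = profile.get("time_credit")
    window = _current_window(profile, now)
    if window is not None and profile.get("timetable") is not None:
        midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
        remaining = int((midnight + timedelta(hours=window[1]) - now).total_seconds())
        limit = remaining if limit is None else min(limit, remaining)
    return limit


def decide(profile: Dict[str, Any], request: Dict[str, Any],
           active_sessions: int, iso_time: str):
    """Convenience wrapper taking an ISO 8601 timestamp string; returns
    ((allowed, reason), session_timeout_seconds)."""
    now = datetime.fromisoformat(iso_time)
    return check_access(profile, request, active_sessions, now), session_timeout(profile, now)


if __name__ == "__main__":
    req = {"calling_id": "0321123456", "nas_port_type": "ISDN"}
    print(decide(ALICE, req, 0, "2001-06-11T19:50:00"))   # Monday 19:50: ok, 600 s left in window
    print(decide(ALICE, req, 1, "2001-06-11T10:00:00"))   # second concurrent login refused
```

A login at 19:50 on a weekday is accepted but the returned Session-Timeout is 600 seconds, not the 7200 seconds of credit, because the window closes at 20:00; the same user calling from an unlisted number, from a port type not in the profile, on a Sunday, or while already connected is refused with a specific reason.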

Extended check on suspicious cases

NTTacPlus can detect failed access attempts (wrong password, login outside the allowed hours, insufficient privilege, a second login attempt with a username that is already connected) and take administrative actions, each of which can be enabled or disabled independently:

- e-mail notification to the system administrator

- e-mail notification to the user concerned

- immediate disabling of the user account

- immediate forced disconnection of the user

Automatic disabling after failed passwords lets anyone who knows a username lock that account out, so weigh it against the notification-only options.

NTTacPlus can also send customizable warning e-mail messages to a user whose account is about to expire or whose time or traffic credit has fallen below a warning threshold.

Extended support for accounting (ODBC)

NTTacPlus offers extended accounting support.

For each session NTTacPlus records several useful values, such as the session duration, input and output traffic, and the residual time and traffic credit.

The accounting output is written in real time to a standard ASCII table file or to a standard ODBC database such as Microsoft Access, SQL Server or Oracle.

NTTacPlus can also maintain, in an ODBC database, a table of currently logged-in users that is updated in real time.

Proxying to Windows NT, UNIX passwd files or other TACACS+ servers

NTTacPlus can authenticate a username and password by forwarding the request to a Windows NT machine (local or remote) and using its user database. It can also forward authentications to other TACACS+ servers, or use accounts stored in standard UNIX passwd files.

Automatic synchronization with Cisco Network Access Servers (NAS)

NTTacPlus can synchronize its active-users list with any Cisco NAS, so that no information is lost when the server running NTTacPlus restarts or when the NAS itself reboots.

NTTacPlus can also periodically refresh its active-users list by querying the NASes and updating the current accounting information. This closes a possible gap in the accounting data, for example when a NAS fails to send its STOP records to NTTacPlus.

NTTacPlus Open Architecture

NTTacPlus offers an open architecture through the use of the ODBC standard for storing user/group profiles and accounting data, so it can be integrated easily into existing environments.

NTTacPlus lets administrators extend its authentication and accounting capabilities with customizable external scripts.

Easy web interfacing

NTTacPlus can expose its data (active users, user profiles, accounting reports) to a web server through ASP, Cold Fusion Markup Language, CGI and so on.

The administrator/webmaster only has to build the HTML pages of the intranet/Internet web server in order to manage users, create accounting reports, sell accounts on line, and so on.

What’s new in NTTacPlus 2.0

Introducing NTTacPlus 2.0

The new release of NTTacPlus introduces many improvements and new features, such as support for the RADIUS protocol (a standard supported by all remote access hardware platforms) and support for SQL ODBC databases for storing and managing user accounts.

NTTacPlus is evolving towards an open standard that meets the needs of system and network administrators who want to integrate their existing systems tightly with the AAA model.

The way Master Soft intends to reach this target is known as the O.A.K. project (Open Administration Kit).

NTTacPlus has been designed to be as open as possible, thanks to the introduction of ODBC user database support. The goal of the O.A.K. project is to integrate the NTTacPlus authentication/accounting engine into existing billing and accounting procedures (accounting applications, invoicing, billing, statistical tools and so on) without disrupting them.

The O.A.K. project will deliver documentation and a set of APIs allowing NTTacPlus servers to be managed easily from any programming language.

Support for Microsoft Active Server Pages and for the Allaire Cold Fusion Application Server will also be released, so that everyone can develop integrated web procedures quickly, flexibly and easily.

Differences with release 1.x

NTTacPlus 2.0 introduces many improvements over release 1.x, and some significant changes have been made to the user interface. We suggest that customers running NTTacPlus 1.x read this brief chapter carefully, as it summarizes the main differences between the old and new versions. The new options and features are described in detail in the following chapters. Here is a list of the main new features.

  • A new Graphical User Interface totally moved to the Remote Console
  • Support for the RADIUS protocol
  • Support for SQL ODBC databases (now also available for storing accounts)
  • Complete menu and options reorganization
  • Improved Cisco NAS resynchronization options
  • A lot of minor changes and improvements

User interface moved to the NTTacPlus Remote Console separate application

The Remote Console has been completely redesigned and now integrates the old NTTacPlus Console and the NTTacPlus User Manager into a single application.

The server-side interface has been reduced to a single dialog window (or a systray icon when NTTacPlus runs minimized). When NTTacPlus runs as a service no GUI window is visible; this optimizes server-side memory use and performance.

All the functions formerly available in the NTTacPlus main window are now accessible from the NTTacPlus Remote Console, so NTTacPlus servers can be administered completely from anywhere on the network.

The setup program lets you choose whether to install the NTTacPlus server only, the NTTacPlus Remote Console only, or both.

However, you do not need to run setup to install the Remote Console on a client PC. It is enough to copy the following two files into a directory on the PC that will run the NTTacPlus Remote Console:

NTTACMON.EXE    Remote Console main executable

RADDICT.DAT     The RADIUS attribute dictionary used for user profile management

To manage a NTTacPlus server locally, start the Remote Console and log in using localhost as the server address.

RADIUS protocol support

This release of NTTacPlus fully supports the RADIUS protocol with any RADIUS-enabled client.

Some attributes specific to the RADIUS protocol are automatically re-mapped onto standard NTTacPlus parameters, so that the graphical interface stays uniform with the TACACS+ side and compatible with older versions of NTTacPlus. For a more detailed description of this feature, read the paragraph Comparison between some RADIUS attributes and their TACACS+ equivalent.

Through the RADIUS protocol, NTTacPlus can now use the Session-Timeout attribute to have the NAS terminate user sessions implicitly. See the chapter Use of session-timeout.
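Because both the AAA description in the introduction and this section refer to RADIUS without showing a packet, the following Python script is an added example (not NTTacPlus code) of one Access-Request / Access-Accept exchange as RFC 2865 defines it, with the NAS side and the server side both spelled out. It covers the two things the shared secret protects: the User-Password attribute, which is XOR-hidden with MD5(secret + Request Authenticator) rather than sent in clear, and the Response Authenticator, which the NAS must verify before trusting an Access-Accept. The accept carries a Session-Timeout attribute as described above. The shared secret, the account and the timeout value are constructed for the example.

```python
# Added example: RADIUS Access-Request / Access-Accept with the shared-secret
# protections of RFC 2865, NAS side and server side.  Not NTTacPlus code;
# the secret, account and timeout are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT = 1, 2, 27

def encode_attrs(attrs):
    """[(type, value_bytes)] -> RADIUS attribute TLVs (length includes the 2-byte header)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Inverse of encode_attrs; rejects lengths that would run past the buffer."""
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad with NULs to 16-octet blocks, XOR each block with
    MD5(secret + previous cipher block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, req_auth):
    """Server side of hide_password.  Trailing NULs are padding, so a password
    that itself ends in NUL cannot be told apart from padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_access_request(ident, username, password, secret):
    """NAS side.  The Request Authenticator must be unpredictable: it keys the
    password hiding and binds the reply to this request."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(request, secret, user_db):
    """Server side: parse, recover the password, decide, sign the reply.
    dict() collapses duplicate attributes, which is acceptable here."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))      # octets past Length are padding
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    entry = user_db.get(attrs.get(USER_NAME, b""))
    if entry is not None and hmac.compare_digest(entry["password"], password):
        code, reply_attrs = ACCESS_ACCEPT, [(SESSION_TIMEOUT, struct.pack("!I", entry["session_timeout"]))]
    else:
        code, reply_attrs = ACCESS_REJECT, []           # same reply for unknown user and wrong password
    return packet(code, ident, response_authenticator(code, ident, req_auth, reply_attrs, secret), reply_attrs)

def client_verify(reply, req_auth, secret):
    """NAS side: accept the reply only if its Response Authenticator matches;
    otherwise anyone able to spoof the server address could forge an
    Access-Accept.  Returns (code, {type: value}) or None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return None
    attrs = decode_attrs(reply[20:length])
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code, dict(attrs)

def demo(secret=b"s3cret-shared-with-this-NAS", username=b"alice", password=b"correct horse"):
    """Full round trip against a constructed one-user database."""
    user_db = {b"alice": {"password": b"correct horse", "session_timeout": 3600}}
    request, req_auth = build_access_request(7, username, password, secret)
    return client_verify(server_handle(request, secret, user_db), req_auth, secret)

if __name__ == "__main__":
    print(demo())                      # (2, {27: b'\x00\x00\x0e\x10'})  -> Access-Accept, 3600 s
    print(demo(password=b"wrong"))     # (3, {})                         -> Access-Reject
```

Two points matter for any RADIUS deployment, NTTacPlus included: the Request Authenticator must be unpredictable (a NAS that reuses it lets an observer recover one password from another by XOR), and the password hiding is keyed only by the shared secret and MD5, so a short or guessable secret can be recovered offline from a single captured exchange. RFC 2865 offers no confidentiality for anything else in the packet, so NAS-to-server traffic belongs on a management network.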

Users and groups SQL ODBC database support

NTTacPlus can now store user and group profiles in a SQL/ODBC database as well: you can choose whether to keep your existing accounts in simple ASCII text files or import them into an ODBC database.

Details on the use of, and migration to, ODBC databases are given in the chapter Account profiles in ODBC SQL format.

A sample MS Access 97 database is distributed with NTTacPlus.

This database includes routines for importing and exporting users to and from text profiles.

New configuration menus

All configuration options have been reorganized and moved to a single dialog window accessible from the Tools/Options (F8) menu.

You can access the configuration dialog window from any NTTacPlus Remote Console.