1. Other Product Technical Information
1.1. VOP Radius
1.1.1. VOP Radius Release Information and Patches
1.1.1.1. Version 4.1 Build 229
1.1.1.1.1. Known Issues and Patches for 4.1.229
April 23, 2007: Update2 for VOP Radius 4.1 Build 229 Released.

Special Note: This update requires a reboot. Not doing so could cause console errors.

Note 1: All Updates are cumulative. That is, UpdateX will contain all the fixes present in UpdateX-1, UpdateX-2, etc.

Note 2: The Update and Instructions are available for download at the bottom of this page.

VOP Radius - README File.

*** Important Note ***

--------------------------------------------------------------------------------

SQL database type support has been extended starting in version 4.0.228. Even though SQL is a standard, every server (MS SQL, MySQL, etc.) has its own particularities. The Vircom-specific attributes Analog-Access and Digital-Access were originally defined as records of type binary. Since the binary record type is not "universal" enough, their record type is changed to integer. Depending on your SQL database server, these attributes may work properly regardless of their record type. However, it is HIGHLY RECOMMENDED when upgrading to version 4.0.228 or above to change the record type of the Analog-Access and Digital-Access attributes to Integer in your SQL database.

1. A zero value means FALSE.

2. A non-zero value means TRUE (1,2, etc.)

3. NULL data is allowed and it means "don't care".

*** Important Note ***

--------------------------------------------------------------------------------

Customers using VOP Radius MMC, must update both VOP Radius Server and MMC.

--------------------------------------------------------------------------------

VPRRS229.2.EXE

--------------------------------------------------------------------------------

   - Fixed a rare exception occurring while loading the users from the disk.

   - Fixed display in the console (Radius Server tab --> ODBC DataSource)

VPRRS229.1.EXE

--------------------------------------------------------------------------------

   - Fixed a problem with "Check password when UserName clash" within
     "Add. Database IDs" / "ODBC" in the console. The VOP Radius server was
     ignoring the feature; the user was found only by the user name. Please
     note that the same feature, in the "Radius Server" tab, was already
     working.

VPRRS229.EXE

--------------------------------------------------------------------------------

   - Added support for Rodopi AAA Corba Interface

       - For authentication ("Radius Server" and "Add. Database IDs" tabs)

       - For accounting ("Accounting" tab)

       - For secondary/fallback solution ("Cache/Fallback" tab)

Contacting us

=============

If you need assistance or have suggestions concerning our products, do not hesitate to call or write us. Our offices are open from 9:30AM to 6:00PM Eastern time, weekdays.

E-mail: Technical support    support@vircom.com
E-mail: Suggestion box       suggest@vircom.com
Our support Web Page         http://www.vircom.com
Our tech support line        (514) 845-8474, weekdays, 9:30AM to 6:00PM Eastern time.

1.1.1.1.2. Important document for customers upgrading from an older version
1.1.1.1.3. Release Information
1.1.1.1.4. Manuals

VOP Radius manuals can be downloaded below:

1.1.1.1.5. Rodopi AAA CORBA Interface

VOP Radius uses the Rodopi AAA CORBA Interface to interact with the Rodopi billing software. This interface provides more flexibility in the selection of attributes than using stored procedures.

Authentication details:

1. The Rodopi billing software must return either a Password attribute or an Auth-Type attribute.

2. The Service-Type attribute must be returned. Its value must be either a valid integer (see RFC 2865) or a Service-Type string value found in the VOP Radius dictionary (VPRDict.txt):

   VALUE<tab>Service-Type<tab>Framed-User<tab>2

Note: <tab> is a tabulation character.

For further details, see “Authentication Access” in the VOP Radius Application Help File.
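As an added illustration (example code, not part of the VOP Radius or Rodopi software), the following Python checks a Rodopi reply against the two authentication rules above: it parses dictionary VALUE lines in the VPRDict.txt format shown and resolves a Service-Type given either as an integer or as a dictionary name. The dictionary lines and the replies are constructed sample data; only Framed-User = 2 comes from this page, while Login-User = 1 and Authenticate-Only = 8 are the RFC 2865 values.

```python
# Added example, not VOP Radius or Rodopi code: validate the attributes a
# Rodopi reply hands to VOP Radius against the two rules stated above.
from typing import Dict, Optional, Tuple

# Constructed sample of VPRDict.txt VALUE lines (tab separated). Framed-User=2
# is the line quoted on the page; the other two are RFC 2865 values.
SAMPLE_DICTIONARY = (
    "VALUE\tService-Type\tLogin-User\t1\n"
    "VALUE\tService-Type\tFramed-User\t2\n"
    "VALUE\tService-Type\tAuthenticate-Only\t8\n"
)


def parse_value_lines(text: str) -> Dict[str, Dict[str, int]]:
    """Parse dictionary VALUE lines into {attribute: {name: number}}."""
    table: Dict[str, Dict[str, int]] = {}
    for raw in text.splitlines():
        fields = raw.rstrip("\n").split("\t")
        if len(fields) != 4 or fields[0] != "VALUE":
            continue  # ATTRIBUTE lines, comments and blanks are ignored
        _, attribute, name, number = fields
        table.setdefault(attribute, {})[name] = int(number)
    return table


def resolve_service_type(value, dictionary) -> Optional[int]:
    """Return the numeric Service-Type, or None if the value is unusable.

    Accepts an integer (RFC 2865 carries Service-Type as a 32-bit unsigned
    integer) or a name listed for Service-Type in the dictionary.
    """
    names = dictionary.get("Service-Type", {})
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value if 0 < value < 2**32 else None
    if isinstance(value, str):
        text = value.strip()
        if text in names:
            return names[text]
        if text.isdigit():
            return resolve_service_type(int(text), dictionary)
    return None


def check_rodopi_reply(attrs: dict, dictionary) -> Tuple[bool, str]:
    """Rule 1: Password or Auth-Type present. Rule 2: usable Service-Type."""
    if "Password" not in attrs and "Auth-Type" not in attrs:
        return False, "reply carries neither Password nor Auth-Type"
    if "Service-Type" not in attrs:
        return False, "reply carries no Service-Type"
    number = resolve_service_type(attrs["Service-Type"], dictionary)
    if number is None:
        return False, (f"Service-Type {attrs['Service-Type']!r} is neither an "
                       "integer nor a dictionary name")
    return True, f"Service-Type resolved to {number}"
```

A reply that fails either rule is reported with the reason, which is the message an operator would want in the log when Rodopi returns an attribute set VOP Radius cannot use.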

Configuring the AAA CORBA Interface:

- Rodopi Server

  The Rodopi AAA Interface configuration information is stored in an XML file on the server where the Rodopi AAA Interface service is installed. Any configuration changes must be saved in this file:

  <Rodopi Installation Folder>\Shared Services\Rodopi.Service.AAA.exe.config

- VOP Radius Server

  Whether the AAA Interface is used for authentication or accounting, the setup information required by VOP Radius is the same:

  - Host name / IP Address: This identifies the machine where the Rodopi AAA Interface service is installed; it may be either a host name or an IP address. The default host name is Localhost.

  - Port: In the Rodopi.Service.AAA.exe.config file, this is defined as /configuration/appSettings/parameter/value where the parameter's key attribute is RadiusInterface.Port. The default port is 8087.

  - CORBA object name: In the Rodopi.Service.AAA.exe.config file, this is defined as /configuration/rodopiAppConfiguration/solution/instance/parameter where the parameter's key attribute is RadiusInterface.Name. The default CORBA object name is RodopiRadiusAAA.

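The following Python is an added example (not Rodopi's or Vircom's code) that reads the port and CORBA object name from a Rodopi.Service.AAA.exe.config file using the two locations given above, so the values entered on the VOP Radius side can be checked against the file. The sample file is constructed from those locations; whether "value" is an attribute or a child element of "parameter" is not stated on this page, so the code accepts both, and treating a missing entry as the stated default is likewise an assumption of the example.

```python
# Added example, not Rodopi or VOP Radius code: extract the two AAA Interface
# settings VOP Radius needs from a Rodopi.Service.AAA.exe.config document.
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample laid out after the two paths given above; the element
# shapes of the real file are an assumption of this example.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <parameter key="RadiusInterface.Port" value="8087"/>
    <parameter key="Other.Setting"><value>ignored</value></parameter>
  </appSettings>
  <rodopiAppConfiguration>
    <solution>
      <instance>
        <parameter key="RadiusInterface.Name" value="RodopiRadiusAAA"/>
      </instance>
    </solution>
  </rodopiAppConfiguration>
</configuration>
"""

# The two locations from the page, relative to the <configuration> root.
PORT_PATH = "appSettings/parameter"
NAME_PATH = "rodopiAppConfiguration/solution/instance/parameter"

# Defaults stated on the page; applying them when the entry is absent is an
# assumption of this example.
DEFAULT_PORT = 8087
DEFAULT_OBJECT_NAME = "RodopiRadiusAAA"


def parameter_value(root: ET.Element, path: str, key: str) -> Optional[str]:
    """Return the value of the <parameter> under path whose key attribute is key."""
    for node in root.iterfind(path):
        if node.get("key") != key:
            continue
        if node.get("value") is not None:      # value given as an attribute
            return node.get("value")
        child = node.find("value")              # value given as a child element
        if child is not None and child.text:
            return child.text.strip()
    return None


def read_aaa_settings(config_xml: str) -> dict:
    """Return the port and CORBA object name VOP Radius must be configured with."""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a .exe.config document")
    port_text = parameter_value(root, PORT_PATH, "RadiusInterface.Port")
    port = int(port_text) if port_text is not None else DEFAULT_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"RadiusInterface.Port out of range: {port}")
    name = parameter_value(root, NAME_PATH, "RadiusInterface.Name")
    return {"port": port, "corba_object": name or DEFAULT_OBJECT_NAME}
```

Run read_aaa_settings() on the contents of the real file and compare the result with the Host/Port/CORBA object name entered in the VOP Radius console; a mismatch here is the first thing to rule out when authentication or accounting through the AAA Interface fails.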
1.1.1.2. Version 4.0 Build 228

1.1.1.2.1. Important document for customers upgrading from an older version
1.1.1.2.2. Release Information
Please see attached "Release.pdf" document.
1.1.1.2.3. Manuals

VOP Radius manuals can be downloaded below:

1.1.1.2.4. Known Issues and Patches for 4.0.228

September 26, 2005: Update38 for VOP Radius 4.0.228 Released.

Special Note: This update requires a reboot. Not doing so could cause console errors.

Note 1: All Updates are cumulative. That is, UpdateX will contain all the fixes present in UpdateX-1, UpdateX-2, etc.

Note 2: The Update and Instructions are available for download at the bottom of this page.

Update information

*** Important Note ***
--------------------------------------------------------------------------------
SQL database type support has been extended starting in version 4.0.228. Even
though SQL is a standard, every server (MS SQL, MySQL, etc.) has its own
particularities. The Vircom-specific attributes Analog-Access and Digital-Access
were originally defined as records of type binary. Since the binary record type
is not "universal" enough, their record type is changed to integer. Depending on
your SQL database server, these attributes may work properly regardless of their
record type. However, it is HIGHLY RECOMMENDED when upgrading to version 4.0.228
or above to change the record type of the Analog-Access and Digital-Access
attributes to Integer in your SQL database.

1. A zero value means FALSE.
2. A non-zero value means TRUE (1,2, and above)
3. NULL data is allowed and it means "don't care".


*** Important Note ***
--------------------------------------------------------------------------------
Customers using VOP Radius MMC, must update both VOP Radius Server and MMC.

--------------------------------------------------------------------------------

VPRRS228.38.EXE
--------------------------------------------------------------------------------
   - VOP Radius now performs VoIP detection only for NAS of type CISCO or of
     unknown type.

--------------------------------------------------------------------------------

VPRRS228.37.EXE
--------------------------------------------------------------------------------
   - VOP Radius now logs incoming NAS IP address and NAS port upon access
     denial caused by an invalid password.

   - VOP Radius now omits users with service type 8 (Authenticate-Only) and
     service type 99 (Authenticate-Vop) from active users count validation of
     maximum simultaneous users on-line. (As per VOP Radius license key)

--------------------------------------------------------------------------------

VPRRS228.36.EXE
--------------------------------------------------------------------------------
   - VOP Radius now logs the elapsed time of each SQL query.

--------------------------------------------------------------------------------

VPRRS228.35.EXE
--------------------------------------------------------------------------------
   - This update applies to the ODBC authentication method.

     The "Analog-Access" and "Digital-Access" fields are now bound as SQL_C_LONG
     instead of SQL_C_ULONG.

     If a row had a negative value (e.g. -1) for "Analog-Access" and/or
     "Digital-Access", that row was not returned by the SQL server to
     VOP Radius (a negative value is invalid for SQL_C_ULONG). The user was
     simply not found.

     Here is a table showing the SQL types that VOP Radius uses to bind the
     columns.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Field Name         |  RADIUS Attribute       |  Formerly     |  Update 35    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  UserName           |  User-Name (1)          |  SQL_C_CHAR   |  SQL_C_CHAR   |
|  Password           |  User-Password (2)      |  SQL_C_CHAR   |  SQL_C_CHAR   |
|  Service-Type       |  Service-Type (6)       |  SQL_C_CHAR   |  SQL_C_CHAR   |
|  Session-Limit      |  Session-Timeout (27)   |  SQL_C_LONG   |  SQL_C_LONG   |
|  Idle-Limit         |  Idle-Timeout (28)      |  SQL_C_ULONG  |  SQL_C_ULONG  |
|  Static-IP          |  Framed-IP-Address (8)  |  SQL_C_CHAR   |  SQL_C_CHAR   |
|  IP-Netmask         |  Framed-IP-Netmask (9)  |  SQL_C_CHAR   |  SQL_C_CHAR   |
|  TimeBank           |                         |  SQL_C_LONG   |  SQL_C_LONG   |
|  Framed-Route       |  Framed-Route (22)      |  SQL_C_CHAR   |  SQL_C_CHAR   |
|  Filter-ID          |  Filter-Id (11)         |  SQL_C_CHAR   |  SQL_C_CHAR   |
|  Analog-Access      |                         |  SQL_C_ULONG  |  SQL_C_LONG   |
|  Digital-Access     |                         |  SQL_C_ULONG  |  SQL_C_LONG   |
|  Port-Limit         |  Port-Limit (62)        |  SQL_C_ULONG  |  SQL_C_ULONG  |
|  Speed-Limit        |  Connect-Info (77)      |  SQL_C_ULONG  |  SQL_C_ULONG  |
|  Expiry-Date        |                         |  SQL_C_DATE   |  SQL_C_DATE   |
|  Radius ProfileID   |                         |  SQL_C_CHAR   |  SQL_C_CHAR   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     Note:
     With VOP Radius 4.0.228, the Service-Type attribute may be absent from the
     user definition attributes or from the profile attributes, but not from
     both. The one exception is when a Framed-Protocol attribute is defined and
     the Service-Type of the incoming packet is "Framed-User"; in that case only
     a warning message is generated.

     For more information, a careful read of the "Authentication Access" page in
     the console help is strongly suggested.
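To make the binding change concrete, here is an added example (not VOP Radius code) that models the table above with Python's struct module: a fetched value that does not fit the bound C type is treated as the row not being returned, which is the effect described for -1 under SQL_C_ULONG. It also implements the Analog-Access / Digital-Access value semantics from the README at the top of this update list (0 = FALSE, non-zero = TRUE, NULL = "don't care"). The user rows are constructed, and which flag applies to which kind of call is an assumption of the example.

```python
# Added example, not VOP Radius code: model of the ODBC column binding change
# in update 35 and of the Analog-Access / Digital-Access flag semantics.
import struct
from typing import Dict, Optional

# struct formats for the numeric SQL C types in the table above; SQL_C_CHAR
# and SQL_C_DATE values are passed through without a range check.
C_TYPE_FORMAT = {"SQL_C_LONG": "<l", "SQL_C_ULONG": "<L"}

# Bindings of the two flag columns before and after update 35 (from the table).
FORMERLY = {"Analog-Access": "SQL_C_ULONG", "Digital-Access": "SQL_C_ULONG"}
UPDATE_35 = {"Analog-Access": "SQL_C_LONG", "Digital-Access": "SQL_C_LONG"}


def bind_value(value, c_type: str):
    """Return the value as it arrives through a binding of c_type.

    Raises ValueError when the value does not fit the C type (e.g. -1 into
    SQL_C_ULONG). NULL (None) is representable in any binding.
    """
    if value is None or c_type not in C_TYPE_FORMAT:
        return value
    fmt = C_TYPE_FORMAT[c_type]
    try:
        packed = struct.pack(fmt, value)
    except struct.error as exc:
        raise ValueError(f"{value!r} does not fit {c_type}") from exc
    return struct.unpack(fmt, packed)[0]


def fetch_user(row: Dict[str, object], bindings: Dict[str, str]) -> Optional[dict]:
    """Model of the fetch: a row with a column that cannot be bound is not returned."""
    bound = dict(row)
    for column, c_type in bindings.items():
        try:
            bound[column] = bind_value(row.get(column), c_type)
        except ValueError:
            return None  # the server returned nothing: "user not found"
    return bound


def access_flag(value) -> Optional[bool]:
    """README semantics: NULL is "don't care", 0 is FALSE, any other value is TRUE."""
    if value is None:
        return None
    return int(value) != 0


def access_permitted(user: dict, analog_call: bool) -> bool:
    """Decide a call against the flags; a "don't care" flag permits the call.

    Mapping analog calls to Analog-Access and all others to Digital-Access is
    an assumption of this example, not something this page states.
    """
    column = "Analog-Access" if analog_call else "Digital-Access"
    flag = access_flag(user.get(column))
    return True if flag is None else flag
```

With the FORMERLY bindings a user whose Analog-Access is stored as -1 (a TRUE value under the README's definition) is silently "not found" and therefore rejected; with the UPDATE_35 bindings the same row is returned and the flag evaluates as TRUE. Rows with only 0, 1 or NULL behave the same under both bindings, which is why the problem only showed up on databases storing negative values.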

--------------------------------------------------------------------------------

VPRRS228.34.EXE
--------------------------------------------------------------------------------
   - VOP Radius and VOPTest did not properly handle NAS-Port values higher than
     0x7fffffff.

--------------------------------------------------------------------------------

VPRRS228.33.EXE
--------------------------------------------------------------------------------
   - Username and password check with NT SAM was not working using the Auth-Type
     attribute with the optional "\DomainName" used to identify a specific domain.

--------------------------------------------------------------------------------

VPRRS228.30.EXE
--------------------------------------------------------------------------------
   - VOP Radius would not accept CHAP challenges bigger than 16 bytes.
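The fix above concerns the challenge length. As an added example (not VOP Radius code), this Python implements server-side CHAP verification as RFC 1994 and RFC 2865 specify it, with a challenge of any length rather than a fixed 16 bytes. The passwords and challenges below are constructed sample values.

```python
# Added example, not VOP Radius code: CHAP response computation and
# server-side verification that accepts a challenge of any length.
import hashlib
import hmac


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: MD5(Identifier || clear-text password || challenge), 16 bytes."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def build_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """Value of the CHAP-Password attribute (type 3): 1-byte ident + 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored_password: str) -> bool:
    """Recompute the response from the stored clear-text password and compare.

    `challenge` is the CHAP-Challenge attribute (type 60) when present,
    otherwise the 16-byte Request Authenticator (RFC 2865). CHAP's Value-Size
    is one octet, so a challenge may be anything from 1 to 255 bytes; nothing
    here assumes 16.
    """
    if len(chap_password) != 17:
        return False                      # malformed attribute
    if not challenge or len(challenge) > 255:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)
```

The comparison uses hmac.compare_digest so that verification time does not depend on how many leading bytes of the response match.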

--------------------------------------------------------------------------------

VPRRS228.29.EXE
--------------------------------------------------------------------------------
   - Rodopi Accounting Stored Procedure Call Fixed.

     How the problem occurred:
     1. The "Use ODBC for Accounting Logs" option is checked under the
        "Accounting" tab.
     2. In the ODBC Setup, the database type selected is "Rodopi".
     3. In the incoming accounting packet, the NAS-Port (5) attribute is
        omitted.

     Problem Description:
     When we called the stored procedure, we would put in the Stored Procedure
     call statement the NAS-Port (5) attribute with a value of NUL instead
     of NULL.

--------------------------------------------------------------------------------

VPRRS228.28.EXE
--------------------------------------------------------------------------------
   - Fixed VOPTest EAP testing feature broken in version 4.0 starting with
     update 16.

--------------------------------------------------------------------------------

VPRRS228.27.EXE
--------------------------------------------------------------------------------
   - Classified VOP Radius log tracking messages using only five categories.

--------------------------------------------------------------------------------

VPRRS228.26.EXE
--------------------------------------------------------------------------------
   - VOP Radius console and server able to read both old and new user log formats.

   - VOP Radius log message headers matched with log tracking console panel names.

   - VOP Radius calling station id concurrency option could not be used with
     verify port-limit upon server reply feature.

   - VOP Radius time banking feature only worked in version 4.0 if service type
     is defined in the profile.

--------------------------------------------------------------------------------

VPRRS228.25.EXE
--------------------------------------------------------------------------------
   - VOP Radius users online panel has a new pause button that prevents the
     display from being refreshed. This is useful to scroll through the listing
     while searching for a specific user.

   - VOP Radius console can now display users with username containing spaces.

   - Fixed selection of default generic auto-mapping for ODBC authentication.
     (Custom Stored Procedure)

   - VOP Radius can now authenticate users with username containing apostrophes.

   - VOP Radius MMC can now use local rpc connections and named pipes for remote
     connections.

   - VOP Radius files panel now offers the possibility to change the path and
     the name of the client definition file (VPRTSDef.txt).

   - VOP Radius help file now documents use of client type in the radius client
     definition.

   - VOP Radius help file hyperlinks have been revised.

   - VOP Radius Max Authentication Timeout feature could cause the server to
     lock up CPU resources. When a fallback method other than the cache is
     configured and both the primary data source and the fallback data source
     fail to answer, VOP Radius did not fall back to the cache but entered an
     endless loop, until the NAS itself sent a retry to unlock it. The problem
     therefore occurs on a double failure of the primary source and the fallback
     source, when the fallback is not the cache and the NAS does not retry the
     same request a few times.

--------------------------------------------------------------------------------

VPRRS228.24.EXE
--------------------------------------------------------------------------------
   - VOP Radius console is restored when re-opening the console once minimised.

   - Fixed selection of default generic auto-mapping for ODBC authentication.

--------------------------------------------------------------------------------

VPRRS228.23.EXE
--------------------------------------------------------------------------------
   - VOP Radius MMC did not allow sorting by calling station id.

--------------------------------------------------------------------------------

VPRRS228.22.EXE
--------------------------------------------------------------------------------
   - In version 4.0 starting with update 9, the chart under the Statistics tab
     could occasionally be displayed incorrectly.

   - VOP Radius can use two different files to retrieve UNIX password and UNIX
     GID. This is helpful for those using a shadow file for the passwords.

   - VOP Radius processing time for text backup and ODBC backup cases has been
     reduced.

   - VOP Radius can assign IP addresses to user requests with a service type
     other than "Framed-User". This is helpful for those wishing to assign an IP
     address to outbound users.

--------------------------------------------------------------------------------

VPRRS228.21.EXE
--------------------------------------------------------------------------------
   - If an additional accounting attribute is of type String and the accounting
     packet can potentially contain many similar attributes, a string to look
     for can be provided to VOP Radius to find a match. For example, this is
     useful to parse among vendor specific attribute-value pairs (AV-pairs).

   - Additional accounting attributes are allowed even if the packet is not a
     CISCO VoIP packet. However, a CISCO VoIP attribute value MAY NOT be added
     if your VOP Radius license does not support VoIP.

   - Implement use of Unix GID as profile name.

   - Optimised VOP Radius debugging performance, removed source IP debugging.

   - Special treatment provided to Ascend attributes without any vendor ID
     extended to Ascend attributes with Ascend vendor ID.

   - Fixed Help File for Users Online tab wrongly stating that "Limit" column
     units were seconds while in fact they are minutes.

--------------------------------------------------------------------------------

VPRRS228.20.EXE
--------------------------------------------------------------------------------
   - Starting in version 3.5.227.21, VoIP packets without any Cisco H.323
     attribute required the NAS-Port-Type attribute to be present.

   - Starting in update 17, RODOPI accounting date format was wrongly modified.

--------------------------------------------------------------------------------

VPRRS228.19.EXE
--------------------------------------------------------------------------------
   - VOP Radius allows to assign an IP address to an outbound user whose
     outbound service type has been changed to framed user.

   - VOP Radius logs matched profile name.

   - VOP Radius sends both SESSION_LIMIT and ASCEND_SESSION_LIMIT to ASCEND
     units. (As well as both IDLE_TIMEOUT and ASCEND_IDLE_TIMEOUT)

   - VOP Radius avoids raising warning if the server can not open the client
     definition file when it is open by the console or the wizard.

   - VOP Radius provides option to turn off Windows Event Viewer Logging.

   - Renaming of "Authenticated" column within the console users online
     listing for "Authentication", as well as use of DONE and NONE rather
     than YES and NO to indicate whether user went through the authentication
     phase.

   - Update 17 prevented use of multi-login check on port zero.

--------------------------------------------------------------------------------

VPRRS228.18.EXE
--------------------------------------------------------------------------------
   - VOPCom no longer unconditionally inserts attribute 61 (NAS-Port-Type)
     with a value of 5 (Virtual) when opening a request with a NAS port value of
     zero. Instead, a NAS-Port-Type of Virtual removes the NasPortID attribute
     from the packet.

   - Prevent multi-logins of user in version 4.0 only worked when remote server
     is down.

--------------------------------------------------------------------------------

VPRRS228.17.EXE
--------------------------------------------------------------------------------
   - Calling Station ID Concurrency feature implementation. If this option is
     checked, many users, or the same user, can be granted access to the same
     NAS port using different Calling Station IDs. This option is useful for
     anyone using a wireless NAS that stores the MAC address in the Calling
     Station ID (e.g. Nomadix).
     If this option is checked, the user port limit and the NAS port limit are
     treated as connection limits, whether the connections are distinguished by
     NAS port and/or by Calling Station ID.

     In addition, if this option is checked, VOP Radius considers a Calling
     Station ID to be universally unique when it is at least 10 characters
     long (this covers MAC addresses and the E.163 and E.164 formats).
     Normally, to prevent ghost connections, when an access request comes in
     from the same NAS for a port on which VOP Radius already has a user
     connected, the new connection is allowed to replace the ghost connection
     rather than being rejected. When this option is checked, VOP Radius also
     considers the Calling Station ID to be a non-sharable resource: when an
     access request comes in for a Calling Station ID on which VOP Radius
     already had a user connected, the new connection replaces the ghost
     connection rather than being rejected. This option is therefore also
     useful for anyone using a carrier that provides no means of monitoring
     NAS activity (e.g. GlobalPOPs).

   - Additional accounting attributes for Rodopi data source are allowed even if
     the packet is not a CISCO VoIP packet. However, a CISCO VoIP attribute value
     MAY NOT be added in the SQL request if your VOP Radius license does not
     support VoIP (the value will be 'NULL' instead).

   - Any string attribute value may have one or more apostrophes.
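As an added example (not VOP Radius code), the following Python models the users-online behaviour described for the Calling Station ID Concurrency option above. The rules it encodes are this example's reading of that entry: a NAS port is a non-sharable resource; with the option on, a Calling Station ID of at least 10 characters is one as well, and a request for a resource that already holds a session replaces that ghost session instead of being rejected; the user port limit is applied as a count of the user's connections. All session records are constructed.

```python
# Added example, not VOP Radius code: a users-online table with the ghost
# replacement rules described for the Calling Station ID Concurrency option.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Session:
    user: str
    nas_ip: str
    nas_port: int
    calling_station_id: str


class OnlineTable:
    """Users-online table; csid_concurrency mirrors the console option."""

    def __init__(self, csid_concurrency: bool):
        self.csid_concurrency = csid_concurrency
        self.sessions: List[Session] = []

    def online_count(self) -> int:
        return len(self.sessions)

    def csid_is_unique(self, csid: str) -> bool:
        # With the option on, a Calling Station ID of 10+ characters (MAC,
        # E.163, E.164) identifies one connection on its own.
        return self.csid_concurrency and len(csid) >= 10

    def find_ghosts(self, nas_ip: str, nas_port: int, csid: str) -> List[Session]:
        """Sessions the new request is allowed to replace."""
        ghosts = []
        for s in self.sessions:
            same_port = s.nas_ip == nas_ip and s.nas_port == nas_port
            if same_port and (not self.csid_concurrency
                              or s.calling_station_id == csid):
                ghosts.append(s)   # the port is non-sharable (or same CSID on it)
            elif self.csid_is_unique(csid) and s.calling_station_id == csid:
                ghosts.append(s)   # the CSID is non-sharable with the option on
        return ghosts

    def access_request(self, user: str, nas_ip: str, nas_port: int, csid: str,
                       user_port_limit: Optional[int]) -> Tuple[str, List[Session]]:
        """Return ("accept" or "reject", ghost sessions replaced)."""
        ghosts = self.find_ghosts(nas_ip, nas_port, csid)
        ghost_ids = {id(g) for g in ghosts}
        remaining = [s for s in self.sessions if id(s) not in ghost_ids]
        # The port limit is enforced as a connection count for the user; with
        # the option on, connections on different CSIDs over one port count
        # separately, as the entry says.
        active = sum(1 for s in remaining if s.user == user)
        if user_port_limit is not None and active >= user_port_limit:
            return "reject", []        # the table is left untouched on a reject
        self.sessions = remaining + [Session(user, nas_ip, nas_port, csid)]
        return "accept", ghosts
```

Run the same request sequence against OnlineTable(False) and OnlineTable(True) to see the difference: with the option off, a second MAC on the same NAS port displaces the first user, whereas with the option on both stay online and a repeat of the first MAC from another NAS displaces only its own stale session.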

--------------------------------------------------------------------------------

VPRRS228.16.EXE
--------------------------------------------------------------------------------
   - VOP Radius reflects RSA Security SecurID products renaming and re-branding.
     Effective October 2004, RSA ACE Server and Agent become RSA Authentication
     Manager and Agent. VOP Radius has been certified against RSA Authentication
     Manager version 6.0 dated September 2004.
   - VOPTest default timeout delay is adjusted to 3000 ms to better meet RSA
     SecurID authentication average latency.
   - VOPTest enhancements to test RSA Authentication consisting of multiple
     successive challenges.

--------------------------------------------------------------------------------

VPRRS228.15.EXE
--------------------------------------------------------------------------------
   - VOP Radius allows an IP pool filter name to be assigned to each NAS. Before
     sending back the reply to the NAS, VOP Radius verifies whether it has to
     assign an IP address to the user. First it looks whether the NAS has a
     filter name assigned to it. If not, in the case of roaming, it looks whether
     the remote server has a filter name assigned to it. Finally, it checks
     whether there is a Filter-ID attribute in the packet.
   - VOP Radius access check allows checking for an exact connection speed using
     Connect-Speed-Limit in a profile. The presence of the "@" character in
     front of the speed value forces an exact connection speed check.

--------------------------------------------------------------------------------

VPRRS228.14.EXE
--------------------------------------------------------------------------------
  - VOP Radius access check allows to check for exact connection speed. The
    presence of the "@" character in front of the speed value forces exact
    speed check. Here are four valid examples for matching exact speed; any
    one of the four forms can be used:

      Connect-Info=@256
      Connect-Info="@256"
      Connect-Speed-Limit=@256
      Connect-Speed-Limit="@256"

  - Fixed exception fault occurring with very long username.
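As an added example (not VOP Radius code), this Python parses the four check-item forms listed above and evaluates them against the Connect-Info string reported by a NAS. The "@" prefix forces an exact match as the entry states; treating a value without "@" as a maximum allowed speed is this example's assumption, since the page does not spell out the non-exact case. The Connect-Info values are constructed.

```python
# Added example, not VOP Radius code: parse the speed check item and evaluate
# it against a Connect-Info (attribute 77) string.
import re
from typing import NamedTuple, Optional

# Matches the four forms above: quoted or not, with or without the "@" prefix.
CHECK_ITEM = re.compile(
    r'^\s*(Connect-Info|Connect-Speed-Limit)\s*=\s*"?(@?)(\d+)"?\s*$')


class SpeedCheck(NamedTuple):
    exact: bool   # True when the value carried the "@" prefix
    speed: int


def parse_speed_check(item: str) -> SpeedCheck:
    """Parse e.g. Connect-Info=@256 or Connect-Speed-Limit="256"."""
    m = CHECK_ITEM.match(item)
    if not m:
        raise ValueError(f"not a speed check item: {item!r}")
    return SpeedCheck(exact=(m.group(2) == "@"), speed=int(m.group(3)))


def reported_speed(connect_info: str) -> Optional[int]:
    """Connect-Info (RFC 2869) starts with the speed, e.g. "31200 LAPM/V42BIS"."""
    m = re.match(r"\s*(\d+)", connect_info)
    return int(m.group(1)) if m else None


def speed_check_passes(item: str, connect_info: str) -> bool:
    """Exact match with "@"; otherwise the reported speed must not exceed the value
    (the non-exact meaning is this example's assumption)."""
    check = parse_speed_check(item)
    speed = reported_speed(connect_info)
    if speed is None:
        return False   # no speed to evaluate: fail closed
    return speed == check.speed if check.exact else speed <= check.speed
```

A Connect-Info string without a leading number fails the check rather than passing it, so a NAS that reports nothing usable cannot satisfy a speed-restricted profile by accident.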

--------------------------------------------------------------------------------

VPRRS228.13.EXE
--------------------------------------------------------------------------------
  - Fixed exception fault when a user is provided with many profiles not using
    profile lists.

  - Added icon to VOP Radius Client title bar.

--------------------------------------------------------------------------------

VPRRS228.12.EXE
--------------------------------------------------------------------------------
  - Defining a client with a name format similar to an IP address
    ( xxx.xxx.xxx.xxx ) corrupted its own definition.

--------------------------------------------------------------------------------

VPRRS228.11.EXE
--------------------------------------------------------------------------------
  - Connect-Info did not work properly as an access check item.

--------------------------------------------------------------------------------

VPRRS228.10.EXE
--------------------------------------------------------------------------------
  - Invalid password warning message is now providing invalid password value.
  - Fixed a bug inserted in 4.0.228.8 where only "Radius Server" could be used
    as fallback method.

---------------------------------------------------------------------------------

VPRRS228.9.EXE
--------------------------------------------------------------------------------
  - Maximum Authentication Timeout now by increments of 1 sec rather than 5 sec.

--------------------------------------------------------------------------------

VPRRS228.8.EXE
--------------------------------------------------------------------------------
  - Console layout tab order to navigate has been fixed.
  - Implementation of a fail-over server for each server meant for roaming users.
  - Implementation of a timeout to fail-over rather than relying on retries.
  - Roaming is searched for by suffix, then prefix and default roamer server now
    used as last resort.
  - Modify possible refresh rate of VOP Radius MMC from Hour:Minute to Minute:Second
  - Voptest now allows Client IP Address to differ from NAS IP Address.
  - Fixed the "Remove-Attributes" attribute. The list syntax was not working
    properly: only the first attribute of the list was removed.
  - Fixed an issue with the pdf documentation. Some rows were not showing properly.
  - Fixed an issue with the "Use ODBC Logs" option in the "Log Tracking" tab:
    The "Debug Informations: Level 2" error messages are now inserted in the
    database if the associated checkbox is marked. More messages are inserted
    as well if the associated "Error Log Information Level" is checked (very
    few may still only appear in the text file).

--------------------------------------------------------------------------------

VPRRS228.7.EXE
--------------------------------------------------------------------------------
  - Fixed SQL sample scripts to create Analog-Access and Digital-Access record
    as integer.
  - Fixed Microsoft Access sample database creating Analog-Access and Digital-
    Access record as integer.
  - Fixed VOP Radius help file to document Analog-Access and Digital-Access
    record as integer.

--------------------------------------------------------------------------------

VPRRS228.6.EXE
--------------------------------------------------------------------------------

  - Fixed SQL support for Analog-Access and Digital-Access special attributes.
       Some SQL servers would return values other than 0 and 1.
  - Fixed VOP Radius MMC console.
       VOP Radius MMC console was not working using UDP.
       VOP Radius MMC console was not working properly with the 4.0.228 server.
  - Fixed User List file format.
       User list file format is now reader-friendly (stretched over 132 columns).
  - Fixed Time-Of-Day special attribute.
       A bug introduced in 4.0.228 prevented use of Time-Of-Day.

--------------------------------------------------------------------------------

VPRRS228.5.EXE
--------------------------------------------------------------------------------

  - Fixed support for Windows 2003.
       On some Windows 2003 configurations, version verification during
       installation would cause the dll to be misplaced. Version verification
       has been replaced by date verification.
  - Fixed sample scripts to create SQL tables.
       Sample script was missing one line to create a field called "TimeBank".
  - Fixed a bug inserted in 4.0.228 where an Access Request with no NAS-Port-ID
       attribute would fail.
  - Fixed ODBC Fallback support.
       Four fields were greyed out under this option: Timebank, Port-Limit,
       SpeedLimit, and ExpirationDate.
--------------------------------------------------------------------------------

VPRRS228.4.EXE
--------------------------------------------------------------------------------

  - Fixed support for MySQL.
       Analog-Access and Digital-Access attributes could not be used with MySQL.
  - Fixed support for NULL String vs. NULL Data using SQL. (MS SQL does not
       necessarily return NULL DATA for a NULL string.)

--------------------------------------------------------------------------------

VPRRS228.3.EXE
--------------------------------------------------------------------------------

VPRRS.EXE (The VOPRadius server application itself)

  - Custom Stored Procedure Support
       With the VPRRS228.2.EXE update, the special attribute "Return-Code" had
       to be the first attribute returned. Now, this restriction has been
       removed.
  - The NAS-Port-Id attribute
       The NAS-Port-Id check was not working properly. The latter issue has been
       fixed.

--------------------------------------------------------------------------------

VPRRS228.2.EXE
--------------------------------------------------------------------------------

Main RADIUS Configuration console
VPRRS.EXE (The VOPRadius server application itself)

  - Custom Stored Procedure Support
       The "Custom Stored Procedure Support" feature can be used by customers
       with specific authentication needs.

       To have more info on that new feature:

       1. Open the Main RADIUS Configuration console.
       2. Select the "Radius Server" tab.
       3. Select the "ODBC DataSource" radiobutton.
       4. Click on the "Setup" button.
       5. Under "Database Type" combobox, select "Custom Stored Procedure".
       6. Click the "Yes" popup button and read the help associated to the
          "Custom Stored Procedure Support".

--------------------------------------------------------------------------------

VPRRS228.1.EXE
--------------------------------------------------------------------------------
Main RADIUS Configuration console

  - The current update number installed is now shown.
  - Added a title bar icon
  - Added the minimize functionality
  - Added an icon on the system tray to show the console if clicked

  * Users Online tab
    - Changed the values showed in the Service-Type column.
    - The remove button is now enabled only if it is available (interface
      improvement).
    - Added a comment saying that the remove button effect is not instantaneous.

  * Radius Server tab

    - For LDAP, when the "Bind with username" checkbox is checked, the password
      editbox is disabled under "mapping attribute names".  The reason for that
      is because the actual act of binding verifies the validity of the account.
      If you can't bind, the account's username & password are incorrect.  So no
      need to map the password field.

  * CONSOLE HELP

    - Revised the help related to the Users Online tab.
    - Revised the help for the Authentication Access.
VPRRS.EXE (The VOPRadius server application itself)

  - Fixed exception with LDAP authentication when the only attribute mapped was
    the Username.
  - The VOP Radius 4.0.228.0 release introduced some problems with the
    "Expiration" attribute. This is now fixed.
  - When an incoming packet's Service-Type was Framed-User and no Service-Type was
    specified in the data source or in the user's profile, the normal behavior
    is to accept the connection as long as there is a Framed-Protocol present in
    the data source or the profile. The code had a problem whereby even if the
    Framed-Protocol was NOT present, it was still acting as if it were present.
    This behavior is now fixed.

--------------------------------------------------------------------------------

----------------------------
Procedure to apply the patch
----------------------------


1) Make sure version 4.0.228 is installed
2) Stop VOP Radius and close the console
3) Launch the VPRRS228.x.EXE installation package
4) Read the Readme.txt file
5) Reboot the computer
6) Start VOP Radius (if the service is set to manual)
7) Confirm under NT Event Viewer --> Application Log that the service started ok

 

1.1.2. Troubleshooting
1.1.2.1. Description of common error codes and messages
1.1.2.1.1. Radius: VOPTEST: Invalid Packet Processing aborting simulation

Problem: When sending an Access Request packet, VOP Radius generates the error "Invalid Packet Processing aborting simulation !"

Cause: The secret set in VOPTest does not match the secret set in the client definition for VOPTest on VOP Radius.

Solution: Find the client definition for VOPTest under VOP Radius --> Clients Tab --> Client Definition for VOPTEST. Next, verify that the secret defined is the same as the secret entered in the VOPTEST console.

1.1.2.1.2. Radius: ODBC Error: State:08001, Msg:[Microsoft][ODBC SQL Server Driver][Shared Memory]SQL Server does not exist or access denied.

Problem: Either users do not authenticate or accounting packets are not recorded in the accounting database. And, the error log shows the following error:

(Debug   :02612) 10/1/2004 17:43:46 ** ODBC (0) ACCESS IDENTIFICATION ** (len=125)
(Error   :02732) 10/1/2004 17:44:03 ODBC Error: State:08001, Msg:[Microsoft][ODBC SQL Server Driver][Shared Memory]SQL Server does not exist or access denied.
(Debug   :02732) 10/1/2004 17:44:03 ODBC Error: Env=Ok,Connect=Ok,State=Error
(Error   :02732) 10/1/2004 17:44:03 ODBC Error: State:08003, Msg:[Microsoft][ODBC Driver Manager] Connection not open
(Debug   :02732) 10/1/2004 17:44:03 Radius ODBC Connection Error: DataSource VoIPRadius

Cause(s) : This is an ODBC error returned either from the ODBC Driver or Microsoft SQL. VOP Radius is reporting rather than generating the error. A list of possible causes includes the following:

* MS SQL Server down
* The wrong MS SQL Server specified under the ODBC Driver
* The credentials to connect to the database are wrong in either VOP Radius or the ODBC Driver.

1.1.2.1.3. "Access check: This user is defined to use a profile and none has been found! [User name: XXX] [0]."
Problem Summary: The following error results from authentication: "Access check: This user is defined to use a profile and none has been found! [User name: XXX] [0]."
 

Cause:

 The user was assigned a profile but the profile was not found in the profiles.txt and a DEFAULT profile does not exist.
 

Resolution:

 There are three different ways to resolve this issue.

1) In the authentication datasource fix the profile assignment error. For example, correct any spelling mistakes or remove the profile altogether if it was not intended.

2) In the profiles.txt file create the profile that the user was assigned. That is, create a profile with the same name as it is written in the authentication datasource.

3) In the profiles.txt file create a "DEFAULT" profile. VOP Radius uses the DEFAULT profile whenever the user has not been assigned to a profile by name or when the profile the user was assigned to does not exist.

Related Information:

 

1.1.2.1.4. Radius: Arithmetic overflow error converting expression to data type int
Problem Summary:

Problem: The Event Viewer and VOP Radius error log "VPRError.log" shows the following error:

VPR Radius Server Error: ODBC Error: State:22003, Msg:[Microsoft][ODBC SQL Server Driver][SQL Server]Arithmetic overflow error converting expression to data type int.

 

Cause:

First, it is important to understand that the source of the error is the SQL Server / ODBC Driver; VOP Radius is only reporting it in the logs. Second, this error is most likely to happen only with accounting data, since authentication performs only a SELECT statement. Third, the error means that there is a mismatch in one of the fields between what VOP Radius is sending, via an INSERT statement, and what the SQL Server table field is set to support. For example, VOP Radius may be sending an INT value via the INSERT statement while the SQL Server table field receiving it is set to accept only TINYINT values. Fourth, it is important to understand that the data VOP Radius receives, and subsequently sends to the SQL Server table, was originally sent by the Network Access Server (NAS). That is, the Network Access Server sends the accounting data to VOP Radius, and VOP Radius in turn takes this accounting data "as is" and sends it to the SQL Server database table configured under the Accounting --> ODBC Setup section.

 

 

Resolution:

 The difficulty with this error is that it does not narrow down the exact field (or fields) where the mismatch exists. For this reason, the administrator may need to perform some guesswork to find the problem. Here are some recommended troubleshooting steps:

1) Enable full log tracking in VOP Radius
2) Find the error in the VOP Radius error log "VPRError.log"
3) Examine the query for values that stand out as "large"
4) Using the SQL Query determine the field name where these "large" values are destined to be inserted
5) In the SQL Server Table look at the data type set for the field
6) Increase as necessary the data type size for the field

Note: The above troubleshooting steps take the viewpoint that what the Network Access Server is sending is correct. It may also be the case that a problem with the Network Access Server is causing it to send incorrect and inflated values. In this case the administrator may take troubleshooting steps focused on the values that the Network Access Server is sending rather than try to compensate for the problem by changing the data type of the SQL Server table field.

Related Information:

 

1.1.2.1.5. RADIUS: The service type is missing!
Problem Summary:

The following error message is listed as the reason for Access Reject:

"Access check : The service type is missing! [Attribute name: Service-Type] [User name: username@domain.com]"

 

Cause:

VOP Radius cannot find a Service-Type attribute value associated with the user. The Service-Type attribute value received in the Access Request must match the Service-Type attribute value assigned to the user. The Service-Type attribute value is assigned to a user either in the Authentication Data Source (e.g. Text File, Database) or in the profile that the user has been assigned (i.e. profiles.txt file).
 

Resolution:

1. Turn on full log tracking to view the Service-Type value received in the Access Request (e.g. Framed-User)
2. Assign the user the same Service-Type attribute value using one of the following options:

Option 1: Directly in the Authentication Datasource
* For example, if the user is authenticating against an ODBC database, then assign the user a matching Service-Type value using the table field.
* For example, if the user is authenticating against a Text File, then assign the user a matching Service-Type value within the user's profile.

Option 2: Profile the user is assigned

If the user is assigned to a profile in the profiles.txt file, then a matching Service-Type value can be assigned there.

Option 3: Default profile

If the user is not assigned to a profile in the profiles.txt file, then the profile named "DEFAULT" can be used to assign the user a matching Service-Type value (the DEFAULT profile is assigned to all users that are not explicitly assigned a profile by name).

 

Related Information:

 

1.1.2.1.6. Radius: Cannot create a remote manager connection point. RPC error 1762.
Problem Summary:

The following error message displays in the Event Viewer and/or VOP Radius error log file "VPRError.log":

Cannot create a remote manager connection point. RPC error 1762.

 

Cause:

The error means that VOP Radius could not register the Remote Management Console (RMC) with the "Remote Procedure Call (RPC) Locator" service. For instance, the "Remote Procedure Call (RPC) Locator" service is disabled.
 

Resolution:

Turn on the "Remote Procedure Call (RPC) Locator" service under Administrative Tools -> Services. Note: The error message is minor. The most that will be affected is that the Remote Management Console will not work (i.e. the feature that allows administrators to connect via the MMC to view the 'Users Online' listing).

Related Information:

 

1.1.2.1.7. Radius: No Password error
Problem Summary:

In the Event Viewer or VOP Radius Error log file, the following error displays :

"No Password"

 

Cause:

 The error means that the Network Access Server (NAS) did not send the Password attribute (2) in the Access Request packet. That is, the NAS for whatever reason did not include this attribute when creating the packet. This may be a signal of a NAS problem or a configuration problem in the case that all packets sent by the NAS generate this error. The Password attribute is required in order to complete the authentication. Whenever this attribute is not present, VOP Radius generates the error and does not continue with the authentication process.

 

Resolution:

 The problem can only be resolved on the NAS (i.e. the device generating and sending packets to the Radius server). However, the Administrator may want to stop the error message from filling the Event Viewer. This can be done in 4.0 228 Update27 and higher by un-checking "Windows Event Viewer" under the "Log Tracking" Tab.

 

Related Information:

 

1.1.2.1.8. Radius: Error: ***1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it
Problem Summary:

VOP Radius Service does not start and the following error message is generated either in Message Box or in the computer's Event Viewer:

Error: ***1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it

 

Cause:

 No Hardware profile under the LogOn tab of the service properties window. This prevents the VOP Radius Service (or any other Service for that matter) from starting.
 

Resolution:

 Add or enable the Hardware profile to correct the problem.

Related Information:

 

1.1.2.1.9. Radius: class CAccessCheck : We got zero (0) as numeric value, this MAY be a problem!
Problem Summary:

The Error Log File (VPRError.log) shows the following error message:

"class CAccessCheck : We got zero (0) as numeric value, this MAY be a problem!"

For example,

"(Debug1  :01784) 3/30/2005 9:45:28 class CAccessCheck : We got zero (0) as numeric value, this MAY be a problem! [Attribute name: Session-Timeout] [User name: test]"

 

Cause:

This error message is only seen starting in version 4.0. The error message is harmless and only serves as a warning to the administrator. In versions earlier than 4.0, VOP Radius silently ignored attribute field values where the value set was NULL or 0. By contrast, in version 4.0, VOP Radius logs a warning message when the field value is 0. In the example above, the warning means that during the authentication query against the database for the username "test", VOP Radius found the attribute Session-Timeout assigned to the user with a value of 0. In the end the warning is only logged and the attribute is not returned to the NAS in the Access Granted packet.
 

Resolution:

 There is nothing particular that the administrator must do if he/she is not bothered by the warning message. However, to make these warning messages "disappear" then the administrator can set the attribute field value to <NULL> rather than 0.

 

Related Information:

 

1.1.2.2. Problems and Solutions
1.1.2.2.1. Radius: New Cisco IOS 12.3 Version incompatible with VOP Radius Users Online (users disappear)

Problem: Users Disappear from VOP Radius User Listing after Cisco IOS upgrade to 12.3

Cause: In some cases the IOS upgrade seems to change the port information sent via the NAS-Port-ID attribute. Specifically, the Cisco NAS sends a value of 0 for the NAS-Port-ID attribute for all packets. VOP Radius reacts in this case by replacing the old username with the new username. The logic behind this is that it is impossible for two users to share the same port at the same time.

Solution: The following IOS command should instruct the Cisco NAS to send proper and unique values for the NAS-Port-ID attribute: radius-server attribute nas-port format d

For more information see the following Cisco Article: http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113db/113db_9/rad_log.htm

1.1.2.2.2. Radius: Service does not start : Error 1068 The dependency service could not start

Problem: VOP Radius Service does not start and the following error is generated: "Error 1068 The dependency service could not start."

Cause: VOP Radius itself does not actually have a dependency. The error message refers to the Remote Manager component of VOP Radius. The error may happen when an IP defined under VOP Radius Console --> Remote Manager --> Used Protocols does NOT exist on the machine. This error is most likely to happen when the IP of the machine has been changed.

Solution: Delete the incorrect entry from under "Used Protocols". Start VOP Radius again.

1.1.3. Configuration Assistance
1.1.3.1. Recommended System Requirements
 

VOP Radius Recommended System Requirements

The following are Vircom’s recommended system requirements for VOP Radius:

 

- Processor: Pentium 3 800MHz or better
- Memory: 256 Megabytes
- Hard Drive: IDE or SCSI
- Connectivity: TCP/IP, Ethernet
- Operating System: Windows 2000 or 2003


Notes:

 

  • VOP Radius isn't by itself hardware intensive.  The slowest part is the authentication data source.  ODBC authentication is faster than any of the other means of authentication generally speaking.  If using ODBC, MS-SQL is much faster than Microsoft Access.  You can run MS-SQL on the same machine as VOP Radius but the ideal setup is to install VOP Radius on one machine and the SQL Server on another.
  • Because VOP Radius is a multi-threaded application, it can benefit from dual-CPU machines.  A low-end dual-CPU system (e.g. dual Pentium III or better) is usually sufficient.
  • Logging:
    • Logging of accounting packet data:
      • This information should be stored in a SQL database, which should be on a third machine.
    • Logging to a “log file”:
      • Depends on the logging level
      • For 5000 users, estimates show that the log file will grow to about 30MB each day (the file is automatically archived in another folder each day). At this daily file size, Vircom recommends at least 5 Gigs of disk space and setting up a process to delete old archived log files.

 

1.1.3.2. How-to and Tutorial
1.1.3.2.1. How-To: Set Up VOP Radius to Authenticate Against Microsoft Active Directory (i.e. LDAP)
1.1.3.2.2. How-To: Allow or deny access based on the user's connection speed (Connect-Info 77)

Background

It is possible with VOP Radius to allow or deny access based on the connection speed of the user. For this to work, the Network Access Server (NAS) must send attribute 77 (i.e. "Connect-Info") along with a value. VOP Radius in turn will compare the value contained in the attribute with what has been specified in the user's assigned profile (i.e. profiles.txt file).

There are two different logic comparisons that can be made: 1) Allow access if the Connect-Info value received in the Access Request is equal to or less than the value specified in the profile; 2) Allow access only if the Connect-Info value received in the Access Request is equal to the value specified in the profile. In the latter case, the network provider generally sends an integer value corresponding to a specific type of network access. For example, a value of 1 may stand for dial-up at 28kbps; a value of 2 for dial-up at 54kbps; etc. It is important to coordinate with your network provider how the value will be sent, or else the intended logic will fail and cause unintended authentication problems.

Implementation

The VOP Radius administrator has the choice of using the following attribute names in the profiles.txt file for the check against the value received for attribute 77 in the Access Request:

* Connect-Info
* Connect-Speed-Limit

The name "Connect-Info" is defined in the VOP Radius dictionary file "VPRDict.txt" and corresponds to attribute 77. "Connect-Speed-Limit", however, is not defined in "VPRDict.txt", nor should it be: it is simply a synonym introduced with VOP Radius 4.0 because it is more descriptive.

Allow access if Connect-Info value received is equal to or less than the value in the profile

This is the default behaviour of VOP Radius.

Profile="connect"
<TAB>Connect-Info="28880"

or

Profile="connect"
<TAB>Connect-Info=28880

or

Profile="connect"
<TAB>Connect-Speed-Limit="28880"

or

Profile="connect"
<TAB>Connect-Speed-Limit=28880

Explanation:  The profiles above will reject the user if the NAS sends an attribute 77 "Connect-Info" value greater than "28880". However, if the value received in the Access Request is equal to or less than "28880", then the user will be granted access (assuming that any other check items were successful).

Note 1: The effect of using the quotes is the same in all the above examples.
Note 2: The value 28880 in the above profiles is only an example. The principle is always the same: VOP Radius compares the value received with what has been specified. 
Note 3: <TAB> means to press the TAB key on the keyboard, not to type that text literally.

Allow access only if the Connect-Info value received is equal to the value in the profile

This logic is implemented by specifying the @ sign in front of the value in the profiles.txt file.

Profile="connect"
<TAB>Connect-Info=@5

or

Profile="connect"
<TAB>Connect-Info="@5"

or

Profile="connect"
<TAB>Connect-Speed-Limit=@5

or

Profile="connect"
<TAB>Connect-Speed-Limit="@5"

Explanation: The profiles above will reject the user if the NAS sends an attribute 77 "Connect-Info" value other than 5. That is, if the value is under 5 or above 5, the Access Request will be rejected.

Note 1: Again, the effect of using quotes around the attribute value is the same in all the above examples.
Note 2: The value of 5 in the above profiles is only an example. The principle is always the same: VOP Radius compares the value received with what has been specified. And, in the case when the @ sign is specified in front of the value within the profiles.txt file, it means an exact match is required or else the user will be rejected.
Note 3: The NAS does NOT have to send the @ sign in front of the Connect-Info attribute value. This symbol is only used within the profiles.txt file to change the logic VOP Radius applies to the comparison.
Note 4: <TAB> means to press the TAB key on the keyboard, not to type that text literally.
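The two comparison rules above, as an added example that is not code from the original page or from Vircom: a small Python check that reads the Connect-Info / Connect-Speed-Limit line of a profile in profiles.txt and applies either the default "equal to or less than" rule or the "@" exact-match rule. The sample profiles.txt text is constructed here, and since the page does not say how VOP Radius treats a missing or non-numeric Connect-Info value when the profile defines a check, the code treats that case as a failed check (an assumption).

```python
import re

CHECK_NAMES = ("Connect-Info", "Connect-Speed-Limit")   # synonyms in profiles.txt

# Constructed sample of a profiles.txt file: a Profile= line followed by
# TAB-indented attribute lines, as in the examples on the page.
SAMPLE_PROFILES = (
    'Profile="dialup"\n'
    '\tConnect-Speed-Limit="28880"\n'
    'Profile="isdn-only"\n'
    '\tConnect-Info=@5\n'
)


def parse_connect_check(value):
    """Parse the value written after Connect-Info / Connect-Speed-Limit.

    Returns (mode, limit): mode is "max" for the default rule (accept when the
    received value is equal to or less than limit) or "exact" when the value
    starts with '@' (accept only when received == limit). Surrounding quotes
    are optional and do not change the meaning."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    mode = "max"
    if v.startswith("@"):
        mode, v = "exact", v[1:]
    if not v.isdigit():
        raise ValueError(f"check value must be a number, got {value!r}")
    return mode, int(v)


def connect_check_from_profile(profiles_text, profile_name):
    """Return the Connect-Info / Connect-Speed-Limit value of one profile,
    or None when that profile defines no such check item."""
    current = None
    for line in profiles_text.splitlines():
        m = re.match(r'^Profile\s*=\s*"?([^"\s]+)"?\s*$', line)
        if m:
            current = m.group(1)
            continue
        if current == profile_name and line.startswith("\t"):
            name, sep, val = line.strip().partition("=")
            if sep and name.strip() in CHECK_NAMES:
                return val.strip()
    return None


def connect_info_allowed(received, profiles_text, profile_name):
    """Decide the Connect-Info (77) check for one Access Request.

    received is the integer the NAS sent in attribute 77, or None when the
    attribute was absent. Assumption (not stated on the page): a missing value
    fails the check whenever the profile defines one."""
    check = connect_check_from_profile(profiles_text, profile_name)
    if check is None:
        return True                      # profile does not check connection speed
    if received is None:
        return False
    mode, limit = parse_connect_check(check)
    return received == limit if mode == "exact" else received <= limit


if __name__ == "__main__":
    for user_profile, speed in (("dialup", 28800), ("dialup", 33600),
                                ("isdn-only", 5), ("isdn-only", 4)):
        verdict = "accept" if connect_info_allowed(speed, SAMPLE_PROFILES, user_profile) else "reject"
        print(f"profile {user_profile:10} Connect-Info={speed:6} -> {verdict}")
```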

1.1.3.2.3. How-To: Use the Ascend-Data-Filter (242) Attributes with VOP Radius

Background:

SPAM is a serious problem that many networks (UUNET, Broadwing, Qwest, etc.) attempt to reduce. On large networks there are problems with users establishing dial-in connections to various Access Points and then spamming mail servers directly. It is very difficult to track these spammers because they avoid detection by purposely spamming only mail servers other than their own ISP's. To address this problem the large networks have forced participating ISPs to send filters in the Access Granted that limit the dial-in user to sending mail only to his ISP's SMTP server. This in itself will not stop the user from spamming; however, it makes it easier to track down the spammer. Moreover, because all the spam will now be relayed through the ISP's mail server, the ISP is forced to "own" the problem and deal with it accordingly.

Quick Facts:

* VOP Radius sends the value in the Ascend Binary Format
* VOP Radius uses the Generic Attribute (242) and not a Vendor Specific Attribute

Implementation:

1) By default if you do not send the Ascend-Data-Filter attributes, then the user will be prevented from connecting to Port 25 on another machine (i.e. they will not be able to send email). The Network Access Servers (NAS) on these networks are configured to drop all packets destined to Port 25, unless told otherwise. By returning the Ascend-Data-Filter attributes and values in the Access Granted, then you are telling the NAS to make an exception and not drop packets destined for Port 25 on a specific IP.

You will need to setup the Ascend-Data-Filter attributes in a profile inside the profiles.txt file. For example:
Profile = "Broadwing"
<TAB>Ascend-Data-Filter = "ip in forward tcp est"
<TAB>Ascend-Data-Filter = "ip in forward dstip 147.208.128.251/32"
<TAB>Ascend-Data-Filter = "ip in forward tcp dstport = 25"
<TAB>Ascend-Data-Filter = "ip in forward"

The following is important:
* Every line except the first begins with a <TAB> (i.e. press the TAB key; do not type the text <TAB>!).
* Unlike the users.txt file, none of the lines end with a comma.
* Be very careful to enter the value exactly as your network has specified. Extra spaces can create serious problems.
* You will need to change the second Ascend-Data-Filter attribute in order to enter your Mail Server's IP


After the profile is created, then you need to assign the profile to the user. For example, if you are using "VOP Database", then you would enter "Broadwing" in the profiles column. However, if you wish to assign all your users to this profile, then there is an easy way to do it. In the profiles.txt file the word "DEFAULT" has special meaning to VOP Radius: It means "Always use this profile". If you choose to use this method, then you do not need to specifically configure each user in the database to use a profile.

For more information on the profiles.txt file please see: http://vircom.com/services/howto/howtovoprad_007.htm

2) When VOP Radius returns the Ascend-Data-Filter attributes in the Access Granted, it takes the plain text value written in the profile and translates it automatically into the Ascend Binary Format. The following is an example of how the Access Granted will look in the VOP Radius error log:

(Debug :01744) 2/11/2002 11:52:47 RECEIVED: 0.0.0.0, code=2 (Access Granted), id=1, len=189
( 33) Proxy-State = [40]"VPRR000192.168.0.243:1/1//C0A800F3/test/"
( 6) Service-Type = 2 Framed-User
( 7) Framed-Protocol = 1 PPP
(242) Ascend-Data-Filter = [26]"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\006\001\000\000\000\000\000\000\000\000\000\000"
(242) Ascend-Data-Filter = [26]"\001\001\001\000\000\000\000\000\223\320\200\373\000 \000\000\000\000\000\000\000\000\000\000\000\000"
(242) Ascend-Data-Filter = [26]"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\006\000\000\000\000\031\000\002\000\000\000\000"
(242) Ascend-Data-Filter = [26]"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"

Notice:

The attribute number is 242 (This is not a VSA)
The total size of the value is 26 bytes.

3) It is possible that even after you configure everything properly, the Ascend-Data-Filter attributes are still not used properly by the NAS. The likely reason is that the NAS needs to receive the attributes with a different padding size. By default VOP Radius uses a padding of 4 (22 bytes + 4 bytes padding = 26 bytes). In general the newer Ascend Network Access Servers expect a padding of 4, while the older ones expect a padding of 2 (22 bytes + 2 bytes padding = 24 bytes). You could try both formats and see which one works, but to be absolutely sure you need to ask your network (e.g. Broadwing) which padding it expects. Even within the same network some nodes might expect a padding of 4 and others a padding of 2.

4) If you need to use a padding other than the default of 4, then you can do so on a per client basis.

Open the VOP Radius Control Panel
Go to the Clients tab
Choose your Client
On the bottom right of the pane change the padding value where it says "Ascend-Data-Filter Padding"
Click Apply

For example, after changing the padding to 2, then the reply will look like the following:

(Debug :01744) 2/11/2002 12:01:56 RECEIVED: 0.0.0.0, code=2 (Access Granted), id=3, len=181
( 33) Proxy-State = [40]"VPRR000192.168.0.243:1/1//C0A800F3/test/"
( 6) Service-Type = 2 Framed-User
( 7) Framed-Protocol = 1 PPP
(242) Ascend-Data-Filter = [24]"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\006\001\000\000\000\000\000\000\000\000"
(242) Ascend-Data-Filter = [24]"\001\001\001\000\000\000\000\000\223\320\200\373\000 \000\000\000\000\000\000\000\000\000\000"
(242) Ascend-Data-Filter = [24]"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\006\000\000\000\000\031\000\002\000\000"
(242) Ascend-Data-Filter = [24]"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
( 25) Class-ID = [1]"9"

Notice: The total size of the value is now 24 and not 26.
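As an added example that is not code from the original page or from Vircom, the following Python encoder and decoder reproduce the translation described in steps 2 to 4: the plain-text filter from profiles.txt to the Ascend binary value and back, with the padding chosen per client. The field layout is my reading of the four log values above (each one round-trips) together with the public Ascend filter format; the port comparison codes other than "=" are an assumption.

```python
import ipaddress
import re
import struct

# Ascend binary IP filter as VOP Radius emits it: a 22-byte body followed by
# NAS-specific zero padding (4 bytes by default, 2 for older Ascend units).
FILTER_STRUCT = "!BBBB4s4sBBBBHHBB"   # type, forward, direction, reserved, FIELDS...
BODY_LEN = struct.calcsize(FILTER_STRUCT)          # 22
FIELDS = ("srcip", "dstip", "srcmask", "dstmask", "proto", "est",
          "srcport", "dstport", "srccmp", "dstcmp")
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in PROTO.items()}
# Port comparison codes: only "=" (2) is visible on the page, the rest is assumed.
CMP = {"<": 1, "=": 2, ">": 3, "!=": 4}
CMP_NAME = {v: k for k, v in CMP.items()}

# The four Ascend-Data-Filter values exactly as printed in the first log excerpt.
LOG_SAMPLES = [
    r"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\006\001\000\000\000\000\000\000\000\000\000\000",
    r"\001\001\001\000\000\000\000\000\223\320\200\373\000 \000\000\000\000\000\000\000\000\000\000\000\000",
    r"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\006\000\000\000\000\031\000\002\000\000\000\000",
    r"\001\001\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000",
]


def log_value_to_bytes(text):
    """Turn the octal-escaped value printed in the VOP Radius log into bytes."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"\\([0-7]{3})", text):
        out += text[pos:m.start()].encode("latin-1")   # literal chars such as ' '
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def encode_ascend_data_filter(text, padding=4):
    """Translate a profiles.txt value such as 'ip in forward tcp dstport = 25'
    into the Ascend binary format, padded the way the client NAS expects."""
    tok = text.lower().split()
    if (len(tok) < 3 or tok[0] != "ip" or tok[1] not in ("in", "out")
            or tok[2] not in ("forward", "drop")):
        raise ValueError("filter must start with 'ip <in|out> <forward|drop>'")
    direction = 1 if tok[1] == "in" else 0
    forward = 1 if tok[2] == "forward" else 0
    f = dict.fromkeys(FIELDS, 0)
    f["srcip"] = f["dstip"] = bytes(4)
    i = 3
    while i < len(tok):
        t = tok[i]
        if t in PROTO or t.isdigit():               # protocol by name or number
            f["proto"] = PROTO[t] if t in PROTO else int(t)
            i += 1
        elif t == "est":                            # established TCP sessions only
            f["est"] = 1
            i += 1
        elif t in ("srcip", "dstip"):               # address[/prefix-length]
            addr, _, bits = tok[i + 1].partition("/")
            f[t] = ipaddress.IPv4Address(addr).packed
            f[t[:3] + "mask"] = int(bits or 32)
            i += 2
        elif t in ("srcport", "dstport"):           # port <op> number
            op = tok[i + 1]
            if op not in CMP:
                raise ValueError(f"unknown port comparison {op!r}")
            f[t], f[t[:3] + "cmp"] = int(tok[i + 2]), CMP[op]
            i += 3
        else:
            raise ValueError(f"unknown filter keyword {t!r}")
    body = struct.pack(FILTER_STRUCT, 1, forward, direction, 0,
                       *(f[k] for k in FIELDS))
    return body + b"\x00" * padding


def decode_ascend_data_filter(raw):
    """Inverse of encode_ascend_data_filter: returns (filter text, padding)."""
    if len(raw) < BODY_LEN:
        raise ValueError(f"value is {len(raw)} bytes, need at least {BODY_LEN}")
    ftype, forward, direction, _, *rest = struct.unpack(FILTER_STRUCT, raw[:BODY_LEN])
    f = dict(zip(FIELDS, rest))
    if ftype != 1:
        raise ValueError("only IP filters (type 1) are supported")
    parts = ["ip", "in" if direction else "out", "forward" if forward else "drop"]
    if f["proto"]:
        parts.append(PROTO_NAME.get(f["proto"], str(f["proto"])))
    for end in ("src", "dst"):
        if f[end + "mask"]:
            parts.append(f"{end}ip {ipaddress.IPv4Address(f[end + 'ip'])}/{f[end + 'mask']}")
        if f[end + "cmp"]:
            parts += [end + "port", CMP_NAME[f[end + "cmp"]], str(f[end + "port"])]
    if f["est"]:
        parts.append("est")
    return " ".join(parts), len(raw) - BODY_LEN


if __name__ == "__main__":
    for sample in LOG_SAMPLES:                      # prints the profile lines back
        print(decode_ascend_data_filter(log_value_to_bytes(sample)))
```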


Troubleshooting:

"Users can still not send email?"

Answer:

We have to try and narrow down where things are going wrong. You should do one authentication request and then start with the VOP Radius error log:

1) Verify in the VPRError.log file that the profile containing the Ascend-Data-Filter attributes is being used.
2) Make a note of the size of the Ascend-Data-Filter value
3) Ask the network on what padding size you should be using
4) Ask the network to do a debug in the NAS and tell you what is not being sent properly. Often they can tell you what line has a problem and then all you need to do is verify that there are no syntax errors.

1.1.3.2.4. How-To: Set VOP Radius to authenticate anybody

Background

 

This how-to describes how to set up VOP Radius to authenticate any username/password combination. Administrators should keep this setup in mind in case they come across an emergency situation where the normal authentication method is no longer working. In this case the administrator could set up VOP Radius to authenticate anybody, buying him/her some time to resolve the problem.

 

Setup

 

Important: The setup for the users.txt file has changed in 4.0.

 

VOP Radius 4.0 228 and higher

 

1. Create a file called “users.txt” under the “radius” folder

2. In the file put the following information:

 

DEFAULT<TAB>Service-Type = Framed-User

<TAB>Auth-Type = "none"

 

3. Save the file

4. Open the VOP Radius Console --> Radius Server Tab and choose Text File

5. Make sure the path points to the “users.txt” file

6. Click Apply

 

Note: <TAB> means to use the key on the keyboard.

 

VOP Radius 3.5 227 and lower

 

1. Create a file called “users.txt” under the “radius” folder

2. In the file put the following information:

 

DEFAULT<TAB>Service-Type = Framed-User

<TAB>Framed-Protocol = PPP

 

3. Save the file

4. Open the VOP Radius Console --> Radius Server Tab and choose Text File

5. Make sure the path points to the “users.txt” file

6. Click Apply

 

 

Note 1: <TAB> means to use the key on the keyboard.

Note 2: The OLD VOP Radius How-to Authenticate Anybody described using the profiles.txt file. There was no need for this and as a result this How-to has simplified things.

1.1.3.2.5. How-To: Filter Access Based on the Number Called (Called-Station-ID : Attribute Number 30)

Background:

VOP Radius can be configured to use the Called-Station-ID as a Check Item. Administrators can use this feature to Deny or Accept Access from users based on the Network Access Server (NAS) Telephone Number that they called.

Prerequisite:

In order for this to work the NAS needs to send the number within the Called-Station-ID (30) Attribute. You should contact your NAS manufacturer to see if this is possible and how to implement it. You should review the How-To on the Profiles.txt file to make sure that you use the correct syntax ( link to profiles.txt How-To).

Implementation:

  • The easiest way to implement the Called-Station-ID as a check item is to use a Radius Profile.
  • You can use multiple numbers, as long as they are separated by commas.
  • Make sure the whole definition appears between QUOTES.
  • If you wish to prevent access, you must include a '!' character in front of the definition.
  • Important: By default, if a user of this profile doesn't have a CallerID or a DNIS attribute included in the Access Request, he will be denied access. If you wish to grant access in those cases, just put a star '*' character at the beginning of the definition (prior to the '!' or any numbers).
  • Important: The value for this attribute can NOT exceed 230 characters and nor can you get around this limitation by creating two instances of the Attribute. If this will be a problem, then please see below for another method of using the Called-Station-ID.

Examples:

#This one allows access to all except if the Called-Station-ID is "2223333333" or "4445555555"
#A '*' is used in front of the string to tell VOP Radius to NOT reject if the Called-Station-ID is not sent

Profile = "RestrictForMost"
Called-Station-ID = "*2223333333, 4445555555"

#This one denies access if the Called-Station-ID is "1112223333" or "2223334444"
#As well if the Called-Station-ID attribute is not sent, then an Access Reject will result

Profile = "DenyForSome"
Called-Station-ID = "!1112223333, 2223334444"

Troubleshooting:

The following are some common problems and answers you might run into:

"I created the Profile with the Called-Station-ID Attribute to reject a few numbers, but now all my users are getting rejected?"

Answer:
Verify in the Error Log that the Called-Station-ID Attribute is being received. Unless you specified a '*' at the start of the profile string, any Access Request without the Called-Station-ID Attribute will result in an Access Reject.

"I entered the phone numbers to reject in the Profile, but it is not working?"

Answer:
Be very careful how you are entering the phone numbers. VOP Radius tries to match the value of the Called-Station-ID in the Access Request with that in the Profile. A value of "5554443333" does NOT equal "555-444-3333" !

"I have way too many numbers to enter! There must be a better way?"

Answer:
Yes there is probably a better way. You might want to use another attribute (e.g. NAS-IP-Address or Source IP). Or if it is absolutely necessary that you base the filtering on the Called-Station-ID Attribute and the value of the line will exceed 230 characters, then you should use our VPRHook.dll feature.

1.1.3.2.6. How-To: Use VPRHook API to Filter Access Based on the Number Called (Called-Station-ID : Attribute Number 30)

Background:

VOP Radius can be configured to use the Called-Station-ID as a Check Item. Administrators can use this feature to Deny or Accept Access from users based on the Network Access Server (NAS) Telephone Number that they called. Normally this feature should be implemented using the profiles.txt file and the Called-Station-ID attribute which can include a maximum of 230 characters worth of numbers. See the KB article "How-To: Filter Access Based on the Number Called (Called-Station-ID : Attribute Number 30)" for more information. However, the 230 character limitation can be exceeded by using VPRHook.dll as a "workaround".

Prerequisite:

In order for this to work the NAS needs to send the number within the Called-Station-ID (30) Attribute. You should contact your NAS manufacturer to see if this is possible and how to implement it.

Implementation:

The VPRHook Called-Station-ID feature is made up of the following two files:

  • Our custom made "VPRHook.dll" file that you can download below.
  • "DenyID.txt" (specifies the telephone numbers, one per line, that should be rejected)

Here are the implementation steps:

  1. Download the VPRHook.dll file found at the bottom of this KB article
  2. Go to the folder called "RADIUS" where "VPRRS.exe" is located and create a file called "DenyID.txt"
  3. Stop VOP Radius
  4. Save "VPRHook.dll" to the Radius folder
  5. Restart VOP Radius so that "VPRHook.dll" can be loaded
  6. Edit "DenyID.txt" and specify the Called-Station-ID numbers, one per line, that VOP Radius should reject.

Some points:

  • If no match is found for the Called-Station-ID, then the normal authentication process continues.
  • You have the choice of specifying the whole Called-Station-ID attribute value or only its beginning (wildcard support).
  • Only specify one telephone number per line.
  • VOP Radius must be restarted each time the DenyID.txt file is edited.
  • Important: Matches found in the "DenyID.txt" file will affect all users. There is not a way like with a profile to apply the filter to only a subset of users.
  • Important: VPRHook.dll may cause performance problems and as a result VOP Radius should be closely monitored after the implementation. If a performance problem is suspected, stop VOP Radius, rename "VPRHook.dll" and restart. "VPRHook.dll" will then not be loaded and you can determine whether it is related to the performance issues.

Examples:

Block all numbers with an area code of "555" and "444":

555
444

The more digits you specify, the more specific the filter becomes:

555222 (blocks any number that begins with "555222")

It is best to specify the whole number if you only need to specify a few in order to minimize side effects:

5552228888 (blocks only one number)

At the bottom of this KB article an example DenyID.txt file can be found.
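The left-to-right match described above can be modelled in a few lines. The following is an added example, not Vircom's VPRHook.dll code, using a constructed DenyID.txt; it also includes an audit helper that flags entries already covered by a shorter one, since a broad prefix silently applies to every user.

```python
"""Model of the DenyID.txt prefix match (added example, not VPRHook.dll).

The sample DenyID.txt content and the phone numbers are constructed.
"""
from typing import Iterable, Optional

# Constructed DenyID.txt: one Called-Station-ID (or its beginning) per line.
DENYID_SAMPLE = """514
4448888
5142228888
6135550100
"""


def load_deny_list(text: str) -> list[str]:
    """Parse DenyID.txt content: one entry per line, blank lines ignored.

    No normalisation is applied on purpose: the KB compares the raw
    Called-Station-ID string, so "613-555-0100" and "6135550100" differ.
    """
    return [line.strip() for line in text.splitlines() if line.strip()]


def matching_entry(called_station_id: Optional[str],
                   deny_list: Iterable[str]) -> Optional[str]:
    """Return the DenyID.txt entry that matches, or None.

    An entry matches when the Called-Station-ID *starts with* it, so "514"
    catches every number in area code 514 while "5142228888" catches one
    number. A request without the attribute can never match and therefore
    falls through to the normal authentication process.
    """
    if not called_station_id:
        return None
    for entry in deny_list:
        if called_station_id.startswith(entry):
            return entry
    return None


def decide(called_station_id: Optional[str], deny_list: Iterable[str]) -> str:
    """Hook outcome: 'reject' on a match, otherwise 'continue' to normal auth."""
    return "reject" if matching_entry(called_station_id, deny_list) else "continue"


def shadowed_entries(deny_list: list[str]) -> list[tuple[str, str]]:
    """Audit helper: entries that a shorter entry already covers.

    Such entries never change the outcome, but they hide how broad the
    filter really is, which matters because DenyID.txt applies to all users.
    """
    found = []
    for entry in deny_list:
        for other in deny_list:
            if other != entry and entry.startswith(other):
                found.append((entry, other))
                break
    return found


if __name__ == "__main__":
    deny = load_deny_list(DENYID_SAMPLE)
    for number in ("5554448888", "4448888000", "5145550199",
                   "613-555-0100", "6135550100", None):
        print(f"{number!r:>16} -> {decide(number, deny)}")
    print("shadowed entries:", shadowed_entries(deny))
```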


Troubleshooting:

The following are some common problems and answers you might run into:

"I entered the phone numbers to reject in the DenyID.txt file, but it is not working?"

Answer:
Be very careful how you are entering the phone numbers. VOP Radius tries to match the value of the Called-Station-ID in the Access Request with that in the "DenyID.txt" file. A value of "5554448888" does not equal "4448888" ("555" does not match "444"). Remember a match is searched from left to right in the "DenyID.txt" file, so you can specify only the beginning of the telephone number (e.g. "514" to block "514XXXYYYY").

"I have way too many numbers to enter! There must be a better way?"

Answer:
Yes there is probably a better way. You might want to use another attribute (e.g. NAS-IP-Address or Source IP). For instance, the NAS-IP-Address can be used instead to block a user from calling all numbers on one particular NAS.

"I added a number to the DenyID.txt but when I test VOP Radius is not rejecting the authentication request?"

Answer:
VOP Radius must be restarted each time the DenyID.txt file is edited. If this is not the case then the error log with full log tracking should give more information on the source of the problem.

1.1.3.2.7. How-To: Setup a Centralized Roaming Network

What is Centralized Roaming?

With Centralized roaming, a roaming "agency" running a central RADIUS server acts as a proxy server for all members of the roaming network. This approach is used by some national roaming networks like US Online or the RODOPI club for instance. With centralized roaming, ISP A, B and C share a common authentication link through ISP D (our central roaming agency).

Centralized roaming has several benefits over peer-to-peer roaming in that individual ISPs do not need to maintain a list of all members on the network. The central "roaming agency" takes care of that. It also makes it fairly easy for anyone to become a central roaming hub. With this setup, any member of the network can have users login via any member of the network. Example:

  1. A user from ISP C connects to ISP A's NAS with a realm of ISPC.com.
  2. The NAS belonging to ISP A sends an Access Request to ISP A's RADIUS server with the user's username and password.
  3. ISP A's RADIUS server recognizes that the user has a realm, so it dispatches the Access Request to ISP D's RADIUS server (our roaming hub) with the user's username and password.
  4. ISP D receives the request and looks up a matching realm in its Clients table. After finding the client with a realm of ISPC.com, it automatically sends an Access Request to ISP C's RADIUS server with the user's username and password.
  5. ISP C receives the Access Request from ISP D and queries its local database for a matching username and password. Once the user has been found in the database, ISP C sends an Access Granted (or Access Rejected if unsuccessful) to ISP D [Central Roaming Hub].
  6. ISP D receives the Access Granted for that user and sends an Access Granted to ISP A.
  7. ISP A receives the Access Granted for the connected user and replies to its NAS with an Access Granted. The user is now online.
  8. At this point all 3 ISPs will receive accounting start/stop packets, letting each ISP keep track of activity. Eventually these ISPs will contact each other with an accounting report for payments.

How to setup a member of the roaming network

In the ISP A clients tab, the radius server needs to have 2 types of clients configured. It'll need definitions for each NAS that will talk to the RADIUS server, and a client definition that would be used to identify ISP D's radius server for authentication which is acting as the central Roaming Hub.

Step 1 - Go to Clients tab and click on the Add button

Step 2 - Create the client definition for your NAS

  • Enter the name for your NAS.
  • Enter its IP address and select a shared secret that will encrypt traffic between the RADIUS server and the NAS being defined.
  • Under Client Type, select the type of NAS or select "OTHER" if it's not listed here.
  • Click on OK to close the dialogue.

For the sake of this example, we used NAS1 as the NAS name, 10.10.10.1 for IP and nas1 for the shared secret.

Step 3 - Create the client definition for ISP D [The central roaming hub]

We must now create the client connection that will be used to channel authentication packets to the central roaming hub when a user belonging to ISPs on the network logs on to ISP A's local NAS. This definition will also be used to channel local users that were authenticated by other RADIUS servers on the network (for instance, if a user from ISP A logged in through another ISP's dialup ports on the network).

Click add and enter the name, IP address and a secret for ISP D. Under Client Type select Roamer. Your screen should look like the following:

The Clients tab should look like the following:

With a roaming network that uses a central roaming hub, this is the behavior you want to have:

  • If someone logs into the local NAS as username and password, without a realm, the user should be authenticated locally [the setup does this by default].

  • If someone logs into the local NAS as username@remoterealm, the authentication request should be forwarded to the Central Hub [we will need to set the central hub as the default roamer].

  • If we receive an authentication packet FROM the Central hub with a username@localrealm, we want to authenticate the user locally [we will need to identify the local realm as being authenticated via the local database].

Step 4 - Set up the default roamer.

In the General tab, under the Default Roamer Server field, enter the IP address of ISP D. This will forward to the central hub any incoming connections from users logging on with a realm not belonging to ISP A.

Step 5 - Identify the local realm.

In the Add. Database IDs tab, go to the Local Roaming/Domain IDs field and enter the local realm (domain). This tells the RADIUS server which realm to use for local authentication. Your screen should look like the following:




How to setup the central roaming hub:


In ISP D's Clients tab, the RADIUS server needs to have clients configured for each ISP that will be a member of the roaming network. ISP D may also have additional entries for its own NASs.

Here is a step-by-step guide to configuring ISP D's RADIUS server for authentication:

Step 1 - Create a definition for a member ISP

  • Go to the Clients tab in the RADIUS server and click Add.
  • In the Name field enter the name, then the IP and secret associated with ISP A.
  • For Client Type select Roamer.
  • Repeat this step for each ISP.

The following is an example of what the clients tab should look like for ISP D:

If a user gets roamed to ISP D with a realm of ispa.com, the RADIUS server will then look in the Clients tab for the client associated with this realm and then route the authentication (and accounting) packets to that RADIUS server. In this example it will locate the client called ISPA with an IP of 10.10.10.1 and a secret of "ispd". If you go back to ISP A's Clients tab, you will find a client called ISPD with an IP of 20.20.20.1 and a secret of "ispd". This is how connections are made and roaming is done.

1.1.3.2.8. How-To: Define New Attributes With VOP Radius (e.g. VSAs)

Background

Radius attributes can be thought of as the carriers of information between the Radius Client (e.g. Network Access Server, Wireless Access Point, etc..) and the Radius Server (e.g. VOP Radius). There are hundreds, if not thousands, of attributes that can be used, and more are added all the time as the RADIUS protocol is integrated into new technologies. As a result, there is a good chance that at one point or another, usually with the integration of another product, the administrator will need to define new attributes.

Attributes can be classified into two groups:

1) Generic: Generally the oldest attributes – ones defined under the original RADIUS protocol RFC. These are used most often between Radius Server – Client exchanges and rarely need to be defined in a Radius Server’s dictionary file.

2) Vendor Specific Attributes (VSAs): Most Radius servers contain a subset of these attributes, but more often than not, they need to be defined by the administrator. For example, with the advent of wireless technologies, new manufacturers have emerged on the market and each with its own VSAs.

Understanding Attribute Format

Three hierarchical parts make-up an attribute:

Vendor Code – Attribute Number – Value

For Generic attributes the Vendor Code is 0. For VSAs a unique Vendor Code is used by each vendor. For example, Microsoft uses Vendor Code 311, Cisco 9, etc… Next, each vendor uses the attribute number to specify the attribute used. It should be apparent that without knowing the Vendor Code, it does not make sense to speak of just the attribute number. For instance, Generic attribute 1 represents the attribute that carries the username value. By contrast, Cisco attribute 1 represents the attribute often called Cisco-AVPair.

VOP Radius Dictionary Organization

VOP Radius reads a file called “VPRDict.txt” under the “Radius” folder. This is the file where new attributes can be defined. The following are the major logical sections:

Vendor Code definition:

VENDOR_CODE<TAB>VENDOR NAME<TAB>VENDOR CODE

Generic Attribute Definition:

ATTRIBUTE<TAB>ATTRIBUTE NAME<TAB>ATTRIBUTE NUMBER<TAB>ATTRIBUTE VALUE TYPE

Generic Attribute Value Definitions:

VALUE<TAB>ATTRIBUTE NAME<TAB>VALUE NAME<TAB>INTEGER VALUE

Vendor Specific Attribute Definitions:

VSA<TAB>VENDOR NAME<TAB>VSA NAME<TAB>VSA NUMBER<TAB>VSA VALUE TYPE

Vendor Specific Attribute Value Definitions:

VSA_VALUE<TAB>VENDOR NAME<TAB>VSA ATTRIBUTE NAME<TAB>VALUE NAME<TAB>INTEGER VALUE

Note: The <TAB> signifies pushing on the keyboard’s TAB key.

Note: No Vendor Code definition is needed for Generic Attributes.

Note: Value definitions are rarely used and not needed. They are simply available for the administrator to define a “friendly” name for values. These “friendly” names then appear in the error log file or can be used in the profiles.txt file (e.g. Service-Type = Framed-User rather than Service-Type = 2)

The Information Required to Define a New Attribute

* The Vendor Code of the attribute

* The VSA attribute number

* The “friendly” name of the attribute (e.g. username, password, Cisco-AVPair, etc..)

* The value type of the VSA (e.g. string, integer).

Without the above information it is not possible to define a new attribute. The administrator should ask the Radius Client vendor to supply it, as there is no way to “guess”.

Steps to Define New Vendor Specific Attribute

1) Under the “radius” folder make a backup copy of “VPRDict.txt”. This way if a mistake is made it will be easy to revert back to the original file.

2) Open “VPRDict.txt”, the file you want to edit, and add the Vendor Code Definition. For example:

VENDOR_CODE         WAVERIDER    2979

3) In the same file add the VSAs, each on its own line. For example:

VSA    WAVERIDER    Grade-of-Service      1        integer

4) Save the file

5) Restart VOP Radius – This is very important because VOP Radius will only load new definitions after it is restarted.

The best way to define new VSAs in the dictionary file is to use existing definitions as an example. Recent VOP Radius dictionary files should contain reference to Cisco VSAs. The idea would be to model any new definitions after Cisco.

Note: Some confusion might result from the fact that the file “VPRDICT.txt” contains a definition for generic attribute 26 called “Vendor-Specific”. This definition should never be changed. VSAs are actually encapsulated within this attribute, and changing the name of this definition will prevent VSAs from working. For a more complete technical explanation please consult the Radius RFC.

Using VSAs

In most cases the whole reason to define new attributes is so that they can be returned in the Access Granted packet to the Radius Client. The administrator can do this by creating a profile under the profiles.txt and then assigning the user to the profile name. For example:

In profiles.txt file:

Profile=”example”

<TAB>Service-Type = Framed-User

<TAB>Framed-Protocol = PPP

<TAB>Grade-of-Service = 4

In this example, we defined a profile called “example” and set it up to return VSA 1 of Vendor 2979. However, before the attribute(s) in the profile will be returned in the Access Granted packet, the administrator needs to assign the user to the profile. For instance, if VOP Radius is authenticating against the MS Access database VOPDB.MDB that comes with the product, then the name “example” should be entered in the “Profiles” field of the “Authentication” table.

Questions and Problems

1. “In VPRDict.txt, what does “vtype=integer” mean when it appears in the VENDOR_CODE definition?”

Answer: “VTYPE” stands for Vendor Type and the value corresponds to the number of bytes used in the packet to hold the Vendor Type field. According to the Radius RFC, the value should be 1 byte, and it is very rare these days to find a vendor that follows a different specification. However, in the past some vendors, most notably US Robotics, used a different specification for the Vendor Type field. Specifically, they used 4 bytes rather than 1.

By default, VOP Radius assumes only 1 byte is used for the Vendor Type. However, if the entry “vtype=integer” is used on the far right of the vendor definition, then it tells VOP Radius that actually 4 bytes are used. The examples below explain in more detail the difference when the Vendor Type is 1 or 4 bytes:

From the RFCs: (Vendor type is 1 byte)

 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |  Length       |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont)           | Vendor type   | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Attribute-Specific...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

 

For US Robotics: (Not as per RFC)

 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |  Length       |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont)           |            Vendor type
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Vendor-type (cont)          |       Attribute-Specific...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

In short, the “vtype” parameter is present in the VOP Radius dictionary file for backward compatibility purposes and the administrator should not need to worry about it.
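To make the attribute format from "Understanding Attribute Format" and the two Vendor Type layouts concrete, here is an added example (not VOP Radius code) that parses a constructed VPRDict.txt excerpt and then builds and decodes attribute 26 both ways. The USR vendor code 429 and the "USR-Example" VSA are assumed for illustration, and each attribute 26 is taken to carry a single vendor sub-attribute.

```python
"""Encode/decode RADIUS attribute 26 (Vendor-Specific) in the RFC layout
(1-byte vendor type + vendor length) and in the vtype=integer layout
(4-byte vendor type, no vendor length). Added example, not VOP Radius code.
"""
import struct

VENDOR_SPECIFIC = 26

# Constructed VPRDict.txt excerpt, tab-separated as the KB describes.
# The USR vendor code 429 and the USR-Example VSA are assumed for illustration.
DICT_SAMPLE = (
    "VENDOR_CODE\tWAVERIDER\t2979\n"
    "VENDOR_CODE\tUSR\t429\tvtype=integer\n"
    "VSA\tWAVERIDER\tGrade-of-Service\t1\tinteger\n"
    "VSA\tUSR\tUSR-Example\t1\tstring\n"
)


def parse_dictionary(text):
    """Return (vendors, vsas).

    vendors: vendor name -> (vendor id, vendor type length in bytes)
    vsas:    VSA name    -> (vendor name, VSA number, value type)
    """
    vendors, vsas = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "VENDOR_CODE":
            # "vtype=integer" on the far right selects the 4-byte layout
            vtype_len = 4 if any(p.lower() == "vtype=integer" for p in parts[3:]) else 1
            vendors[parts[1]] = (int(parts[2]), vtype_len)
        elif parts[0] == "VSA":
            if parts[1] not in vendors:
                raise ValueError(f"VSA {parts[2]} refers to undefined vendor {parts[1]}")
            vsas[parts[2]] = (parts[1], int(parts[3]), parts[4].lower())
    return vendors, vsas


def encode_vsa(vendor_id, vendor_type, value, vtype_len=1):
    """Build one attribute 26 carrying a single vendor sub-attribute."""
    if vtype_len == 1:
        # RFC layout: vendor type (1) | vendor length (1) | attribute-specific
        inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    else:
        # vtype=integer layout: vendor type (4) | attribute-specific
        inner = struct.pack("!I", vendor_type) + value
    body = struct.pack("!I", vendor_id) + inner
    if 2 + len(body) > 255:
        raise ValueError("attribute longer than 255 bytes")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr, vtype_len=1):
    """Inverse of encode_vsa; raises ValueError on a malformed attribute.

    Decoding a 4-byte-layout attribute with vtype_len=1 fails on the vendor
    length check, which is exactly why the dictionary has to say "vtype".
    """
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    inner = attr[6:]
    if vtype_len == 1:
        vendor_type, vendor_len = inner[0], inner[1]
        if vendor_len != len(inner) or vendor_len < 2:
            raise ValueError("vendor length does not match attribute")
        return vendor_id, vendor_type, inner[2:]
    if len(inner) < 4:
        raise ValueError("truncated 4-byte vendor type")
    return vendor_id, struct.unpack("!I", inner[:4])[0], inner[4:]


def encode_from_dictionary(dictionary, vsa_name, value):
    """Encode a profile line such as 'Grade-of-Service = 4' via the dictionary."""
    vendors, vsas = dictionary
    vendor_name, number, value_type = vsas[vsa_name]
    vendor_id, vtype_len = vendors[vendor_name]
    if value_type == "integer":
        data = struct.pack("!I", int(value))
    elif value_type == "string":
        data = str(value).encode()
    else:
        raise ValueError(f"unsupported value type {value_type}")
    return encode_vsa(vendor_id, number, data, vtype_len)


if __name__ == "__main__":
    d = parse_dictionary(DICT_SAMPLE)
    print(encode_from_dictionary(d, "Grade-of-Service", 4).hex(" "))
    print(encode_from_dictionary(d, "USR-Example", "x").hex(" "))
```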

1.1.3.2.9. How-To: Disable users in Radius

There are several different options to disable a user in Radius.

Existing methods:

  1. Analog and Digital Access: Disable this access
  2. Expirationdate field: Enter an expiration date in the Expirationdate column of the authentication database

Alternate method:

  • Create a new column in the authentication database, e.g., call it "Allow."
  • A value of 1 = user does have access; a value of 0 = no access 
  • Add a WHERE statement to the query under the Radius Server Tab > ODBC Setup. In the white box beside "Add. WHERE statement," add the following: allow=1


NOTE:  You can test this by using one of the Add. Database Ids slots so as to not affect your production users.

1.1.3.2.10. How-To: Use the VOP Radius Failover Feature
1.1.3.2.11. How To: Use Interim/Watchdog Packets to prevent "ghosted" usernames and prevent false simultaneous login rejections
 

Background: VOP Radius uses the Users Online Listing to keep a record of which Usernames are online. The listing is updated passively; that is, VOP Radius needs to be told, via accounting packets from the NAS or foreign Radius Server, who has logged on or off. Here is the normal sequence:

  1. The User authenticates and his username changes into the "ACK" state
  2. The username will stay in this state until the Accounting Start packet is received
  3. If the Accounting Start packet is never received, then the username will be removed after the time set in "ACK State Timeout"
  4. Once the Accounting Start is received, the Username goes into the "START" state. They are now officially online.
  5. When the user disconnects, the NAS should send an Accounting STOP packet.
  6. When VOP Radius receives the Accounting STOP packet, the Username will go into the "END" state until "END State Timeout"
  7. For purposes of checking for simultaneous logins, a username in the "END" state is not "seen" by VOP Radius

The RADIUS protocol runs over UDP/IP and at times some packets may go missing. When either an Accounting Start or Stop packet is not received by VOP Radius, then the Users Online Listing will not be accurate. Any time VOP Radius needs to force a Port-Limit setting, the Online Users Listing is consulted. For example, if username "joe" is online and his profile has been assigned a Port-Limit of 1, then if "joe" attempts another login, he will be rejected. However, if for some reason the username "joe" was not in the Online Users Listing even though he was really online, then "joe" would have falsely received a simultaneous login.

Here are the consequences of missing Accounting packets:

Missing Accounting Start: The Username stays in the ACK state until the "ACK State Timeout" is reached and is then removed. VOP Radius now has no indication that the user is online.

Missing Accounting Stop: The Username stays in the START state even though he is no longer online! VOP Radius will think that the user is online even though he is not. Theoretically the username can stay "frozen" there forever; in practice this rarely happens, because whenever a new Access Request is received with the same NAS-Port-ID, VOP Radius removes the "frozen" username and replaces him with the new one. The logic is that two usernames cannot be using the same Port at the same time, so VOP Radius assumes it missed the Accounting STOP for the first username and removes him from the listing. However, until VOP Radius does its "Cleaning Up Port: swap new for old", a user with Port-Limit=1 will not be able to authenticate. This is usually the most troublesome for network administrators because the customer ends up calling their ISP to find out why they cannot connect.

How to reduce this from happening:

The good news is that VOP Radius has a feature to compensate for missing Accounting STOP records. To use this feature the NAS needs to support Watchdog Packets (also called Interim Packets). The idea is that VOP Radius will keep the username in the listing so long as it receives these Watchdog packets. If after a certain amount of time a Watchdog packet has not been received, then VOP Radius will assume that the user disconnected and the Accounting STOP packet went missing, and as a result it will remove the Username from the Users Online Listing.

To setup the NAS and VOP Radius to use the Watchdog/Interim packets:

  1. Consult the NAS manufacturer to confirm that it is possible. There are hundreds of NAS manufacturers and it is not possible for us to list the exact configuration here.
  2. Set the Interval time that the Watchdog packet will be sent (e.g. once every 3 minutes)
  3. Confirm that VOP Radius is receiving the Watchdog packets. You can do this by using the VPRError.log and locating an Accounting Packet. The value of the Acct-Status-Type Attribute (40) will equal "Watchdog" and/or an integer value of 3.
  4. Open the VOP Radius Control Panel-->Clients Tab and select the Client definition for the NAS.
  5. On the bottom left there should be a setting called "Interval time between Interim packets [sec]"
  6. Enter a value here that is at least 3 times greater than what was set in the NAS (e.g. 9 minutes). The reason we set the Interval time greater in VOP Radius is because we do not want to prematurely remove the username from the Users Online Listing. Accounting Watchdog packets, like Stop packets, do go missing.

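The ACK/START/END states, the two timeouts and the per-client Interim interval described above, as an added example (not VOP Radius code) that also applies the Port-Limit check against the listing. The timeouts, NAS address and port numbers are constructed; the scenario has the NAS sending a Watchdog every 3 minutes and VOP Radius set to 9 minutes, as recommended in step 6.

```python
"""Simulation of the Users Online Listing (added example, not VOP Radius code).

Times are plain seconds passed in by the caller so the run is deterministic.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    nas: str
    port: int
    state: str          # "ACK", "START" or "END"
    last_seen: float    # time of the last packet that touched this entry


@dataclass
class OnlineListing:
    ack_timeout: float = 120.0      # "ACK State Timeout" (constructed value)
    end_timeout: float = 60.0       # "END State Timeout" (constructed value)
    interim_interval: float = 0.0   # client setting; 0 = no Watchdog expiry
    sessions: list = field(default_factory=list)

    def _find(self, nas, port):
        return next((s for s in self.sessions if s.nas == nas and s.port == port), None)

    def active_count(self, user):
        """Sessions that count toward Port-Limit: END state is not 'seen'."""
        return sum(1 for s in self.sessions if s.user == user and s.state != "END")

    def access_request(self, user, nas, port, now, port_limit=None):
        """An authenticated Access Request; returns True if the login is allowed."""
        old = self._find(nas, port)
        if old is not None:
            # "Cleaning Up Port: swap new for old": two usernames cannot use
            # the same port at once, so the stale entry is dropped first
            self.sessions.remove(old)
        if port_limit is not None and self.active_count(user) >= port_limit:
            return False                      # simultaneous login rejected
        self.sessions.append(Session(user, nas, port, "ACK", now))
        return True

    def accounting(self, status, nas, port, now):
        """Acct-Status-Type 'Start' (1), 'Stop' (2) or 'Watchdog' (3)."""
        s = self._find(nas, port)
        if s is None:
            return
        if status == "Start":
            s.state = "START"
        elif status == "Stop":
            s.state = "END"
        s.last_seen = now          # a Watchdog only refreshes the timer

    def expire(self, now):
        """Apply the timeouts; returns the entries that were removed."""
        removed = []
        for s in list(self.sessions):
            age = now - s.last_seen
            stale = (
                (s.state == "ACK" and age > self.ack_timeout)
                or (s.state == "END" and age > self.end_timeout)
                or (s.state == "START" and self.interim_interval > 0
                    and age > self.interim_interval)
            )
            if stale:
                self.sessions.remove(s)
                removed.append(s)
        return removed


def missing_stop_scenario(interim_interval):
    """joe logs in, the Accounting Stop is lost, joe redials 10 minutes later
    on another port with Port-Limit=1. Returns True if the redial is accepted."""
    listing = OnlineListing(interim_interval=interim_interval)
    listing.access_request("joe", "10.10.10.1", 7, now=0, port_limit=1)
    listing.accounting("Start", "10.10.10.1", 7, now=5)
    for t in (185, 365):          # NAS sends a Watchdog every 3 minutes
        listing.accounting("Watchdog", "10.10.10.1", 7, now=t)
    # joe hangs up around t=400 and the Accounting Stop never arrives
    listing.expire(now=1000)
    return listing.access_request("joe", "10.10.10.1", 9, now=1000, port_limit=1)


if __name__ == "__main__":
    print("9-minute Interim interval configured:", missing_stop_scenario(540))
    print("no Interim interval configured     :", missing_stop_scenario(0))
```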
1.1.3.2.12. How-to: Use the "IP Pools Filter Name" option in the client definition

Background

 

VOP Radius 4.0.228 and higher includes a new feature under the Clients Tab --> <Client Definition> called “IP Pools Filter Name”.

In versions earlier than 4.0.228 it was only possible to assign a user an IP address if, and only if, the end authentication took place on VOP Radius (e.g. ODBC, Text File). In this case, the administrator would assign attribute 11 “Filter-ID” to the user, either using a profile or in the database. The new “IP Pools Filter Name” extends this feature for proxy situations, in which case authentication takes place on another radius server and not VOP Radius. For instance, for some realms/domains, VOP Radius may be set to forward the authentication packets to an upstream radius server for authentication. When this upstream radius server returns Access Granted to VOP Radius, the feature makes it possible to include a Framed-Address into the packet before returning the packet to the Network Access Server (NAS).

An example:

The following example is based on information contained in the screen shot above

1) VOP Radius receives an Access Request with the username username@intrex.net from NAS 1.1.1.1

2) VOP Radius matches the domain name “intrex.net” to the screen shot definition above

3) After the match, VOP Radius forwards the packet to 192.168.0.111

4) At the same time VOP Radius notes that the “IP Pools Filter Name” feature is used and the value is “dialupras”

5) When the Access Granted packet is received, and as long as it does not contain a Framed-Address attribute with a value other than 255.255.255.254, VOP Radius will try to find a match for the “dialupras” name under the “Radius Server” Tab “Static IP Pools”

6) Once a match is found, the IP address available from the pool will be included in the Access Granted packet.

7) VOP Radius returns the Access Granted packet with the Framed-Address attribute value to NAS 1.1.1.1

 

Important notes:

* For the feature to work, the “IP Pools Filter Name” value, representing a Filter-ID attribute value, must be found under the “radius server” tab “Static IP Pools”.

* If the upstream radius server returns a value for the Framed-Address attribute other than 255.255.255.254, VOP Radius will not then assign the user an IP from its local pool. This is based on the assumption that if a Framed-Address attribute value is present in the packet, then this was done for a reason and as a result should be returned to the user.
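Steps 5 to 7 and the two notes above, as an added example (not VOP Radius code). The pool range and the "dialupras" filter name mirror the log excerpt later in this section and are constructed; 255.255.255.254, or no Framed-Address at all, is treated as "assign from the local pool".

```python
"""Post-proxy Framed-Address handling for a client with an "IP Pools Filter
Name" (added example, not VOP Radius code)."""
import ipaddress

# Upstream value meaning "no address chosen, use the local pool".
NO_ADDRESS = ipaddress.IPv4Address("255.255.255.254")


class StaticIpPools:
    """Named pools of contiguous IPv4 ranges, like the Static IP Pools tab."""

    def __init__(self, pools):
        # pools: {filter_name: (low_ip, high_ip)}, both ends inclusive
        self.ranges = {
            name: (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            for name, (lo, hi) in pools.items()
        }
        self.in_use = set()

    def allocate(self, filter_name):
        """First free address of the named pool, or None if unknown/exhausted."""
        rng = self.ranges.get(filter_name)
        if rng is None:
            return None
        lo, hi = rng
        addr = lo
        while addr <= hi:
            if addr not in self.in_use:
                self.in_use.add(addr)
                return addr
            addr += 1
        return None

    def release(self, addr):
        """Return an address to its pool (e.g. on Accounting Stop)."""
        self.in_use.discard(ipaddress.IPv4Address(addr))


def apply_ip_pool(reply, client_filter_name, pools):
    """Return (attributes to send to the NAS, note) for an upstream Access Granted.

    reply: attribute dict of the upstream packet, e.g. {"Framed-Address": "..."}.
    The reply is never modified in place.
    """
    framed = reply.get("Framed-Address")
    if framed is not None and ipaddress.IPv4Address(framed) != NO_ADDRESS:
        # Note 2: an explicit upstream address is passed through untouched.
        return dict(reply), "upstream chose the address; left untouched"
    if not client_filter_name:
        return dict(reply), "client has no IP Pools Filter Name"
    addr = pools.allocate(client_filter_name)
    if addr is None:
        # Note 1: the name must exist under Static IP Pools (and have a free IP).
        return dict(reply), f"no address available in pool {client_filter_name!r}"
    out = dict(reply)
    out["Framed-Address"] = str(addr)
    return out, f"assigned {addr} from pool {client_filter_name!r}"


if __name__ == "__main__":
    pools = StaticIpPools({"dialupras": ("3.3.3.1", "3.3.3.55")})
    upstream = {"Service-Type": 2, "Framed-Protocol": 1,
                "Framed-Address": "255.255.255.254", "Filter-Id": "dialupras"}
    print(apply_ip_pool(upstream, "dialupras", pools))
    print(apply_ip_pool({"Framed-Address": "10.1.2.3"}, "dialupras", pools))
```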

 

Actual Error Log Example:

Note: Explanatory comments are interleaved between the log excerpts.

 

The Access Request from 192.168.0.112 is received by VOP Radius:

(Debug   :01560) 11/5/2004 17:53:42 RECEIVED: 192.168.0.112, code=1 (Access Request), id=15, len=88
                        (  7) Framed-Protocol = 1 PPP
                        (  6) Service-Type = 2 Framed-User
                        (  5) NAS-Port-Id = 1
                        (  2) Password = [16]"<encrypted>"
                        ( 32) Nas-Identifier = [7]"Voptest",\ 56 6F 70 74 65 73 74 \
                        (  4) NAS-IP-Address = 192.168.0.112
                        (  1) User-Name = [15]"test@intrex.net",\ 74 65 73 74 40 69 6E 74 72 65 78 2E 6E 65 74 \
(Debug   :01560) 11/5/2004 17:53:42 Add.Info: Nas=192.168.0.112 (ID:Voptest), Port=1, User=test@intrex.net

 

The realm (i.e. intrex.net) on the username matches with a roamer client definition:

(Debug   :01560) 11/5/2004 17:53:42 Roaming User test@intrex.net : Radius Server 192.168.0.111

           


 

            Building Proxy stream - Universal, id=15, code=1, nas=192.168.0.112
            Radius Attributes included in proxy:
                        ( 33) Proxy-State = [51]"VPRR000192.168.0.112:1/1//C0A80070/test@intrex.net/"
                        (  7) Framed-Protocol = 1 PPP
                        (  6) Service-Type = 2 Framed-User
                        (  5) NAS-Port-Id = 1
                        ( 32) Nas-Identifier = [7]"Voptest",\ 56 6F 70 74 65 73 74 \
                        (  4) NAS-IP-Address = 192.168.0.112
                        (  1) User-Name = [15]"test@intrex.net",\ 74 65 73 74 40 69 6E 74 72 65 78 2E 6E 65 74 \
                        (  2) Password = [16]"<encrypted>"
                        (  9)  = [38]"p......z......&D...W...~.9.x..:.p.\...",\ 70 00 A8 C0 14 07 13 7A 00 00 0B 18 00 00 26 44 00 00 C1 57 00 00 EB 7E A9 39 0F 78 81 91 3A F9 70 85 5C AB DC 16 \ [VendorID 2233623]
                        ( 61) NAS-Port-Type = 0 Async
            Upd_User_State: Found User test@intrex.net nas_ip: 192.168.0.112 nas_port: 1 newstate:Auth
            Upd_User_State: Found User test@intrex.net nas_ip: 192.168.0.112 nas_port: 1 newstate:Auth

 

The Access Request is forwarded to the roamer server 192.168.0.111 for authentication:

(Debug   :01560) 11/5/2004 17:53:42 CSockServer::SendData: dest 192.168.0.111:1812 len:193

 

           


 

            Received data on AUTH socket from 192.168.0.111:1812!
            User_Set_NewVal: Search for user: , nas_ip: -1062731664, nas_port: 1, service_type: 0, session_id:
            find_user: (3) Found by Port: 1
            Upd_User_State: Find STD: Search for user: test@intrex.net, nas_ip: 192.168.0.112, nas_port: 1, service_type: 2, session_id:
            find_user: (4) Found by Name: test@intrex.net, Port: 1

 

Access Granted received from the roamer server and Filter-ID attribute assigned:

(Debug   :01560) 11/5/2004 17:53:42 RECEIVED: 192.168.0.111, code=2 (Access Granted), id=15, len=112
                        ( 33) Proxy-State = [51]"VPRR000192.168.0.112:1/1//C0A80070/test@intrex.net/",\ 56 50 52 52 30 30 30 31 39 32 2E 31 36 38 2E 30 2E 31 31 32 3A 31 2F 31 2F 2F 43 30 41 38 30 30 37 30 2F 74 65 73 74 40 69 6E 74 72 65 78 2E 6E 65 74 2F \
                        (  6) Service-Type = 2 Framed-User
                        (  7) Framed-Protocol = 1 PPP
                        (  8) Framed-Address = 255.255.255.254
                        ( 13) Framed-Compression = 1 Van-Jacobsen-TCP-IP
                        ( 11) Filter-Id = [9]"dialupras",\ 64 69 61 6C 75 70 72 61 73 \
                        ( 25) Class-ID = [2]"6a",\ 36 61 \
(Debug   :01560) 11/5/2004 17:53:42 Add.Info: Nas=192.168.0.112 (ID:<none>), Port=1, User=

 

Because a Filter-ID attribute is assigned, VOP Radius searches for an IP address under the “Static IP Pools”:

(Debug   :01560) 11/5/2004 17:53:42 Assigning Static IP Address: About to try pool 1 .
(Debug   :01560) 11/5/2004 17:53:42 Got range to try:LowIP: 3.3.3.1 HighIP:3.3.3.55 bDyn: 1
(Debug   :01560) 11/5/2004 17:53:42 Assigning Static IP Address 3.3.3.4 from a Pool!
            Upd_User_State: Found User test@intrex.net nas_ip: 192.168.0.112 nas_port: 1 newstate:Ack

           

The IP address and the Filter-ID attribute are assigned to the user. The packet is then returned to the NAS:

Building Proxy stream - Specific, id=15, code=2, nas=192.168.0.112
            Radius Attributes included in proxy:
                        (  6) Service-Type = 2 Framed-User
                        (  7) Framed-Protocol = 1 PPP
                        (  8) Framed-Address = 3.3.3.4
                        ( 13) Framed-Compression = 1 Van-Jacobsen-TCP-IP
                        ( 11) Filter-Id = [9]"dialupras",\ 64 69 61 6C 75 70 72 61 73 \
                        ( 25) Class-ID = [2]"6a",\ 36 61 \
(Debug   :01560) 11/5/2004 17:53:42 CSockServer::SendData: dest 192.168.0.112:2147 len:59

1.1.3.2.13. How-to: Move VOP Radius from one machine to another

Before you start:

We recommend before performing the move that a temporary license be obtained from the sales department to use on the new VOP Radius machine (sales@vircom.com). This will ensure that there will not be any conflicts with the two Radius servers running in the same network.

It is also important to verify whether your permanent VOP Radius license key is in the new or old format. The old key format will only work on a machine name in which it was created for. You can recognize this old key format because it always starts with "PRRS-.." If you have an old style license key, then you have two options: 1) Request a "Transfer Form" from Vircom Accounting to have a new old style license key made for the new machine name. 2) Subscribe to a support plan and sales will issue a new permanent license key that does not bind to the machine name.

The Process:

Our VOP Mail and modusMail customers know that each of these products can be moved quite easily from one machine to another by making an export of the configuration and then importing it on the new machine. Unfortunately, VOP Radius does not have a similar feature and most of the re-configuration on the new machine has to be done manually. However, there is one way that can save a significant amount of time for the administrator by using the Support Tab in VOP Radius.

Step 1: Open the Support Tab in VOP Radius and fill in the fields

 

"SMTP Mail Server": Enter the IP address or hostname of your ISP's mail server.
"Enter your email address here": Enter the email address that will appear in the FROM: field. This is not important.
"Destination": Enter the email address where the VOP Radius configuration and files will be sent.
"Subject": You can leave this at the default.
"Additional Comments": You must enter at least one word here.
"Include Client Definitions": Check this option; it sends the file "VPRTSDef.txt", which contains all the client definitions shown in the Clients Tab.
"Include Error Log File": There is no need to check this option.

Before you send verify the settings, click "apply", and then "Send Configuration".

Step 2: Retrieve the email containing the VOP Radius Configuration and files

After you receive the email, print out the configuration so that you can use it to configure the new VOP Radius Server.
Attached to the configuration will be some files. Make sure that you save the following files to a safe location:

"VPRTSDef.txt": This file contains all the client definitions that are represented under the VOP Radius Clients Tab
"VPRDict.txt": This is the dictionary file and it will be needed when you have defined new attributes.
"Profiles.txt": This is the file that contains all the VOP Radius profiles

Step 3: Install and configure the new VOP Radius Server

A) Install VOP Radius on the new machine
B) Copy into the "Radius" folder the old "VPRTSDef.txt" file.
C) Copy into the "Radius" folder the old "Profiles.txt" file.
D) Go to the "Radius" folder and rename "VPRDict.txt" to "VPRDict.old"
E) Copy into the "Radius" folder the old "VPRDict.txt " file (* Please see notes below)
F) Use the configuration printout from the old VOP Radius Server to configure the new VOP Radius Server. Note that it might be necessary to create the ODBC Drivers on the new machine if you are using a Billing Software Package (** Please see notes below)

* Explanation for the dictionary file: Customers going from an old to new version of VOP Radius may want to use the new dictionary file. In this case, the administrator should only take the unique entries out of the old dictionary file and then define them in the new one.

** If a database is being used other than the ones that come with VOP Radius, then the data sources will not be created during installation (e.g. Platypus, Rodopi, etc..). In this case, before the move you should contact the Billing Software package vendor to get detailed instructions on how to create the ODBC data source(s).

Step 4: Start VOP Radius and test with VOPTest before putting the system live!

Administrators can use the following "How-To" on VOPTest to be sure that the new VOP Radius Server can authenticate.

Step 5: Force the RADIUS traffic to the new machine

The easiest way to have the new VOP Radius machine to start receiving all the RADIUS traffic is to assign it the same IP that the old VOP Radius machine was using. If a new IP address needs to be used on the machine, then you will have to update all the Radius clients (NAS and Proxy Servers) so that they point to the new IP for both Authentication and Accounting.

1.1.3.2.14. How-To: Setup a Peer to Peer Roaming agreement

What is peer to peer roaming?

Peer to Peer roaming gives ISPs the ability to setup Roaming agreements. Traditionally, ISPs would need to setup POP sites in remote towns (with all the telco headaches and expenses this implies) to cover more than one region. With Roaming, you can get into an agreement with other ISPs to avoid this cost, or at least to share the burden.

In the above example for instance, we have a user (user from ISPB) connecting to the NAS and getting authenticated properly through ISPA. This is how it's done:

1- A user connects with a realm of ISPB.com on a NAS belonging to ISPA

2- The NAS sends an Access Request containing the user's username and password to the Radius server belonging to ISPA.

3- ISPA's Radius server recognizes the ISPB realm and establishes a connection to ISPB's Radius server, forwarding an Access Request with the user's username and password.

4- ISPB's Radius server receives the request from ISPA's Radius server with the username user@ISPB.com. It strips the realm and verifies the username and password against its local database. If the check succeeds, it sends an Access Granted (otherwise an Access Rejected) back to ISPA's Radius server.

5- ISPA Radius receives the Access Granted and forwards it to NAS, which in turn forwards it to the user, establishing a successful connection.
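The five-step exchange above as an added, runnable model (not Vircom code): two in-memory RADIUS servers whose client tables mirror the Clients tab, with NAS entries and Roamer entries carrying the partner's realm as Roaming ID. Server addresses, secrets and user accounts are constructed for the example, and shared-secret verification of the packets themselves is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    """One row of the Clients tab."""
    name: str
    ip: str
    secret: str          # shared secret (stored, not verified in this model)
    ctype: str           # "NAS" or "Roamer"
    realms: tuple = ()   # Roaming IDs; only used for Roamer clients


@dataclass
class RadiusServer:
    name: str
    ip: str
    own_realm: str       # realm this ISP authenticates locally
    clients: dict        # client IP -> Client
    users: dict          # local user database: username -> password (constructed)
    log: list = field(default_factory=list)

    def roamer_for(self, realm):
        """Return the Roamer client whose Roaming IDs contain this realm, if any."""
        for c in self.clients.values():
            if c.ctype == "Roamer" and realm.lower() in [r.lower() for r in c.realms]:
                return c
        return None

    def access_request(self, src_ip, username, password, peers):
        """Handle an Access-Request from src_ip; `peers` maps server IP -> RadiusServer."""
        # A request from an IP that is not in the Clients tab gets no reply at all.
        if src_ip not in self.clients:
            self.log.append(f"{self.name}: ignored request from unknown client {src_ip}")
            return None
        if "@" in username:
            user, realm = username.rsplit("@", 1)
        else:
            user, realm = username, ""
        if realm == "" or realm.lower() == self.own_realm.lower():
            # Step 4: our own realm, so strip it and check the local database
            if self.users.get(user) == password:
                self.log.append(f"{self.name}: Access-Accept for {user} (local)")
                return "Access-Accept"
            self.log.append(f"{self.name}: Access-Reject for {user} (local)")
            return "Access-Reject"
        roamer = self.roamer_for(realm)
        if roamer is None:
            self.log.append(f"{self.name}: no roaming agreement for realm {realm}")
            return "Access-Reject"
        # Step 3: forward username and password unchanged to the partner's server
        self.log.append(f"{self.name}: proxying {username} to {roamer.name} ({roamer.ip})")
        reply = peers[roamer.ip].access_request(self.ip, username, password, peers)
        # Step 5: relay the partner's answer back toward the NAS; silence becomes a reject
        return reply if reply is not None else "Access-Reject"


def build_example():
    """ISPA and ISPB, each knowing its own NAS plus the other ISP's server as a Roamer."""
    ispa = RadiusServer(
        "ISPA", "192.0.2.10", "ISPA.com",
        clients={
            "10.10.10.1": Client("NAS1", "10.10.10.1", "nas1", "NAS"),
            "198.51.100.10": Client("ISPB-Radius", "198.51.100.10", "r0am", "Roamer", ("ISPB.com",)),
        },
        users={"bob": "bobpw"},
    )
    ispb = RadiusServer(
        "ISPB", "198.51.100.10", "ISPB.com",
        clients={
            "10.20.20.1": Client("NAS-B", "10.20.20.1", "nasb", "NAS"),
            "192.0.2.10": Client("ISPA-Radius", "192.0.2.10", "r0am", "Roamer", ("ISPA.com",)),
        },
        users={"user": "secret"},
    )
    return ispa, ispb, {ispa.ip: ispa, ispb.ip: ispb}


if __name__ == "__main__":
    ispa, ispb, peers = build_example()
    print(ispa.access_request("10.10.10.1", "user@ISPB.com", "secret", peers))
    print("\n".join(ispa.log + ispb.log))
```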


The Setup

In the ISPA Clients tab, the Radius server needs 2 clients configured: one for the incoming connection from its own NAS (where users connect), and another used to establish the connection to the other ISP's Radius server for authentication. Additional entries have to be created for any additional NAS.
Here is a step-by-step guide to configuring ISPA's Radius server for authentication:

Step 1 - Go to Clients and click on the Add button



Step 2 - Create the client definition for your NAS

Enter the name for your NAS. Enter its IP address and select a shared secret to authenticate the connection. Under Client Type, select the type of NAS that would be used to connect to the Radius server. Click OK to close the dialogue.

For the sake of this example, we used NAS1 as the NAS name, 10.10.10.1 for IP and nas1 for the shared secret.

Step 3 - Create the client definition for ISPB

Click Add again to create another Client definition for the Radius-to-Radius connection. Enter the name for your connection, the IP of ISP B's Radius server and a secret to authenticate the connection. Under Client Type, select Roamer. Under Roaming ID's, enter the realm for that ISP. Click OK. Your Clients list should look like this:

Step 4- How it should look on ISPB's side

At this point you would make the same configuration on ISP B's Radius server. Its Clients tab should look like this:

1.1.3.2.15. How-To: Set Up A Backup VOP Radius
If you want to add redundancy to your RADIUS installation, Vircom sells VOPRadius at half the price of the original version if you use it as a backup Radius server. Basically, you use the backup RADIUS server as a proxy to the primary RADIUS server.

Since VOP Radius is a caching server, you can take advantage of that by having each Radius server build up its own cache. This makes it possible for each Radius server to authenticate from cache should it lose contact with the datasource downstream from it.

During normal operations, authentication packets go from the NAS, through the Proxy radius server, and then to the Main radius server. The Main radius server authenticates the user against its datasource (in the above example, an ODBC database) and sends the reply back to the Proxy radius, which in turn relays the reply back to the NAS. If the reply in question was an access-granted, the Proxy and the Main radius server will keep a copy of the username and password of the user in their cache, respectively.

Now what does this imply?
a) If the main Datasource dies (MS-SQL crashes for instance)

Since the Main Radius server won't be able to access the DB after a couple of retries, it would authenticate from its cache until the datasource comes back online.

b) The Main radius dies.

Since the Proxy server will no longer be able to talk to the Main radius, its cache would kick in after a couple of retries sent from the NAS until the Main Radius comes back online.

c) The Proxy server dies.

Since the NAS itself won't be able to talk to the primary authentication server (the Proxy radius), it will fall back to the secondary which in this case points at the Main radius. This way, the failing backup server will be bypassed.


Overall, you wind up with triple redundancy!

The Setup
Let's look at this example:

Configuring the NAS (10.10.10.128)

Most NAS'es (Network Access Servers or Remote Access Servers) have both Primary Authentication/Accounting entries and Secondary Authentication/Accounting entries. So all you need to do is to tell your NAS where to point to:

a) Primary Auth/Acct to the Proxy Radius Server (10.10.10.20)
b) Secondary Auth/Acct to the Main Radius Server (10.10.10.10)


You will also be required to enter a secret for each entry. Use the same one across the board. (Let's say you're using the word "widget" as your secret ...)

Note that for cache authentication to kick in when there's a failure, the NAS has to send at least three retries within 15 seconds. Contact the manufacturer of your Access Servers to find out how to configure them to operate in that fashion.


Configuring the Proxy radius server (10.10.10.20)

Now that the NAS will talk primarily with the proxy server, we have to configure the proxy to listen to the NAS and relay all information to the Main radius server. We assume here that you already have some basic understanding of how VOP Radius is configured for normal operations.

a) Go to the RADIUS Server tab and select the proxy authentication method. In the setup, enter the IP of the Main radius server (10.10.10.10). This tells the proxy where to relay the authentication and accounting packets to.

b) Go to the Clients section and create the following client definitions:

First Entry: Name = MainRadius (this is arbitrary)
IP = 10.10.10.10, Secret = widget, Type = RadiusServer

Next Entry: Name = NAS (this is also arbitrary)
IP = 10.10.10.128, Secret = widget, Type = <select make of NAS>

c) Under the Cache/Fallback, you should, of course, select Fallback to Cache


Configuring the Main radius server (10.10.10.10)

We have to configure the Main radius server in such fashion that it will accept authentication requests from the proxy or directly from the NAS in case the proxy fails. We assume here that you already have it configured to talk to the main datasource (ODBC, NT-SAM or text file).

a) Go to the Clients section and create the following client definitions:

First Entry: Name = ProxyRadius (this is arbitrary)
IP = 10.10.10.20, Secret = widget, Type = RadiusServer

Next Entry: Name = NAS (this is also arbitrary)
IP = 10.10.10.128, Secret = widget, Type = <select make of NAS>

b) Under the Cache/Fallback, you should, of course, select Fallback to Cache

Note that if your Main radius server authenticates against the NT-SAM, we discovered that the cache setting on both the proxy and the main radius server should be set to "deny access" for Unknown users.
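The Proxy -> Main -> datasource chain with Fallback to Cache, as an added model (not Vircom code) of the three failure cases above. Each server caches the last accepted password per user and answers from that cache once the NAS has retried at least three times within 15 seconds while the upstream is unreachable; unknown users are denied from cache, as the NT-SAM note recommends. Storing salted SHA-256 digests instead of the plaintext the page describes is this example's choice, and the user data and timings are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

class Unreachable(Exception):
    """A server or datasource did not answer (request timed out)."""

class Datasource:
    def __init__(self, users):          # e.g. the ODBC database behind Main (constructed)
        self.users = users
        self.up = True

    def check(self, username, password, now):
        if not self.up:
            raise Unreachable("datasource down")
        return self.users.get(username) == password

class RadiusServer:
    RETRIES_NEEDED = 3      # NAS retries that must be seen...
    RETRY_WINDOW = 15.0     # ...within this many seconds before the cache answers

    def __init__(self, name, upstream):
        self.name = name
        self.upstream = upstream            # Datasource or another RadiusServer
        self.up = True
        self.cache = {}                     # username -> (salt, digest) of last accepted password
        self.attempts = defaultdict(list)   # username -> times the upstream was unreachable
        self.log = []

    def _remember(self, username, password):
        salt = os.urandom(16)
        self.cache[username] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def _cached_ok(self, username, password):
        if username not in self.cache:      # unknown user: deny from cache
            return False
        salt, digest = self.cache[username]
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def check(self, username, password, now):
        if not self.up:
            raise Unreachable(f"{self.name} down")
        try:
            ok = self.upstream.check(username, password, now)
        except Unreachable as exc:
            self.log.append(f"{self.name}: upstream unreachable ({exc})")
            recent = [t for t in self.attempts[username] if now - t <= self.RETRY_WINDOW]
            recent.append(now)
            self.attempts[username] = recent
            if len(recent) < self.RETRIES_NEEDED:   # stay silent until the NAS has retried enough
                raise Unreachable(f"{self.name}: {len(recent)}/{self.RETRIES_NEEDED} retries seen")
            ok = self._cached_ok(username, password)
            self.log.append(f"{self.name}: answered {username} from cache -> {ok}")
            return ok
        self.attempts.pop(username, None)
        if ok:                                      # only accepts are cached
            self._remember(username, password)
        return ok

class Nas:
    def __init__(self, primary, secondary, retries=3, interval=5.0):
        self.servers = (primary, secondary)         # Primary/Secondary Auth entries on the NAS
        self.retries = retries
        self.interval = interval
        self.log = []

    def authenticate(self, username, password, start=0.0):
        now = start
        for server in self.servers:                 # retry the primary, then fail over
            for _ in range(self.retries):
                try:
                    ok = server.check(username, password, now)
                except Unreachable as exc:
                    self.log.append(f"NAS: no reply from {server.name} at t={now:.0f} ({exc})")
                    now += self.interval
                    continue
                return "Access-Accept" if ok else "Access-Reject"
        return None     # both servers silent: the NAS gives up

def scenarios():
    """Normal operation, then failure cases (a), (b) and (c) from the text above."""
    ds = Datasource({"alice": "pw"})
    main = RadiusServer("Main", ds)
    proxy = RadiusServer("Proxy", main)
    nas = Nas(primary=proxy, secondary=main)
    results = {"normal": nas.authenticate("alice", "pw", 0)}     # warms both caches
    ds.up = False                                                # (a) datasource dies
    results["datasource_down"] = nas.authenticate("alice", "pw", 100)
    results["unknown_during_outage"] = nas.authenticate("mallory", "x", 200)
    ds.up, main.up = True, False                                 # (b) Main dies
    results["main_down"] = nas.authenticate("alice", "pw", 300)
    main.up, proxy.up = True, False                              # (c) Proxy dies: NAS uses secondary
    results["proxy_down"] = nas.authenticate("alice", "pw", 400)
    return results
```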

1.1.3.2.16. How-To: Set up static IP Pools

What is a Static IP Pool?

VOP Radius enables you to assign dynamic or static IPs to incoming users based on pre-defined pools. By default a dynamic scheme is used, and users are given an IP of 255.255.255.254 [which tells the NAS to give an IP from its own internal pool]. In some instances, some ISPs would prefer to assign static IPs to users from an IP pool defined on the RADIUS side (an IP pool is a range of IP addresses, for example 10.10.10.1 to 10.10.10.255).

Radius IP Pool or Static IP?

If only a few users require an IP assigned by the Radius Server, then it is probably more manageable to assign these users a static IP using the "Framed-Address" (attribute 8) and "Framed-Netmask" (attribute 9) attributes. These attributes can be assigned directly in the user's profile whether the authentication data source is a text file or ODBC (e.g. Rodopi, Platypus, etc.). For example, in the authentication database VOPDB.mdb there is a field called "StaticIP" where you can specify an IP that should be assigned to the user at authentication.

Warning on using Radius Static IP Pools

Vircom strongly recommends against using a Radius Server to manage and assign IPs from its pool because of the inherent unreliability of the protocol. It is very important to understand that reliable accounting information must be received for a RADIUS-based IP pool to work properly. An accounting START reminds VOP Radius which IP it has already given out. If the accounting START is not received by VOP Radius, then it is possible that the same IP will be handed out to more than 1 username -- not good! Similarly, the accounting STOP tells VOP Radius that a specific IP is now free and can be handed out again. If the accounting STOP is never received when the user disconnects, VOP Radius will still think that the IP is in use.

In short, whenever possible have the Network Access Server assign the IPs from one of its own pools.
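Static IP pool bookkeeping driven by Filter-Id and accounting, as an added example that is not Vircom code. It models a pool as configured in the Static IP Pool dialog (first and last address, filter name, "default to Dynamic") and shows why the warning above matters: a lease that never receives its accounting START is treated as abandoned after PENDING_TTL seconds (a timeout assumed for this model) and can be handed out again, while a lease that never receives its STOP is never freed. Addresses and usernames are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

DYNAMIC_IP = ipaddress.IPv4Address("255.255.255.254")  # "NAS picks from its own pool"
PENDING_TTL = 60.0                                       # assumed wait for the accounting START


@dataclass
class Lease:
    username: str
    state: str        # "pending" (no START yet) or "in-use"
    since: float


@dataclass
class Pool:
    filter_name: str
    first: str
    last: str
    default_to_dynamic: bool
    leases: dict = field(default_factory=dict)   # IPv4Address -> Lease

    def addresses(self):
        cur, end = int(ipaddress.IPv4Address(self.first)), int(ipaddress.IPv4Address(self.last))
        while cur <= end:
            yield ipaddress.IPv4Address(cur)
            cur += 1


class StaticIpPools:
    def __init__(self, pools, pending_ttl=PENDING_TTL):
        self.pools = {p.filter_name: p for p in pools}
        self.pending_ttl = pending_ttl

    def assign(self, username, filter_id, now):
        """Framed-Address to return at Access-Accept; None means the user is refused."""
        pool = self.pools.get(filter_id)
        if pool is None:                 # no pool behind this Filter-Id: dynamic scheme
            return DYNAMIC_IP
        for ip in pool.addresses():
            lease = pool.leases.get(ip)
            stale = (lease is not None and lease.state == "pending"
                     and now - lease.since > self.pending_ttl)
            if lease is None or stale:   # a stale lease is reissued: possible double assignment
                pool.leases[ip] = Lease(username, "pending", now)
                return ip
        return DYNAMIC_IP if pool.default_to_dynamic else None

    def accounting(self, status_type, username, ip, now):
        """Apply an accounting Start/Stop for (username, ip); False if no lease matched."""
        ip = ipaddress.IPv4Address(ip)
        for pool in self.pools.values():
            lease = pool.leases.get(ip)
            if lease is None or lease.username != username:
                continue
            if status_type == "Start":
                lease.state, lease.since = "in-use", now
            elif status_type == "Stop":
                del pool.leases[ip]
            return True
        return False

    def held(self, filter_id):
        """Addresses the pool still considers taken (pending or in use)."""
        return {str(ip): l.username for ip, l in self.pools[filter_id].leases.items()}


def demo():
    pools = StaticIpPools([Pool("ISDNUsers", "10.10.10.1", "10.10.10.3", default_to_dynamic=True),
                           Pool("Strict", "10.10.20.1", "10.10.20.1", default_to_dynamic=False)])
    out = {}
    out["alice"] = str(pools.assign("alice", "ISDNUsers", now=0))     # 10.10.10.1
    pools.accounting("Start", "alice", out["alice"], now=1)
    out["bob"] = str(pools.assign("bob", "ISDNUsers", now=2))         # 10.10.10.2, its START is lost
    out["carol"] = str(pools.assign("carol", "ISDNUsers", now=3))     # 10.10.10.3
    pools.accounting("Start", "carol", out["carol"], now=4)
    out["dave"] = str(pools.assign("dave", "ISDNUsers", now=5))       # pool full -> 255.255.255.254
    out["erin"] = str(pools.assign("erin", "ISDNUsers", now=100))     # bob's lease looks abandoned: reissued
    pools.accounting("Stop", "alice", out["alice"], now=120)
    out["frank"] = str(pools.assign("frank", "ISDNUsers", now=121))   # alice's STOP freed 10.10.10.1
    out["no_filter"] = str(pools.assign("gus", "", now=122))          # no Filter-Id: dynamic
    out["strict1"] = pools.assign("hal", "Strict", now=123)
    out["strict2"] = pools.assign("ivy", "Strict", now=124)           # None: refused until an IP frees up
    out["still_held"] = pools.held("ISDNUsers")                       # carol's STOP never arrives
    return out
```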

The Setup

1- Start VOP Radius and go to the Radius Server Tab

2- Click on the Static IP Pool Button then click on the Add button, you should see a screen like the following:

 

3- In the First IP Address field, enter the starting IP range (Example: 10.10.10.1) and in the Last IP Address field, enter the last IP range (Example: 10.10.10.255)

4- Under the Filter Name field enter a name for this filter, this name will be used to identify this IP pool (Ex: ISDNUsers).

5- Put a checkmark next to default to Dynamic if you want users to get an IP dynamically if no IP address is available. If this option is not checked, then the user will be refused access, until an IP Address in the POOL is freed. Click OK, your screen should look like the following:

 

To add additional IP pools, simply click again on Add and repeat step 3 to 5. Once all IP pools are configured, click on OK to close the Static IP Pool Configuration dialogue.

After the static IP pools are created, they have to be assigned to users. There are 2 ways to assign them: they can be added to specific users, or to a profile which is assigned to users.

To assign IP pools to specific users for ODBC Database users:

6.1- Click on Setup button in the Radius Server tab

7.1- Make sure you have a column called Filter-ID for each user where a filter should be applied. In this field you would enter the Filter Name specified in the Static IP Pool properties.

To assign IP pools to specific users for NT SAM Database users:

6.2- Click on Setup button in the Radius Server tab

7.2- Enter the name of the filter next to the FilterID Name field

To assign IP pools to specific users for Text File/Unix file users:

6.3- Edit the file and locate the specific user to which you wish to assign the filter

7.3- Add the entry Filter-ID = filtername, where "filtername" is the name of the filter you assigned in the Static IP Pool properties.


For a large number of users, it is best to create a profile that users are assigned to, and add the Filter-Id attribute to the profile instead of to each specific user.

Creating a Profile:

Profiles are created by using the text file called profiles.txt, there should be a template already in the VOP Radius directory when the software is installed that provides some samples. Open the profiles.txt and create your profile with a field called Filter-Id = filtername where "filtername" is the name of your filter. For example:

Profile="Filtered"
<TAB>Service-Type = Framed-User
<TAB>Framed-Protocol = PPP
<TAB>Filter-ID = "ISDNUsers"

Note: <TAB> signifies that you need to use the TAB key on the keyboard and not actually enter that string.

For information on modifying the profiles.txt file refer to the online documentation.

Remember that when using the profiles text file, you must assign users to that profile by adding the profile name in the ProfileID column in your database or text file.

1.1.3.2.17. How-To: Set Up VOP Radius for TEXT File Authentication

Introduction

 

The RADIUS server can be configured to use a text file for authentication. By default, this file is called "users.txt" and you'll find it under \program files\vircom\radius. In it, you can store authentication and authorization information for all users authenticated with RADIUS. Each user has an entry which consists of three parts: the username, a method to verify the user's password, and optionally a list of "check items" and the RADIUS attributes to pass back to the network access server in the "access-granted" reply.

 

Syntax

 

The users.txt file requires that the administrator follow a specific syntax in order for VOP Radius to properly parse the file.

 

VOP Radius 4.0 and Higher Example:

username<TAB>Password="PasswordOfUser"
<TAB>Service-Type = Framed-User
<TAB>Framed-Protocol = PPP
<TAB>Framed-Address = "1.1.1.1"

Note the following:
* Between the username and Password keyword the administrator has to use the <TAB> key
* Each new line must begin with a <TAB> key
* Attributes with a string value should be enclosed in quotes (the VOP Radius dictionary file "VPRDict.txt" defines whether an attribute takes a string value).

VOP Radius 3.5 and Lower

The same as with VOP Radius 4.0 and higher, except that every line but the first and last must end with a comma (i.e. , ). For example:

username<TAB>Password="PasswordOfUser"
<TAB>Service-Type = Framed-User,
<TAB>Framed-Protocol = PPP,
<TAB>Framed-Address = "1.1.1.1"

 

Note: VOP Radius 4.0 and higher can properly parse the users.txt file if it was written with the 3.5 227 and earlier syntax.

 

Password Attribute: Additional Information

This attribute defines the user password. This attribute is unique, which means only its first occurrence is considered (all others are ignored).

Syntax: a character string.


Note: The password attribute is always required, except if the « Auth-Type » attribute is also present (either within the user data source or the profile).

 

Example:

username<TAB>Password="TryToGuessMe"

 

Auth-Type Attribute: Additional Information

 

Within the users.txt file it is possible to "point" the user password verification against another source rather than using the "Password" attribute. This is done with the "Auth-Type" attribute:

 

This attribute is useful when users have to be authenticated using a UNIX password file, an NT SAM password file, etc.


Syntax: "none," "system," "nt\DomainName," "securid"

* "none": No password check!
* "system": Username and password check using a Unix password file. This file can be specified using the VOP Radius console.
* "nt": Username and password check using an NT SAM password file. The « \DomainName » is optional and can be used to identify the domain to be used.
* "securid": Username and password check against an RSA ACE server.

 

Note: Most of the "Auth-Types" require PAP authentication. This attribute is unique, which means only its first occurrence is considered. Like all other unique attributes, a user data source attribute has precedence over the same profile attribute.

 

Example 1: none

Username<TAB>Auth-Type="none"
<TAB>Service-Type = Framed-User
<TAB>Framed-Protocol = PPP


Example 2: system


Username<TAB>Auth-Type="system"
<TAB>Service-Type = Framed-User
<TAB>Framed-Protocol = PPP

 

Note 1: In the example above the path to the UNIX password file must be defined within the console under Radius Server Tab--> Text File Authentication --> "UNIX Passwd File"

 

Note 2: In VOP Radius 3.5 227 and earlier the keyword "unix" was interchangeable with "system". However, in VOP Radius 4.0 228 and higher, the keyword "unix" is no longer supported.


Example 3: NT

Username<TAB>Auth-Type = "NT"
<TAB>Service-Type = Framed-User
<TAB>Framed-Protocol = PPP

Note: When verifying the user's password against the NT SAM, only PAP passwords sent from the NAS will work!


Example 4: securid

Username<TAB>Auth-Type = "securid"
<TAB>Service-Type = Framed-User
<TAB>Framed-Protocol = PPP

 

Note: When verifying the user's password against an RSA server, the client portion of the RSA server must be installed on the VOP Radius machine.
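A parser for the users.txt syntax described in this section, together with the Password and Auth-Type rules, as an added example that is not Vircom code. It accepts both the 4.0-and-higher layout and the 3.5 layout with trailing commas, honours only the first occurrence of a unique attribute, falls back to the DEFAULT entry, and hands the "system", "nt\Domain" and "securid" checks to a caller-supplied function, since those sources live outside the file. The sample file and the external checker are constructed.

```python
import hmac
from dataclasses import dataclass, field

AUTH_TYPES = ("none", "system", "nt", "securid")

SAMPLE_USERS_TXT = (
    'joe\tPassword="TryToGuessMe"\n'
    '\tService-Type = Framed-User\n'
    '\tFramed-Protocol = PPP\n'
    '\tFramed-Address = "1.1.1.1"\n'
    '\n'
    'legacy\tPassword="old"\n'          # 3.5-and-earlier layout: commas on the middle lines
    '\tService-Type = Framed-User,\n'
    '\tFramed-Protocol = PPP,\n'
    '\tFramed-Address = "1.1.1.2"\n'
    '\n'
    'ntuser\tAuth-Type = "nt\\CORP"\n'
    '\tService-Type = Framed-User\n'
    '\n'
    'DEFAULT\tAuth-Type="system"\n'
    '\tService-Type = Framed-User\n'
)


@dataclass
class UserEntry:
    name: str
    attributes: list = field(default_factory=list)   # (name, value) in file order

    def first(self, attr):
        """Value of the first occurrence of attr; unique attributes ignore later ones."""
        for name, value in self.attributes:
            if name.lower() == attr.lower():
                return value
        return None


def _split_attr(text):
    """'Framed-Address = "1.1.1.1",' -> ("Framed-Address", "1.1.1.1")."""
    text = text.strip()
    if text.endswith(","):          # tolerate the 3.5 trailing comma
        text = text[:-1].rstrip()
    name, sep, value = text.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed attribute: {text!r}")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]         # string-valued attributes are quoted
    return name.strip(), value


def parse_users(text):
    """Return {username: UserEntry}; the first entry for a given name wins."""
    entries, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.startswith("\t"):                       # continuation line
            if current is None:
                raise ValueError(f"line {lineno}: attribute line before any username")
            current.attributes.append(_split_attr(raw))
            continue
        name, tab, rest = raw.partition("\t")
        if not tab:
            raise ValueError(f"line {lineno}: username and first attribute must be TAB-separated")
        current = UserEntry(name.strip())
        current.attributes.append(_split_attr(rest))
        entries.setdefault(current.name, current)
    return entries


def lookup(entries, username):
    """The user's own entry, else the DEFAULT template, else None."""
    return entries.get(username) or entries.get("DEFAULT")


def verify(entry, username, password, external=None):
    """True if password is acceptable for username under this entry's rules.

    external(kind, domain, username, password) performs the "system", "nt" and
    "securid" checks against the outside source and is required for those kinds.
    """
    auth_type = entry.first("Auth-Type")
    if auth_type is None:                               # plain Password attribute
        stored = entry.first("Password")
        if stored is None:
            raise ValueError(f"{entry.name}: neither Password nor Auth-Type present")
        return hmac.compare_digest(stored.encode(), password.encode())
    kind, _, domain = auth_type.partition("\\")        # "nt\DomainName" -> ("nt", "DomainName")
    kind = kind.lower()
    if kind not in AUTH_TYPES:
        raise ValueError(f"{entry.name}: unknown Auth-Type {auth_type!r}")
    if kind == "none":
        return True                                     # no password check at all
    if external is None:
        raise ValueError(f"{entry.name}: Auth-Type {kind} needs an external checker")
    return bool(external(kind, domain or None, username, password))
```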

 

1.1.3.2.18. How-To: Use Time Banking with VOP Radius
Time Banking lets you do a few things:
1. It lets you create time-based accounts where the person starts with a "bank" of time from which time is deducted the longer the person stays online. When the time falls to zero, the person is no longer allowed to connect until time is credited to their account again.

2. It can also be used to limit users to a fixed number of hours per day.

In both cases, you must use a program or script that will add time to the field corresponding to the time bank at appropriate times. In the first case, you would probably use a billing system or a homegrown package to have the user purchase more time and simply add the time (in seconds) to the timebank field. In the second instance, you would have to run a program or script that would "reset" the timebank field to a specific amount of time based on the account type.

Once you've put time in the timebank field, we take care of deducting time accordingly based on usage.


Restrictions
Time banking will work only under the following restrictions:
- it only works with the generic ODBC format
- your NAS'es must be sending accounting packets properly
- it cannot be used in conjunction with SNMP


Time banking setup
1. In the control panel on the Radius Server tab Select the default authorization method "ODBC data source"

2. Click "Setup" button and check that your ODBC data source is properly configured. Make sure that you're using the following fields: "TimeBank", "Radius ProfileID", "UserName", "Password" and "Service-Type". These must have corresponding fields in a database of some sort where the equivalent field names are defined in the "Table Column Name Definition".

3. Make sure that you have a test user in the table, including the username, password (in cleartext), the service type (typically, "Framed-User") and the profile associated with time banking that will be defined in the next step. For now, call this profile "Timed-Account"

4. Open profiles.txt with Notepad or any other text editor and create the "Timed-Account" profile. You define it basically like any other profile, but you must add the attribute "VPRRS Time Control = YES".

See the following examples:

Profile="Timed-Account"
<TAB>Service-Type = Framed-User
<TAB>Framed-Protocol = PPP
<TAB>Idle-Limit = 3600
<TAB>Port-Limit = 1
<TAB>VPRRS Time Control = YES

5. In the profile, you can add additional attributes, such as "VPRRS Credit Limit". This is used to provide a time buffer where the user can go over their credit limit. The value you put here is the amount of time in seconds they can go over the limit. Example: "VPRRS Credit Limit = 1200" would allow the user to go 20 minutes above their limit.

6. The attributes "VPRRS Time Control" and "VPRRS Credit Limit" should not be present in the VOP Radius dictionary file ("VprDict.txt" ). These are special attributes that are strictly used with VOP Radius. The dictionary can only contain valid RADIUS RFC attributes and values.
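Time-bank enforcement as the profile attributes above describe it, as an added example that is not Vircom code. It keeps a TimeBank (in seconds) per user, grants access only while the bank plus the VPRRS Credit Limit buffer is positive, deducts the session length at the accounting Stop, and performs the "reset" a nightly script would do for per-day quotas. Returning the remaining time as Session-Timeout is this example's choice, not something the page states; the table rows and profiles are constructed.

```python
from dataclasses import dataclass

PROFILES = {   # constructed profiles.txt content, already parsed
    "Timed-Account": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP",
                      "Idle-Limit": "3600", "Port-Limit": "1",
                      "VPRRS Time Control": "YES", "VPRRS Credit Limit": "1200"},
    "Flat-Rate": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"},
}


@dataclass
class UserRow:
    """One row of the generic ODBC table, with the columns named in the setup above."""
    UserName: str
    Password: str
    ServiceType: str
    RadiusProfileID: str
    TimeBank: int        # seconds remaining; may go negative inside the credit buffer


class TimeBanking:
    def __init__(self, rows, profiles=PROFILES):
        self.rows = {r.UserName: r for r in rows}
        self.profiles = profiles

    def _controls(self, row):
        """(time control enabled?, credit limit in seconds) for the user's profile."""
        prof = self.profiles[row.RadiusProfileID]
        return (prof.get("VPRRS Time Control", "").upper() == "YES",
                int(prof.get("VPRRS Credit Limit", 0)))

    def access_request(self, username, password, service_type):
        row = self.rows.get(username)
        if row is None or row.Password != password or row.ServiceType != service_type:
            return "Access-Reject", {}
        # VPRRS attributes steer the server and are never sent to the NAS
        attrs = {k: v for k, v in self.profiles[row.RadiusProfileID].items()
                 if not k.startswith("VPRRS ")}
        controlled, credit = self._controls(row)
        if controlled:
            remaining = row.TimeBank + credit
            if remaining <= 0:                       # bank and buffer used up
                return "Access-Reject", {}
            attrs["Session-Timeout"] = str(remaining)   # assumption: cut the session at the limit
        return "Access-Accept", attrs

    def accounting(self, username, status_type, session_time):
        """Deduct Acct-Session-Time at the Stop; returns the updated bank (None if no user)."""
        row = self.rows.get(username)
        if row is None:
            return None
        controlled, _ = self._controls(row)
        if controlled and status_type == "Stop":
            row.TimeBank -= int(session_time)
        return row.TimeBank

    def daily_reset(self, quota_by_profile):
        """What the nightly script does for per-day quotas: set the bank back to the quota."""
        for row in self.rows.values():
            if row.RadiusProfileID in quota_by_profile:
                row.TimeBank = quota_by_profile[row.RadiusProfileID]


def demo():
    tb = TimeBanking([UserRow("ann", "pw", "Framed-User", "Timed-Account", 3000),
                      UserRow("ben", "pw", "Framed-User", "Flat-Rate", 0)])
    out = {}
    out["ann1"] = tb.access_request("ann", "pw", "Framed-User")        # Accept, 3000 + 1200 s left
    out["bank_after"] = tb.accounting("ann", "Stop", 3600)             # 3000 - 3600 = -600, inside buffer
    out["ann2"] = tb.access_request("ann", "pw", "Framed-User")        # Accept, 600 s left
    tb.accounting("ann", "Stop", 700)                                  # -1300: past the 1200 s buffer
    out["ann3"] = tb.access_request("ann", "pw", "Framed-User")[0]     # Reject
    out["ben"] = tb.access_request("ben", "pw", "Framed-User")         # flat rate: bank ignored
    tb.daily_reset({"Timed-Account": 7200})                            # per-day quota restored
    out["ann4"] = tb.access_request("ann", "pw", "Framed-User")[1]["Session-Timeout"]
    return out
```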

1.1.3.2.19. How to: use UNIX password files and UNIX GIDs

Background

VOP Radius supports authenticating users against a UNIX password file. In most cases the reason for this setup is a recent migration away from a UNIX-based RADIUS server to VOP Radius. Starting in VOP Radius 4.0 228 and Update21, more functionality was added to have VOP Radius intelligently assign a user to a profile based on the user's UNIX Primary Group ID (GID).

UNIX Files

There are two important UNIX password files that can be configured with VOP Radius. The following gives a brief description of each of these files.

1. UNIX User File (i.e. /etc/passwd file in UNIX).

Here is an example of the file format with a brief description:

smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash

The fields in a passwd entry are separated by ":" (colon) characters and are as follows:

* Username, up to 8 characters. Case-sensitive, usually all lowercase
* An "x" in the password field means the value is stored in the ``/etc/shadow'' file. Otherwise, the password value appears in place of the x.
* Numeric user id. This is assigned by the ``adduser'' script. Unix uses this field, plus the following group field, to identify which files belong to the user.
* Numeric group id. Red Hat uses group id's in a fairly unique manner for enhanced file security. Usually the group id will match the user id.
* Full name of user. I'm not sure what the maximum length for this field is, but try to keep it reasonable (under 30 characters).
* User's home directory. Usually /home/username (eg. /home/smithj). All user's personal files, web pages, mail forwarding, etc. will be stored here.
* User's "shell account". Often set to ``/bin/bash'' to provide access to the bash shell (my personal favorite shell).


2. UNIX Password file (i.e. /etc/shadow file in UNIX)

Here is an example of the file format with a brief description:

smithj:Ep6mckrOLChF.:10063:0:99999:7:::

As with the passwd file, each field in the shadow file is also separated with ":" colon characters, and are as follows:

* Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
* Password, 13-character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a ``*'' entry (eg. :*:) indicates the account has been disabled.
* The number of days (since January 1, 1970) since the password was last changed.
* The number of days before password may be changed (0 indicates it may be changed at any time).
* The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years).
* The number of days to warn user of an expiring password (7 for a full week).
* The number of days after password expires that account is disabled.
* The number of days since January 1, 1970 that an account has been disabled.
* A reserved field for possible future use.


Setup

Part 1

1. Go under the "Radius Server Tab" and select "Text File / Unix passwd file"
2. Click the "Setup" button and verify that  the "Users File Name" path is correct. By default it points to the file "users.txt" under the "radius" install folder.
3. Check the option "UNIX File for Password" in order to specify to VOP Radius the path to the file
4. Enter the path to the UNIX password file
5. Select the option "UNIX File for GID Group ID" if you want to enable this feature (more details below)
6. Enter the path to the UNIX user file containing the GID Group ID.
7. Click Ok and Apply

The above steps configure VOP Radius to perform default authentication with a text file (i.e. the "users.txt" file in the case of a default setup). The next part explains how to set up the "users.txt" file to work with a UNIX password file.

Note 1: The "UNIX File for Password" path should point to what was called "UNIX password file (i.e. /etc/shadow file in UNIX)" in the section "UNIX FILES".
Note 2: The "UNIX File for GID Group ID" path should point to what was called "UNIX User File (i.e. /etc/passwd file in UNIX). " in the section "UNIX FILES".

Part 2

The administrator has to decide how he wants to format the "users.txt" file.

Option A

DEFAULT<TAB>Auth-Type="system"
<TAB>Service-Type = Framed-User

Explanation: The word "DEFAULT" has special meaning to VOP Radius as "use this if the username can not be found elsewhere in the file". Most administrators will choose to use this option for its simplicity. In this case with every Access Request, VOP Radius will look in the "users.txt" file and find a match with the "DEFAULT" user template. Next, because the first line reads Auth-Type = "system", VOP Radius will look for the user and his/her password in the UNIX password file specified. Here is an example of a UNIX password file line:

alice:teH0wLIpW0gyQ:511:512:Alice Smith:/home/alice:/bin/bash

Note 1: The line "Service-Type" and its corresponding value has been added to just remind the administrator that in addition to the password, the Service-Type received in the Access Request must also match what has been defined for the user. The administrator may omit the Service-Type from the user template and instead enter it in the user's assigned profile. This way a different Service-Type can be assigned to every group. 

Note 2: The <TAB> means that the TAB key on the keyboard must be used in order for VOP Radius to properly parse the file. 

Option B

username1<TAB>Auth-Type="system"
<TAB>Service-Type = Framed-User

username2<TAB>Auth-Type="system"
<TAB>Service-Type = Framed-User

username3<TAB>Password="password"
<TAB>Service-Type = Framed-User

Explanation: In this option the administrator has decided to create individual entries for each user. Most administrators will not want to setup the "users.txt" file this way for the obvious workload that it adds. However, in some cases it may be required such as when the "users.txt" file will contain both users that should authenticate against a UNIX password file and users that should have their passwords specified. For instance, in the above example VOP Radius will authenticate "username1" and "username2" against the UNIX password file; while for "username3" VOP Radius will compare the user's password against the value specified for the "Password" attribute.

Part 3 (optional)

The administrator has to decide whether or not he/she wants to use the feature "UNIX File for GID Group ID". This is a feature incorporated into VOP Radius starting with version 4.0 228 and Update22. When enabled, the feature causes VOP Radius to retrieve the user's GID from the UNIX User file and then automatically assign the user to the profile with the same name in the "profiles.txt" file. For example, suppose that in the UNIX user file the user is assigned the UNIX GID 333. VOP Radius will take the GID 333 and search the profiles.txt file for a profile called "333". Next, the attributes specified in the "333" profile will be assigned to the user. The purpose of the feature is to save the administrator some work (and time!) by not having to manually assign the same attributes to a logical group of users already defined in the UNIX password file. Without this feature the administrator would have to enter all the UNIX users individually in the "users.txt" file and then specify a profile using the "profile" attribute. The sequence in which the feature works is as follows:

1) VOP Radius finds the user in the "users.txt" file (either by matching the username or by finding the "DEFAULT" user template)
2) VOP Radius searches the UNIX password file and finds that the UNIX GID of 333 is assigned to the user
3) Assuming that the "username" and "password" match, VOP Radius searches the profiles.txt file for a profile called "333". For example:

Profile="333"
<TAB>Service-Type = Framed-User
<TAB>Session-Timeout = 3600

4) VOP Radius creates the Access Granted packets and returns the attributes found in the profile and enforces any of the access check attributes found. Keeping with the example, VOP Radius will return a Session-Timeout value of 3600 AND a Service-Type value of Framed-User.

Note: The profiles.txt file is found by default under the "radius" folder.
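
The GID-to-profile lookup described in steps 1 to 4 above, as an added worked example in Python. This is not VOP Radius code: the passwd lines, the profiles.txt text and the function names are constructed for illustration, and step 1 (the users.txt match) and the password check are assumed to have already succeeded before the lookup runs.

```python
"""GID-driven profile lookup, modelled on the "UNIX File for GID Group ID" feature.

Added example, not part of VOP Radius.  The inputs below are constructed to
match the page's description: 7-field passwd lines, and a profiles.txt made of
Profile="name" headers followed by tab-indented "Attribute = Value" lines.
"""
import re

# Constructed sample UNIX password file (username:x:uid:gid:gecos:home:shell).
PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/sh
username1:x:1001:333:Dial-up user:/home/username1:/bin/false
username2:x:1002:333:Dial-up user:/home/username2:/bin/false
username3:x:1003:444:Staff:/home/username3:/bin/sh
"""

# Constructed sample profiles.txt in the page's format (the \t are real tabs).
PROFILES_FILE = """\
Profile="333"
\tService-Type = Framed-User
\tSession-Timeout = 3600

Profile="444"
\tService-Type = Framed-User
\tSession-Timeout = 7200
\tIdle-Timeout = 600
"""


def parse_passwd(text):
    """Return {username: gid}; lines without a numeric GID field are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[3].isdigit():
            continue
        users[fields[0]] = int(fields[3])
    return users


def parse_profiles(text):
    """Return {profile_name: {attribute: value}} from profiles.txt text."""
    profiles = {}
    current = None
    for raw in text.splitlines():
        header = re.match(r'^Profile="([^"]+)"\s*$', raw)
        if header:
            current = {}
            profiles[header.group(1)] = current
            continue
        if current is not None and raw.strip() and "=" in raw:
            name, value = raw.split("=", 1)
            current[name.strip()] = value.strip()
    return profiles


def gid_profile_attributes(username, passwd_text, profiles_text):
    """Steps 2 to 4 of the page: find the user's GID, then the profile named after it.

    Returns the profile's attributes (what the Access-Accept would carry), or
    None when the user is not in the passwd file or no profile carries the GID's
    name; in the latter case the administrator still has to create that profile."""
    gid = parse_passwd(passwd_text).get(username)
    if gid is None:
        return None
    return parse_profiles(profiles_text).get(str(gid))


if __name__ == "__main__":
    print(gid_profile_attributes("username1", PASSWD_FILE, PROFILES_FILE))
```

With the constructed files, "username1" (GID 333) receives Service-Type = Framed-User and Session-Timeout = 3600, exactly the pair step 4 describes, while "root" (GID 0) gets nothing because no profile named "0" exists.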

 

1.1.3.2.20. How-To: Test VOP Radius using the VOPTEST Client

When installing VOP Radius for the first time, you can do a test authentication without using the actual hardware (your NAS'es) to see if the RADIUS side is working properly. We provide a program called voptest.exe that you can use as a NAS simulator. Basically, it lets you send an access-request with fairly standard attributes to VOP Radius and will give you the result and the reason if it didn't receive an access-granted.

Simply follow these steps to use VOP Test ...

1- Create a test client in the VOP Radius client tab
Since VOP Test will be running on one of your machines as if it were a NAS, you need to declare that machine as a valid RADIUS client in the Client tab.

- Go to the VOP Radius Server configuration console (in your control panel).
- Click on the Client tab.
- Click on the Add button.
- At the Name field, type in the name you want to call it (ex: Test).
- At the IP Address field, type in the IP address where voptest will be run from. *
- At the Secret field, specify a shared secret (ex: test).
- At the Client type drop down menu, choose Other.
- Uncheck the Security Checkbox.
- Click on the OK button.
- Make sure you click on Apply button at VOP Radius Configuration Console.

* Normally, most people will run VOP Test from the same IP as VOP Radius server itself since voptest is on the same machine. So simply put the IP address of the RADIUS Server itself here, or the workstation IP that you are going to use VOPTest.exe client on if you're going to run it from somewhere else.

2- Run VOP Test
You'll usually find voptest.exe under c:\program files\vircom\radius. Feel free to create a shortcut to it on your desktop, since voptest can be useful in many situations.

- Run voptest.exe, a window should pop up.
- Type in the username and password that you want to do the test with.
- The Radius Request Type should be Framed-User by default.
- The Radius Server IP should be the VOP Radius Server IP Address.
- The Radius Server Port should be 1645 by default
- The NAS IP Address should be the IP you specified when you created the test client in RADIUS.
- The Shared Secret should be the secret defined in the client definition (ex: test).
- You can leave NAS Identifier as blank
- Click on Start button to start the test.

If the authentication works, you'll see the success count increment, otherwise you'll see the failure count grow. The reason for the failure will appear in the results text box.
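
The exchange VOP Test performs, as an added Python example that is not Vircom's voptest.exe: it builds a PAP Access-Request with the attributes the how-to describes (User-Name, User-Password, NAS-IP-Address, NAS-Port, Service-Type = Framed-User, Framed-Protocol = PPP), hides the password with the shared secret as RFC 2865 requires, and checks the Response Authenticator of the reply so that a reply produced with a different secret is not mistaken for a success. Function names, the NAS-Port value of 1 and the server address in the usage line are assumptions.

```python
"""RADIUS Access-Request / Access-Accept handling as VOPTEST exercises it (RFC 2865).

Added example; this is not Vircom's voptest.exe.  Attribute choices follow the
defaults the how-to describes; function names and the authenticator check are mine.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, FRAMED_PROTOCOL, NAS_IDENTIFIER = 6, 7, 32
FRAMED_USER, PPP = 2, 1


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), the first block using the Request
    Authenticator.  This is obfuscation keyed by the shared secret, not encryption."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    if not pw:
        pw = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """What the server does with User-Password; inverse of hide_password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00").decode()


def attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident, secret, username, password, nas_ip, nas_identifier=""):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = os.urandom(16)  # fresh per request; the reply is bound to it
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += attr(NAS_PORT, struct.pack("!I", 1))  # assumed port number
    attrs += attr(SERVICE_TYPE, struct.pack("!I", FRAMED_USER))
    attrs += attr(FRAMED_PROTOCOL, struct.pack("!I", PPP))
    if nas_identifier:
        attrs += attr(NAS_IDENTIFIER, nas_identifier.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_is_authentic(response, request_authenticator, secret):
    """RFC 2865 section 3: Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret).  A reply failing this check was not made
    with our shared secret for our request and must be ignored."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def build_response(code, request, secret):
    """Server-side reply with no attributes; here only to exercise the check offline."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def send_access_request(server_ip, secret, username, password, nas_ip, port=1645, timeout=3.0):
    """Send one request (the VOPTEST 'Start' button) and report accept / reject / error."""
    packet, authenticator = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (client not declared, wrong port, or server down)"
    if reply[1] != packet[1] or not response_is_authentic(reply, authenticator, secret):
        return "reply failed authenticator check (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "code %d" % reply[0])


if __name__ == "__main__":
    # Assumed addresses: server 192.168.0.1, test client 192.168.0.112, secret "test".
    print(send_access_request("192.168.0.1", b"test", "test", "test", "192.168.0.112"))
```

A silent timeout is the usual outcome when the sending machine was not declared in the Client tab or the Security checkbox rejected the packet, which is why the how-to has you create the test client first; a reply that fails the authenticator check almost always means the secret typed into VOP Test differs from the one in the client definition.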

1.1.3.2.21. How-To: Setup VPN with VOP Radius Authentication

What is VPN?

A virtual private network (VPN) is a private data network that makes use of the public telecommunications infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The idea of the VPN is to give the company the same capabilities at much lower cost by using the shared public infrastructure rather than a private one. Phone companies have provided secure shared resources for voice messages. A virtual private network makes it possible to have the same secure sharing of public resources for data. Companies today are looking at using a virtual private network for both extranets and wide-area intranets.
Using a virtual private network involves encrypting data before sending it through the public network and decrypting it at the receiving end. An additional level of security involves encrypting not only the data but also the originating and receiving network addresses. Microsoft, 3Com, and several other companies have developed the Point-to-Point Tunneling Protocol (PPTP) and Microsoft has extended Windows NT to support it. VPN software is typically installed as part of a company's firewall server.

In this setup, we will look at how to setup and configure VPN in Windows 2000 using Routing And Remote Access (RRAS) with Point-to-Point Tunneling Protocol (PPTP). The VPN server will communicate with VOP Radius for the authentication and accounting.

The Setup

The first step is to install and configure Windows 2000 Server to be used as the VPN server.

1-Install Windows 2000 Server operating system. This is the PC that will be used as the VPN server, therefore it requires a valid static IP and an internet connection.

2-Open the RRAS console (Start->Programs->Administrative Tools->Routing And Remote Access).

3-Right click on the server name and choose "Configure and Enable Routing and Remote Access."

4-Click on the Next button, when you arrive at the "Common Configurations" screen DO NOT choose "Virtual private network server." This portion of the wizard is buggy (see Microsoft Knowledge Base article Q243374 for more information). Choose "Manually configure server" instead.

5-Click through the rest of the wizard to finish the installation and reboot the server at the end.

6-Open the RRAS console. Right click on the server name and select "Properties."

7-Click on the "Security" tab. Choose "RADIUS Authentication" as the authentication provider.

8-Click the "Authentication Methods..." button. Deselect all the authentication protocols except "Unencrypted password (PAP)."

Click OK to save the changes and continue.

9-Click on the "Configure" button then the "Add" button in order to point Windows 2000 RRAS to the VOP Radius server. Enter the server's host name or IP address in the "Server Name" field. Click "Change..." to add and verify the RADIUS server's secret key. Click OK to save the changes and continue.

10-Enter the port number where the VOP Radius server is listening for packets in the "Port" field. Default = 1645

11-Repeat steps 7 to 11 for accounting. Default = 1646

12-Click on the IP tab to configure the IP assignment to authenticating users, click OK to close the "Properties" page.

13-Right click on the "Ports" tab and select "Properties".

14-Click on the "WAN Miniport (L2TP)" and click on the "Configure" button.

15-Deselect "Remote Access Connections" and "Demand-Dial Routing Connections"

Click OK. This will deny access through L2TP and allow access through the PPTP protocol. If you wish to leave L2TP enabled, then you will need to install the Microsoft Certificate application and configure it with a proper certificate for inbound access requests.

16-Click OK.

17-Restart the RRAS service by right-clicking the server name and selecting "All Tasks -> Restart."

The VPN server is now ready to receive access requests and proxy them to the VOP Radius server. The second step of this setup would be to install and configure VOP Radius on a separate server to receive the requests from the VPN server.

1-Install VOP Radius on a dedicated server running Windows NT/2000. This server does not require a public IP that is visible to the internet, as long as the VPN server is able to ping the radius server.

2-Configure VOP Radius with the proper authentication method (text file, ODBC, etc...)

3-Create the VPN client in the Clients tab:

- Go to the VOP Radius Server configuration console (in your control panel).
- Click on the Client tab.
- Click on the Add button.
- At the Name field, type in the name you want to call it (ex: VPN).
- At the IP Address field, type in the IP address where the VPN server is located.
- At the Secret field, specify the shared secret that was specified in the RRAS properties (ex: test).
- At the Client type drop down menu, choose RAS.
- Uncheck the Security Checkbox.
- Click on the OK button.
- Make sure you click on the Apply button in the VOP Radius Configuration Console to save the changes.

4-Make the proper modifications to the dictionary file (VPRDict.txt). Add the following fields if they do not already exist:

VENDOR_CODE MICROSOFT 311

VSA MICROSOFT MS-CHAP-Response 1 octets
VSA MICROSOFT MS-CHAP-Error 2 string
VSA MICROSOFT MS-CHAP-CPW-1 3 octets
VSA MICROSOFT MS-CHAP-CPW-2 4 octets
VSA MICROSOFT MS-CHAP-LM-Enc-PW 5 octets
VSA MICROSOFT MS-CHAP-NT-Enc-PW 6 octets
VSA MICROSOFT MS-MPPE-Encryption-Policy 7 octets
VSA MICROSOFT MS-MPPE-Encryption-Type 8 string
VSA MICROSOFT MS-RAS-Vendor 9 integer # content is Vendor-ID
VSA MICROSOFT MS-CHAP-Domain 10 string
VSA MICROSOFT MS-CHAP-Challenge 11 octets
VSA MICROSOFT MS-CHAP-MPPE-Keys 12 octets
VSA MICROSOFT MS-BAP-Usage 13 integer
VSA MICROSOFT MS-Link-Utilization-Threshold 14 integer # values are 1-100
VSA MICROSOFT MS-Link-Drop-Time-Limit 15 integer
VSA MICROSOFT MS-MPPE-Send-Key 16 octets
VSA MICROSOFT MS-MPPE-Recv-Key 17 octets
VSA MICROSOFT MS-RAS-Version 18 string
VSA MICROSOFT MS-Old-ARAP-Password 19 octets
VSA MICROSOFT MS-New-ARAP-Password 20 octets
VSA MICROSOFT MS-ARAP-PW-Change-Reason 21 integer
VSA MICROSOFT MS-Filter 22 octets
VSA MICROSOFT MS-Acct-Auth-Type 23 integer
VSA MICROSOFT MS-Acct-EAP-Type 24 integer
VSA MICROSOFT MS-CHAP2-Response 25 octets
VSA MICROSOFT MS-CHAP2-Success 26 octets
VSA MICROSOFT MS-CHAP2-CPW 27 octets

#
# The draft defines two meanings for '28' and '29'
#
#VSA MICROSOFT MS-ARAP-Challenge 28 octets
#VSA MICROSOFT MS-ARAP-Guest-Account 29 integer

VSA MICROSOFT MS-Primary-DNS-Server 28 ipaddr
VSA MICROSOFT MS-Secondary-DNS-Server 29 ipaddr
VSA MICROSOFT MS-Primary-NBNS-Server 30 ipaddr
VSA MICROSOFT MS-Secondary-NBNS-Server 31 ipaddr

#
# Integer Translations
#

# MS-BAP-Usage Values

VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2

# MS-ARAP-Password-Change-Reason Values

VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Required-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4

# MS-ARAP-Guest-Account Values
#
# The first value (0) is not in the draft, but it might make sense...
#
#VALUE MS-ARAP-Guest-Account Dont-Use-Guest-Account 0
#VALUE MS-ARAP-Guest-Account Use-Guest-Account 1

# MS-Acct-Auth-Type Values

VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5

# MS-Acct-EAP-Type Values

VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13

5-Save and close the VPRDict.txt file and stop and restart the radius server. You are now ready to make the VPN connection. From any workstation that has an Internet connection, create a VPN connection:

- Right click on "My Network Places" and select "Properties."

- Double click on the "Make New Connection" button.

- Click "Next", select the "Connect to a private network through the Internet" radio button and click "Next."

- Enter the host name or IP address of the VPN server and click "Next."

- Select the connection type and click "Next."

- Click "Next", enter a name for the connection and click on the "Finish" button.

You should now see the VPN icon with the name you entered for the connection. Double click on the icon, enter the username and password to be used, and click on the "Connect" button.

Once you see the following sign at the bottom of the screen,

[screenshot not reproduced]

then the connection has successfully been established; you are now connected to the private network. Depending on the settings assigned, you should be able to browse the network and access the servers on the network. Make sure you have been assigned a valid IP address in order to browse the network. If the IP begins with 169.254.*.* then you have been assigned an automatic IP by Windows and not through the DHCP server or a static IP.
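
The VPRDict.txt lines added in step 4 of this how-to (VENDOR_CODE, VSA and VALUE entries, comments starting with "#") describe how a Vendor-Specific attribute is named and typed; what goes on the wire is RADIUS attribute 26 carrying the vendor id and an inner type/length/value. The following added Python example, which is not VOP Radius's own dictionary code, parses a constructed excerpt of the Microsoft block in that format and encodes and decodes a VSA with the RFC 2865 section 5.26 layout. That VOP Radius uses exactly this layout is an assumption, as are the function names; the same dictionary syntax (with <tab> or spaces between fields) is used for the other vendor entries on this page.

```python
"""Parse VPRDict.txt-style dictionary lines and encode/decode a Vendor-Specific
attribute (RADIUS attribute 26, RFC 2865 section 5.26).

Added example, not VOP Radius code.  DICT_TEXT is a constructed excerpt of the
Microsoft dictionary block; fields may be separated by tabs or spaces and "#"
starts a comment, as in the file.
"""
import socket
import struct

DICT_TEXT = """\
VENDOR_CODE\tMICROSOFT\t311
VSA MICROSOFT MS-CHAP-Domain 10 string
VSA MICROSOFT MS-BAP-Usage 13 integer
VSA MICROSOFT MS-Primary-DNS-Server 28 ipaddr
VSA MICROSOFT MS-RAS-Vendor 9 integer # content is Vendor-ID
#VSA MICROSOFT MS-ARAP-Challenge 28 octets
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
"""

VENDOR_SPECIFIC = 26


def parse_dictionary(text):
    """Return (vendors, vsas, values): vendor name -> id, attribute name ->
    (vendor, vendor-type, value-type), attribute name -> {value name: number}."""
    vendors, vsas, values = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind = fields[0].upper()
        if kind == "VENDOR_CODE" and len(fields) == 3:
            vendors[fields[1]] = int(fields[2])
        elif kind == "VSA" and len(fields) == 5:
            vsas[fields[2]] = (fields[1], int(fields[3]), fields[4].lower())
        elif kind == "VALUE" and len(fields) == 4:
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return vendors, vsas, values


def encode_value(vtype, value, named):
    """integer: 4-byte big-endian (a VALUE name is accepted); ipaddr: 4 bytes;
    string: UTF-8 text; octets: raw bytes."""
    if vtype == "integer":
        if isinstance(value, str):
            value = named[value] if value in named else int(value)
        return struct.pack("!I", value)
    if vtype == "ipaddr":
        return socket.inet_aton(value)
    if vtype == "string":
        return value.encode()
    if vtype == "octets":
        return bytes(value)
    raise ValueError("unsupported value type %r" % vtype)


def decode_value(vtype, data, named):
    """Inverse of encode_value; integers are mapped back to their VALUE name if one exists."""
    if vtype == "integer":
        number = struct.unpack("!I", data)[0]
        return next((name for name, code in named.items() if code == number), number)
    if vtype == "ipaddr":
        return socket.inet_ntoa(data)
    if vtype == "string":
        return data.decode()
    return data


def encode_vsa(dictionary, attr_name, value):
    """Attribute 26: Type, Length, Vendor-Id (4 bytes), Vendor-Type, Vendor-Length, Value."""
    vendors, vsas, values = dictionary
    vendor, vendor_type, vtype = vsas[attr_name]
    payload = encode_value(vtype, value, values.get(attr_name, {}))
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", vendors[vendor]) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(dictionary, data):
    """Return (attribute name, value); rejects malformed lengths before trusting them."""
    vendors, vsas, values = dictionary
    if len(data) < 8 or data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vendor_type, vendor_len = data[6], data[7]
    if vendor_len != len(data) - 6:
        raise ValueError("vendor-length does not match attribute length")
    payload = data[8:8 + vendor_len - 2]
    for name, (vendor, code, vtype) in vsas.items():
        if vendors.get(vendor) == vendor_id and code == vendor_type:
            return name, decode_value(vtype, payload, values.get(name, {}))
    raise KeyError("unknown vendor %d / vendor-type %d" % (vendor_id, vendor_type))


if __name__ == "__main__":
    d = parse_dictionary(DICT_TEXT)
    print(encode_vsa(d, "MS-Primary-DNS-Server", "10.0.0.53").hex())
```

The commented-out MS-ARAP-Challenge line is dropped by the parser, which matters here because it shares vendor-type 28 with MS-Primary-DNS-Server; a dictionary that uncommented both would make decoding of that vendor-type ambiguous.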

1.1.3.2.22. How-To: Setup the Remote Manager for VOP Radius

What is Remote Manager for Radius?
Remote Manager is a tool that gives administrators the ability to view a list of users online. It shows the duration of the connection and the session limit, as well as the state and service of the user's connection. It also displays the IP and port of the access server that the user authenticated on, as well as the IP assigned to the user.

If a user gets stuck online, the administrator can highlight the user in the Remote Manager and delete him from the list, allowing him to reconnect successfully to the network.


When users are authenticated through RADIUS, you will see in the Remote Manager the username that was used to authenticate. A symbol representing the connection is displayed next to the username; the symbol represents the state of the user's connection. Here are the symbols you may see next to the username:

- (handshake icon) This symbol represents a user in the Acknowledge state. The user has passed the authentication stage. This symbol will change when RADIUS receives the accounting packets.

- (icon) This symbol represents a user that has passed authentication and is being accounted for after the accounting packets were received. Most users online should look like this.

- (icon) This symbol represents a user that is online and being accounted for but did not get authenticated through the database. The database could have been down, or an accounting packet arrived before the authentication did.

- (icon) This symbol is for rejected users. The most likely cause of this symbol is an incorrect username or password.

- (icon) This symbol represents a user that has disconnected from his session.

The Setup
There are two steps in installing and configuring the Remote Manager: the first is done in the VOP Radius configuration panel, and the second is to install the Remote Manager on a remote PC.

Configuring Radius for remote manager:

1-Start Radius configuration panel

2-Click on the Remote Administration tab. You will notice two columns. "Allow access" is where you specify the users who are allowed to access the radius server through the Remote Manager panel. The other column, "Used Protocol", is where you specify the protocol information that VOP Radius will listen on for connections; when using the IP protocol this is usually the radius server's IP address.

3-Click on the Add... button under the Allow access column, select all the users that you wish to allow access through the Remote Manager panel, and click OK when done.

4-Click on the Add... button under the Used Protocol column:

5-In most situations you would use TCP/IP, so for the purpose of this test we will use TCP/IP. Click on the TCP/IP radio button and add the IP address that VOP Radius will listen on for incoming connections; this is usually the same IP as the radius server. Add the port number 9999; this port number is likely to be unused. You may choose a different port number if 9999 is already in use. Click OK when done.

6-After you have added your allowed users and your protocol, click on Apply.

7-Click on the General tab and click on STOP radius server; after the service has stopped, click on START radius server to restart it.

You are now ready to install the Remote Manager software on a local or remote PC. You may install the Remote Manager on as many PCs as you wish.

Installing the Remote Manager application on a remote PC:

1-Execute the VPRrem.exe file located in the program files\vircom\radius directory

2-Click next and follow the steps to complete the installation. At the end of the installation, it will ask you if you would like to install the MMC console application. This is already installed in the Windows 2000 OS. If you are using Windows NT/98/95, please make sure that you install the required application if it is not already installed.

3-After the installation, the Remote Manager will start automatically. Right click on Vircom Radius Manager and select New VOP RADIUS Registration from the menu.

4-Click next

5-Enter a name for the radius server, Ex.: Radius_1

6-If you are installing the remote manager on a local PC, click on local radio button and click Finish. If it is on a remote PC, click on Remote, and then click next.

7-Choose the proper protocol from the drop down menu and fill out the proper fields for the IP and Port if you have selected TCP/IP.

8-Click Next

9-Enter the authentication fields accordingly and click Finish.

10-You should now see the new radius registration you have just created.

At first, it will show a "Connection failed..." message. Right click on the new radius server and select Connect from the menu. It should now look like the image below:

[screenshot not reproduced]

11-Click on the "+" sign next to the radius server to expand the view and click on the Users on-line tab; you should now see all the users that are connected online.

The Users on-line screen refreshes automatically every 2 minutes; this interval can be increased or decreased by right-clicking on the Users on-line tab and selecting Properties.


1.1.3.2.22.1. How-To: Generate reports using the VOP Report utility

VOP Radius supports a simple report generating facility that can produce summary reports for you. The report template is made using Crystal Reports from Seagate Software. It is very useful if you want to create your own templates and you use our "generic" database format instead of a third party billing package.

Here's how you generate a report ...

1- Convert the VPRAcct.log to ODBC (only if you're not logging to ODBC normally)
- Make sure you are not using Livingston format for accounting logs. It won't work if you are.
- Go to VOP Radius Accounting tab.
- At the Accounting Logs Conversion area:
- - Type in the path of the accounting log that you would like to convert and create report from.
- - At the To DataSource drop down menu choose the data source that you want to convert to.
- Then click on the Convert button.
- When the conversion is finished, a message will pop up saying “Conversion successful!”.
- Click on OK.

2- Create a report from ODBC using the VOP Report utility
- Go to C:\Program Files\Vircom\Radius\Reports\… and execute VOPRPT.exe
- At the menu bar click on File and choose Open Report.
- Open the file C:\Program Files\Vircom\Radius\Reports\Vprrsusg.rpt file (our template).
- At the menu bar click on Report and choose Set New Database.
- At the Source Name drop menu, choose the desired data source.
- Click on Set Database button.
- A message window should pop up saying “Database changed successfully!”.
- Click on OK.

You can modify the SQL query by going to the Report menu and choosing Modify SQL Query. You can also use the options at the bottom to specify the StartDate, EndDate, RoamerList, RoamingID and UserID. After you have specified all the information that you need, click on the PREVIEW/PRINT button to start the "create report" process. A Usage Report window should pop up after the process completes.

1.1.3.2.23. How-To: Setup Concurrency Checking using the Port-Limit or NAS-Port-Limit attributes

Background

A common task among ISP administrators is preventing users from establishing more than one concurrent connection.

(TO BE COMPLETED)

1.1.3.2.24. How To : Configure VOP Radius ODBC accounting to log the Connect Info attribute as a string instead of an integer
1.1.3.3. FAQ
1.1.3.3.1. What is the difference between the various client types?
1.1.4. Tools approved by Vircom
1.1.4.1. Tool: Radius: VOPTest that does not send NAS-Port-ID attribute

Purpose: Troubleshooting Only.

This version of VOPTest does not include the NAS-Port-ID attribute in the Access Request. Here is an example of what is sent in the Access Request packet:

(  7) Framed-Protocol = 1 
(  6) Service-Type = 2 Framed-User
(  5) Nas-Port-ID = 1 
(  2) Password = "<encrypted>"
( 32) Nas-Identifier = "Router",\ 52 6F 75 74 65 72 \
(  4) Nas-IP-Address = "192.168.0.112"
(  1) UserName = "test",\ 74 65 73 74 \

1.1.4.2. Tool: Radius: VOPTest Radius Client that sends large values for Accounting Attributes

Purpose: Troubleshooting only.

This version of VOPTest sends large values for the following accounting attributes: 42, 43, 47, and 48. Here is an example of an Accounting Start and attributes sent with this version of VOPTest:

   (  1) UserName = "test"
   (  4) Nas-IP-Address = "192.168.0.112"
   ( 48) Acct-Output-Packets = 4294967295
   ( 47) Acct-Input-Packets = 4294967295
   ( 43) Acct-Output-Octets = 4294967295
   ( 42) Acct-Input-Octets = 4294967295
   ( 46) Acct-Session-Time = 500
   ( 44) Acct-Session-ID = "12345678"
   ( 40) Acct-Status-Type = 1
   (  5) Nas-Port-ID = 2
   (  6) Service-Type = 2 Framed-User
   (  7) Framed-Protocol = 1

1.1.5. Third Party Product Integration
1.1.5.1. How-To: Integrate VOP Radius with Slipstream (Bandwidth Optimizer)

The steps listed in this How-to are specifically related to integration with Slipstream. For more information on how to define any Vendor Specific Attributes (VSAs), please consult the document How-To: Define New Attributes With VOP Radius (e.g. VSAs)

1) Go to program files\vircom\radius and open up the vprdict.txt file with notepad [vopradius dictionary]

2) Where the Vendor Codes are, add:

VENDOR_CODE<tab>SLIPSTREAM<tab>7000

3) Where the VSA codes are, add:

VSA<tab>SLIPSTREAM<tab>Slipstream-Auth<tab>1<tab>String

4) Save and close

5) You will then need to create a profile that will be used by people who will have access to Slipstream. Go to program files\vircom\radius and open up the profiles.txt file with notepad. Before you create the profile, you will need to check the option “Default PPP Service [Login/Unknown Users]” under the “Radius Server Tab”. For some reason Slipstream Network Access Servers do not send the attribute “Service-Type = Framed-User”. However, when VOP Radius searches the profiles.txt file for the profile name it does so using: 1) Profile name; and 2) Service-Type. Enabling “Default PPP Service [Login/Unknown Users]” fakes a Service-Type of “Framed-User”, allowing a match to be found in the profiles.txt file.


Profile="Slipstream"
<tab>Service-Type = Framed-User
<tab>Framed-Protocol = PPP
<tab>-- all your other attributes --
<tab>Slipstream-Auth = true

Note that the true MUST be in lower case, the slipstream bandwidth optimizer is case-sensitive.

1.1.5.2. How-To: Integrate VOP Radius with Colubris (wireless access point)

The steps listed in this How-to are specifically related to integration with Colubris. For more information on how to define any Vendor Specific Attributes (VSAs), please consult the document How-To: Define New Attributes With VOP Radius (e.g. VSAs)

1) Go to program files\vircom\radius and open up the vprdict.txt file with notepad [vopradius dictionary]

2) Where the Vendor Codes are, add:

VENDOR_CODE<tab>COLUBRIS<tab>8744

3) Where the VSA codes are, add:

VSA<tab>COLUBRIS<tab>Colubris-AVPair<tab>0<tab>String

4) Save and close

Colubris has provided Vircom and its customers example users.txt and profiles.txt files that can be used for a quick setup and/or for troubleshooting purposes.

Download the Colubris example users.txt file at the end of this page.

Download the Colubris example profiles.txt file at the end of this page.

Here are the rest of the steps to setup VOP Radius:

1) Under the Clients Tab make sure that a Client Definition is defined for the Colubris Wireless Access Point

2) Under the “Radius Server” Tab select “Text File” Authentication.

3) Under the VOP Radius install folder on disk (i.e. C:\Program Files\Vircom\Radius\ ), replace the default “users.txt” and “profiles.txt” files with the ones you downloaded.

At this point you are ready to test with the accounts specified in the users.txt file.

1.1.5.3. How-to: Integrate VOP Radius with Propel (bandwidth optimizer)

The steps listed in this How-to are specifically related to integration with Slipstream. For more information on how to define any Vendor Specific Attributes (VSAs), please consult the document: How-To: Define New Attributes With VOP Radius (e.g. VSAs)


1) Go to program files\vircom\radius and open up the vprdict.txt file with notepad [vopradius dictionary]

2) Where the Vendor Codes are, add:

VENDOR_CODE<tab>PROPEL<tab>14895

3) Where the VSA codes are, add:

VSA<tab>PROPEL<tab>Propel-Accelerate<tab>1<tab>integer

4) Save and close

5) You will then need to create a profile that will be used by people who will have access to Propel. Go to program files\vircom\radius and open up the profiles.txt file with notepad. Before you create the profile, you will need to check the option “Default PPP Service [Login/Unknown Users]” under the “Radius Server Tab”. For some reason Propel Network Access Servers do not send the attribute “Service-Type = Framed-User”. However, when VOP Radius searches the profiles.txt file for the profile name it does so using: 1) Profile name; and 2) Service-Type. Enabling “Default PPP Service [Login/Unknown Users]” fakes a Service-Type of “Framed-User”, allowing a match to be found in the profiles.txt file.


Profile="Propel"
<tab>Service-Type = Framed-User
<tab>Framed-Protocol = PPP
<tab>-- all your other attributes --
<tab>Propel-Accelerate = 1
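
The profile matching rule described in step 5 of the Slipstream and Propel how-tos, as an added Python example that is not VOP Radius code: the lookup succeeds only when both the profile name and the request's Service-Type match, and the "Default PPP Service [Login/Unknown Users]" option supplies Framed-User when the NAS sends no Service-Type at all. The profiles are given as an already-parsed, constructed dictionary; the function names and the way the option is passed in are assumptions. The last function models the case-sensitivity note for the Slipstream-Auth value.

```python
"""Profile selection by name and Service-Type, with the Default PPP Service fallback.

Added example modelling the rule stated on the page; not VOP Radius code.
"""

# Constructed: profiles.txt already parsed into {profile name: {attribute: value}}.
PROFILES = {
    "Slipstream": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP",
                   "Slipstream-Auth": "true"},
    "Propel": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP",
               "Propel-Accelerate": "1"},
    "Shell": {"Service-Type": "Login-User"},
}


def effective_service_type(request_attrs, default_ppp_service):
    """Service-Type the lookup sees: the request's own value, or Framed-User
    faked by the Default PPP Service option when the request carries none.
    A request that sends a *different* Service-Type is not altered."""
    service_type = request_attrs.get("Service-Type")
    if service_type is None and default_ppp_service:
        return "Framed-User"
    return service_type


def select_profile(profiles, profile_name, request_attrs, default_ppp_service=False):
    """Return a copy of the profile's attributes when both the name and the
    Service-Type match, otherwise None (no match, so no profile attributes)."""
    profile = profiles.get(profile_name)
    if profile is None:
        return None
    if profile.get("Service-Type") != effective_service_type(request_attrs, default_ppp_service):
        return None
    return dict(profile)


def reply_value_matches(reply_attrs, attr_name, expected):
    """Case-sensitive comparison, as the page notes Slipstream requires for 'true'."""
    return reply_attrs.get(attr_name) == expected


if __name__ == "__main__":
    # A Slipstream NAS that omits Service-Type only matches once the option is enabled.
    print(select_profile(PROFILES, "Slipstream", {"User-Name": "alice"}))
    print(select_profile(PROFILES, "Slipstream", {"User-Name": "alice"}, default_ppp_service=True))
```

Running the two calls in the usage block shows the failure mode the how-to warns about: without the option the request carries no Service-Type, so the profile named "Slipstream" is found by name but rejected on Service-Type and no attributes are returned.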

1.1.5.4. How-To: Use X-Stop filtering with VOP Radius

To use X-Stop with VOP Radius you will have to use the special attribute "VprrsXstop" instead of the generic attribute "Class-Id". For more information on how to define any Vendor Specific Attributes (VSAs), please consult the document How-To: Define New Attributes With VOP Radius (e.g. VSAs).

Here is an example of a Radius X-STOP Profile that can be used in the profiles.txt file:

test Password="test"
Service-Type = Framed-User
Framed-Protocol = PPP
VprrsXstop = "B 80 I"
VprrsXstop = "R PORN I"
VprrsXstop = "1"

Note: Each X-Stop property is placed on a separate line. Do not combine the above 3 lines into one line.

1.1.5.5. How-to: Monitor VOP Radius with WhatsUp Gold (3.5, 4.0, and Professional 2005)

WhatsUp Gold (3.5): Monitoring a User-Defined Service

In order to monitor VOP RADIUS from the WhatsUp Gold product, you must define one of the User-Defined services for the RADIUS protocol:

Select a network element. Click the Monitor tab and enable the Monitor this option.

In the Properties dialog box, click the Services tab. The Services properties appear.

Click one of the User Define (1,2 or 3) options. The User-Defined services dialog box appears.

In the Name text box, enter a unique name for the service (i.e. RADIUS). This name will be displayed in the Services tab.

In the Port text box, enter the port number 1645.

Select the UDP network type.

In the Send Command on Connect put:
\x\D\@\v0123456789012345\a\f

In the Expected Command Response put:
\cD\@

In the Send to Disconnect put:
QUIT

WhatsUp Gold (4.0)

Under this new version use the Radius Server custom type service.

In the Expected command response, add a * (star) character at the end.

Save it (no need to change anything else).

Make sure the user TEST does not exist in your database (otherwise change the username TEST to another four-letter name in the Send command on connect).

In the VOP RADIUS Control Panel application, you need to enter the Client Machine that will be sending those WhatsUp Gold Radius packets. Go in the Clients tab, and add a Client definition for the machine running WhatsUp Gold.

Choose Other as the Terminal Server type

Enter a secret (do not leave it blank). Any string will do.

Make sure to disable the Security Check (*VERY IMPORTANT*).

In order to verify if you are receiving packets from the WhatsUp program, just enable Debug Log Level 1 (in the Log Levels section of the VOP RADIUS Application), and look in the file VPRError.log for packets with code=24 (Monitor Request)

WhatsUp Gold Professional 2005

Please see the Word document attached at the bottom of this page for WhatsUp Gold Professional 2005.


1.1.5.6. Implementation Guide for RSA SecurID Ready and VOP Radius

Please see the attached RSA Secured PDF file for details on implementing RSA SecurID Ready with VOP Radius.

1.2. VOPCOM Technical Area
1.2.1. Release Information
1.2.1.1. VOP COM 4.0 228 Update 1

November 19th 2004: Update1 Released for VOP COM 4.0 228.

VOPCom no longer unconditionally inserts attribute 61 (NAS-Port-Type) with a value of 5 (Virtual) when opening a request with a NAS port value of zero. Instead, a NAS-Port-Type = Virtual will remove the NasPortID attribute from the packet.

Note: This update (i.e. vcom228.1.exe) is only an update file. You must already have the installation VCOM228.exe installed.

1.2.1.2. VOP COM 4.0 228

October 27th 2004: The new package of VOP COM can be downloaded at the bottom of this page. Important: You must unregister your current vopcom.dll (i.e. regsvr32 /u vopcom.dll) and register the new vopcom.dll (i.e. regsvr32 vopcom.dll) after the install (see manual for detailed information).

VOPCOM Client Object
Release Notes

October 27'04 (Version 4.0.228)

  • Fixed support for passwords longer than 16 characters.
  • Changed default RADIUS authentication and accounting ports to 1812 and 1813 to match latest VOP RADIUS server default ports. When the RADIUS standard was first written, the standard ports to use for RADIUS authentication and accounting packets were 1645 and 1646, respectively. Then it emerged that these ports had been assigned to another standard. The RADIUS standards group responded by changing the port assignments to 1812 and 1813, but many organizations still use the old assignments.

August 20'01 (Version 1.3.8)

  • Fix: Insufficient permissions to create and write log files could cause the failure to create VOPCom object.

December 11'00 (Version 1.2.5)

  • Added support for access-challenge responses

May 31'00 (Version 1.1.3)

In order to allow the VOP COM object to work with vendor specific attributes, we've added the following modifications:

  • Setting VOPCOM To Use A Different Dictionary
  • The "VOP COM.RadClnt" object has an additional property called "RADIUSDictionary". It tells VOP COM which radius dictionary to use. If this property is empty, the object is using the radius dictionary internally stored in the object. To specify an external file to use as a dictionary, assign its path to the property: Example: obj.RADIUSDictionary = "e:\VopRADIUS\VPRDict.txt"
  • Adding A Vendor-Specific Attribute
    To add vendor specific attribute use the method AddAttributeEx
  • Reading A Vendor-Specific Attribute
    To read vendor-specific attribute use the method GetAttributeValueEx
  • Getting The List Of Attributes
    In order to iterate through the list of the attributes use the two methods:
    GetAttributeCount and GetAttributeValueByIndex.

September 1'99 (Version 1.02)

  • Small fix involving the dictionary being reloaded for no reason.

July 8'99 (Version 1.001)

  • Fix: The AddAttribute function would add attributes at the beginning of the packet, instead of the end, and would have problems adding integer attributes if an empty string was provided in wszValue, instead of a NULL value.

April 21'99 (Version 1.000)

  • First Beta release.