RADIUS/TACACS+ Access Control Server for Windows
Installation and User Guide
A complete package for access control and accounting data management. Especially designed for Internet Service Providers. Available for Windows NT 4.0, Windows 95/98 and Windows 2000. Y2K Ready.

INFORMATION IN THIS DOCUMENT MAY BE SUBJECT TO CHANGE WITHOUT NOTICE. IT IS ALSO POSSIBLE THAT THIS DOCUMENT COULD INCLUDE TYPOGRAPHICAL ERRORS OR TECHNICAL INACCURACIES. MASTER SOFT S.N.C. PROVIDES THIS DOCUMENT AND THE RELATED SOFTWARE NTTACPLUS “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

NO PART OF THIS DOCUMENT MAY BE REPRODUCED, TRANSMITTED, STORED IN A RETRIEVAL SYSTEM, NOR TRANSLATED INTO ANY LANGUAGE, IN ANY FORM OR BY ANY MEANS, ELECTRONIC, MECHANICAL, MAGNETIC, OPTICAL, CHEMICAL, MANUAL, OR OTHERWISE, WITHOUT THE EXPRESS WRITTEN PERMISSION FROM MASTER SOFT S.N.C.

Copyright © 1998-2000 MASTER SOFT S.N.C. – Novara (Italy) – All rights reserved.
NTTacPlus and MSoft are registered trademarks of Master Soft S.n.c.
All the references to other companies and product names are trademarks or registered trademarks of their respective holders.

Installation and User Guide. Rel. 2.0.230 12/03/2007
Summary

Introducing NTTacPlus
What is NTTacPlus
NTTacPlus Main Features
What’s new in NTTacPlus 2.0
Introducing NTTacPlus 2.0
Differences with release 1.x
How to upgrade NTTacPlus 1.x
NTTacPlus Installation
System requirements
Contents of the installation package
NTTacPlus setup
Uninstalling NTTacPlus
Running NTTacPlus as a stand-alone application
Running NTTacPlus as a Windows NT service
Running NTTacPlus in unregistered mode
NTTacPlus Configuration
First execution of NTTacPlus
First login on NTTacPlus
NTTacPlus Console Elements
Configuration parameters summary
NAS Configuration for use with NTTacPlus
RADIUS/TACACS+ specific parameter configuration
Configuring NTTacPlus and the NAS for forced disconnection
General settings
Configuration of the activity event log
Resynchronization with Cisco NASes
Configuring backup on a NTTacPlus server
Configuration of login messages
RADIUS & TACACS+
The AAA Model
Authentication
Authorization
Accounting
NTTacPlus AAA Model Implementation
The authentication process in NTTacPlus
The authorization process in NTTacPlus
The accounting process in NTTacPlus
Comparison between some RADIUS attributes and their TACACS+ equivalent
The RADIUS attributes and the dictionary
Account Management
The User Account Database
Hierarchical structure of the database
User (group) profile parameters
Using wildcards in expressions
Some user and group profile examples
Special settings
The post-authentication scripts
Expiring account warning e-mail messages format
Account profiles in ODBC SQL format
Managing accounts with the Profile Manager
Some remarks about Profile Manager settings
The accounting data
Accounting data generated by NTTacPlus
Per-user accounting files
Global accounting files
Accounting data on ODBC SQL databases
SQL Active users output
Configuring Accounting in NTTacPlus
Configuring the accounting output on ODBC
Configuring NTTacPlus manually
Configuration file structure
Flags and Debug special parameters
Technical support and Product Registration
Documentation to enclose with communications
How to register the product
License Agreement
How to contact us

Introducing NTTacPlus

What is NTTacPlus

NTTacPlus is a centralized server application for the control and management of remote access to the network through the standard protocols TACACS+ (developed by Cisco) and RADIUS (developed by Livingston, now an IETF standard). This application implements the AAA model (Authentication, Authorization, Accounting):
Authentication: identifying who a user is (username/password pair validation).
Authorization: identifying what a user can do (network resource assignment).
Accounting: the recording process that keeps track of system utilization by the user.
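The authentication leg of the AAA model, as seen on the wire between a NAS and a RADIUS server, is shown in the following added example. It is not NTTacPlus code and not from this manual: it is a self-contained model of the RFC 2865 PAP Access-Request/Access-Accept exchange, showing the three pieces both sides rely on (the random Request Authenticator, the User-Password hiding keyed with the shared secret, and the Response Authenticator the NAS must verify before trusting a reply). The shared secret, user table and NAS address are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

# Constructed shared secret and user table for the example server.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {b"alice": b"Wonderland1", b"bob": b""}


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): each 16-byte block is XORed with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. An empty password still produces one 16-byte block."""
    pad = (-len(password)) % 16 or (16 if not password else 0)
    plain = password + b"\x00" * pad
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """[(type, value), ...] -> TLV bytes; the length byte covers the header."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """TLV bytes -> {type: value}; a malformed length stops the parse."""
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            break
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def build_packet(code, ident, authenticator, body):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS side: a fresh random Request Authenticator protects each request."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed NAS address
             (NAS_PORT, struct.pack("!I", 7))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, encode_attrs(attrs))


def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(request, secret, user_db):
    """Server side: unhide the password, compare in constant time, answer."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    username, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    ok = (code == ACCESS_REQUEST and username in user_db and hidden is not None
          and hmac.compare_digest(reveal_password(hidden, secret, request_auth),
                                  user_db[username]))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, b"", secret)
    return build_packet(reply, ident, auth, b"")


def nas_verify_response(response, request, secret):
    """NAS side: check Identifier and Response Authenticator before acting on a
    reply; an Access-Accept forged without the secret fails here."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, request[4:20],
                                      response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(username, password, secret=SHARED_SECRET, user_db=USER_DB):
    """Full round trip; returns (reply code, authenticator valid)."""
    request = build_access_request(42, username, password, secret)
    response = server_handle(request, secret, user_db)
    return response[0], nas_verify_response(response, request, secret)


if __name__ == "__main__":
    print(exchange(b"alice", b"Wonderland1"))  # (2, True): Access-Accept
    print(exchange(b"alice", b"wonderland1"))  # (3, True): Access-Reject
```

The point for an operator is in `nas_verify_response`: the shared secret is the only thing binding a reply to the NAS that sent the request, so a mismatched secret on either side shows up as a failed Response Authenticator (and, on the server, as an unreadable password), which is the first thing to check when a NAS and NTTacPlus disagree.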
Centralized Access Management
NTTacPlus can operate both as a stand-alone program and as a service under Windows NT.

NTTacPlus is based on a user database that can be implemented in two different ways: as a set of simple text files, each file representing a user, or as an ODBC SQL database (such as Microsoft Access or SQL Server) containing two tables, one for user accounts and one for group profiles. User profiles contain account parameters (password expiration date, login hours, credits, etc.).

The Network Access Server (NAS), sometimes also called Communication Server, Remote Access Server or Terminal Server, is a device which usually accepts remote access through phone calls on analogue or ISDN lines with modems or ISDN terminal adapters. The NAS connects dial-in users to the internal network (Intranet) – typically a Local Area Network (LAN) – or to the Internet as a whole.

NTTacPlus accepts authentication and authorization queries from the NAS (such as 3Com Total Control, Ascend Max, Livingston PortMaster, Cisco AS5200), examining user profiles and taking into account the characteristics configured for each user.

Moreover, NTTacPlus acquires the accounting data sent by the NAS and records it on an ODBC datasource. This makes the accounting data available for statistical processing of accesses, for the creation of detailed billing reports, etc.

NTTacPlus Main Features

High performance, small resource consumption

NTTacPlus, developed in C++, is optimized to provide excellent performance with a limited use of memory and resources. It can perform a high number of authentications per second with reduced CPU occupation. The executable file is small. The installation is quick because the application does not make use of runtime DLLs or other external libraries not included in the operating system.
Every component of the application is stored in the installation directory (no DLL is scattered in the Windows system directory or elsewhere). NTTacPlus does not make use of the Windows registry database: there is no need to wander through the complicated registry structure looking for the configuration values of the program. All the configuration data is set in text files residing in the installation directory.

Complete support for authentication, authorization and accounting

NTTacPlus supports any request of authentication, authorization and accounting as defined in the standard specifications of both the TACACS+ and RADIUS protocols. Its flexibility allows it to support new proprietary extensions defined for authorization in both protocols.

Simplified and remote management of the user profile database

User profiles can be easily modified with any text editor (such as notepad.exe) when they are stored in text files. If you plan to use ODBC support for your user database, you can edit them through simple queries. It is not necessary to load or save the user database, because any modification to a profile takes effect as soon as the file is saved, even when using ODBC support.

The backup of the whole database is also immediate: you simply have to copy the user and group profile directories, or make a backup copy of the user database when operating with ODBC.

Thanks to the NTTacPlus Console it is possible to perform complete remote management of both NTTacPlus servers and the related accounts. The remote management application is a small executable and works on any Windows 9x, Windows 2000 or Windows NT machine connected to a TCP/IP network. The Remote Console allows you to modify user profiles in real time, dialoguing with a NTTacPlus server.
The data exchange between the Remote Console and the NTTacPlus Server is encrypted.

Groups and Inheritance

With NTTacPlus it is possible to define not only user profiles but also group profiles. Group profiles can include all the parameters which can be applied to every single user. You just have to assign a user to a group and it will automatically inherit all the parameters previously set in the parent group.

A user profile may belong to more than one group. In this case the search for attributes proceeds through each group in turn. Moreover, a group itself may belong to another group. It is therefore possible to create a hierarchical structure which makes user profiles very easy to manage: the common settings are kept in the groups, avoiding time-wasting repetition in each profile, and each user profile holds only the parameters that distinguish that user.

Real time and remote check on the activity

NTTacPlus allows the monitoring of active connections through a window showing the list of active users, specifying for how long and on which NAS they have been connected. Moreover, NTTacPlus records in real time all incoming requests of authentication, authorization and accounting, as well as remote management sessions.
The events are displayed on screen in a log window and are also permanently recorded in a log file. It is also possible to disconnect users forcibly and automatically through the RSHELL protocol (implemented in this release of NTTacPlus) or using external utilities or scripts (like SNMPSET or telnet).

Thanks to the NTTacPlus Console application it is possible to activate an exact copy of the active users window on any remote PC (Windows 9x, Windows 2000 or NT) connected to a TCP/IP network.

Redundant functioning and backup features

NTTacPlus can be installed on another machine and configured as a redundant backup server. The backup server can automatically connect to the primary NTTacPlus server and periodically synchronize the whole user database. The data transfer during synchronization takes place over a TCP connection and the exchanged packets are encrypted. In case of malfunctioning of the main server, the NAS can address its requests to the backup server.

Extended access control

NTTacPlus offers several parameters to regulate user access. In particular, it is possible to configure access upon:
expiry date of the account
connection time-table (daily or weekly, with programmable holiday calendar)
Called/Calling ID (called/calling phone number, if supported by the Telco)
source NAS or NAS port (distinction between analogue and ISDN calls)
number of concurrent logins for the same account
overall residual time credit
overall residual traffic credit
time quota assignment for a given period
privilege level (from basic user to administrator)
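The following added example (not NTTacPlus code, and not from this manual) models two things described above: how a hierarchical profile database is searched when a user belongs to several groups and groups belong to other groups, and how the access-control parameters combine into a single allow/deny decision. It goes beyond the list by also handling the duration-in-days form of Expires together with EffectiveFrom, which the manual introduces later under Account profile modifications. The parameter names Expires, EffectiveFrom and MaxLogins are taken from this manual; LoginHours and TimeCredit, the sample profiles and the search order (own value first, then groups in the listed order, then parent groups) are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed profile store; users and groups share one namespace here.
# Expires is either an ISO date or an integer duration in days, counted
# from EffectiveFrom or, when that is unset, from the first successful login.
PROFILES = {
    "defaults": {"MaxLogins": 1,
                 "LoginHours": {d: (0, 24) for d in range(7)}},  # every day
    "office":   {"Groups": ["defaults"],
                 "LoginHours": {d: (8, 18) for d in range(5)}},  # Mon-Fri 8-18
    "prepaid":  {"Groups": ["defaults"], "MaxLogins": 2},
    "alice":    {"Groups": ["prepaid"], "Expires": 30, "TimeCredit": 3600},
    "bob":      {"Groups": ["office"], "Expires": "2000-12-31"},
    "carol":    {"Groups": ["office", "prepaid"],
                 "EffectiveFrom": "2000-07-01", "Expires": 10},
}


def at(text):
    """Helper: ISO date or date-time string -> datetime."""
    return datetime.fromisoformat(text)


def resolve(name, key, profiles=PROFILES, _seen=None):
    """Depth-first lookup: the profile's own value wins, then its groups in
    the order listed, then their parent groups. _seen stops group cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in profiles:
        return None
    _seen.add(name)
    profile = profiles[name]
    if key in profile:
        return profile[key]
    for group in profile.get("Groups", []):
        value = resolve(group, key, profiles, _seen)
        if value is not None:
            return value
    return None


def check_access(username, now, active_sessions, first_login=None,
                 profiles=PROFILES):
    """Return (allowed, reason). active_sessions lists the usernames currently
    logged in; first_login is the user's first successful login, if known."""
    if username not in profiles:
        return False, "unknown user"
    effective = resolve(username, "EffectiveFrom", profiles)
    start = at(effective) if effective else None
    if start and now < start:
        return False, "account not yet active"
    expires = resolve(username, "Expires", profiles)
    if isinstance(expires, int):
        origin = start or first_login       # None: activates on first login
        if origin and now >= origin + timedelta(days=expires):
            return False, "account duration elapsed"
    elif expires and now >= at(expires):
        return False, "account expired"
    hours = resolve(username, "LoginHours", profiles)
    if hours is not None:
        window = hours.get(now.weekday())
        if window is None or not (window[0] <= now.hour < window[1]):
            return False, "outside login time-table"
    max_logins = resolve(username, "MaxLogins", profiles)
    if max_logins is not None and active_sessions.count(username) >= max_logins:
        return False, "too many concurrent logins"
    credit = resolve(username, "TimeCredit", profiles)
    if credit is not None and credit <= 0:
        return False, "time credit exhausted"
    return True, "ok"


if __name__ == "__main__":
    now = at("2000-06-14T10:00")            # a Wednesday
    print(check_access("bob", now, []))                     # (True, 'ok')
    print(check_access("alice", now, ["alice", "alice"]))   # too many logins
```

Note the consequence of the search order: alice gets MaxLogins 2 from the prepaid group even though defaults says 1, while carol, listed in office before prepaid, gets 1 because office inherits it from defaults before prepaid is ever consulted. When several groups define the same parameter, the order in which a user lists its groups decides.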
Extended check on suspicious cases

NTTacPlus can detect failed access attempts (due to wrong password, time of connection, privilege level, or double access attempts with the same username) and can therefore undertake administrative actions (which can be freely enabled or disabled) such as:
E-mail notifications to the system administrator.
E-mail notifications to the relevant user.
Immediate disabling of the user account.
Immediate forced disconnection of the user.

Furthermore, NTTacPlus can send customizable warning e-mail messages to the user when his account is expiring or when his credits (time or traffic) are under a warning threshold.

Extended support for accounting (ODBC)

NTTacPlus offers extended support for accounting. For each session NTTacPlus records a series of useful information, such as the duration of the session, input and output traffic, and the residual credit of time and traffic. The accounting output is transferred in real time to a standard ASCII file table or to a standard ODBC database, such as Microsoft Access, SQL Server, Oracle, etc. NTTacPlus can also maintain a real-time updated table of currently logged in users in an ODBC database.

Functioning as a Proxy module for Windows NT, UNIX or other TACACS+ servers

NTTacPlus can authenticate username and password by redirecting access requests to a Windows NT machine (even a remote one), using its user database. It can also redirect authentications to other TACACS+ servers, or use accounts stored in standard UNIX passwd files.

Automatic synchronization with Cisco Network Access Servers (NAS)

NTTacPlus can synchronize its active users list with any Cisco NAS. In this way you can avoid information loss when a server running NTTacPlus restarts or when the NAS itself reboots. Furthermore, NTTacPlus can periodically synchronize its active user list by querying the NASes and updating its current accounting information. In this way NTTacPlus can eliminate a possible loss of accounting data (for example when the NAS does not correctly send the STOP messages to NTTacPlus).

NTTacPlus Open Architecture

NTTacPlus offers an open architecture through the use of the ODBC standard for storing user/group profiles and accounting data.
You can easily integrate NTTacPlus in legacy environments. NTTacPlus allows administrators to expand authentication and accounting capabilities using customizable external scripts.

Easy web interfacing

NTTacPlus can easily expose its accounting data (active users, user profiles, accounting reports) to a Web Server using ASP, Cold Fusion Markup Language, CGI, etc. The administrator/webmaster has only to customize the HTML format of his Intranet/Internet web server in order to manage users, create accounting reports, sell accounts on-line, and so on.

What’s new in NTTacPlus 2.0

Introducing NTTacPlus 2.0

The new release of NTTacPlus introduces a lot of improvements and new features, such as the support for the RADIUS authentication protocol (a standard for all remote access hardware platforms) and the support for SQL ODBC databases for user account storage and management.

NTTacPlus evolution proceeds in the direction of an open standard, towards the needs of the system and network administrators who want to integrate tightly the existing systems with the power of the AAA model. The way Master Soft wants to reach this target is known as the O.A.K. project (Open Administration Kit). NTTacPlus has been designed to be as open as possible, thanks to the introduction of the ODBC user database support. The target of the O.A.K. project is to integrate the NTTacPlus authentication/accounting engine in the existing billing and accounting procedures (accounting applications, invoicing, billing, statistical tools and so on) without upsetting the existing procedures.

The O.A.K. project will provide the release of the documentation and a set of APIs which will allow easy management of NTTacPlus servers from within any programming language. We’ll also release the support for Microsoft Active Server Pages and for Allaire Cold Fusion Application Server: everyone will be able to develop integrated web procedures in a very fast, flexible and easy way.

Differences with release 1.x

NTTacPlus 2.0 introduces a lot of improvements over release 1.x; some relevant modifications have been applied to the user interface. We suggest that our Customers running NTTacPlus 1.x read this brief chapter very carefully, as it shows the main differences between the old and the new versions. A detailed description of the new options and features is given in the next chapters. Here is a list of the main new features:
A new Graphical User Interface totally moved to the Remote Console
Support for the RADIUS protocol
Support for SQL ODBC database (now available for storing accounts also)
Complete menu and options reorganization
Improved Cisco NAS resynchronization options
A lot of minor changes and improvements

User interface moved to the NTTacPlus Remote Console separate application

The remote console has been completely redesigned and now integrates into a single application the old NTTacPlus Console and the NTTacPlus User Manager. The server side interface has been reduced to a single dialog window (or a systray icon if NTTacPlus is running minimized). If NTTacPlus is executed as a service no GUI window is visible: this new concept optimizes server side memory utilization and performance.

All the functions formerly available in the NTTacPlus main window are now accessible via the NTTacPlus Remote Console. In this way you can completely administer NTTacPlus servers from anywhere on the network.

The setup program allows you to choose whether to install the NTTacPlus server only, the NTTacPlus Remote Console only, or both. However, you do not need to execute the setup to install the Remote Console on a client PC. It is enough to copy the following two files into a directory of the PC on which you want to run the NTTacPlus Remote Console:

NTTACMON.EXE Remote Console main executable
RADDICT.DAT The RADIUS attribute dictionary used for user profile management

In order to manage a NTTacPlus server locally you need to start the Remote Console and login using localhost as the server address.

RADIUS protocol support

This release of NTTacPlus now fully supports the RADIUS protocol with any RADIUS enabled client. Some attributes specific to the RADIUS protocol are automatically re-mapped into standard NTTacPlus parameters, in order to keep the graphical interface homogeneous with the TACACS+ protocol and at the same time compatible with the older versions of NTTacPlus. For a more in-depth description of this feature, read the paragraph Comparison between some RADIUS attributes and their TACACS+ equivalent.

Through the RADIUS protocol, NTTacPlus can now take advantage of the Session-Timeout attribute to implicitly terminate user sessions. See the chapter Use of session-timeout.

Users and groups SQL ODBC database support

NTTacPlus can now also store user and group profiles in a SQL/ODBC database: you can simply decide whether to keep your existing accounts in simple ASCII text files or to import them into an ODBC database. You may find details relevant to the usage and migration to ODBC databases in the chapter Account profiles in ODBC SQL format. A sample MS Access 97 database is distributed with NTTacPlus. In this database you’ll find some routines useful for importing and exporting users to and from text profiles.

New configuration menus

All configuration options have been reorganized and moved to a single dialog window accessible from the Tools/Options (F8) menu. You can access the configuration dialog window from any NTTacPlus Remote Console. Any modification issued from the configuration dialog window becomes effective as soon as you confirm it, and does not require any server restart.

Cisco NAS resynchronization improvements

A new set of resynchronization routines has been implemented to eliminate problems due to Cisco loss of accounting STOP records. This is a workaround for bugs in some IOS releases. You can find more details about this feature in the chapter Resynchronization with Cisco NASes.

A list of minor changes

A list of minor changes and new features follows. Detailed information about these changes is available further on in this document.

Modifications to the NTTacPlus graphical interface and configuration:
Added context menu support in the active users windows (now you can double click or right click on logged in users).
Changed external script syntax for the Kill section for forced user disconnection: wildcards are supported in interface names; you can distinguish by NAS, default command support added.
Added internal support for RSHELL protocol: you do not need to spawn external applications to issue rsh commands anymore.
Added global (not per-user) post-accounting script execution support, to extend accounting capabilities with your own procedures.
Added MS-CHAP, ARAP-DES authentication protocols support for TACACS+.
Reorganized Activity event log message format: now messages are more detailed and more compact at the same time.
Added a refuse (not) operator in wildcard expressions (the exclamation mark symbol “!”).
Improved administrative and warning email messages information detail.
Added system accounting support for TACACS+ protocol.
Added the possibility to configure the time interval between two checks on active sessions.
Added the possibility to disable the screen activity event log output, in order to reduce CPU load in case of many simultaneous Remote Console sessions.

Account profile modifications:
Added support for the new parameter EffectiveFrom: now you can specify the account starting date besides the standard expiration date.
Added support for a new format in the Expires parameter: now you can tell NTTacPlus an account duration (in days) rather than an absolute expiration date. By combining this feature with the EffectiveFrom parameter NTTacPlus can handle fixed duration accounts that auto-activate from the first successful login.
Added per user post-authentication script execution support: now you can extend authentication capabilities with your own external procedures.
Reorganized warning and expiration email messages: now this feature is available to the time and traffic credit accounts also.
Added a dedicated password management section in the Profile Manager.
Added the support for DES encrypted password.
Added the support for authentication over a standard UNIX passwd (5) file.

How to upgrade NTTacPlus 1.x

In order to upgrade NTTacPlus 1.x to NTTacPlus 2.0 without damaging your user database and configuration, we suggest that you follow these few steps:
Make a backup copy of the whole NTTacPlus 1.x directory.
Stop any active instance of NTTacPlus remote console or NTTacPlus server.
Run NTTacPlus 2.0 setup installing the new release in the same directory of NTTacPlus 1.x.
Restart the service.
Login into the server using the NTTacPlus Remote Console.
Verify very carefully all the configuration parameters from the Tools/Options window.

NTTacPlus Installation

This chapter explains how to install NTTacPlus on a fresh system with no previous version of the software. If you need to perform an upgrade or install over an existing version, please read the previous chapter.

System requirements
Operating system Windows 9x, Windows NT 4.0, Windows 2000
CPU Pentium/133 or higher
RAM 32 Mb on Windows 9x, 48 Mb on Windows NT and Windows 2000
Disk space Less than 4 Mb for installation; additional space is required for log files, accounting data and user profile data
Network Winsock 1.1 compliant TCP/IP stack
Contents of the installation package

The original NTTacPlus package includes the following files:
NTTACP.EXE Main NTTacPlus executable
NTTACP.INI Configuration file for NTTacPlus
RADDICT.DAT extensible RADIUS attributes dictionary
INSTSERV.EXE Utility for installing NTTacPlus as a NT service
README.TXT Text file including most up-to-date additions and useful information
MESSAGES\*.TXT Directory containing text files (pre and post authentication banners)
ODBC\STAT.MDB Microsoft Access database file with example accounting tables
ODBC\NTTACDB.MDB Microsoft Access database containing User and Group profile tables
NTTACMON.EXE NTTacPlus Remote Console Executable
EXTERNAL\*.* Directory with external NT utilities and scripts
DOCS\MANUAL.DOC English documentation
DOCS\ORDER.DOC Order form (Valid outside Italy)
DOCS\MANUALE.DOC Italian Documentation
DOCS\ORDINE.DOC Order form (valid only for Italy)
USERS\*.USR Examples of preconfigured user profiles in ASCII format
GROUPS\*.UGP Examples of preconfigured group profiles in ASCII format
NTTacPlus setup

Create a temporary directory for the installation of NTTacPlus (e.g. c:\temp).
Explode the zip archive in the directory created.
Run the installation program setup.exe and follow the instructions.

Uninstalling NTTacPlus

To uninstall NTTacPlus you can click on the Uninstall icon in the NTTacPlus folder of the Windows Start menu. Alternatively, you can open the Control Panel, Add/Remove Applications, select NTTacPlus 2.0 and click Remove.

If the program has been configured as a Windows NT service, it must be removed from the service list database before uninstallation, using the enclosed INSTSERV.EXE utility.

If the uninstall procedure does not complete successfully, after stopping and removing the service with INSTSERV, follow these steps:
Remove all the shortcuts to NTTacPlus in the Start menu folder.
Delete all the ODBC system datasources that point to NTTacPlus databases.
Delete the main NTTacPlus installation directory and its subdirectory (e.g. C:\NTTacPlus2)
Run REGEDIT.EXE and delete the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft\NTTacPlusConsole
HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft\NTTacPlusMgr
HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft (only if this key is empty and has no subkeys)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NTTacPlus 2.0

Running NTTacPlus as a stand-alone application

NTTacPlus can be run as a stand-alone application. To run the program simply execute NTTACP.EXE. We suggest running NTTacPlus as a stand-alone application the first time, in order to complete all the configuration tasks.

Running NTTacPlus as a Windows NT service

NTTacPlus may be run as a Windows NT service (so you do not need to be logged in to Windows NT to start NTTacPlus). To install NTTacPlus as a service run INSTSERV.EXE:

To add NTTacPlus to the Service Control Manager services list, press the Install Service button.
To start the service, press the Start Service button.
To stop the NTTacPlus service, press Stop Service.
To remove the NTTacPlus service, press Remove Service.

NOTE: removing the service does not stop an active instance of NTTacPlus.

Running NTTacPlus in unregistered mode

When you run NTTacPlus for the first time, it starts in unregistered mode. The unregistered mode lets you evaluate the software for 30 days from the first startup; the unregistered software is fully functional in every feature. When the evaluation period has expired, NTTacPlus ceases to work when you restart it.

You can switch NTTacPlus to registered mode by opening the Registration menu and filling in the Registration dialog box. When you have entered the right keys, NTTacPlus switches to registered mode. As the activation keys are calculated upon the Microsoft Network (LAN) name of the machine running NTTacPlus, if you plan to change the server name you will have to request a new pair of activation keys from Master Soft S.n.c. To get more information on how to obtain activation keys, please read the chapter How to register the product at the end of this User Guide.

NTTacPlus Configuration

First execution of NTTacPlus

When you start NTTacPlus a small window appears.

NOTE: If you run NTTacPlus as a service no window is visible. If you run NTTacPlus as a stand-alone application, when you iconize the NTTacPlus server window a systray icon appears.

You can take full control over NTTacPlus using the NTTacPlus Console: to configure the server for the first time you need to run the console (NTTACMON.EXE), which will ask you to login using an administrative account.

First login on NTTacPlus

To login for the first time use this administrative account:

Username = admin
Password = admin
Server name = localhost (or the NTTacPlus server IP address)
Encryption key = (leave empty if you are running NTTacPlus for the first time)

Since this account gives full control over the server from any machine on the network, change its default password as soon as the first login succeeds.

NTTacPlus Console Elements

Active Users window

When you start the NTTacPlus Console, after the login the active users main window appears.

Activity event log window

Pressing the F4 key or choosing the Edit/Log window menu, you can bring up the activity event log window, showing in real time the NTTacPlus server activity with a customizable information detail, depending on the log output configuration (see further on the paragraph Configuration of the activity event log).

NOTE: You can watch the activity event log in the NTTacPlus log window only if the menu item Edit/Receive log event stream is checked.

Account Profile Manager

Pressing the F10 key or choosing the Edit/Profile Manager menu you can bring up the NTTacPlus account manager window.

Configuration Option Window

From the main window press F8 (or choose the Tools/Options menu) to open the configuration window. The configuration window is divided into several sections. We suggest that you configure each section following the table below. When you have configured all the parameters, press the OK button to make the changes active.

Configuration parameters summary

The following tables show a summary overview of all the NTTacPlus server configuration options. You will find an exhaustive description of every option further on in this manual.

General section
E-Mail global settings
Notification E-Mail Address E-mail address that NTTacPlus sends administrative notifications to
SMTP Server SMTP server IP address or name. NTTacPlus will use this SMTP to deliver e-mail messages either to administrators or to users
Server source e-mail NTTacPlus sender e-mail address
Pre-authentication msg file Pathname of an ASCII file containing a customizable message that will be shown at the NAS login prompt before the authentication session
Post-authentication msg file Pathname of a ASCII file containing a customizable message that will be shown at the NAS login prompt after the authentication session
User database settings
Enable ODBC user database Enables ODBC to store User and Group Profiles. If unchecked NTTacPlus will use ASCII files
using this datasource System datasource name for the user database
Serialize SQL queries If checked NTTacPlus will execute queries to the database in a sequential queue (for use with databases such as SQL Server)
DB Username Username used to connect to the datasource
DB Password Password used to connect to the datasource
User file directory The directory in which user profiles (*.usr files) are stored in ASCII format (this setting is ignored if ODBC user database is active)
Group file directory The directory in which group profiles (*.ugp files) are stored in ASCII format (this setting is ignored if ODBC user database is active)
Enable <default> user It enables the use of the default user when NTTacPlus does not find a username in the user database
Create user profile from <default> It allows the automatic creation of a user profile, duplicating the default one
Email admin on unknown users It sends a notification to the administrator when an unknown user tries to login
Max login attempts Maximum number of failed logins before sending a notification email
First day of week It allows you to set the first day of the week (useful for weekly quota calculations) if you need to start the week on a day other than Sunday
Periodic check interval It sets the frequency NTTacPlus performs a credit check on active users. In this way NTTacPlus can proceed with forced disconnection if a user has no more time credit.
Use username for maxlogins It identifies a session uniquely by the username in addition to the port name and the NAS address
Resolve name (DNS) It resolves NAS addresses into names (we suggest not activating this feature, to avoid performance degradation)
Event logging options
Enable logging to screen It sends the log information to the active console windows
Enable logging to file It records daily events in text files (ASCII format)
Log file directory Path where NTTacPlus saves daily log files
Debug Logging Events
Session thread execution It shows information about program threads start/stop and external application execution
Authentication session It shows details about authentication sessions
Authorization session It shows details about authorization requests and the AV pairs
Accounting session It shows details about accounting data received from the NAS
Packet dumping It shows in depth the contents of the RADIUS/TACACS+ packet received from the NAS
Password checking It shows in clear text the password verification process. Useful for debugging the most common authentication problems (UPPER/lower case password, empty password, wrong password and so on). Because the passwords are written in clear text to the screen log and to the log files, enable this option only while troubleshooting and keep the log file directory protected
Port cleaning commands It shows details about the disconnection commands sent to the NASes
User account charging It shows details about time and traffic charges
Max logins check It shows events about concurrent login checking
Extended session It shows details about Remote Console Sessions
Backup events It shows events about synchronization processes between NTTacPlus servers
SMTP connections It shows events about notification email message delivery
Time & traffic roundoff
Session time rounding offset Round off interval (in minutes) applied to time credit accounts. It defines the smallest “time packet” for a connection.
Session traffic rounding offset Round off interval (in Kbytes) applied to traffic credit accounts. It defines the smallest “Kbytes packet” for a connection.
Account expiration warnings
Date expiration warning It sets the expiring account warning period
Time expiration warning It sets the “low time credit” account warning threshold
Traffic expiration warning It sets the “low traffic credit” account warning threshold
Accounting directory Path where NTTacPlus creates ASCII accounting files
Enable accounting text output It enables daily accounting ASCII file creation (*.acc)
Per-user accounting logging It enables per-user accounting ASCII file creation. (*.log). These files contain all the START/STOP messages received from the NAS for a given user.
Log unknown user accounting It records all accounting data coming from unknown usernames, storing the messages in a file named _unknown_.log
Send unknown users to active window It shows unknown (unconfigured) users also in the active users window (recording the session data also)
Run the post accounting script It allows the execution of an external script when NTTacPlus receives an accounting message from the NAS
Enable ODBC accounting It enables ODBC accounting
Datasource name The Datasource name used to record accounting output
Login Username Username used to connect to the datasource
Login Password Password used to connect to the datasource
Accounting table name The name of the table containing information about user sessions
Log active users on table It enables real-time updating of a table in which an active users list is kept
Automatic reconnect on connection failure It enables the automatic restoring of the datasource connection in case of connection loss (for example SQL Server with TCP/IP net library)
Account expiring Message given when the account is going to expire
Account expired Message sent when the account is expired
Account disabled Message sent when the account is disabled
Account not effective Message sent when the account is not activated yet
Too many logins Message sent when the maximum numbers of login is exceeded
Invalid login time Message sent when a login attempt is made during a not allowed time
Login time-up Message sent when the user has no more time credit
Login Kbytes-up Message sent when the user has no more traffic credit
Quota time-up Message sent when the user has no more quota time left
Bad login user/pwd Message sent when the username or password are incorrect
Bad login NAS port Message sent when a login attempt to an unauthorized NAS port is made, or with an unauthorized calling ID (phone number)
Bad login NAS Message sent when a login attempt to an unauthorized NAS is made
Enable this server for backup It enables NTTacPlus as a backup server
Primary server name or addr Primary NTTacPlus server hostname or IP address
Primary server port Primary NTTacPlus server TCP port (default = 49)
Primary login username Administrative account (privilege 15) used by the backup server to connect to the primary NTTacPlus server
Primary login password Password for the backup administrative account
Backup interval Backup refresh interval (interval between two consecutive backups)
Remove local accounts before backup It deletes local accounts (including modified ones) on the backup server, replacing them with the accounts from the primary server
Forward accounting to primary server It sends a copy of accounting messages received from NASes to the primary NTTacPlus server (only TACACS+)
Cisco IOS boxes synch
List of NAS to query List of Cisco NASes (comma separated) to query for synchronization
List of valid interfaces List of valid interfaces for resynchronization
Perform synchronization during active users check It performs an active user refresh on Cisco NASes at a given interval (configured in the General Section)
Perform synchronization on maxlogin collision detected It performs a refresh cycle on Cisco NASes when NTTacPlus detects a possible user maximum login exceeding
Username for RSHELL Username used with RSHELL commands (RSH)
Command to issue with RSH IOS exec command used to get from the Cisco the active users list
Encryption key settings
Always encrypt NTTacPlus always sends encrypted TACACS+ packets if an encryption key is configured
Default secret key The default encryption key (global)
Restrict NAS to configured IP addresses only It authorizes NTTacPlus queries to be received only by the listed NASes
NAS IP address NAS IP addresses with autonomous secret keys
Secret key Secret key associated with a specific NAS
Kill commands configuration
Interface name Interface name on which the Kill command will be executed
Command line Command line to reset the interface
RADIUS protocol settings
RADIUS Authentication port UDP port listening to RADIUS authentication requests
RADIUS Accounting port UDP port listening to RADIUS accounting requests
Use Session-Timeout for disconnection If checked NTTacPlus uses the Session-Timeout RADIUS attribute to force the user disconnection when time credit is up.
TACACS+ protocol settings
TACACS+ TCP port TACACS+ authentication session and Remote Console listening TCP port
Ignore multiple STOP records If checked it removes the user from the active users list when receiving the first STOP record. The following ones will be only logged.
Username prompt NTTacPlus terminal login username prompt
Password prompt NTTacPlus terminal login password prompt
Enable prompt NTTacPlus terminal enable password login prompt
Holiday calendar section
Kill commands configuration
Date Day and month on which to establish an holiday
Type Holiday type (pre-holiday or holiday)
NAS Configuration for use with NTTacPlus

Given the variety of brands and models of Network Access Servers supporting the TACACS+ and RADIUS protocols, it is not possible to include configuration commands for every kind. Here we give configuration guidelines for using NTTacPlus with Cisco NAS machines running the IOS operating system, version 11.0 and later.

Setting NTTacPlus as the authentication/authorization/accounting server

Each Network Access Server supporting TACACS+ or RADIUS can delegate authentication, authorization and accounting (see the next chapter for details about these three phases) to an external server. To do this the NAS needs the IP address of the server, an encryption key and some NAS-specific attributes.

Some NASes let you configure authentication, accounting and authorization separately, setting up a different server for each phase. For optimal performance we suggest delegating the three phases to a single server. For example, in the RADIUS protocol the authentication and authorization phases are executed as a single operation, and for this reason many NASes, such as the 3COM TotalControl and the Ascend MAX, allow you to configure separately a server for authentication and authorization and a server for the accounting phase. In this case you have to use the same settings for both configurations.

The encryption key (secret key)

Both TACACS+ and RADIUS can encrypt the communication between the NASes and the authentication server using specific encryption algorithms based on a secret key shared between the NASes and the server.
This key (sometimes called encryption key, secret key or simply secret) is a simple alphanumeric string, just like a password (case sensitive), and it must be configured manually by the network administrator both in the NAS and in the server.

An encrypted communication blocks (or at least reduces the possibility of) the interception of RADIUS/TACACS+ packets (containing passwords and usernames) sniffed during the communication between the NAS and the server.

NOTE: a wrong (or missing) encryption key setup will result in no communication between the NAS and the authentication server, producing unpredictable results. We suggest always verifying the configuration of the encryption keys carefully.
Setting encryption keys in NTTacPlus

NTTacPlus can operate in two ways with the encryption keys:
1. NTTacPlus can use a global encryption key to communicate with all the NASes, except those that appear explicitly with their own key in the NAS list.
2. NTTacPlus can discard any NAS request not coming from a NAS included in the NAS list.

In the first case NTTacPlus accepts requests from any NAS without restrictions. When NTTacPlus receives a query, it looks for an encryption key configured for the requesting NAS. If NTTacPlus cannot find a specific key, it uses the global key (the default one).

In the second case, when NTTacPlus receives a query from a NAS, it looks for a key for that NAS, and if the key is not configured NTTacPlus immediately discards the request.

To configure the encryption keys in NTTacPlus, log in to the Remote Console, select the Tools/Options (F8) menu, then choose the Secret section. If Restrict NAS access to configured IP addresses only is disabled, NTTacPlus runs in the first mode (using the default global key for any NAS query for which a specific encryption key has not been found). If Restrict NAS access to configured IP addresses only is enabled, NTTacPlus runs in the second mode (it looks for a specific key; if it is not found, NTTacPlus rejects the query).

WARNING: the NTTacPlus Console works just like a NAS. This means that the Console follows the same encryption rules. If you plan to configure a list of NASes to restrict access to NTTacPlus and want to run the Console on the same host running the server, you MUST INCLUDE the IP address of the server itself in that list.
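As an added illustration (example code, not part of NTTacPlus or this guide), the following Python models the key selection in the two modes above and the TACACS+ body obfuscation that the selected key drives (the MD5 pseudo-pad defined by the TACACS+ specification). It shows concretely why a missing key leads to a dropped request in the second mode, and why a mismatched key yields an undecodable packet in either mode. The NAS table, addresses, keys and function names are constructed for the example.

```python
"""Shared-secret selection in the two NTTacPlus modes, and what the key does
on the wire for TACACS+.  Added example; NAS_SECRETS, DEFAULT_SECRET and the
function names are hypothetical, the pad derivation is the standard one."""
import hashlib
import struct
from typing import Dict, Optional

# Constructed NAS list (stands in for the "NAS IP address / Secret key"
# entries of the Secret section); addresses and keys are invented.
NAS_SECRETS: Dict[str, str] = {
    "192.0.2.10": "nas10-secret",
    "192.0.2.11": "nas11-secret",
}
DEFAULT_SECRET = "global-secret"   # the "Default secret key"


def lookup_secret(nas_ip: str, per_nas: Dict[str, str],
                  default: Optional[str], restrict: bool) -> Optional[str]:
    """Return the key to use for a request from nas_ip, or None to discard it.

    restrict=False (first mode): per-NAS key if configured, else the global key.
    restrict=True  (second mode, "Restrict NAS to configured IP addresses
    only"): only listed NASes are accepted; anything else is dropped."""
    key = per_nas.get(nas_ip)
    if key is not None:
        return key
    if restrict:
        return None
    return default


def tacacs_pad(session_id: int, key: str, version: int, seq_no: int,
               length: int) -> bytes:
    """TACACS+ pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and
    truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key.encode("ascii") + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: str,
              version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pad; applying it again with the same key undoes it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def decode_with(wire: bytes, session_id: int, nas_ip: str,
                restrict: bool) -> Optional[bytes]:
    """Server side: choose the key for nas_ip as NTTacPlus would, then decode.
    Returns None when the request is discarded (no key in restricted mode)."""
    key = lookup_secret(nas_ip, NAS_SECRETS, DEFAULT_SECRET, restrict)
    if key is None:
        return None
    return obfuscate(wire, session_id, key)


if __name__ == "__main__":
    # Constructed authentication START body from a listed NAS.
    body = b"\x01\x00\x01\x01\x05\x04\x00\x00" + b"alice" + b"tty1"
    session = 0x1234ABCD
    wire = obfuscate(body, session, "nas10-secret")
    print("listed NAS, restricted:", decode_with(wire, session, "192.0.2.10", True) == body)
    print("unlisted NAS, restricted:", decode_with(wire, session, "203.0.113.7", True))
    # Unlisted NAS in the first mode is decoded with the global key: garbage.
    print("unlisted NAS, global key:", decode_with(wire, session, "203.0.113.7", False) == body)
```

The last case is the "unpredictable results" of the NOTE above: the packet is accepted but every byte of the decoded body is wrong, so the server sees a malformed request rather than a clean rejection.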
Furthermore, when you need to log in to the Remote Console you must use the same encryption key configured in NTTacPlus. If you are logged into the server and plan to change the encryption key, you must log off and then log on again with the new encryption key. If something goes wrong with the encryption key setup, read the chapter Configuring NTTacPlus manually.

Configuring TACACS+ on a Cisco NAS

The AAA model in the Cisco NASes allows you to configure the authentication, authorization and accounting procedures separately.

NOTE: The TACACS+ AAA model is also supported in version 10.3 of IOS. However, the accounting messages (START/STOP) that are crucial for the application to keep track of connected users are not sent to the server; instead they are kept in the NAS memory (which, by the way, fills up rather quickly after a working period). It is therefore essential to upgrade the operating system on the NASes which still have an IOS version less than or equal to 11.0. For the upgrade of the system, consult the documentation enclosed with the product and contact your reseller.

WARNING: the configuration of the Cisco NAS for use of the TACACS+ protocol requires the aaa new-model command, which causes the immediate reset of all the interfaces (and therefore the forced disconnection of all the users from the lines).
As a result we suggest carrying out the configuration process only when you are sure it will not cause any problem.

At the global level (router(config)#), insert the following configuration commands:

    !
    aaa new-model
    tacacs-server host a.b.c.d
    tacacs-server timeout 20
    tacacs-server key pippo
    !

aaa new-model enables the AAA model. Replace "a.b.c.d" with the NTTacPlus server IP address. tacacs-server timeout is the value (in seconds) to wait for a response. Replace "pippo" with your encryption secret key.

To activate authentication with TACACS+, add the following lines at the global level:

    !
    aaa authentication login default tacacs+ local
    aaa authentication ppp default if-needed tacacs+ local
    aaa authentication enable default tacacs+ enable
    !

These commands activate authentication for login with a terminal window, with PPP, or for switching into enable mode.

The first line creates a default authentication procedure for users connecting to a tty or vty (prompt) of the Cisco and uses TACACS+ to verify username/password. The term local at the end of the line tells the system to use the internal list of usernames in case no TACACS+ server answers properly.

The second line creates a default authentication procedure for those who connect requesting a PPP session from the Cisco, and it uses TACACS+ to verify username/password (through PAP or CHAP). The term local at the end of the line tells the system to use the internal list of usernames in case no TACACS+ server answers properly. The further keyword if-needed avoids repeating the authentication phase when a user already authenticated and connected to the Cisco prompt types the PPP command to switch to PPP mode.

The third line creates a default authentication procedure for those who, already connected to the Cisco prompt, need to switch to enable mode (through the ENABLE command), and uses TACACS+ to check the enable password.
The term enable at the end of the line tells the system to use the internal secret/enable password in case no TACACS+ server answers properly.

It is also possible to add further lines for authentication according to your needs. Check the NAS documentation for this purpose.

To activate the TACACS+ accounting messages, add the following at the global level:

    !
    aaa accounting exec default start-stop tacacs+
    aaa accounting network default start-stop tacacs+
    !

The first line activates accounting for shell access (prompt), while the second activates accounting for the use of network services (for example, the PPP connection).

The default keyword is supported since the 11.3.x IOS releases. If you are running earlier releases, you do not need to type it.

If you are running IOS 11.2.9 or newer, you need to add the following commands:

    !
    aaa accounting update newinfo
    aaa accounting nested
    !

These commands let the router send accounting information about user session state changes (for example the static IP address assignment and so on). This behaviour is implicit in the previous IOS releases.

At the interface level (asynchronous, serial, BRI, Dialer, etc.), if you want to activate the PAP protocol (Password Authentication Protocol) for use with PPP, it is necessary to add (router(config-if)#) the following commands:

    !
    ppp authentication pap
    !

(or chap, or both, in place of pap).

The configuration lines shown here represent the typical case of an ISP selling Internet access through an analog connection (with modems on asynchronous interfaces) or ISDN (for example on synchronous serial interfaces), through the encapsulation of TCP/IP in the PPP protocol, allowing login both with PAP (or CHAP) and with a terminal window.

It is possible to make the Cisco automatically determine the mode chosen by the user by adding the following commands to the line configuration (router(config-line)#):

    !
    autoselect during-login
    autoselect ppp
    autocommand ppp
    !

Finally, it is possible to activate authentication on a secondary NTTacPlus server by adding a second line to the global configuration:

    !
    tacacs-server host e.f.g.h
    !

Replace "e.f.g.h" with the IP address of the secondary NTTacPlus server. The Cisco NAS automatically sends the request to the second server if the first does not answer.

If you also want to enable authorization, you can enter, for example, at the global level:

    !
    aaa authorization commands 1 default tacacs+ local if-authenticated
    aaa authorization commands 15 default tacacs+ local if-authenticated
    aaa authorization exec default tacacs+ local
    aaa authorization network default tacacs+ local
    !

These lines activate authorization for the shell (exec), for network services (network), and for standard and enable-mode commands (commands 1 and commands 15) for already authenticated users, using the internal (local) configuration in case no TACACS+ server answers the authorization requests properly (see more about authorization further on, in the chapter Authorization).

The default keyword is supported since the 11.3.x IOS releases. If you are running earlier releases, you do not need to type it.

For more detailed configuration and information about Cisco routers and TACACS+/RADIUS implementations, please refer to the documentation of your NAS.

RADIUS/TACACS+ specific parameter configuration

This section provides the possibility to change the default settings relevant to specific parameters of the RADIUS or TACACS+ protocols.
Section: TACACS+/RADIUS
RADIUS Authentication Port: UDP listening port for RADIUS authentication requests
RADIUS Accounting Port: UDP listening port for RADIUS accounting requests
Use Session-Timeout for disconnection: Uses the RADIUS Session-Timeout attribute to force the user disconnection when the time credit is over
TACACS+ TCP Port: TCP listening port for TACACS+ requests and remote console management sessions
Ignore multiple (nested) STOP records: Removes the user from the active users list when the first STOP record is received. Further STOP messages will only be logged
Username prompt: Prompt presented to the user during the terminal login when the username is requested
Password prompt: Prompt presented to the user during the terminal login when the password is requested
Enable prompt: Prompt presented to the user during the terminal login when the enable password is requested
The modification of the RADIUS listening port number can be useful in some cases. The original protocol specifications used to recommend the following UDP ports:

    1645 RADIUS Authentication Requests
    1646 RADIUS Accounting Messages

The standard Internet committee (IANA) changed the specifications, in order to avoid conflicts with other services which were using the same ports, officially assigning the following UDP ports to the RADIUS protocol:

    1812 RADIUS Authentication Requests
    1813 RADIUS Accounting Messages

However, the majority of NASes on the market (even in the latest software releases) still adopt the original non-standard numbers by default. NTTacPlus follows these settings by default too. Refer to the NAS documentation to verify which port numbers are used by the NAS.

On the other hand, the modification of the TACACS+ listening port number is convenient if you decide to change (for security reasons) the communication port between the NAS and NTTacPlus.
WARNING: the remote management protocol (NTTacPlus Console) and the backup protocol among NTTacPlus servers transport their data over the same TCP port as TACACS+. If you decide to change the TACACS+ TCP port number in an NTTacPlus server, it will be necessary to indicate this port also during login on a remote console, and in the settings of any backup server which has to synchronize with the primary server (see the paragraph Configuring backup on a NTTacPlus server). After you have changed the TCP port, you need to log off the NTTacPlus server and then perform a new login specifying the new port.

Use of Session-Timeout for disconnection

The Use Session-Timeout for disconnection option allows NTTacPlus to make use of the Session-Timeout RADIUS attribute (which tells the NAS the absolute timeout, that is the maximum duration of a session, after which the NAS forcibly terminates the session), if supported by the NAS, to disconnect the user when his credit has expired. See the following section for a precise description of how NTTacPlus handles user disconnection. We suggest you leave this option always active.

Ignoring multiple STOP messages in TACACS+

NTTacPlus updates its list of connected users based on the session start/end messages (accounting START/STOP records) received from the NAS. It may happen that the NAS sends NTTacPlus nested START/STOP sequences. For example, if the user starts a terminal exec session (shell) to authenticate, and then enters PPP mode (typing the ppp command manually, or because autocommand ppp was configured on that line), the NAS sends a START message when the Exec session begins; then it sends a second START when the PPP session begins.
When the user disconnects, the NAS sends a STOP to report the end of the PPP session (this message also includes information about the traffic generated during the session), then it sends a second STOP to report the end of the exec session from which the user entered PPP mode (this does not happen if the user connects directly in PPP/PAP mode; in that case the NAS sends a single START/STOP sequence).

When the option Ignore multiple STOP records is not checked, NTTacPlus considers the user disconnected (and so removes him from the list) only when it receives the last STOP record. Unfortunately, with some Cisco IOS versions it may sometimes happen that the STOP message associated with the Exec session is not correctly sent by the NAS, so the user may appear connected even though he no longer is. We strongly suggest you leave this option always active.
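The nested START/STOP behaviour described above, replayed by an added Python example (not NTTacPlus code; the record format, the traces and the class and function names are constructed for the example). The same tracker is run with and without the Ignore multiple STOP records option over a trace in which the exec STOP never arrives, which is the failure mode that leaves a ghost entry in the active users list.

```python
"""Active-user tracking from accounting START/STOP records, with and without
the "Ignore multiple STOP records" option.  Added example, not NTTacPlus code;
AcctRecord, ActiveUsers and the traces below are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AcctRecord:
    """One accounting record as the NAS reports it (constructed shape; a real
    TACACS+ record carries these fields as AV pairs)."""
    kind: str      # "START" or "STOP"
    user: str
    nas: str       # NAS address
    port: str      # NAS port, e.g. "tty1"
    service: str   # "shell" (exec) or "ppp"


class ActiveUsers:
    """Sessions are keyed by (NAS, port), as NTTacPlus does without the
    "Use username for maxlogins" option.  ignore_multiple_stop=True: the first
    STOP closes the whole session on that port and later STOPs are only
    logged.  False: a nested session closes only when every START has been
    matched by a STOP."""

    def __init__(self, ignore_multiple_stop: bool) -> None:
        self.ignore_multiple_stop = ignore_multiple_stop
        self._open: Dict[Tuple[str, str], List[str]] = {}   # (nas, port) -> open services
        self._user: Dict[Tuple[str, str], str] = {}
        self.log: List[str] = []

    def process(self, rec: AcctRecord) -> None:
        key = (rec.nas, rec.port)
        where = f"{rec.user} {rec.service} {rec.nas}/{rec.port}"
        if rec.kind == "START":
            self._open.setdefault(key, []).append(rec.service)
            self._user[key] = rec.user
            self.log.append(f"START {where}")
        elif rec.kind == "STOP":
            if key not in self._open:
                # Nothing active on this port: record it, do not touch the list.
                self.log.append(f"STOP {where} (logged only)")
                return
            self.log.append(f"STOP {where}")
            if self.ignore_multiple_stop:
                self._close(key)
                return
            services = self._open[key]
            if rec.service in services:
                services.remove(rec.service)
            else:
                services.pop()            # unknown service name: close innermost
            if not services:
                self._close(key)
        else:
            raise ValueError(f"unknown record kind {rec.kind!r}")

    def _close(self, key: Tuple[str, str]) -> None:
        self._open.pop(key, None)
        self._user.pop(key, None)

    def active(self) -> List[str]:
        """Usernames currently shown in the active users list."""
        return sorted(self._user.values())


def replay(records: List[AcctRecord], ignore_multiple_stop: bool) -> List[str]:
    tracker = ActiveUsers(ignore_multiple_stop)
    for rec in records:
        tracker.process(rec)
    return tracker.active()


# Constructed traces.
NAS = "192.0.2.10"
NESTED_FULL = [                      # exec login, then ppp, both STOPs arrive
    AcctRecord("START", "alice", NAS, "tty1", "shell"),
    AcctRecord("START", "alice", NAS, "tty1", "ppp"),
    AcctRecord("STOP", "alice", NAS, "tty1", "ppp"),
    AcctRecord("STOP", "alice", NAS, "tty1", "shell"),
]
NESTED_MISSING_EXEC_STOP = NESTED_FULL[:3]   # the exec STOP is never sent
DIRECT_PPP = [                       # direct PPP/PAP: single START/STOP pair
    AcctRecord("START", "bob", NAS, "tty2", "ppp"),
    AcctRecord("STOP", "bob", NAS, "tty2", "ppp"),
]

if __name__ == "__main__":
    for name, trace in [("full", NESTED_FULL), ("missing exec STOP", NESTED_MISSING_EXEC_STOP)]:
        print(name, "| ignore STOPs:", replay(trace, True), "| match all:", replay(trace, False))
```

With the option on, the second STOP of a complete sequence is logged with "(logged only)" and the list is already correct; with it off, the trace that lacks the exec STOP leaves alice listed indefinitely.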
Login prompts

Login prompts specify the messages the NAS should present to the user when requesting user credentials during login. Modifying this information can be useful if some remote clients use connection scripts that expect certain prompts before automatically inserting username and password.

Configuring NTTacPlus and the NAS for forced disconnection

There are two cases in which it is useful to have a procedure that allows the session of one or more users to be terminated.

The first case concerns manual disconnection by the administrator, when he decides to kill a session from the NTTacPlus remote console, without having to telnet, for example, to the NAS and issue the disconnection command.

The second case concerns automatic forced disconnection by NTTacPlus, when a user is going to exhaust his connection credits during a running session. NTTacPlus, in fact, can assign to each user profile connection time credits or periodic time quotas (daily, weekly, etc.). The system administrator can decide the behavior of NTTacPlus towards users that, during a session in progress, are going to exhaust their credits or quota (let the session go on till the end or stop