Digital Remote Access Security (DRAS) V2.3a Release Notes
February 1998

Table of Contents

1.1 Identification
1.2 System Requirements
1.3 Summary of Changes
1.4 Known Problems and Limitations
    1.4.1 Dual-CPU NT System
    1.4.2 D-Unix Host Authentication
    1.4.3 OpenVMS Command-Line Interface
    1.4.4 Scan Function
    1.4.5 D-Unix Defender Authentication
    1.4.6 Accounting Log Time Shift
1.5 Installation
    1.5.1 Database Conversion
    1.5.2 Database Layout Change
    1.5.3 Digital Unix Shareable Object Library libcxx.so
    1.5.4 Installing on Windows NT as a system service
    1.5.5 Running SetupDb.exe
1.6 Configuration Guidelines and Tips
    1.6.1 Registering DECserver Clients
    1.6.2 Restriction on PPP CHAP Clients
    1.6.3 Host Authentication on NT Domain Controllers
    1.6.4 Console Trace Mode on NT
    1.6.5 Management Link on Remote Server
    1.6.6 Server in Debug Trace Mode
1.7 Additional Information
    1.7.1 Use of Threads
    1.7.2 Increasing Server Responsiveness on NT
    1.7.3 Registering RADIUS Clients
    1.7.4 Failed Access-Request Events For User {CUB}
    1.7.5 SetupDb (Database Initialization Utility)
    1.7.6 Authentication Modules
    1.7.7 Changing DRAS Password From DECserver
1.8 Documentation
    1.8.1 Documentation Errors
    1.8.2 Reporting Problems

1.1 Identification

These release notes apply to DRAS 2.3a for OpenVMS, Windows NT/95, and Digital Unix.

1.2 System Requirements

DRAS is compatible with the following operating systems:

- OpenVMS VAX V6.1 or higher
- OpenVMS Alpha V6.2 or higher
- Windows NT V3.51 or higher (Intel or Alpha)
- Windows 95
- Digital Unix V3.2* or higher

1.3 Summary of Changes

This version of DRAS fixes the following problems (all problems pertain to all platforms unless otherwise noted):

1. Empty (defaulted) RADIUS packet attribute fields are no longer displayed by the Manager.
2. The NT Registry is now modified to reflect the correct country-specific date format for display.
3. The accounting log now displays the Input Pkts/Output Pkts data values (requires DNAS V2.3).
1.4 Known Problems and Limitations

The following sections describe known problems or limitations in the Digital Remote Access Security Server software.

1.4.1 Dual-CPU NT System

The DRAS server has not been fully tested on a multi-CPU Windows NT system. Users may see slightly different behavior, and the one-line "current,new,new" password change may not work.

1.4.2 D-Unix Host Authentication

DRAS HOST authentication on Digital Unix supports only base security. Enhanced security is not supported in this version of DRAS.

1.4.3 OpenVMS Command-Line Interface

Unsupported management utility for OpenVMS systems. The OpenVMS DRAS installation kit includes an unsupported command-line interface management utility (DRAS$MANAGER). You may use this utility with the understanding that it is unsupported and may be significantly changed, or may not be included, in future releases of DRAS. This version of the utility is essentially unchanged from the first version. Setting password management parameters is not supported in this utility.

1.4.4 Scan Function

DrasMan Scan function occasionally fails to refresh the list. The Scan function will occasionally fail to refresh the list of servers in the tree view window. To refresh the list, click on "All Servers" (the root node in the tree view).

1.4.5 D-Unix Defender Authentication

Digital Pathways DEFENDER authentication fails on Digital Unix V4.

1.4.6 Accounting Log Time Shift

Occasionally, extracted Accounting/Event log records show a time shift. Time differences between the DRAS server and DrasMan can result in an incorrect time shift when extracting log records for display. This happens more frequently with older versions of OpenVMS that do not support UTC time.

1.5 Installation

1.5.1 Database Conversion

WARNING: As part of the installation of DRAS on Digital Unix, the database files will be converted to a new format.
Users will be asked to back up the original database before proceeding with the installation and conversion. This conversion is required because a database corruption was discovered when the DRAS Server was installed on Digital Unix 4.0B with patch kit #4 (or higher). If this matches your system configuration and you have run the DRAS Server since installing the patch kit, some database records may have been corrupted. The conversion utility will save as many records as possible from the database files and convert them to a new format, which is not affected by the library change that results from installing the patch kit. In some cases, users may have to delete the corrupted database and run setupdb.exe to reconfigure. The conversion utility will detect, and will not convert, database files already stored in the new format.

1.5.2 Database Layout Change

WARNING: As part of the installation of DRAS, the database layout will be changed. DrasMan V1.0 cannot be used to manage a database of the new layout.

1.5.3 Digital Unix Shareable Object Library libcxx.so

DRAS for Digital Unix uses the libcxx.so shareable object library that is shipped with the operating system. However, the library may not be installed on your system.

- On Digital Unix V3.n, libcxx.so can be found in the optional subset CXXSHRDA30n.
- On Digital Unix V4.0, libcxx.so can be found in the mandatory subset OSFBASE400 (CXXSHRDA130 on DEC OSF/1 V1.3, CXXSHRDA131 on V2.0).

1.5.4 Installing on Windows NT as a system service

If a previous version of DRAS Server has been installed on Windows NT as a system service, make sure that the service is stopped and de-installed before installing DRAS. You can remove this service by typing the following at the command prompt in the directory where it was installed:

    drassrv remove

The NT system service display name for DRAS has changed. You will need to install the system service by typing:

    drassrv install
1.5.5 Running SetupDb.exe

For new installations on Digital Unix, you must run SetupDb.exe after the software installation to initialize the server's database and enable remote management from a Windows system. See the Installation Guide for complete information. For this release, you should also run SetupDb.exe on new Windows NT installations to properly initialize the database.

1.6 Configuration Guidelines and Tips

1.6.1 Registering DECserver Clients

For this release, DECservers should be registered using their network IP address even if your DECserver is registered on a name server. The DECserver identifies itself in a RADIUS packet using the NAS-IP-Address attribute, and the DRAS server does not currently attempt to translate this IP address to a host name.

1.6.2 Restriction on PPP CHAP Clients

Users dialing in with clients that are configured for PPP CHAP authentication must be configured for CHAP authentication in the DRAS database. PPP CHAP clients are incompatible with other DRAS authentication methods such as HOST, SECURID, DEFENDER, WATCHWORD, and OTP. The reason for this restriction is that CHAP authentication requires access to the user's unencrypted password, and the listed authentication methods cannot provide the user's password to the DRAS server.

1.6.3 Host Authentication on NT Domain Controllers

If you install the DRAS server on a Windows NT server that is a primary domain controller, you must make the following changes to the account of any local user that is authenticated using HOST authentication:

1. Run the User Manager (Programs, Administrative Tools, User Manager).
2. From the menu, select User, New Local Group.
3. Create a new group named "DRAS Users".
4. From the menu, select Policies, User Rights.
5. Select "Log in locally" from the drop-down listbox.
6. Add that right to the DRAS Users group.
7. Select the user account from which you will interactively run the DRAS Server and add that account as a member of the newly created DRAS Users group.
The method currently used by DRAS to perform HOST user authentication on Windows NT requires that the user have the right to log in locally to the host. An alternative is to install the DRAS server on a workstation in the domain and give each user the right to log in locally to that workstation.

1.6.4 Console Trace Mode on NT

To perform HOST authentication on Windows NT while running in interactive trace mode, you must run from an account that has the privilege to act as part of the operating system. Use the following procedure to enable this privilege:

1. Run the User Manager (Programs, Administrative Tools, User Manager).
2. From the menu, select User, New Local Group.
3. Create a new group named "DRAS Server".
4. From the menu, select Policies, User Rights.
5. Check the "Show Advanced User Rights" checkbox.
6. Select "Act as part of the operating system" from the drop-down listbox.
7. Add that right to the DRAS Server group.
8. Select the user account from which you will interactively run the DRAS Server and add that account as a member of the newly created DRAS Server group.
9. Log off, then log on to enable the new privilege.

1.6.5 Management Link on Remote Server

There are several possible reasons why an attempt to create a management link between a workstation running the DRAS Manager and a remote system running a DRAS server may fail. The following checklist is a guide to troubleshooting management connection failures.

1. Verify that the remote DRAS server is running.

2. Verify that the management station is correctly registered as a client in the DRAS server database. The management station name must be either the full system and domain name or the client's IP address. You can use the domain name if your client is registered in a domain naming system; otherwise, use the client's IP address as the name. The database must also contain the correct client secret for the management station, and the client must be enabled.
   You can check the client registration on OpenVMS using the unsupported CLI management utility. On Windows NT, use the DRAS Manager to examine the "Local Database" entry for the client. On Digital Unix, you must use the supplied SetupDb utility to establish an initial remote management client entry in the database.

3. Verify that the remote management user is correctly registered in the DRAS server database. The user requesting the remote management connection must be registered with Administrator privilege in the DRAS server database. The Administrator privilege is assigned to a group and applies to each user that is a member of the group. The user must have PASSWORD authentication selected. Check that the user is enabled and the password is not expired. Note that case sensitivity can be a problem, particularly with cross-platform connections. On OpenVMS, use quotes around names and passwords to preserve lower-case spelling.

1.6.6 Server in Debug Trace Mode

The DRAS server can run from the console in debug trace mode. The trace often provides sufficient information to solve authentication and remote management connection problems, and to verify that the server is able to start and initialize. To run in trace mode, first stop the server if it is running as a daemon, detached process, or service, depending on the operating system.

1.6.6.1 Windows NT

The environment variable DRAS_DIR must point to the location of the DRAS database files. Change directory to the DRAS installation directory and start the server with the command:

    > drassrv console 5

1.6.6.2 OpenVMS

The logical name DRAS$DIR must resolve to the location of the server database files. Define DRAS$TRACE_LEVEL as 5 and run the server using the command:

    $ MCR DRAS$SERVER

1.6.6.3 Digital Unix

The environment variable DRAS_DIR must point to the location of the DRAS database files. Start the server using the command:

    # DRASD console
The DRAS_TRACE_LEVEL environment variable contains the trace level; the default is five. You can view more detailed trace information using a trace level of 6, 7, or 998.

1.7 Additional Information

1.7.1 Use of Threads

The Digital Remote Access Security server is multi-threaded. By default, three threads are created to handle RADIUS requests and three threads are created to handle RADIUS Accounting requests. The number of threads created can be controlled using the RadiusThreads and AccountingThreads .INI file parameters. See the Digital Remote Access Security Use documentation for more details.

1.7.2 Increasing Server Responsiveness on NT

You can increase the responsiveness of the server on Windows NT systems by adding the name and address of the host system to the file \winnt\system32\drivers\etc\hosts. You can also add the names and addresses of your RADIUS clients and remote management stations to the system's "hosts" file. If the RADIUS client is using its IP address as its name, simply enter the IP address as the name. The entry in the "hosts" file would appear as:

    16.20.48.8    16.20.48.8    ; RADIUS client using IP address as name

1.7.3 Registering RADIUS Clients

It is very important to use the correct name when registering your RADIUS clients. Remote management clients may be registered under their name and domain if a name service is available. Otherwise, you should use the remote management client's IP address as the name.

1.7.4 Failed Access-Request Events For User {CUB}

When the DRAS Manager is started, it sends out a broadcast message (in the form of a RADIUS Access-Request packet containing the username `{CUB}') to detect DRAS Servers on the LAN. When DRAS Servers receive this broadcast, they send an Access-Reject packet back to the DRAS Manager client. This exchange makes each DRAS Server known to the DRAS Manager. A side effect, however, is that the DRAS Server logs these events in the accounting log as failed access requests for the user `{CUB}'.
These access failures may be safely ignored. In a future DRAS release, these failures will be silently ignored and not logged.

1.7.5 SetupDb (Database Initialization Utility)

SetupDb is a utility for Windows NT and Digital Unix that allows you to create an initial DRAS server database after you install the software. If you re-install the software or re-run the SetupDb utility at any time, the utility overwrites any existing database files already on your system. Before re-running SetupDb, you might want to back up the following files, located in the directory pointed to by the DRAS_DIR environment variable:

    Windows NT               Digital UNIX
    ----------               ------------
    drasusrs.*               drasusers.*
    drasacct.dat             drasaccounting.dat
    drasdb.*                 drasdb.*
    drasrsrv.* (if found)

1.7.6 Authentication Modules

When performing remote management, you must have the appropriate authentication callout modules available locally for any authentication callout that you intend to use or specify on the remote system. If you installed DRAS normally, the necessary authentication callout modules will have been installed in the appropriate place on your system(s). Seven authentication callout modules are supplied with this version of the software:

1. Static Password (PASSWORD)
2. Racal WatchWord (WATCHWORD)
3. CHAP/PAP (CHAP)
4. SecurID (SECURID)
5. One Time Password (OTP)
6. Host Password (HOST)
7. Digital Pathways (DEFENDER)

The following sections contain additional important information about some of these authentication methods.

1.7.6.1 Security Dynamics SecurID

1.7.6.1.1 Configuring SecurID Authentication

The DRAS server must be registered as a client on the Security Dynamics ACE server, and you must have a copy of the `sdconf.rec' file that was created during installation of the ACE server in your DRAS_DIR (or DRAS$DIR, for OpenVMS) directory. When registering users in the DRAS database, no information need be entered in the user's password field to use SecurID authentication.
1.7.6.1.2 Using SecurID Authentication

When logging in to a network access server, the user may enter the appropriate SecurID passcode at the "Password" prompt. The DRAS server will return a challenge if the user does not enter a passcode at the password prompt.

1.7.6.2 Racal WatchWord

When registering a user for WatchWord authentication, enter the user's DES key into the password field. The key is encrypted before being entered into the DRAS database.

1.7.6.3 Host

When registering a user for Host password authentication, no information need be entered into the user's password field. The DRAS server uses the host's standard interactive login service and native user database to authenticate the user.

1.7.6.4 One-Time-Password (OTP)

One-Time-Password, also known as S/Key, implements a one-time password authentication system. The system provides authentication for system access (login) and other applications requiring authentication that is secure against passive attacks based on replaying captured reusable passwords. OTP evolved from the S/Key One-Time Password System that was released by Bellcore. OTP is described in RFC 1938 (May 1996), which is the product of the One Time Password Authentication Working Group of the IETF. This is now a Proposed Standard Protocol.

1.7.6.4.1 Establishing OTP Authentication for a User

Open an existing user record, or create a new user record, and select OTP as the Authentication Method. Enter the user's pass-phrase and, optionally, the number of passwords to generate and a seed, into the Password field. The format of the password field is:

    pass-phrase+count+seed

where pass-phrase, count, and seed are character strings separated with the `+' character. The pass-phrase should be 10 to 63 characters. This pass-phrase is known only to the user and is never passed over the network. A user may safely use the same OTP pass-phrase on multiple systems as long as the seed is different on each system.
The count is the number of passwords to generate for this user. It is effectively the number of times the user may authenticate using this system. The seed is a number consisting of purely numeric characters and must be one to 16 characters long. The server will generate a seed if one is not supplied.

1.7.6.4.2 Authenticate/Login with OTP

To log in, enter your username. The password is not required; the DRAS server ignores anything entered into the password field. The DRAS server will return a challenge in the form:

    otp-md5 <sequence integer> <seed>

The sequence integer and seed from the challenge are entered into the user's OTP calculator along with the secret pass-phrase to generate a response. This response is the user's currently valid one-time password. (Note: A prototype Java-based OTP calculator is currently available at http://www.cs.umd.edu/~harry/jotp/.) The DRAS server only supports the MD5 hash algorithm. Make sure the OTP calculator you use supports the MD5 hash algorithm.

The sequence number decreases every time a user successfully authenticates. Although the current sequence number is displayed as part of the challenge, the DRAS server generates an additional warning message to the user when the sequence number is smaller than 10. This version of the DRAS server does not support password sequence generation by the user. A new sequence of passwords can only be generated by the management utility.

1.7.7 Changing DRAS Password From DECserver

The DRAS server allows users to change their password when they log in through a network access server. To change their password, users should use the following syntax at the NAS Password prompt:

    current,new,new

That is, the current password is followed by the new password entered twice, each delimited by a comma. By default, DRAS expects a comma to separate the passwords. You may change this to some other printing character in the .INI file.
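The OTP-MD5 generation and server-side check described in section 1.7.6.4, as an added example (not DRAS code): the hash folding and the challenge form follow RFC 1938, and the user record is parsed from the page's pass-phrase+count+seed field format. The default count of 99 and the random numeric seed generated when none is supplied are assumptions.

```python
import hashlib
import secrets


def _fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 128-bit digest to 64 bits by XORing its halves (RFC 1938)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`: the initial step hashes the lower-cased seed
    concatenated with the pass-phrase; password N is that result hashed N more times."""
    if not 10 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must be 10 to 63 characters")
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1 to 16 alphanumeric characters")
    otp = _fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        otp = _fold_md5(otp)
    return otp


def parse_password_field(field: str, default_count: int = 99) -> tuple:
    """Parse DRAS's 'pass-phrase+count+seed' password field. Count and seed are optional;
    the default count and the random numeric seed generated here are assumptions."""
    parts = field.split("+")
    passphrase = parts[0]
    count = int(parts[1]) if len(parts) > 1 and parts[1] else default_count
    if len(parts) > 2 and parts[2]:
        seed = parts[2]
        if not seed.isdigit():
            raise ValueError("DRAS seeds are purely numeric")
    else:
        seed = str(secrets.randbelow(10**8)).zfill(8)   # server-generated seed
    return passphrase, count, seed


class OtpUserRecord:
    """Server-side state: only the most recent password and its sequence number are
    kept, so the pass-phrase itself never has to leave the user."""

    def __init__(self, field: str):
        passphrase, count, self.seed = parse_password_field(field)
        self.sequence = count                     # sequence number of the stored password
        self.last_otp = otp_md5(passphrase, self.seed, count)

    def challenge(self) -> str:
        # Challenge form from RFC 1938: otp-md5 <sequence integer> <seed>
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def low_sequence_warning(self) -> bool:
        """DRAS warns the user once the challenged sequence number drops below 10."""
        return self.sequence - 1 < 10

    def verify(self, response_hex: str) -> bool:
        """Accept the response only if hashing it once yields the stored password; a replayed
        or out-of-order value fails, and a success advances the chain by one step."""
        if self.sequence <= 0:
            return False       # sequence exhausted; a new one must come from the management utility
        try:
            response = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(response) != 8 or _fold_md5(response) != self.last_otp:
            return False
        self.last_otp = response
        self.sequence -= 1
        return True
```

The hex form of otp_md5 matches the RFC 1938 MD5 test vectors (pass-phrase "This is a test.", seed "TeSt").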
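The password-change entry handling described in section 1.7.7, as an added example (not DRAS code): the delimiter is read from the [Password] section of the .INI file, the NAS prompt entry is split into the current password and two copies of the new one, and a change that cannot be applied rejects the login. The check_current and change_password callbacks stand in for the server's password store and are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional


def read_delimiter(ini_text: str) -> str:
    """Return the Delimiter value from the [Password] section of the .INI text,
    defaulting to ','. It must be a single printing character."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "password" and line.lower().startswith("delimiter="):
            value = line.split("=", 1)[1]
            if len(value) != 1 or not value.isprintable() or value.isspace():
                raise ValueError("Delimiter must be a single printing character")
            return value
    return ","


@dataclass
class PasswordEntry:
    current: str
    new: Optional[str] = None        # None: plain login, no change requested
    confirm: Optional[str] = None    # second copy of the new password


def parse_password_entry(entry: str, delimiter: str = ",") -> PasswordEntry:
    """Split what the user typed at the NAS Password prompt. Because the delimiter cannot be
    part of a valid password, any delimiter present must yield exactly current<d>new<d>new."""
    if delimiter not in entry:
        return PasswordEntry(current=entry)
    parts = entry.split(delimiter)
    if len(parts) != 3:
        raise ValueError("expected current, new and new separated by the delimiter")
    return PasswordEntry(*parts)


def handle_login(entry: str, delimiter: str,
                 check_current: Callable[[str], bool],
                 change_password: Callable[[str, str], bool]) -> bool:
    """Server flow: authenticate with the current password first; if a change was requested
    and cannot be applied (copies differ, empty, or store refuses), reject the login and
    leave the password unchanged."""
    try:
        parsed = parse_password_entry(entry, delimiter)
    except ValueError:
        return False
    if not check_current(parsed.current):
        return False
    if parsed.new is None:
        return True
    if not parsed.new or parsed.new != parsed.confirm:
        return False
    return change_password(parsed.current, parsed.new)
```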
The default entry is:

    [Password]
    Delimiter=,

The character selected as the delimiter cannot be part of a valid password. DRAS authenticates the user using the current password and, if successful, the server attempts to change the user's password. This operation will fail if the new passwords are not identical. If the server cannot change the password, the user's login attempt is rejected and the password is not changed. Changing one's password in this fashion is currently supported only for users that are authenticated using the "Password" authentication method.

1.8 Documentation

The following documentation is available:

- Digital Remote Access Security Installation
  Contains installation instructions for all installation kits.
- Digital Remote Access Security Use
  Describes how to use the (NT/95) Windows-based management utility, DRAS Manager.

When viewing the documentation online, be sure to expand the display window to correctly view code examples and tables.

1.8.1 Documentation Errors

The following are corrections to documentation errors, or information that was not available before the documentation was finalized.

1.8.1.1 Remote Access Security Installation

If viewing the book online, the tables that list the files installed in %SystemRoot%\System32 for Windows and Windows NT systems should include the following files:

    REGSVR32.EXE    Creates entries in the Windows Registration Database
    OLEPRO32.DLL    Specific OLE grid control
    ADVAPI32.DLL    API for NT system services

The following file should be deleted from the tables:

    DRASMSG.DLL

If viewing the book online, the last paragraph of Step 2 of the Installing the Software topic in the DIGITAL Unix Installation section refers to a WindowsNT directory. It should read WINNT directory.

If viewing the book online, the command line in Step 2 of the De-installation topic of the DIGITAL Unix Installation section shows an incorrect version number.
It should read:

    # setld -d DRAS022

1.8.2 Reporting Problems

Digital is very interested in your feedback. Our main help desk telephone number is 1-800-354-9000. When reporting problems to Digital, please be sure to have the following information available:

1.8.2.1 Component Information

Please indicate whether the problem pertains to the Remote Access Security server, or to the Windows NT or Windows 95 GUI.

1.8.2.2 Program Version Information

Program version information is displayed in the Remote Access Security server log file when the server is started. For example, on OpenVMS VAX, information similar to the following is displayed:

    TSTVAX$DKA100:[SYS0.SYSCOMMON.][SYSEXE]DRAS$SERVER.EXE;1
    Image has NOT been INSTALLed
    image name: "DRAS$SERVER"
    image file identification: "DRAS V2.3a-01"
    link date/time: 1-APRIL-1997 15:33:10.99
    linker identification: "05-13"
    Server process name is: TSTVAX::DRAS$SERVER
    Server Process ID is: 00000237
    Username: SYSTEM
    UIC: [SYSTEM]
    Account: SYSTEM
    Privileges: SYSNAM,DETACH,GROUP,TMPMBX,OPER,NETMBX,SYSPRV
    CPU Model: VAX 6000-420
    OpenVMS Version: V6.1

On other platforms, information like the following is displayed:

    Digital Remote Access Security for Win32 Alpha, version V2.3a-01
    Copyright (c) 1997 Digital Equipment Corporation. All rights reserved.

In addition, serious conditions and significant events are logged with a leading timestamp, which contains the version identification string for the image. For example:

    ___ Wed May 17 15:34:29 1997 __________ DRAS V2.3a-01 _______
    Digital Remote Access Security started.

Without this information, we cannot properly diagnose the problem.

1.8.2.3 Hardware Platform/OS Information

Please provide the hardware platform (VAX, Alpha, or Intel) as well as the operating system and version (OpenVMS, Windows NT, Digital Unix) on which you are experiencing the problem.

1.8.2.4 Problem Description

A full description of the problem is most helpful to Digital in diagnosing it.
If you are reporting problems electronically, please include as much detail as possible, including the server log file:

1. Any error messages displayed, including register information provided in a crash display.
2. A description of how to reproduce the problem, if known.
3. A history of when the problem started and what site or setup changes may have precipitated it.
4. Is this a new installation? Did any prior version of DRAS work? Were any new applications installed on the host? What has been done to isolate the problem to DRAS?
5. A LAN trace in situations where the problem appears to be one of connectivity, e.g. the DRAS server appears to be running but users can't authenticate.
6. Is there a workaround?