NTTacPlus® Server. RADIUS/TACACS+ Access Control Server for Windows. Installation and User Guide


Page 1:  · Web viewNTTacPlus® Server. RADIUS/TACACS+ Access Control Server for Windows. Installation and User Guide. Release 2.0. A complete package for access control and accounting data

NTTacPlus® Server

RADIUS/TACACS+ Access Control Server for Windows

Installation and User Guide


Release 2.0


NTTacPlus Server for Windows 2.0

A complete package for access control and accounting data management.

Especially designed for Internet Service Providers.

Available for Windows NT 4.0, Windows 95/98 and Windows 2000.

Y2K Ready.

INFORMATION IN THIS DOCUMENT MAY BE SUBJECT TO CHANGE WITHOUT NOTICE. IT IS ALSO POSSIBLE THAT THIS DOCUMENT COULD INCLUDE TYPOGRAPHICAL ERRORS OR TECHNICAL INACCURACIES. MASTER SOFT S.N.C. PROVIDES THIS DOCUMENT AND THE RELATED SOFTWARE NTTACPLUS “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

NO PART OF THIS DOCUMENT MAY BE REPRODUCED, TRANSMITTED, STORED IN A RETRIEVAL SYSTEM, NOR TRANSLATED INTO ANY LANGUAGE, IN ANY FORM OR BY ANY MEANS, ELECTRONIC, MECHANICAL, MAGNETIC, OPTICAL, CHEMICAL, MANUAL, OR OTHERWISE, WITHOUT THE EXPRESS WRITTEN PERMISSION FROM MASTER SOFT S.N.C.

Copyright 1998-2000 MASTER SOFT S.N.C. - Novara (Italy) - All rights reserved.

NTTacPlus and MSoft are registered trademarks of Master Soft S.n.c.

All the references to other companies and product names are trademarks or registered trademarks of their respective holders.

Installation and User Guide. Rel. 2.0.233 14/03/2007

Master Soft S.n.c. NTTacPlus Access Control Server rel. 2.0


NTTacPlus – Installation and User Guide page 1/92

Summary

Introducing NTTacPlus...................................................................................................................3

What is NTTacPlus.......................................................................................................................3

NTTacPlus Main Features............................................................................................................4

What’s new in NTTacPlus 2.0.........................................................................................................7

Introducing NTTacPlus 2.0...........................................................................................................7

Differences with release 1.x..........................................................................................................7

How to upgrade NTTacPlus 1.x..................................................................................................10

NTTacPlus Installation.................................................................................................................. 11

System requirements.................................................................................................................. 11

Contents of the installation package...........................................................................................11

NTTacPlus setup........................................................................................................................ 11

Uninstalling NTTacPlus..............................................................................................................12

Running NTTacPlus as a stand-alone application......................................................................12

Running NTTacPlus as a Windows NT service..........................................................................12

Running NTTacPlus in unregistered mode.................................................................................13

NTTacPlus Configuration..............................................................................................................14

First execution of NTTacPlus......................................................................................................14

First login on NTTacPlus............................................................................................................15

NTTacPlus Console Elements....................................................................................................15

Configuration parameters summary...........................................................................................18

NAS Configuration for use with NTTacPlus................................................................................24

RADIUS/TACACS+ specific parameter configuration.................................................................28

Configuring NTTacPlus and the NAS for forced disconnection..................................................30

General settings......................................................................................................................... 33

Configuration of the activity event log.........................................................................................37

Resynchronization with Cisco NASes.........................................................................................39

Configuring backup on a NTTacPlus server...............................................................................41

Configuration of login messages................................................................................................42

RADIUS & TACACS+..................................................................................................................... 43

The AAA Model.......................................................................................................................... 43

Authentication............................................................................................................................. 43

Authorization............................................................................................................................... 43

Accounting.................................................................................................................................. 44

NTTacPlus AAA Model Implementation......................................................................................44


The authentication process in NTTacPlus..................................................................................44

The authorization process in NTTacPlus....................................................................................45

The accounting process in NTTacPlus.......................................................................................46

Comparison between some RADIUS attributes and their TACACS+ equivalent........................47

The RADIUS attributes and the dictionary..................................................................................47

Account Management................................................................................................................... 49

The User Account Database.......................................................................................................49

Hierarchical structure of the database........................................................................................49

User (group) profile parameters..................................................................................................50

Using wildcards in expressions...................................................................................................60

Some user and group profile examples......................................................................................61

Special settings.......................................................................................................................... 64

The post-authentication scripts...................................................................................................65

Expiring account warning e-mail messages format....................................................................66

Account profiles in ODBC SQL format........................................................................................67

Managing accounts with the Profile Manager.............................................................................69

Some remarks about Profile Manager settings...........................................................................70

The accounting data...................................................................................................................... 78

Accounting data generated by NTTacPlus.................................................................................78

Per-user accounting files............................................................................................................78

Global accounting files...............................................................................................................79

Accounting data on ODBC SQL databases................................................................................80

SQL Active users output.............................................................................................................80

Configuring Accounting in NTTacPlus........................................................................................81

Configuring the accounting output on ODBC..............................................................................83

Configuring NTTacPlus manually................................................................................................86

Configuration file structure..........................................................................................................86

Flags and Debug special parameters.........................................................................................88

Technical support and Product Registration..............................................................................91

Documentation to enclose with communications........................................................................91

How to register the product.........................................................................................................91

License Agreement..................................................................................................................... 92

How to contact us....................................................................................................................... 93


Introducing NTTacPlus

What is NTTacPlus

NTTacPlus is a centralized server application for controlling and managing remote access to the network through the standard protocols TACACS+ (developed by Cisco) and RADIUS (developed by Livingston, now an IETF standard). The application implements the AAA model (Authentication, Authorization, Accounting):

- Authentication: identifying who a user is (username/password pair validation).
- Authorization: identifying what a user can do (network resource assignment).
- Accounting: the recording process which keeps track of system utilization by the user.

Centralized Access Management

NTTacPlus can operate either as a stand-alone program or as a service under Windows NT.

NTTacPlus is based on a user database that can be implemented in two different ways: as a set of simple text files, each file representing a user, or as an ODBC SQL database (such as Microsoft Access or SQL Server) containing two different tables, one for user accounts and one for group profiles. User profiles contain account parameters (password expiration date, login hours and credits, etc.).

The Network Access Server (NAS), sometimes also called Communication Server, Remote Access Server or Terminal Server, is a device which usually accepts remote accesses through phone calls on analogue or ISDN lines with modems or ISDN terminal adapters. The NAS connects dial-in users to the internal network (Intranet), typically a Local Area Network (LAN), or to the Internet as a whole.

NTTacPlus accepts authentication and authorization queries from the NAS (such as 3Com Total Control, Ascend Max, Livingston PortMaster, Cisco AS5200), examining user profiles and taking into account the characteristics configured for each user.

Moreover, NTTacPlus acquires the accounting data sent by the NAS and records it on an ODBC data source. This makes the accounting data available for statistical processing of accesses, for the creation of detailed billing reports, etc.


NTTacPlus Main Features

High performance, small resource consumption

NTTacPlus, developed in C++, is optimized to provide excellent performance with limited use of memory and resources. It can perform a high number of authentications per second with reduced CPU occupation. The executable file is small. Installation is quick because the application does not make use of runtime DLLs or other external libraries not included in the operating system; every component of the application is stored in the installation directory (no DLL is scattered in the Windows system directory or elsewhere).

NTTacPlus does not make use of the Windows registry: there is no need to wander through the complicated registry structure looking for the program's configuration values. All configuration data is set in text files residing in the installation directory.

Complete support for authentication, authorization and accounting

NTTacPlus supports any authentication, authorization and accounting request as defined in the standard specifications of both the TACACS+ and RADIUS protocols. Its flexibility allows it to support new proprietary extensions defined for authorization in both protocols.

Simplified and remote management of user profile database

User profiles can be easily modified with any text editor (such as notepad.exe) when they are stored in text files. If you plan to use ODBC support for your user database, you can edit them through simple queries. It is not necessary to load or save the user database because any modification to a profile takes effect as soon as the file is saved, even if you are using ODBC support. The backup of the whole database is also immediate: you simply have to copy the user and group profile directories, or make a backup copy of the user database when operating with ODBC.

Thanks to the NTTacPlus Console it is possible to perform complete remote management of both NTTacPlus servers and the related accounts. The remote management application is a small executable and works on any Windows 9x, Windows 2000 or Windows NT machine connected to a TCP/IP network. The Remote Console allows you to modify user profiles in real time, dialoguing with a NTTacPlus server. The data exchange between the Remote Console and the NTTacPlus Server is encrypted.

Groups and Inheritance

With NTTacPlus it is possible to define not only user profiles but also group profiles. Group profiles can include all the parameters which can be applied to a single user: you just have to assign a user to a group and it automatically inherits all the parameters previously set in the parent group.

A user profile may belong to more than one group. In this case the search for attributes proceeds through each group in turn. Moreover, a group itself may belong to another group. It is therefore possible to create a hierarchical structure which makes user profiles very easy to manage: common settings are kept in the groups, avoiding time-wasting repetition in each profile and focusing only on the parameters that distinguish users.
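The inheritance rules just described, modelled as an added example (this is not NTTacPlus code, nor its .USR/.UGP file format): a user's own parameters are searched first, then each group in the order listed, each group being searched together with its parent groups before the next one is tried; that depth-first order, the one-visit rule that makes a membership cycle terminate, and the sample names are assumptions.

```python
"""Profile lookup through groups and nested groups.

Constructed in-memory sample tables; parameter and group names are
hypothetical and not taken from NTTacPlus.
"""
from typing import Any, Dict, Iterator, List, Optional, Set

# A profile is its own parameters plus the groups it belongs to, in order.
Profile = Dict[str, Any]

# Constructed sample group profiles.
GROUPS: Dict[str, Profile] = {
    "everyone": {"params": {"MaxLogins": 1, "Privilege": 1}, "groups": []},
    "dialup":   {"params": {"Service": "ppp"}, "groups": ["everyone"]},
    "premium":  {"params": {"MaxLogins": 2, "TimeCredit": 3600}, "groups": ["dialup"]},
    "staff":    {"params": {"Privilege": 15}, "groups": ["everyone"]},
}

# Constructed sample user profiles.
USERS: Dict[str, Profile] = {
    "alice": {"params": {"Password": "<constructed>"}, "groups": ["premium"]},
    "bob":   {"params": {"Privilege": 7}, "groups": ["staff", "premium"]},
}


def _walk_groups(groups: Dict[str, Profile], names: List[str],
                 seen: Set[str]) -> Iterator[Profile]:
    """Yield group profiles depth-first: a group, then its parent groups,
    then the next group in the list. Each group is visited once, so a
    membership cycle (a group that indirectly contains itself) terminates;
    how NTTacPlus itself treats such a cycle is not stated in the manual."""
    for name in names:
        if name in seen:
            continue
        seen.add(name)
        profile = groups.get(name)
        if profile is None:
            # Dangling group reference: skipped here (an assumption).
            continue
        yield profile
        yield from _walk_groups(groups, profile["groups"], seen)


def search_order(user: str, users: Dict[str, Profile],
                 groups: Dict[str, Profile]) -> Iterator[Profile]:
    """The user's own profile first, then its groups in the order listed."""
    profile = users[user]
    yield profile
    yield from _walk_groups(groups, list(profile["groups"]), set())


def resolve(user: str, param: str, users: Dict[str, Profile] = USERS,
            groups: Dict[str, Profile] = GROUPS) -> Optional[Any]:
    """Return the first definition of `param` found along the search order,
    or None when neither the user nor any of its groups defines it."""
    for profile in search_order(user, users, groups):
        if param in profile["params"]:
            return profile["params"][param]
    return None


def effective_profile(user: str, users: Dict[str, Profile] = USERS,
                      groups: Dict[str, Profile] = GROUPS) -> Dict[str, Any]:
    """Merge every parameter the user inherits. The first definition wins,
    so a user setting overrides its groups and an earlier group overrides
    a later one (bob gets MaxLogins=1 from staff->everyone, not 2 from premium)."""
    merged: Dict[str, Any] = {}
    for profile in search_order(user, users, groups):
        for key, value in profile["params"].items():
            merged.setdefault(key, value)
    return merged


if __name__ == "__main__":
    for name in USERS:
        print(name, effective_profile(name))
```

Because the group order decides which definition wins, listing a user's most specific group first is what keeps the resolved profile predictable.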

Real time and remote check on the activity

NTTacPlus allows the monitoring of active connections thanks to a window showing the list of active users, specifying for how long and on which NAS they have been connected.

Moreover, NTTacPlus records in real time all incoming requests of authentication, authorization and accounting, as well as remote management sessions. The events are displayed on screen in a log window and are also permanently recorded in a log file.


It is also possible to forcibly and automatically disconnect users through the RSHELL protocol (implemented in this release of NTTacPlus) or using external utilities or scripts (like SNMPSET or telnet).

Thanks to the NTTacPlus Console application it is possible to activate an exact copy of the active users window on any remote PC (Windows 9x, Windows 2000 or NT) connected to a TCP/IP network.

Redundant functioning and backup features

NTTacPlus can be installed on another machine and configured as a redundant backup server. The backup server can automatically connect to the primary NTTacPlus server and periodically synchronize the whole user database. The data transfer during synchronization occurs over a TCP connection and the exchanged packets are encrypted. In case of malfunctioning of the main server, the NAS can address its requests to the backup server.

Extended access control

NTTacPlus offers several parameters to regulate user access. In particular, it is possible to condition access upon:

- expiry date of the account
- connection time-table (daily or weekly, with programmable holiday calendar)
- Called/Calling ID (called/calling phone number, if supported by the Telco)
- source NAS or NAS port (distinction between analogue or ISDN calls)
- number of concurrent logins for the same account
- overall residual time credit
- overall residual traffic credit
- time quota assignment for a given period
- privilege level (from basic user to administrator)

Extended check on suspicious cases

NTTacPlus can detect failed access attempts (due to wrong password, time of connection, privilege, or double access attempts with the same username) and undertake administrative actions (which can be freely enabled or disabled) such as:

- E-mail notification to the system administrator
- E-mail notification to the relevant user
- Immediate disabling of the user account
- Immediate forced disconnection of the user

Furthermore, NTTacPlus can send customizable warning e-mail messages to the user when his account is expiring or when his credits (time or traffic) are under a warning threshold.

Extended support for accounting (ODBC)

NTTacPlus offers extended support for accounting. For each session NTTacPlus records a series of useful information, such as the duration of the session, input and output traffic, and residual time and traffic credit. The accounting output is transferred in real time into a standard ASCII file table or into a standard ODBC database, such as Microsoft Access, SQL Server, Oracle, etc. NTTacPlus can also maintain a real-time updated table of currently logged in users in an ODBC database.


Functioning as a Proxy module for Windows NT, UNIX or other TACACS+ servers

NTTacPlus can authenticate username and password by forwarding access requests to a Windows NT machine (even a remote one) and using its user database. It can also forward authentications to other TACACS+ servers, or use accounts stored in standard UNIX passwd files.

Automatic synchronization with Cisco Network Access Servers (NAS)

NTTacPlus can synchronize its active users list with any Cisco NAS. In this way you can avoid information loss when a server running NTTacPlus restarts or when the NAS itself reboots. Furthermore, NTTacPlus can periodically synchronize its active user list by querying the NASes and updating its current accounting information. In this way NTTacPlus can eliminate a possible loss of accounting data (for example when the NAS doesn’t correctly send the STOP messages to NTTacPlus).

NTTacPlus Open Architecture

NTTacPlus offers an open architecture through the use of the ODBC standard for storing user/group profiles and accounting data, so you can easily integrate NTTacPlus in legacy environments. NTTacPlus also allows administrators to expand authentication and accounting capabilities using customizable external scripts.

Easy web interfacing

NTTacPlus can easily expose its accounting data (active users, user profiles, accounting reports) to a Web Server using ASP, Cold Fusion Markup Language, CGI, etc. The administrator/webmaster only has to customize the HTML format of his Intranet/Internet web server in order to manage users, create accounting reports, sell accounts on-line and so on.


What’s new in NTTacPlus 2.0

Introducing NTTacPlus 2.0

The new release of NTTacPlus introduces a lot of improvements and new features, such as support for the RADIUS authentication protocol (a standard for all remote access hardware platforms) and support for SQL ODBC databases for user account storage and management.

The evolution of NTTacPlus proceeds in the direction of an open standard, towards the needs of system and network administrators who want to tightly integrate their existing systems with the power of the AAA model. The way Master Soft wants to reach this target is known as the O.A.K. project (Open Administration Kit). NTTacPlus has been designed to be as open as possible, thanks to the introduction of ODBC user database support. The target of the O.A.K. project is to integrate the NTTacPlus authentication/accounting engine into existing billing and accounting procedures (accounting applications, invoicing, billing, statistical tools and so on) without upsetting the existing procedures.

The O.A.K. project will provide the release of the documentation and a set of APIs which will allow easy management of NTTacPlus servers from within any programming language. We’ll also release support for Microsoft Active Server Pages and for Allaire Cold Fusion Application Server: everyone will be able to develop integrated web procedures in a very fast, flexible and easy way.

Differences with release 1.x

NTTacPlus 2.0 introduces a lot of improvements over release 1.x; some relevant modifications have been applied to the user interface. We suggest that our Customers running NTTacPlus 1.x read this brief chapter very carefully, as it shows the main differences between the old and the new versions. A detailed description of the new options and features is given in the next chapters. Here is a list of the main new features:

- A new Graphical User Interface, totally moved to the Remote Console
- Support for the RADIUS protocol
- Support for SQL ODBC databases (now available for storing accounts also)
- Complete menu and options reorganization
- Improved Cisco NAS resynchronization options
- A lot of minor changes and improvements

User interface moved to the NTTacPlus Remote Console separate application

The remote console has been completely redesigned and now integrates into a single application the old NTTacPlus Console and the NTTacPlus User Manager. The server side interface has been reduced to a single dialog window (or a systray icon if NTTacPlus is running minimized). If NTTacPlus is executed as a service, no GUI window is visible: this new concept optimizes server side memory utilization and performance.

All the functions formerly available in the NTTacPlus main window are now accessible via the NTTacPlus Remote Console. In this way you can completely administer NTTacPlus servers from anywhere on the network. The setup program allows you to choose whether to install the NTTacPlus server only, the NTTacPlus Remote Console only, or both.


However you do not need to execute the setup to install the Remote Console on a client PC. It is just enough to copy the following two files in a directory of the PC on which you want to run NTTacPlus Remote Console:

NTTACMON.EXE  Remote Console main executable
RADDICT.DAT   The RADIUS attribute dictionary used for user profile management

In order to manage a NTTacPlus server locally, start the Remote Console and log in using localhost as the server address.

RADIUS protocol support

This release of NTTacPlus now fully supports the RADIUS protocol with any RADIUS-enabled client. Some attributes specific to the RADIUS protocol are automatically re-mapped into standard NTTacPlus parameters, in order to keep the graphical interface homogeneous with the TACACS+ protocol and at the same time compatible with older versions of NTTacPlus. For a more in-depth description of this feature, read the paragraph Comparison between some RADIUS attributes and their TACACS+ equivalent.

Through the RADIUS protocol, NTTacPlus can now take advantage of the Session-Timeout attribute to implicitly terminate user sessions. See the chapter Use of session-timeout.

Users and groups SQL ODBC database support

NTTacPlus can now also store user and group profiles in a SQL/ODBC database: you can simply decide whether to maintain your existing accounts in simple ASCII text files or to import them into an ODBC database. You may find details about the usage of and migration to ODBC databases in the chapter Account profiles in ODBC SQL format. A sample MS Access 97 database is distributed with NTTacPlus; in this database you’ll find some routines useful for importing and exporting users to and from text profiles.

New configuration menus

All configuration options have been reorganized and moved to a single dialog window accessible from the Tools/Options (F8) menu. You can access the configuration dialog window from any NTTacPlus Remote Console. Any modification issued from the configuration dialog window becomes effective as soon as you confirm it, and does not require any server restart command.

Cisco NAS resynchronization improvements

A new set of resynchronization routines has been implemented to eliminate problems due to Cisco loss of accounting STOP records. This is a workaround for bugs in some IOS releases. You can find more details about this feature in the chapter Resynchronization with Cisco NASes.


A list of minor changes

A list of minor changes and new features follows. Detailed information about these changes is available further on in this document.

Modifications to the NTTacPlus graphical interface and configuration:

- Added context menu support in the active users window (now you can double click or right click on logged in users).
- Changed external script syntax for the Kill section for forced user disconnection: wildcards are supported in interface names; you can distinguish by NAS; default command support added.
- Added internal support for the RSHELL protocol: you do not need to spawn external applications to issue rsh commands anymore.
- Added global (not per-user) post-accounting script execution support, to extend accounting capabilities with your own procedures.
- Added MS-CHAP and ARAP-DES authentication protocol support for TACACS+.
- Reorganized Activity event log message format: now messages are more detailed and more compact at the same time.
- Added a refuse (not) operator in wildcard expressions (the exclamation mark symbol “!”).
- Improved administrative and warning email message information detail.
- Added system accounting support for the TACACS+ protocol.
- Added the possibility to configure the time interval between two checks on active sessions.
- Added the possibility to disable the screen activity event log output, in order to reduce CPU load in case of many simultaneous Remote Console sessions.

Account profile modifications:

- Added support for the new parameter EffectiveFrom: now you can specify the account starting date besides the standard expiration date.
- Added support for a new format of the Expires parameter: now you can give NTTacPlus an account duration (in days) rather than an absolute expiration date. By combining this feature with the EffectiveFrom parameter, NTTacPlus can handle fixed duration accounts that auto-activate from the first successful login.
- Added per-user post-authentication script execution support: now you can extend authentication capabilities with your own external procedures.
- Reorganized warning and expiration email messages: now this feature is available for time and traffic credit accounts also.
- Added a dedicated password management section in the Profile Manager.
- Added support for DES encrypted passwords.
- Added support for authentication over a standard UNIX passwd(5) file.
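The EffectiveFrom/Expires combination listed above, modelled as an added example (not NTTacPlus code; the real value syntax is not shown in this chapter). It assumes ISO dates for EffectiveFrom and for an absolute Expires, a "<days>d" form for a duration Expires, that an absolute date is valid through that whole day, and that a duration-based account with no EffectiveFrom starts its clock at the first successful login.

```python
"""Account validity window from EffectiveFrom and Expires.

Value syntax and the activation rule are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class Account:
    effective_from: Optional[date] = None  # EffectiveFrom; None = not yet set
    expires: Optional[str] = None          # "2001-03-31" or "30d"; None = never


def parse_expires(value: str) -> Tuple[str, object]:
    """Return ("date", date) for an absolute expiration or ("days", n) for a
    duration in days. Raises ValueError for anything else."""
    value = value.strip()
    if value.lower().endswith("d") and value[:-1].isdigit():
        return "days", int(value[:-1])
    return "date", date.fromisoformat(value)


def expiry_date(account: Account) -> Optional[date]:
    """First day on which the account is no longer valid, or None when it
    never expires or its duration has not started counting yet."""
    if account.expires is None:
        return None
    kind, value = parse_expires(account.expires)
    if kind == "date":
        return value + timedelta(days=1)   # valid through the stated day
    if account.effective_from is None:
        return None                        # clock starts at first login
    return account.effective_from + timedelta(days=value)


def check_validity(account: Account, today: date) -> Tuple[bool, str]:
    """Decide whether a login on `today` falls inside the account's window.

    A duration-based account with no EffectiveFrom is activated by this
    (first successful) login: EffectiveFrom is set to today and the days
    are counted from there. Assumes the other checks (password, time-table,
    credits) have already passed, so this login really is successful."""
    if account.effective_from is not None and today < account.effective_from:
        return False, "not yet effective"
    activated = False
    if account.effective_from is None and account.expires is not None:
        if parse_expires(account.expires)[0] == "days":
            account.effective_from = today
            activated = True
    limit = expiry_date(account)
    if limit is not None and today >= limit:
        return False, "expired"
    return True, "activated" if activated else "ok"


if __name__ == "__main__":
    trial = Account(expires="30d")          # constructed 30-day account
    print(check_validity(trial, date(2000, 1, 1)), trial.effective_from)
    print(check_validity(trial, date(2000, 1, 31)))
```

Note that activation mutates the account: the server has to persist the new EffectiveFrom, otherwise every login would restart the duration.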


How to upgrade NTTacPlus 1.x

In order to upgrade NTTacPlus 1.x to NTTacPlus 2.0 without damaging your user database and configuration, we suggest that you follow these few tips:

1. Make a backup copy of the whole NTTacPlus 1.x directory.
2. Stop any active instance of the NTTacPlus Remote Console or NTTacPlus server.
3. Run the NTTacPlus 2.0 setup, installing the new release in the same directory as NTTacPlus 1.x.
4. Restart the service.
5. Log into the server using the NTTacPlus Remote Console.
6. Verify very carefully all the configuration parameters from the Tools/Options window.


NTTacPlus Installation

This chapter explains how to install NTTacPlus over a fresh system with no previous versions of the software. If you need to perform an upgrade or install over an existing version, please read the previous chapter.

System requirements

Operating system Windows 9x, Windows NT 4.0, Windows 2000

CPU Pentium/133 or higher

RAM 32 MB on Windows 9x, 48 MB on Windows NT and Windows 2000

Disk space Less than 4 MB for installation; additional space is required for log files, accounting data and user profile data

Network Winsock 1.1 compliant TCP/IP stack

Contents of the installation package

The original NTTacPlus package includes the following files:

NTTACP.EXE          Main NTTacPlus executable
NTTACP.INI          Configuration file for NTTacPlus
RADDICT.DAT         Extensible RADIUS attributes dictionary
INSTSERV.EXE        Utility for installing NTTacPlus as an NT service
README.TXT          Text file with the most up-to-date additions and useful information
MESSAGES\*.TXT      Directory containing text files (pre- and post-authentication banners)
ODBC\STAT.MDB       Microsoft Access database file with example accounting tables
ODBC\NTTACDB.MDB    Microsoft Access database containing the User and Group profile tables
NTTACMON.EXE        NTTacPlus Remote Console executable
EXTERNAL\*.*        Directory with external NT utilities and scripts
DOCS\MANUAL.DOC     English documentation
DOCS\ORDER.DOC      Order form (valid outside Italy)
DOCS\MANUALE.DOC    Italian documentation
DOCS\ORDINE.DOC     Order form (valid only for Italy)
USERS\*.USR         Examples of preconfigured user profiles in ASCII format
GROUPS\*.UGP        Examples of preconfigured group profiles in ASCII format

NTTacPlus setup

1. Create a temporary directory for the installation of NTTacPlus (e.g. c:\temp).
2. Extract the zip archive into the directory you created.
3. Run the installation program setup.exe and follow the instructions.


Uninstalling NTTacPlus

To uninstall NTTacPlus, click the Uninstall icon in the NTTacPlus folder of the Windows Start menu. Alternatively, open the Control Panel, Add/Remove Programs, select NTTacPlus 2.0 and click Remove.

If the program has been configured as a Windows NT service, it must be stopped and removed from the service database before uninstallation, using the enclosed INSTSERV.EXE utility.

If the uninstall procedure does not complete successfully, after stopping and removing the service with INSTSERV follow these steps:

1. Remove all the shortcuts to NTTacPlus in the Start menu folder.
2. Delete all the ODBC system datasources that point to NTTacPlus databases.
3. Delete the main NTTacPlus installation directory and its subdirectories (e.g. C:\NTTacPlus2).
4. Run REGEDIT.EXE and delete the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft\NTTacPlusConsole
HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft\NTTacPlusMgr
HKEY_LOCAL_MACHINE\SOFTWARE\Master Soft (only if this key is empty and has no subkeys)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NTTacPlus 2.0

Running NTTacPlus as a stand-alone application

NTTacPlus can be run as a stand-alone application: simply execute NTTACP.EXE. We suggest running NTTacPlus as a stand-alone application the first time, in order to complete all the configuration tasks.

Running NTTacPlus as a Windows NT service

NTTacPlus may be run as a Windows NT service (so you do not need to be logged on to Windows NT to start NTTacPlus). To install NTTacPlus as a service, run INSTSERV.EXE:

To add NTTacPlus to the Service Control Manager services list, press the Install Service button.
To start the service, press the Start Service button.
To stop the NTTacPlus service, press Stop Service.
To remove the NTTacPlus service, press Remove Service.

NOTE: removing the service does not stop an active instance of NTTacPlus.


Running NTTacPlus in unregistered mode

When you run NTTacPlus for the first time it starts in unregistered mode. The unregistered mode lets you evaluate the software for 30 days from the first startup; every feature is fully working. When the evaluation period has expired, NTTacPlus ceases to work when you restart it. You can switch NTTacPlus to registered mode by opening the Registration menu and filling in the Registration dialog box.

When you have entered the right keys NTTacPlus switches to registered mode. As the activation keys are calculated from the Microsoft Network (LAN) name of the machine running NTTacPlus, if you plan to change the server name you will have to request a new pair of activation keys from Master Soft S.n.c. For more information on how to obtain activation keys, read the chapter How to register the product at the end of this User Guide.


NTTacPlus Configuration

First execution of NTTacPlus

When you start NTTacPlus a small window appears:

NOTE: If you run NTTacPlus as a service no window is visible. If you run NTTacPlus as a stand-alone application, when you minimize the NTTacPlus server window a system tray icon appears:

You can take full control over NTTacPlus using the NTTacPlus Console: to configure the server for the first time you need to run the console (NTTACMON.EXE) that will ask you to login using an administrative account:


First login on NTTacPlus

To log in for the first time use this administrative account:

Username = admin
Password = admin
Server name = localhost (or the NTTacPlus server IP address)
Encryption key = (leave empty if you are running NTTacPlus for the first time)

These are the factory defaults and they are public: change the admin password (password management section of the Profile Manager) and configure an encryption key before the server is reachable from the network, otherwise anyone who can connect to the TACACS+ TCP port can log in to the Remote Console as administrator.

NTTacPlus Console Elements

Active Users window

When you start the NTTacPlus Console, after the login the active users main window appears. Right-click a user to open the user command menu. If you select Properties (or double-click the username) an informative window appears, containing information about the user's current session. The window also offers a shortcut that starts the default mail client to send a message to the user.


Activity event log window

Pressing the F4 key or choosing the Edit/Log window menu brings up the activity event log window, which shows the NTTacPlus server activity in real time with a customizable level of detail, depending on the log output configuration (see the paragraph Configuration of the activity event log further on):

NOTE: You can watch the activity event log in the NTTacPlus log window only if the menu item Edit/Receive log event stream is checked.

Account Profile Manager

Pressing the F10 key or choosing the Edit/Profile Manager menu you can bring up the NTTacPlus account manager window:


Configuration Option Window

From the main window press F8 (or choose the Tools/Options menu) to open the configuration window:

The configuration window is divided into several sections. We suggest that you proceed to configure each section reading the following table. When you have configured all the parameters, press the OK button to make changes active.


Configuration parameters summary

The following tables show you a summary overview of all the NTTacPlus server configuration options. You will find an exhaustive description of every option further on this manual.

General section

E-Mail global settings
Notification E-Mail Address    E-mail address to which NTTacPlus sends administrative notifications
SMTP Server                    SMTP server IP address or name. NTTacPlus uses this server to deliver e-mail messages both to administrators and to users
Server source e-mail           NTTacPlus sender e-mail address

Banners
Pre-authentication msg file    Pathname of an ASCII file containing a customizable message shown at the NAS login prompt before the authentication session
Post-authentication msg file   Pathname of an ASCII file containing a customizable message shown at the NAS login prompt after the authentication session

User database settings
Enable ODBC user database      Enables ODBC to store User and Group Profiles. If unchecked, NTTacPlus uses ASCII files
using this datasource          System datasource name for the user database
Serialize SQL queries          If checked, NTTacPlus executes queries to the database in a sequential queue (for use with databases such as SQL Server)
DB Username                    Username used to connect to the datasource
DB Password                    Password used to connect to the datasource
User file directory            The directory in which user profiles (*.usr files) are stored in ASCII format (ignored if the ODBC user database is active)
Group file directory           The directory in which group profiles (*.ugp files) are stored in ASCII format (ignored if the ODBC user database is active)

Default user
Enable <default> user          Enables the use of the default user when NTTacPlus does not find a username in the user database
Create user profile from <default>   Allows the automatic creation of a user profile by duplicating the default one
Email admin on unknown users   Sends a notification to the administrator when an unknown user tries to log in


General
Max login attempts             Maximum number of failed logins before a notification e-mail is sent
First day of week              Sets the first day of the week (useful for weekly quota calculations) if you need to start the week on a day other than Sunday
Periodic check interval        Sets how often NTTacPlus performs a credit check on active users, so that it can force the disconnection of a user who has no more time credit
Use username for maxlogins     Identifies a session uniquely using the port name, the NAS address and also the username
Resolve name (DNS)             Resolves NAS addresses into names (we suggest not activating this feature, to avoid performance degradation)

Logging section

Event logging options

Enable logging to screen       Sends the log information to the active console windows
Enable logging to file         Records daily events in text files (ASCII format)
Log file directory             Path where NTTacPlus saves the daily log files

Debug Logging Events
Session thread execution       Shows information about program thread start/stop and external application execution
Authentication session         Shows details about authentication sessions
Authorization session          Shows details about authorization requests and the AV pairs
Accounting session             Shows details about accounting data received from the NAS
Packet dumping                 Shows in depth the contents of the RADIUS/TACACS+ packets received from the NAS
Password checking              Shows the password verification process in clear text. Useful for debugging the most common authentication problems (UPPER/lower case passwords, empty password, wrong password and so on). Since it writes user passwords in clear text to the console and, if file logging is enabled, to the log files, enable it only for the duration of a troubleshooting session and protect or delete the resulting log files
Port cleaning commands         Shows details about the disconnection commands sent to the NASes
User account charging          Shows details about time and traffic charges
Max logins check               Shows events about concurrent login checking
Extended session               Shows details about Remote Console sessions
Backup events                  Shows events about synchronization processes between NTTacPlus servers
SMTP connections               Shows events about notification e-mail message delivery

Accounting section

Time & traffic roundoff

Session time rounding offset Round off interval (in minutes) applied to time credit accounts. It defines the smallest “time packet” for a connection.

Session traffic rounding offset Round off interval (in Kbytes) applied to traffic credit accounts. It defines the smallest “Kbytes packet” for a connection.


Account expiration warnings
Date expiration warning        Sets the warning period before an account expires
Time expiration warning        Sets the "low time credit" warning threshold
Traffic expiration warning     Sets the "low traffic credit" warning threshold

ASCII Accounting

Accounting directory           Path where NTTacPlus creates the ASCII accounting files
Enable accounting text output  Enables daily accounting ASCII file creation (*.acc)

Per-user accounting logging It enables per-user accounting ASCII file creation. (*.log). These files contain all the START/STOP messages received from the NAS for a given user.

Log unknown user accounting It records all accounting data coming from unknown usernames, storing the messages in a file named _unknown_.log

General AccountingSend unknown users to active window

It shows unknown (unconfigured) users also in the active users window (recording the session data also)

Run the post accounting script It allows the execution of an external script when NTTacPlus receives an accounting message from the NAS

ODBC Accounting
Enable ODBC accounting         Enables ODBC accounting
Datasource name                The datasource name used to record accounting output
Login Username                 Username used to connect to the datasource
Login Password                 Password used to connect to the datasource
Accounting table name          The name of the table containing information about user sessions
Log active users on table      Enables real-time updating of a table in which an active users list is kept
Automatic reconnect on connection failure   Enables automatic restoring of the datasource connection in case of connection loss (for example SQL Server with the TCP/IP net library)

Messages section

Reply messages
Account expiring               Message given when the account is going to expire
Account expired                Message sent when the account has expired
Account disabled               Message sent when the account is disabled
Account not effective          Message sent when the account is not activated yet
Too many logins                Message sent when the maximum number of logins is exceeded
Invalid login time             Message sent when a login attempt is made at a time that is not allowed
Login time-up                  Message sent when the user has no more time credit
Login Kbytes-up                Message sent when the user has no more traffic credit
Quota time-up                  Message sent when the user has no more quota time left
Bad login user/pwd             Message sent when the username or password is incorrect
Bad login NAS port             Message sent when a login attempt is made on an unauthorized NAS port, or with an unauthorized calling ID (phone number)
Bad login NAS                  Message sent when a login attempt is made from an unauthorized NAS


Backup/Synch section

Backup settings

Enable this server for backup  Enables NTTacPlus as a backup server
Primary server name or addr    Primary NTTacPlus server hostname or IP address
Primary server port            Primary NTTacPlus server TCP port (default = 49)
Primary login username         Administrative account (privilege 15) used by the backup server to connect to the primary NTTacPlus server
Primary login password         Password for the backup administrative account
Backup interval                Backup refresh interval (interval between two consecutive backups)
Remove local accounts before backup   Deletes local accounts (including modified ones) on the backup server, replacing them with the accounts from the primary server

Forward accounting to primary server

It sends a copy of accounting messages received from NASes to the primary NTTacPlus server (only TACACS+)

Cisco IOS boxes synch
List of NAS to query           List of Cisco NASes (comma separated) to query for synchronization
List of valid interfaces       List of valid interfaces for resynchronization
Perform synchronization during active users check   Performs an active user refresh on the Cisco NASes at a given interval (configured in the General section)

Perform synchronization on maxlogin collision detected

It performs a refresh cycle on Cisco NASes when NTTacPlus detects a possible user maximum login exceeding

Username for RSHELL            Username used with RSHELL commands (RSH)
Command to issue with RSH      IOS exec command used to get the active users list from the Cisco

Secrets section

Encryption key settings

Always encrypt NTTacPlus always sends encrypted TACACS+ packets if an encryption key is configured

Default secret key             The default (global) encryption key
Restrict NAS to configured IP addresses only   Accepts queries only from the listed NASes

NAS IP address                 NAS IP addresses with their own secret keys
Secret key                     Secret key associated with a specific NAS

Kill section

Kill commands configuration

Interface name                 Interface name on which the Kill command will be executed
Command line                   Command line to reset the interface


TACACS+/RADIUS section

RADIUS protocol settings

RADIUS Authentication port     UDP port listening for RADIUS authentication requests
RADIUS Accounting port         UDP port listening for RADIUS accounting requests
Use Session-Timeout for disconnection   If checked, NTTacPlus uses the Session-Timeout RADIUS attribute to force the user disconnection when time credit is up

TACACS+ protocol settings

TACACS+ TCP port TACACS+ authentication session and Remote Console listening TCP port

Ignore multiple STOP records If checked it removes the user from the active users list when receiving the first STOP record. The following ones will be only logged.

Username prompt                NTTacPlus terminal login username prompt
Password prompt                NTTacPlus terminal login password prompt
Enable prompt                  NTTacPlus terminal enable password login prompt

Holiday calendar section

Holiday calendar configuration

Date                           Day and month on which to establish a holiday
Type                           Holiday type (pre-holiday or holiday)


NAS Configuration for use with NTTacPlus

Given the variety of brands and models of Network Access Servers supporting the TACACS+ and RADIUS protocols, it is not possible to include configuration commands for every one of them. Here we give configuration guidelines for using NTTacPlus with Cisco NASes running IOS version 11.0 and later.

Setting NTTacPlus as the authentication/authorization/accounting server

Each Network Access Server supporting TACACS+ or RADIUS can delegate authentication, authorization and accounting (read the following chapter for details about these three phases) to an external server. To do this the NAS needs the IP address of the server, an encryption key and some NAS-specific attributes. Some NASes let you configure authentication, authorization and accounting separately, setting up a different server for each phase. For optimal performance we suggest delegating the three phases to a single server. In the RADIUS protocol, for example, the authentication and authorization phases are executed as a single operation, and for this reason many NASes, such as the 3COM TotalControl and the Ascend MAX, let you configure one server for authentication and authorization and another for the accounting phase. In that case you have to enter the same settings in both configurations.

The encryption key (secret key)

Both TACACS+ and RADIUS protect the communication between the NASes and the authentication server with a secret key shared between the NASes and the server. This key (sometimes called encryption key, secret key or simply secret) is a simple alphanumeric string, just like a password (case sensitive), and it must be configured manually by the network administrator both in the NAS and in the server. Hiding the packet contents blocks (or at least reduces the possibilities of) the interception of passwords by anyone sniffing the RADIUS/TACACS+ packets exchanged between the NAS and the server.

Note what the secret actually covers. RADIUS obfuscates only the User-Password attribute (the rest of the packet, usernames included, travels in clear) and uses the secret to authenticate accounting requests and server replies; TACACS+ obfuscates the whole packet body. In both protocols the protection is an MD5 keystream derived from the secret, so a short or guessable secret can be recovered offline by an attacker who captures the traffic: choose a long random string and, where possible, keep the NAS-to-server traffic on a separate management network.

NOTE: a wrong (or missing) encryption key will result in no communication between the NAS and the authentication server, producing unpredictable results. We suggest that you always verify the configuration of the encryption keys carefully.
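The following is an added illustration of what the two protocols do with the shared secret; it is not NTTacPlus code. It follows the published wire formats (RFC 2865 section 5.2 for the RADIUS User-Password attribute, RFC 8907 section 4.5 for the TACACS+ packet body), and the secret, authenticator and packet contents it uses are constructed values.

```python
"""What the RADIUS/TACACS+ shared secret protects (added illustration, not NTTacPlus code)."""
import hashlib
import struct


def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Hide a User-Password the way a NAS does when building an Access-Request.

    The password is null-padded to a multiple of 16 octets (at least 16) and
    XORed with a chain of MD5 digests:
        b1 = MD5(secret + Request Authenticator), c1 = p1 XOR b1
        bn = MD5(secret + c(n-1)),                cn = pn XOR bn
    Only this attribute is hidden; User-Name and the rest of the packet go in clear.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, padded_len, 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; strips the null padding."""
    if len(request_authenticator) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed hidden User-Password")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """TACACS+ body obfuscation: XOR the body with a chained MD5 keystream.

    pad1 = MD5(session_id || key || version || seq_no)
    padn = MD5(session_id || key || version || seq_no || pad(n-1))
    session_id is a 4-octet big-endian integer, version and seq_no one octet each,
    all copied from the 12-octet header (which is never obfuscated itself).
    XOR is its own inverse, so the same call both encodes and decodes.
    """
    seed = struct.pack("!I", session_id) + key + bytes([version & 0xFF, seq_no & 0xFF])
    stream = bytearray()
    prev = b""
    while len(stream) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        stream += prev
    return bytes(b ^ k for b, k in zip(body, stream))


if __name__ == "__main__":
    # constructed values; "pippo" is the placeholder secret used later in this chapter
    secret, authenticator = b"pippo", bytes(range(16))
    hidden = radius_hide_password(secret, authenticator, b"s3cret!")
    print("RADIUS hidden User-Password:", hidden.hex())
    print("revealed with the right secret:", radius_reveal_password(secret, authenticator, hidden))
    body = b"\x01\x00\x02\x01\x05\x00\x00\x06alice"
    obf = tacacs_obfuscate(secret, 0x1234ABCD, 0xC0, 1, body)
    print("TACACS+ body round trip ok:", tacacs_obfuscate(secret, 0x1234ABCD, 0xC0, 1, obf) == body)
```

Both keystreams depend only on the secret and on values sent in clear in the packet (the Request Authenticator, or the TACACS+ session id, version and sequence number), which is why the secret's length and randomness are the whole of the protection.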

Setting encryption keys in NTTacPlus

NTTacPlus can operate in two ways with the encryption keys:

1. NTTacPlus uses a global encryption key to communicate with all the NASes, except those that appear explicitly with their own key in the NAS list.

2. NTTacPlus discards any request not coming from a NAS included in the NAS list.

In the first case NTTacPlus accepts requests from any NAS without restriction. When NTTacPlus receives a query, it looks for an encryption key configured for the requesting NAS; if it cannot find a specific key, it uses the global (default) key. In the second case, when NTTacPlus receives a query from a NAS it looks for a key for that NAS, and if no key is configured NTTacPlus discards the request immediately.

To configure the encryption keys in NTTacPlus, log in to the Remote Console, select the Tools/Options (F8) menu and choose the Secrets section. If Restrict NAS access to configured IP addresses only is disabled, NTTacPlus runs in the first mode (using the default global key for any NAS query for which a specific key has not been found). If Restrict NAS access to configured IP addresses only is enabled, NTTacPlus runs in the second mode (it looks for a specific key and, if none is found, rejects the query). The second mode is the safer one: in the first mode the global key is applied to any host that can reach the server, so whoever knows it can pose as a NAS.
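The two modes, and what "no communication" means at packet level, can be shown with a small server-side check. This is an added illustration, not NTTacPlus code: the modes are modelled with a dict of per-NAS secrets, a global secret and a `restrict_to_listed` flag, and the verification performed is the RFC 2866 Request Authenticator check of a RADIUS Accounting-Request, the step that fails when the NAS and the server hold different secrets. NAS addresses, secrets and packets are constructed for the demonstration.

```python
"""NAS secret selection and accounting-request verification (added illustration, not NTTacPlus code)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 4, 40


def select_secret(nas_ip: str, nas_secrets: Dict[str, bytes], default_secret: bytes,
                  restrict_to_listed: bool) -> Optional[bytes]:
    """Secret to use for `nas_ip`, or None when the request must be discarded.

    restrict disabled: per-NAS secret if configured, otherwise the global one.
    restrict enabled : per-NAS secret only; an unlisted NAS is discarded.
    """
    if nas_ip in nas_secrets:
        return nas_secrets[nas_ip]
    return None if restrict_to_listed else default_secret


def build_accounting_request(identifier: int, attributes: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Build an Accounting-Request as a NAS does (RFC 2866 section 3).

    Request Authenticator = MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret).
    """
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def accounting_request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with the server's secret and compare."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def handle_accounting_request(nas_ip: str, packet: bytes, nas_secrets: Dict[str, bytes],
                              default_secret: bytes, restrict_to_listed: bool) -> str:
    """Apply the key lookup policy, then the authenticator check; return the outcome."""
    secret = select_secret(nas_ip, nas_secrets, default_secret, restrict_to_listed)
    if secret is None:
        return "discarded: NAS not in the configured list"
    if not accounting_request_is_authentic(packet, secret):
        return "dropped: Request Authenticator mismatch (wrong or missing secret)"
    return "accepted"


# constructed configuration: one listed NAS with its own secret, plus the global one
NAS_SECRETS = {"10.0.0.2": b"nas2-own-secret"}
GLOBAL_SECRET = b"global-secret"
START_ATTRS = [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
               (NAS_IP_ADDRESS, bytes([10, 0, 0, 2]))]

if __name__ == "__main__":
    pkt = build_accounting_request(7, START_ATTRS, b"nas2-own-secret")
    print(handle_accounting_request("10.0.0.2", pkt, NAS_SECRETS, GLOBAL_SECRET, False))
    stray = build_accounting_request(8, START_ATTRS, GLOBAL_SECRET)
    print(handle_accounting_request("10.0.0.9", stray, NAS_SECRETS, GLOBAL_SECRET, False))
    print(handle_accounting_request("10.0.0.9", stray, NAS_SECRETS, GLOBAL_SECRET, True))
```

The same request from the unlisted NAS 10.0.0.9 is accepted in the first mode and discarded in the second. For an Access-Request the Request Authenticator is random and cannot be checked this way; there a wrong secret shows up only as an undecodable User-Password (or, on NASes that send it, a failed Message-Authenticator), which is the "unpredictable results" the NOTE above refers to.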


WARNING: the NTTacPlus Console works just like a NAS, so it follows the same encryption rules. If you plan to configure a list of NASes to restrict access to NTTacPlus and want to run the Console on the same host running the server, you MUST INCLUDE the IP address of the server itself in that list. Furthermore, when you log in to the Remote Console you must use the same encryption key configured in NTTacPlus. If you are logged in to the server and change the encryption key, you must log off and then log on again with the new key. If something goes wrong with the encryption key setup, read the chapter Configuring NTTacPlus manually.

Configuring TACACS+ on a Cisco NAS

The AAA model in the Cisco NASes allows to configure separately the authentication, authorization and accounting procedures.

NOTE: the TACACS+ AAA model is also supported in IOS version 10.3. However, the accounting messages (START/STOP) that are crucial for the application to keep track of connected users are not sent to the server; they are kept in NAS memory instead (which, by the way, fills up rather quickly after a period of operation). It is therefore essential to upgrade the operating system on NASes that still run an IOS version less than or equal to 11.0. For the upgrade, consult the documentation enclosed with the product and contact your reseller.

WARNING: configuring a Cisco NAS for the TACACS+ protocol requires the aaa new-model command, which causes the immediate reset of all the interfaces (and therefore the forced disconnection of all users from the lines). We suggest carrying out the configuration only when you are sure it will not cause problems.

On a global level (router(config)#), insert the following configuration commands:

!
! enables the AAA model
aaa new-model
!
! replace "a.b.c.d" with the NTTacPlus server IP address
tacacs-server host a.b.c.d
! value (in seconds) to wait for a response
tacacs-server timeout 20
! replace "pippo" with your encryption secret key (use a long, random string)
tacacs-server key pippo
!

In order to activate the authentication with TACACS+, add the following lines on a global level:

!
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authentication enable default tacacs+ enable
!

These commands imply the activation of the authentication for the login with a terminal window, with PPP or for the passage into enable mode.

The first line creates a default authentication procedure for users connecting to a tty or vty (prompt) of the Cisco and uses TACACS+ to verify the username/password. The addition of the keyword local at the end of the line tells the system to use the internal list of usernames if no TACACS+ server answers properly.

The second line creates a default authentication procedure for those who connect requiring a PPP session to Cisco, and it uses TACACS+ to verify username/password (through PAP or CHAP).


The addition of the keyword local at the end of the line tells the system to use the internal list of usernames if no TACACS+ server answers properly. The further keyword if-needed avoids a second authentication phase when a user who is already authenticated and connected to the Cisco prompt types the PPP command to switch to PPP mode. The third line creates a default authentication procedure for users who, already connected to the Cisco prompt, need to switch to enable mode (through the ENABLE command), and uses TACACS+ to check the enable password. The addition of the keyword enable at the end of the line tells the system to use the internal enable secret/enable password if no TACACS+ server answers properly. Further authentication lines can be added according to your needs; check the NAS documentation for this purpose.

To activate the TACACS+ accounting messages, add the following on a global level:

!
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
!

The first line activates accounting for shell (prompt) access, while the second activates accounting for the use of network services (for example the PPP connection). The default keyword is supported since the IOS 11.3.x releases; if you are running an earlier release you do not need to type it. If you are running IOS 11.2.9 or newer, you need to add the following commands:

!
aaa accounting update newinfo
aaa accounting nested
!

These commands let the router send accounting information about user session state changes (for example the static IP address assignment and so on). This option is implicit in the previous IOS releases.

At the interface level (asynchronous, serial, BRI, Dialer, etc.), if you want to activate the use of the PAP protocol (Password Authentication Protocol) for the use with PPP, it is necessary to add (router(config-if)#) the following commands:

!
ppp authentication pap
! or: ppp authentication chap
! or both: ppp authentication chap pap
!

The configuration lines shown here represent the typical case of an ISP selling Internet access through analog connections (modems on asynchronous interfaces) or ISDN (for example on synchronous serial interfaces), encapsulating TCP/IP in PPP and allowing login both with PAP (or CHAP) and with a terminal window. It is possible to make the Cisco determine the mode chosen by the user automatically, by adding the following commands at line level (router(config-line)#):

!
autoselect during-login
autoselect ppp
autocommand ppp
!

Finally it is possible to activate the authentication on a secondary NTTacPlus server adding a second line to the global configuration:

!
! replace "e.f.g.h" with the IP address of the secondary NTTacPlus server
tacacs-server host e.f.g.h
!

The Cisco NAS automatically sends the request to the second server in case the first should not answer.

If you want to enable also the authorization, you can enter, for example, on a global level:

!
aaa authorization commands 1 default tacacs+ local if-authenticated
aaa authorization commands 15 default tacacs+ local if-authenticated
aaa authorization exec default tacacs+ local
aaa authorization network default tacacs+ local
!

These lines enable authorization for the shell (exec), for network services (network) and for user-mode and enable-mode commands (commands 1 and commands 15) for already authenticated users, falling back to the internal (local) configuration if no TACACS+ server answers the authorization requests properly (see the chapter Authorization for more about authorization). The default keyword is supported since the 11.3.x IOS releases; on earlier releases omit it.

For more detailed configuration information about Cisco routers and about TACACS+/RADIUS implementations, please refer to the documentation of your NAS.


RADIUS/TACACS+ specific parameter configuration

This section lets you change the default values of parameters specific to the RADIUS and TACACS+ protocols.

Section: TACACS+/RADIUS
    RADIUS Authentication Port: UDP listening port for RADIUS authentication requests
    RADIUS Accounting Port: UDP listening port for RADIUS accounting requests
    Use Session-Timeout for disconnection: uses the RADIUS Session-Timeout attribute to force the user disconnection when time credits are over
    TACACS+ TCP Port: TCP listening port for TACACS+ requests and remote console management sessions
    Ignore multiple (nested) STOP records: removes the user from the active users list when the first STOP record is received; further STOP messages are only logged
    Username prompt: prompt presented to the user during terminal login when the username is requested
    Password prompt: prompt presented to the user during terminal login when the password is requested
    Enable prompt: prompt presented to the user during terminal login when the enable password is requested

Changing the RADIUS listening port numbers can be useful in some cases. The original protocol specifications recommended the following UDP ports:

1645  RADIUS Authentication Requests
1646  RADIUS Accounting Messages

The Internet Assigned Numbers Authority (IANA) changed the specifications, in order to avoid conflicts with other services that were using the same ports, and officially assigned the following UDP ports to the RADIUS protocol:

1812  RADIUS Authentication Requests
1813  RADIUS Accounting Messages

However, the majority of NASes on the market (even in their latest software releases) still use the original non-standard numbers by default, and NTTacPlus follows this setting by default too. Refer to the NAS documentation to verify which port numbers your NAS uses.

Changing the TACACS+ listening port number, on the other hand, is convenient if you decide (for security reasons) to change the communication port between the NAS and NTTacPlus.

WARNING: The remote management protocol (NTTacPlus Console) and the backup protocol between NTTacPlus servers are carried over the same TCP port as TACACS+. If you change the TACACS+ TCP port number of an NTTacPlus server, that port must also be specified when logging in from a remote console, and in the settings of any backup server that synchronizes with the primary server (see paragraph Configuring backup on a NTTacPlus server). After changing the TCP port, log off from the NTTacPlus server and log in again specifying the new port.


Use of Session-Timeout for disconnection

The Use Session-Timeout for disconnection option allows NTTacPlus to make use of the RADIUS Session-Timeout attribute (which tells the NAS the absolute timeout, that is the maximum duration of a session, after which the NAS forcibly terminates it), if supported by the NAS, to disconnect a user whose credit is exhausted. See the following section for a precise description of how NTTacPlus handles user disconnection.

We suggest leaving this option always active.

Ignoring multiple STOP messages in TACACS+

NTTacPlus updates its list of connected users based on the session start/end messages (accounting START/STOP records) received from the NAS. It often happens that the NAS sends NTTacPlus nested START/STOP sequences. For example, if the user starts a terminal exec session (shell) to authenticate and then enters PPP mode (by typing the ppp command manually, or because autocommand ppp was configured on that line), the NAS sends a START message when the exec session begins, then a second START when the PPP session begins. When the user disconnects, the NAS sends a STOP to report the end of the PPP session (this message also carries information about the traffic generated during the session), then a second STOP to report the end of the exec session from which the user entered PPP mode (this does not happen if the user connects directly in PPP/PAP mode; in that case the NAS sends a single START/STOP sequence).

When the Ignore multiple STOP records option is not checked, NTTacPlus considers the user disconnected (and removes him from the list) only when it receives the last STOP record. Unfortunately, with some Cisco IOS versions the STOP message for the exec session is sometimes not sent correctly by the NAS, so the user may appear connected even though he no longer is.

We strongly suggest leaving this option always active.

Login prompts

Login prompts specify the messages the NAS presents to the user when requesting credentials during login. Modifying them can be useful if some remote clients use connection scripts that expect certain prompts before entering the username and password automatically.


Configuring NTTacPlus and the NAS for forced disconnection

There are two cases in which it is useful to have a procedure that terminates the session of one or more users. The first is the manual disconnection by the administrator, who decides to kill a session from the NTTacPlus remote console without having to telnet to the NAS, for example, and issue the disconnection command. The second is the automatic forced disconnection by NTTacPlus when a user is about to exhaust his connection credit during a running session. NTTacPlus can in fact assign to each user profile connection time credits or periodic time quotas (daily, weekly, etc.). The system administrator can decide how NTTacPlus treats users who are about to exhaust their credit or quota during a session in progress (let the session go on until it ends, or stop it when the credit reaches zero).

Unfortunately, neither the RADIUS nor the TACACS+ protocol provides commands or extensions to ask the NAS to terminate active sessions. NTTacPlus therefore uses two disconnection methods: an implicit method through the RADIUS Session-Timeout attribute, and an explicit method by means of external utilities/scripts that send the NAS the appropriate command to end the sessions. External applications or scripts are needed because each NAS brand (and even each model, or each software release for a given model) provides different commands or ways to accomplish the task; there is no standard disconnection command.

Use of session-timeout

When the Session-Timeout option is checked, as mentioned above, NTTacPlus computes at login time the maximum length of the session for that user and sends the result to the NAS in the Session-Timeout attribute. After this time it is up to the NAS to end the session; NTTacPlus sends no explicit command. The value transmitted in the Session-Timeout attribute is the minimum of the following values (see the chapter Account Management for further information about the individual parameters):

Maximum length of a single session (MaxConnectionTime)
Residual time quota for the current period (QuotaLeft)
Residual time credit for the account (TimeLeft)

Each of these parameters is evaluated only if the account is configured with a limit on that parameter and only if the account is configured to be forcibly disconnected when that parameter is about to be exhausted. Otherwise the Session-Timeout attribute is not sent to the NAS, and no implicit restriction is placed on the session.

NOTE: This method works only with RADIUS authentication and only if the NAS supports the Session-Timeout attribute. It cannot be used to kill a user session manually with the Edit/Kill command of the Remote Console.
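The computation described above, written out as an added example (this is not NTTacPlus code; the parameter names MaxConnectionTime, QuotaLeft and TimeLeft come from the guide, while the AccountLimits structure, its kill_on_* flags and the assumption that all values are in seconds are this example's own). It also encodes the result as the RADIUS Session-Timeout attribute (attribute 27, 4-byte integer) that an Access-Accept would carry, and returns no attribute at all when no forced-disconnection limit applies:

```python
from dataclasses import dataclass
from typing import List, Optional

# RADIUS attribute number for Session-Timeout (RFC 2865, attribute 27, integer, seconds)
SESSION_TIMEOUT_ATTR = 27


@dataclass
class AccountLimits:
    """Snapshot of the account parameters evaluated at login (hypothetical structure).
    Field names follow the guide (MaxConnectionTime, QuotaLeft, TimeLeft); the
    kill_on_* flags model "disconnect forcibly when this parameter is exhausted".
    Values are in seconds (assumption, matching the RADIUS attribute's unit)."""
    max_connection_time: Optional[int] = None
    quota_left: Optional[int] = None
    time_left: Optional[int] = None
    kill_on_max_connection_time: bool = False
    kill_on_quota: bool = False
    kill_on_time: bool = False


def session_timeout(acct: AccountLimits) -> Optional[int]:
    """Return the Session-Timeout value to send, or None when the attribute is omitted.

    A limit contributes only if it is configured (not None) AND the account is set
    to be forcibly disconnected on it; the result is the minimum of the contributors."""
    candidates: List[int] = []
    for value, kill in (
        (acct.max_connection_time, acct.kill_on_max_connection_time),
        (acct.quota_left, acct.kill_on_quota),
        (acct.time_left, acct.kill_on_time),
    ):
        if value is not None and kill:
            candidates.append(value)
    if not candidates:
        return None  # no implicit restriction: attribute not sent
    return min(candidates)


def encode_session_timeout(seconds: int) -> bytes:
    """RADIUS TLV encoding: type (1 byte), length (1 byte, always 6), 4-byte big-endian value."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must fit in 32 bits")
    return bytes([SESSION_TIMEOUT_ATTR, 6]) + seconds.to_bytes(4, "big")


def access_accept_attributes(acct: AccountLimits) -> bytes:
    """Attribute bytes to append to the Access-Accept for this account
    (empty when no forced disconnection applies)."""
    timeout = session_timeout(acct)
    return b"" if timeout is None else encode_session_timeout(timeout)


if __name__ == "__main__":
    demo = AccountLimits(max_connection_time=3600, quota_left=1800, time_left=7200,
                         kill_on_max_connection_time=True, kill_on_quota=True, kill_on_time=True)
    print(session_timeout(demo), access_accept_attributes(demo).hex())  # 1800 1b0600000708
```

The quota of 1800 seconds wins in the demo because it is the smallest enabled limit; clearing kill_on_quota makes the 3600-second session limit win instead, and an account with no enabled limits produces no attribute, which is exactly the case in which the NAS applies no implicit restriction.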

Configuration of external utilities for forced disconnection

The explicit disconnection method makes NTTacPlus execute, when a user has reached his credit limit or the administrator has selected the Edit/Kill command from the Remote Console, an external script which, having received from NTTacPlus the parameters describing the session, sends the NAS the disconnection command. The Kill section of the NTTacPlus configuration window holds the information that tells NTTacPlus which commands to execute to disconnect a user from the NAS port he is connected to. A command (program to be executed) can be configured for each type of port (interface) the user is connected to, and a different kill command can be set for each NAS or for each NAS port individually. The following example shows how to configure the system to work with a Cisco Access Server; it uses two utilities, $RSH (built-in command) and SNMPSET.EXE (an external utility included in the EXTERNAL subdirectory created by the installation program):

default=$rsh $nas clear interface $port
tty*=.\external\snmpset $nas public .1.3.6.1.4.1.9.2.9.10.0 $line

These lines tell NTTacPlus to execute SNMPSET when the disconnection concerns a user connected on a tty port, while the RSH command is executed for users connected on asynchronous (analog modem) and serial (ISDN) interfaces. SNMPSET performs a set operation on the integer variable .1.3.6.1.4.1.9.2.9.10.0, setting it to the number of the line to disconnect. RSH instead sends the NAS the IOS command clear interface, passing it the complete extended name of the port. The three macros used in the lines, $nas, $port and $line, are replaced when the program is called with, respectively, the address of the NAS, the complete name of the port and the number extracted from the name of the port. For example, for a user connected to the NAS 198.83.24.2 on tty port 14, the following would apply:

$nas = 198.83.24.2
$line = 14
$port = tty14

and the command to be executed would correspond to:

.\external\snmpset 198.83.24.2 public .1.3.6.1.4.1.9.2.9.10.0 14

However, the NAS must be configured so that it accepts SNMP and RSH commands from the NTTacPlus server. For example, if the address of the NTTacPlus server is 198.83.24.5, on the AS5200 the following lines must be added at the global level:

!
username SYSTEM privilege 15 password xxxx
!
ip rcmd rsh-enable
ip rcmd remote-host SYSTEM 198.83.24.5 SYSTEM enable
!
access-list 15 permit 198.83.24.5
!
snmp-server community public RW 15
!

The access list is not mandatory, but it is needed to reject unwanted SNMP operations from hosts other than the machine running NTTacPlus. The syntax for binding kill commands to NASes and interfaces is the following:

[<nas_ip>@]<port>=<command>

where port is the name of the interface on which the command should be executed (wildcards are allowed), and nas_ip is the optional address of the NAS. If no NAS is specified, the command applies to any NAS. Some examples:

default=otherapp.exe $sessionid
tty*=myapp.exe $port
10.0.0.2@async*=kill_them_all.exe $nas $port
10.0.0.5@*=script.bat $line


With these lines, script.bat is executed for all users connected to the NAS 10.0.0.5, kill_them_all.exe for all users connected on the async ports of the NAS 10.0.0.2, myapp.exe for all other users connected on tty ports (regardless of the NAS) and otherapp.exe for all other cases (ports and NASes) not explicitly covered.

The following macros can be placed on the script command line:

$nas = IP address of the NAS
$username = username of the session to be terminated
$sessionid = session ID (transmitted by the NAS as accounting data)
$port = port number (or line)
$line = line number extracted from the name of the port (see the example above)

NTTacPlus has a built-in RSHELL client, so running an external application is not necessary. To send an RSHELL command it is sufficient to start the command with the $rsh macro:

Serial*=$rsh $nas clear interface $port

This command sends clear interface to the NAS through RSHELL. The username used by the internal RSHELL command is the one configured in the Synch section (see the chapter Resynchronization with Cisco NASes further on).
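The rule syntax, the wildcard matching, the macro expansion and the $rsh prefix described in this section, as an added example that is not NTTacPlus code. The two rule sets are copied from the guide; the resolver itself, the precedence it applies when several rules match (a NAS-specific rule beats an any-NAS rule, a port pattern beats default, and a longer literal prefix beats a shorter one) and the case-insensitive port comparison are assumptions made for this example, since the guide only shows the outcome for its four-line example:

```python
import fnmatch
import re
from typing import List, Optional, Tuple

# Rule sets as they appear in the guide (the resolver below is this example's own).
CISCO_RULES = r"""
default=$rsh $nas clear interface $port
tty*=.\external\snmpset $nas public .1.3.6.1.4.1.9.2.9.10.0 $line
"""

EXAMPLE_RULES = r"""
default=otherapp.exe $sessionid
tty*=myapp.exe $port
10.0.0.2@async*=kill_them_all.exe $nas $port
10.0.0.5@*=script.bat $line
"""

Rule = Tuple[Optional[str], str, str]  # (nas_ip or None, port pattern, command template)


def parse_kill_rules(text: str) -> List[Rule]:
    """Parse lines of the form [<nas_ip>@]<port>=<command>; blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lhs, sep, command = line.partition("=")
        if not sep:
            raise ValueError(f"malformed kill rule: {line!r}")
        nas, at, port = lhs.partition("@")
        if not at:                      # no "@": the rule applies to any NAS
            nas, port = "", lhs
        rules.append((nas or None, port.strip(), command.strip()))
    return rules


def _specificity(nas: Optional[str], port: str) -> Tuple[int, int, int]:
    """Ranking used to choose among matching rules (assumption, not stated by the guide):
    NAS-specific beats any-NAS, a port pattern beats 'default', longer literal beats shorter."""
    literal = port.replace("*", "").replace("?", "")
    return (1 if nas else 0, 0 if port == "default" else 1, len(literal))


def select_rule(rules: List[Rule], nas_ip: str, port_name: str) -> Optional[Rule]:
    """Pick the most specific rule matching this NAS/port, or None if nothing matches."""
    best: Optional[Rule] = None
    for rule in rules:
        nas, port, _ = rule
        if nas is not None and nas != nas_ip:
            continue
        if port != "default" and not fnmatch.fnmatchcase(port_name.lower(), port.lower()):
            continue
        if best is None or _specificity(nas, port) > _specificity(best[0], best[1]):
            best = rule
    return best


_MACRO = re.compile(r"\$(nas|username|sessionid|port|line)\b")


def expand_macros(template: str, nas_ip: str, port_name: str, username: str, session_id: str) -> str:
    """Replace $nas, $port, $line, $username and $sessionid. $line is the number extracted
    from the port name (tty14 -> 14); $rsh is left in place for the dispatcher."""
    digits = re.search(r"\d+", port_name)
    values = {
        "nas": nas_ip,
        "port": port_name,
        "line": digits.group(0) if digits else "",
        "username": username,
        "sessionid": session_id,
    }
    return _MACRO.sub(lambda m: values[m.group(1)], template)


def kill_command(rules_text: str, nas_ip: str, port_name: str,
                 username: str = "", session_id: str = "") -> Optional[Tuple[str, str]]:
    """Return (transport, command): transport is 'rsh' for the built-in RSHELL client
    ($rsh prefix) or 'exec' for an external program; None when no rule matches."""
    rule = select_rule(parse_kill_rules(rules_text), nas_ip, port_name)
    if rule is None:
        return None
    expanded = expand_macros(rule[2], nas_ip, port_name, username, session_id)
    if expanded.startswith("$rsh "):
        return ("rsh", expanded[len("$rsh "):])
    return ("exec", expanded)


if __name__ == "__main__":
    print(kill_command(CISCO_RULES, "198.83.24.2", "tty14"))
    print(kill_command(EXAMPLE_RULES, "10.0.0.5", "tty3", session_id="77"))
```

Running it with the guide's own case (NAS 198.83.24.2, port tty14) reproduces the snmpset command line shown above. Note that the tty rule drives an SNMP set with a read-write community, so the access list in the NAS configuration and a community string other than the default one matter: anyone allowed to reach that community can clear lines on the NAS.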


General settings

This section describes some general configuration settings that do not depend on the kind of NAS used. All the options described here can be set from the options dialog, which is opened with the Tools/Options menu (F8).

Configuring NTTacPlus for sending e-mail

NTTacPlus can send administrative notifications via e-mail for particular events such as failed login attempts, attempted unauthorized double accesses, failed backups, and so on. NTTacPlus can also send users particular notifications such as an account expiration warning or a credit exhaustion warning. To send messages, configure the following parameters:

Section: General
    Notification e-mail address: e-mail address to which NTTacPlus sends all administrative notifications
    SMTP Server: IP address or name of the mail server
    Server source e-mail (sender): e-mail address of NTTacPlus (sender)
    E-Mail admin on unknown users: sends the administrator a notification in case of login attempts by unknown (unconfigured) users

Banners

Parameters relevant to banners allow the configuration of text messages to be presented before and after the terminal authentication (login). Banners are ASCII text files, and currently they are supported only by the TACACS+ protocol.

Section: General
    Pre-authentication msg file: pathname of the text file containing the login prompt banner
    Post-authentication msg file: pathname of the text file containing the banner shown after authentication

Default user

The default user settings allow you to enable a basic common profile that is used for any username not explicitly configured that requests authentication.

Section: General
    Enable <default> user: enables the use of a default profile
    Create user profile from <default>: allows the default profile to be duplicated upon a successful authentication

When the default profile is enabled and no user profile matching the username used during authentication can be found in the database, NTTacPlus uses a standard profile called default.usr, taking all of its attributes (including the password) from it. If the default profile is not enabled, authentication requests for usernames not present in the database fail, and an "unknown user" message is returned to the NAS.


The default profile can be useful when combined, for example, with the authentication proxy module for Windows NT Server, so that authentication can be redirected to an existing NT SAM database.

With the option Create profile from default checked (it works only if the default profile is also enabled), when NTTacPlus receives an authentication request from an unknown user it uses the default.usr profile and, if the authentication succeeds, duplicates default.usr into an identical profile whose name is the new (formerly unknown) username; at the next login attempts that username is no longer unknown, because the profile just created from the default is available. These options can be combined with the password grabbing functionality to capture the password entered by the user (for further information see the paragraph User (group) profile parameters).

Max login attempts

This value sets the threshold of failed attempts for a user before a warning e-mail is sent to the administrator and/or the account is disabled. For example, if the value is 4, an e-mail is sent every 4 consecutive failed login attempts. The counter is cleared on every successful login.

Section: General
    Max login attempts: maximum number of login attempts before blocking the account or sending the administrator an e-mail

NOTE: This setting is independent of the settings configured in the NAS, which decides on its own how many attempts are allowed before giving up on the connection.

Session identification through username

Usually this box is not selected. The option is mainly intended for Cisco users: if you need to give users router shell access, enable it. Otherwise leave it unchecked unless strictly necessary.

Section: General
    Use username field also for maxlogins check: also uses the username to identify a session

Since two different users cannot be connected at the same time to the same port of the same NAS, NTTacPlus normally identifies a connected user uniquely by the NAS and the NAS port he is connected to; the username is not taken into account. The reason is that sometimes (with some Cisco IOS versions) STOP messages get lost, leaving a user shown as connected even though he no longer is. When NTTacPlus receives a START message for a NAS/port pair on which a user already appears connected, it assumes that the STOP message for that user was lost: it simulates a STOP, removes the user from the list, and adds the user of the newly received START message. All this happens regardless of the usernames. If the username were compared, the old user could not be removed from the list, and two different usernames would appear connected to the same NAS and port.

Unfortunately, it is sometimes necessary to identify the connected user uniquely by comparing, besides the NAS and the NAS port, also the username he is connected with. This happens, for example, when a user starts an exec session (shell) at the NAS command prompt. If the user decides to log in with a new account without logging out first, new credentials are requested and (if the new authentication succeeds) the NAS sends NTTacPlus a START for the new user before sending a STOP for the previous user. If the username were not compared, NTTacPlus, receiving a START on a NAS/port pair already in use, would assume the previous STOP was lost and replace the old user with the new one; then, when the STOP for the old user arrives, since it does not check who the user is, it would treat that STOP as the session end of the new user. The result is that no user would appear connected, while actually the new user has an exec session open.
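The two bookkeeping problems this guide describes, the nested exec/PPP START/STOP sequence from the section Ignoring multiple STOP messages in TACACS+ and the re-login-without-logout case above, played through a small session tracker. This is an added example, not NTTacPlus's internal logic: the tracker is a simplified model that keys sessions by NAS and port (plus the username when the option is on), treats a second START from the same username on the same port as nesting, and treats a START from a different username on a busy port as a lost STOP. The NAS address, port and usernames are constructed:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NAS, PORT = "10.0.0.2", "tty14"   # constructed values for the scenarios below


@dataclass
class SessionTracker:
    """Simplified model of the active-users list (hypothetical, for illustration)."""
    ignore_nested_stop: bool = True   # "Ignore multiple (nested) STOP records"
    use_username: bool = False        # "Use username field also for maxlogins check"
    sessions: Dict[tuple, List] = field(default_factory=dict)  # key -> [username, depth]
    simulated_stops: int = 0          # STARTs that forced a missing STOP to be assumed
    logged_only_stops: int = 0        # STOPs that matched no active session (only logged)

    def _key(self, nas: str, port: str, username: str) -> tuple:
        return (nas, port, username) if self.use_username else (nas, port)

    def start(self, nas: str, port: str, username: str) -> None:
        key = self._key(nas, port, username)
        entry = self.sessions.get(key)
        if entry is None:
            self.sessions[key] = [username, 1]
        elif entry[0] == username:
            entry[1] += 1                 # nested START: exec session entering PPP
        else:
            self.simulated_stops += 1     # port busy with another user: assume its STOP was lost
            self.sessions[key] = [username, 1]

    def stop(self, nas: str, port: str, username: str) -> None:
        key = self._key(nas, port, username)
        entry = self.sessions.get(key)
        if entry is None:
            self.logged_only_stops += 1   # nothing to remove; the record is only logged
            return
        if self.ignore_nested_stop:
            del self.sessions[key]        # first STOP ends the session
        else:
            entry[1] -= 1                 # wait for the last STOP of the nest
            if entry[1] == 0:
                del self.sessions[key]

    def active(self) -> List[Tuple[str, str, str]]:
        return sorted((k[0], k[1], v[0]) for k, v in self.sessions.items())


def nested_exec_ppp(ignore_nested_stop: bool, exec_stop_delivered: bool = True) -> SessionTracker:
    """User authenticates in an exec shell, enters PPP, then hangs up.
    The exec STOP is the one that some IOS versions fail to send."""
    t = SessionTracker(ignore_nested_stop=ignore_nested_stop)
    t.start(NAS, PORT, "mario")   # START for the exec session
    t.start(NAS, PORT, "mario")   # START for the PPP session
    t.stop(NAS, PORT, "mario")    # STOP for the PPP session (with traffic counters)
    if exec_stop_delivered:
        t.stop(NAS, PORT, "mario")  # STOP for the exec session
    return t


def relogin_without_logout(use_username: bool) -> SessionTracker:
    """alice has an exec session; bob logs in at the same prompt without alice logging out.
    The NAS sends bob's START before alice's STOP."""
    t = SessionTracker(use_username=use_username)
    t.start(NAS, PORT, "alice")
    t.start(NAS, PORT, "bob")
    t.stop(NAS, PORT, "alice")
    return t
```

With the nested-STOP option on, a lost exec STOP does no harm (the PPP STOP already removed the user); with it off, the user stays listed until a STOP that never arrives. With username identification off, bob's START replaces alice and alice's STOP then removes bob, leaving nobody listed although bob's shell is open; with it on, alice and bob are distinct entries and only alice is removed.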


Name Resolution

When enabled, this option displays NAS names instead of their IP addresses (if a reverse lookup is available).

Section: General
    Resolve NAS names (DNS): resolves the IP address of the NAS to a name

We suggest leaving this option unchecked to avoid a performance loss.

Users periodic check

NTTacPlus periodically runs a thread that checks the credits and time quotas of each user with an active session, to verify whether some accounts have exhausted their credit (and, if necessary, executes the forced disconnection command for the user).

Section: General
    Periodic check interval: interval in minutes between two active users checks

If the NAS in use handles the Session-Timeout parameter, this check thread may be unnecessary. Under load (more than 200 simultaneous active users) this thread can take a long time to run (up to 30 seconds), so its frequency is configurable, and a value of zero disables it entirely.

First day of the week

This option selects the day of the week on which the counter of the assigned weekly time quota is reset.

Section: General
    First day of the week: first day of the week

Anglo-Saxon countries usually set this value to Sunday. In Italy and other European countries it must instead be set to Monday, so that the weekly quota restarts from its maximum value at midnight between Sunday and Monday.

Holiday calendar

Since a weekly plan of hour-of-the-day login restrictions can be defined for each user, NTTacPlus also lets you establish a yearly calendar of holidays and preholidays. Midweek preholidays take the configuration set for Saturday; midweek holidays and holiday Saturdays take the configuration set for Sunday. Any holiday calendar setting for a Sunday is ignored, because Sunday is always considered a holiday. To establish the holiday calendar, modify the Holiday section of the configuration file. Holiday and preholiday dates are set by inserting a line gg-mm=p for preholidays and gg-mm=h for holidays (gg = day, mm = month; p = preholiday, h = holiday). For example you can configure:


23-09=p
24-12=p
25-12=h

This example sets 23 September and Christmas Eve as preholidays and Christmas Day as a holiday. NOTE: the holiday calendar does not bind dates to given years, so holidays that do not fall on the same date every year (e.g. Easter) must be configured year by year.
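The holiday calendar rules above, together with the First day of the week setting from the previous section, as an added example (not NTTacPlus code). The Holiday section text is the guide's own; the parser, the plan_day mapping (Sunday always, then h dates to the Sunday plan, p weekdays to the Saturday plan) and the weekly-quota period computation are this example's own, and the dates used in the checks are constructed:

```python
import datetime as dt
from typing import Dict, Tuple

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

# Holiday section as written in the guide's example (gg-mm=p / gg-mm=h)
HOLIDAY_SECTION = """\
23-09=p
24-12=p
25-12=h
"""


def parse_holiday_section(text: str) -> Dict[Tuple[int, int], str]:
    """Map (day, month) -> 'p' or 'h'. Years are not part of the key, as the guide notes."""
    cal: Dict[Tuple[int, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        date_part, sep, kind = line.partition("=")
        if not sep or kind.strip() not in ("p", "h"):
            raise ValueError(f"malformed holiday entry: {line!r}")
        day, month = (int(x) for x in date_part.split("-"))
        if not (1 <= month <= 12 and 1 <= day <= 31):
            raise ValueError(f"invalid date in holiday entry: {line!r}")
        cal[(day, month)] = kind.strip()
    return cal


def plan_day(date: dt.date, calendar: Dict[Tuple[int, int], str]) -> str:
    """Weekday whose login-restriction plan applies to `date`:
    Sunday is always a holiday; an 'h' date (weekday or Saturday) uses the Sunday plan;
    a 'p' date on a weekday uses the Saturday plan; anything else uses its own weekday."""
    weekday = WEEKDAYS[date.weekday()]
    if weekday == "Sunday":
        return "Sunday"                      # calendar entries for Sundays are ignored
    kind = calendar.get((date.day, date.month))
    if kind == "h":
        return "Sunday"
    if kind == "p" and weekday != "Saturday":
        return "Saturday"
    return weekday


def weekly_quota_start(date: dt.date, first_day: str = "Monday") -> dt.date:
    """First day of the weekly-quota period containing `date`, given the
    'First day of the week' setting (the counter resets at midnight starting that day)."""
    first = WEEKDAYS.index(first_day)
    return date - dt.timedelta(days=(date.weekday() - first) % 7)


# String-based conveniences so the functions can be exercised without date objects
def plan_for(iso_date: str, section: str = HOLIDAY_SECTION) -> str:
    return plan_day(dt.date.fromisoformat(iso_date), parse_holiday_section(section))


def quota_start_for(iso_date: str, first_day: str = "Monday") -> str:
    return weekly_quota_start(dt.date.fromisoformat(iso_date), first_day).isoformat()


if __name__ == "__main__":
    for d in ("2002-12-23", "2002-12-24", "2002-12-25", "2002-09-23"):
        print(d, plan_for(d), quota_start_for(d, "Monday"), quota_start_for(d, "Sunday"))
```

Christmas 2002 fell on a Wednesday and is marked h, so the Sunday plan applies; 24 December is marked p and takes the Saturday plan; with Monday as first day of the week the quota period for all three dates starts on 23 December, whereas with Sunday it starts on 22 December.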

Configuration of user database

Settings relevant to the configuration of the users database from the General section in NTTacPlus option window are separately discussed in the dedicated chapter Account Management.


Configuration of the activity event log

NTTacPlus lets you monitor the server activity in real time, showing the stream of events on screen (and sending it to all open administrative consoles). NTTacPlus can also record the events in daily ASCII log files, named after their creation date in the format yyyymmdd.log, stored in the log directory.

Kind of messages and events

NTTacPlus creates three kinds of log messages:

Ordinary messages
Error messages
Debug messages

Ordinary and error messages are always displayed. Debug messages can be enabled or disabled at will through the options checked in the Debugging log events section. The general format of an ordinary message is:

#dd-mm-yyyy hh:mm:ss# message_text

while debug or error messages have this form:

#dd-mm-yyyy hh:mm:ss ERROR# message_text

or

#dd-mm-yyyy hh:mm:ss DEBUG# message_text

The message_text field, when it refers to events associated to packets exchanged with a NAS, has the following format:

PR_TYPE NAS_ADDR[SESSION_ID]: text

where:

PR = protocol type (TAC=TACACS+, RAD=RADIUS)
TYPE = request type (AUTHN=authentication, AUTHR=authorization, ACCT=accounting, EXTN=remote console)
NAS_ADDR = NAS or remote console address
SESSION_ID = number which identifies the session
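A parser for the two message formats just described, run over a few constructed log lines, as an added example (not part of NTTacPlus). The timestamp, level markers and the PR_TYPE NAS_ADDR[SESSION_ID] prefix follow the formats given above; the assumption that PR and TYPE are joined by an underscore, and the message texts themselves, are this example's own and are not the server's actual wording. The last function counts ERROR-level authentication events per NAS, the kind of aggregation a defender would feed into an alert:

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample lines in the documented format; texts are invented for this example.
SAMPLE_LOG = """\
#05-03-2000 10:12:03# TAC_AUTHN 10.0.0.2[1041]: user mario authentication OK
#05-03-2000 10:12:30# TAC_ACCT 10.0.0.2[1041]: START received on tty14
#05-03-2000 10:13:01 ERROR# RAD_AUTHN 10.0.0.3[1042]: user mario authentication FAILED
#05-03-2000 10:13:07 ERROR# RAD_AUTHN 10.0.0.3[1043]: user mario authentication FAILED
#05-03-2000 10:14:00 DEBUG# session thread 12 started
#05-03-2000 10:14:05 ERROR# RAD_ACCT 10.0.0.3[1044]: malformed accounting packet
"""

# #dd-mm-yyyy hh:mm:ss# text   |   #dd-mm-yyyy hh:mm:ss ERROR# text   |   ... DEBUG# text
_LINE = re.compile(r"^#(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})(?: (ERROR|DEBUG))?# (.*)$")
# PR_TYPE NAS_ADDR[SESSION_ID]: text  (assumption: PR and TYPE joined by "_")
_PACKET = re.compile(r"^(TAC|RAD)_(AUTHN|AUTHR|ACCT|EXTN) ([^\s\[]+)\[(\d+)\]: (.*)$")


@dataclass
class LogRecord:
    time: datetime
    level: str                      # "ORDINARY", "ERROR" or "DEBUG"
    text: str                       # full message_text as logged
    protocol: Optional[str] = None  # "TAC" or "RAD" when the event concerns a packet
    req_type: Optional[str] = None  # AUTHN / AUTHR / ACCT / EXTN
    nas: Optional[str] = None       # NAS or remote console address
    session_id: Optional[int] = None


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one log line; returns None for lines that do not follow the documented format."""
    m = _LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    stamp, level, text = m.groups()
    rec = LogRecord(datetime.strptime(stamp, "%d-%m-%Y %H:%M:%S"), level or "ORDINARY", text)
    p = _PACKET.match(text)
    if p:
        rec.protocol, rec.req_type, rec.nas, sid, _ = p.groups()
        rec.session_id = int(sid)
    return rec


def parse_log(text: str) -> List[LogRecord]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def failed_auth_per_nas(records: List[LogRecord]) -> Dict[str, int]:
    """Count ERROR-level authentication events per NAS address: a simple detection over
    the parsed stream, in the spirit of the Max login attempts threshold."""
    counts = Counter(r.nas for r in records
                     if r.level == "ERROR" and r.req_type == "AUTHN" and r.nas)
    return dict(counts)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(len(records), failed_auth_per_nas(records))  # 6 {'10.0.0.3': 2}
```

The accounting error on the last line is deliberately not counted, since the aggregation keys on request type as well as level. Bear in mind, when shipping these files elsewhere, that with the Password checking debug option enabled the log records the password checking process in clear text, so the log directory deserves the same access restrictions as the user database.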

Ordinary messages

These messages are always displayed and report about ordinary events of the NTTacPlus server, like the acceptance or refusal of authentication requests, accounting messages, etc.

Error messages

These messages are always displayed and report anomalous events or non-standard answers received from the NAS.


Debug messages

These messages are displayed according to the options set in the Options window of NTTacPlus.

Summary of logging configuration parameters:

Section: Logging
    Enable logging to screen: enables sending the event log to the screen (to the log windows of all open consoles)
    Enable logging to file: enables the creation of a daily log file that records the activity
    Log file directory: directory in which the event log files are created

Section: Logging (debugging log events)
    Session thread execution: shows information about the start/end of program threads and external applications (script/utility)
    Authentication session: shows details about authentication requests
    Authorization session: shows details about authorization requests and A/V pairs
    Accounting session: shows details about the accounting data received
    Packet dumping: shows the content of the RADIUS/TACACS+ packets received
    Password checking: shows the password checking process in clear text
    Port cleaning commands: shows details about the disconnection commands sent to the NAS
    User account charging: shows details about the calculation of time and traffic charging
    Max logins check: shows events relevant to the control of concurrent logins
    Extended session: shows details about remote management sessions (Remote Console)
    Backup events: shows events relevant to the synchronization among NTTacPlus servers
    SMTP connections: shows events relevant to the dispatch of notification e-mails


Resynchronization with Cisco NASes

Accounting messages are vital to the proper working of NTTacPlus, which bases its knowledge of active sessions and of time and traffic usage on the START, STOP and UPDATE records sent by the NAS as accounting messages. Unfortunately, with Cisco NASes it sometimes happens (also because of problems in the IOS operating system) that some STOP (session end) records are not transmitted to NTTacPlus, which therefore never learns that the user session ended. In this case NTTacPlus keeps showing the user as active even though he no longer is; this causes wrong recording of "used" time and traffic and also prevents a correct count of the user's active sessions (possibly blocking new legitimate login attempts).

NTTacPlus includes a method based on some RSHELL extensions to rebuild an up-to-date list of active sessions even when a STOP message was not delivered. To enable this feature, first check that the RSHELL protocol is active on the Cisco (it is the same protocol used to send the forced disconnection commands); the commands to enable it are the same:

!
username SYSTEM privilege 15 password doesnt_matter
ip rcmd rsh-enable
ip rcmd remote-host SYSTEM a.b.c.d SYSTEM enable
!

(preserve case as written!)

where a.b.c.d is the address of the NTTacPlus server; the password of the SYSTEM local account is irrelevant because it is not used by RSHELL. Set the following parameters in the NTTacPlus configuration window:

Section: Backup/synch
    List of NAS to query: comma-separated list of IP addresses of the Cisco NASes to be queried
    List of valid interfaces: list of interfaces to be included in the synchronization (empty = all)
    Perform synchronization during active users periodic check: carries out a verification with RSHELL during every active users check
    Perform synchronization on maxlogin collision detected: carries out a verification with RSHELL when unauthorized simultaneous accesses are detected
    Username for RSHELL protocol: username to use with RSHELL
    Command to issue with RSHELL: command sent through RSHELL to retrieve the user list

By entering in List of NAS to query a comma-separated list of IP addresses of Cisco NASes, NTTacPlus can automatically rebuild the list of connected active users when it is restarted (except for the Caller ID). The valid interfaces can be filtered (for example to exclude virtual interfaces created dynamically) by entering a comma-separated list of interfaces; wildcards are allowed (for example "Async*, tty*, Serial*"). If the field is left blank, all interfaces for which an active accounting record exists are retrieved.

The Perform synchronization during active users periodic check option tells NTTacPlus to ask the Cisco through RSHELL for the list of active accounts during each periodic check of active users (whose frequency is configurable in the General section), compare it with the displayed list and, if there are differences, update its list according to what was received from the Cisco.


Perform synchronization on maxlogin collision detected tells NTTacPlus to ask the Cisco, through RSHELL, for the list of active accounts when a user tries to exceed the allowed number of concurrent accesses. In that case NTTacPlus, before denying the access and taking stricter measures, uses the information returned by RSHELL to verify that the limit is really exceeded, that is, that all the sessions reported for that user are actually in progress.

These last two options always guarantee a real correspondence between the actual users and the sessions reported by NTTacPlus. They have a side effect, however: they slow NTTacPlus down, because every RSHELL query stops the authentication and accounting processes while it runs (it can take up to 5 seconds).

The Username for RSHELL protocol option configures the username with which NTTacPlus sends the RSHELL requests to the NAS; it must coincide (case included) with the local account created on the Cisco for rsh. The Command to issue with RSHELL option configures the exact command that NTTacPlus sends to the Cisco NAS to retrieve the list of active accounting actions. These last two options should be left at their default values (SYSTEM and show accounting, respectively) unless there is a specific need.


Configuring backup on an NTTacPlus server

Most NAS models can be configured to send authentication, authorization and accounting requests to more than one server, automatically switching the requests to the first available server (backup server) if the main server is temporarily unavailable.

NTTacPlus can run as a backup of another NTTacPlus server. The user database is synchronized automatically through a TCP connection between the two servers: at regular intervals the backup server opens a TCP connection to the main server (using the same transport as the TACACS+ protocol), authenticates itself on the main server with an administrative NTTacPlus account, and then retrieves all the account information.

If the backup procedure fails (for example because the TCP connection is closed on timeout), the backup server sends an administrative notification email about the failure and retries the backup within the next 10 minutes, continuing this way until the backup completes successfully. The backup preserves any additional parameter that the administrator inserted manually.

The data transmission during the backup procedure is encrypted exactly as for the TACACS+ packets.

Section: Backup/synch

Enable this server for backup: It enables NTTacPlus as backup server

Primary server name or addr: IP name or address of the primary NTTacPlus server.

Primary server port: Primary server TCP port (default=49)

Username: Administrative username for login on the primary server

Password: Administrative account password

Backup interval: Interval (in minutes) between two consecutive backups

Remove local accounts before backup: It removes the local accounts, replacing them with the primary ones

Forward accounting to primary server: It sends the primary server any received accounting record (TACACS+ only)

The administrative account (username/password) is not a Windows NT account of the primary server, rather it is an account of the primary NTTacPlus database, having administrative privilege (privilege 15), just like an account used for login on remote console.

The removal of local accounts (Remove local accounts before backup) replaces the whole database of the backup server with the primary one; this way, the accounts deleted from the primary are deleted also in the backup, and backup-server-only accounts are also deleted from the backup server itself.

The Forward accounting to primary server option (which works only with the TACACS+ protocol) is useful with Cisco NAS. If the primary server is unavailable, the Cisco sends the accounting records to the backup server; since it "remembers" which server each accounting record was sent to, all the STOP messages whose corresponding START messages went to the backup server are sent to the backup server even after the primary server becomes available again. If synchronization takes place during the start-up process, the session tracked by the backup server ends properly, while on the primary server the session rebuilt by the automatic synchronization remains active, because the primary server never receives a STOP message. The accounting forwarding option solves this problem.


Configuration of login messages

The configuration of login messages makes it possible to customize the reply messages that the NTTacPlus server returns for terminal-type (interactive) logins. Such messages cannot be displayed, for example, with PPP/PAP or PPP/CHAP authentication (e.g. with Windows 95/98 RAS clients).

Section: Reply messages

Account expiring: Returned when the account is below the expiring warning threshold

Account expired: Returned when the account is expired

Account disabled: Returned when the account is disabled

Account not effective: Returned if the starting date follows the date of the login attempt

Too many logins: Returned if the maximum number of concurrent logins is exceeded

Invalid login time: Returned when a login attempt is made during an unauthorized hour of the day

Login time-up: Returned when time credit is exhausted

Login Kbytes-up: Returned when traffic credit is exhausted

Quota time-up: Returned when the period time quota is exhausted

Bad login user/pwd: Returned in case of unknown username or bad password

Bad login NAS port: Returned if a login attempt is made to an unauthorized NAS interface or with an unauthorized Caller ID

Bad login NAS: Returned if a login attempt is made to an unauthorized NAS


RADIUS & TACACS+ protocols

The AAA Model

The RADIUS protocol is a security protocol developed by Livingston; it soon became an Internet standard ratified by the IETF and is included in the list of official RFCs. The TACACS+ protocol is a sophisticated protocol developed by Cisco Systems. Although the name can be misleading, this protocol is quite different from TACACS and XTACACS.

NTTacPlus currently supports both TACACS+ and RADIUS, but not TACACS and XTACACS, which are less flexible, reliable and secure than the other two. Furthermore, Cisco Systems itself has abandoned the development of TACACS and XTACACS, declaring them obsolete.

The AAA security model, on which the RADIUS and TACACS+ protocols are based, draws an exact distinction among the three distinct phases of a network user's access: Authentication, Authorization and Accounting. The activation of each of these three phases can be configured independently on the NAS, and what the NAS sends to the AAA server (NTTacPlus) depends strictly on the configuration of the NAS itself. In practice, in the great majority of cases, enabling authentication and accounting is essential, while enabling authorization is not indispensable unless you want detailed control over what the user can do. In the RADIUS protocol, authentication and authorization are unified in a single phase, in which the authentication request also contains the authorization parameters.

Authentication

Authentication is the process of identifying who a user is. When a user tries to connect, the NAS asks the NTTacPlus server what to do. Typically, the server tells the NAS to request a username/password pair from the user; then it sends the NAS an answer of either allowed or denied access.

Authorization

Authorization is the process of establishing what a user can do. After the user is connected, for each command typed or resource requested, the NAS sends an authorization request to the server. The NAS can propose a configuration (called a list of Attribute/Value pairs) to be applied to the user. Relying on the information in the authorization request, the server answers by granting or denying the authorization. If the authorization is granted, the server can tell the NAS to apply a new series of attributes to the user. For example, the server can tell the NAS to discard the proposed IP address and use instead the address proposed by the server itself, and to apply a certain timeout value to the connection.

In the TACACS+ protocol, every attribute proposed by the NAS in the authorization request can be optional or mandatory. If the attribute is optional, the server can propose an alternative attribute. If it is mandatory, the server cannot modify it; if the server considers the attribute invalid, it can only answer with a denied authorization reply. The attributes added by the server in the granted authorization reply can also be mandatory or optional. If they are optional, the NAS can choose independently whether to apply them to the user or not. If they are mandatory, the NAS must use them; if for any reason the NAS cannot honor the required attributes, it must deny the authorization even if the server's reply was positive.


In the RADIUS protocol when an authentication request occurs, the NAS sends at the same time a set of parameters (the attribute/values pairs) describing the user login type and requested services. The RADIUS server may analyze these attributes and decide whether to authorize the user or not. In the former case the server can include in its reply another attribute set to be applied to the user who is logging in (for example a static IP address, the address of the DNS servers, etc.). Finally the NAS may decide if this set is suitable to that user and then continue or abort the session.

Accounting

The accounting is the process that measures resource consumption for a given user. Independently from the authentication and the authorization, with RADIUS or TACACS+ the NAS sends start accounting messages to the server to indicate the beginning of an accounting session and stop messages to indicate that the accounting session is over. The stop message usually contains also additional information related to the just ended session, such as the duration (time) of the session and the quantity (traffic) of the data exchanged during the session.

NTTacPlus AAA Model Implementation

NTTacPlus supports all kinds of Authentication, Authorization and Accounting defined in the specifications of the TACACS+ protocol (at the time this manual was written, up to version DRAFT 1.78). NTTacPlus fully supports all kinds of AAA requests for the RADIUS protocol (at the time this manual was written, defined in RFC 2138 and 2139), with the exception of ARAP and MSCHAP authentication requests.

The authentication process in NTTacPlus

When NTTacPlus receives an authentication request from the NAS, it asks it for a username/password pair, then looks for the user in its database. If the user is not found and default authentication is not active, or the default profile default.usr does not exist, NTTacPlus returns access denied to the NAS and the process ends immediately. If the user is not found but default authentication is active, the checks are performed on the default profile instead of the user's one. If, on the contrary, the user exists, NTTacPlus uses the user's profile. NTTacPlus checks the following conditions:

- Is the password correct?
- Is the account enabled?
- Can the user connect from the NAS from which the request comes?
- Has the account expired?
- Can the user connect from the NAS port from which the access is attempted?
- Can the user connect with the proposed Caller ID (possibly an ISDN telephone number)?
- Can the user connect at this hour of the day or on this day of the week?
- Has the user some credit (minutes) left for the connection?
- Has the user some credit (Kbytes) left for the connection?
- Has the user exceeded the maximum number of simultaneous accesses allowed?

If any of these conditions is not met, the login fails and NTTacPlus returns access denied (except for some special cases described further on); otherwise the authentication succeeds. For RADIUS requests, NTTacPlus completes the authentication successfully only if the authorization is also successful.


The authorization process in NTTacPlus

TACACS+ Authorization

NTTacPlus receives from the NAS the authorization request, together with a series of attributes and then replies with a positive answer (and a possibly modified series of attributes) or it denies the authorization.

Authorization requests can occur for three different kinds of services:

- Authorization to the shell (Exec)
- Authorization to commands
- Authorization to network services

Authorization to the shell (Exec)

Shell (Exec) authorization in the TACACS+ protocol establishes whether a user is granted the use of a command shell on the NAS, and the conditions and filters to be applied to him. The authorization request for the shell occurs when a user connects to the NAS with a terminal emulator and requests a command prompt. The shell is not requested in other situations, for example when the user connects to the NAS in PPP mode using PAP or CHAP authentication.

Authorization to commands

The authorization request for commands is sent by the NAS to authorize the user to run specific commands. With NTTacPlus it is possible to set a list of allowed or denied commands, and to deny some commands on the basis of their parameters as well. It is possible, for example, to allow the telnet command only when its parameters refer to specific hosts.

Authorization to network services

Network service authorization in the TACACS+ protocol establishes whether the user is allowed to connect to the NAS through a particular protocol, and the conditions and filters to be applied to the user. The authorization request for network services takes place when a user connects to the NAS in PPP mode, for example using PAP or CHAP authentication.

List of Attribute-Value pairs

The authorization to the shell (Exec) and to network services allows the specification of the filters to apply to the user. The parameters applied to the user are specified through the negotiation of attribute/value pairs between the NAS and NTTacPlus. An A/V pair takes one of the following forms:

attribute=value

or

attribute*value

where the equal "=" sign means that the attribute is mandatory and must be applied to the user (otherwise the authorization would fail), while the asterisk "*" sign represents an optional attribute that can be applied or not by the NAS.


The list of AV pairs supported by the NAS depends strictly on the brand and model of the NAS and on the version of its operating system. A list of the AV pairs supported by Cisco NAS (with the IOS operating system) is included at the end of this manual. As a rule, the NAS and NTTacPlus negotiate the pairs to apply to the user. For each pair proposed by the NAS, if mandatory, NTTacPlus applies the following scheme:

a- if the same mandatory pair is configured in NTTacPlus, the pair is applied;
b- if a contradictory pair (i.e. with a different value) is also configured in NTTacPlus but optional, the pair proposed by the NAS is maintained;
c- if a contradictory pair is configured in NTTacPlus as mandatory, or it is not configured at all, then the whole authorization is denied if the default value is deny;
d- otherwise the pair is maintained.

If the pair proposed by the NAS is optional, NTTacPlus applies the following scheme:

a- if the same pair is configured as mandatory in NTTacPlus, the pair is replaced by the identical but mandatory pair;
b- if a contradictory pair is configured as mandatory in NTTacPlus, the pair is replaced by the NTTacPlus one with the new value, and transmitted as mandatory;
c- if the same pair is configured as optional in NTTacPlus, the pair is maintained as optional;
d- if a contradictory pair is configured as optional in NTTacPlus, the pair is replaced by the NTTacPlus one with the new value (but remains optional);
e- if none of the previous cases applies, the pair is discarded, but the authorization proceeds anyway if the default value for the authorization is deny;
f- otherwise the optional pair of the NAS is maintained.
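The two rule sets above, implemented as an added example (not code from NTTacPlus or from this manual). It assumes the textual attr=value / attr*value forms and, going one step beyond the stated rules, appends to the granted reply any configured pair the NAS did not propose:

```python
"""TACACS+ authorization attribute/value pair negotiation, implementing the two rule
sets above: mandatory NAS pairs (a-d) and optional NAS pairs (a-f). Pairs use the
textual forms attr=value (mandatory) and attr*value (optional)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool

    @classmethod
    def parse(cls, text: str) -> "AVPair":
        # The first '=' or '*' ends the attribute name: '=' marks a mandatory pair,
        # '*' an optional one. The value itself may contain either character.
        seps = [i for i in (text.find("="), text.find("*")) if i != -1]
        if not seps:
            raise ValueError(f"not an attribute/value pair: {text!r}")
        pos = min(seps)
        return cls(text[:pos], text[pos + 1:], text[pos] == "=")

    def __str__(self) -> str:
        return f"{self.attr}{'=' if self.mandatory else '*'}{self.value}"


def negotiate(nas_pairs: List[str], server_pairs: List[str],
              default_deny: bool = True) -> Tuple[bool, List[str]]:
    """Return (authorized, reply pairs) for one authorization request.

    nas_pairs    - pairs proposed by the NAS
    server_pairs - pairs configured in the user's (or group's) profile
    default_deny - True when the profile's default authorization value is deny
    """
    proposed = [AVPair.parse(p) for p in nas_pairs]
    configured: Dict[str, AVPair] = {}
    for text in server_pairs:
        pair = AVPair.parse(text)
        configured[pair.attr] = pair
    reply: List[AVPair] = []

    for pair in proposed:
        srv = configured.get(pair.attr)
        if pair.mandatory:
            # Rule c: unknown to the server, or configured mandatory with a different
            # value, denies the whole authorization when the default is deny.
            conflict = srv is None or (srv.mandatory and srv.value != pair.value)
            if conflict and default_deny:
                return False, []
            reply.append(pair)          # rules a, b, d: the NAS pair is kept unchanged
        elif srv is None:
            # Rules e/f: an optional pair the server knows nothing about is dropped
            # under default deny and kept under default permit; processing goes on.
            if not default_deny:
                reply.append(pair)
        else:
            # Rules a-d: the server's configured value and its mandatory/optional
            # flag replace the NAS proposal.
            reply.append(AVPair(pair.attr, srv.value, srv.mandatory))

    # Assumption (beyond the rules above): configured pairs the NAS did not propose
    # are added to the granted reply, since the manual says the server may add
    # attributes of its own to a positive reply.
    seen = {p.attr for p in proposed}
    reply.extend(p for attr, p in configured.items() if attr not in seen)
    return True, [str(p) for p in reply]
```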

The RADIUS Authorization

With the RADIUS protocol, the authorization process takes place at the same time as the authentication process. NTTacPlus receives from the NAS the authentication/authorization request together with a set of attributes, then compares that set with the attributes configured in the RADIUS check-list. Attributes present in the authentication request but absent from the check-list are ignored (with the exception of some particular attributes described further on in this chapter). If the check-list attributes match those coming from the NAS, NTTacPlus replies positively and, if needed, adds another attribute set taken from the RADIUS reply-list. On the contrary, if some check-list attributes have values different from those in the authentication request, or are missing from the request altogether, NTTacPlus denies the authorization.

The accounting process in NTTacPlus

NTTacPlus uses the NAS accounting messages to maintain a list of active users and to keep track of each user session's duration and of the traffic generated by the user in each session. NTTacPlus stores all accounting data received from the NAS in plain text tables or in a SQL (ODBC) database; this makes it easy to process the data and obtain complete resource-utilization reports for each user. NTTacPlus uses the same accounting data to compute the time and traffic credits of users with a time/traffic-based account. NTTacPlus can also deny access to users who have no credit left, and store in separate fields the extra session duration and the extra traffic the user generated after the credit ran out.


Comparison between some RADIUS attributes and their TACACS+ equivalent

The TACACS+ protocol requires that some basic parameters describing the type of login the user is performing be communicated to the server not through A/V pairs but through specific TACACS+ packet fields. The RADIUS protocol, on the contrary, communicates all the parameters (including username and password) through attribute/value pairs.

In order to keep an interface that is as uniform as possible regardless of the protocol in use (RADIUS or TACACS+), NTTacPlus transparently re-maps some RADIUS attributes onto the equivalent standard parameters of NTTacPlus user profiles, which originally correspond to specific fields of the TACACS+ protocol. This avoids having to configure explicitly a RADIUS check-list and separate TACACS+ filters. The following RADIUS attributes are validated against these fields, independently of the configured check-list:

NAS-Port and NAS-Port-Type (if one or both are present) are combined and compared with the Port attribute, following the same TACACS+ validation rules (with regular expressions).

Calling-Station-Id is copied into the NTTacPlus CallerID field, and is validated with the expressions included in the homonymous profile field.

NAS-IP-Address is turned into the standard ASCII dotted format and used as reference for the validation of the NAS field of NTTacPlus user profiles.

The RADIUS attributes and the dictionary

The RADIUS protocol is built around the concept of Attribute/Value pairs. Each RADIUS packet exchanged between the NAS and the server encapsulates the information to be transmitted in a list of attribute/value pairs. For example, a typical authentication request packet sent by the NAS could have the following content:

Type = Authentication-Request
ID = (request identifier)
Attribute/Value list:

Attribute            Value
User-Name            rick
User-Password        mandy71
NAS-IP-Address       10.0.0.5
NAS-Port             4
Service-Type         Framed
Framed-Protocol      PPP
Called-Station-Id    275885412
Calling-Station-Id   268598741
NAS-Identifier       MAX4030-01
NAS-Port-Type        Async

Actually, in the RADIUS packet the pairs are not transmitted as they are represented in this table: each attribute is identified by an integer number (one byte), and the encoding of the value associated with it depends on the attribute itself. For example the NAS-Port attribute, indicating the port number, carries an integer value, while the User-Name attribute carries a character string. To remain extensible as the list of RADIUS attributes supported by the NAS and by the authentication server changes and grows, and to allow new pairs to be added, NTTacPlus implements the RADIUS dictionary mechanism.


The RADIUS attribute dictionary (named RADDICT.DAT) is an ASCII text file in which all the known attributes are defined, with the integer number representing each one and the type of value it carries. NTTacPlus can be made to support new attributes by adding the attribute definition and the kind of data it refers to into the dictionary (and then restarting the server).

WARNING: changing the dictionary file is a very delicate operation. The dictionary requires a precise syntax. Any damage to the dictionary file or a bad edit can leave NTTacPlus in an unusable state, because NTTacPlus loads and parses the dictionary when it starts and stops immediately if the syntax is wrong.

Master Soft will release dictionary file updates as manufacturers introduce new attributes in their NAS. In case of unrecoverable damage to the dictionary file, you can ask Master Soft for an original dictionary file.

Support for Vendor-Specific attributes

The RADIUS attribute dictionary can also contain definitions of Vendor-Specific attributes (extended attributes encapsulated in attribute #26), both in the standard format suggested by the RFCs and in the USRobotics/3Com proprietary format.
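How the request shown in the table above travels on the wire, how a dictionary lets the server interpret it, and how an RFC-layout Vendor-Specific attribute (#26) is nested inside, as an added example that is not part of this manual or of NTTacPlus. The in-memory dictionary, the sample request and the Cisco cisco-avpair vendor entry are constructed for this example; RADDICT.DAT's own syntax is not shown:

```python
"""Dictionary-driven encode/decode of RADIUS attribute TLVs (RFC 2865), including
Vendor-Specific (#26) attributes in the RFC-suggested layout."""
import ipaddress
import struct
from typing import Dict, List, Tuple

# In-memory stand-in for a RADIUS dictionary: name -> (number, type). Numbers and
# types are the RFC 2865 ones; the syntax of RADDICT.DAT itself is not reproduced.
DICT: Dict[str, Tuple[int, str]] = {
    "User-Name": (1, "string"), "NAS-IP-Address": (4, "ipaddr"),
    "NAS-Port": (5, "integer"), "Service-Type": (6, "integer"),
    "Framed-Protocol": (7, "integer"), "Called-Station-Id": (30, "string"),
    "Calling-Station-Id": (31, "string"), "NAS-Identifier": (32, "string"),
    "NAS-Port-Type": (61, "integer"),
}
VALUES = {"Service-Type": {"Framed": 2}, "Framed-Protocol": {"PPP": 1},
          "NAS-Port-Type": {"Async": 0}}                 # symbolic integer values
VENDORS = {9: {"cisco-avpair": (1, "string")}}            # keyed by IANA enterprise number (9 = Cisco)
VSA = 26                                                  # Vendor-Specific attribute number
BY_NUMBER = {num: (name, typ) for name, (num, typ) in DICT.items()}
BY_VALUE = {a: {n: s for s, n in m.items()} for a, m in VALUES.items()}
VENDOR_BY_NUMBER = {v: {n: (s, t) for s, (n, t) in d.items()} for v, d in VENDORS.items()}

# Constructed request built from the table above. User-Password is left out: it is
# never sent in clear but hidden with the shared secret (RFC 2865, section 5.2).
SAMPLE: List[Tuple[str, object]] = [
    ("User-Name", "rick"), ("NAS-IP-Address", "10.0.0.5"), ("NAS-Port", 4),
    ("Service-Type", "Framed"), ("Framed-Protocol", "PPP"),
    ("Called-Station-Id", "275885412"), ("Calling-Station-Id", "268598741"),
    ("NAS-Identifier", "MAX4030-01"), ("NAS-Port-Type", "Async"),
    ("Vendor-Specific", (9, "cisco-avpair", "ip:addr-pool=pool1")),
]

def pack_value(typ: str, value, attr: str = "") -> bytes:
    if typ == "string":
        return value.encode("utf-8")
    if typ == "integer":
        if isinstance(value, str):                        # symbolic name -> number
            value = VALUES[attr][value]
        return struct.pack("!I", value)
    if typ == "ipaddr":
        return ipaddress.IPv4Address(value).packed
    raise ValueError(f"unknown dictionary type {typ!r}")

def unpack_value(typ: str, raw: bytes, attr: str = ""):
    if typ == "string":
        return raw.decode("utf-8", errors="replace")
    if typ == "integer":
        if len(raw) != 4:
            raise ValueError(f"{attr}: integer value must be 4 octets")
        num = struct.unpack("!I", raw)[0]
        return BY_VALUE.get(attr, {}).get(num, num)       # number -> symbolic name if known
    if typ == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    raise ValueError(f"unknown dictionary type {typ!r}")

def tlv(code: int, data: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, header included), Value."""
    if len(data) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([code, len(data) + 2]) + data

def encode(pairs: List[Tuple[str, object]]) -> bytes:
    out = b""
    for name, value in pairs:
        if name == "Vendor-Specific":
            vendor_id, vname, vvalue = value
            vnum, vtyp = VENDORS[vendor_id][vname]
            # Vendor-Id (4 octets) followed by the vendor's own type/length/value.
            out += tlv(VSA, struct.pack("!I", vendor_id) + tlv(vnum, pack_value(vtyp, vvalue)))
        else:
            num, typ = DICT[name]
            out += tlv(num, pack_value(typ, value, name))
    return out

def decode(buf: bytes) -> List[Tuple[str, object]]:
    pairs, i = [], 0
    while i < len(buf):
        # A length under 2 or running past the buffer is malformed: fail, never loop.
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        code, length = buf[i], buf[i + 1]
        data = buf[i + 2:i + length]
        if code == VSA:
            if len(data) < 6 or data[5] != len(data) - 4:
                raise ValueError(f"malformed Vendor-Specific attribute at offset {i}")
            vendor_id, vtype = struct.unpack("!I", data[:4])[0], data[4]
            vname, vtyp = VENDOR_BY_NUMBER.get(vendor_id, {}).get(vtype, (f"Vendor-Type-{vtype}", "string"))
            pairs.append(("Vendor-Specific", (vendor_id, vname, unpack_value(vtyp, data[6:]))))
        elif code in BY_NUMBER:
            name, typ = BY_NUMBER[code]
            pairs.append((name, unpack_value(typ, data, name)))
        else:
            pairs.append((f"Attribute-{code}", data))       # unknown number: keep raw octets
        i += length
    return pairs
```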


Account Management

The User Account Database

NTTacPlus gives you the possibility of storing user accounts in ODBC SQL tables or, alternatively, of keeping all user profiles in ASCII plain text files. There is no functional difference between the two methods: the following paragraphs describe the user profiles in the ASCII text format, while the last paragraph of this chapter explains how to configure NTTacPlus to use a SQL database and how the user profiles are stored in the database tables.

NTTacPlus keeps its account database in two separate directories (configured by the administrator). The first one contains the group profiles, the second one the user profiles.

The profile of a user is a text file (ASCII) with the same structure used by the configuration files of Windows 3.1 (initialization files, *.INI): the configuration parameters are divided into sections. A user profile file has the *.usr extension, and the name of the file is the username. By renaming the file you implicitly change the username of the profile as well: NTTacPlus retrieves the profile of a given username by looking in the user directory for a file whose name coincides with that username and has the *.usr extension.

The same rules apply to the group profile files, whose format is the same as the user profiles. The only difference is the extension of the group file, which is *.ugp (User GrouP).

Hierarchical structure of the database

NTTacPlus offers the possibility of configuring parameters common to a series of user profiles only once, through the use of group profiles. This feature not only avoids repeating common parameters in each user profile, it also lets you focus on the parameters that differentiate the user profiles, such as the password or the expiry date of the account. You just make the users members of a given group, and they automatically inherit all the settings configured for that group.

It is also possible to make users members of more than one group, or to make a group a member of other groups. In this way it is possible to build a simple or complex hierarchy, making the management of the single user profile easier. The following rules apply:

- a user may belong to no group
- a user may belong to more than one group
- a group may not belong to any other group (basic group)
- a group may belong to one or more groups
- a group cannot belong to groups that belong to that group (circular reference): this situation would lead to a never-ending loop
- a user or group may (uselessly) belong to more than one group, one or more of which belong to a common group to which the profile itself refers directly or indirectly
- a group cannot belong to itself (!)

NOTE: manual editing of user/group text files (or of records in the database tables) without using the NTTacPlus Profile Manager does not entail any check for inconsistencies in the hierarchy created by the administrator (circular references, etc.); therefore pay attention to manual changes made to the files.


Example

When NTTacPlus looks for the parameters of the Gulp profile, it walks in order through the hierarchical tree created by the administrator. However, the Whales group is explored twice (uselessly): first directly and then indirectly through Squirts. The hierarchy should be organized carefully: in this example it is useless to specify Whales membership directly for the Gulp user, because Gulp already belongs indirectly to the Whales group through Squirts.

When NTTacPlus must retrieve a given parameter (for example TimeLeft=), it starts the search in the user profile. If it does not find it, it examines the list of groups the profile belongs to (Groups=) and proceeds recursively and in order, starting from the first group of the list. If the parameter is not found in the first group, it is searched in the groups the first group belongs to. After examining the whole branch of the first group, if the parameter has still not been found, NTTacPlus passes to the second branch, and so on, until the parameter is found or there are no more groups to examine. Referring to the example, let us suppose the following situation:

Gulp.usr has Groups=Bears,Whales,Squirts
Squirts.ugp has Groups=Whales
Whales.ugp has no Groups=
Bears.ugp has no Groups=

In this case the parameter search order is the one indicated in the diagram. This is why the order in which group memberships are assigned is very important: if we suppose that both Bears and Squirts contain the parameter TimeLeft=, the first one encountered during the search is used, that is, Bears.
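The search order just described, as an added example (not NTTacPlus code): constructed Gulp/Bears/Whales/Squirts profiles, an ordered depth-first lookup that records the profiles it visits, and a circular-reference check of the kind the NOTE above says manual editing bypasses. Placing Groups= and TimeLeft= in the [Global] section is an assumption; the manual does not say which section holds them:

```python
"""Ordered, recursive parameter lookup through NTTacPlus-style user and group
profiles (*.usr / *.ugp INI files), with circular-reference detection."""
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed profiles mirroring the Gulp/Bears/Whales/Squirts example. Groups= and
# TimeLeft= are placed in [Global] here; the manual does not state their section,
# so that placement is an assumption of this example.
PROFILES: Dict[str, str] = {
    "Gulp.usr":    "[Global]\nName=Gulp\nPasswd=secret\nGroups=Bears,Whales,Squirts\n",
    "Bears.ugp":   "[Global]\nName=Bears\nTimeLeft=120\n",
    "Whales.ugp":  "[Global]\nName=Whales\nExpires=31-12-2001\n",
    "Squirts.ugp": "[Global]\nName=Squirts\nTimeLeft=30\nGroups=Whales\n",
    # A deliberately broken hierarchy, as hand-edited files could produce.
    "Loopy.usr":   "[Global]\nName=Loopy\nGroups=LoopA\n",
    "LoopA.ugp":   "[Global]\nGroups=LoopB\n",
    "LoopB.ugp":   "[Global]\nGroups=LoopA\n",
}


def load_profile(filename: str) -> configparser.ConfigParser:
    """Parse one profile; option names keep their case (TimeLeft, not timeleft)."""
    if filename not in PROFILES:
        raise FileNotFoundError(filename)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(PROFILES[filename])
    return cfg


def member_groups(cfg: configparser.ConfigParser) -> List[str]:
    """The Groups= list, in the order the administrator wrote it."""
    raw = cfg.get("Global", "Groups", fallback="")
    return [g.strip() for g in raw.split(",") if g.strip()]


def lookup(user: str, key: str, section: str = "Global") -> Tuple[Optional[str], List[str]]:
    """Return (value or None, names of the profiles visited, in search order)."""
    visited: List[str] = []

    def search(name: str, ext: str, chain: Tuple[str, ...]) -> Optional[str]:
        # `chain` holds the profiles on the current path; meeting one again means a
        # circular reference (including a group that lists itself).
        if name in chain:
            raise ValueError("circular group reference: " + " -> ".join(chain + (name,)))
        cfg = load_profile(f"{name}.{ext}")
        visited.append(name)
        if cfg.has_option(section, key):
            return cfg.get(section, key)
        for group in member_groups(cfg):        # first branch fully, then the next
            value = search(group, "ugp", chain + (name,))
            if value is not None:
                return value
        return None

    return search(user, "usr", ()), visited
```

Looking up a key that no profile defines (the third assertion below) makes the lookup walk the whole tree, which is how the visited list reproduces the diagram's order and shows Whales being reached twice.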

(Diagram for the example above: the parameter search order for user GULP is (1) GULP, (2) BEARS, (3) WHALES, (4) SQUIRTS, (5) WHALES again, reached through SQUIRTS.)

User (group) profile parameters

A detailed description of all parameters of a user (group) profile follows. At the end of the paragraph you may find some sample user and group profiles.

[Global] Section

This section describes the global authentication parameters.

Parameter Description

Name Name or description of the user or group profile. It has only a descriptive value and does not affect the behavior of the profile.

Passwd Password of the user. If the file (or record) is changed manually, the password can only be inserted in clear text; to insert an encrypted password, the profile must be changed with NTTacPlus Profile Manager. In this field it is also possible to tell NTTacPlus to perform some special password validations. The syntax for the special values is:

Passwd=[<type>][$|#][<value>]

where <type> can be NT, TACACS+, NONE, DES, UNIX.

Examples

Passwd=[NT]
It authenticates locally using NT accounts

Passwd=[NT]\\pino
It authenticates using NT accounts on the server PINO

Passwd=[NT]ced
It authenticates using NT accounts of the CED domain

Passwd=[TACACS+]192.168.0.6
It authenticates using the TACACS+ server on the host 192.168.0.6

Passwd=[DES]CpuskTjR7spcM
It authenticates using a DES encrypted password (UNIX-style)

Passwd=[NONE]
It successfully authenticates without verifying the password

Passwd=[UNIX]c:\nttacplus2\passwd
It authenticates against a standard UNIX password file

Examples with "grab password"

Passwd=[NT]#\\antonio
It authenticates using NT accounts on the server ANTONIO and, at the first successful access of the user, the whole expression [NT]#\\antonio is replaced by the clear text password that the user entered.

Passwd=[NT]$sales
It authenticates using NT accounts on the SALES domain and, at the first successful access of the user, the whole expression [NT]$sales is replaced by the encrypted password that the user entered.

The encrypted passwords take the form:

+@XXXXXX

where XXXXXX is a hexadecimal expression. If this parameter is omitted, the authentication always fails.

EffectiveFrom It specifies an activation date for the account. The field must have this format:

dd-mm-yyyy

If the year is indicated with two digits, numbers between 00 and 89 are interpreted as 2000-2089, while numbers between 90 and 99 become 1990-1999.

If this parameter is omitted, the account is considered immediately active.

Expires It specifies the expiration date of the account. The field must have one of these formats:


dd-mm-yyyy

or

#nn[,dd-mm-yyyy]

If the year is indicated with two digits, numbers between 00 and 89 are interpreted as 2000-2089, while numbers between 90 and 99 become 1990-1999.

The first format indicates an absolute account expiration date.

The second one allows you to specify a duration of the account (in days); the computation starts from the date set in the EffectiveFrom parameter.

In this case, you can optionally configure an absolute expiration date independently from the duration expressed in days, by adding a comma and the absolute expiration date.

If the EffectiveFrom parameter does not exist, NTTacPlus creates the field automatically at the first successful login of the user and starts counting the days from there.

To specify an account that never expires it is necessary to type:

Expires=never

If this parameter is omitted, the account is considered expired.

Groups Specifies a list of the groups the profile belongs to. For example:

Groups=standard,isdn

assigns the profile to the two groups standard and isdn.

If this parameter is omitted, the profile does not belong to any group.
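The EffectiveFrom and Expires rules described above, applied in code. This is an added example and not NTTacPlus code: it implements the dd-mm-yyyy format, the two-digit year pivot (00-89 means 2000-2089, 90-99 means 1990-1999), the "never" value, the "#nn[,dd-mm-yyyy]" duration form counted from EffectiveFrom with an optional absolute cap, and the defaults (omitted EffectiveFrom means active now, omitted Expires means expired). Treating the expiration day itself as still valid is an assumption of this example; the dates are taken from the guide's sample profiles.

```python
"""Evaluate the EffectiveFrom / Expires window of a profile.

Added example, not NTTacPlus code. It applies the rules stated in the
guide: dates are dd-mm-yyyy; a two-digit year 00-89 means 2000-2089 and
90-99 means 1990-1999; Expires is an absolute date, the word "never", or
"#nn[,dd-mm-yyyy]", a duration in days counted from EffectiveFrom and
optionally capped by an absolute date; an omitted EffectiveFrom means the
account is active now (NTTacPlus fills the field in at the first login),
an omitted Expires means the account is expired. Treating the expiration
day itself as still valid is an assumption of this example.
"""
from datetime import date, timedelta

def parse_date(text):
    """Parse dd-mm-yy or dd-mm-yyyy, applying the two-digit year pivot."""
    day, month, year = (int(x) for x in text.strip().split("-"))
    if year < 100:
        year += 2000 if year <= 89 else 1900
    return date(year, month, day)

def expiration_date(profile, today):
    """Return the last valid date for the account, or None if it never expires.

    profile: dict of [Global] parameters; today: "dd-mm-yyyy" string.
    An omitted Expires yields date.min, i.e. already expired.
    """
    expires = profile.get("Expires")
    if expires is None:
        return date.min                      # omitted: considered expired
    expires = expires.strip()
    if expires.lower() == "never":
        return None
    if not expires.startswith("#"):
        return parse_date(expires)           # absolute expiration date
    duration, _, cap = expires[1:].partition(",")
    start = profile.get("EffectiveFrom")
    # the countdown starts at EffectiveFrom, or today while the field is missing
    start_date = parse_date(start) if start else parse_date(today)
    end = start_date + timedelta(days=int(duration))
    if cap.strip():
        end = min(end, parse_date(cap))      # the absolute cap wins if earlier
    return end

def account_is_valid(profile, today):
    """True when today lies inside the EffectiveFrom..Expires window."""
    now = parse_date(today)
    start = profile.get("EffectiveFrom")
    if start and now < parse_date(start):
        return False                         # not yet active
    end = expiration_date(profile, today)
    return end is None or now <= end

if __name__ == "__main__":
    # Ermenegildo from the guide's examples: 180 days, capped at 30-04-2001
    ermenegildo = {"Expires": "#180,30-04-2001", "EffectiveFrom": "15-05-1999"}
    print(expiration_date(ermenegildo, "01-06-1999"))   # 1999-11-11
    print(account_is_valid({}, "01-01-2000"))           # False: Expires omitted
```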

LoginHours It represents the time bands in which the login must be accepted. For example:

LoginHours=02:00-06:00, 15:00-17.30

It allows the access from 2 to 6 AM and from 3 to 5.30 PM. Hours must be inserted in the 24h format. In order to differentiate the access according to the days of the week, it is necessary to type:

LoginHours=weekly

and add a weekly access plan in the [WeekPlan] section (see further on).

If this parameter is omitted, no login hour control is applied.

MaxLogins It indicates the number of concurrent logins allowed to the profile. It can be a number between 0 and 9999.

The account is disabled by inserting 0.

If this parameter is omitted, NTTacPlus considers the account disabled.

Disabled If set to 1, the account is disabled and all the other parameters are ignored. If set to 0 or omitted, the account is not disabled.

CallerID This parameter can deny accesses by examining the rem_addr field specified in the TACACS+ protocol or the Calling-Station-Id RADIUS attribute. The content of this field depends on the NAS and on its operating system. For example, in IOS version 11.3 the field contains the calling and called telephone numbers for calls from ISDN lines, in the following format:

CallerID/CalledID

and so it is possible to control the accesses according to the caller number. It is possible to specify a list of values that are valid for the field through the use of wildcards. For example:


CallerID=321498784*, 32145345[3-7]*

accepts all numbers beginning with 321498784, and all numbers beginning with 32145345 followed by a digit between 3 and 7 (for the use of wildcards in the expressions see further on).

If this parameter is omitted, no control is executed on the field.

NAS This parameter can deny accesses by checking the NAS to which the user is connecting. You can enter a list of valid NASes or IP address intervals. For example:

NAS=192.168.0.3,192.168.1.15-192.168.1.22

accepts requests from NASes whose address is 192.168.0.3 or between 192.168.1.15 and 192.168.1.22. If this parameter is omitted, no control is performed on the NAS address.

Port This parameter can deny accesses according to the port of the NAS on which the account is trying the login. For example, with:

Port=tty*, async*

the account is granted the connection only on tty lines or asynchronous interfaces (denying in this way the ISDN access on the serial ports).

For the use of wildcards in the expressions, see below.

If this parameter is omitted, no control is executed on the port.

Privilege This parameter assigns the privilege level of the user, and can be a numeric value between 0 and 15.

The value 15 is required for the administrative accounts that need to use NTTacPlus Remote Console.

When authorization is enabled also for the exec sessions, NTTacPlus automatically converts this value into the TACACS+ A/V pair priv-lvl, unless that pair is explicitly configured in the corresponding section (see the authorization parameters below).

If this parameter is omitted, NTTacPlus assumes a privilege equal to 0.

NOTE: the privilege level attribute is not used in RADIUS.

MaxConnectionTime This parameter sets the maximum length (in minutes) of a session. For example:

MaxConnectionTime=480

limits the maximum length of a connection to 8 hours.

NTTacPlus checks the connected users every 5 minutes. If it finds an account beyond the maximum length, it sends a kill command to the NAS to force its disconnection.

If this parameter is omitted, no limit is imposed on the duration of the session.

Email This parameter specifies the e-mail address of the user. It is ignored in group profiles.

When NTTacPlus needs to send an administrative notification on an event relevant to the account, a copy of the message is also sent to the user if this parameter is supplied.

This parameter is used also for delivering account expiration warnings.

You can supply more than one email address by entering a comma separated list.

If this parameter is omitted, the user does not receive any copy of the notifications.

Comment A comment for the profile. This parameter does not affect the profile behavior.

ExpiringEMailMsg This parameter points to a full pathname for a text file containing a warning message that may be delivered to the user when his account is expiring.


For information on expiration warning messages, see the relevant section further on.

TimeLowEMailMsg Pathname of the text file containing the e-mail message to be sent when the time credit of the account falls below the warning threshold.

TrafficLowEMailMsg Pathname of the text file containing the e-mail message to be sent when the traffic credit of the account falls below the warning threshold.

AuthenScript Post-authentication scripts are executed by NTTacPlus after a successful login. With such a script you can extend the authentication capabilities by running external, fully customizable applications. If you omit this parameter no script is executed. For further information about post-authentication scripts refer to the paragraph The post-authentication scripts.

[WeekPlan] Section

This section (optional) establishes an access plan for the login hours in the days of the week. It gets examined only if LoginHours=weekly has been entered in the [Global] section.

Parameter Description

Mon It indicates the login hours during which the login can be allowed on Mondays. For the syntax, see LoginHours in the [Global] section.

If this parameter is omitted, the access is denied for the whole day. To allow the access over 24 hours it is necessary to type explicitly the following line:

Mon=00:00-23:59

Tue Same as Mon= but valid for Tuesdays.

Wed Same as Mon= but valid for Wednesdays.

Thu Same as Mon= but valid for Thursdays.

Fri Same as Mon= but valid for Fridays.

Sat It indicates the login hours during which the login can be allowed on Saturdays and on preholidays, as established in the holiday calendar of the global NTTacPlus configuration file. For the syntax, see LoginHours in the [Global] section.

If this parameter is omitted, the access is denied for the whole day. To allow the access over 24 hours it is necessary to explicitly type the following line:

Sat=00:00-23:59

Sun It indicates the login hours during which the login can be allowed on Sundays and on holidays, as established in the holiday calendar of the global NTTacPlus configuration file. For the syntax, see LoginHours in the [Global] section.

If this parameter is omitted, the access is denied for the whole day. To allow the access over 24 hours it is necessary to explicitly type the following line:

Sun=00:00-23:59
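The LoginHours and [WeekPlan] rules from the [Global] and [WeekPlan] descriptions above, checked in code. This is an added example and not NTTacPlus code. It follows what the guide states (comma-separated HH:MM-HH:MM bands in 24h format, LoginHours=weekly handing control to [WeekPlan], an unlisted day denied for the whole day, Sat also covering preholidays and Sun also covering holidays, an omitted LoginHours applying no control). Two points are assumptions of this example: "." is accepted as well as ":" inside a time, because the guide's own sample reads 15:00-17.30, and a date that is both a holiday and a preholiday is treated as a holiday. The profile mirrors the guide's day.ugp group; the holiday dates are constructed.

```python
"""Check a login time against LoginHours= and a [WeekPlan] section.

Added example, not NTTacPlus code. LoginHours holds comma-separated
"HH:MM-HH:MM" bands in 24h format; LoginHours=weekly hands control to
[WeekPlan], where a day that is not listed is denied for the whole day,
Sat also covers preholidays and Sun also covers holidays from the holiday
calendar; an omitted LoginHours applies no control. Assumptions of this
example: "." is accepted as a separator inside a time (the guide's sample
reads 15:00-17.30), and a date that is both a holiday and a preholiday is
treated as a holiday. The profile and the calendar dates are constructed.
"""
from datetime import datetime, time

DAY_KEYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

# Constructed profile mirroring the guide's day.ugp group (lower-case keys).
DAY_PLAN = {
    "Global": {"loginhours": "weekly"},
    "WeekPlan": {
        "mon": "08:00-19:59", "tue": "08:00-19:59", "wed": "08:00-19:59",
        "thu": "08:00-19:59", "fri": "08:00-19:59",
        "sat": "00:00-23:59", "sun": "00:00-23:59",
    },
}

def parse_when(text):
    """'02-11-1999 09:00' -> datetime, using the guide's dd-mm-yyyy date format."""
    return datetime.strptime(text, "%d-%m-%Y %H:%M")

def parse_time(text):
    hours, minutes = text.strip().replace(".", ":").split(":")
    return time(int(hours), int(minutes))

def parse_bands(text):
    """'02:00-06:00, 15:00-17.30' -> [(time(2,0), time(6,0)), (time(15,0), time(17,30))]"""
    bands = []
    for chunk in text.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        start, end = chunk.split("-")
        bands.append((parse_time(start), parse_time(end)))
    return bands

def in_bands(bands, t):
    return any(start <= t <= end for start, end in bands)

def login_allowed(profile, when, holidays=(), preholidays=()):
    """profile: {"Global": {...}, "WeekPlan": {...}} with lower-case parameter
    names; when: datetime; holidays/preholidays: dd-mm-yyyy strings."""
    login_hours = profile.get("Global", {}).get("loginhours")
    if login_hours is None:
        return True                             # omitted: no login-hour control
    if login_hours.strip().lower() != "weekly":
        return in_bands(parse_bands(login_hours), when.time())
    day = when.strftime("%d-%m-%Y")
    if day in holidays:
        key = "sun"                             # holidays follow the Sun= plan
    elif day in preholidays:
        key = "sat"                             # preholidays follow the Sat= plan
    else:
        key = DAY_KEYS[when.weekday()]
    bands = profile.get("WeekPlan", {}).get(key)
    if bands is None:
        return False                            # day not listed: denied all day
    return in_bands(parse_bands(bands), when.time())

if __name__ == "__main__":
    # Monday 01-11-1999 at 22:00: denied by the weekday plan, allowed when
    # that date is marked as a holiday in the (constructed) calendar.
    print(login_allowed(DAY_PLAN, parse_when("01-11-1999 22:00")))
    print(login_allowed(DAY_PLAN, parse_when("01-11-1999 22:00"), holidays={"01-11-1999"}))
```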


[Credits] Section

This section (optional) states the overall amount of the time and traffic credit for each account. The whole section can be omitted for accounts with unlimited credit.

Parameter Description

KBytesInitial It indicates the initial amount of the traffic credit in Kbytes.

KBytesLeft It indicates the amount of the traffic credit left in Kbytes for the account. Initially this value coincides with KBytesInitial; afterwards NTTacPlus decreases the value as the account consumes the credit.

TimeInitial It indicates the initial amount of the time credit in minutes.

TimeLeft It indicates the amount of the time credit left in minutes for the account. Initially this value coincides with TimeInitial; afterwards NTTacPlus decreases the value as the account consumes the credit.

OnExtraTimeCharge If set to 1, it tells NTTacPlus to allow access to the system in any case, even if the user has exhausted his time credit, recording the exceeding hours in a distinct accounting field so that the hours beyond the initial credit can be invoiced separately.

If it is omitted, the default value is 0.

OnExtraKBytesCharge If set to 1, it tells NTTacPlus to allow access to the system in any case, even if the user has exhausted his traffic credit, recording the exceeding Kbytes in a distinct accounting field so that the Kbytes beyond the initial credit can be invoiced separately.

If it is omitted, the default value is 0.

OnTimeExceededKill If set to 1, it tells NTTacPlus to disconnect the user when he has exhausted his total time credit during his last session. If it is omitted, the default value is 0.

OnQuotaExceededKill If set to 1, it tells NTTacPlus to disconnect the user when he has exhausted his time quota for the current period during his last session. If it is omitted, the default value is 0.

QuotaPeriod It configures the period over which a time quota is assigned. It can be one of:

daily
weekly
monthly
yearly

If it is omitted, there are no restrictions on time quotas.

Quota This is the amount in minutes of the time quota for the given period.

QuotaLeft (only used internally by NTTacPlus; we suggest not modifying this value). It stores the residual time quota for the current period.

[Warning] Section

This section is created and updated automatically by NTTacPlus for its internal use. None of these parameters needs to be changed.


[Suspicious] Section

This section establishes which actions NTTacPlus should carry out in case of suspicious account behaviour.

Parameter Description

OnFailedEmail If it is set to 1, NTTacPlus sends an administrative e-mail notification every series of n consecutive failed attempts of the account, where n is the value set in the Max login attempts field of NTTacPlus Options.

If it is omitted the default value is zero.

OnFailedDisable If it is set to 1, NTTacPlus disables the account (MaxLogins=0) every series of n consecutive failed attempts of the account, where n is the value set in the Max login attempts field of NTTacPlus Options.

If it is omitted the default value is zero.

OnMultipleAccessEmail If it is set to 1, NTTacPlus sends an administrative e-mail notification when the user exceeds the maximum number of concurrent logins allowed for his account.

If it is omitted the default value is zero.

OnMultipleAccessKill If it is set to 1, NTTacPlus sends a kill command to NASes for every active occurrence of the username, when the user exceeds the maximum number of concurrent logins allowed for his account.

If it is omitted the default value is zero.

OnMultipleAccessDisable If it is set to 1, NTTacPlus disables the account (MaxLogins=0) when the user exceeds the maximum number of concurrent logins allowed for his account.

If it is omitted the default value is zero.

OnExpiredAuthenticate If it is set to 1, NTTacPlus allows the authentication of the account also when it has expired or it has exhausted its credit in time/traffic even if none of the options OnExtraTimeCharge or OnExtraKBytesCharge are set.

However, the expired account uses the authorization parameters of a special section, different from the one generally used. This feature allows you to specify, for instance, that an expired account may read (but not send) e-mail but not browse the web, or may connect only to the web page from which the credit can be recharged automatically with a credit card number.

OnExpiringEmail If set to 1, NTTacPlus sends an e-mail warning (as configured in the [Global]/ExpiringEMailMsg parameter) to the user the first time he logs in during the warning period preceding account expiration. The length of the warning period can be configured in NTTacPlus general options.

EmailNotifyToUser If set to 1, NTTacPlus sends a copy of the administrative notifications (usually sent to the administrator) also to the user.

OnTimeLowEmail If set to 1, NTTacPlus sends an email message (as configured in the field TimeLowEmailMsg in the section [Global]) to the user having low time credit. The message is sent the first time the user connects having low time credit. You can configure the threshold for the low time credit in the general options of NTTacPlus.

OnTrafficLowEmail Just like the previous parameter, but referred to the traffic credit.


[Authorization] Section

This section rules the default behavior of NTTacPlus for authorization requests that are not explicitly configured.

Parameter Description

DefaultService If it is set to permit, NTTacPlus authorizes the request coming from the NAS for the services that are not explicitly configured. Otherwise the authorization fails.

If it is omitted, the default value is deny.

DefaultCommand If it is set to permit, NTTacPlus authorizes the request coming from the NAS for the commands of the shell (Exec) that are not explicitly configured. Otherwise the commands that are not configured are not authorized.

If it is omitted, the default value is deny.

NoAppendTacCmd If set to 1, NTTacPlus does not append any command authorization set up in the belonging groups. If omitted, NTTacPlus completes the command authorization list of the user profile by appending the lists of the groups it belongs to.

NoAppendTacSvc If set to 1, NTTacPlus does not append any service authorization set up in the belonging groups. If omitted, NTTacPlus completes the service authorization list of the user profile by appending the lists of the groups it belongs to.

[cmd <cmd_name>] Sections

These sections configure the TACACS+ authorization for the shell commands (Exec) of the NAS. Every section configures a given command. Therefore, the body of the section specifies whether to allow or deny the command on the basis of its parameters. For example, the following configuration:

[cmd logout]
*=permit

[cmd telnet]
192.168.10.1 *=deny
192.168.10.*=permit

allows the user to type the logout command with any parameter at the shell prompt, while the telnet command is allowed only if its first parameter is an IP address in the 192.168.10.0 network other than 192.168.10.1. As a rule, the syntax for the parameters of the command is:

<argument_list>=permit | deny

where <argument_list> is an expression which may contain wildcards.

NOTE: Cisco NASes with some IOS system versions always literally add the four character string "<cr>" to mark the end of the line (carriage return). For a command typed without parameters, an authorization request is presented in any case with only one parameter (the "<cr>" string). Always keep in mind this string when configuring the valid parameters.


[Services] Section

This section rules the behavior of NTTacPlus for TACACS+ authorization requests to the services. The body of the section can contain one or more lines allowing services. The syntax for the explicit configuration of a service is the following:

<service_name> default=permit | deny

For example, to configure the authorization to the shell (Exec) of the NAS, type:

Exec default=permit | deny

The permit or deny option rules the behavior of NTTacPlus towards attribute/value pairs that are not explicitly configured for the service. With permit, a pair that is received and not configured is kept in any case (whether mandatory or optional) and the authorization succeeds. With deny, a received pair that is not configured is discarded; the authorization goes on if the pair is optional, while it fails if the pair is mandatory.

For the services that require also the specification of a protocol (such as for PPP), type:

<service_name>-<protocol> default=permit | deny

For example, to configure the PPP service over the IP protocol, type:

PPP-IP default=permit | deny

WARNING: In the case of the PPP service, because the NAS sends separately the authorization request for PPP/LCP first (layer control) and then the request corresponding to the protocol to be executed over PPP (for ex. TCP/IP on PPP), it is necessary to configure both services explicitly (that is, PPP and PPP-IP).

For example, in order to activate the authorization to TCP/IP over PPP, the following lines are both required:

PPP default=deny
PPP-IP default=deny

In order to configure also an attribute/value pair list, add the following lines:

<service_name> AV=attr1=value1;attr2=value2;attr3*value3;...

or

<service_name>-<protocol> AV=attr1=value1;attr2=value2;attr3*value3;...

Configuration example

[Services]
Exec default=deny
Exec AV=autocmd=ppp
PPP default=deny
PPP-IP default=deny
PPP-IP AV=addr=192.168.1.54;inacl=110


These lines configure the Exec, PPP/LCP and TCP/IP over PPP services. Moreover, they assign the A/V pair autocmd=ppp (command to be executed when the shell is started) to the Exec service, while they assign addr=192.168.1.54 (static IP address) and inacl=110 (input access-list to be applied to the user) to the TCP/IP connection over PPP.

The A/V pairs can be indicated as attribute=value or as attribute*value, where the equal "=" sign indicates a mandatory pair, while the asterisk "*" sign indicates an optional pair that can be applied or not upon NAS discretion.
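The [Services] rules described in this section (default=permit|deny for unconfigured pairs, the AV= list, "=" for mandatory and "*" for optional pairs, and the [Authorization] DefaultService fallback for services with no line at all), modelled in code. This is an added example and not NTTacPlus code; the service lines are the configuration example from this section. How configured pairs are merged with the received pairs that survive (the configured value replaces a received pair with the same attribute name) and the use of DefaultService when a service has an AV= line but no default= line are assumptions of this model.

```python
"""Model of the TACACS+ service authorization rules in the [Services] section.

Added example, not NTTacPlus code. "<svc> default=permit|deny" decides what
happens to attribute/value pairs the NAS sends that are not configured:
permit keeps them, deny drops them and fails the request if the pair was
mandatory. "<svc> AV=..." lists pairs the server adds to the reply, where
"=" marks a mandatory pair and "*" an optional one. A service with no line
at all falls back to [Authorization] DefaultService. Assumptions of this
model: a configured pair replaces a received pair with the same attribute
name, and DefaultService also covers a service that has only an AV= line.
"""

# The configuration example from this section of the guide.
SAMPLE_SERVICES = """[Services]
Exec default=deny
Exec AV=autocmd=ppp
PPP default=deny
PPP-IP default=deny
PPP-IP AV=addr=192.168.1.54;inacl=110
""".splitlines()

def parse_pair(text):
    """'addr=1.2.3.4' -> ('addr', '1.2.3.4', True); 'inacl*110' -> ('inacl', '110', False)"""
    text = text.strip()
    for i, ch in enumerate(text):
        if ch in "=*":
            return text[:i], text[i + 1:], ch == "="
    raise ValueError("malformed A/V pair: %r" % text)

def parse_services(lines):
    """Parse a [Services] body into {service: {"default": str|None, "av": [pairs]}}."""
    services = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        name, _, rest = line.partition(" ")
        key, _, value = rest.strip().partition("=")
        entry = services.setdefault(name.lower(), {"default": None, "av": []})
        if key.lower() == "default":
            entry["default"] = value.strip().lower()
        elif key.lower() == "av":
            entry["av"] = [parse_pair(p) for p in value.split(";") if p.strip()]
    return services

def authorize(services, service, received, default_service="deny"):
    """Decide one authorization request.

    received: list of (attribute, value, mandatory) pairs sent by the NAS.
    Returns (authorized, reply_pairs).
    """
    entry = services.get(service.lower())
    if entry is None:
        # service not configured at all: [Authorization] DefaultService decides
        return default_service == "permit", list(received)
    policy = entry["default"] or default_service
    configured = {attr.lower(): (attr, value, mand) for attr, value, mand in entry["av"]}
    reply = []
    for attr, value, mandatory in received:
        if attr.lower() in configured:
            continue                      # replaced by the configured pair below
        if policy == "permit":
            reply.append((attr, value, mandatory))   # unconfigured pair kept
        elif mandatory:
            return False, []              # unconfigured mandatory pair under deny
        # unconfigured optional pair under deny: discarded, request continues
    reply.extend(configured.values())
    return True, reply

if __name__ == "__main__":
    svcs = parse_services(SAMPLE_SERVICES)
    print(authorize(svcs, "PPP-IP", [("addr", "0.0.0.0", True)]))
    print(authorize(svcs, "PPP-IP", [("routing", "true", True)]))   # (False, [])
```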

[Services Expired] Section

This section rules the behavior of NTTacPlus for TACACS+ authorization requests to services when the account has expired or has exhausted its time or traffic credit. This section is only read if the OnExpiredAuthenticate parameter is set to 1. The body of this section contains parameters with the same syntax as the [Services] section.

[RADIUS] Section

This section rules the default behavior of NTTacPlus for RADIUS authorization requests.

Parameter Description

NoAppendRadChk If set to 1, NTTacPlus does not append the RADIUS attribute check-lists configured in any belonging group. If omitted, NTTacPlus appends to the profile RADIUS check-list the check-lists retrieved from the belonging groups.

NoAppendRadRep If set to 1, NTTacPlus does not append the RADIUS attribute reply-lists configured in any belonging group. If omitted, NTTacPlus appends to the profile RADIUS reply-list the reply-lists retrieved from the belonging groups.

[RADIUS CheckList] Section

This section rules the behavior of NTTacPlus for RADIUS authorization requests. The body of the section can contain one or more Attribute-Value pair lines that must be received from the NAS for the user to authenticate successfully. The NAS sends a list of attributes describing the kind of access the user is requesting; in this section you can list mandatory attributes that must be present among those sent by the NAS. The line format is:

<attribute-name>=<value>

For example, if you want to limit the dialup access type only to the terminal login, you can set the attribute:

[RADIUS CheckList]
Service-Type=NAS-Prompt

[RADIUS ReplyList] Section

This section rules the behavior of NTTacPlus for RADIUS authorization requests. The body of the section can contain one or more Attribute-Value pair lines to be sent to the NAS together with the authentication-succeeded reply. The NAS interprets the attributes received from NTTacPlus and decides whether it can apply them to the user, discard them, or deny the access to the user. The line format is the same as in the RADIUS check-list:

<attribute-name>=<value>

For example to set a static IP address using RADIUS you have to insert these lines:

[RADIUS ReplyList]
Service-Type=Framed
Framed-IP-Address=a.b.c.d
Framed-IP-Netmask=e.f.g.h

where a.b.c.d is the IP address to set and e.f.g.h is the subnet mask.

[RADIUS Expired CheckList] and [RADIUS Expired ReplyList] Sections

These sections rule the behavior of NTTacPlus for RADIUS authorization requests to be applied only when the account has expired or has no more time and/or traffic credit. The sections are parsed only if the parameter OnExpiredAuthenticate is set to 1. The bodies of these sections contain lines with the same syntax as the [RADIUS CheckList] and [RADIUS ReplyList] sections.

Using wildcards in expressions

Expressions containing wildcards used by NTTacPlus (for instance in the Port= or CallerID= fields or in the allowed command parameter configuration) use the following special characters:

Character Meaning

* Zero or more characters
? Any single character
[<a>-<b>] Any single character between <a> and <b> (for instance [2-9] means the digits between 2 and 9)
\* The literal character *
\? The literal character ?
\[ The literal character [
\\ The literal character \

If you place a leading refuse character ("!") in a wildcard expression, you are telling NTTacPlus to refuse the request when the expression matches instead of accepting it. For example, with the following value in the Port field:

Port=!Async4,Async[1-8],Serial*

NTTacPlus will accept the Async ports from 1 to 8 and all Serial ports, refusing connection on Async port 4.
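The wildcard syntax of this section, implemented as a matcher and applied to the Port= value above and to the CallerID= example from the [Global] section. This is an added example and not NTTacPlus code: it translates *, ?, [<a>-<b>] and the four escapes into a regular expression and evaluates a comma-separated list in which a leading "!" makes an entry a refusal. Letting a refused match win regardless of its position in the list is an assumption; it is the reading under which Port=!Async4,Async[1-8],Serial* rejects Async4 even though Async[1-8] also matches it.

```python
r"""Matcher for the wildcard expressions used in Port=, CallerID= and
command argument lists.

Added example, not NTTacPlus code. It translates the characters the guide
lists (*, ?, [<a>-<b>], and the escapes \*, \?, \[, \\) into an anchored
regular expression and evaluates a comma-separated list in which a leading
"!" turns an entry into a refusal. That a refused match outranks an
accepting one wherever it appears in the list is an assumption of this
example.
"""
import re

def wildcard_to_regex(expr):
    """Translate one wildcard expression into an anchored regex pattern."""
    out = []
    i = 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):      # \*, \?, \[, \\ are literals
            out.append(re.escape(expr[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*")                       # zero or more characters
        elif ch == "?":
            out.append(".")                        # exactly one character
        elif ch == "[":
            end = expr.find("]", i)
            if end == -1:
                raise ValueError("unterminated [ in %r" % expr)
            lo, _, hi = expr[i + 1:end].partition("-")
            out.append("[" + re.escape(lo) + "-" + re.escape(hi) + "]")
            i = end + 1
            continue
        else:
            out.append(re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"

def matches(expr, value):
    return re.match(wildcard_to_regex(expr), value) is not None

def allowed(field, value):
    """Evaluate a comma-separated Port=/CallerID= style list against a value."""
    if field is None:
        return True                      # parameter omitted: no control applied
    accepted = False
    for entry in (e.strip() for e in field.split(",")):
        if not entry:
            continue
        if entry.startswith("!"):
            if matches(entry[1:], value):
                return False             # a refuse entry matched (assumed to win)
        elif matches(entry, value):
            accepted = True
    return accepted

if __name__ == "__main__":
    port = "!Async4,Async[1-8],Serial*"
    for p in ("Async3", "Async4", "Async9", "Serial0:1"):
        print(p, allowed(port, p))       # True, False, False, True
```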


Some user and group profile examples

Let us suppose the case of an Internet Service Provider providing ISDN and analog accesses with TCP/IP over PPP connections, equipped with a NAS which can distinguish between analog and ISDN incoming calls, such as the Cisco AS5200 access server. Let the IP address of the AS5200 be 192.168.0.1.

Let us suppose that the provider decides to sell the following kinds of access:

FLAT 24h analog
HALF 12h day-time from 8:00 to 20:00, analog (except on holidays/preholidays, when 24h access is allowed)
HALF 12h night-time from 20:00 to 8:00, analog (except on holidays/preholidays, when 24h access is allowed)
HALF 12h daily from 8:00 to 20:00, ISDN (also on holidays/preholidays)
HALF 12h night-time from 20:00 to 8:00, ISDN (also on holidays/preholidays)
ISDN with a total of 300 hours

All the subscriptions are yearly.

The following group profiles can be created:

standard.ugp

[Global]
Name=Base common group
MaxLogins=1
MaxConnectionTime=480
Privilege=1
NAS=192.168.0.1
Port=Async*,tty*
ExpiringEMailMsg=c:\nttacplus\messages\expiring.txt

[Suspicious]
OnFailedEmail=1
OnExpiredAuthenticate=0
OnMultipleAccessEmail=1
OnMultipleAccessKill=0
OnMultipleAccessDisable=0
OnExpiringEmail=1

[Authorization]
DefaultCommand=deny
DefaultService=deny

[Services]
Exec default=deny
Exec AV=autocmd=ppp
PPP default=deny
PPP-IP default=deny

[cmd exit]
*=permit

[cmd logout]
*=permit


day.ugp

[Global]
Name=Day-time analogic access group
Groups=standard
LoginHours=weekly

[WeekPlan]
mon=08:00-19:59
tue=08:00-19:59
wed=08:00-19:59
thu=08:00-19:59
fri=08:00-19:59
sat=00:00-23:59
sun=00:00-23:59

night.ugp

[Global]
Name=Night-time analogic access group
Groups=standard
LoginHours=weekly

[WeekPlan]
mon=00:00-07:59,20:00-23:59
tue=00:00-07:59,20:00-23:59
wed=00:00-07:59,20:00-23:59
thu=00:00-07:59,20:00-23:59
fri=00:00-07:59,20:00-23:59
sat=00:00-23:59
sun=00:00-23:59

dayisdn.ugp

[Global]
Name=Day-time ISDN access group
Groups=standard
LoginHours=08:00-19:59
Port=Serial*,Async*,tty*

nightisdn.ugp

[Global]
Name=Night-time ISDN access group
Groups=standard
LoginHours=00:00-07:59,20:00-23:59
Port=Serial*,Async*,tty*


isdn300.ugp

[Global]
Name=ISDN access with 300 hours total time credit
Groups=standard
Port=Serial*,Async*,tty*

[Credits]
TimeInitial=18000
TimeLeft=18000

At this point the user profiles can be created easily, assigning each of them to the desired group. The user Asdrubale buys a flat analog subscription starting from June 1st, 1999:

asdrubale.usr

[Global]
Name=Asdrubale Rossi
Passwd=guessit
Expires=01-06-2000
Groups=standard
EMail=asdrubale.rossi@supermeganet.com

The user Antonio buys an ISDN subscription of 300 hours starting from May 15th, 1999, with a quota assignment of 20 hours per week:

antonio.usr

[Global]
Name=Antonio Bianchi
Passwd=whoknowsit
Expires=15-05-2000
Groups=isdn300
EMail=antonio.bianchi@supermeganet.com

[Credits]
QuotaPeriod=weekly
Quota=1200

The user Ermenegildo buys an ISDN day-time subscription with a duration of 180 days, expiring in any case on April 30, 2001, with 2 concurrent accesses, the static IP address 199.189.161.15, and access limited to his only two telephone numbers 02-77836524 and 02-77836525:

ermenegildo.usr

[Global]
Name=Ermenegildo Verdi
Passwd=justforgotit
Expires=#180,30-04-2001
Groups=dayisdn
MaxLogins=2
CallerID=27783652[4-5]*
EMail=[email protected]

[Services]
PPP-IP AV=addr=199.189.161.15


Special settings

A remark on the privilege value

When NTTacPlus receives a TACACS+ authorization request for the Exec (shell) service, it automatically adds to the list of A/V pairs in the answer the "priv-lvl=nn" pair, where nn is the value retrieved from the Privilege= setting of the [Global] section. In this way an administrator whose account has Privilege=15 can enter the NAS prompt directly in enable mode (on Cisco with IOS ver. 11.1 or later) without having to type the enable command and the enable password again. If, on the other hand, you explicitly add the A/V pair "priv-lvl=nn" in the authorization configuration for the Exec service (for instance with "Exec AV=priv-lvl=7"), the value of the Privilege parameter is ignored.

Enable passwords with TACACS+

On older Cisco IOS operating systems (11.1 or earlier) enable passwords are requested from the TACACS+ server without providing the username of the user who is trying to issue the enable command. When NTTacPlus receives such an enable authentication request, it searches for the password in a special user profile: if the enable request specifies a privilege value between 0 and 14, the profile is $enab<n>$, with <n> the requested privilege level; if the privilege is 15, it searches first for a user called $enable15$ and then, if that cannot be found, for a user called $enable$. This means that if you also activate enable authentication with the TACACS+ protocol, it is necessary to configure the enable password in a user profile called $enable$.usr. In more recent versions, the enable authentication request also specifies the username of the user. In this case, if the user has the adequate privilege for the request, the password used by NTTacPlus is the same one used by the user to log in at the NAS prompt.

Static IP address assignment in RADIUS

The sample preconfigured groups in NTTacPlus contain the minimum RADIUS attributes required to authorize PPP network service access.By assigning a user to a group in which reply RADIUS attributes are configured to be allowed for PPP access (as the preconfigured ones), the user inherits automatically those attributes even if they are not explicitly declared in his profile: this happens because NTTacPlus appends the group attributes to the user attributes.The typical RADIUS reply attributes for a PPP access are:

[RADIUS ReplyList]
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=Select-by-NAS

To set a static IP address for a user, you have to configure in his profile:

[RADIUS ReplyList]
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=a.b.c.d
Framed-IP-Netmask=e.f.g.h

Make sure to disable the automatic appending of the RADIUS group attributes with the option

[RADIUS]
NoAppendRadRep=1

Master Soft S.n.c. NTTacPlus Access Control Server rel. 2.0


NTTacPlus – Installation and User Guide page 65/92

Without this setting NTTacPlus would return a reply composed of the two lists concatenated, the user profile attributes first and then the attributes appended from the group:

(user profile attributes)
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=a.b.c.d
Framed-IP-Netmask=e.f.g.h
(attributes appended from the group)
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=Select-by-NAS

In this case the NAS receives useless repetitions and, above all, the static IP address is ignored, because the last attribute relevant to IP address selection is Select-by-NAS.
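The merge behaviour described above, as an added example that is not NTTacPlus code: a Python routine builds the reply list the way the text describes (user attributes first, then each group's attributes in Groups= order unless NoAppendRadRep=1) and then applies the "last occurrence wins" reading of the text to show which Framed-IP-Address the NAS ends up with. The profile texts are constructed for the example; treating Groups= as a comma-separated ordered list, and the last-wins rule itself, are assumptions drawn from the text.

```python
from collections import OrderedDict

def profile_section(text, section):
    """Return the key=value pairs of one [section] of an NTTacPlus-style text
    profile, in file order and keeping duplicates."""
    pairs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def profile_value(text, section, key, default=""):
    for k, v in profile_section(text, section):
        if k == key:
            return v
    return default

def reply_list(user_profile, groups):
    """Reply attributes in the order NTTacPlus sends them: the user's own
    [RADIUS ReplyList], then each group's list in Groups= order, unless the
    user profile sets [RADIUS] NoAppendRadRep=1."""
    pairs = profile_section(user_profile, "RADIUS ReplyList")
    if profile_value(user_profile, "RADIUS", "NoAppendRadRep") != "1":
        # Assumption: Groups= is a comma-separated, ordered list of group names.
        for name in profile_value(user_profile, "Global", "Groups").split(","):
            name = name.strip()
            if name in groups:
                pairs += profile_section(groups[name], "RADIUS ReplyList")
    return pairs

def effective(pairs):
    """Assumption drawn from the text: when an attribute repeats, the NAS acts
    on the last occurrence. Maps attribute -> the value that wins."""
    eff = OrderedDict()
    for key, value in pairs:
        eff[key] = value
    return eff

# Constructed profiles, shaped like the page's fragments.
GROUPS = {"ppp": """[RADIUS ReplyList]
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=Select-by-NAS
"""}
USER_STATIC = """[Global]
Groups=ppp
[RADIUS ReplyList]
Service-Type=Framed
Framed-Protocol=PPP
Framed-IP-Address=212.195.12.192
Framed-IP-Netmask=255.255.255.255
"""
USER_STATIC_FIXED = USER_STATIC + "[RADIUS]\nNoAppendRadRep=1\n"
```

With USER_STATIC the reply carries seven pairs and the effective address is Select-by-NAS; with USER_STATIC_FIXED it carries four and the static address survives.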

The post-authentication scripts

Besides the standard NTTacPlus authentication checks (password, expiry date, ...), you can extend the authentication procedure by running external scripts (executables, batch files, etc.). NTTacPlus passes these scripts some standard parameters received from the NAS and waits for an answer from the script before replying to the authentication request. In the post-authentication script command line (AuthenScript parameter in the [Global] section) you can use the following macros, which NTTacPlus expands automatically:

$user     Username
$pass     Password typed by the user
$nas      IP address or NAS name
$port     NAS port number/name
$clid     Caller ID (if available)
$addr     Network address
$priv     Privilege level
$svc      Service type numeric code
$action   Requested action
$type     Authentication type

NTTacPlus waits for the script reply (access permitted or denied) on the standard output: the script must reply in the format parameter=value, without any blank space at the beginning of the line. The reply parameters NTTacPlus accepts are:

status=pass (or fail)
reply-msg=<text message to pass to the NAS and then to the user>

The parameter status is mandatory while reply-msg is optional. Any other unrecognized lines are ignored.
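The round trip described above, as an added example that is not part of NTTacPlus: a Python driver expands the AuthenScript macros into an argument vector, runs the script with a timeout, and applies the reply rules (status= mandatory, lines in column 1, everything else ignored), failing closed whenever the script cannot run or returns no usable status. The stand-in script fool.py, the one-word-per-argument convention and the timeout are assumptions of the example. Note that expanding $pass places the user's clear-text password on the command line, where other local processes can read it, so pass it only to scripts that genuinely need it.

```python
import os
import re
import subprocess
import sys
import tempfile

# Macros listed for the AuthenScript command line.
MACROS = ("user", "pass", "nas", "port", "clid", "addr", "priv", "svc", "action", "type")
_MACRO_RE = re.compile(r"\$(" + "|".join(MACROS) + r")")

def expand_argv(argv_template, ctx):
    """Expand macros inside each argument separately. Every word of the
    configured command line becomes exactly one argv element, so a username
    such as 'al bert' or 'albert & whoami' reaches the script as a single
    argument and is never re-parsed by a shell."""
    return [_MACRO_RE.sub(lambda m: str(ctx.get(m.group(1), "")), arg)
            for arg in argv_template]

def build_argv(command_line, ctx):
    """Split the configured AuthenScript= line on whitespace, then expand."""
    return expand_argv(command_line.split(), ctx)

def parse_reply(stdout):
    """Documented reply rules: status= is mandatory, reply-msg= is optional,
    both must start in column 1, everything else is ignored. A missing or
    unknown status fails closed."""
    status, message = None, None
    for line in stdout.splitlines():
        if line.startswith("status="):
            status = line[len("status="):].strip().lower()
        elif line.startswith("reply-msg="):
            message = line[len("reply-msg="):]
    return status == "pass", message

def run_authen_script(argv_template, ctx, timeout=5.0):
    """Run the script and turn its output into (access_granted, reply_msg).
    Any failure to run it (missing file, hang) counts as a denial."""
    try:
        proc = subprocess.run(expand_argv(argv_template, ctx),
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False, None
    return parse_reply(proc.stdout)

# Constructed stand-in for fool.bat with the same logic, in Python so that
# the example runs on any platform.
FOOL_PY = '''import sys
name = sys.argv[1] if len(sys.argv) > 1 else ""
if name == "albert":
    print("reply-msg=Hello, Albert, welcome!")
else:
    print("reply-msg=Hey, you're not Albert. Welcome, anyway!")
print("status=pass")
'''

def demo(user):
    """Equivalent of AuthenScript=<python> <fool.py> $user for the given user."""
    path = os.path.join(tempfile.mkdtemp(), "fool.py")
    with open(path, "w") as fh:
        fh.write(FOOL_PY)
    return run_authen_script([sys.executable, path, "$user"],
                             {"user": user, "pass": "not-used-here"})
```

A reply line indented by a space is not recognised, so a script that prints " status=pass" is treated as a denial, exactly as the documented rule requires.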

A (quite useless) sample batch script

In the user profile (or group profile) this line is configured:

AuthenScript=cmd.exe /c c:\nttacplus\external\fool.bat $user

And this is the script fool.bat:

@echo off
rem %1 is the username NTTacPlus passed through the $user macro
if not "%1"=="albert" goto bother_this_is_not_albert
echo reply-msg=Hello, Albert, welcome!
goto exit_fool_bat
:bother_this_is_not_albert
echo reply-msg=Hey, you're not Albert. Welcome, anyway!
:exit_fool_bat
rem status= is mandatory; every path above ends with a pass
echo status=pass

Expiring account warning e-mail messages format

Messages sent to a user whose account is expiring (either by date or by time/traffic credit), are simple ASCII text files with the following format:

From: SuperExtraMeganet Staff <[email protected]>
To: $fullname <$email>
Subject: Account expiration warning

Dear $fullname,
this message has been automatically sent to you
to remind you that your account (account ID = <$username>)
will expire on $expires.

We would like to inform you that this month we
have special offers for Internet access subscriptions.
If you apply for a new subscription by the end of the month,
you may benefit from special discounts.

Best Regards,

The SuperExtraMeganet Staff.

NOTE: To deliver messages to users successfully there must be no blank lines at the top of the file. Furthermore, the first three lines of the file must contain the From, To and Subject fields, followed by a blank line. Nine special macros can be included in the text; at delivery time they are replaced by values relevant to the user:

$fullname        User full name
$username        Account username
$email           User e-mail address
$expires         Account expiration date
$effectivefrom   The account activation date
$timeinitial     The initial time credit (in minutes) for the account
$timeleft        The time credit left (in minutes) for the account
$kbytesinitial   The initial traffic credit (in Kbytes) for the account
$kbytesleft      The traffic credit left (in Kbytes) for the account
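As an added example (not NTTacPlus code), a Python renderer that enforces the layout rules above before substituting the nine macros: no leading blank line, From/To/Subject on the first three lines, a blank line after them. Macros the account record cannot resolve are left in place and reported, so a misspelt macro is caught before the message is sent. The template text, the example.net addresses and the account values are constructed.

```python
import re

# The nine documented macros, longest name first so the alternation can never
# match a shorter macro inside a longer one if the list ever grows.
MACROS = ("fullname", "username", "email", "expires", "effectivefrom",
          "timeinitial", "timeleft", "kbytesinitial", "kbytesleft")
_MACRO_RE = re.compile(r"\$(" + "|".join(sorted(MACROS, key=len, reverse=True)) + r")")

def validate_template(text):
    """Enforce the documented layout; raises ValueError on violation."""
    lines = text.split("\n")
    if len(lines) < 4 or lines[0].strip() == "":
        raise ValueError("message must start with the From: line; no blank lines before it")
    for i, field in enumerate(("From:", "To:", "Subject:")):
        if not lines[i].startswith(field):
            raise ValueError(f"line {i + 1} must start with {field}")
    if lines[3].strip() != "":
        raise ValueError("a blank line must follow the Subject: line")

def render(text, account):
    """Substitute macros from an account dict (keys are the macro names).
    Returns (rendered_text, list_of_unresolved_macro_names)."""
    validate_template(text)
    unresolved = []

    def substitute(match):
        name = match.group(1)
        if name not in account:
            unresolved.append(name)
            return match.group(0)          # leave the macro visible
        return str(account[name])

    return _MACRO_RE.sub(substitute, text), unresolved

def split_message(rendered):
    """Separate the three header lines from the body for the mail sender."""
    head, _, body = rendered.partition("\n\n")
    headers = dict(line.split(": ", 1) for line in head.split("\n"))
    return headers, body

# Template constructed after the page's sample.
TEMPLATE = """From: SuperExtraMeganet Staff <staff@example.net>
To: $fullname <$email>
Subject: Account expiration warning

Dear $fullname,
your account (account ID = <$username>) will expire on $expires.
You have $timeleft of $timeinitial minutes left.
"""
ACCOUNT = {"fullname": "Abelarda grandma", "username": "abelarda",
           "email": "abelarda@example.net", "expires": "01-01-2002",
           "timeinitial": 3600, "timeleft": 2500}
```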


Account profiles in ODBC SQL format

NTTacPlus can store user and group profiles in an ODBC-compliant SQL database instead of text files. It uses the following two tables to store group profiles and user profiles respectively:

Group profile table: TAC_GRP
User profile table: TAC_USR

Both tables have the same field layout:

Field      Type
TAC_ID     TEXT
TAC_ATTR   TEXT
TAC_VAL    TEXT

The TAC_ID field contains the profile username. The TAC_ATTR field contains the parameter name, that is, a string composed of the section name of the equivalent text profile followed by the corresponding parameter name. The TAC_VAL field contains the value of the TAC_ATTR attribute. For a single username (or group name) the user (group) table holds as many records as the account has parameters. NTTacPlus considers an account to exist in the database when there is at least one record whose TAC_ID is that account name.

Text to database conversion example

Suppose you have the following user profile (abelarda.usr):

[Global]
Name=Abelarda grandma
Groups=ISDN
Expires=#120,01-01-2002
EffectiveFrom=15-07-1999
Passwd=sprintgrandma
NAS=212.195.12.121-212.195.12.126

[Credits]
QuotaPeriod=weekly
Quota=3600
QuotaLeft=2500

[RADIUS ReplyList]
Framed-IP-Address=212.195.12.192

In the TAC_USR table the user is represented by the following 10 records:

TAC_ID     TAC_ATTR                              TAC_VAL
abelarda   [Global]Name                          Abelarda grandma
abelarda   [Global]Groups                        ISDN
abelarda   [Global]Expires                       #120,01-01-2002
abelarda   [Global]EffectiveFrom                 15-07-1999
abelarda   [Global]Passwd                        sprintgrandma
abelarda   [Global]NAS                           212.195.12.121-212.195.12.126
abelarda   [Credits]QuotaPeriod                  weekly
abelarda   [Credits]Quota                        3600
abelarda   [Credits]QuotaLeft                    2500
abelarda   [RADIUS ReplyList]Framed-IP-Address   212.195.12.192
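The conversion above in code, as an added example (this is not the Access form shipped with NTTacPlus): the abelarda.usr text is turned into TAC_USR rows and back, and the rows are loaded into an in-memory SQLite table with the documented three-column layout so the "account exists if at least one row carries its TAC_ID" rule can be exercised. SQLite stands in for the ODBC datasource; the ORDER BY rowid clause is an assumption that only reproduces insertion order, because the documented layout has no sequence column of its own.

```python
import sqlite3

def parse_profile(text):
    """Yield (section, key, value) from a text profile in file order, keeping
    repeated keys (a reply list may legitimately repeat an attribute)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif section and "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()

def profile_to_records(name, text):
    """One TAC_USR/TAC_GRP row per parameter: TAC_ATTR is the section name
    glued to the key, exactly as in the conversion table above."""
    return [(name, f"{section}{key}", value) for section, key, value in parse_profile(text)]

def records_to_profile(records):
    """Inverse conversion; rows are expected in their original order."""
    lines, current = [], None
    for _tac_id, attr, value in records:
        section, key = attr.split("]", 1)
        section += "]"
        if section != current:
            if lines:
                lines.append("")
            lines.append(section)
            current = section
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"

def create_tables(conn):
    for table in ("TAC_GRP", "TAC_USR"):
        conn.execute(f"CREATE TABLE IF NOT EXISTS {table} "
                     "(TAC_ID TEXT, TAC_ATTR TEXT, TAC_VAL TEXT)")

def store(conn, table, records):
    conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", records)

def account_exists(conn, table, name):
    """The documented rule: at least one row with that TAC_ID."""
    (count,) = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE TAC_ID = ?",
                            (name,)).fetchone()
    return count > 0

def fetch_profile(conn, table, name):
    # rowid is SQLite-specific and only reproduces insertion order; since the
    # order of Groups= entries matters, a real schema should carry an explicit
    # sequence column instead of relying on this.
    rows = conn.execute(f"SELECT TAC_ID, TAC_ATTR, TAC_VAL FROM {table} "
                        "WHERE TAC_ID = ? ORDER BY rowid", (name,)).fetchall()
    return records_to_profile(rows)

# abelarda.usr as printed on the page.
ABELARDA = """[Global]
Name=Abelarda grandma
Groups=ISDN
Expires=#120,01-01-2002
EffectiveFrom=15-07-1999
Passwd=sprintgrandma
NAS=212.195.12.121-212.195.12.126

[Credits]
QuotaPeriod=weekly
Quota=3600
QuotaLeft=2500

[RADIUS ReplyList]
Framed-IP-Address=212.195.12.192
"""
```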

Setting up an ODBC datasource for the user database

In order to keep the NTTacPlus user database in a SQL database, you have to configure an ODBC datasource referring to that database:

1. Choose ODBC from the Control Panel.
2. Choose the System DSN tab.
3. Click on Add and choose a database driver (for example the MS Access Driver).
4. Choose a name for the datasource (for example user_db) and optionally a description.
5. Click on Select and indicate the path/name of the database (for example c:\NTTacPlus2\odbc\nttacdb.mdb).
6. Click on OK and close all the windows and the Control Panel. The datasource is configured.

To enable NTTacPlus to query the SQL account database, check the Enable ODBC user database checkbox and fill in the Datasource, Username and Password fields with the values you set in the ODBC administrator control panel. The Serialize SQL Queries option makes all queries on the user database (both reads and writes) execute in a queue, one at a time; this option is required with some ODBC drivers that don't support concurrent queries (for example the MS SQL Server ODBC driver). If you plan to use MS Access you don't need to enable this option.

WARNING: The moment you enable the ODBC User Database, NTTacPlus immediately starts using the accounts from the database and ignores the text profiles! Check before confirming the change: if the administrative account you are logged in to the console with is not configured in the database, you will no longer be able to access NTTacPlus from the Remote Console.

Exporting/Importing text accounts from/to a database

The NTTacPlus package includes a sample MS Access 97 user database, the file NTTACDB.MDB. This database already contains the two tables NTTacPlus requires (TAC_GRP and TAC_USR) and is ready for use. If you have MS Access 97 installed on your computer you can open the database: you will see a form that lets you import user and group profiles from text files into the database, or export them back to text files. If you plan to use a different database you have to write your own conversion routines.

The user database as an Open Standard

An important feature of the NTTacPlus user database is its openness towards other applications. You can write your own routines, queries and procedures to modify, create and delete user profiles without using the NTTacPlus Remote Console. Any modification to the database records takes effect as soon as the updating transaction completes. You can also add your own attributes to the user and group tables: NTTacPlus ignores any unrecognized attribute but preserves it unaltered, in the backup database as well as when profiles are stored in ASCII text files.


Managing accounts with the Profile Manager

If you press F10 from the NTTacPlus Remote Console (or if you select the Edit/Profile Manager menu) you can access the NTTacPlus Profile Manager window.

Creating a new user (group)

1. Select Users (Groups) in the Display options box.
2. Press the New user (New group) button.
3. Type the username for the new account in the User/Group name text box.
4. When you move to the next dialog item you will see the bitmap appear.
5. Configure the user parameters in the various sections.
6. When you have finished, press Update to commit the changes.

Creating (duplicating) a new user (group) starting from an existing one

1. Select an existing username in the list box or type it in the text box.
2. Move to another dialog item.
3. Move back to the User/Group name field and type the new username.
4. Modify the desired parameters.
5. When you have finished, press Update to commit the changes.


Deleting an existing user (group)

1. Select an existing user (group) from the dropdown list box.
2. Press the Delete button and confirm the operation.

Modifying an existing user (group)

1. Select an existing user (group) from the dropdown list box.
2. When you move to the next dialog item, NTTacPlus loads the user profile attributes.
3. When you modify parameters of that user profile a little blue bullet appears, telling you that the profile has been modified but not saved yet.
4. When you have finished editing the profile, press the Update button to commit the changes or Revert to restore the original values.

Some remarks about Profile Manager settings

All parameters you can set in user profiles can also be set in group profiles. If you leave a setting blank, the word (group) appears to remind you that NTTacPlus will search for that parameter in the group profiles the user belongs to. If the profile does not belong to any group, the setting is ignored and its value is set to null. Make sure that mandatory settings are correctly filled in (for example the expiry date): if mandatory fields are left blank, both authentication and authorization will fail.

General section settings

Parameter               Profile setting
Full Name               [Global] / Name=
Account disabled        [Global] / Disabled=1
E-Mail                  [Global] / Email=
Expiration date         [Global] / Expires=
Activation date         [Global] / EffectiveFrom=
Max concurrent logins   [Global] / MaxLogins=
Privilege level         [Global] / Privilege=
Allowed NASes           [Global] / NAS=
Allowed Port            [Global] / Port=
Caller/Called ID        [Global] / CallerID=
Comment                 [Global] / Comment=

Password section settings

Parameter                Profile setting
Regular Password         [Global] / Passwd=<user_password>
No Password              [Global] / Passwd=[NONE]
Blank Password           [Global] / Passwd= (empty)
NT Proxy Password        [Global] / Passwd=[NT]
TACACS+ Proxy Password   [Global] / Passwd=[TACACS+]
DES Encrypted Password   [Global] / Passwd=[DES]
UNIX password file       [Global] / Passwd=[UNIX]

Options section settings

Section                      Parameter                 Profile setting
Failed login attempts        Send e-mail               [Suspicious] / OnFailedEmail=
Failed login attempts        Disable the account       [Suspicious] / OnFailedDisable=
Concurrent logins exceeded   Send e-mail               [Suspicious] / OnMultipleAccessEmail=
Concurrent logins exceeded   Disable the account       [Suspicious] / OnMultipleAccessDisable=
Concurrent logins exceeded   Terminate sessions        [Suspicious] / OnMultipleAccessKill=
                             Send a copy of...         [Suspicious] / EmailNotifyToUsers=
                             Authenticate even if...   [Suspicious] / OnExpiredAuthenticate=

Warnings section settings

Parameter                          Profile setting
Send msg when expiring (date)      [Suspicious] / OnExpiringEMail=
Email msg file (date)              [Global] / ExpiringEMailMsg=
Send msg when expiring (time)      [Suspicious] / OnTimeLowEMail=
Email msg file (time)              [Global] / TimeLowEMailMsg=
Send msg when expiring (traffic)   [Suspicious] / OnTrafficLowEMail=
Email msg file (traffic)           [Global] / TrafficLowEMailMsg=


Group membership section settings

This section lets you set the profile's group membership. It is equivalent to the [Global] / Groups= setting.

The Up and Down buttons let you change the order of the groups: NTTacPlus collects parameters by parsing the groups in that order, so the order matters. The Post authentication script parameter is equal to the [Global] / AuthenScript= setting.

Hours section settings

Parameter     Profile setting
Login Hours   [Global] / LoginHours=
Week plan     [Global] / LoginHours=weekly
Mon           [WeekPlan] / Mon=
Tue           [WeekPlan] / Tue=
Wed           [WeekPlan] / Wed=
Thu           [WeekPlan] / Thu=
Fri           [WeekPlan] / Fri=
Sat           [WeekPlan] / Sat=
Sun           [WeekPlan] / Sun=


NOTE: If you configure a week plan and leave a particular day of the week blank, without setting anything for that day at group level either, NTTacPlus denies access on that day. To grant access for a whole day without restrictions you have to specify a 24 hour interval explicitly.

Credits section settings

Parameter                         Profile setting
Max connection time               [Global] / MaxConnectionTime=
Initial Time                      [Credits] / TimeInitial=
Time Left                         [Credits] / TimeLeft=
Assign a time quota               [Credits] / QuotaPeriod=
Quota                             [Credits] / Quota=
Reset quota left                  deletes the [Credits] / Quota= parameter, resetting the quota
Kill when exceeding time credit   [Credits] / OnTimeExceededKill=1
Kill when time quota is over      [Credits] / OnQuotaExceededKill=1
Allow extra-credit time           [Credits] / OnExtraTimeCharge=1
Initial KBytes                    [Credits] / KBytesInitial=
KBytes Left                       [Credits] / KBytesLeft=
Allow extra-credit Kbytes         [Credits] / OnExtraKBytesCharge=1


TACACS+ Command Authorization section settings

Parameter                                     Profile setting
Permit commands not explicitly configured     [Authorization] / DefaultCommand=
Permit services not explicitly configured     [Authorization] / DefaultService=
Do not append all group configured commands   [Authorization] / NoAppendTacCmd=

The permissions and configured commands section corresponds to the [cmd <cmd_name>] sections of the profile. To add a shell command authorization, type the command in the left text box (for example: telnet) and press the Add button on the left. Then select the command you have just added in the command list, type in the right text box the parameters you want to configure, choose permit or deny, and press the Add button on the right.

TACACS+ Services section settings

The settings of this section correspond to the [Services] section of the profile if you enabled Ordinary authorization, and to the [Services Expired] section if you enabled the Expired Authorization option.


Each entry in the Configured Services list corresponds to the line:

<svc_name>-<protocol>=permit|deny

To add a list of A/V pairs to a configured service, select the service in the list on the left, then add the A/V pairs in the right text box, pressing the Add button after typing each pair. A pair can have either of the following forms:

attribute=value

or

attribute*value

In the TACACS+ protocol the separator carries meaning: "=" marks a mandatory attribute, which the NAS must honour for the authorization to succeed, while "*" marks an optional attribute that the NAS may ignore if it does not understand it.

The Do not append all group services option is equal to the [Authorization] / NoAppendTacSvc= parameter.

RADIUS CheckList section settings

The settings of this section correspond to the [Radius CheckList] section of the profile if you enabled the Ordinary authorization option, and to the [Radius Expired CheckList] section if you enabled the Expired Authorization option. The list of attributes to be verified (built by selecting attributes from the left text box) appears as the body of the profile section in the following format:

attribute=value

The A/V pairs dropdown list depends on the RADIUS attributes loaded from the RADDICT.DAT dictionary file.The Do not append all group attribute check list option is equal to the [RADIUS] / NoAppendRadChk= parameter.


RADIUS Reply List section settings

The settings of this section correspond to the [Radius ReplyList] section of the profile if you enabled the Ordinary authorization option, and to the [Radius Expired ReplyList] section if you enabled the Expired Authorization option. The list of attributes to be returned to the NAS after authentication (built by selecting attributes from the left text box) appears as the body of the profile section in the following format:

attribute=value

The A/V pairs dropdown list depends on the RADIUS attributes loaded from the RADDICT.DAT dictionary file.The Do not append all group attribute reply list option is equal to the [RADIUS] / NoAppendRadRep= parameter.


The accounting data

Accounting data generated by NTTacPlus

NTTacPlus can generate different kinds of output for the accounting data, which contain information about the number, length and traffic of the sessions recorded by NTTacPlus:

Distinct text files for each user, created in the Accounting directory, whose name coincides with the username and has a *.log extension. These files record, for each user, all the accounting messages sent by the NAS.

Global accounting text files, created daily in the Accounting directory, whose name is in the yyyymmdd.acc format (year/month/day). These files record, for each user session, information about the length and the traffic generated during the session.

Global accounting output on a SQL/ODBC database. These records are inserted into a table (whose format is described below) and record the length and the traffic generated by each session.

Per-user accounting files

Accounting files generated individually for each user contain the exact data received in the accounting messages from the NAS. Each line (record) represents a START, STOP or UPDATE message and lists the fields in comma-delimited format, with the following meaning (in the Type field the message name is followed, in parentheses, by the numeric TACACS+ accounting flag that carried it: START=2, STOP=4, UPDATE/watchdog=8):

Field          Description
Datetime       Date/time of message reception (format dd-mm-yyyy hh:mm:ss)
Type           Message type ("START", "STOP" or "UPDATE")
NAS            NAS name or address from which the message comes
Port           Port name on which the user is connected
CallerID       Caller ID of the user, when available (for example his telephone number)
ExtraArgs      Semicolon-delimited list of extra arguments sent by the NAS
Task_ID        Unique number identifying the task (common to each START/STOP pair)
Elapsed_Time   Duration of the session in seconds
Bytes_In       Total bytes sent by the user
Bytes_Out      Total bytes received by the user
Paks_In        Total packets sent by the user
Paks_Out       Total packets received by the user
Bytes          Total bytes exchanged by the user (if applicable)
Paks           Total packets exchanged by the user (if applicable)

Example:

15-01-1998 14:30:49,START(2),194.184.16.2,tty53,async/321457913,addr=194.184.16.57;service=ppp,3769,0,0,0,0,0,0,0

15-01-1998 14:30:49,UPDATE(8),194.184.16.2,tty53,async/321457913,addr=194.184.16.57;service=ppp;protocol=ip,3769,0,0,0,0,0,0,0

15-01-1998 14:32:56,STOP(4),194.184.16.2,tty53,async/321457913,addr=194.184.16.57;service=ppp;protocol=ip,3769,133,12415,49283,162,106,0,0
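A parser for this per-user format, as an added example that is not part of NTTacPlus. It splits each record into the fourteen documented fields, pairs START and STOP by (NAS, Port, Task_ID), and computes the wall-clock interval between the two receptions alongside the Elapsed_Time the NAS reports, so the two can be compared: in the page's own records the NAS claims 133 seconds for a session whose START and STOP arrived 127 seconds apart. STOP records with no matching START are collected separately, which is the first thing to look at when reconciling accounting against an invoice. The first three sample lines are the page's records; the fourth, an orphan STOP, is constructed.

```python
from datetime import datetime

FIELDS = ("Datetime", "Type", "NAS", "Port", "CallerID", "ExtraArgs", "Task_ID",
          "Elapsed_Time", "Bytes_In", "Bytes_Out", "Paks_In", "Paks_Out", "Bytes", "Paks")

def parse_record(line):
    """Parse one comma-delimited line of a per-user *.log file into a dict."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["Datetime"] = datetime.strptime(rec["Datetime"], "%d-%m-%Y %H:%M:%S")
    rec["Type"] = rec["Type"].split("(")[0]              # "STOP(4)" -> "STOP"
    rec["ExtraArgs"] = dict(item.split("=", 1)
                            for item in rec["ExtraArgs"].split(";") if "=" in item)
    for name in FIELDS[7:]:                              # the seven counters
        rec[name] = int(rec[name])
    return rec

def pair_sessions(lines):
    """Match START/STOP records by (NAS, Port, Task_ID). Returns the completed
    sessions, STOP records with no START (orphans) and sessions still open."""
    open_sessions, sessions, orphans = {}, [], []
    for line in lines:
        rec = parse_record(line)
        key = (rec["NAS"], rec["Port"], rec["Task_ID"])
        if rec["Type"] == "START":
            open_sessions[key] = rec
        elif rec["Type"] == "STOP":
            start = open_sessions.pop(key, None)
            if start is None:
                orphans.append(rec)
                continue
            sessions.append({
                "task": rec["Task_ID"],
                "addr": rec["ExtraArgs"].get("addr"),
                # seconds between reception of START and STOP at the server
                "wall_seconds": int((rec["Datetime"] - start["Datetime"]).total_seconds()),
                # what the NAS itself reports; it need not equal wall_seconds
                "nas_elapsed": rec["Elapsed_Time"],
                "bytes_in": rec["Bytes_In"],
                "bytes_out": rec["Bytes_Out"],
            })
        # UPDATE records carry interim counters only and do not affect pairing
    return sessions, orphans, list(open_sessions.values())

# The three records printed on the page, plus one constructed STOP with no START.
SAMPLE_LOG = [
    "15-01-1998 14:30:49,START(2),194.184.16.2,tty53,async/321457913,addr=194.184.16.57;service=ppp,3769,0,0,0,0,0,0,0",
    "15-01-1998 14:30:49,UPDATE(8),194.184.16.2,tty53,async/321457913,addr=194.184.16.57;service=ppp;protocol=ip,3769,0,0,0,0,0,0,0",
    "15-01-1998 14:32:56,STOP(4),194.184.16.2,tty53,async/321457913,addr=194.184.16.57;service=ppp;protocol=ip,3769,133,12415,49283,162,106,0,0",
    "15-01-1998 15:10:00,STOP(4),194.184.16.2,tty54,async/321457913,addr=194.184.16.58;service=ppp,4001,600,1,1,1,1,0,0",
]
```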


Global accounting files

Global accounting files store a single user session in each line (record). These ASCII files contain the fields in tab-delimited format, with the following meaning:

Field         Description
Username      Name of the account to which the session refers
CallerID      Caller ID of the user, when available (for example his telephone number)
Addr          User address, when available
NAS           NAS name or address to which the user was connected
Port          Port name on which the user was connected
StartTime     Date/time of the beginning of the session (format dd-mm-yyyy hh:mm:ss)
StopTime      Date/time of the end of the session (format dd-mm-yyyy hh:mm:ss)
SessionTime   Length of the session in minutes, rounded according to the NTTacPlus options
ExtraTime     Length of the session in minutes (rounded) beyond the account's time credit
TimeLeft      Total remaining credit in minutes after the session
KBytesIN      Total Kbytes sent by the user
KBytesOut     Total Kbytes received by the user
SessionKB     Total traffic (in Kbytes) generated during the session, rounded according to the NTTacPlus options
ExtraKB       Total traffic (in Kbytes) generated during the session (rounded) beyond the account's traffic credit
KBytesLeft    Total remaining credit in Kbytes after the session

The ExtraTime, TimeLeft, ExtraKB and KBytesLeft fields are normally zero for sessions of accounts that have no traffic or time limit (credit), while they are meaningful for credit-based accounts. The exact duration of a session (not rounded) can be calculated as the difference between the stop and start times.

Example

If the user ermenegildo has bought a subscription for 200 total minutes, he can have several sessions, each of which consumes part of his credit. Let us suppose that the average length of his sessions is 10-20 minutes. The accounting data will then include a record for each of ermenegildo's sessions, for example:

Session   SessionTime   ExtraTime   TimeLeft
1         20            0           180
2         10            0           170
3         25            0           145
...       ...           ...         ...
23        30            0           20

After 23 sessions ermenegildo has a credit of 20 minutes left. If the OnExtraTimeCharge=1 parameter is not set in his profile, the user will be able to connect for the remaining 20 minutes, after which subsequent connection attempts will be denied.


If on the contrary OnExtraTimeCharge=1 is set, ermenegildo will be able to connect even after exhausting the 20 minutes of credit, but the extra consumption is recorded in the ExtraTime field instead of the SessionTime field. Let us suppose that when he has 20 minutes of credit left he connects for 30 minutes (thus using 10 extra minutes), and then again for 40 minutes. The length of the sessions is tracked in the accounting records as follows:

Session   SessionTime   ExtraTime   TimeLeft
24        20            10          0
25        0             40          0

This means that by summing all the SessionTime values of an account since the user started to consume the credit, you obtain the initial credit (200 in this example), while to get the extra time consumption you just sum all the ExtraTime values (10 + 40 = 50 minutes).

The same approach is also used for traffic consumption in Kbytes. An ISP can therefore sell a subscription for, say, 300 hours of connection in total, still allowing access once the credit is exhausted but applying a defined hourly charge for each hour of connection beyond the initial credit. The provider determines the total length of the extra connections by summing the ExtraTime field and can invoice the customer for the extra consumption.
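The credit arithmetic of this section, written out as an added example (not NTTacPlus code): each session is split into SessionTime, ExtraTime and TimeLeft according to the OnExtraTimeCharge rule, a denied attempt is recorded as None, and the totals show that SessionTime sums to the initial credit while ExtraTime sums to the billable overrun. The session lengths are constructed so that four sessions leave exactly the 20-minute credit of the text; the treatment of the no-extra-charge case assumes OnTimeExceededKill=1 (so no session runs past the credit), and billing per started hour is an assumption of the example.

```python
def charge_session(time_left, minutes, extra_allowed):
    """Split one session of `minutes` into (SessionTime, ExtraTime, TimeLeft).
    Returns None when the attempt is denied: credit exhausted and
    OnExtraTimeCharge not set."""
    if time_left <= 0 and not extra_allowed:
        return None
    charged = min(minutes, time_left)
    if extra_allowed:
        return charged, minutes - charged, time_left - charged
    # Assumption: without extra charging, OnTimeExceededKill=1 ends the session
    # when the credit runs out, so nothing beyond the credit is ever recorded.
    return charged, 0, time_left - charged

def run_sessions(initial_credit, lengths, extra_allowed):
    """One accounting row per attempt, numbered from 1; a denied attempt is None."""
    rows, left = [], initial_credit
    for number, minutes in enumerate(lengths, 1):
        row = charge_session(left, minutes, extra_allowed)
        rows.append((number, row))
        if row is not None:
            left = row[2]
    return rows

def totals(rows):
    """Sum SessionTime and ExtraTime over the recorded sessions, as the ISP
    would when reconciling the credit and preparing the extra-time invoice."""
    session = sum(r[0] for _, r in rows if r is not None)
    extra = sum(r[1] for _, r in rows if r is not None)
    return session, extra

def extra_invoice(rows, rate_per_hour):
    """Bill ExtraTime at an hourly rate. Assumption: every started hour is charged."""
    _, extra = totals(rows)
    started_hours = -(-extra // 60)       # ceiling division
    return started_hours * rate_per_hour

# Constructed lengths: the first four sessions use 180 of the 200 minutes,
# leaving the 20-minute situation described above; then 30 and 40 minutes.
LENGTHS = [20, 10, 25, 125, 30, 40]
```

With extra charging enabled the last two rows come out as (20, 10, 0) and (0, 40, 0), matching the page's table for sessions 24 and 25; with it disabled the 40-minute attempt is denied.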

Accounting data on ODBC SQL databases

The same records that are stored in the daily accounting text files can also be written to a SQL database through an ODBC datasource. The database must contain a table in a format similar to the one provided in the sample database (stat.mdb, an MS Access 97 file). The fields of the accounting table must appear in the following order (the administrator may add extra fields at the end of the table):

Field         Type
Username      TEXT
CallerID      TEXT
Addr          TEXT
NAS           TEXT
Port          TEXT
StartTime     DATE/TIME
StopTime      DATE/TIME
SessionTime   LONG INTEGER
ExtraTime     LONG INTEGER
TimeLeft      LONG INTEGER
KBytesIN      LONG INTEGER
KBytesOut     LONG INTEGER
SessionKB     LONG INTEGER
ExtraKB       LONG INTEGER
KBytesLeft    LONG INTEGER

SQL Active users output


The same data shown in the currently-logged-in users monitor window can be stored in real time in a SQL database through an ODBC datasource. The database must contain a table in a format similar to the one given in the sample database (stat.mdb, an MS Access 97 file). The table fields are, in order:

Field       Type
UserID      TEXT (Primary Key)
NAS         TEXT
Port        TEXT
Username    TEXT
CallerID    TEXT
Address     TEXT
LoginTime   DATE/TIME

At the beginning and at the end of each session the corresponding record is added to or removed from the table, in step with what is shown on the screen. It is therefore possible, for example with an ODBC HTTP gateway, to publish the connected user list on a web page.

Configuring Accounting in NTTacPlus

NTTacPlus accounting configuration parameters are available in the Accounting section of the console Options window (Tools/Options menu, or F8).

Activating ASCII global accounting and per-user accounting

Section      Parameter                       Value
Accounting   Accounting directory            Path where NTTacPlus creates the ASCII accounting log files
Accounting   Enable accounting text output   Enables the creation of the daily accounting ASCII files (*.acc)
Accounting   Per-user accounting logging     Enables the creation of the per-user accounting ASCII files (*.log), recording all accounting messages received from the NAS
Accounting   Log unknown user accounting     Records in the file _unknown_.log all accounting data relevant to unknown users

The Log unknown user accounting option makes NTTacPlus create, in the accounting directory, a file named _unknown_.log in which the server collects all accounting data coming from the NAS for users not configured in the NTTacPlus user database (for example users presenting themselves to the NAS with a blank username). If this option is disabled NTTacPlus simply ignores those records.

Sending unknown user accounting to the active users log window

Section      Parameter                             Value
Accounting   Send unknown users to active window   Sends unknown users (not configured in the NTTacPlus user database) to the active users window, logging their sessions

The Send unknown users to active window option tells NTTacPlus to process accounting START/STOP records of unknown users too, adding them to the active users window and creating the corresponding accounting session record (either in the .ACC file or in the ODBC datasource) at the end of the unknown user's session. This option can be useful when the network administrator configures a single default profile.


Running a customized post-accounting script

Section | Parameter | Value
Accounting | Run the following post accounting external script | Enables the execution of an external script when an accounting message is received from the NAS

You can configure NTTacPlus to execute a script or an external application when an accounting message is received from the NAS. This feature extends the accounting capabilities with fully customized procedures.

NOTE: This setting operates at a global level and not on a per-user basis, unlike the post-authentication scripts.

From the command line you can issue commands or scripts to which you can pass the following macros as command line parameters:

Macro | Value
$user | Username
$nas | NAS IP address or name
$port | Port/Interface
$clid | Caller ID
$addr | Network address
$priv | Privilege level
$type | Accounting record type (START, STOP or UPDATE)
$taskid | Session ID
$elapsed | Elapsed time (in seconds), calculated by the NAS and not by NTTacPlus
$bytesin | Input bytes
$bytesout | Output bytes
$paksin | Input packets
$paksout | Output packets

Any value returned by the script is ignored.

Post-accounting (useless) script example

Command line configured in the Options window:

cmd.exe /c c:\nttacplus2\external\foolacct.bat $user $type

Content of the script file foolacct.bat:

@echo off
rem %1 receives the $user macro, %2 receives the $type macro (START, STOP or UPDATE)
if not "%1"=="albert" goto exit_foolacct_bat
if "%2"=="START" goto is_start
if "%2"=="STOP" goto is_stop
goto exit_foolacct_bat
:is_start
net send david "Hey, Albert is logging on!"
goto exit_foolacct_bat
:is_stop
net send david "Hey, Albert is logging off!"
:exit_foolacct_bat


Time and traffic consumption rounding

Section | Parameter | Value
Accounting | Session time rounding offset | Round-off value (in minutes) applied to the accounting session time of every session (it defines the minimum "time packet" for a session)
Accounting | Session traffic rounding offset | Round-off value (in Kbytes) applied to the accounting session traffic of every session (it defines the minimum "traffic packet" for a session)

The time rounding offset sets the minimum unit (in minutes) used to round the connection time of a single session. For example, if you set that value to 5 minutes, all connection times are counted in five-minute steps: a session of 7 minutes and 32 seconds is rounded up to 10 minutes.

This option is useful to set a minimum "time packet" that the user consumes anyway; it applies especially to time credit accounts.

The same procedure applies to the traffic (meaning the sum of In Kbytes and Out Kbytes), where you can set the minimum Kbytes consumption in the Traffic rounding offset field.

Setting up time and traffic warning thresholds

NTTacPlus can send customizable email messages to warn the user that his account is expiring (either by date or by time/traffic credit). You can set the warning threshold that triggers the email notification delivery.

Section | Parameter | Value
Accounting | Date expiration warning | Sets the warning period (days) before the expiration date at which the warning message is sent
Accounting | Time expiration warning | Sets the warning threshold (minutes of remaining credit) at which the warning message is sent
Accounting | Traffic expiration warning | Sets the warning threshold (Kbytes of remaining credit) at which the warning message is sent

Configuring the accounting output on ODBC

Section | Parameter | Value
Accounting | Enable ODBC accounting | Enables accounting on an ODBC database
Accounting | Datasource name | System datasource name configured to collect accounting information
Accounting | Login Username | Username required to connect to the ODBC database
Accounting | Login Password | Password required to connect to the ODBC database
Accounting | Accounting table name | Table name that will record session information
Accounting | Log active users on table | Enables the updating of a table in which active users are stored
Accounting | Automatic reconnect on connection failure | Enables the automatic restoring of the datasource connection in case the connection drops (for example the TCP connection with a SQL Server)

In order to optimize the potential of the ODBC accounting (recording of duration and traffic of the sessions) it is possible to use the sample MS Access 97 database supplied with the package (stat.mdb). It is necessary to configure an ODBC datasource referring to that database:


1. Choose ODBC from the Control Panel.
2. Choose the System DSN tab.
3. Click on Add and choose the MS Access database driver.
4. Choose a name for the datasource (e.g. accesses) and, optionally, a description.
5. Click on Select and indicate the path/name of stat.mdb (e.g. c:\NTTacPlus2\ODBC\stat.mdb).
6. Click on OK, then close all the windows and the Control Panel. The datasource is configured.

To enable ODBC accounting output in NTTacPlus, check the Enable ODBC accounting output checkbox and make sure to insert the right parameters in the datasource name, username and password fields.

In the Accounting table name field insert the table name that will receive the accounting information. If you also want to update the active session table, turn on the Log Active users on table checkbox, specifying the name of the active session table.

In the distribution package you’ll find the stat.mdb file: it contains the accounting and the active session tables called respectively Accounting and ActiveUsers.

The last option (Automatic reconnect on connection failure) allows NTTacPlus to start a datasource reconnection attempt when the connection with the ODBC driver drops. This option is useful for example when you are using remote SQL databases (like Oracle or SQL Server) that need a TCP/IP connection between the ODBC driver and the host running the database server.


Examples of accounting data processing

This section presents some examples of how to extract the accounting data for different kinds of processing when the accounting output is a SQL/ODBC database. The examples are given as SQL queries.

Retrieving the sessions of a user given a date interval

Sessions for the ermenegildo user between 01-jan-99 and 10-jan-99:

SELECT * FROM Accounting
WHERE (Start BETWEEN #1/1/99# AND #1/10/99#) AND (Username = 'ermenegildo')
ORDER BY Start

Counting the sessions of a user given a date interval

Number of sessions for the ermenegildo user between 01-jan-99 and 10-jan-99:

SELECT COUNT(Username) AS SessionNumber FROM Accounting
WHERE (Start BETWEEN #1/1/99# AND #1/10/99#) AND (Username = 'ermenegildo')

Retrieving the total for extra traffic and time of a user given a date interval

Extra traffic and time for the ermenegildo user between 01-feb-99 and today:

SELECT Sum(ExtraTime) AS TotalTime, Sum(ExtraKB) AS TotalKB FROM Accounting
WHERE (Username = 'ermenegildo') AND (Start >= #2/1/99#)

Who was connected at midnight on New Millennium Eve (1999-2000)?

No additional comment (!):

SELECT * FROM Accounting
WHERE (Start < #1/1/00#) AND (Stop > #1/1/00#)
ORDER BY Start
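The three kinds of query above (a user's sessions and their count in a date interval, extra time/traffic totals, and who was connected at a given instant), run with Python's sqlite3 against a constructed stand-in for the Accounting table. This is an added example, not part of the manual or of stat.mdb: the table has only the columns the queries above use, the rows are invented, and timestamps are ISO-8601 text instead of Access #date# literals.

```python
import sqlite3

# Constructed sample rows (Username, Start, Stop, ExtraTime, ExtraKB); not real data.
# ISO-8601 text timestamps compare correctly as plain strings in SQLite.
SESSIONS = [
    ("ermenegildo", "1999-01-02 10:00:00", "1999-01-02 10:30:00", 0, 0),
    ("ermenegildo", "1999-01-10 09:00:00", "1999-01-10 09:45:00", 15, 1024),
    ("ermenegildo", "1999-02-03 08:00:00", "1999-02-03 09:00:00", 30, 2048),
    ("albert", "1999-12-31 23:59:30", "2000-01-01 00:00:10", 0, 0),
    ("david", "1999-12-31 20:00:00", "2000-01-01 01:00:00", 0, 0),
    ("david", "1999-12-31 23:00:00", "1999-12-31 23:59:00", 0, 0),
]


def open_db():
    """In-memory stand-in for the Accounting table of stat.mdb (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounting (Username TEXT, Start TEXT, Stop TEXT,"
        " ExtraTime INTEGER, ExtraKB INTEGER)"
    )
    conn.executemany("INSERT INTO Accounting VALUES (?, ?, ?, ?, ?)", SESSIONS)
    return conn


def sessions_between(conn, user, first_day, last_day):
    """Sessions of one user whose Start falls on first_day..last_day inclusive.
    A bare date means midnight, so the upper bound is the day after last_day
    compared with '<'; a plain BETWEEN would drop every session on last_day."""
    return conn.execute(
        "SELECT Username, Start, Stop FROM Accounting"
        " WHERE Username = ? AND Start >= ? AND Start < date(?, '+1 day')"
        " ORDER BY Start",
        (user, first_day, last_day),
    ).fetchall()


def count_sessions(conn, user, first_day, last_day):
    """Same interval, counted. Row filtering belongs in WHERE; HAVING only
    filters grouped results."""
    (n,) = conn.execute(
        "SELECT COUNT(Username) FROM Accounting"
        " WHERE Username = ? AND Start >= ? AND Start < date(?, '+1 day')",
        (user, first_day, last_day),
    ).fetchone()
    return n


def extra_totals(conn, user, since):
    """Total ExtraTime and ExtraKB of a user from 'since' onwards. COALESCE
    turns the NULL that SUM returns for an empty match into 0."""
    return conn.execute(
        "SELECT COALESCE(SUM(ExtraTime), 0), COALESCE(SUM(ExtraKB), 0)"
        " FROM Accounting WHERE Username = ? AND Start >= ?",
        (user, since),
    ).fetchone()


def connected_at(conn, instant):
    """Users with a session spanning the instant: started no later than it and
    stopped after it. The half-open test keeps a session that started in the
    last seconds before midnight, which a 23:59 bound would miss."""
    rows = conn.execute(
        "SELECT DISTINCT Username FROM Accounting WHERE Start <= ? AND Stop > ?"
        " ORDER BY Username",
        (instant, instant),
    ).fetchall()
    return [row[0] for row in rows]
```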


Configuring NTTacPlus manually

NTTacPlus stores all configuration parameters in the NTTACP.INI text file, located in the same directory as the NTTacPlus main executables.

You do not need to edit this configuration file manually, as every parameter can be set directly from the Options window of the NTTacPlus Remote Console. If you modify the configuration parameters manually in the text file, you need to stop and restart NTTacPlus for the modifications to take effect. If instead you modify the configuration through the NTTacPlus Remote Console, any change is effective immediately.

Consider manual modification of the configuration file a last resort, for the case in which wrong changes to the configuration have locked the server and all attempts to connect to it through the Remote Console fail.

Configuration file structure

The NTTACP.INI configuration file has the same structure as the standard Windows INI files, and it is divided into different sections. The following table lists all the configuration parameters, showing their equivalent in the Remote Console Options window, and whether the modification on the file requires a server restart.

Section | Parameter | Equivalent in the Options window (section / value) | Restart required?
[Options] | LogPath | Logging / Log file directory | yes
[Options] | UserPath | General / User file directory | yes
[Options] | GroupPath | General / Group file directory | yes
[Options] | AcctPath | Accounting / Accounting directory | yes
[Options] | PreAuthMsgFile | General / Pre-authentication message file | no
[Options] | PostAuthMsgFile | General / Post-authentication message file | no
[Options] | UsernamePrompt | TACACS+ / Username prompt | no
[Options] | PasswordPrompt | TACACS+ / Password prompt | no
[Options] | EnablePrompt | TACACS+ / Enable prompt | no
[Options] | Email | General / Notification E-Mail Address | yes
[Options] | SMTP | General / SMTP Server | yes
[Options] | Key | Secrets / Default secret key | yes
[Options] | MaxLoginAttempts | General / Max login attempts | yes
[Options] | TimeRoundUp | Accounting / Session time rounding offset | yes
[Options] | KbytesRoundUp | Accounting / Session traffic rounding offset | yes
[Options] | Debug | (see specific table further on) | yes
[Options] | TacacsPort | TACACS+ / TACACS+ TCP Port | yes
[Options] | WarningPeriod | Accounting / Date expiration warning period | yes
[Options] | FirstDayOfWeek | General / First day of week | yes
[Options] | SourceEMail | General / Server source e-mail | yes
[Options] | WarningTime | Accounting / Time expiration warning period | yes
[Options] | WarningKBytes | Accounting / Traffic expiration warning period | yes
[Options] | UserCheckInterval | General / Periodic check interval | yes
[Options] | RADIUSAuthPort | RADIUS / RADIUS Authentication port | yes
[Options] | RADIUSAcctPort | RADIUS / RADIUS Accounting port | yes
[Options] | Flags | (see specific table further on) | yes
[Options] | AccountingScript | Accounting / post accounting script | no
[Options] | LSCfgChkPt | used internally | --
[Registration] | Name | Registration / Registration name | yes
[Registration] | Key1 | Registration / Registration key 1 | yes
[Registration] | Key2 | Registration / Registration key 2 | yes
[ODBC] | Datasource | Accounting / ODBC Datasource name | yes
[ODBC] | AccountingTable | Accounting / Accounting table name | yes
[ODBC] | LoginUser | Accounting / Login Username | yes
[ODBC] | LoginPasswd | Accounting / Login Password | yes
[ODBC] | OnlineTable | Accounting / online users table | yes
[ODBC] | UserDBDatasource | General / User database / using this datasource | yes
[ODBC] | UserDBLoginUser | General / DB Username | yes
[ODBC] | UserDBLoginPasswd | General / DB Password | yes
[Messages] | AccountDisabled | Messages / Account disabled | no
[Messages] | TooManyLogins | Messages / Too many logins | no
[Messages] | InvalidLoginTime | Messages / Invalid login time | no
[Messages] | LoginTimeUp | Messages / Login time-up | no
[Messages] | LoginKBytesUp | Messages / Login Kbytes-up | no
[Messages] | BadLoginPassword | Messages / Bad login user/pwd | no
[Messages] | BadLoginPort | Messages / Bad login NAS port | no
[Messages] | BadLoginNAS | Messages / Bad login NAS | no
[Messages] | AccountExpiring | Messages / Account expiring | no
[Messages] | AccountExpired | Messages / Account expired | no
[Messages] | QuotaTimeUp | Messages / Quota time-up | no
[Messages] | AccountNotEffective | Messages / Account not effective | no
[Backup] | PrimaryTacascPort | Backup / Primary server port | yes
[Backup] | BackupInterval | Backup / Backup interval | yes
[Backup] | PrimaryTacacsServer | Backup / Primary server name or address | yes
[Backup] | TacUser | Backup / Primary login username | yes
[Backup] | TacPass | Backup / Primary login password | yes
[RSH] | Username | Synch / Username for RSHELL | no
[RSH] | AccountingCommand | Synch / Command to issue with RSHELL | no
[Resynch] | NASResynchList | Synch / List of NAS to query | no
[Resynch] | NASResynchPorts | Synch / List of valid interfaces | no
[Holiday] | (dd-mm list) | Holiday calendar as in the Holiday section | no
[Kill] | (interface list) | Interfaces/commands list as in the Kill section | no
[Keys] | (nas list) | IP addresses/secret keys list as in the Secrets section | no


Flags and Debug special parameters

All the NTTacPlus options associated with a checkbox in the Options window are stored in the configuration file as bitmapped numeric values, in two parameters of the [Options] section: the Debug parameter (describing the behavior of the activity event log) and the Flags parameter (for every other option). Direct modifications of these parameters in the configuration file require NTTacPlus to be restarted.

Flags values

Configuration window equivalent option | Value (hexadecimal)
General / Resolve names (DNS) | 0x00000001
Secrets / Always encrypt | 0x00000002
Accounting / Enable accounting text output | 0x00000004
Accounting / Enable ODBC accounting | 0x00000008
TACACS+ / Ignore multiple STOP records | 0x00000010
Backup / Remove local accounts before backup | 0x00000020
Backup / Enable this server for backup | 0x00000040
General / Use username for maxlogins check | 0x00000080
General / Email admin on unknown users | 0x00000100
General / Enable <default> user | 0x00000200
General / Create user profile from <default> | 0x00000400
Accounting / Log active users on table <nn> | 0x00000800
Accounting / Per-user accounting logging | 0x00001000
Logging / Enable logging to file | 0x00002000
Accounting / Automatic reconnect on connection failure | 0x00004000
(value used internally) | 0x00008000
Accounting / Log unknown user accounting | 0x00010000
Accounting / Send unknown users to the active window | 0x00020000
Backup / Forward accounting to primary server | 0x00040000
Secrets / Restrict NAS to configured IP addresses only | 0x00080000
Synch / Perform synchronization during active users check | 0x00100000
Logging / Enable logging to screen | 0x00200000
Synch / Perform synchronization on maxlogins collision detected | 0x00400000
General / Enable ODBC user database | 0x00800000
Accounting / Run the post accounting script | 0x01000000
General / Serialize SQL queries | 0x02000000
RADIUS / Use Session-Timeout for disconnection | 0x04000000


Debug values

Logging configuration window equivalent option | Value (hexadecimal)
Extended session | 0x00000002
Session thread execution | 0x00000004
Authorization session | 0x00000008
Authentication session | 0x00000010
Accounting session | 0x00000020
Password checking | 0x00000040
Backup events | 0x00000080
Packet dumping | 0x00000100
Port cleaning commands | 0x00001000
User account charging | 0x00002000
SMTP connections | 0x00004000
Max logins check | 0x00008000
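A decoder for the two bitmapped parameters, written as an added example for both the Flags and the Debug tables above (it is not part of NTTacPlus). The masks come from the tables; the NTTACP.INI fragment is constructed, the acceptance of both hex and decimal values is an assumption (the manual does not say how the number is written in the file), and the list of flags an auditor expects ON and of debug bits that put passwords or raw packets in the event log is this example's own review policy.

```python
import configparser

# Bit masks from the two tables above (Options window label keyed by mask).
FLAGS = {
    0x00000001: "General / Resolve names (DNS)",
    0x00000002: "Secrets / Always encrypt",
    0x00000004: "Accounting / Enable accounting text output",
    0x00000008: "Accounting / Enable ODBC accounting",
    0x00000010: "TACACS+ / Ignore multiple STOP records",
    0x00000020: "Backup / Remove local accounts before backup",
    0x00000040: "Backup / Enable this server for backup",
    0x00000080: "General / Use username for maxlogins check",
    0x00000100: "General / Email admin on unknown users",
    0x00000200: "General / Enable <default> user",
    0x00000400: "General / Create user profile from <default>",
    0x00000800: "Accounting / Log active users on table",
    0x00001000: "Accounting / Per-user accounting logging",
    0x00002000: "Logging / Enable logging to file",
    0x00004000: "Accounting / Automatic reconnect on connection failure",
    0x00008000: "(value used internally)",
    0x00010000: "Accounting / Log unknown user accounting",
    0x00020000: "Accounting / Send unknown users to the active window",
    0x00040000: "Backup / Forward accounting to primary server",
    0x00080000: "Secrets / Restrict NAS to configured IP addresses only",
    0x00100000: "Synch / Perform synchronization during active users check",
    0x00200000: "Logging / Enable logging to screen",
    0x00400000: "Synch / Perform synchronization on maxlogins collision detected",
    0x00800000: "General / Enable ODBC user database",
    0x01000000: "Accounting / Run the post accounting script",
    0x02000000: "General / Serialize SQL queries",
    0x04000000: "RADIUS / Use Session-Timeout for disconnection",
}
DEBUG = {
    0x00000002: "Extended session", 0x00000004: "Session thread execution",
    0x00000008: "Authorization session", 0x00000010: "Authentication session",
    0x00000020: "Accounting session", 0x00000040: "Password checking",
    0x00000080: "Backup events", 0x00000100: "Packet dumping",
    0x00001000: "Port cleaning commands", 0x00002000: "User account charging",
    0x00004000: "SMTP connections", 0x00008000: "Max logins check",
}
# Review policy chosen for this example: flags expected ON on a production
# server, and debug bits that write secrets or raw packets to the event log.
EXPECTED_ON = (0x00000002, 0x00080000, 0x00002000)
SENSITIVE_DEBUG = (0x00000040, 0x00000100)


def parse_value(text):
    """Assumption: the file may hold the number as '0x...' hex or as plain
    decimal; the manual lists the masks in hex but not the file format."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def decode(value, table):
    """Names of the options whose bit is set, and any bits the table lacks."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return names, value & ~sum(table)


def audit(ini_text):
    """Decode [Options] Flags/Debug of an NTTACP.INI text and list findings."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(ini_text)
    flags = parse_value(cp["Options"].get("Flags", "0"))
    debug = parse_value(cp["Options"].get("Debug", "0"))
    findings = [f"flag OFF: {FLAGS[b]}" for b in EXPECTED_ON if not flags & b]
    findings += [f"debug ON: {DEBUG[b]}" for b in SENSITIVE_DEBUG if debug & b]
    return {"flags": decode(flags, FLAGS)[0],
            "debug": decode(debug, DEBUG)[0],
            "findings": findings}


# Constructed NTTACP.INI fragment (values invented for the example).
SAMPLE_INI = """[Options]
Flags=0x00001005
Debug=0x00000140
"""
```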


Cisco NAS TACACS+ Attributes

List of TACACS+ authorization attributes supported by Cisco NAS

This section contains the list of the attributes for the authorization, as defined in the specifications of the TACACS+ protocol.

Attribute Description

acl ASCII number representing a connection access list. Used only for the Exec service.

inacl ASCII identifier for an interface input access list.

outacl ASCII identifier for an interface output access list.

zonelist A numeric zonelist value. (Applicable to AppleTalk only).

addr A network address.

addr-pool The identifier of an address pool from which the NAS should assign an address.

routing A Boolean. Specifies whether routing information is to be propagated to, and accepted from this interface.

route Indicates a route that is to be applied to this interface. Values must be of the form "<dst_address> <mask> [<routing_addr>]". If a <routing_addr> is not specified, the resulting route should be via the requesting peer.

timeout An absolute timer for the connection (in minutes). A value of zero indicates no timeout.

idletime An idle-timeout for the connection (in minutes). A value of zero indicates no timeout.

autocmd An auto-command to run. Used only with the Exec service.

noescape Boolean. Prevents user from using an escape character. Used only with the Exec service.

nohangup Boolean. Do not disconnect after an automatic command. Used only with the Exec service.

priv-lvl Privilege level to be assigned.

remote_user Remote userid (authen_method must have the value TAC_PLUS_AUTHEN_METH_RCMD).

remote_host Remote host (authen_method must have the value TAC_PLUS_AUTHEN_METH_RCMD).

callback-dialstring Indicates that callback should be done. Value is NULL, or a dial-string. A NULL value indicates that the service may choose to get the dial-string through other means.

callback-line The line number to use for a callback.

callback-rotary The rotary number to use for a callback.

nocallback-verify Do not require authentication after callback.

For all Boolean attributes, valid values are "true" or "false". A value of NULL means an attribute with a zero-length string for its value.

A more in-depth description of the supported attributes may be found online on the Cisco CCO site at the URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt6/index.htm
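A validator for authorization attribute-value pairs built from the table above, as an added example (not code from NTTacPlus or Cisco): it enforces the "true"/"false" rule for Booleans, the "<dst_address> <mask> [<routing_addr>]" form of route, the zero-length NULL of callback-dialstring, and rejects unknown attributes. Two details are not in the table and are stated here as the protocol's rules: TACACS+ marks mandatory pairs with "=" and optional ones with "*", and Cisco IOS privilege levels run from 0 to 15.

```python
import ipaddress

# Attribute classes taken from the table above.
BOOLEANS = {"routing", "noescape", "nohangup"}
MINUTES = {"timeout", "idletime"}  # a value of 0 means no timeout
STRINGS = {"acl", "inacl", "outacl", "zonelist", "addr-pool", "autocmd",
           "remote_user", "remote_host", "callback-line", "callback-rotary",
           "nocallback-verify"}


def parse_avpair(pair):
    """Split one pair at its first separator: '=' marks a mandatory
    attribute, '*' an optional one (TACACS+ rule, not in the table)."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], ch == "=", pair[i + 1:]
    raise ValueError(f"no separator in {pair!r}")


def validate(pair):
    """Return (attribute, mandatory, normalized value) or raise ValueError,
    so malformed values are refused before they are sent to the NAS."""
    attr, mandatory, value = parse_avpair(pair)
    if attr in BOOLEANS:
        if value not in ("true", "false"):
            raise ValueError(f"{attr} must be 'true' or 'false', got {value!r}")
        return attr, mandatory, value == "true"
    if attr in MINUTES:
        if not value.isdigit():
            raise ValueError(f"{attr} must be a whole number of minutes")
        return attr, mandatory, int(value)
    if attr == "priv-lvl":
        if not value.isdigit() or int(value) > 15:  # IOS levels are 0..15
            raise ValueError("priv-lvl must be 0..15")
        return attr, mandatory, int(value)
    if attr == "addr":
        return attr, mandatory, str(ipaddress.ip_address(value))  # ValueError if malformed
    if attr == "route":
        parts = value.split()
        if len(parts) not in (2, 3):
            raise ValueError("route must be '<dst_address> <mask> [<routing_addr>]'")
        dst, mask = (str(ipaddress.ip_address(p)) for p in parts[:2])
        via = str(ipaddress.ip_address(parts[2])) if len(parts) == 3 else None
        return attr, mandatory, (dst, mask, via)  # via None: route via the requesting peer
    if attr == "callback-dialstring":
        return attr, mandatory, value or None  # NULL: the service picks the dial-string
    if attr in STRINGS:
        return attr, mandatory, value
    raise ValueError(f"unknown attribute {attr!r}")


def validate_all(pairs):
    """Validate a whole authorization reply into {attribute: (mandatory, value)};
    a ValueError from any pair propagates so the caller can fail the reply."""
    return {attr: (mandatory, val) for attr, mandatory, val in map(validate, pairs)}
```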


Technical support and Product Registration

Documentation to enclose with communications

To help us provide quick solutions to your problems and questions, we suggest gathering the following information and including it in any specific request you send us:

1. Type and version number of the operating system where NTTacPlus server is running.

2. Brand and model of the NAS (Network Access Server) and version of its operating system.

3. Configuration corresponding to the TACACS+ or RADIUS protocols in the NAS.

4. NTTacPlus configuration file (NTTACP.INI) and possibly concerned user/group profiles.

5. Log files generated by NTTacPlus (with the debug information as detailed as possible) addressing the specific problem.

6. NTTacPlus version and build number (you can retrieve them from the Registration/About... window).

7. If you are a registered customer, please attach the name and the registration keys of the product which were provided to you by Master Soft.

How to register the product

To obtain the use license and the keys which activate the product in registered mode, please READ CAREFULLY AND FILL IN EVERY PART of the attached order form (ORDER.DOC), and send it via fax or as an e-mail attachment to the following addresses:

FAX ordering:

To: Master Soft S.n.c.
Software Support
Subject: NTTacPlus Order
Fax: +39-0321-465939

E-mail ordering:

To: [email protected]
Subject: NTTacPlus Order

Important!

The purchase of a copy of the product grants the right to the license for the use of two copies that can be installed on two different machines (enabling the activation of a primary and a backup server). Upon receiving your order, Master Soft will send you two activation keys valid for two hosts.


License Agreement

Master Soft S.n.c. licenses the enclosed software NTTacPlus (the "Software") to you only upon the condition that you accept all of the terms contained in this license agreement before installing the Software. Please read carefully the terms and conditions of this agreement. By installing, copying or otherwise using this Software you agree to be bound by the conditions of this agreement. If you do not agree with these terms, you should not install or use this Software, and you should destroy all the copies of this Software you have.

License

This Software is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The Software that accompanies this license is the property of Master Soft S.n.c. and is licensed, not sold. While Master Soft S.n.c. continues to own the Software, you will have certain rights to use the Software after your acceptance of this license. This license agreement gives you the rights to: install and use two (2) copies of the Software on two different machines (a copy for the primary server and a copy for a backup server); create a copy of the Software for archival purposes only. You cannot copy the documentation that accompanies the Software, rent or lease any portion of the Software, decompile, disassemble, reverse engineer, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

Warranty disclaimer

To the maximum extent permitted by applicable law, with regard to the Software Master Soft S.n.c. disclaims any warranty or condition, either express or implied, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose. In no event shall Master Soft S.n.c. be liable for any special, incidental, indirect or consequential damages (including damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use or inability to use the Software, even if Master Soft S.n.c. has been advised of the possibility of such damages.

Termination

Master Soft S.n.c. may terminate the right to use the Software if you fail to comply with the terms and conditions of this agreement. You may terminate this license at any time by destroying or erasing your copy of the Software. Upon the termination of this license, you must discontinue all use of the Software and you must remove the Software from your system. Master Soft S.n.c. reserves the right at any time and without any notice to you, to alter prices, features, specifications, capabilities, functions, licensing terms, availability, documentation or any other characteristics of this Software.


How to contact us

For suggestions, support, problem reporting, commercial information, purchase information or other, the Master Soft support staff can be contacted at the following address:

Master Soft S.n.c.

Piazzale Lombardia, 4
28100 NOVARA (ITALY)

Phone +39 – 0321 – 466 889
Fax +39 – 0321 – 465 939

The Master Soft Support Staff may be contacted by e-mail at the following addresses:

Marketing Team: [email protected]
Support Team: [email protected]
Master Soft Staff: [email protected]

News, prices, information and updates of the NTTacPlus and other software products are available on line at the following web addresses:

MSoft Software Site: http://software.msoft.it/
MSoft Beta Software Site: http://beta.software.msoft.it/
NTTacPlus Site: http://www.nttacplus.com/
NTMonitor Site: http://www.ntmonitor.com/
NTBatch Site: http://www.ntbatch.com/
