Authentication forces users to prove their identities when attempting to connect to the LRS. The connection type affects the authentication sequence and how the authentication information is transferred. Incoming connections may be one of the following types: character mode (Local> prompt) logins, PPP logins, SLIP logins, or virtual port logins.

11.2.1 Character Mode Logins

Each LRS serial port may be configured to support any combination of the following:

A server-wide login password
A username/password pair
Dialback on serial ports with modems attached

To configure a port to support character mode, see Port Modes .

11.2.1.1 Login Password

To set the login password, use the Set/Define Server Login Password command:

Figure 11-1: Defining Login Password

Local>> DEFINE SERVER LOGIN PASSWORD badger

Passwords and user names can be up to 10 characters long. The default password is access.

To require that users enter the login password when logging into a particular port, use the Set/Define Port Password command:

Figure 11-2: Requiring Login Password on a Port

Local>> DEFINE PORT 2 PASSWORD ENABLED

11.2.1.2 Individual Username/Password Pairs

In addition to the login password, each port may be configured to prompt users for a personal username and password. When the user enters the username/password pair, the LRS scans the authentication databases (see Comparing the Username/Password to Authentication Databases ) for a matching pair. If a match is not found, the login will not be permitted.

To enable username/password authentication, use the Set/Define Port Authenticate command:

Figure 11-3: Enabling Username/Password Authentication

Local>> DEFINE PORT 2 AUTHENTICATE ENABLED

11.2.1.3 Dialback

When dialback is used, the LRS will verify the identity of incoming users by logging the port out and dialing the user back at a specified number. Dialback may be configured to do any combination of the following:

Permit connections without dialback
Log a port out and call the user back
Terminate the connection when unauthorized users attempt to connect

The port must be configured to use modems; for additional information, see Chapter 9 - Modems.

To use dialback for character logins, a list of authorized users must be configured. Complete the following steps:

1. Enable modem control using the Define Port Modem Control Enabled command.

2. Assign a modem type to the port using the Define Port Modem Type command.

3. Enable dialback using the Define Port Dialback Enabled command:

Figure 11-4: Define Dialback Enabled

Local>> DEFINE PORT 3 DIALBACK ENABLED
4. Configure how the Dialback feature works for users that are not in the dialback database.

The Dialback Bypass setting controls what happens when a user that is not in the dialback database attempts to connect to the LRS. If Bypass is enabled, these users will be allowed to connect without dialback occurring. If Bypass is disabled, these users will not be able to connect.

Figure 11-5: Disabling Dialback Bypass

Local>> DEFINE DIALBACK BYPASS DISABLED
5. Add users to the dialback database.

To add a user to the dialback database, use the Set/Define Dialback command and specify a username and telephone number. If the user must bypass dialback (regardless of whether Dialback Bypass is enabled or disabled), specify the Bypass parameter:

Figure 11-6: Adding Users to the Dialback Database

Local>> DEFINE DIALBACK BYPASS DISABLED
Local>> DEFINE DIALBACK FRANK BYPASS
Local>> DEFINE DIALBACK BOB "555-1235"
In the example above, user frank will bypass dialback. When user bob attempts to connect, the LRS will call him back at 555-1235. If any other user attempts to connect, they will be subject to dialback; because they are not in the dialback database, the attempt will fail.

11.2.1.4 Virtual Port Logins

Users can connect to a virtual port via a terminal connected to the serial console port or over the network using Telnet, Rlogin, or EZCon. For a complete discussion of virtual ports, see Virtual Ports .

By default, incoming Telnet and Rlogin connections are not required to enter the login password. To require the login password, use the Set/Define Server Incoming Password command:

Figure 11-7: Requiring Login Password for Telnet/Rlogin Connections

Local>> DEFINE SERVER INCOMING PASSWORD
To require username/password authentication for virtual port logins, use the Set/Define Port Authenticate command. Specify port 0 as the port number.

Figure 11-8: Virtual Port Username/Password Authentication

Local>> DEFINE PORT 0 AUTHENTICATE ENABLED

11.2.2 PPP Logins

This section covers authentication on ports dedicated to PPP or with PPPdetect enabled. If PPP will be started from character mode, see Character Mode Logins .

To dedicate a port to PPP or enable PPPdetect, see Chapter 8 - Ports.

11.2.2.1 How the Username/Password is Transmitted

The username and password may be transmitted using PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). Each protocol goes through a negotiation sequence to complete the authentication; see Chapter 3 - Basic Remote Networking for details.

To use PAP or CHAP to authenticate incoming callers, CHAP Remote or PAP Remote must be enabled on the port accepting the call. One or both may be enabled, however, CHAP is recommended.

Figure 11-9: Enabling PAP and CHAP for Incoming Connections

Local>> DEFINE PORT 2 PPP CHAP REMOTE
Local>> DEFINE PORT 2 PPP PAP REMOTE
If both CHAP and PAP are configured for authentication, CHAP authentication will be attempted first. If the remote host does not understand CHAP, PAP will be attempted instead. If both PAP and CHAP fail to successfully authenticate the caller, the connection will be terminated.

11.2.2.2 Comparing the Username/Password to Authentication Databases

If the username sent by the caller matches a site name, that site will be checked to determine if it has a local password defined. The local password is the password expected from the incoming caller. To configure a local password for a site, use the Define Site Authentication Local command:

Figure 11-10: Defining a Site Local Password

Local>> DEFINE SITE irvine AUTHENTICATION LOCAL "wallaby"
If the password entered matches the site's local password, that site will be started.

If it does not match the local password, or the site does not have a local password defined, the LRS will check the next database (according to the order of database precedence). See Database Configuration for details.

A custom site will only be started if the username matches a site name and any password in an authentication database. If the username does not match a site name, but matches a username/password pair in an authentication database, a temporary site will be used to manage the connection.

If a matching username/password pair are not found in any authentication database, the connection attempt will fail.

11.2.2.3 Offering Authentication Information to the Incoming Caller

If the incoming caller must authenticate the LRS, the port must have PAP Local or CHAP Local configured. Use the Define Port PPP PAP Local/Define Port PPP CHAP Local command:

Figure 11-11: Enabling CHAP and PAP Local

Local>> DEFINE PORT 2 PPP CHAP LOCAL
Local>> DEFINE PORT 2 PPP PAP LOCAL
During PAP/CHAP negotiation, the LRS will send the site's username and remote password to the incoming caller. To set a site's username and remote password, use the Define Site Authentication command:

Figure 11-12: Configuring the Site Username and Remote Password

Local>> DEFINE SITE irvine AUTHENTICATION USERNAME seattle
Local>> DEFINE SITE irvine AUTHENTICATION REMOTE gopher
Use caution when configuring a site to offer and accept authentication information (the site has both a local and remote password). PAP does not offer complete security in this situation; if the site has PAP authentication enabled for incoming and outgoing connections, both passwords may be compromised during the LCP negotiation process.

When the LRS receives an incoming call, a site configured with a local and remote password may let the incoming caller know that it is willing to transmit these passwords. If the remote caller has PAP authentication enabled, it may persuade the LRS to transmit its passwords to the remote caller as part of the PAP authentication negotiation. At that point, the remote caller can hang up in possession of the LRS passwords; the caller may be able to use the LRS remote password to login to other networks, or to call the LRS and connect as an authorized user.

11.2.3 SLIP Logins

SLIP does not support authentication; authentication must take place before SLIP is started.

Ensure that the port will start in character mode by disabling SLIP autodetection and SLIP dedicated modes. Autodetection and dedicated are disabled by default.

Figure 11-13: Disabling SLIPdetect and SLIP Dedicated

Local>> DEFINE PORT 2 SLIPDETECT DISABLED
Local>> DEFINE PORT 2 SLIP DISABLED
Local>> DEFINE PORT 2 SLIP ENABLED
To configure character mode authentication, see Character Mode Logins .

11.2.4 Starting PPP/SLIP From Character Mode

PPP or SLIP may be started when a port is in character mode using the Set PPP or Set SLIP commands. If an incoming user specifies a particular site to be started (for example, Set PPP irvine), the site may prompt the user for its local (site-specific) password.

To configure a site's local password, use the Define Site Authentication Local command.

Figure 11-14: Setting a Site's Local Password

Local>> DEFINE SITE irvine AUTHENTICATION LOCAL "badger"
To prompt the user for the local password when they attempt to start the site, use the Define Site Authentication Prompt command:

Figure 11-15: Requiring Site's Local Password

Local>> DEFINE SITE irvine AUTHENTICATION PROMPT ENABLED

11.2.5 Dialback From SLIP/PPP Mode

To authenticate incoming PPP and SLIP callers using dialback, the site managing the incoming connection must have dialback enabled. Use the Define Site Authentication Dialback command:

Figure 11-16: Enabling Dialback on a Site

Local>> DEFINE SITE irvine AUTHENTICATION DIALBACK ENABLED
Ensure that the correct ports and telephone numbers are defined; the site will use the defined site-specific or port-specific telephone number to dial the incoming caller. See Telephone Numbers for more information.

11.2.6 Database Configuration

Five types of databases can store authentication information:

Local authentication database stored in the LRS's permanent memory (NVR)
NetWare bindery
UNIX password file
SecurID ACE/Server
Kerberos V4 server

The database search order is determined by each database or server's precedence. When configuring database precedence, it makes sense to specify the location where the username/password pair is most likely to be found as the primary database.

To check the database information, use the Show Authentication command. Databases are listed according to their precedence numbers.

11.2.6.1 Local (NVR) Database

The local database is stored in the LRS NVR. Storing authentication information locally offers the following advantages:

A network server is not required
Local authentication functions even when the network is down
Local authentication can execute and restrict user commands
CHAP may be used for authentication

Disadvantages include:

The LRS cannot share its databases with other servers
The LRS cannot share existing databases
The local database is limited by the size of the server's NVR

11.2.6.1.1 Specifying the Precedence

A precedence must be specified in order to use the Local database. To specify the precedence, use the Set/Define Authentication Local command:

Figure 11-17: Specifying the Precedence

Local>> DEFINE AUTHENTICATION LOCAL PRECEDENCE 1

11.2.6.1.2 Username/Password Pairs

To add a username/password pair to the local database, use the Set/Define Authentication Local command:

Figure 11-18: Adding User and Password to Local Database

Local>> DEFINE AUTHENTICATION USER "elmo" PASSWORD "badger"

All passwords are case sensitive. All usernames are case insensitive.

11.2.6.1.3 Forcing Execution of Commands

A command or series of commands may be associated with a particular username; the commands will be run when the user is successfully authenticated. For example, when user elmo logs into the LRS, he will be automatically telnetted to host 192.0.1.67.

Figure 11-19: Forcing Commands

Local>> DEFINE AUTHENTICATION USER "elmo" COMMAND "telnet 192.0.1.67; logout"
Commands must be enclosed in quotes. If a series of commands a specified, they must be separated by semicolons.

11.2.6.1.4 Permitting Users to Change Their Passwords

By default, users are not permitted to change their passwords. To enable a user to change his or her password, use the Set/Define Authentication User Alter command:

Figure 11-20: Permitting User to Change Passwords

Local>> DEFINE AUTHENTICATION USER "elmo" ALTER ENABLED

11.2.6.1.5 Forcing Selection of a New Password

Users may be forced to select a new password during their next login. This is useful when the user has forgotten his or her password, or to ensure that new passwords are chosen on a regular basis.

Figure 11-21: Forcing a User's Password to Expire

Local>> DEFINE AUTHENTICATION USER "elmo" EXPIRED

11.2.6.1.6 Displaying the Local Database

Local database entries can be checked with the Show/Monitor/List Authentication User command. All users, their passwords, and other parameters are listed.

See Show/Monitor/List Authentication .

11.2.6.1.7 Purging the Local Database

To remove a particular user from the database, use the Clear/Purge Authentication User command.

11.2.6.2 Kerberos

11.2.6.2.1 Introduction

The Kerberos Authentication Service is a network-based authentication service. Passwords are always transmitted in encrypted form. The LRS supports Kerberos version 4.

Kerberos is available as public-domain software and from commercial vendors. Please refer to your Kerberos server documentation for detailed information about setting up a Kerberos server, registering Kerberos clients, and administering a network that uses Kerberos.

Kerberos advantages include the following:

Passwords are always encrypted; it is not possible to obtain a user's password by eavesdropping on a connection attempt
Kerberos is a widely-accepted standard, proven to be very secure
The LRS may be easily added to an existing Kerberos network
A large number of users may be supported

Disadvantages include:

Configuring the Kerberos database can be complicated
Kerberos only runs over IP
Kerberos does not guard against guessing a user's password
If the caller attempts to use CHAP for authentication, Kerberos cannot be used

11.2.6.2.2 Configuration

Ensure that the LRS clock is synchronized with the clock on the Kerberos server. The Kerberos authentication model attaches timestamps to the packets sent between the LRS and Kerberos server to prevent replay attacks. The LRS timestamp is only allowed to deviate 5 minutes from the Kerberos server clock before the packet is considered invalid, which would result in a failed authentication attempt.

To synchronize the LRS and the Kerberos clocks, use the Set/Define IP Timeserver command:

Figure 11-22: Synchronizing the Clocks

Local>> DEFINE IP TIMESERVER 192.0.1.110
Designate a precedence number for the Kerberos server, then configure the primary and secondary Kerberos server locations by IP address:

Figure 11-23: Configuring Kerberos Precedence

Local>> DEFINE AUTHENTICATION KERBEROS PRECEDENCE 2
Local>> DEFINE AUTHENTICATION KERBEROS PRIMARY 192.0.1.52
Local>> DEFINE AUTHENTICATION KERBEROS SECONDARY 192.0.1.53
The realm is the name of the Kerberos administrative region that defines the scope of client authentication data maintained by a Kerberos server. Most installations choose realm names that mirror their Internet domain name system. To specify the realm, use the Set/Define Authentication Kerberos Realm command:

Figure 11-24: Configuring the Kerberos Realm

Local>> DEFINE AUTHENTICATION KERBEROS REALM PHRED.COM
The principle, instance and authenticator enable the Kerberos server to identify the LRS. Principle, instance, and authenticator entries must be configured on the LRS to match the corresponding entries on the Kerberos server.

The default setting for the LRS principle is rcmd; for the LRS instance, the default setting is lrs.

The authenticator is the password for the principle/instance pair. It must be defined on the LRS and the Kerberos server. A text string or an eight-byte hexadecimal value may be specified.

To specify the LRS principle, instance, and authenticator, use the Set/Define Authentication Kerberos command:

Figure 11-25: Configuring the Principle, Instance, and Authenticator

Local>> DEFINE AUTH KERBEROS PRINCIPLE "kerbauth"
Local>> DEFINE AUTH KERBEROS INSTANCE "lrsname"
Local>> DEFINE AUTH KERBEROS AUTHENTICATOR "passwd"
Local>> DEFINE AUTH KERBEROS AUTHENTICATOR 0x08FF6D3E97735421
The Key Version Number (KVNO) ensures that the LRS and Kerberos server are using the correct authenticator for the defined principle/instance pair. A KVNO must be configured on the LRS to match the KVNO on the Kerberos server.

To configure the LRS KVNO, use the Set/Define Authentication Kerberos KVNO command:

Figure 11-26: Configuring the LRS KVNO

Local>> DEFINE AUTHENTICATION KERBEROS KVNO 1
By default, the KVNO is set to 1.

For additional Kerberos configuration instructions, see Set/Define Authentication .

11.2.6.3 NetWare Bindery

NetWare file servers use a database called the bindery. The NetWare bindery offers the following advantages:

An existing NetWare database may be used
The bindery is easy to manage
A large number of users may be supported

Disadvantages include:

If the caller attempts to use CHAP for authentication, the bindery cannot be used
The bindery is not compatible with NDS unless bindery emulation mode is used

To store username/password pairs in the NetWare bindery, use the Set/Define Authentication NetWare command:

Figure 11-27: Configuring the LRS to Search a NetWare Bindery

Local>> DEFINE AUTHENTICATION NETWARE PRECEDENCE 3
Local>> DEFINE AUTHENTICATION NETWARE PRIMARY doc_server
Local>> DEFINE AUTHENTICATION NETWARE SECONDARY spare_server

11.2.6.4 SecurID

The LRS supports the ACE/Server security system, manufactured by Security Dynamics Technologies Inc. ACE/Server is a system of UNIX-based client-server software and accompanying token cards.

Please refer to the Security Dynamics documentation for ACE/Server installation instructions.

The SecurID card generates a single-use unpredictable numerical code. This "cardcode," together with the user's PIN, form the basis of the SecurID authentication. The PIN and generated cardcode are referred to collectively as the SecurID passcode. To gain access to a network protected by SecurID, both elements of the passcode must be entered correctly.

SecurID advantages include the following:

Three items are required for authentication: the token card, a PIN, and a user ID.
The card's cardcode is constantly changing, thus changing the passcode that the user enters
If someone eavesdrops on a connection attempt and obtains a passcode, the passcode will not be useful; a new passcode will be required in a few minutes. This enhances the security of Telnet connections.

Disadvantages include:

If the caller attempts to use CHAP for authentication,
SecurID cannot be used
Users are required to carry the token card
Cannot be used for LAN to LAN connections; the LRS does not have a way to generate passcodes
The SecurID server must be configured

To log into the LRS, the user must enter a username at the username prompt, and the passcode at the password prompt.

To use the ACE/Server to authenticate username/passcodes, use the Set/Define Authentication SecurID command:

Figure 11-28: Configuring the LRS to Use SecurID

Local>> DEFINE AUTHENTICATION SECURID PRECEDENCE 4
Local>> DEFINE AUTHENTICATION SECURID PRIMARY 192.0.1.50
Local>> DEFINE AUTHENTICATION SECURID SECONDARY 192.0.1.51
If SecurID receives repeated authentication requests for an invalid username/password pair, it will assume that a login attack is taking place. SecurID will react by continually slowing its responses to the LRS.

When SecurID is used in conjunction with other authentication methods, this problem can be avoided by ensuring that SecurID has the highest precedence number. For example, if you're using SecurID, Kerberos, and a UNIX password file, set SecurID's precedence to 3.

For additional SecurID configuration instructions, see Set/Define Authentication .

11.2.6.5 UNIX Password File

Trivial File Transfer Protocol (TFTP) can be used to retrieve files from remote systems. During authentication, the LRS can TFTP a UNIX password file and check the username and password fields for the pair provided by a user. The LRS cannot add, modify, or delete password file entries.

The TFTP file is stored in unix /etc/passwd format. It must be in a location reachable via TFTP.

TFTP poses a security risk. If the LRS can retrieve the file, chances are that other hosts on the network can retrieve the file and potentially crack the passwords. If your network is not trusted, you may not want to use TFTP authentication.

To use a UNIX password file to authenticate users, use the Set/Define Authentication TFTP command:

Figure 11-29: Configuring the LRS to Use a UNIX Password File

Local>> DEFINE AUTHENTICATION TFTP PRECEDENCE 5
Local>> DEFINE AUTHENTICATION TFTP PRIMARY 192.0.1.50
Local>> DEFINE AUTHENTICATION TFTP SECONDARY 192.0.1.51
Specify the full pathname of the password file using the Set/Define Authentication TFTP Filename command:

Figure 11-30: Specifying the Pathname of the Password File

Local>> DEFINE AUTHENTICATION TFTP FILENAME "/tftpboot/passwd"

11.3 Outgoing LAN to LAN Authentication

When the LRS attempts to connect to a remote host, the host may require that the LRS send a username and password. The method used to transmit this username/password pair is dependent upon the type of login: character, SLIP, or PPP.

11.3.1 Character Mode Logins

If the remote device is expecting the information in character mode, the username and password must be sent in a chat script. The chat script should expect the username prompt, send the appropriate username, expect the password prompt, and send the appropriate password. See Chapter 4 - Additional Remote Networking for information on configuring chat scripts.

11.3.2 PPP Logins

If the remote device supports PPP, the username and password may be transmitted using PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). Each protocol goes through a negotiation sequence to complete the authentication; see Chapter 3 - Basic Remote Networking for details.

To enable CHAP and PAP authentication on outgoing connections, use the Define Site Authentication CHAP and Define Site Authentication PAP commands. One or both may be enabled, however, CHAP is recommended.

Figure 11-31: Enabling PAP/CHAP Outgoing Authentication

Local>> DEFINE SITE dallas AUTHENTICATION CHAP ENABLED
Local>> DEFINE SITE dallas AUTHENTICATION PAP ENABLED
If both CHAP and PAP are configured for authentication, CHAP authentication will be attempted first. If the remote host does not understand CHAP, PAP will be attempted instead. If both PAP and CHAP fail, the connection will be terminated.

To define the username that the LRS sends to the remote host, use the Define Site Authentication Username command:

Figure 11-32: Configuring Site Username

Local>> DEFINE SITE dallas AUTHENTICATION USER "seattle"
The password sent to the remote host is called the remote password. Configure this password with the Define Site Authentication Remote command.

Figure 11-33: Configuring Site Remote Password

Local>> DEFINE SITE dallas AUTHENTICATION REMOTE "badger"

11.3.3 SLIP Logins

All outgoing SLIP authentication must be done with chat scripts before SLIP starts. SLIP does not support any authentication. To configure chat scripts, see Chapter 4 - Additional Remote Networking.

11.4 Restricting Users

LRS users may be restricted in a number of ways. They may be prevented from using particular commands, forced to use a certain configuration, or forced to use a particular IP address.

11.4.1 Privileged Commands

Many of the LRS commands require privileged user (superuser) status. To become the privileged user, use the Set Privileged command. The default privileged password is system.

Figure 11-34: Set Privileged Command

Local> SET PRIVILEGED
Password> system (not echoed)
Local>>

To change the privileged password, use the Set/Define Server Privileged Password command.

Only one user may have privileged status at any time. If another user currently has privileged status, the Set Privileged Override command may be used to forcibly become the privileged user.

To stop being the privileged user, use the Set Noprivileged command.

11.4.2 Controlling Use of the Set PPP/SLIP Commands

In order for incoming callers to start PPP or SLIP with the Set PPP/SLIP commands, PPP or SLIP must be enabled on the port receiving the call. By default, PPP and SLIP are disabled.

To enable or disable PPP or SLIP on a port, use the Set/Define PPP/SLIP command:

Figure 11-35: Disabling PPP and SLIP

Local>> DEFINE PORT 2 PPP DISABLED
Local>> DEFINE PORT 2 SLIP DISABLED

11.4.3 Securing a Port

When a port is secure, users on that port will be prevented from editing many of the port's settings. In addition, they will only be able to display a limited amount of information using Show/Monitor/List commands.

It is recommended to secure ports used for public use; for example, ports used for public dialin modem pools. To secure a port, use the Set/Define Port Security command:

Figure 11-36: Securing a Ports

Local>> DEFINE PORT 2 SECURITY ENABLED
Users logged in on secure ports cannot become privileged users.

11.4.4 Locking a Port

The Lock command may be used to secure a port without disconnecting sessions. When Lock is entered, the user will be prompted to enter a password. The port will then be locked until this password is used to unlock it.

Figure 11-37 displays an example.

Figure 11-37: Locking and Unlocking a Port

Local> LOCK
Password> donut (not echoed)
Verification> donut (not echoed)
Unlock password> donut (not echoed)
Local>

Secure ports (set using the Set/Define Port Security command) cannot be locked.

To unlock a port without the Lock password, a privileged user must use the Unlock Port command or log out the port using the Logout command. Logout will disconnect all sessions.

11.4.5 Forcing Execution of Commands

When a username is entered in the local authentication database (NVR), a series of commands may be associated with that user. These commands will be executed when the user is successfully authenticated.

To execute commands when a user logs into the LRS, ensure that authentication databases have been configured; see Database Configuration for instructions.

Associate commands with the username using the Set/Define Authentication User Command command. When the user is successfully authenticated, these commands will be executed.

Figure 11-38: Forcing User to Start a Particular Site

Local>> DEFINE AUTHENTICATION USER bob COMMAND "SET PPP dialin_users; logout"
In the example above, when user bob logs into the LRS, he will automatically start PPP and run site dialin_users.

To ensure that the user is not left at the Local> prompt after the forced command finishes executing, the string ";logout" may be added.

11.4.6 Menu Mode

For added security, ports may be configured to run menu mode. When a port is in menu mode, users that log into the port will be presented with a list of menu options. They will be limited to the choices listed on the menu, and will not be permitted to enter text commands.

To set up a menu, use the Set/Define Menu command. For each menu entry, specify the option's numbered position in the table, the option name that will be listed, and the actual command invoked when the user chooses that option. Option and command names must be enclosed in quotes.

Figure 11-39: Adding Command Entry to Menu Mode

Local>> DEFINE MENU 4 "Telnet irvine" "TELNET 192.0.1.53"
To display the current menu, use the Show/Monitor/List Menu command.

To enable menu mode on a particular port, use the Set/Define Port Menu command:

Figure 11-40: Configuring Port to Run Menu Mode

Local>> DEFINE PORT 2 MENU ENABLED

11.4.7 IP Address Restriction

To avoid routing problems and enhance security, the LRS can restrict incoming remote networking callers to a particular address or range of addresses.

Each site may specify a particular range of acceptable IP addresses. When an incoming caller requests to use a specific address, it will be compared to this range. If the address falls within the range, the connection will be permitted, if not, the connection attempt will fail.

To specify the beginning and end of the range, use the Define Site IP Remoteaddress command. Two addresses must be specified: the beginning of the range, and the end of the range.

Figure 11-41: Specifying Range of Addresses

Local>> DEFINE SITE irvine IP REMOTEADDRESS 192.0.1.110 192.0.1.250
Callers will not be permitted to use IP addresses with the host part of the address set to zero or -1. These addresses are reserved to identify broadcast packets. If the range that you specify includes such an address (for example, 192.4.5.0 or 192.4.5.255) and a caller requests this address, the connection will not be permitted.

For more information on IP address assignment, see IP and IPX Addressing .

11.5 Network Restrictions

11.5.1 Incoming Telnet/Rlogin Connections

Incoming Telnet and Rlogin connections can be permitted without restriction, forced to enter the login password, or prevented entirely. By default, incoming Telnet and Rlogin connections are permitted without entering the login password; to change this configuration, use the Set/Define Server Incoming command:

Figure 11-42: Preventing Incoming Telnet/Rlogin Logins

Local>> DEFINE SERVER INCOMING NONE
Local>> DEFINE SERVER INCOMING PASSWORD
In Figure 11-42, the first command prevents all incoming Telnet and Rlogin connections. The second command permits the connections, but requires that the login password be entered before the connection is permitted.

To configure the login password, see Login Password .

11.5.2 Outgoing Rlogin Connections

The Set/Define Server Rlogin setting controls whether or not outgoing Rlogin connections are permitted. By default, outgoing Rlogin is disabled; to change this setting, use the following command:

Figure 11-43: Permitting Outgoing Rlogin Connections

Local>> DEFINE SERVER RLOGIN ENABLED
To configure incoming Rlogin connections, see Incoming Telnet/Rlogin Connections on page 11 - 28.

11.5.3 Port Access

A port's access may be set to one of the following: dynamic, local, remote, or none. Dynamic permits both local and remote logins, local permits only local logins, and remote permits only remote logins. None prevents all incoming and outgoing connections; the port is unusable.

To configure a port's access setting, use the Set/Define Port Access command.

Figure 11-44: Configuring Connection Type

Local>> DEFINE PORT 2 ACCESS REMOTE
Local>> DEFINE PORT 2 ACCESS DYNAMIC

For more information about configuring a port's access, refer to Access to a Port .

11.5.4 Packet Filters and Firewalls

Filters enable the LRS to restrict packet traffic. Each filter specifies a particular rule, for example, only IP packets will be permitted passage. Packets that pass the filter will be forwarded; packets that don't will be discarded.

Filters are organized into ordered filter lists, which are referenced by name. For example, a filter named firewall may permit forwarding of packets that match a particular IP rule, but deny passage to packets that match a generic rule.

For a complete explanation of filter rules, see Set/Define Filter .

Filter lists are associated with sites. Sites use filter lists for the following purposes:

Table 11-1: Types of Filter Lists

Type of Filter List Purpose
Idle Determines whether the site will remain active. Packets that pass the filter will reset the site's idle timer, preventing the site from being timed out.
Incoming Determines whether to forward incoming packets received from a remote site. Packets that pass the filter will be forwarded.
Outgoing Determines whether to forward outgoing packets to a remote site. Packets that pass the filter will be forwarded.
Startup Determines whether a site will initiate a connection to a
remote site. When a packet passes the filter, the LRS will initiate an outgoing connection. (If an outgoing connection currently exists, this filter will be ignored).
When a site with an associated filter list receives a packet, the LRS will compare the packet against each filter starting with the first filter on the list. If the packet matches any of the filters, the packet will be forwarded or discarded according to the filter's specification. If the packet does not match any of the filters in the list, it will not be forwarded.

Type of Filter List	Purpose
Idle	Determines whether the site will remain active. Packets that pass the filter will reset the site's idle timer, preventing the site from being timed out.
Incoming	Determines whether to forward incoming packets received from a remote site. Packets that pass the filter will be forwarded.
Outgoing	Determines whether to forward outgoing packets to a remote site. Packets that pass the filter will be forwarded.
Startup	Determines whether a site will initiate a connection to a remote site. When a packet passes the filter, the LRS will initiate an outgoing connection. (If an outgoing connection currently exists, this filter will be ignored).

11.5.4.1 Filter Order

The order that filters appear in a list is very important. For example, consider the following filter list.

1. Allow any packets

2. Deny all IP traffic matching a particular rule

When this filter list is associated with a site, all packets will be forwarded. Packets will be compared to the first filter in the list, and all packets will match specification "any packets". Therefore, all packets will be forwarded without being compared to the second filter.

Switching the order of the filters will have very different effects. Examine the filter list below, where the order of the two filters is reversed.

1. Deny all IP traffic matching a particular rule

2. Allow any packets

When this filter list is used, any IP traffic matching the specified rule will be discarded. Therefore, some IP packets will be discarded without being compared to the second filter.

11.5.4.2 Preventing all IP or IPX Traffic

To prevent all packet traffic from a particular protocol (for example, all IP packets), filter lists do not need to be used. Use the Define Site IP/Define Site IPX Disabled command:

Figure 11-45: Preventing IPX Packet Traffic

Local>> DEFINE SITE irvine IPX DISABLED

11.5.4.3 Setting up Filter Lists

Configuring filter lists involves two primary steps: creating the filter list, and associating the list with a particular site.

1. Creating a Filter List

When a filter list is created, it must be assigned a name of no more than 12 characters. The remainder of the configuration consists of a series of rules that will filter packet traffic in a particular way.

Use the Set/Define Filter command to create a new filter.

Figure 11-46: Define Filter Command

Local>> DEFINE FILTER firewall ADD 1 DENY IP SRC 192.0.1.0 255.255.255.0
Each rule is assigned a particular position in the filter list, denoted by a number. In Figure 11-46, the rule Deny IP will be added to the firewall filter in the first position of the list. If a position number isn't specified with the Set/Define Filter command, the rule will be added to the end of the filter list.

2. Associating a Filter List With a Site

A single filter list can be associated with many sites. Each site may use a filter list as an incoming, outgoing, startup, or idle filter.

Filter list types are described in Table 11-1 .

To associate a filter list with a site, use the Define Site Filter command.

Figure 11-47: Associating a Filter List With Sites

Local>> DEFINE SITE irvine FILTER IDLE firewall
Local>> DEFINE SITE dallas FILTER INCOMING firewall
In Figure 11-47, filter firewall will be used as an idle filter for site irvine, and as an incoming filter for site dallas.

11.6 Event Logging

Event logging enables a network administrator to track network and user activity.

Logging can be configured at a number of levels. For example, one level of logging may record only system problems related to authentication, and another level may record all authentication activities (all passwords).

11.6.1 Destination

In order to use logging, the LRS must be configured to send logging information to one of following destinations:

A TCP/IP host running syslog
A Novell fileserver
The LRS memory
The LRS console port

To specify the logging destination, use the Set/Define Logging Destination command:

Figure 11-48: Specifying Logging Destination

Local>> DEFINE LOGGING DESTINATION CONSOLE
Local>> DEFINE LOGGING DESTINATION 192.0.1.5
Local>> DEFINE LOGGING DESTINATION betty:
If an IP hostname is specified (rather than an IP address), a colon must be appended to the hostname. Use of an IP address is suggested. Novell fileserver names must have a backslash ( \ ) appended to the name.

11.6.2 Logging Levels

The following table lists the different areas that can be logged and the logging options available for each area:

Table 11-2: Events Logged by the LRS

To Log Events Associated With: The Following Options are Available:
(Numbers Reflect Logging Level)
IP

Errors
Routing Table Changes
Incoming/Outgoing RIP packets
Resulting routing table
Contents of all RIP packets
Routed packets
IPX

Critical Conditions
Error Conditions
Warnings
Normal but Significant Conditions
Informational Messages
Debug-level Messages
Site

Errors
State Transitions
Chat Scripts
Modem Dialing
Port Connections
Connection Failures
Usage Summary
Modem

Problem
Call Statistics Dump From Modem
Setup
PPP

Local System Problems
Remote System Problems
Negotiation Failures
Negotiation Data
State Transitions
Full Debugging
Authentication

System Problems
Failures and Successes
All Logins
Incorrect Passwords
All Passwords
Commands Enabled
Disabled
Network Enabled
Disabled
Printer Enabled
Disabled
System Enabled
Disabled

To Log Events Associated With:		The Following Options are Available: (Numbers Reflect Logging Level)
IP		Errors Routing Table Changes Incoming/Outgoing RIP packets Resulting routing table Contents of all RIP packets Routed packets
IPX		Critical Conditions Error Conditions Warnings Normal but Significant Conditions Informational Messages Debug-level Messages
Site		Errors State Transitions Chat Scripts Modem Dialing Port Connections Connection Failures Usage Summary
Modem		Problem Call Statistics Dump From Modem Setup
PPP		Local System Problems Remote System Problems Negotiation Failures Negotiation Data State Transitions Full Debugging
Authentication		System Problems Failures and Successes All Logins Incorrect Passwords All Passwords
Commands		Enabled Disabled
Network		Enabled Disabled
Printer		Enabled Disabled
System		Enabled Disabled

For example, to log all logins and send the information to the console port, use the following command:

Figure 11-49: Logging All Logins

Local>> DEFINE LOGGING AUTHENTICATION 3

Caution: Logging passwords may compromise security.

Each logging level will also log all events associated with lower logging levels. For example, if logging level 6 is specified, the events associated with levels 1-5 will also be logged.

To disable all logging of a particular area (for example, IPX), use the Set/Define Logging None command:

Figure 11-50: Disabling IPX Logging

Local>> DEFINE LOGGING IPX NONE
To disable all logging, use the following command:

Figure 11-51: Disabling Event Logging

Local>> DEFINE LOGGING DESTINATION NONE

11.7 Examples

11.7.1 Database Search Order

The LRS must be configured for authentication using an existing NetWare bindery and UNIX password file. The configuration must meet the following criteria:

The majority of users are listed in the NetWare bindery, located on the doc_server NetWare file server.
Two other groups of users are listed in UNIX password files; the files are on hosts 192.0.1.87 and 192.0.1.99
Any additional users will be added to the local database

Figure 11-52 shows how to configure the LRS in this situation:

Figure 11-52: Configuring Database Order

Local>> DEFINE AUTHENTICATION NETWARE PRECEDENCE 1
Local>> DEFINE AUTHENTICATION NETWARE PRIMARY doc_server
Local>> DEFINE AUTHENTICATION TFTP PRECEDENCE 2
Local>> DEFINE AUTHENTICATION TFTP PRIMARY 192.0.1.99
Local>> DEFINE AUTHENTICATION TFTP SECONDARY 192.0.1.87
Local>> DEFINE AUTHENTICATION LOCAL PRECEDENCE 3
In order for the configuration to take effect, the LRS must be rebooted after configuration.

11.7.2 Terminal User Forced to Execute Command

Terminal user jerry does not have an existing account on UNIX or the NetWare fileserver. He will only use the LRS to telnet to his own remote host, venus.

The following figure shows the commands necessary to add jerry to the local database.

Figure 11-53: A Single User Entry

Local>> DEFINE AUTHENTICATION USER "jerry" PASSWORD "3no37" COMMAND "TELNET
venus;LOGOUT" ALTER DISABLED
When jerry connects to the LRS, he is prompted for a login password, then his own username and password. When authenticated, he is automatically telnetted to host venus and logged out of the LRS.

Jerry will see the following:

Figure 11-54: Results of User Authentication with Command

Type HELP at the 'Local_1>' prompt for assistance.

Login password> badger (not echoed)
Username> jerry
Password> 3no37 (not echoed)

Telnet/TCP protocol emulation v2.2
SunOS UNIX (venus)
Login:_

11.7.3 Multiple-User Authentication

A large number of users need to connect to the LRS. These users must be authenticated. The LRS must be configured to meet the following criteria:

All users will connect to port 2.
100 users have their usernames and passwords stored in a UNIX password file.
Another 50 users are PPP users that share site pppUsers for their connections. This site's password is special.
There is one SLIP user that will use site SlipMan. This site has password exception; once the password is entered, the site must automatically enter SLIP mode.

Port 2 must be configured to automatically detect PPP so that it can begin running PPP and CHAP when necessary. The port must not be dedicated to PPP, however, because other connections will be using the same port.

In order to authenticate the SLIP user, SLIPdetect must be disabled.

Figure 11-55 displays the commands necessary for this configuration:

Figure 11-55: Authentication for Multiple Users

Local>> DEFINE AUTHENTICATION TFTP PRECEDENCE 1
Local>> DEFINE AUTHENTICATION TFTP PRIMARY 192.0.1.88
Local>> DEFINE PORT 2 AUTHENTICATE ENABLED

Local>> DEFINE SITE PPPusers LOCAL "special"
Local>> DEFINE PORT 2 PPPDETECT ENABLED

Local>> DEFINE PORT 2 SLIPDETECT DISABLED
Local>> DEFINE SITE SlipMan IP REMOTEADDRESS 192.0.1.17
Local>> DEFINE SITE SlipMan LOCAL "exception"
Local>> DEFINE SITE SlipMan PROTOCOL SLIP

11.7.4 Outgoing LAN to LAN Connection

An LRS in Dallas must connect to an LRS in Seattle. The Dallas LRS must be configured in the following manner:

The LRS in Dallas must have a site for the connection to the Seattle LRS. The site's name is seattle.
PPP will be used for the connection.
PAP authentication will be used.
To authenticate itself, the LRS in Dallas must send username dallas and password texas.

Figure 11-56 requires the following commands:

Figure 11-56: Configuring Remote Site Authentication

Local>> DEFINE SITE seattle AUTHENTICATION PAP ENABLED
Local>> DEFINE SITE seattle AUTHENTICATION USERNAME dallas
Local>> DEFINE SITE seattle AUTHENTICATION REMOTE "texas"

11.7.5 Creating a Firewall

A local network consists of addresses 192.0.1.0 through 192.0.1.24. Site irvine is used to manage connections to this network. Irvine requires a firewall that does the following:

Prevents IP spoofing
Permits outgoing Telnet connections
Permits SMTP (Simple Mail Transfer Protocol) traffic to the local SMTP server, 192.0.1.102. The backup SMTP server is 192.0.1.103
Permits NNTP (Network News Transfer Protocol) traffic between the local NNTP server, 192.0.1.104, and the remote NNTP server, 192.0.2.100
Permits outgoing FTP connections
Permits DNS queries to the local Domain Name Server, 192.0.1.101
Permits ICMP (Internet Control Message Protocol) messages
Permits outgoing requests

The firewall will be named fw_i. Packets that do not specifically match the filters in fw_i will be denied passage through the LRS.

Due to the length of the commands in this example, the keywords Define and Filter are shortened to Def and Filt.

The Set/Define Filter Create command is used to create the firewall.

Figure 11-57: Creating the Filter List

Local>> DEF FILT fw_i CREATE
To prevent IP spoofing, the Define Filter Add Deny IP SRC command is used. This filter will block any packets from an outside network that claim to have originated from the local network. This filter is placed at the beginning of the filter list; if it were not, spoofed IP packets could be permitted passage by filters positioned before this rule.

Figure 11-58: Preventing IP Spoofing

Local>> DEF FILT fw_i ADD DENY IP SRC 255.255.255.0 192.0.1.0

The CERT advisory on IP spoofing is available from ftp://cert.org/pub/cert_advisories/CA-95:01.IP.Spoofing.

To permit outgoing Telnet connections initiated from the local network, the following command is used:

Figure 11-59: Permitting Outgoing Telnet Connections

Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ TELNET DPORT GT 1023 ACK
To permit SMTP traffic between the LRS and the local and backup SMTP servers, the following commands are required:

Figure 11-60: Permitting SMTP Traffic to SMTP Servers

Local>> DEF FILT fw_i ADD ALLOW IP TCP DPORT EQ SMTP SPORT GT 1023 DST 255.255.255.255 192.0.1.102
Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ SMTP DPORT GT 1023 ACK DST 255.255.255.255. 192.0.1.102
Local>> DEF FILT fw_i ADD ALLOW IP TCP DPORT EQ SMTP SPORT GT 1023 DST 255.255.255.255 192.0.1.103
Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ SMTP DPORT GT 1023 ACK DST 255.255.255.255 192.0.1.103
To permit NNTP traffic between the local and remote NNTP servers, the following commands are required:

Figure 11-61: Permitting Traffic Between NNTP Servers

Local>> DEF FILT fw_i ADD ALLOW IP TCP DPORT EQ NNTP SPORT GT 1023 DST 255.255.255.255 192.0.1.104 SRC 255.255.255.255 192.0.2.100
Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ NNTP DPORT GT 1023 ACK DST 255.255.255.255 192.0.1.104 SRC 255.255.255.255 192.0.2.100
The following commands are used to permit outgoing FTP connections:

Figure 11-62: Permitting Outgoing FTP Connections

Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ FTP DPORT GT 1023 ACK
Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT GT 1023 DPORT GT 1023 ACK
Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ FTPDATA DPORT GT 1023 DST 255.255.255.255.255 192.0.1.101
The three commands below permit UDP- and TCP-based queries and answers to the local Domain Name Server:

Figure 11-63: Permitting DNS Queries

Local>> DEF FILT fw_i ADD ALLOW IP UDP DPORT EQ DNS DST 255.255.255.255 192.0.1.101
Local>> DEF FILT fw_i ADD ALLOW IP TCP DPORT EQ DNS SPORT GT 1023 DST 255.255.255.255 192.0.1.101
Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ DNS DPORT GT 1023 ACK DST 255.255.255.255 192.0.1.101
To permit ICMP messages (except for redirect messages), a generic IP rule is defined:

Figure 11-64: Permitting ICMP Messages

Local>> DEF FILT fw_i ADD ALLOW IP ICMP IPGENERIC OFFSET 0 MASK 0xf0000000 NE 0x50000000
Outgoing finger requests are permitted and incoming requests prevented using the command below:

Figure 11-65: Permitting Outgoing Requests

Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ FINGER DPORT GT 1023 ACK
To use firewall fw_i as an incoming filter list for site irvine, the Define Site Filter Incoming command is used:

Figure 11-66: Configuring a Firewall

Local>> DEF SITE irvine FILTER INCOMING fw_i

11.7.6 Dialback

An LRS must be configured to prevent all users from connecting with the exception of two users, sam and paul. When sam and paul attempt to connect to the LRS, the modem must dial them back to verify their identities.

The modem is connected to LRS port 2, and there isn't a corresponding modem profile. The generic modem profile must be used.

Figure 11-67: Enabling Modem Handling/Selecting a Modem Type

Local>> LIST MODEM
1- Modem 1
2- Modem 2
3- Generic
Local>> DEFINE PORT 2 MODEM ENABLED
Local>> DEFINE PORT 2 MODEM TYPE 3
%Info: Port speed changed to 57600.
%Info: Port flow control changed to CTS.
To configure dialback, the following commands are used:

Figure 11-68: Configuring Dialback

Local>> DEFINE PORT 2 DIALBACK ENABLED
Local>> DEFINE DIALBACK sam "123-4567"
Local>> DEFINE DIALBACK paul "867-5309"
Local>> DEFINE DIALBACK BYPASS DISABLED
Local>> LOGOUT PORT 2

11.8 Troubleshooting

To troubleshoot authentication problems, use event logging. To configure event logging, use the Set/Define Logging command.

Figure 11-69: Configuring Authentication Event Logging

Local>> DEFINE LOGGING DESTINATION CONSOLE
Local>> DEFINE LOGGING AUTHENTICATION 4
Fri Jan 26 13:44:40 1996 LRS_00DD12: SYSTEM: notice: log closed
Fri Jan 26 13:44:40 1996 LRS_00DD12: SYSTEM : notice: syslog started
Fri Jan 26 13:44:49 1996 LRS_00DD12: AUTH: info: Denied Port 4 User john Password badpass Method Local
Fri Jan 26 13:45:27 1996 LRS_00DD12: AUTH: info: Granted Port 4 User john Password goodpass Method Local
Fri Jan 26 13:45:39 1996 LRS_00DD12: AUTH: notice: Port 4 user john privilege password denied.
Fri Jan 26 13:45:49 1996 LRS_00DD12: AUTH: notice: Port 4 user john privilege password granted.

11.9 Quick Reference

Incoming Authentication: Character Mode Logins
To	Use This Command	Example(s)	What Example Does
Set the Login Password	Set/Define Server Login Password	DEFINE SERVER LOGIN PASSWORD badger	Defines "badger" as the LRS login password. See Login Password for more information.
Require the Login Password for Character Mode Logins to a Particular Port	Set/Define Port Password	DEFINE PORT 2 PASSWORD ENABLED	Requires the login password for character mode logins to port 2. See Login Password for more information.
Enable Username/Password Authentication for a Particular Port	Set/Define Port Authenticate	DEFINE PORT 2 AUTHENTICATE ENABLED	Requires a username/password pair for character mode logins to port 2. See Individual Username/Password Pairs for more information.
Use Dialback for Character Mode Logins	1. Define Port Modem Control	DEFINE PORT 2 MODEM CONTROL ENABLED	Enables modem operation on port 2. See Dialback for more information.
	2. Define Port Modem Type	DEFINE PORT 2 MODEM TYPE 11	Applies the settings in modem profile 11 to port 2.
	3. Define Port Dialback	DEFINE PORT 2 DIALBACK ENABLED	Enables dialback operation on port 2.
	4. Define Port Dialback Bypass	DEFINE DIALBACK BYPASS DISABLED	Controls what happens when users not in the dialback database attempt to a connection to the LRS. In this example, users not in the database will not be able to connect.
Incoming Authentication: Character Mode Logins, cont.
To	Use This Command	Example(s)	What Example Does
	5. Set/Define Dialback Bypass	DEFINE DIALBACK FRANK BYPASS DEFINE DIALBACK BOB "555-1235"	Adds users "Frank" and "Bob" to the dialback database. User Frank will be permitted to connect to the LRS without dialback occurring. When Bob attempts to connect, he will be dialed back at 555-1235. All other users will be prevented from connecting.
Prompt Users for a Site's Local Password When the Set PPP/Set SLIP Command is Used	Define Site Authentication Prompt	DEFINE SITE irvine AUTHENTICATION PROMPT ENABLED	When a user enters Set PPP <sitename> or Set SLIP <sitename>, they will be prompted for that site's local password. See Starting PPP/SLIP From Character Mode for more information.
Incoming Authentication: Virtual Port Logins
To	Use This Command	Example(s)	What Example Does
Require the Login Password for Incoming Telnet and Rlogin Attempts	Set/Define Server Incoming	DEFINE SERVER INCOMING PASSWORD	Required that incoming Telnet and Rlogin users enter the LRS login password. See Virtual Port Logins or Login Password for more information.
Require Username/Password Authentication on Virtual Ports	Set/Define Port Authenticate	DEFINE PORT 0 AUTHENTICATE ENABLED	Requires a username/password pair for incoming Telnet/Rlogin connections. See Virtual Port Logins for more information.
Incoming Authentication: PPP Logins
To	Use This Command	Example(s)	What Example Does
Use CHAP to Authenticate Incoming Callers	Define Port PPP CHAP Remote	DEFINE PORT 2 PPP CHAP REMOTE	Uses CHAP to transmit the incoming username/password pair. See How the Username/Password is Transmitted for more information.
Use PAP to Authenticate Incoming Callers	Define Port PPP PAP Remote,	DEFINE PORT 2 PPP PAP REMOTE	Uses PAP to transmit the incoming username/password pair. See How the Username/Password is Transmitted for more information.
Define the Password Expected From the Incoming Caller for a Particular Site	Define Site Authentication Local	DEFINE SITE irvine AUTHENTICATION LOCAL "wallaby"	Defines "wallaby" as the local password for site irvine. When an incoming caller enters "irvine" and "wallaby" as its username and password, site irvine will be used to manage the connection. See Comparing the Username/Password to Authentication Databases for more information.
Send a Username/Password Pair to the Remote Host	Define Site Authentication Username	DEFINE SITE irvine AUTHENTICATION USERNAME seattle	When the remote host requests authentication information from site irvine, the LRS will send "seattle" as its username. See Offering Authentication Information to the Incoming Caller for more information.
		DEFINE SITE irvine AUTHENTICATION REMOTE gopher	When the remote host requests authentication information from site irvine, the LRS will send "gopher" as its password.
	Define Port PPP CHAP Local	DEFINE PORT 2 PPP CHAP LOCAL	Uses CHAP to send a username/password pair to the remote host.
	Define Port PPP PAP Local	DEFINE PORT 2 PPP PAP LOCAL	Uses PAP to send a username/password pair to the remote host.
Incoming Authentication: PPP Logins, cont.
To	Use This Command	Example(s)	What Example Does
Use Dialback to Authenticate Incoming PPP Users	Define Site Authentication Dialback	DEFINE SITE irvine AUTHENTICATION DIALBACK ENABLED	Enables dialback for PPP users using site "irvine". See Dialback From SLIP/PPP Mode for more information.
Incoming Authentication: SLIP Logins
To	Use This Command	Example(s)	What Example Does
Authenticate Users Before SLIP is Started	Set/Define Port SLIPdetect	DEFINE PORT 2 SLIPDETECT DISABLED	Disables SLIP autodetection on port 2. See SLIP Logins for more information.
	Define Port SLIP	DEFINE PORT 2 SLIP DISABLED	Disables dedicated SLIP on port 2.
	Define Port SLIP	DEFINE PORT 2 SLIP ENABLED	Re-enables SLIP on port 2.
Use Dialback to Authenticate Incoming SLIP Users	Define Site Authentication Dialback	DEFINE SITE irvine AUTHENTICATION DIALBACK ENABLED	Enables dialback for SLIP users using site "irvine". See Dialback From SLIP/PPP Mode for more information.
Authentication Databases: Local
To	Use This Command	Example(s)	What Example Does
Specify the Precedence of the Local Database (NVR)	Set/Define Authentication Local Precedence	DEFINE AUTHENTICATION LOCAL PRECEDENCE 1	When an incoming caller submits a username/password pair, it will be compared to the local database before other databases. See Specifying the Precedence for more information.
Add a Username/Password Pair to the Local Database	Set/Define Authentication User Password	DEFINE AUTHENTICATION USER "elmo" PASSWORD "badger"	Adds user "elmo" and its corresponding password, "badger" to the local database. See Username/Password Pairs for more information.
Execute a Series of Commands When a Particular User Logs into the LRS	Set/Define Authentication User Command	DEFINE AUTHENTICATION USER "elmo" COMMAND "telnet 192.0.1.67; logout"	When user "elmo" logs into the LRS, he will be automatically telnetted to host 192.0.1.67. See Forcing Execution of Commands for more information.
Permit a Particular User to Change His/Her Password	Set/Define Authentication User Alter	DEFINE AUTHENTICATION USER "elmo" ALTER ENABLED	Permits user "elmo" to change his password. See Permitting Users to Change Their Passwords for more information.
Force a Particular User to Enter a New Password Upon Next Login	Set/Define Authentication User Expired	DEFINE AUTHENTICATION USER "elmo" EXPIRED	Requires that user "elmo" enter a new password the next time he logs into the LRS. See Forcing Selection of a New Password for more information.
Display the Current Entries in the Local Database	Show/Monitor/List Authentication Users	SHOW AUTHENTICATION USERS	Displays information about the current users in the local database. See Displaying the Local Database for more information.
Remove a Particular User From the Local Database	Clear/Purge Authentication User	PURGE AUTHENTICATION USER "elmo"	Removes user "elmo" from the local database. See Purging the Local Database for more information.
Authentication Databases: Kerberos
To	Use This Command	Example(s)	What Example Does
Synchronize the LRS and the Kerberos Clocks	Set/Define IP Timeserver	DEFINE IP TIMESERVER 192.0.1.110	Designates host 192.0.1.110 as the timeserver for the LRS. See Configuration for more information.
Specify the Precedence of the Kerberos Server	Set/Define Authentication Kerberos Precedence	DEFINE AUTHENTICATION KERBEROS PRECEDENCE 2	When an incoming caller submits a username/password pair, it will be compared to the database with precedence number 1, then to the Kerberos server. See Configuration for more information.
Designate the Primary Kerberos Server	Set/Define Authentication Kerberos Primary	DEFINE AUTHENTICATION KERBEROS PRIMARY 192.0.1.52	Designates host 192.0.1.52 as the primary Kerberos server. See Configuration for more information.
Designate a Backup Kerberos Server	Set/Define Authentication Kerberos Secondary	DEFINE AUTHENTICATION KERBEROS SECONDARY 192.0.1.53	Designates host 192.0.1.53 as the backup Kerberos server. This server will be used when the primary server is unavailable. See Configuration for more information.
Specify the Kerberos Realm	Set/Define Authentication Kerberos Realm	DEFINE AUTHENTICATION KERBEROS REALM PHRED.COM	Defines "PHRED.COM" as the Kerberos realm. See Configuration for more information.
Define the Kerberos Principle	Set/Define Authentication Kerberos Principle	DEFINE AUTH KERBEROS PRINCIPLE "kerbauth"	Defines "kerbauth" as the Kerberos principle. See Configuration for more information.
Define the Kerberos Instance	Set/Define Authentication Kerberos Instance	DEFINE AUTH KERBEROS INSTANCE "lrs_name"	Defines "kerbauth" as the Kerberos instance. See Configuration for more information.
Authentication Databases: Kerberos, cont.
To	Use This Command	Example(s)	What Example Does
Define the Kerberos Authenticator	Set/Define Authentication Kerberos Authenticator	DEFINE AUTH KERBEROS AUTHENTICATOR "passwd"	Defines "passwd" as the Kerberos instance. See Configuration for more information.
Define the Kerberos Key Version Number (KVNO)	Set/Define Authentication Kerberos KVNO	DEFINE AUTHENTICATION KERBEROS KVNO 1	Sets the KVNO to 1. See Configuration for more information.
Authentication Databases: NetWare Bindery
To	Use This Command	Example(s)	What Example Does
Specify the Precedence of the NetWare Bindery	Set/Define Authentication NetWare Precedence	DEFINE AUTHENTICATION NETWARE PRECEDENCE 3	When an incoming caller submits a username/password pair, it will be compared to the databases with precedence numbers 1 and 2, then to the NetWare bindery. See NetWare Bindery for more information.
Designate the Primary NetWare Bindery	Set/Define Authentication NetWare Primary	DEFINE AUTHENTICATION NETWARE PRIMARY doc_server	Designates host "doc_server" as the primary NetWare bindery. See NetWare Bindery for more information.
Designate a Backup NetWare Bindery	Set/Define Authentication NetWare Secondary	DEFINE AUTHENTICATION NETWARE SECONDARY spare_server	Designates host "spare_server" as the backup NetWare bindery. This server will be used when the primary bindery is unavailable. See NetWare Bindery for more information.
Authentication Databases: SecurID
To	Use This Command	Example(s)	What Example Does
Specify the Precedence of the SecurID Server	Set/Define Authentication SecurID Precedence	DEFINE AUTHENTICATION SECURID PRECEDENCE 4	When an incoming caller submits a username/password pair, it will be compared to the databases with precedence numbers 1, 2, and 3, then to the SecurID server. See SecurID for more information.
Designate the Primary SecurID Server	Set/Define Authentication SecurID Primary	DEFINE AUTHENTICATION SECURID PRIMARY 192.0.1.50	Designates host "doc_server" as the primary SecurID server. See SecurID for more information.
Designate a Backup SecurID Server	Set/Define Authentication SecurID Secondary	DEFINE AUTHENTICATION SECURID SECONDARY 192.0.1.51	Designates host "spare_server" as the backup SecurID server. This server will be used when the primary server is unavailable. See SecurID for more information.
Authentication Databases: UNIX Password File
To	Use This Command	Example(s)	What Example Does
Specify the Precedence of the UNIX Password File	Set/Define Authentication TFTP Precedence	DEFINE AUTHENTICATION TFTP PRECEDENCE 5	When an incoming caller submits a username/password pair, it will be compared to the databases with precedence numbers 1, 2, 3, and 4, then to the UNIX password file. See UNIX Password File for more information.
Specify the Primary TFTP Host	Set/Define Authentication TFTP Primary	DEFINE AUTHENTICATION TFTP PRIMARY 192.0.1.50	Designates host 192.0.1.50 as the primary TFTP host. The password file (specified below) will be checked on this host before other hosts. See UNIX Password File for more information.
Designate a Backup TFTP Host	Set/Define Authentication TFTP Secondary	DEFINE AUTHENTICATION TFTP SECONDARY 192.0.1.51	Designates host 192.0.1.51 as the backup TFTP host. This host will be used when the primary host is unavailable. See UNIX Password File for more information.
Specify the Pathname of the Password File	Set/Define Authentication TFTP Filename	DEFINE AUTHENTICATION TFTP FILENAME "/tftpboot/passwd"	When a login attempt is made, the username/password pair will be compared to the "passwd" file in the "tftpboot" directory on the primary or secondary TFTP host. See UNIX Password File for more information.
Outgoing LAN to LAN Authentication: Character Mode Logins
To	Use This Command	Example(s)	What Example Does
Configure a Chat Script	See Chapter 4 - Additional Remote Networking.
Outgoing LAN to LAN Authentication: PPP Logins
To	Use This Command	Example(s)	What Example Does
Use CHAP for Outgoing Authentication	Define Site Authentication CHAP	DEFINE SITE dallas AUTHENTICATION CHAP ENABLED	Enables outgoing CHAP authentication on site "dallas". See PPP Logins for more information.
Use PAP for Outgoing Authentication	Define Site Authentication PAP	DEFINE SITE dallas AUTHENTICATION PAP ENABLED	Enables outgoing PAP authentication on site "dallas". See PPP Logins for more information.
Define the Username Sent to the Remote Host	Define Site Authentication User	DEFINE SITE dallas AUTHENTICATION USER "seattle"	When site "dallas" is used, the LRS will send username "seattle" to the remote host during outgoing authentication. See PPP Logins for more information.
Define the Password Sent to the Remote Host	Define Site Authentication Remote	DEFINE SITE dallas AUTHENTICATION REMOTE "badger"	When site "dallas" is used, the LRS will send password "badger" to the remote host during outgoing authentication. See PPP Logins for more information.
Outgoing LAN to LAN Authentication: SLIP Logins
To	Use This Command	Example(s)	What Example Does
Configure Outgoing SLIP Authentication	All outgoing SLIP authentication must be done with chat scripts before SLIP starts. See Chapter 4 - Additional Remote Networking.
Restricting Users
To	Use This Command	Example(s)	What Example Does
Become the Privileged User/Stop Being the Privileged User	Set Privileged/Noprivileged	SET PRIVILEGED	Establishes privileged (superuser) status. The privileged password must be entered after the Set Privileged command. See Privileged Commands for more information.
		SET NOPRIVILEGED	Restores the session to non-privileged status.
Forcibly Become the Privileged User (Override Another Port's Privileged Status)	Set Privileged/Noprivileged	SET PRIVILEGED OVERRIDE	Removes privileged status from the currently privileged user, and establishes privileged status for the current session. See Privileged Commands for more information.
Enable or Disable PPP on a Port	Define Port PPP	DEFINE PORT 2 PPP DISABLED	Disables PPP on port 2. See Controlling Use of the Set PPP/SLIP Commands for more information.
Enable or Disable SLIP on a Port	Define Port SLIP	DEFINE PORT 2 SLIP DISABLED	Disables SLIP on port 2. See Controlling Use of the Set PPP/SLIP Commands for more information.
Secure a Port	Set/Define Port Security	DEFINE PORT 2 SECURITY ENABLED	Secures port 2. Users on port 2 will be prevented from editing many of the port's settings. See Securing a Port for more information.
Lock a Port	Lock	LOCK	Prompts the user for a password. Once the password is entered, the port is locked. The password must be entered to unlock the port. See Locking a Port for more information.
Unlock a Port Without the Lock Password	Unlock Port	UNLOCK PORT 2	Unlocks port 2. See Locking a Port for more information.
	Logout	LOGOUT PORT 2	Logs out port 2. This will unlock the port and disconnect any current sessions. See Locking a Port for more information.
Restricting Users, cont.
To	Use This Command	Example(s)	What Example Does
Execute a Series of Commands When a User Logs Into the LRS	Set/Define Authentication User Command	DEFINE AUTHENTICATION USER bob COMMAND "SET PPP dialin_users; logout"	When user "bob" logs into the LRS, PPP will automatically be started and site "dialin_users" will be used for the connection. See Forcing Execution of Commands for more information.
Place a Port in Menu Mode	Set/Define Menu	DEFINE MENU 4 "Telnet irvine" "TELNET 192.0.1.53"	Defines a menu item "Telnet irvine"; this item is number 4 on the menu. When "Telnet irvine" is selected from the menu, the user will be telnetted to host 192.0.1.53. See Menu Mode for more information.
	Set/Define Port Menu	DEFINE PORT 2 MENU ENABLED	Places port 2 in menu mode. Users on this port will only be able to choose items from the menu; they cannot enter commands. See Menu Mode for more information.
Restrict Incoming Networking Callers to a Particular IP Address	Define Site IP Remoteaddress	DEFINE SITE irvine IP REMOTEADDRESS 192.0.1.125	Restricts incoming callers to IP address 192.0.1.125. See IP Address Restriction for more information.
Restrict Incoming Remote Networking Callers to a Range of IP Addresses	Define Site IP Remoteaddress	DEFINE SITE irvine IP REMOTEADDRESS 192.0.1.110 192.0.1.250	Restricts incoming callers to IP addresses between 192.0.1.110 and 192.0.1.250. See IP Address Restriction for more information.
Restricting Users, cont.
To	Use This Command	Example(s)	What Example Does
Force Incoming Telnet/Rlogin Users to Enter a Password	Set/Define Server Incoming Password	DEFINE SERVER INCOMING PASSWORD	Requires that incoming Telnet and Rlogin users enter the LRS login password. See Incoming Telnet/Rlogin Connections for more information.
Prevent all Incoming Telnet/Rlogin Connections	Set/Define Server Incoming None	DEFINE SERVER INCOMING NONE	Blocks all incoming Telnet and Rlogin connections. See Incoming Telnet/Rlogin Connections for more information.
Enable/Disable Outgoing Rlogin Connections	Set/Define Server Rlogin	DEFINE SERVER RLOGIN ENABLED	Enables outgoing Rlogin connections. See Outgoing Rlogin Connections for more information.
Restrict Access to a Port	Set/Define Port Access	DEFINE PORT 2 ACCESS LOCAL	Restricts port 2 to local logins. See Port Access for more information.
		DEFINE PORT 2 ACCESS REMOTE	Restricts port 2 to remote logins.
		DEFINE PORT 2 ACCESS DYNAMIC	Permits local and remote logins on port 2.
		DEFINE PORT 2 ACCESS NONE	Prevents all logins to port 2.
Prevent all IP Traffic	Define Site IP	DEFINE SITE irvine IP DISABLED	Prevents all IP traffic on site "irvine". See Preventing all IP or IPX Traffic for more information.
Prevent all IPX Traffic	Define Site IPX	DEFINE SITE irvine IPX DISABLED	Prevents all IPX traffic on site "irvine". See Preventing all IP or IPX Traffic for more information.
Create a Filter List	Set/Define Filter	DEFINE FILTER firewall ADD 1 DENY IP SRC 192.0.1.0 255.255.255.0	Creates a filter named "firewall". This filter has one rule, which denies IP traffic from host 192.0.1.0. See Setting up Filter Lists for more information.
Associate a Filter List With a Particular Site	Define Site Filter	DEFINE SITE dallas FILTER INCOMING firewall	Associates filter list "firewall" with site "dallas". This filter list will be used to filter incoming packet traffic. See Setting up Filter Lists for more information.
Event Logging
To	Use This Command	Example(s)	What Example Does
Specify a Destination for Logging Information	Set/Define Logging Destination	DEFINE LOGGING DESTINATION CONSOLE	Sends logging information to the LRS console port. See Destination for more information.
		DEFINE LOGGING DESTINATION 192.0.1.5	Sends logging information to host 192.0.1.5.
Specify the Events to Log	Set/Define Logging	DEFINE LOGGING AUTHENTICATION 3	Logs authentication events at level 3 (all logins). See Logging Levels for more information.
Disable a Specific Type of Event Logging	Set/Define Logging	DEFINE LOGGING IPX NONE	Disables all IPX event logging. See Logging Levels for more information.
Disable all Event Logging	Set/Define Logging Destination	DEFINE LOGGING DESTINATION NONE	Disables all event logging. See Logging Levels for more information.

LRS Reference Manual - 4 MARCH 1996

Generated with Harlequin WebMaker