Acct-Terminate-Cause (fwd)

MegaZone (megazone@livingston.com)
Tue, 25 Jun 1996 05:25:20 -0700 (PDT)

Once upon a time Elvis shaped the electrons to say...
> I currently have in the RADIUS users file, for monitoring
>connections, the line
>
>Acct-Terminate-Cause = 49,
>
>But this doesn't return verbose information (for ex, just says Port-Error
>instead of Port-Error and then brief 2 words or so exact port error like
>the docs for 3.3.1c1 said...if I read those correctly.) What is the
>correct Radius entry for this?

Did you put in all the VALUES too as defined below?

We have two new releases for your PortMastering Pleasure. Please read
the descriptions before running off and grabbing them. Also, please
do not tell anyone where to find them unless you include this note.

============================ ComOS 3.3.1c1 ============================

Behind door number one we have ComOS 3.3.1c1. This release is for the
PM-2 series *only*. If you are running a PM-2 series unit we strongly
recommend upgrading to this release, if you have a PM-2eR we *extremely*
strongly recommend it. We'd require it but we can't force it after all...

It is ComOS 3.3.1 with two changes:

1. The *big* one you've all been waiting for - THE WAN PORT BUG FIX!
Yes, that's right, after many months of toil we have produced a fix for
the WAN port driver. This fix is for the problem a number of users have
encountered, where the WAN port stops sending data despite continuing
to send LMI updates. This required manual resetting of the port to clear
in most cases, in some it would clear up by itself after some period of
time.

It should be noted that this is not a panacea, in our investigations we
found that by far most WAN port problems turned out to be problems with
the CSU/DSU, the telco, cabling, etc - a small percentage actually had
this bug. We solved the rest of the cases, and then focused on the few
we had left. We eventually located a bug in the WAN port driver code. A
few test sites have been running this release for nearly a month now and
they have been delighted with the performance of the 2eR units. Release
3.3.1c1 definitively fixes this problem.

If you have a PM-2eR and are experiencing any problems with the WAN port,
you should upgrade to this release immediately before attempting to do any
debugging.

2. Many people have been reporting problems with disconnects. Up until now
it has been hard to debug because it is nigh-impossible to catch one in
the act. Well, 3.3.1c1 helps in this area - the RADIUS value for
'Acct-Terminate-Cause' has been implemented. So now RADIUS Accounting will
log the reason for disconnect for each session. In addition the reason
for disconnect will be displayed on the !root console and sent to syslog
if 'set debug term on' is set. The full set of Terminate values is
listed in the release notes for our other release, just below in the
next section.

If you are experiencing any problems with disconnects, we strongly
recommend upgrading to 3.3.1c1 to aid in debugging efforts.

ComOS 3.3.1c1 may be found in <ftp://ftp.livingston.com/pub/ts/pm2_3.3.1c1>

If you do not have the ability to upgrade locally, we will do the upgrade
for you over the nets if you call support during our business hours.

============================ ComOS 3.3.2b3 ============================

Behind door number two we have a new wide *BETA* release, ComOS 3.3.2b3.
This release is a *BETA* of the next planned full release. It has both
of the features added to 3.3.1c1, plus several more. Read the release
notes below for full details. This *BETA* is available for the PM-2 series
as well as the PM-25.

Note that since this is a *BETA* (notice I keep saying this) we will *not*
upgrade you to this remotely. In order to run this you must have the ability
to upgrade and downgrade locally. Why? Because if it breaks you are going
to have to be able to downgrade to fix it. Since this is a beta we want
feedback and problem reports, but we will not be fixing things on the fly.
This is for the adventurous amongst you, not for the timid. If you
experience any show stopping problems, please report them and downgrade to
3.3.1c1 (3.3.1 for PM25 users) to restore operation. We have had a few sites
running this and we are running it internally, so we do not anticipate
problems. But better prepared than not.

ComOS 3.3.2b3 may be found at <ftp://ftp.livingston.com/pub/beta/pm2_3.3.2b3>
and <ftp://ftp.livingston.com/pub/beta/pm25_3.3.2b3>

========================= RELEASE NOTES =========================

These BETA release notes document ComOS 3.3.2b3, which is a BETA
release being made generally available to our customers who choose to
try it. Do not use this release if you cannot upgrade to it without
our assistance. You must use pminstall 3.3.1 (available as part of
PMconsole under ftp://ftp.livingston.com/pub/le/software/) or later to
upgrade to this release.

If you have any ISDN 5 BRI card installed and are upgrading from ComOS
3.1.4 or earlier up to 3.3 or later, FIRST see the "Memory Usage"
caution in the 3.3.1 release notes, available at
ftp://ftp.livingston.com/pub/le/doc/release/release331.txt (or .ps for
PostScript)

The 3.3.2b3 BETA upgrade image is available for the PortMaster 25
at ftp://ftp.livingston.com/pub/beta/pm25_3.3.2b3 and for all other
PortMasters at ftp://ftp.livingston.com/pub/beta/pm2_3.3.2b3

That's a masked directory; you can do a binary get but you can not do an ls.

The 3.3.1c1 interim release for the PM-2R and PM-2ER is available from
ftp://ftp.livingston.com/pub/ts/pm2_3.3.1c1 in a masked directory;
you can do a binary get but you can not do an ls.

Release Notes for 3.3.1 --> 3.3.2b3

The following enhancements and bug fixes are available in ComOS 3.3.2b3.

Enhancement #4 and Bug Fix #1 are also available in ComOS 3.3.1c1, which is
otherwise identical to ComOS 3.3.1.

Enhancements

1. Support for the MOD-10I-ST expansion board has been added. This is
the 5 BRI expansion module for use in Europe, Japan, and other countries
using these standards.

2. International ISDN support has been added. The PortMaster now
supports ISDN connections in Europe, Japan and other countries which
support these ISDN signaling standards. This support is for use
with the PortMaster versions which contain the ISDN Basic Rate S/T
interface. The PortMaster should be rebooted if the switch type is
changed. New ISDN switch type settings for "set isdn-switch" are:

    net3    EuroISDN standard (also includes Swiss extensions)
    vn2     France - Older switch type
    vn3     France - Older switch type
    vn4     France - Current National switch type
    1tr6    Germany - Older switch type
    ntt     Japan
    kdd     Japan

3. A new command "show files" has been added to display how much of the
128 KB flash configuration file system is in use. Output also shows
file names.

4. Port termination reasons have been added. RADIUS accounting now
reports the reason for session termination. In addition, the new
"set debug termination on" command actively displays even more
detailed port terminations to the system console as well as sending
these messages to syslog. See "RADIUS Accounting Termination
Causes" for more information on termination causes and how to change
your RADIUS dictionary file to take advantage of them. (Also in 3.3.1c1)

6. The "set all" command has been made more restrictive. This command
no longer affects the W1 port, the P0 parallel port or the new
C0 (PM-2i and PM-2Ei only) console port.

7. Outbound CHAP authentication has been enhanced. The new command
"set location Location_Name chap [ on|off ]" has been added. When
used, the PortMaster requires that it be authenticated using
CHAP on an outbound dial. In addition the username and password
entered in the location table are used as the "system identifier"
and "MD5 secret" in the CHAP authentication. Use of this feature
eliminates the need to use the sysname and user table configurations
for CHAP unless the device being dialed to will also be dialing back
into the PortMaster. The default is chap off.

8. Outbound user support. The PortMaster now supports Outbound-User
user types which use telnet. In addition the PortMaster logs
outbound user activity to RADIUS accounting. See "RADIUS for
Outbound Users" for information on using this feature.

IMPORTANT NOTE: IF YOU ARE CURRENTLY USING OUTBOUND TELNET SECURITY
you must change to use RADIUS instead of the PortMaster User Table
when you upgrade to this release.

9. Telnet and Netdata TCP port number is now identified in RADIUS
accounting. Previously Login Users sent to a host with Telnet would
be identified only as using the Telnet service even if they were
directed by RADIUS to a TCP port number other than 23 (the
default). Now if the user is sent to a port other than 23, RADIUS
accounting reports the TCP port number. This is useful for
determining whether the user was sent to a special service on the
identified host. Accounting records for Login Users using the
Netdata (TCP-Clear) login service now always includes the TCP port
number.

10. LCP now allows the remote end to request (via a NAK) a maximum
receive unit of up to 1520 instead of the previous limit of 1500.
This accommodates some MultiLink PPP implementations which desire a
larger MRU.

11. Support has been added for Dialback PPP users which were
authenticated using PAP or CHAP.

12. The command "set all network dialin" is now supported.

13. ChoiceNet now operates independently of RADIUS and can be used
without RADIUS being enabled.

14. "set debug off" has been added. This command clears all debug
settings which are currently active in the PortMaster.

Bug Fixes

1. Fixed W1 lockup problem on PM-2ER. From every few days to every few
weeks the W1 port on the PM-2ER would stop transmitting packets and
would recover after some amount of time or after a port reset. This
software bug has been fixed. (Also in 3.3.1c1)

2. Resetting or disconnecting a port which is waiting for ChoiceNet to
upload a dynamic packet filter would cause the PortMaster to
reboot. This has been fixed and ports can now be reset without
causing a problem.

3. Proper clearing of State Variable when using RADIUS menus.
Previously the State Variable could be inadvertently retained
between login sessions. This would cause users to see the wrong
RADIUS menu when logging on.

4. RADIUS Filter-Id longer than 12 characters for PPP users would
cause the PortMaster to reboot. Now these Filter-Id's are truncated
to 12 characters before appending the ".out" suffix to the filter
name.

5. Zero length filters applied to ethernet interfaces are now treated
as permit filters. That is, if a filter has no rules at all it now
permits everything through. If it has one or more rules then
anything not permitted explicitly by a rule is denied at the end of
the filter, same as before.

6. Host prompt now works over ISDN. Previously an ISDN port set for
host prompt would not echo characters back to the user. This has
been fixed.

7. Adding a username to a location, deleting the location, then adding
the location used to bring back the username entry. The username is
now properly deleted when the location is deleted.

8. The usage statement for ptrace has been fixed.

9. Saving the PortMaster hosts table used to only accept the command
"save host". It now supports the plural "save hosts".

RADIUS for Outbound Users

RADIUS can now be used to authenticate users gaining outbound access to
network device ports, but the User Table can no longer be used for this
purpose. If you do not have any ports set to "device /dev/network" or
"twoway /dev/network" you can ignore this entire section, it does not
apply to you. If you DO have any ports set to "device /dev/network" or
"twoway /dev/network" you should read this section carefully and understand
it completely before upgrading to this release, because things will work
differently after the upgrade.

In ComOS 3.3.1 and before, to allow users to access the modems for outbound
dialing across your network but require a password for such access, you
set the port up like this (after first moving your telnet administration
port to something other than 23 with a command like "set telnet 24"):

set s1 device /dev/network
set s1 service_device telnet 10000
save s1
reset s1

And then set up a user like this in the local User Table of the PortMaster.

add user fred
set user fred password What4ever
set user fred service telnet 10000
set user fred host <PortMaster ether0 IP address>
save user

A user could then telnet to the PortMaster (at the usual telnet port of
23), get a login prompt, enter "fred", get a password prompt, enter
"What4ever", and would be connected to whatever was on port s1,
typically a modem. You could pool any number of ports together by
setting their service device telnet port to the same number. Any
number between 10000 and 10100 had this special property.

In ComOS 3.3.2 and later (3.4.2L and later on the Office Router, 3.4.2R
and later on the IRX) this behavior has changed. In 3.3.2, you set up
the port the same way as before, but now when the user telnets to port
23 and gives his username and password, the PortMaster first checks
the local User Table, and if the user is found there now DENIES access.
If the user is NOT found in the local User Table, and the PortMaster is
configured to use a RADIUS server, the PortMaster sends a RADIUS
Access-Request to the RADIUS server with the hint that
Service-Type (6) = Outbound-User (5)

Check your /etc/raddb/dictionary file for the exact spelling of
attribute 6 and value 5. If the PortMaster receives back an access-accept
then it allows the user to access the port. A typical entry in the RADIUS
/etc/raddb/users file to allow this would be:

fred    Password = "What4ever", Service-Type = Outbound-User
        Service-Type = Outbound-User,
        Login-Service = Telnet,
        Login-Service = 10000

Note that the user file can only have ONE entry named "fred", so if
fred is already used in the RADIUS users file you must use a different
username than fred to dial out with. RADIUS 2.0 will make this easier.

RADIUS Accounting Termination Causes

Release 3.3.1c1 and 3.3.2b3 have added support for the RADIUS
Accounting Acct-Terminate-Cause attribute to provide information on the
cause of session termination. In addition, if termination debugging is
turned on with "set debug termination on" additional termination
information is sent to syslog (auth.info) and the system console.

Before upgrading the PortMaster, update your /etc/raddb/dictionary file
by adding the following lines, kill your radiusd and restart it.

ATTRIBUTE Acct-Terminate-Cause 49 integer

VALUE Acct-Terminate-Cause User-Request 1
VALUE Acct-Terminate-Cause Lost-Carrier 2
VALUE Acct-Terminate-Cause Lost-Service 3
VALUE Acct-Terminate-Cause Idle-Timeout 4
VALUE Acct-Terminate-Cause Session-Timeout 5
VALUE Acct-Terminate-Cause Admin-Reset 6
VALUE Acct-Terminate-Cause Admin-Reboot 7
VALUE Acct-Terminate-Cause Port-Error 8
VALUE Acct-Terminate-Cause NAS-Error 9
VALUE Acct-Terminate-Cause NAS-Request 10
VALUE Acct-Terminate-Cause NAS-Reboot 11
VALUE Acct-Terminate-Cause Port-Unneeded 12
VALUE Acct-Terminate-Cause Port-Preempted 13
VALUE Acct-Terminate-Cause Port-Suspended 14
VALUE Acct-Terminate-Cause Service-Unavailable 15
VALUE Acct-Terminate-Cause Callback 16
VALUE Acct-Terminate-Cause User-Error 17
VALUE Acct-Terminate-Cause Host-Request 18

The following simple script produces a list of the causes seen
(note that this script does not remove duplicates, so it provides only an
approximate count).

cat /var/adm/radacct/*/detail | grep Acct-Terminate-Cause | sort | uniq -c

Here are the syslog messages and their meanings. Where a message would
also go to RADIUS Accounting, the Acct-Terminate-Cause is included in
the syslog message before the dash. In normal operation you would
expect to see User-Request, Host-Request, and Lost-Carrier, although
Lost-Carrier can be caused by the user hanging up his end of the
connection OR by line or modem problems.

Admin Reset
Port was reset by administrator. Also logged to RADIUS Accounting if
a session was active on the port.

Callback
Callback User is disconnected so the port can be used to call back.

Cause Unknown
Contact Livingston Technical Support.

Host Request - PMD
Disconnected or logged out from host using in.pmd service.
This can mean either normal termination of a login session, or
the remote host has crashed or become unreachable. Also sent
to RADIUS Accounting.

Host Request
Disconnected or logged out from host. This can mean either
normal termination of a login session, or the remote host has
crashed or become unreachable. Also sent to RADIUS Accounting.

Idle Timeout
Idle timer expired for user or port. Also logged to RADIUS Accounting.

Login Timeout
The login:, password: or host: prompt is set to timeout after five
minutes with no input and has done so.

Lost Carrier
Session terminated when modem dropped DCD. Also logged to
RADIUS Accounting. This can either mean the user or his modem
hung up the phone from their end, in which case there is no
problem, or can mean that the line was dropped or took a noise
hit too severe for the modems to recover from, or can mean that
the local modem dropped DCD for some other reason.

Lost Service - Interface Down
Should never happen. Contact Livingston Technical Support.

Lost Service - Interface Error
Should never happen. Contact Livingston Technical Support.

Lost Service - Invalid Network Handle
Contact Livingston Technical Support.

Lost Service - LMI
A Frame Relay interface missed six consecutive LMI replies.

Lost Service - No netbufs
No netbufs are available for service. This should never
happen. Contact Livingston Technical Support.

NAS Error - PPP Unknown State
The PortMaster could not determine state of PPP. This should never
happen in the normal course of events. Contact Livingston
Technical Support.

NAS Request - Modem Config Complete
The Modem table entry has finished initializing the modem
attached to the port.

NAS Request - PPP Maximum Retransmissions
PPP negotiations failed after the PortMaster sent 10
configuration requests. This is always caused by a
configuration error on either the client, PortMaster, or
RADIUS user entry.

No Event Identified
Contact Livingston Technical Support.

Port Error - PPP Couldn't Send
The PortMaster could not send PPP negotiation. Check that the
port and modems at both ends are properly configured for
hardware flow control (RTS/CTS), and if the problem still
occurs contact Livingston Technical Support.

Port Error - PPP Loop Detect
The PortMaster saw its own Magic Number in an LCP Configuration
Request. The two most likely causes are either that our modem
is in echo mode or that we dialed into a UNIX system and it is
echoing our packets back to us. In the former case, correct
the configuration in the modem. In the latter case, change the
chat script in the location table entry on the PortMaster to
look for "~" instead of "PPP".

Port Error - Spurious Interrupts
Attached device is causing too many interrupts, so the
PortMaster reset the port. Also logged to RADIUS Accounting if
a session was active on the port.

Port Error - Unknown State
Should never happen, contact Livingston Technical Support.

Port Error - Wrong Type
Port is configured for login users only, and a network user is
trying to log in, or vice versa. To configure ports appropriately:
    set all login                   Login users only
    set all network dialin          Network users only
    set all login network dialin    Both

Service Unavailable - Access Denied
The port Access Filter does not permit connection to
requested host. If you get this message and you wish to allow
a connection to the host: 1) If you are not using access
filters, remove the ifilter from the port with "set Port ifilter"
2) If you are using an access filter, check your filter rules.

Service Unavailable - Auth Failed
Three attempts by the user to authenticate at the login: prompt
have failed, so the user is disconnected.

Service Unavailable - Device
Port is set for host device but in.pmd or the pseudo-tty
configured is unavailable. This gets logged once a second
until the situation is corrected.

Service Unavailable - Host
Login session was unable to connect to host. Most common cause
is that host is down or refusing connections or not running
in.pmd or rlogind.

Service Unavailable - PPP Auth Failed
This error should never happen. Contact Livingston Technical Support.

Service Unavailable - PPP CHAP Auth Failed
The user's PPP CHAP authentication failed.

Service Unavailable - PPP No Protocol
Neither IP nor IPX was negotiated for PPP, so no service can be
provided. This is a configuration error for either the dial-in
client or the user entry.

Service Unavailable - PPP Outbound PAP Auth Failed
PortMaster dialed out to another site and was being
authenticated by PAP but failed, so the PortMaster is hanging
up. (Note that if we are authenticated by CHAP and fail, it is
the responsibility of the other end to hang up.)

Service Unavailable - PPP PAP Auth Failed
The user's PPP PAP authentication failed.

Session Timeout
Session timer expired for user. Also logged to RADIUS Accounting.

User Error - PPP LCP Protocol Reject
The PortMaster received a LCP Protocol Reject. This should
never happen; it indicates there is a bug in the software of the
remote system since it is claiming it does not support LCP.

User Error - PPP NCP Active to Reply
PortMaster received a PPP Configuration ACK when a session was
already established, so it terminated the session. This is
caused by a PPP implementation error in the dial-in client.
Also logged via RADIUS Accounting.

User Error - PPP NCP Active to Request
PortMaster received a PPP Configuration Request when a session
was already established, so it terminated the session. This is
caused by a PPP implementation error in the dial-in client.
Also logged via RADIUS Accounting.

User Request - Admin Quit
Quit command issued from the command line interface.

User Request - PPP Term Ack
Dial-in client requested that we terminate immediately without
sending an acknowledgement. This message is expected from a
proper PPP client termination. Also logged via RADIUS Accounting.

User Request - PPP Term Req
Dial-in client requested that we send a Termination ACK and
then terminate. This message is expected from a proper PPP
client termination. Also logged via RADIUS Accounting.

Copyright and Trademarks

1996 Livingston Enterprises, Inc. All rights reserved.

The product names, "ComOS," "IRX," "PortMaster," "PMconsole," and
"TelePath" are trademarks belonging to Livingston Enterprises, Inc.

All brand product names mentioned in this document are trademarks or
registered trademarks of their respective manufacturers.

Notices

Livingston Enterprises, Inc. makes no representations or warranties
with respect to the contents or use of this manual, and specifically
disclaims any express or implied warranties of merchantability or
fitness for any particular purpose. Further, Livingston Enterprises,
Inc. reserves the right to revise this publication and to make changes
to its content, any time, without obligation to notify any person or
entity of such revisions or changes.

Contacting Livingston Technical Support

Every Livingston PortMaster or IRX product comes with free lifetime
software technical support and a one year hardware warranty. Livingston
Enterprises provides free technical support via voice, FAX, and
electronic mail. Technical support is available Monday through Friday
6am-5pm Pacific Time (GMT-8).

To contact Livingston technical support by voice, dial 1-800-458-9966
within the US or 1-510-426-0770 outside the US, by FAX, dial
1-510-426-8951, by electronic mail, send mail to
support@livingston.com, and through the World Wide Web at
http://www.livingston.com/.
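
Added example (not part of the original message or of Livingston's release notes): a Python version of the cause-counting script above that skips retransmitted Stop records and maps bare integers to the VALUE names from the dictionary lines. The detail-file layout (unindented timestamp line, indented attributes), the NAS-IP-Address plus Acct-Session-Id dedup key, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Value table copied from the dictionary lines in the release notes above.
TERMINATE_CAUSES = {
    1: "User-Request", 2: "Lost-Carrier", 3: "Lost-Service",
    4: "Idle-Timeout", 5: "Session-Timeout", 6: "Admin-Reset",
    7: "Admin-Reboot", 8: "Port-Error", 9: "NAS-Error",
    10: "NAS-Request", 11: "NAS-Reboot", 12: "Port-Unneeded",
    13: "Port-Preempted", 14: "Port-Suspended",
    15: "Service-Unavailable", 16: "Callback", 17: "User-Error",
    18: "Host-Request",
}
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_records(text):
    """Yield one dict per accounting record in a detail file (assumed layout)."""
    record = {}
    for line in text.splitlines():
        # A blank line or an unindented line (the timestamp) ends a record.
        if not line.strip() or not line[0].isspace():
            if record:
                yield record
                record = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            record[m.group(1)] = m.group(2).strip()
    if record:
        yield record

def cause_name(raw):
    """Names pass through; a bare integer (dictionary lacked the VALUE) is mapped."""
    if raw.isdigit():
        return TERMINATE_CAUSES.get(int(raw), "Unknown-" + raw)
    return raw

def count_causes(text):
    """Count termination causes once per session, ignoring retransmissions."""
    seen, counts = set(), Counter()
    for rec in parse_records(text):
        if rec.get("Acct-Status-Type") not in ("Stop", "2"):
            continue
        if "Acct-Terminate-Cause" not in rec:
            continue
        session = rec.get("Acct-Session-Id")
        if session is not None:
            key = (rec.get("NAS-IP-Address"), session)
            if key in seen:
                continue  # same Stop record sent again by the NAS
            seen.add(key)
        counts[cause_name(rec["Acct-Terminate-Cause"])] += 1
    return dict(counts)

def _rec(stamp, user, status, session, cause=None):
    # Builds one constructed sample record; 192.0.2.10 is a documentation address.
    lines = [stamp, '\tUser-Name = "%s"' % user, "\tNAS-IP-Address = 192.0.2.10",
             "\tAcct-Status-Type = %s" % status,
             '\tAcct-Session-Id = "%s"' % session]
    if cause is not None:
        lines.append("\tAcct-Terminate-Cause = %s" % cause)
    return "\n".join(lines) + "\n\n"

# Constructed sample: one retransmitted Stop, one numeric cause, one Start.
SAMPLE = (_rec("Tue Jun 25 05:20:01 1996", "fred", "Stop", "0A000001", "Lost-Carrier")
          + _rec("Tue Jun 25 05:20:04 1996", "fred", "Stop", "0A000001", "Lost-Carrier")
          + _rec("Tue Jun 25 05:21:00 1996", "wilma", "Stop", "0A000002", "8")
          + _rec("Tue Jun 25 05:22:00 1996", "barney", "Start", "0A000003"))

if __name__ == "__main__":
    for name, n in sorted(count_causes(SAMPLE).items()):
        print("%6d %s" % (n, name))
```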