 

Configuring Dial-In Users   5


  This chapter describes how to configure the PortMaster 4 user table to support dial-in connections. The user table settings define how each dial-in user is authenticated and how dial-in connections are made.
  To configure network dial-in connections from other routers, you must define each remote router as a user on the PortMaster.
  If you are using RADIUS, you must configure user attributes in individual user files in the RADIUS user database rather than in the PortMaster user table. Refer to the RADIUS for Windows NT Administrator's Guide  and RADIUS for UNIX Administrator's Guide  for more information.
  This chapter discusses the following topics:
  See the PortMaster 4 Command Line Reference, the RADIUS for Windows NT Administrator's Guide,  and RADIUS for UNIX Administrator's Guide  for more detailed command descriptions and instructions.
  You can also configure the PortMaster 4 using the PMVision application for Microsoft Windows, UNIX, and other platforms supporting the Java Virtual Machine (JVM). PMVision replaces the PMconsole interface to ComOS.
 

       Configuring the User Table

  This section describes how to display user information and how to add users to or delete them from the user table.
 

       Displaying User Information

  You can display the current users in the user table or the complete configuration information for a specified user.
  To display the current users in the user table, for example, enter the following command:

  Command> show table user

  Name     Type        Address/Host   Netmask/Service   RIP
  ---------------------------------------------------------------------------
  jozef    Netuser     negotiated     0000000000
  adele    Login User  default        Telnet
  elena    Netuser     assigned       255.255.255.255   No
  taffy    Login User  defaults       PortMaster
  john     Netuser     192.168.7.8    0000000000        No

  To display configuration information for a particular user, for example, use the following command:

  Command> show user elena

  Username: elena          Type: Dial-in Network User
  Address: Assigned        Netmask: 255.255.255.255
  Protocol: PPP            Options: Quiet, compressed
  MTU: 1500                Async Map: 00000000

 

       Adding Users to the User Table

  You must add users to the user table before configuring any settings for them. The username is a string of 1 to 8 printable, nonspace ASCII characters. The optional user password is a string of 0 to 16 printable ASCII characters. You cannot add users with blank usernames.
  To add a login user to the user table, use the following command:

  Command> add user  Username [password  Password]

  To add a network user to the user table, use the following command:

  Command> add netuser  Username [password  Password]

  Note: To add a network user, you must use the netuser keyword. Thereafter, you can use either the netuser or the user keyword to configure settings for the network user. You must always use the user keyword when configuring login users.

 

       Deleting Users from the User Table

  To delete a user from the user table, use the following command:

  Command> delete user  Username

 

       User Types

  User settings define the nature and behavior of dial-in users. The user table contains entries for each defined dial-in user along with the characteristics for the user.
  The user table provides login security for users to establish login sessions or network dial-in connections. If you want to allow a network dial-in connection from another router, the router must have an entry in the user table or in RADIUS.
  PortMaster products allow you to configure two types of users, network users and login users.
 

       Network Users

  Network users dial in to an asynchronous serial, synchronous serial, or ISDN port on the PortMaster. A connection is established as soon as the user logs in. A PPP or SLIP (on asynchronous ports) session is started. This type of connection can be used for dial-in users or for other routers that need to access and transfer data from the network. Define this type of user when network packets must be sent through the connection.
 

       Login Users

  Login users are allowed to establish PortMaster (in.pmd ), rlogin , Telnet, or netdata  (TCP clear) connections through an asynchronous serial or ISDN port. A connection is established to the specified host as soon as the user logs in. This type of connection is useful for users who need to access an account on a host running TCP/IP.
 

       Configuring Settings for Network and Login Users

  The following settings can be configured for either network or login users.
 

       Setting a Password

  To set a password for either a login or network user, use the following command:

  Command> set user  Username password  Password

  The password can contain between 0 and 16 printable ASCII characters.
 

       Setting the Idle Timer

  The idle timer defines the number of minutes or seconds the line can be idle--in both directions--before the PortMaster disconnects the user. You can set the idle time in seconds or minutes, with any value between 2 and 240. The default setting is 0 minutes. The idle timer is not reset by RIP, keepalive, or SAP packets.
  To set the idle timer, use the following command:

  Command> set  user  Username idle  Number [minutes |seconds ]

  To disable the idle timer, set the time to 0 minutes.
 

       Setting the Session Limit

  You can define the maximum length of a session permitted before the PortMaster disconnects the user. The session length can be set to between 0 and 240 minutes.
  To set the session limit, use the following command:

  Command> set user  Username session-limit  Minutes

  To disable the session limit, set the time to 0.
 

       Configuring Network Users

  Network users establish PPP or SLIP connections with the network as soon as they have been authenticated.
 

       Setting the Protocol

  You can set the network protocol for the network user to PPP, SLIP, or X.75. Select a protocol that is compatible with the rest of your network configuration and the user's capabilities.
  To set the network protocol for a network user, use the following command:

  Command> set user  Username protocol  slip |ppp |x75-sync 

  If you set a nonzero IP address for the user, IP is automatically routed. If you set a nonzero IPX network number for the user, IPX is automatically routed.
 
  Note: Do not set a value of all 0s (zeros) or all Fs for the IPX network number.
 
 

       Setting the User IP Address

  You must define the IP address or hostname of the remote host or router. Table 5-1 describes three different ways that the user IP address can be determined.

  Table 5-1 User IP Address Options

  IP Address Type   Description
  assigned          Allows the PortMaster to assign a temporary IP address that is
                    used for the current session only. The address comes from a
                    pool of addresses set up during global configuration. This
                    method is most commonly used when a large number of users are
                    authorized to dial in.
  negotiated        Used only for PPP sessions. The PortMaster learns the IP
                    address of the remote host using IPCP negotiation.
  Ipaddress         Defines a specific IP address for the remote host or router.
                    This method is most commonly used for routers that establish
                    a connection with the PortMaster.
  To set the user IP address for a normal network user, use the following command:

  Command> set user  Username address|destination assigned |negotiated |Ipaddress

  The address  and destination  keywords are synonymous.
 

       Setting the Subnet Mask

  Do not set a subnet mask for a network user unless the user is routed to another network from your network. In that case, set the subnet mask to 255.255.255.255.
  To set the subnet mask, use the following command:

  Command> set user  Username netmask  Ipmask

 

       Setting the IPX Network Number

  Note: The PortMaster 4 supports the IPX protocol if it is running ComOS 4.1 or later. IPX is not supported in ComOS 4.0.

  If you are using the IPX protocol for this user, you must assign a unique IPX number to the network connection between the remote user device and the PortMaster. Each user's connection requires a different IPX network number. If you use fffffffe  as the IPX network number, the PortMaster assigns the user an IPX network number based on an IP address from the IP address pool.

  Note: Do not set a value of all 0s (zeros) or all Fs for the IPX network number.

  To set the IPX network number, use the following command:

  Command> set user  Username ipxnet  Ipxnetwork

 

       Configuring RIP Routing

  As described in the PortMaster Routing Guide, PortMaster products automatically send and accept route information as RIP messages.

  Note: ComOS 4.1 and later releases support both RIP-1 and RIP-2. Earlier releases of ComOS support only RIP-1.

  To configure RIP routing for a network user, use the following command:

  Command> set user  Username rip  on |off |broadcast |listen |v2 broadcast |on  v1-compatibility |multicast

  Refer to the PortMaster 4 Command Line Reference for a description of the keywords in this command. Refer to the PortMaster Routing Guide for a discussion of routing with RIP, and for OSPF and BGP routing configuration instructions.
 

       Setting the Asynchronous Character Map

  The PPP protocol supports the replacement of nonprinting ASCII data in the PPP stream. These characters are not sent through the line, but instead are replaced by a special set of characters that the remote site interprets as the original characters. The PPP asynchronous map is a bit map of characters that must be replaced. The lowest-order bit corresponds to the first ASCII character NUL, and so on. In most environments, the asynchronous map must be set to zero to achieve the maximum data transfer rate.
  To set the PPP asynchronous character map, use the following command:

  Command> set user  Username map  Hex
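  The following helper, added here as an example and not part of the PortMaster manual or ComOS, shows how the bit map described above is built and what it does to the data stream. It follows the PPP async control character map (ACCM) rules of RFC 1662: bit N of the 32-bit map marks ASCII control character N (NUL is bit 0) for replacement, and a marked character is sent as 0x7D followed by the character XOR 0x20. The function names and the XON/XOFF sample values are my own assumptions.

```python
"""PPP asynchronous control character map (ACCM) helper.

Added example, not from the PortMaster manual. Bit N of the 32-bit map set
means control character N (NUL is bit 0) must not be sent raw; the sender
substitutes 0x7D followed by (character XOR 0x20), and the receiver reverses
the substitution. Function names are assumptions for this example.
"""

PPP_ESCAPE = 0x7D  # control escape
PPP_FLAG = 0x7E    # frame delimiter, always escaped inside a frame


def build_async_map(control_chars):
    """Return the 32-bit map with one bit set per listed control character."""
    accm = 0
    for c in control_chars:
        if not 0 <= c <= 0x1F:
            raise ValueError(f"ACCM covers only 0x00-0x1F, got {c:#x}")
        accm |= 1 << c
    return accm


def map_to_hex(accm):
    """Format the map as the 8-digit Hex value taken by 'set user ... map'."""
    return f"{accm:08x}"


def parse_map_hex(text):
    """Parse the Hex value shown by 'show user' (e.g. Async Map: 00000000)."""
    return int(text, 16) & 0xFFFFFFFF


def mapped_chars(accm):
    """List the ASCII codes the map marks for replacement."""
    return [c for c in range(32) if accm >> c & 1]


def escape_payload(data, accm):
    """Apply the map to a frame payload the way the sending side does."""
    out = bytearray()
    for b in data:
        if b in (PPP_ESCAPE, PPP_FLAG) or (b < 0x20 and accm >> b & 1):
            out += bytes((PPP_ESCAPE, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def unescape_payload(data):
    """Undo escape_payload on the receiving side."""
    out = bytearray()
    it = iter(data)
    for b in it:
        if b == PPP_ESCAPE:
            try:
                b = next(it) ^ 0x20
            except StopIteration:
                raise ValueError("payload ends with a dangling escape")
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    # Constructed example: modems on the link use XON/XOFF flow control, so
    # DC1 (0x11) and DC3 (0x13) must never appear raw on the line.
    accm = build_async_map([0x11, 0x13])
    print("set user elena map", map_to_hex(accm))
    print(escape_payload(b"\x11A\x13", accm))
```

  With a map of 00000000, the value the chapter recommends for most environments, only the two characters PPP itself reserves (0x7D and 0x7E) are escaped, which is why that setting gives the best throughput; every additional bit set costs one extra byte on the line for each occurrence of that control character.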

 

       Setting the MTU Size

  The maximum transmission unit (MTU) defines the largest frame or packet that can be sent without fragmentation. A packet that exceeds this value is fragmented if it is IP, or discarded if it is IPX. PPP connections can have a maximum MTU of 1520 bytes. SLIP connections can have a maximum MTU of 1006 bytes. PPP can negotiate smaller MTUs when requested by the calling party.
  The MTU size is typically set to the maximum allowed for the protocol being used, either 1500 bytes (for PPP) or 1006 bytes (for SLIP). However, smaller MTU values can improve performance for interactive sessions.  If you are using IPX, the MTU must be set to at least 600.
  To set the MTU for a network user, use the following command:

  Command> set user  Username mtu  MTU

 

       Setting the Maximum Number of Dial-In Ports

  You can define the number of dial-in ports that a user can use on the PortMaster for Multilink V.120, Multilink PPP (only on ISDN), and multiline load balancing.
  If the maximum number of ports is unconfigured, port limits are not imposed and PortMaster multiline load balancing, Multilink V.120, and Multilink PPP sessions are allowed. You can also set the dial-in port limit using the RADIUS Port-Limit attribute.
  To set the maximum number of dial-in ports, use the following command:

  Command> set  user  Username maxports  Number

  The Number variable can be set to between 0 and the number of available ports--up to 95.
 

       Setting Compression

  Compression of TCP/IP headers can increase the performance of interactive TCP sessions over network hardwired asynchronous lines. Lucent implements Van Jacobson TCP/IP header compression and Stac LZS data compression. Compression is on by default.
  Compression cannot be used with multiline load balancing, but can be used with Multilink PPP.
  Compression must be enabled on both ends of the connection if you are using SLIP. With SLIP, TCP packets are not passed if only one side of the connection has compression enabled. For PPP connections, the PortMaster supports both bidirectional and unidirectional compression. Refer to RFC 1144 for more information about header compression.
  The PortMaster supports Stac LZS data compression only for PPP connections with bidirectional compression. Stac LZS data compression cannot be used for SLIP connections.
  To set header compression for a network user, use the following command:

  Command> set user  Username compression on |off 

  Table 5-2 describes the results of using each keyword.

  Table 5-2 Keywords for Configuring Compression

  Keyword   Description
  on        Enables compression. The PortMaster tries to negotiate both Van
            Jacobson and Stac LZS compression. This is the default.
  off       Disables compression.
  To find out what type of compression was negotiated for the user, enter the following command:

  Command> show S0

 

       Setting Filters

  Input and output packet filters can be applied to each network user. If an input filter is applied to a user, when the user dials in and establishes a connection, all packets received from the user are evaluated against the rule set for the applied filter. Only packets allowed by the filter can pass through the PortMaster. If an output filter is applied to a user, packets going to the user are evaluated against the rule set for the applied filter. Only packets allowed by the filter are sent out of the PortMaster to the user.
  If either filter is changed while a user is logged on, the change does not take effect until the user disconnects and logs in again.

  Note: You must define a filter in the filter table before you can apply it. For more information about filters, see Chapter 8, "Configuring Filters."

  To apply an input filter for a network user, use the following command:

  Command> set user  Username ifilter  [Filtername]

  To apply an output filter for a network user, use the following command:

  Command> set user  Username ofilter  [Filtername]

  Omitting the Filtername removes any filter previously set for this user.

  Note: Filters are applied to the user the next time the user dials in.

 
 

       Specifying a Callback Location

  You can configure the user for callback connections to enhance network security or to simplify telephone charges. When a network user logs in, the PortMaster disconnects the user and then calls back to the location specified for that user. The location is stored in the location table. The PortMaster always calls back using the same port on which the user called in. Network users have PPP or SLIP sessions started for them, as defined in the user table.
  To specify the callback location for a network user, use the following command:

  Command> set user  Username dialback  Locname|none 

  To disable callback connections for the user, use the none  keyword.
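  The network-user settings above are normally entered by hand at the Command> prompt. The script below is an added example, not Lucent code, that checks a network-user definition against the limits this chapter states (username and password lengths, idle 0 or 2 to 240, session limit 0 to 240, MTU ceilings of 1520 for PPP and 1006 for SLIP, MTU of at least 600 with IPX, IPX network not all 0s or all Fs, maxports 0 to 95, negotiated addresses only with PPP) and then emits the command sequence in the order the chapter presents it. The NetUser fields and the function names are assumptions made for this example; the command syntax is the chapter's.

```python
"""Provisioning check for PortMaster network users.

Added example, not from the PortMaster manual. Limits come from the chapter
text; NetUser, validate and commands are names chosen for this example.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress
import re

USERNAME_RE = re.compile(r"^[\x21-\x7e]{1,8}$")   # 1-8 printable, nonspace ASCII
PASSWORD_RE = re.compile(r"^[\x20-\x7e]{0,16}$")  # 0-16 printable ASCII
MAX_MTU = {"ppp": 1520, "slip": 1006}             # chapter states no x75-sync limit


@dataclass
class NetUser:
    name: str
    password: str = ""
    protocol: str = "ppp"            # slip | ppp | x75-sync
    address: str = "assigned"        # assigned | negotiated | dotted IP address
    netmask: Optional[str] = None
    ipxnet: Optional[str] = None     # 8 hex digits; fffffffe means pool-derived
    idle: int = 0                    # minutes; 0 disables, otherwise 2-240
    session_limit: int = 0           # minutes; 0 disables, maximum 240
    mtu: int = 1500
    maxports: Optional[int] = None   # 0-95; None leaves the limit unconfigured
    ifilter: Optional[str] = None
    ofilter: Optional[str] = None
    compression: bool = True


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate(u: NetUser) -> List[str]:
    """Return the problems found; an empty list means the definition is acceptable."""
    errs = []
    if not USERNAME_RE.match(u.name):
        errs.append("username must be 1-8 printable nonspace ASCII characters")
    if not PASSWORD_RE.match(u.password):
        errs.append("password must be 0-16 printable ASCII characters")
    if u.protocol not in ("slip", "ppp", "x75-sync"):
        errs.append("protocol must be slip, ppp or x75-sync")
    if u.address == "negotiated" and u.protocol != "ppp":
        errs.append("negotiated addresses are available only for PPP sessions")
    elif u.address not in ("assigned", "negotiated") and not _is_ipv4(u.address):
        errs.append("address must be assigned, negotiated or a dotted IP address")
    if u.netmask is not None and not _is_ipv4(u.netmask):
        errs.append("netmask must be a dotted IP mask")
    if u.ipxnet is not None:
        net = u.ipxnet.lower()
        if not re.fullmatch(r"[0-9a-f]{8}", net) or net in ("00000000", "ffffffff"):
            errs.append("ipxnet must be 8 hex digits and not all 0s or all Fs")
        if u.mtu < 600:
            errs.append("MTU must be at least 600 when IPX is used")
    if u.idle != 0 and not 2 <= u.idle <= 240:
        errs.append("idle must be 0 (disabled) or 2-240")
    if not 0 <= u.session_limit <= 240:
        errs.append("session-limit must be 0-240 minutes")
    if u.mtu > MAX_MTU.get(u.protocol, u.mtu):
        errs.append(f"MTU for {u.protocol} cannot exceed {MAX_MTU[u.protocol]}")
    if u.maxports is not None and not 0 <= u.maxports <= 95:
        errs.append("maxports must be 0-95")
    return errs


def commands(u: NetUser) -> List[str]:
    """Emit the ComOS commands that provision the user, or raise on a bad definition."""
    problems = validate(u)
    if problems:
        raise ValueError("; ".join(problems))
    add = f"add netuser {u.name}" + (f" password {u.password}" if u.password else "")
    cmds = [add,
            f"set user {u.name} protocol {u.protocol}",
            f"set user {u.name} address {u.address}"]
    if u.netmask:
        cmds.append(f"set user {u.name} netmask {u.netmask}")
    if u.ipxnet:
        cmds.append(f"set user {u.name} ipxnet {u.ipxnet.lower()}")
    cmds.append(f"set user {u.name} idle {u.idle} minutes")
    cmds.append(f"set user {u.name} session-limit {u.session_limit}")
    cmds.append(f"set user {u.name} mtu {u.mtu}")
    if u.maxports is not None:
        cmds.append(f"set user {u.name} maxports {u.maxports}")
    cmds.append(f"set user {u.name} compression {'on' if u.compression else 'off'}")
    # Filters are named only when wanted; omitting Filtername would clear one.
    if u.ifilter:
        cmds.append(f"set user {u.name} ifilter {u.ifilter}")
    if u.ofilter:
        cmds.append(f"set user {u.name} ofilter {u.ofilter}")
    return cmds


if __name__ == "__main__":
    # Constructed example: a remote router with a fixed address and an input filter.
    branch = NetUser("branch1", "s3cret", address="192.168.7.8",
                     netmask="255.255.255.255", idle=10, ifilter="branch.in")
    print("\n".join(commands(branch)))
```

  Run the script on a definition before typing the commands; the validation errors name the limit that would otherwise be rejected or silently misapplied by the PortMaster, and the emitted commands can be checked against show user afterwards.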
 

       Configuring Login Users

  To configure a login user, you must set the login host, apply an optional access filter, set the login service type, and specify a callback telephone number.
 

       Setting the Login Host

  You must define the host to which the user is connected. The login host can be defined in one of three ways. Table 5-3 shows the login host options.
  To set the login host for a login user, use the following command:

  Command> set user  Username host  default |prompt |Ipaddress

  Table 5-3 Login Host Options

  Host Option   Description
  default       Allows the user to log in to the default or alternate host
                specified for this PortMaster. You can specify the default host
                with the set host command. For more information see the
                PortMaster 4 Command Line Reference.
  prompt        Allows the user to log in to a host by IP address or name at the
                time the login session is established.
  Ipaddress     Allows the user to connect only to the host specifically named.
                A valid 39-character hostname or IP address must be entered.
                This configuration is used when you want to allow a user to
                access a specific host. For example, it can be used to allow
                the user carmela to always be connected with the host sales.

 

       Applying an Optional Access Filter

  An access filter is an input filter that restricts hosts users can log in to. Access filters work as follows:
  To apply an access filter to a login user, use the following command:

  Command> set user  Username ifilter  [Filtername]

  Note: You must define a filter in the filter table before you can apply it. For more information about filters, see Chapter 8, "Configuring Filters."

 

       Setting the Login Service Type

  All login users must have an associated login service that determines the nature of their connection with the host.
  The login service  specifies how login sessions are established. Four types of login service are available as described in Table 5-4.

  Table 5-4 Types of Login Service

  Login Service   Function
  portmaster      PortMaster is the default login service and can be used to
                  access any host that has the PortMaster in.pmd daemon
                  installed. This type of login service is preferred because it
                  makes the PortMaster port operate like a serial port attached
                  to the host. This service is the most cost-effective in terms
                  of host resources.
  rlogin          The remote login service rlogin uses the rlogin protocol to
                  establish a login session to the specified host. Generally,
                  rlogin is used on mixed UNIX networks where the PortMaster
                  login service is impractical to use.
  telnet          Telnet is supported on most TCP/IP hosts. This login service
                  should be selected when the PortMaster and rlogin protocols
                  are not available. The default port number is 23, but you can
                  enter another number.
  netdata         The netdata login service creates a virtual connection between
                  the PortMaster port and another serial port on another
                  PortMaster, or between the PortMaster port and a host. This
                  login service creates a clear-channel TCP connection. To
                  connect to another PortMaster port using netdata, you must
                  configure that port as /dev/network with the netdata device
                  service and the same TCP port number. The default netdata port
                  is 6000; however, you can specify any TCP port number between
                  1 and 65535. This range allows TCP/IP to be used with a
                  hardwired connection using an RS232 cable. However, some
                  serial communications protocols, such as FAX, might have
                  potential latency problems.
  To set the login service type for a login user, use the following command:

  Command> set user  Username service portmaster |rlogin |telnet |netdata  [Tport]

 

       Specifying a Callback Telephone Number

  You can configure the login user for callback connections to enhance network security or to simplify telephone charges. When a user logs in, the PortMaster disconnects the user and then dials out to the telephone number specified for that user. The user is reconnected to the host specified in the user table, via the same port on which the user dialed in.
  To enter the callback telephone number for a login user, use the following command:

  Command> set user  Username dialback  String|none 

  To disable callback connections for the user, use the none  keyword.

spider@livingston.com
Copyright © 1999, Lucent Technologies. All rights reserved.