		 LIVINGSTON RADIUS SERVER 2.0.1 RELEASE NOTE


	INTRODUCTION

This Release Note describes the features and bug fixes in the
Livingston RADIUS server release 2.0.1.

Livingston RADIUS server 2.0.1 is now available in binary form for
BSD/OS 2.0, SGI IRIX 5.2, IRIX 6.3, Linux 1.2.13 (ELF),
Linux 2.0.30, IBM RS6000 AIX 4.1.4, Digital Alpha OSF/1 T3.0,
HP/UX 10.01, SunOS 4.1.4, Solaris 2.5.1, and Solaris x86 2.5.1.

Source code for RADIUS 2.0.1 will be released to Livingston customers
in June. 

Before upgrading, read the WARNING below: usernames with spaces are
now rejected, instead of being treated as if the spaces were not present.
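
An added example (not Livingston code) for checking the impact of this change before upgrading: it scans accounting records for logged usernames that 2.0.1 will reject and shows the account 2.0 authenticated them as, using the truncate-at-the-first-space behavior described under Features below. The record layout and the sample records are constructed assumptions.

```python
import re

# Constructed sample records. The layout (timestamp line, tab-indented
# Attribute = value lines, blank line between records) is an assumption.
SAMPLE_DETAIL = '''Tue Jun  3 10:01:12 1997
\tUser-Name = "fred"
\tAcct-Status-Type = Start

Tue Jun  3 10:04:40 1997
\tUser-Name = "fred "
\tAcct-Status-Type = Start

Tue Jun  3 10:09:03 1997
\tUser-Name = "fred baker"
\tAcct-Status-Type = Start

Tue Jun  3 10:15:27 1997
\tUser-Name = "wilma"
\tAcct-Status-Type = Start
'''

USER_NAME = re.compile(r'^[ \t]*User-Name[ \t]*=[ \t]*"([^"]*)"[ \t]*$',
                       re.MULTILINE)


def name_in_2_0(name):
    """RADIUS 2.0: the name is truncated at the first space, then compared."""
    return name.split(" ", 1)[0]


def name_in_2_0_1(name):
    """RADIUS 2.0.1: a name containing a space is rejected (None)."""
    return None if " " in name else name


def upgrade_impact(detail_text):
    """Map each logged name that 2.0.1 rejects to the account 2.0 used."""
    impact = {}
    for name in USER_NAME.findall(detail_text):
        if name_in_2_0_1(name) is None:
            impact[name] = name_in_2_0(name)
    return impact


if __name__ == "__main__":
    for logged, account in sorted(upgrade_impact(SAMPLE_DETAIL).items()):
        print(f"{logged!r} was authenticated as {account!r}; 2.0.1 rejects it")
```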

This release supports both Linux 1.2 and 2.0, and IRIX 5.2 and 6.3.
The next release after this one, RADIUS 2.1, will be the last release
in binary form for Linux 1.2.13 and SGI IRIX 5.2, although source 
will still compile on those platforms.  Future binary releases
after RADIUS 2.1 will run on Linux 2.0 and IRIX 6.3.

Refer to the RADIUS Administrator's Guide for more details of
Livingston RADIUS server features.  Postscript and PDF formats are
available at ftp://ftp.livingston.com/pub/le/doc/manuals/

Report any problems to Livingston Technical Support; contact information
is at the bottom of this message.

	
	CONTENTS

RADIUS 2.0.1 Features
RADIUS 2.0.1 Bug Fixes
RADIUS 2.0.1 Installation


	RADIUS 2.0.1 FEATURES

RADIUS 2.0.1 includes the following features:

1.  Usernames with spaces in them are now rejected, instead of being truncated
    at the space and then compared.  The problem with just truncating is that
    the accounting records would include the space in the username, so unless
    accounting scripts were carefully written, the users "fred", "fred " and
    "fred baker" were all treated differently.  In RADIUS 2.0, all three of
    those would be authenticated as "fred".  In RADIUS 2.0.1 the first will
    be authenticated as "fred" and the second and third will be rejected.
 
    WARNING!  If you depended on the previous behavior of truncating usernames
    at the first space, do not upgrade to this release.  Wait for the source
    release so you can modify the code.

2.  When used with ComOS 3.5 or later, the Password
    in the RADIUS user profile can be up to 48 characters long.

3.  Passwords in the users file can now be encrypted using the
    Crypt-Password check item.  This feature can be used with scripted
    logins or PAP, but not with CHAP.  The format of the Crypt-Password
    string is the same as in the UNIX password file.  Here is an example:

    user	Crypt-Password = "ijFYNcSNctBY"
		Service-Type = Framed-User,
		Framed-Protocol = PPP

    This is equivalent to the following entry, except that CHAP cannot
    be used with Crypt-Password.

    user	Password = "abcdefgh"
		Service-Type = Framed-User,
		Framed-Protocol = PPP

4.  Auth-Type = Reject can now be used to automatically fail authentication.
    The following user will always fail authentication:

    fred	Auth-Type = Reject
		Reply-Message = "Please call 555-4777 to pay your bill"

5.  The Group check-item is supported in RADIUS 2.0.1.
    When Group is specified as a check-item in the user profile, only
    users within that UNIX group can be authenticated.

    The Group attribute is a string specifying the name of the group.

    Example of user profile with one Group:

    username	Auth-Type = System, Group = "eng"
		Service-Type = Framed-User,
       		Framed-Protocol = PPP,
       		Framed-IP-Address = 255.255.255.254,
       		Framed-Routing = None,
       		Framed-Compression = Van-Jacobson-TCP-IP,
       		Framed-MTU = 1500

6.  The Connect-Rate check-item is supported in RADIUS 2.0.1.
    If Connect-Rate is specified as a check-item, that user will fail
    authentication if he attempts to connect to a PortMaster 3 at a
    downstream connect speed faster than the Connect-Rate value.  The
    use of this check-item requires the PortMaster to send Connect-Info
    in the Access-Request, so it requires a PortMaster 3 running ComOS
    3.5.1 or later.  If Connect-Info is not present in the Access-Request
    packet, the Connect-Rate check-item is ignored.  The following
    example would allow a user to connect at 28800bps but not at 33600
    or 56000.

    user	Auth-Type = System, Connect-Rate = 28800
		Service-Type = Framed-User,
		Framed-Protocol = PPP

7.  Support For Administrative Logins

    When used with ComOS 3.5 or later, RADIUS 2.0.1 can authenticate
    administrative logins with two classes of users:

    * administrative users with full configuration ability
      (everything that !root can do)

    * read-only administrative users who cannot change the
      configuration, but can reset ports, reboot, set debug flags, 
      and show status.

    With this feature, rather than requiring everyone in a Network
    Operations Center (NOC) to know the global administrative passwords
    on all the PortMasters, individual accounts can be created to track
    access and limit configuration changes to appropriate personnel.

    In ComOS 3.5 and later, if a RADIUS Access-Accept returns a
    Service-Type of Administrative-User (6), the PortMaster treats it 
    as a !root login. If a RADIUS Access-Accept returns a Service-Type of
    NAS-Prompt-User, a restricted administrative login is granted that has
    permission to use the following commands:

    * ifconfig
    * ping
    * ptrace
    * reboot
    * reset
    * set console
    * set debug
    * show
    * traceroute
    * Any other commands that do not affect the configuration

    A NAS-Prompt-User does not have access to the following commands: add,
    delete, erase, save, tftp, or any set commands other than "set debug"
    and "set console".

    Following are examples of NAS-Prompt-User and Administrative-User
    in the users file:

    !pmmon          Password = "dontuseth1s"
                    Service-Type = NAS-Prompt-User

    !pmconfig       Auth-Type = System, Prefix = "!"
                    Service-Type = Administrative-User
   
    Caution - If you are using your RADIUS server with a combination of
    Livingston products and other vendors' products, confirm one of the
    following:

    * These two Service-Types are not used, or
    * The other vendors' implementation of these two Service-Types is
      compatible with Livingston's implementation

8.  builddbm now prints the number of users file entries and identifies
    the line number of any duplicate entries it finds, instead of quitting
    when it finds duplicates.
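
An added example, not part of the Livingston distribution: an audit of a users file that lists every entry whose reply items grant one of the two administrative Service-Types from feature 7, together with the credential that protects it. The sample file is constructed from entries shown in this note, and the parser assumes the layout those entries use (check items on the first line, reply items on indented lines).

```python
import re

# Constructed users file, built from entries shown in this release note.
SAMPLE_USERS = '''\
!pmmon\tPassword = "dontuseth1s"
\tService-Type = NAS-Prompt-User

!pmconfig\tAuth-Type = System, Prefix = "!"
\tService-Type = Administrative-User

user\tCrypt-Password = "ijFYNcSNctBY"
\tService-Type = Framed-User
'''

ITEM = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')
# Privilege each Service-Type grants on ComOS 3.5 or later, per the note.
ADMIN_LEVEL = {"Administrative-User": "full", "NAS-Prompt-User": "read-only"}


def items(text):
    """Parse 'Attr = value, Attr = "value"' into a dict."""
    return {k: v.strip('"') for k, v in ITEM.findall(text)}


def parse_users(text):
    """Return [name, check_items, reply_items] for each users-file entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():              # indented line: reply items
            if entries:
                entries[-1][2].update(items(line))
        else:                              # first line: name + check items
            parts = line.split(None, 1)
            entries.append([parts[0], items(parts[1] if parts[1:] else ""), {}])
    return entries


def admin_logins(text):
    """List (name, level, credential) for entries granting an admin login."""
    found = []
    for name, check, reply in parse_users(text):
        level = ADMIN_LEVEL.get(reply.get("Service-Type"))
        if level:
            cred = ("cleartext Password" if "Password" in check else
                    "Crypt-Password" if "Crypt-Password" in check else
                    "Auth-Type = " + check.get("Auth-Type", "unspecified"))
            found.append((name, level, cred))
    return found
```

Calling admin_logins() on the text of a users file returns one tuple per administrative entry; entries reported as "cleartext Password" are the ones whose administrative password is readable by anyone who can read the file.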


	RADIUS 2.0.1 BUG FIXES

radiusd on Linux 1.2, Linux 2.0, and BSD/OS 2.0 would exit on signal 100 when
the accounting server died in find_client().  This has been fixed.

Unknown RADIUS packet types would cause the server to dump core.
It now prints an error message and ignores the packet.

Some non-Livingston RADIUS clients incorrectly pad RADIUS requests with
garbage data at the end of the packet.  The server now ignores such
padding.
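
The two fixes above as an added example (not the radiusd source): a request parser that ignores unknown packet types and trusts the Length field in the header, treating any bytes beyond it as padding. The header layout is the standard RADIUS one; the set of accepted codes and the build() helper for constructed test packets are assumptions.

```python
import struct

HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096    # largest RADIUS packet
# Request codes a server answers; which ones radiusd accepts is assumed here.
KNOWN_REQUESTS = {1: "Access-Request", 4: "Accounting-Request"}


def parse_request(datagram):
    """Return (code_name, identifier, attributes), or None to drop the packet."""
    if len(datagram) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if code not in KNOWN_REQUESTS:
        return None                       # unknown type: report and ignore
    if not HEADER_LEN <= length <= MAX_LEN or length > len(datagram):
        return None                       # Length is impossible or truncated
    body = datagram[HEADER_LEN:length]    # bytes past Length are padding
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            return None                   # dangling attribute header
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            return None                   # attribute overruns the packet
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    return KNOWN_REQUESTS[code], ident, attrs


def build(code, ident, attrs=b"", padding=b""):
    """Constructed test packet: zero authenticator, optional trailing junk."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs + padding


if __name__ == "__main__":
    user_name = bytes([1, 6]) + b"fred"   # attribute type 1 (User-Name)
    print(parse_request(build(1, 7, user_name, padding=b"\xde\xad\xbe\xef")))
    print(parse_request(build(99, 7, user_name)))
```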

Exiting from menus with Menu="EXIT" used to print Invalid Login and present
another login prompt.  It now hangs up the line, as it should.

There was a race condition when spawning and reaping child processes
that could cause excess "Dropping duplicate ID" messages on some
machines.  This has been fixed.

In 2.0, changes to the clients file were not reflected in the client
cache until the second access-request packet came in.  In 2.0.1, the
cache will be updated as soon as the next access-request comes in.

The SecurID support in 2.0.1 now calls sd_close() properly.


	RADIUS 2.0.1 INSTALLATION

FTP the RADIUS distribution for your platform from
ftp://ftp.livingston.com/pub/le/software/Platform/radius_2.0.1_Platform.tar.Z
and then follow the installation instructions in the RADIUS
Administrator's Guide.  Use caution when updating to avoid overwriting
your existing users or clients files!

The following example shows the commands to update an existing 
RADIUS 2.0 server on SunOS 4.1.4.

mkdir /var/tmp/rad201
cd /var/tmp/rad201
ftp ftp.livingston.com
(enter anonymous)
(enter your e-mail address; it will not echo)
binary
cd /pub/le/software/sun4
get radius_2.0.1_sun4_4.1.tar.Z rad.tar.Z
quit
uncompress rad.tar.Z
tar xvf rad.tar
rm rad.tar
mv /etc/radiusd /etc/radiusd.old
mv /etc/raddb/dictionary /etc/raddb/dictionary.old
mv sun4_4.1/radiusd /etc/radiusd
mv radius/raddb/dictionary /etc/raddb/dictionary

(kill the existing radiusd)
/etc/radiusd

If you are using the DBM version of radiusd (recommended), after
killing the existing radiusd, instead of running /etc/radiusd use
these three commands:

cd /etc/raddb
/etc/raddb/builddbm
/etc/radiusd -b	

If you have any problems, report them to Livingston Technical Support,
and be sure to mention that you're running radiusd version 2.0.1.

ftp://ftp.livingston.com/pub/le/software/	Platform
alpha/radius_2.0.1_alpha_T3.0.tar.Z		Digital Alpha OSF/1 T3.0
bsdi/radius_2.0.1_BSDOS_2.0.tar.Z		BSD/OS 2.0
hp/radius_2.0.1_hp9000_10.01.tar.Z		HP/UX 10.01
linux/radius_2.0.1_Linux_1.2.tar.Z		Linux 1.2.13 (ELF)
linux/radius_2.0.1_Linux_2.0.tar.Z		Linux 2.0.30 (ELF) (new)
rs6000/radius_2.0.1_RS6000_4.1.tar.Z		AIX 4.1
sgi/radius_2.0.1_IRIX_5.2.tar.Z			IRIX 5.2
sgi/radius_2.0.1_IRIX_6.3.tar.Z			IRIX 6.3 (new)
sun4/radius_2.0.1_sun4_4.1.tar.Z		SunOS 4.1.4
sun4/radius_2.0.1_sun4_5.5.tar.Z		Solaris 2.5.1
sun86/radius_2.0.1_sun86_5.5.tar.Z		Solaris x86 2.5.1



___________________________________________________________________________

Copyright and Trademarks
 
Copyright 1997 Livingston Enterprises, Inc. All rights reserved.

The Livingston logo and the names Livingston, PortMaster, ComOS,
RADIUS, ChoiceNet, PMconsole, IRX, True Digital, and RAMP are
trademarks of Livingston Enterprises, Inc.  ProVision is a service mark
of Livingston Enterprises, Inc. All other marks are the property of
their respective owners.

Notices

Livingston Enterprises, Inc. makes no representations or warranties
with respect to the contents or use of this manual, and specifically
disclaims any express or implied warranties of merchantability or
fitness for any particular purpose. Further, Livingston Enterprises,
Inc. reserves the right to revise this publication and to make changes
to its content, any time, without obligation to notify any person or
entity of such revisions or changes.

Contacting Livingston Technical Support

Livingston Enterprises provides technical support via voice, FAX, and
electronic mail. Technical support is available Monday through Friday
6am-5pm Pacific Time (GMT-8).

To contact Livingston Technical Support by voice, dial 1-800-458-9966
within the US or 1-510-737-2100 outside the US; by FAX, dial
1-510-737-2110; by electronic mail, send mail to
support@livingston.com; and through the World Wide Web at
http://www.livingston.com/.

