			ComOS 3.4.2L Release Note


		Introduction

The new Livingston Enterprises ComOS(tm) 3.4.2L software release is now
available for the PortMaster(tm) OR-M, OR-U, OR-LS, OR-HS, and OR-ST.
This release is provided at no charge to all Livingston customers. The
following document describes the features of the ComOS 3.4.2L software
release and how to upgrade your PortMaster Office Router. Upgrade
instructions are included at the end of this release note.

WARNING! YOU MUST USE PMINSTALL VERSION 3.3.1 OR LATER TO PERFORM THIS
UPGRADE!  If you are upgrading using PMconsole for Windows, you must
use PMconsole for Windows version 1.1 or later.  See "Upgrade
Instructions" below for more information.  If you have any port speeds
set to 115200 and upgrade to ComOS release 3.4.2L and later downgrade
to any earlier release you must set the port speeds again after
downgrading.


		Contents

Introduction
Contents
New Features in ComOS 3.4.2L
Bug Fixes in ComOS 3.4.2L
RADIUS for Outbound Users
RADIUS Accounting Terminate Cause
Upgrade Instructions


		New Features in ComOS 3.4.2L

ComOS 3.4.2L includes the following new features:

 * Support for International ISDN
 * Command to show flash file system
 * Session Termination Cause logging in RADIUS Accounting
 * RADIUS Outbound-User support
 * TCP port number for Login User in RADIUS Accounting
 * Maximum Receive Unit increased to 1520 bytes
 * PAP and CHAP for Dialback PPP users
 * Easier configuration of CHAP for dial-out Locations
 * ChoiceNet without RADIUS
 * Set all command made easier
 * Debug off command

	Support for International ISDN

Support for International ISDN using the OR-ST has been added.  The
OR-ST is the PortMaster ISDN Office Router for use in Europe, Japan,
and other countries using international ISDN standards.  New ISDN
switch type settings for "setisdn-switch" are listed in the following
table.

set isdn-switch Used for
_______________ ________
net3            EuroISDN standard (includes Swiss extensions)
vn2             France - Older switch type
vn3             France - Older switch type
vn4             France - Current National switch type
1tr6            Germany - Older switch type
ntt             Japan
kdd             Japan

A change in switch type does not take effect until the PortMaster is
rebooted.

	Command to show flash file system

The "show files" command has been added to display how much of the 128
KB flash configuration file system is in use. Output also shows file
names. Files are:

File            Contents
________        ________
confdata        Extensions to port configurations, ether1, RADIUS
config          Global configuration and standard port configurations
passwd          User Table
hosttab         Host Table
routes          Static Routes
location        Location Table, except for chat scripts
script          Chat Scripts for the Location Table
snmp            SNMP
filters         IP filters
listnames       ChoiceNet list IDs contained in filters
ipxfilt         IPX filters
sapfilt         SAP filters
netmasks        Static Netmask Table
modem           Modem Table

	Session Termination Cause logging in RADIUS Accounting

RADIUS accounting now reports the reason for session termination.
In addition, the new "set debug termination on" command displays more
detailed port terminations to the system console as well as sending
these messages to syslog. See "RADIUS Accounting Terminate Cause" below
for more information on termination causes and how to edit the RADIUS
dictionary file to take advantage of them.

	RADIUS Outbound-User support

The PortMaster now supports the RADIUS Outbound-User service-type.
In addition, the PortMaster logs outbound user activity to RADIUS
accounting. See "RADIUS for Outbound Users" below for information on
using this feature.

IMPORTANT NOTE: If you are currently using outbound Telnet security
with RADIUS you must change those entries in your RADIUS users file to
use Service-Type=Outbound-User when you upgrade to ComOS release 3.4.2L.

	TCP port number for Login User in RADIUS Accounting

The Telnet and Netdata TCP port number is now identified in RADIUS
accounting. Previously, Login Users sent to a host with Telnet would be
identified only as using the Telnet service even if they were directed
by RADIUS to a TCP port number other than 23. In ComOS release 3.4.2L,
if the user is sent to a port other than 23 RADIUS accounting reports
the TCP port number. This is useful for determining whether the user
was sent to a special service on the identified host. Accounting
records for Login Users using the Netdata (TCP-Clear) login service now
always include the TCP port number.

	Maximum Receive Unit increased to 1520 bytes

LCP now allows the remote end to request (via a NAK) a maximum receive
unit of up to 1520 bytes instead of the previous limit of 1500. This
accommodates some Multilink PPP implementations which use a MRU larger
than 1500 bytes.

	PAP and CHAP for Dialback PPP users

PAP and CHAP authentication support has been added for Dialback PPP users.

	Easier configuration of CHAP for dial-out Locations

The new command "set location Location_Name chap [ on|off ]" has been
added to make outbound CHAP authentication easier to configure. When
"chap on" is set for the location, the PortMaster requires that it be
authenticated using CHAP on an outbound dial. The username and password
entered in the location table are used as the "system identifier" and
"MD5 secret" in the CHAP authentication. Use of this feature eliminates
the need to use the sysname and user table configurations for CHAP
unless the device being dialed to also sometimes dials into the
PortMaster. The default setting is "chap off".

	ChoiceNet without RADIUS

ChoiceNet can now be used without RADIUS, using the commands
"set choicenet Ipaddress" and "set choicenet-secret String".

	Set All command made easier

The "set all" command no longer affects the W1 port
Now it affects only ports S0-2.

The command "set all network dialin" is now supported.

	Debug off command

The command "set debug off" has been added. This command clears all
debug settings which are currently active in the PortMaster.


		Bug Fixes in ComOS 3.4.2L

The following bugs have been fixed in ComOS 3.4.2L.

	Zero Length Filters are now ignored

Zero length filters applied to Ethernet interfaces are now treated as
permit filters. That is, if a filter has no rules at all it now permits
everything through. If it has one or more rules then anything not
explicitly permitted by a rule is denied at the end of the filter.

	Ports using ChoiceNet can be reset safely

Previously, resetting or disconnecting a port which is waiting for
ChoiceNet to upload a dynamic packet filter would cause the PortMaster
to reboot. This has been fixed; ports can now be reset without causing
a problem.

	State Attribute cleared properly

Previously the RADIUS State attribute could be inadvertently retained
between login sessions, displaying the wrong RADIUS menu when users
logged on. This has been fixed. (RADIUS menus are supported in the
RADIUS 2.0 server, to be released later.)

	Too-long Filter-Id Attributes now truncate

Previously, a RADIUS Filter-Id attribute longer than 12 characters for
PPP users would cause the PortMaster to reboot. This has been fixed. A
Filter-Id longer than 12 characters is now truncated to 12 characters
before appending the ".in" and ".out" to the filter name.

	Host Prompt now works over ISDN

Previously an ISDN port set for host prompt would not echo characters
back to the user. This has been fixed.

	Location username now deletes properly

Previously, adding a username to a location, deleting the location, and
adding the location again would bring back the username entry. The
username is now properly deleted when the location is deleted.

	Extraneous console message removed

If a user dials in and negotiates IPX while the console is set, the
console gets a burst of "e_getpacket: no packet available" messages at
the end of negotiations. These are harmless, but have been removed.

	Commands fixed

The usage statement for ptrace has been fixed.

Previously, only the command "save host" would save the PortMaster
Hosts Table. The plural form "save hosts" is now supported as well.

	RADIUS for Outbound Users

RADIUS on the PortMaster now supports Service-Type=Outbound-User, used
to authenticate users gaining outbound access to network device ports.

If you do not have any ports set to "device /dev/network" or "twoway
/dev/network" you can ignore this entire section, it does not apply to
you. If you do have any ports set to "device /dev/network" or "twoway
/dev/network" and have been using RADIUS to authenticate outbound
users, you should read this section carefully and understand it
completely before upgrading to this release, because things will work
differently after the upgrade.

In ComOS release 3.4.1L and earlier, to allow users to access the modems
for outbound dialing across your network but require a password for
such access, you set the port up like this (after first moving your
telnet administration port to something other than 23 with a command
like "set telnet 24"):

set s1 device /dev/network
set s1 service_device telnet 10000
save s1
reset s1

And then set up a user like this in the PortMaster User Table:

add user fred
set user fred password What4ever
set user fred service telnet 10000
set user fred host &gt;PortMaster ether0 IP address&lt;
save user

A user can then telnet to the PortMaster at the usual telnet port of
23, get a login prompt, enter "fred", get a password prompt, enter
"What4ever", and would be connected to the device connected to port s1,
typically a modem. You can pool multiple ports together by setting
their service device telnet port to the same number. Any port number
between 10000 and 10100 has this special property.

In ComOS 3.4.2L and later this behavior has changed. In 3.4.2L, you set up
the port the same way as before, but now when the user telnets to port
23 and gives his username and password, the PortMaster first checks the
local User Table, as it did before. If the user is not found in the
local User Table and the PortMaster is configured to use a RADIUS
server, the PortMaster sends a RADIUS Access-Request to the RADIUS
server with the hint that Service-Type (6) = Outbound-User (5).

If the PortMaster receives back an Access-Accept from the RADIUS server
with Service-Type = Outbound-User, it allows the user to connect to the
port. Check your /etc/raddb/dictionary file for the exact spelling of
attribute 6 and value 5.

An example entry in the /etc/raddb/users file for an Outbound-User
follows:

fred    Password = "What4ever", Service-Type = Outbound-User
        Service-Type = Outbound-User,
        Login-Service = Telnet,
        Login-TCP-Port = 10000

Note that the user file can only have one entry named "fred". If fred
is already used in the RADIUS users file as a different kind of user,
you must use a different username to dial out with. RADIUS 2.0 will
make this easier.


		RADIUS Accounting Terminate Cause

Release 3.4.2L has added support for the RADIUS Accounting
Acct-Terminate-Cause attribute to provide information on the cause of
session termination. In addition, if termination debugging is turned on
using the "set debug termination on" command, additional termination
information is sent to syslog (auth.info) and the system console.

Before upgrading the PortMaster, update your /etc/raddb/dictionary file
by adding the following lines, kill your radiusd and restart it. An
updated dictionary file is available at
ftp://ftp.livingston.com/pub/le/radius/dictionary.

ATTRIBUTE       Acct-Terminate-Cause    49      integer

VALUE           Acct-Terminate-Cause    User-Request            1
VALUE           Acct-Terminate-Cause    Lost-Carrier            2
VALUE           Acct-Terminate-Cause    Lost-Service            3
VALUE           Acct-Terminate-Cause    Idle-Timeout            4
VALUE           Acct-Terminate-Cause    Session-Timeout         5
VALUE           Acct-Terminate-Cause    Admin-Reset             6
VALUE           Acct-Terminate-Cause    Admin-Reboot            7
VALUE           Acct-Terminate-Cause    Port-Error              8
VALUE           Acct-Terminate-Cause    NAS-Error               9
VALUE           Acct-Terminate-Cause    NAS-Request             10
VALUE           Acct-Terminate-Cause    NAS-Reboot              11
VALUE           Acct-Terminate-Cause    Port-Unneeded           12
VALUE           Acct-Terminate-Cause    Port-Preempted          13
VALUE           Acct-Terminate-Cause    Port-Suspended          14
VALUE           Acct-Terminate-Cause    Service-Unavailable     15
VALUE           Acct-Terminate-Cause    Callback                16
VALUE           Acct-Terminate-Cause    User-Error              17
VALUE           Acct-Terminate-Cause    Host-Request            18

The following simple script produces a list of termination causes seen.
Note that this script does not remove duplicates, so it provides only
an approximate count.

cat /var/adm/radacct/*/detail | grep Acct-Terminate-Cause | \ sort | uniq -c


Here are the syslog messages and their meanings. Where a message would
also go to RADIUS Accounting, the Acct-Terminate-Cause is included in
the syslog message before the dash. In normal operation you would
expect to see User-Request, Host-Request, and Lost-Carrier, although
Lost-Carrier can be caused by the user hanging up his end of the
connection or by line or modem problems.

	Admin Reset

Port was reset by administrator. Also sent to RADIUS Accounting if a
session was active on the port.

	Callback

Callback User is disconnected so the port can be used to call user
back.

	Cause Unknown

Contact Livingston Technical Support.

	Host Request - PMD

Disconnected or logged out from host using in.pmd service. This can
mean either normal termination of a login session, or the remote host
has crashed or become unreachable. Also sent to RADIUS Accounting.

	Host Request

Disconnected or logged out from host. This can mean either normal
termination of a login session, or the remote host has crashed or
become unreachable. Also sent to RADIUS Accounting.

	Idle Timeout

Idle timer expired for user or port. Also sent to RADIUS Accounting.

	Login Timeout

The login:, password:, or host: prompt is set to timeout after five
minutes with no input and has done so.

	Lost Carrier

Session terminated when modem dropped DCD. This can either mean the
user or his modem hung up the phone from their end, in which case there
is no problem, or can mean that the line was dropped or took a noise
hit too severe for the modems to recover from, or can mean that the
local modem dropped DCD for some other reason. Also sent to RADIUS
Accounting.

	Lost Service - Interface Down

Contact Livingston Technical Support.

	Lost Service - Interface Error

Contact Livingston Technical Support.

	Lost Service - Invalid Network Handle

Contact Livingston Technical Support.

	Lost Service - LMI

A Frame Relay interface missed six consecutive LMI replies.

	Lost Service - No netbufs

No netbufs are available for service. Contact Livingston Technical
Support.

	NAS Error - PPP Unknown State

The PortMaster could not determine state of PPP. Contact Livingston
Technical Support.

	NAS Request - Modem Config Complete

The Modem table entry has finished initializing the modem attached to
the port.

	NAS Request - PPP Maximum Retransmissions

PPP negotiations failed after the PortMaster sent 10 configuration
requests. This is caused by a configuration error on the client,
PortMaster, or RADIUS user entry.

	No Event Identified

Contact Livingston Technical Support.

	Port Error - PPP Couldn't Send

The PortMaster could not send PPP negotiation. Check that the port and
modems at both ends are properly configured for hardware flow control
(RTS/CTS); if the problem still occurs, contact Livingston Technical
Support.

	Port Error - PPP Loop Detect

The PortMaster saw its own Magic Number in an LCP Configuration
Request. The two most likely causes are either that our modem is in
echo mode or that we dialed into a UNIX system and it is echoing our
packets back to us. In the former case, correct the configuration in
the modem. In the latter case, change the chat script in the location
table entry on the PortMaster to expect "~" instead of "PPP".

	Port Error - Spurious Interrupts

Attached device is causing too many interrupts, so the PortMaster reset
the port. Also sent to RADIUS Accounting if a session was active on the
port.

	Port Error - Unknown State

Contact Livingston Technical Support.

	Port Error - Wrong Type

Port is configured for login users only and a network user is trying to
log in, or vice versa. To configure ports appropriately:

set all login                           Login users only
set all network dialin                  Network users only
set all login network dialin            Both

	Service Unavailable - Access Denied

The port Access Filter does not permit connection to requested host. If
you get this message and you wish to allow a connection to the host:

 * If you did not intend to use an access filter, remove the
ifilter from the port with "set Port ifilter".
 * If you are using an access filter, check your filter rules.

	Service Unavailable - Auth Failed

Three attempts by the user to authenticate at the login: prompt have
failed, so the user is disconnected.

	Service Unavailable - Device

Port is set for host device but in.pmd or the pseudo-tty configured is
unavailable. This gets logged once per second until the situation is
corrected.

	Service Unavailable - Host

Login session was unable to connect to host. The most common cause is
that the host is down or refusing connections or not running in.pmd or
rlogind.

	Service Unavailable - PPP Auth Failed

Contact Livingston Technical Support.

	Service Unavailable - PPP CHAP Auth Failed

The user's PPP CHAP authentication failed.

	Service Unavailable - PPP No Protocol

Neither IP nor IPX was negotiated for PPP, so no service can be
provided. This is a configuration error for either the dial-in client
or the user entry.

	Service Unavailable - PPP Outbound PAP Auth Failed

PortMaster dialed out to another site and was being authenticated by
PAP but failed, so the PortMaster is hanging up. (Note that if we are
authenticated by CHAP and fail, it is the responsibility of the other
end to hang up.)

	Service Unavailable - PPP PAP Auth Failed

The user's PPP PAP authentication failed.

	Session Timeout

Session timer expired for user. Also sent to RADIUS Accounting.

	User Error - PPP LCP Protocol Reject

The PortMaster received a LCP Protocol Reject. This should never
happen; it indicates there is a bug in the software of the remote
system since the remote system is claiming it does not support LCP.

	User Error - PPP NCP Active to Reply

PortMaster received a PPP Configuration ACK when a session was already
established, so it terminated the session. This is caused by a PPP
implementation error in the dial-in client. Also sent to RADIUS
Accounting.

	User Error - PPP NCP Active to Request

PortMaster received a PPP Configuration Request when a session was
already established, so it terminated the session. This is caused by a
PPP implementation error in the dial-in client. Also sent to RADIUS
Accounting.

	User Request - Admin Quit

Quit command issued from the command line interface.

	User Request - PPP Term Ack

Dial-in client requested that we terminate immediately without sending
an acknowledgment. This message is expected from a proper PPP client
termination. Also sent to RADIUS Accounting.

	User Request - PPP Term Req

Dial-in client requested that we send a Termination ACK and then
terminate. This message is expected from a proper PPP client
termination. Also sent to RADIUS Accounting.

	Upgrade Instructions

WARNING! YOU MUST USE PMINSTALL VERSION 3.3.1 OR LATER TO PERFORM THIS
UPGRADE!  If you are upgrading using PMconsole for Windows, you must
use PMconsole for Windows version 1.1 or later.

If you have any port speed set to 115200 and downgrade from ComOS release
3.4.2L to any earlier release you will need to set the port
speed again after downgrading.

The 3.4.2L upgrade image is available for the PortMaster Office Router at
ftp://ftp.livingston.com/pub/le/upgrades/or_3.4.2L.

An updated RADIUS dictionary file is available at
ftp://ftp.livingston.com/pub/le/radius/dictionary.  If you are using
RADIUS you should FTP that file and copy it to /etc/raddb/dictionary on
your RADIUS server host, then kill and restart the RADIUS server daemon
(radiusd).

If you do not have pminstall installed you can FTP the PMconsole
tarfile from ftp://ftp.livingston.com/pub/le/software/ and install it
as follows:

umask 22
mkdir /usr/portmaster
cd /usr/portmaster
ftp.ftp.livingston.com
    anonymous
    (enter your email address)
    binary
    cd pub/le/radius
    get dictionary
    cd ../upgrades
    get or_3.4.2L
    cd ../software/sun4
    get pm2_3.3.1_sun4.tar
    quit
tar xf pm2_3.3.1_sun4.tar
mv or_3.4.2L data/or_3.4.2L
./pminstall
cp dictionary /etc/raddb/dictionary
mv dictionary radius/raddb/dictionary

Choose the Upgrade PortMaster option in pminstall, choose pm2_3.4.2L
from the menu of upgrade choices, enter your PortMaster's hostname or
IP address, and enter your PortMaster's administrative password.
pminstall upgrades your PortMaster to ComOS 3.4.2L.

The upgrade does not affect your stored configuration in the
PortMaster; however if you would like to backup your PortMaster
configuration before upgrading, run pmreadconf:

cd /usr/portmaster
./pmreadconf Pmname Pmpassword data/Pmname.conf
chmod 600 data/pmname.conf


		Copyright and Trademarks

Copyright 1996 Livingston Enterprises, Inc. All rights reserved.

The product names, "ComOS," "IRX," "PortMaster," "PMconsole," and
"TelePath" are trademarks belonging to Livingston Enterprises, Inc.

All brand product names mentioned in this document are trademarks or
registered trademarks of their respective manufacturers.


		Notices

Livingston Enterprises, Inc. makes no representations or warranties
with respect to the contents or use of this manual, and specifically
disclaims any express or implied warranties of merchantability or
fitness for any particular purpose. Further, Livingston Enterprises,
Inc. reserves the right to revise this publication and to make changes
to its content, any time, without obligation to notify any person or
entity of such revisions or changes.


		Contacting Livingston Technical Support

Every Livingston PortMaster or IRX product comes with free lifetime
software technical support and a one year hardware warranty. Livingston
Enterprises provides free technical support via voice, FAX, and
electronic mail. Technical support is available Monday through Friday
6am-5pm Pacific Time (GMT-8).

To contact Livingston technical support by voice, dial 1-800-458-9966
within the US or 1-510-426-0770 outside the US, by FAX, dial
1-510-426-8951, by electronic mail, send mail to support@livingston.com,
and through the World Wide Web at http://www.livingston.com/.
