






            Disclaimer

            DISCLAIMER OF WARRANTY

            THIS SOFTWARE AND MANUAL ARE SOLD "AS IS" AND WITHOUT
            WARRANTIES AS TO PERFORMANCE OF MERCHANTABILITY OR ANY OTHER
            WARRANTIES WHETHER EXPRESSED OR IMPLIED.  BECAUSE OF THE
            VARIOUS HARDWARE AND SOFTWARE ENVIRONMENTS INTO WHICH THIS
            PROGRAM MAY BE PUT, NO WARRANTY OF FITNESS FOR A PARTICULAR
            PURPOSE IS OFFERED.  GOOD DATA PROCESSING PROCEDURE DICTATES
            THAT ANY PROGRAM BE THOROUGHLY TESTED WITH NON-CRITICAL DATA
            BEFORE RELYING ON IT.  THE USER MUST ASSUME THE ENTIRE RISK
            OF USING THE PROGRAM.  ANY LIABILITY OF THE SELLER WILL BE
            LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR REFUND OF
            PURCHASE PRICE.






                          Copyright 1996 by Richard Wagner



































                                                                       i






























































                                                                      ii






            Table of Contents

            Disclaimer................................................i


            Introduction..............................................1

               How it works............................................1
               Requirements............................................1

            NetWare Directory Services................................2

               Installation............................................2
               Access Control..........................................2
                 Setting up your first user (Windows).................3
                 Setting up your first user (DOS).....................7
               Authentication.........................................10
               Shortcuts..............................................10

            Bindery Servers..........................................12

               Installation...........................................12
               Authentication.........................................12
                 Group Membership....................................12

            Operation................................................13

               The Status Window......................................13
               Statistics Window......................................13
               Online Log.............................................14

            Options..................................................15


            Tips.....................................................16


            Problems.................................................17


            Technical Support........................................18


            Uninstalling.............................................19



















                                                                     iii






























































                                                                      iv







            Introduction


            TACACS Server is a NLM based server that responds to
            username/password requests via the Extended TACACS (XTACACS)
            protocol. It is specifically designed to work with cisco
            terminal servers, but should work with any TACACS client.


            How it works

            When a user authenticates into a cisco server, they enter
            username@machine.name followed by a password. The cisco
            server then authenticates the username/password with the
            machine specified via the TACACS protocol. If the
            username/password is valid the cisco server allows the
            connection. At certain times after this connection is
            opened, the cisco server may send or request additional
            information to the authorizing machine. Once TACACS Server
            is installed on the NetWare server and the NetWare server is
            specified as a valid host within the cisco servers, users
            can authenticate with their NDS or bindery usernames. No
            Un*x host is required.



            Requirements

            TACACS Server for NetWare requires either a NetWare 4.1 or
            NetWare 3.12 file server.  Under NetWare 4.1 a single server
            can service requests for an entire NDS tree.

            The server memory requirements for TACACS Server for NetWare
            vary.  The base NLM requires 500K of memory.  Each handler
            requires an additional 50K and each queue requires 5K.
            Therefore, in the default configuration the memory
            requirement would be Base (500K) +  Handlers (5 * 50K) +
            Queues (20 * 5K) for a total of 850K.




















                                                                       1







            NetWare Directory Services


            Installation

                 1. 
                    Configure your cisco servers to allow requests from
                    your NetWare servers registered DNS name. Please
                    consult your printed cisco manuals, UniverCD, or
                    http://www.cisco.com for assistance.

                     Make a note of the IP addresses that you want to
                      allow TACACS authentication from.

                 2. 
                    With NWAdmin (Windows) or NetAdmin (DOS) create a
                    user for TACACS Server to login as. A suggested name
                    is TACACS.

                     For this user, make sure to set login restrictions
                      so that the user can only login from the NetWare
                      server. Do so by specifying the NetWare servers
                      internal network number as the network number, and
                      1 as the node number. You should see something
                      like 00004000:000000000001 as the complete network
                      address when completed.

                     Set the user to have unlimited number of logins.

                     A password is not required and is not recommended.
                      If you choose to use a password please record it,
                      as it will need to be entered into the TACACS.RSP
                      file.

                 3. 
                    Copy TACACS.NLM and TACACS.RSP to SYS:SYSTEM.

                 4. 
                    Copy your license file, TACACS.LIC to either
                    SYS:SYSTEM or SYS:ETC.  SYS:ETC is recommended for
                    better security.

                 5. 
                    Edit TACACS.RSP.  See OPTIONS for details.

                 6. 
                    Installation is now complete. To start TACACS
                    Server, type LOAD TACACS.NLM @TACACS.RSP on NetWare
                    server console.


            Access Control

            Granting and removing TACACS access is extremely easy as all
            management is done through tools you already know, either
            NWAdmin for Windows users or NetAdmin for DOS users.

            Access control for a user is determined by the TACACS user
            NDS rights.  To authorize a user grant the TACACS user Read
            rights to [All Properties Rights] for the user your want to
            authorize.  Unless the TACACS user has these rights users
            will not be authenticated and requests will always be
            denied.




                                                                       2






            With Directory Services powerful flow down and inheritance
            filters you can configure just about any combination of user
            access.  For example: To grant everybody in a container
            TACACS authorization, make the TACACS user a trustee of the
            container itself. The trustee rights will flow down to all
            users in that container and all sub-containers.  If you
            later want to disallow access to a guest user then make the
            TACACS user a trustee of the guest user, but set the [All
            Properties Rights] to None.


            Setting up your first user (Windows)

            If you are not already logged in as a user with sufficient
            rights to manipulate the Access Control Lists of objects, do
            so now.  If in doubt, login as Admin.

            In the following screen images the TACACS user is
            tacacs.cafe.tc.umn_edu and the user we are giving
            authorization to is PatUser.admin.cafe.tc.umn_edu.

                 1. 
                    Start NWAdmin.  This should be located in
                    SYS:PUBLIC.

                 2. 
                    Locate the user to grant TACACS access and highlight
                    them. From the Object menu select Trustees of this
                    Object.
































                                                                       3






                 3. 
                    Grant the TACACS user rights to the user by pressing
                    the Add Trustee button.






















































                                                                       4






                 4. 
                    Walk the tree and locate the TACACS user.  Highlight
                    the TACACS user and press the OK button.






















































                                                                       5






                 5. 
                    By default the TACACS user is assigned Object
                    Rights-Browse and All Properties-Compare/Read.
                    Verify that the rights are correct.


























                 6. 
                    Click OK.  The user is now authorized to use the
                    TACACS server.


























                                                                       6







            Setting up your first user (DOS)

            If you are not already logged in as a user with sufficient
            rights to manipulate the Access Control Lists of objects, do
            so now.  If in doubt, login as Admin.

                 1. 
                    Start NetAdmin by typing

                      NETADMIN

                 2. 
                    From NetAdmin menu select Manage Objects.

















                 3. 
                    You will be presented with a list of the objects in
                    your current context. Locate and highlight the user
                    that you wish to have access.
                    Note: You may also type Insert again and walk the
                    tree to locate the user.

























                                                                       7






                 4. 
                    Once you have located your user, hit Enter to edit
                    the user and select View or edit the trustees of
                    this object.


















                 5. 
                    Now select Trustees.



































                                                                       8






                 6. 
                    You are now presented with a list of the current
                    trustees for the user.  Hit Insert and enter the
                    complete name of the TACACS Server user.
                    Note: You may also type Insert again and walk the
                    tree to locate the TACACS user.


















                 7. 
                    Highlight [All Properties Rights] and hit Enter.

































                                                                       9






                 8. 
                    By default the new trustee assignment contains Read.
                    This is all the rights that are required!


















                 9. 
                    You may now exit or repeat this procedure for
                    additional users.


            Authentication

            When the user connects to the cisco server they must enter
            their full context name. (e.g., rwagner.dept.umn) unless
            using shortcuts (see below).

            With multiple authorized TACACS servers, users must also
            enter a machine name (e.g.,
            rwagner.dept.umn@nw41.is.umn.edu). It's recommended in these
            situations to add an additional DNS name for your Novell
            server (e.g., nds.umn.edu).


            Shortcuts

            Shortcuts are a method of simplifying the user names that
            are entered for authentication (see Options below for
            syntax).  With shortcuts, you can configure your system so
            users can just enter their Common Name instead of their full
            context names.

            When the username is received by the server it is first
            treated as a full context name.  If that user does not exist
            then each shortcut is appended to the user name and checked
            for existence.  The first user object located with that name
            is the user that will be processed.

            Example:

            To shorten the login names for Provo.Utah.Company.USA users,
            define a shortcut of Provo.Utah.Compary.USA.  With that set
            the user Pat.Provo.Utah.Company.USA can just enter Pat for
            the username.



                                                                      10






            Note: To guarantee adequate performance with shortcuts,
            ensure that the server running TACACS Server has replicas of
            all the partitions that have shortcuts defined.





















































                                                                      11







            Bindery Servers


            Installation

                 1. 
                    Configure your cisco servers to allow requests from
                    your NetWare servers registered DNS name. Please
                    consult your printed cisco manuals, UniverCD, or
                    http://www.cisco.com for assistance.

                     Make a note of the IP addresses that you want to
                      allow TACACS authentication from.

                 2. 
                    Copy TACACS.NLM and TACACS.RSP to SYS:SYSTEM on the
                    destination server.

                 3. 
                    Copy your license file, TACACS.LIC to either
                    SYS:SYSTEM or SYS:ETC.  SYS:ETC is recommended for
                    better security.

                 4. 
                    Edit TACACS.RSP.  See OPTIONS for details.

                 5. 
                    Create either a TACACS or NOTACACS group as defined
                    below.

                 6. 
                    Installation is now complete. To start TACACS
                    Server, type LOAD TACACS.NLM @TACACS.RSP on the
                    NetWare server console.


            Authentication

            When the user connects to the cisco server they must enter
            their normal bindery username.

            With multiple authorized TACACS servers, users must also
            enter a machine name (e.g., rwagner@nw312.is.umn.edu). In
            these situations I highly recommend adding an additional DNS
            name for each Novell server that is easy for people to
            remember.


            Group Membership

            Authentication is based on one of two methods.

                 1. 
                    Only explicitly authorized users.  To utilize this
                    method create a TACACS group (with SYSCON).  You may
                    then authorize individual users by making them group
                    members.

                 2. 
                    Everybody except those explicitly denied. To utilize
                    this method create a NOTACACS group (with SYSCON).
                    At this point everybody on your server is
                    authorized.  To revoke users (such as GUEST or
                    PUBLIC) add those users to the NOTACACS group.

            Please note that only one of the two groups may exist.  If
            you decide at some point to switch methods, you must delete
            the initial group before creating the new group.



                                                                      12







            Operation



















            The Status Window

                Busy Handlers consists of  two numbers.  The first
                 number is the number of handlers that are currently
                 busy handling requests.  The second number is the
                 number of handlers that are available.  New handlers
                 are started when there are no available handlers for a
                 newly arrived request.

                Queued Requests is the number of requests waiting for
                 an available handler.  When the buffers are full, new
                 requests are discarded.

                Maximum handlers is the maximum number of handlers that
                 will be allocated.  You may increase this number while
                 running by pressing the INSERT key.




            Statistics Window

                Total is the total number of requests that have been
                 serviced since TACACS Server was last started.

                Discarded is the number of requests that have been
                 thrown away due to no queue buffers available.  If this
                 is larger consider increasing the number of queues and
                 the number of handlers.  If it continues to be a
                 problem then either the NetWare server is under powered
                 or it is time to add another server running TACACS
                 Server.







                                                                      13






            Online Log

                This window contains the running long.  The information
                 displayed here is identical to the log files contents.
                 You can watch authentication requests as they are
                 received, processed and responded to.



















































                                                                      14







            Options

            TACACS Server has a powerful set of options available.  Any
            of the options can be given in the response file
            (TACACS.RSP) or on the command line during the LOAD. When
            entering parameters do not include [  ].

               /Min=[n]         The initial number of authentication
                                handlers.  Default = 2, Maximum = 64

               /Max=[n]         The maximum number of handlers that will
                                be allocated. Default = 5, Maximum=64

               /M=[n]           Log level. Normal = 1, Warnings only =
                                2, Errors only = 3. Default = 1.

               /User=[text]     The DS user that TACACS Server will use.
                                This username must be the full context
                                name.

               /PW=[text]       Sets the password for the TACACS Server
                                user.  Make sure to keep the response
                                file secure.

               /IP=[ipaddress]  Authorized TACACS client. This may be
                                either of the form 128.98.97.1 for a
                                single station or 128.98.97.255 for a
                                complete subnet. Multiple addresses may
                                be entered with multiple /IPs.

               /AllowNULLPassw  Normally, accounts with no passwords are
               ords             always denied access.  This parameter
                                will enable accounts with no passwords
                                to be used.

               /Shortcut=[NDS   Sets a shortcut (see section for
               context]         details).

               /Log=[path]      Path on server where the log files will
                                be written.  Must be in VOL:PATH\ format
                                (i.e.: SYS:TACACS\LOGS).  Default is
                                SYS:SYSTEM

               /QueueLength=[n  Sets the size of the request queue.
               ]                Default = 20.














                                                                      15







            Tips

                  Whenever in doubt about whether a user is authorized
                    or not, check Effective Rights through either
                    NWAdmin or NetAdmin.

                  If you use shortcuts, ensure that usernames are
                    unique within defined shortcuts. No attempt is made
                    to continue checking other contexts if the first
                    user located with that name fails authentication.

                  TACACS Server will not allow anybody to authenticate
                    with the same user as the server is currently using.

                  In situations where many authentications are being
                    performed from replicas on other servers, to
                    increase performance set the number of handlers to
                    at least 15.

                  If the statistics screen shows that packets are
                    being lost, increase the size of the queue.  50 has
                    been shown to be a good number for heavily loaded
                    servers.


































                                                                      16







            Problems

                  You may see reports about unsupported scrambled
                    passwords (CHAP and ARAP).  If so, you must set your
                    cisco servers to use normal passwords (this is  the
                    default).

                  NDS does not handle low memory situations very well.
                    You may see many failures to authenticate when
                    NetWare runs out of memory.

                  For NetWare 4.1, make sure you're running the latest
                    version of DS.NLM and appropriate patches
                    (41PT*.EXE).  There are many problems with earlier
                    versions of DS.NLM that may cause abends, especially
                    in high load situations.









































                                                                      17







            Technical Support

            Technical support is currently available via email to
            rwagner@tc.umn.edu or through the address and phone number
            given below.

                      Richard Wagner
                      14600 34th Avenue N, Suite 211
                      Plymouth, MN  55447

            You may also reach the author at (612) 559-4591.  Please be
            aware that I have a day job but will return messages
            promptly.











































                                                                      18







            Uninstalling

                  Delete TACACS.NLM, TACACS.RSP, TACACS.LIC and
                    TAC*.LOG from your SYS:SYSTEM directory.  TACACS.LIC
                    may be installed in SYS:ETC instead.



















































                                                                      19
