  Using SMS with RADIUS Server 

TUT Systems, Inc    Page 79 of 104    P/N 220-06288-20

If no connect information is provided, connect information defaults to that specified for 
the default group (called “*” or “star”). This information can be specified at the 
SMS2000. If no bandwidth management is specified at the SMS2000, then users without 
“Connect-Info” parameters have no bandwidth limits.

 

 

Using Real IP Addresses 

Subscribers can use real, Internet-routable IP addresses when connected to the SMS2000 
and authenticated via RADIUS. The easiest way to do this is to configure the default 
group with the static IP type in SMS, optionally providing a pool of real IP 
addresses available via DHCP. 
 
If only a few users are going to connect using static IP addresses which are not 
configured via DHCP, while the rest of your users will be NATed, use the 
“Framed-IP-Address” attribute to indicate the expected address in the user’s entry. 
 
If the subscriber’s PC is configured with the given address, then once the subscriber is 
authenticated the SMS2000 passes traffic directly through to the subscriber without 
using NAT. If the subscriber’s PC is configured for DHCP or is configured with the wrong 
IP address, the SMS2000 will NAT the subscriber as normal. 
 
For example: 

    Postel  Password = "Postel"
            Framed-IP-Address = "18.181.0.29"
            Connect-Info = "3000000/1000000"

 
When Postel connects to the SMS2000, he will initially be NATed and redirected to the 
SMS2000’s RADIUS login page. After he authenticates with his user name and password, 
the SMS2000 will check his PC’s IP address against the one returned via RADIUS. If they 
match, the SMS2000 will pass traffic from Postel directly through itself, without using 
NAT. If they don’t, Postel will be NATed. Also note that Postel is limited to 3 Mbps 
upstream and 1 Mbps downstream. The use of static IP addressing is independent of the 
quality of service parameters. The two may or may not be included together in any 
subscriber’s entry. 
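
The decision the SMS2000 makes after a successful RADIUS login, as described above, modelled as an added example (not code from the manual or from TUT Systems). The function names, the dict form of the RADIUS reply, and the reading of Connect-Info as "upstream/downstream" in bits per second (inferred from the Postel entry) are assumptions.

```python
import re
from ipaddress import AddressValueError, IPv4Address
from typing import NamedTuple, Optional


class Limits(NamedTuple):
    upstream_bps: int
    downstream_bps: int


class SessionPolicy(NamedTuple):
    nat: bool                  # True: subscriber is NATed; False: traffic passes directly
    limits: Optional[Limits]   # None: no bandwidth limit applies


def parse_connect_info(value: str) -> Limits:
    """Parse a Connect-Info value such as '3000000/1000000'.

    Assumed format: two decimal integers, upstream then downstream,
    separated by a slash. Anything else is rejected rather than guessed at.
    """
    m = re.fullmatch(r"(\d+)/(\d+)", value.strip(), flags=re.ASCII)
    if m is None:
        raise ValueError(f"malformed Connect-Info: {value!r}")
    return Limits(int(m.group(1)), int(m.group(2)))


def decide(client_ip: str,
           reply: dict,
           default_group_connect_info: Optional[str] = None) -> SessionPolicy:
    """Model the post-authentication outcome for one subscriber.

    client_ip: address the subscriber's PC is actually using.
    reply: attributes returned by RADIUS for the user (hypothetical dict form).
    default_group_connect_info: value set at the SMS2000 for the default
        group ("*"), or None if no bandwidth management is configured there.
    """
    # Bandwidth: the user's own Connect-Info wins, then the default group's,
    # and with neither present the subscriber has no bandwidth limit.
    raw = reply.get("Connect-Info") or default_group_connect_info
    limits = parse_connect_info(raw) if raw else None

    # NAT: bypassed only when the PC's address equals Framed-IP-Address.
    # A PC on DHCP, a wrong static address, or a missing attribute all
    # leave the subscriber NATed as normal.
    nat = True
    framed = reply.get("Framed-IP-Address")
    if framed:
        try:
            nat = IPv4Address(client_ip) != IPv4Address(framed)
        except AddressValueError:
            nat = True  # unparsable address: keep the safe default
    return SessionPolicy(nat=nat, limits=limits)


# Constructed sample mirroring the Postel entry above.
POSTEL_REPLY = {
    "Framed-IP-Address": "18.181.0.29",
    "Connect-Info": "3000000/1000000",
}

if __name__ == "__main__":
    for ip in ("18.181.0.29", "192.168.1.10"):
        print(ip, decide(ip, POSTEL_REPLY))
```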
 

RADIUS Ports 

 

The official assigned RADIUS ports are 1812 for authentication and 1813 for accounting.  
A typical /etc/services file shows the RADIUS ports this way: 
 

    radius        1812/tcp              # radius
    radius        1812/udp              # radius
    radius-acct   1813/tcp   radacct    # radius Accounting
    radius-acct   1813/udp   radacct    # radius Accounting

 
SMS2.3.5 and earlier used ports 1645 and 1646.  Any SMS that currently has a RADIUS 
server configured will retain ports 1645 and 1646 when upgrading to SMS2.3.6. 
 
By default, any new RADIUS configuration with SMS2.3.6 will use ports 1812 and 
1813, unless the systems administrator specifies another set of ports. 
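
An added check (not from the manual) for the port mismatch an upgrade can leave behind: it parses /etc/services text from the RADIUS server host and compares the UDP entries with the ports the SMS is configured to use. It assumes the RADIUS server takes its listening ports from that file; the function names and the sample file text are constructed.

```python
import re

# Port pairs stated in the manual.
OFFICIAL = {"auth": 1812, "acct": 1813}   # default for new configs in SMS2.3.6
LEGACY = {"auth": 1645, "acct": 1646}     # SMS2.3.5 and earlier, kept on upgrade

# Constructed sample: the /etc/services lines shown above.
SAMPLE_SERVICES = """\
radius        1812/tcp              # radius
radius        1812/udp              # radius
radius-acct   1813/tcp   radacct    # radius Accounting
radius-acct   1813/udp   radacct    # radius Accounting
"""


def parse_services(text):
    """Return {(name, proto): port} for every service name and alias."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(\w+)", fields[1])
        if m is None:
            continue                              # not a port/proto entry
        port, proto = int(m.group(1)), m.group(2).lower()
        for name in [fields[0], *fields[2:]]:     # canonical name plus aliases
            table[(name, proto)] = port
    return table


def check_sms_ports(services_text, sms_auth_port, sms_acct_port):
    """Compare the SMS's configured RADIUS ports with the server host's
    services file. RADIUS runs over UDP, so only the udp entries are checked.
    Returns a list of human-readable findings; an empty list means they agree.
    """
    table = parse_services(services_text)
    findings = []
    checks = (
        ("auth", "radius", sms_auth_port),
        ("acct", "radius-acct", sms_acct_port),
    )
    for role, service, configured in checks:
        expected = table.get((service, "udp"))
        if expected is None:
            findings.append(f"{role}: no {service}/udp entry in services file")
        elif configured != expected:
            note = ""
            if configured == LEGACY[role]:
                note = " (legacy port, retained across an upgrade to SMS2.3.6)"
            findings.append(
                f"{role}: SMS sends to {configured} but server host maps "
                f"{service}/udp to {expected}{note}"
            )
    return findings


if __name__ == "__main__":
    # An SMS upgraded from 2.3.5 against a server on the official ports.
    for finding in check_sms_ports(SAMPLE_SERVICES, 1645, 1646):
        print(finding)
```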

Summary of Contents for SMS2000

Page 1: ...TUT Systems Inc Page 1 of 104 P N 220 06288 20 TUT Systems SMS2000 User Guide ...

Page 2: ...t Linus Torvalds and others Linux GNU General Public License Version 2 June 1991 Copyright 1989 1991 Free Software Foundation Inc Linux kernel src usr src linux drivers net Copyright 1993 United States Government as represented by the Director National Security Agency loadkmap tarcat various fixes Copyright 1998 Enrique Zanardi more v2 various fixes Copyright 1998 Dave Cinege Remaining code Copyri...

Page 3: ...TUT Systems Inc Page 3 of 104 P N 220 06288 20 SMS User s Guide SMS Software Release 2 3 6 ...

Page 4: ...uration 19 Establishing a Connection with the SMS2000 19 Establishing a Connection Via a Serial Interface 19 Establishing a Connection Via Telnet 20 Initial Configuration 22 Changing Your Password 22 Setting the Quick Configuration 22 Disabling Authentication 23 Saving the Configuration 23 Rebooting the System 24 Verifying the Configuration 24 Chapter4 System Administration 25 Configuration E Mail...

Page 5: ... Specialized System Options 33 Defining Ports 34 Setting and Deleting Static Ports 34 Disconnecting a Session on a Port 35 Event Tracking 35 Setting the Syslog Server 35 Displaying Log Messages 35 System Administration Tools 36 Displaying Version Information 36 Exiting the Management Session 36 Rebooting the System 36 Changing a Password 37 Displaying Control Keys 37 SNMP Management 38 SNMP Agent ...

Page 6: ...equest Throttle 49 Setting the HTTP Request Throttle 49 Deleting the HTTP Request Throttle 49 Allow Nets 49 Setting an Allow Net 50 Deleting an Allow Net 51 Automatic Redirection URLs 51 Setting the Automatic Redirection URL 51 Deleting the authok Page 52 Authentication with RADIUS 52 Adding a RADIUS Server 52 Set NAS port type parameter 55 show status radius 56 Testing Authentication on the RADIU...

Page 7: ...ter 11 IP Addressing 69 IP Addressing 69 Plug and Play With NAT 69 Static Routable Addresses 70 DHCP Pools 70 Static Non Routable Addresses 71 IP Multicasting 71 Configuring a Control Network for Additional Client IP Addresses 72 Understanding 1to1 and 1to1 Unique IP Types 72 Configuring IP Types 72 Source Nets 73 Setting a Source Net 73 Deleting a Configured Source Net 73 DHCP 74 Creating DHCP Po...

Page 8: ...E 84 ACK NAK MODE 84 ENQ ACK NAK MODE 85 Chapter 15 Customizing SMS2000 Web Authentication with RADIUS 86 Loading and Deleting Customized Web Pages 86 Files For Groups 86 Loading Web Pages or Files 86 Path Components 87 Image Links 87 Upgrading 88 Deleting Web Pages or Files 88 Customizing Web Pages 88 Preserving the Web Form 88 Size For Web Pages and External Links 89 Web Page Redirection 89 Acti...

Page 9: ...02 Exclusive Remedies 102 Assistance 103 FCC Radio Frequency Interference Statement 103 Electrical Safety Advisory 103 Tut Systems Inc Customer Service Department 103 List of Tables Table 2 1 Documentation Conventions 17 Table 2 2 Cursor Motion Keystrokes 18 Table 5 1 Authentication 45 Table 6 1 Authorization 57 Table 7 1 Accounting 58 Table 8 1 Provisioning 60 Table 9 1 Billing 61 Table 11 1 Stat...

Page 10: ...ence The audience includes Network architects who design Internet services Network administrators who manage networks Network operations center NOC operators who handle subscriber calls and manage customer service related calls Documentation available for this Release The following documentation is available for the SMS2000 and OCS systems SMS2000 Command Reference SMS2000 User s Guide OCS User s ...

Page 11: ...ss netmask or gateway address required That means for example laptops hooked up in hotel rooms by guests need not be reconfigured prior to use Firewall protection Clients attached to the SMS2000 can be protected from many types of Internet hacking by making them invisible from the outside using Network Address Translation NAT Authentication authorization accounting Using the SMS2000 with tradition...

Page 12: ...P passthrough Point to point tunneling protocol can be used by subscribers even if the subscriber s IP address is shared via NAT Service management Service providers can use the OCS to offer multiple custom service levels to entice customers with a diverse set of connectivity needs and demands targeted specifically to individual users and or time periods Reports OCS is equipped with many useful re...

Page 13: ... 20 Subscriber Management Components The SMS2000 can interact with a number of external software and hardware components Figure 1 1 shows the subscriber management components which are described in SMS2000 Tutorials Figure 1 1 Subscriber Management Components ...

Page 14: ...oftware runs on either a Microsoft Windows 2000 Server or on a Linux server It handles authorization authentication accounting provisioning and billing for up to 300 SMS2000s simultaneously OCS is normally deployed in a service provider s data center although it can be placed directly on a property OCS can be configured and managed entirely from any location through its advanced HTML interface usi...

Page 15: ...nagement System PMS The OCS software performs various functions Authenticates and authorizes individual users Manages specific policies for users and properties Handles self subscription allowing users to choose their own service levels Handles credit card billing Stores accounting information Delivers Web content Sends billing information to a hotel PMS connected to an SMS2000 Offers subscribers ...

Page 16: ... Use the CLI to navigate through the system Become familiar with the CLI conventions used in this guide The User Interface The command line interface CLI allows you configure your SMS2000 system The interface looks the same whether you are communicating with the SMS2000 through the console port a modem or a telnet connection Listed below are other things to consider when using the SMS2000 CLI The ...

Page 17: ...g You must use one of the keywords inside the braces The vertical bar separates the choices Note In the above case the keywords are the actual values that you type If they were in italic the words are variables for which you supply the actual values Courier Courier plain shows an example of information displayed on the screen boldface Courier Boldface courier shows an example of information you mu...

Page 18: ...sor Left arrow Moves the cursor back one character Right arrow Moves the cursor forward one character Up arrow Recalls the previous command in the command history Down arrow Recalls the next command in the command history Control A Moves cursor to the first character at the beginning of the line Control B Moves cursor backward to the beginning of the previous word to the first character at the beg...

Page 19: ...32 console port connector on the SMS2000 using the DB 9 RS 232 null modem cable supplied 2 Using Microsoft Windows 95 or later from the Windows task bar click Start 3 From the Start menu select Programs 4 From the Programs menu select the Accessories Communication menu and then select the HyperTerminal folder 5 Click the HyperTerminal icon The Connection Description dialog box displays 6 Enter a n...

Page 20: ...gin Display screen does not appear Make sure that you entered the correct settings Verify that you are using the correct cable and that the cable is not damaged Check that you have good cable connections and connector If you are still unable to view the Login Display screen call your Tut Systems Customer Service representative 4 Log on using the username manager and the password manager Note The p...

Page 21: ...MS2000 from the rest of your network Perform the following steps to gain access to an unconfigured SMS2000 1 From the Windows task bar click Start 2 From the Start menu select Run 3 In the Run dialog box enter Telnet 4 Click OK 5 Click Connect and select Remote System The Connect dialog box displays 6 Enter 35 42 42 42 for the host name Note 35 42 42 42 is the internal factory default IP address f...

Page 22: ...ial configuration password manager after your initial login to the SMS2000 Perform the following steps to change your password 1 At the system prompt enter sms2000 passwd 2 Press Enter 3 Enter your new password 4 Press Enter The system asks you to verify your password 5 Reenter your password 6 Press Enter Note If you forget your password at any time please call your Tut Systems Customer Service re...

Page 23: ...he OCS and as the SMS2000 command prompt Each SMS2000 in a network should have a unique host name Note Host names cannot contain spaces unprintable characters quotation marks or apostrophes To set the system hostname use this command set hostname hostname For example to set the host name of the local system to ParkPlace type sms2000 set hostname ParkPlace Disabling Authentication The command auth ...

Page 24: ...then restart use this command reboot For example to reboot the system type sms2000 reboot Verifying the Configuration 1 Login to the system 2 Ping a known site sms2000 ping www yahoo com 3 Press CTRL C to stop the pinging 4 Ping another known site sms2000 ping www apple com 5 Press CTRL C to stop the pinging If the SMS2000 cannot ping these sites try to ping a known external IP Address check your ...

Page 25: ...he SMS2000 can automatically send an e mail with the new configuration to a specified recipient The set config mail command allows you to specify the recipient Note The SMTP server must be the DNS name or IP address of the destination mail server If the IP address is not provided the server name in the e mail address is used which is normally not the desired behavior To configure the SMS2000 to se...

Page 26: ...settings and mail the SMS2000 configuration to the specified e mail address using the given local email server use this command config mail recipient_e mail SMTP_server For example to override the default configuration e mail settings and send the config e mail to billy chung com using chung com as a valid e mail server that accepts e mail directly from the SMS2000 type sms2000 config mail billy c...

Page 27: ...ng to the system administrator and disables the automatic commitment of commands Note You can determine the state of the autocommit feature by checking its value at the bottom of the show config screen Disabling Automatic Configuration Changes Use the commit noauto command to disable the commit auto command and revert to using commit manually This allows commands that are not already dynamic insta...

Page 28: ...0 up and running and load config to restore the complete old configuration file This minimizes the risk associated with missing a minor configuration parameter when you replace a SMS2000 Note No integrity checking is performed besides checking the file header A corrupt configuration file can be loaded and hang the system To troubleshoot possible system failure use the show startup command To load ...

Page 29: ...n install a mail server that accepts mail from each SMS2000 When a subscriber wants to send mail the SMS2000 can automatically proxy the mail to the ISP s mail server which can then cleanly forward it to its final destination Many SMTP servers do not forward e mail from hosts outside the local network It is recommended that you use a local SMTP server For example if you have a computer with an IP ...

Page 30: ... help subscribers send e mail messages without changing any configuration items on their PCs Configuring NTP The Network Time Protocol NTP server is used to synchronize the clock on the SMS2000 with the true time Using an NTP server ensures that the SMS2000 accurately time stamps data to other servers such as syslog If an NTP server is not configured the SMS2000 like many other devices may experie...

Page 31: ...e undone by exiting without saving Note If a time zone is not set time can be specified based on the local time If a time zone is set the time must be specified in terms of GMT Greenwich Mean Time To set a new time and date use this command set time mm dd cc yy hh mm ss month day hh mm ss year For example to set the time to 9 39 43 PM April 12 2002 type sms2000 set time 04 12 2002 21 39 43 Note Ti...

Page 32: ...igured SNMP server s for the location of a device with the specified MAC address To test if the SMS2000 can perform an SNMP poll of the Expresso GS MDU Chassis and MDU Lites that were last configured and saved use this command snmp poll mac_address This example polls for a subscriber with the specified MAC address If the subscriber is connected to a configured Expresso GS MDU Chassis orMDULite and...

Page 33: ...ctivity with a remote computer By using a host name instead of an IP address ping also verifies that your DNS server is working and properly configured by doing a DNS lookup on the specified host name The ping can be interrupted by pressing CTRL C To test connectivity with a remote computer use this command ping ip_address hostname For example to test connectivity with a computer with an IP addres...

Page 34: ...NMP information which is useful in error situations where addressing information fails when a subscriber is connected bymeans of an Expresso GS MDU Chassis behind a VLAN switch type sms2000 port definition tut Setting and Deleting Static Ports Use the set port command to specify port types for all ports and to set a port or a range of ports as static dynamic or disabled or to delete ports For stat...

Page 35: ...an_id For example to disconnect the subscriber using slot 4 line 1 of the Expresso GS MDU Chassis at 192 168 254 211 type sms2000 disc snmp 192 168 254 211 004 001 Event Tracking Setting the Syslog Server To specify the host to which system log messages are sent or to disable this function use the following command set syslog hostname facility off For example to send diagnostic syslog messages to ...

Page 36: ...version For example to see version information type sms2000 version Exiting the Management Session Use the exit command to exit a management session If you are using telnet SMS2000 terminates the connection If you have made configuration changes during the session SMS2000 prompts you to save the unsaved changes if you do not save them the changes are lost To exit the management session use this co...

Page 37: ...ters in a password that is at least seven characters long The default password is manager You should change the default as soon as possible in order to secure the SMS2000 To change the SMS2000 password use this command passwd For example to set a new password type sms2000 passwd Note No characters are displayed when entering the new password Displaying Control Keys To display a summary of the vali...

Page 38: ...e the SNMP agent type snmp disable To view the SNMP agent status type show snmp status SNMP System Contact To specify the SNMP System Contact type snmp system contact system contact string For example SMS2000 snmp system contact Some Person Note Place the system contact in quotes if it includes spaces To view SNMP System Contact information type SMS000 show snmp system contact SNMP System Location...

Page 39: ...s to a particular Management IP address SMS2000 snmp add community donttell 10 240 1 50 To delete an SNMP community type snmp delete community community name For example SMS2000 snmp delete community donttell To view the SNMP Community configuration type show snmp community To support a community with more than one configured management station add it twice SMS2000 snmp add community donttell 10 2...

Page 40: ...he system to a specified address when SMS2000 has a fatal error use this command dump info recipient_ _server recipient_server off For example to configure the e mail address of Tut Systems Technical Support to receive notification of system failures type sms2000 dump info support tutsys com itsmail tutsys com Setting a Software Watchdog Use the set soft watchdog command to enable or disable the s...

Page 41: ...ARP requests are sent type sms2000 set arp fails 10 Setting the ARP Polling Period The SMS2000 uses unsolicited ARP requests to verify client connectivity This allows you to select theminimum polling period and response time in seconds for client ARP requests To set the ARP polling period in seconds type set arp time seconds For example to configure the SMS2000 to wait 10 seconds between intervals...

Page 42: ... is on the Tut Systems web site 7 Log in to the SMS2000 and type in the load sys command that you obtained from the Tut Systems website Downloading the SMS2000 Firmware from the Tut Systems Website 1 Go to the Tut Systems website at http www tutsys com 2 On the Support pull down menu click SMS OCS 3 Click Downloads 4 Enter your Company s name and product serial number as printed on your invoice wh...

Page 43: ...p www tutsys com sms sms 2 3 2b4 bin Loaded Thur Sept 30 11 35 17 2001 sms2000 3 Use the show status command to verify that the system is operating normally sms2000 show status If you see connect var run ppctl Connection refused the SMS2000 is not operating normally and the upgrade has failed If for any reason the upgrade is unsuccessful contact your support Representative Returning to an Older Fi...

Page 44: ...f 104 P N 220 06288 20 new firmware because the SMS2000 will not boot the older firmware it will continue to fail to boot the newer firmware upon each subsequent boot attempt Always download the newer firmware again in the event of upgrade problems ...

Page 45: ... rules Table 5 1 shows how authentication is performed with no external server with RADIUS and with the OCS Table 5 1 Authentication Server Functionality With No External Server The SMS2000 has no database capable of authentication however it can be used to authorize machines based on source MAC address sometimes called machine authentication VLAN ID SNMP information IP address or any combination ...

Page 46: ...and delete cmd serv ip_address For example to delete the command server with the IP address 10 228 10 251 use this command sms2000 delete cmd serv 10 228 10 251 Note This is normally not necessary if you use the auth delete web command Authentication Adding the OCS as the Authentication Server Use the auth add web command to configure a Web based authentication server OCS When subscribers connect ...

Page 47: ...donttell cmd serv Note This feature can be used to create an allow net of sites that are accessable without authentication Note A shared secret is similar to a password Deleting an Authentication Server Use the auth delete command to automatically remove an allow net for the IP address of the Web server with a 32 bit subnet mask If the same server is used as theWeb server and the cmd server auth d...

Page 48: ...forcedweb authok_url blockall For example to disable authentication for the current group but send subscribers to the tutsys com page type sms2000 auth off forcedweb http www tutsys com Setting the Authentication Interval Note This is only used when authentication is turned off for the group and forced web is enabled To set the interval used for recurring authentication in minutes use this command...

Page 49: ...equests request_rate For example to enable an HTTP request throttle for each unauthenticated session starting with 10 requests and with requests available to that session at one request per second use sms2000 set http request throttle 10 1 If the subscriber generates 11 HTTP requests in less than one second it is ignored After using all available requests only 1 request per second is handled and a...

Page 50: ...e if an Internet service provider placed a page for a hotel called Central Park Hotel at the following URL http www notarealserver com CentralParkHotel index html And this embedded remote content directly in the page script language JavaScript src http dynamic notasyndicate com newsphoto photo js With the following DNS entries www notarealserver com 192 168 1 1 dynamic notasyndicate com 192 168 25...

Page 51: ...e is also the forcedweb page specified when authentication is off Note The authok URL can include replaceable parameters such as the port id subscriber MAC address and VLAN ID It can include a sequence number and be optionally signed using the sig parameter and either the secret on this command or the secret used previously when adding the OCS Note When using RADIUS authentication with an authok p...

Page 52: ...nects if authentication is off use this command delete authok For example To delete the URL for subscriber access type sms2000 delete authok Authentication with RADIUS Note A RADIUS accounting server must be separately configured if RADIUS accounting is desired Adding a RADIUS Server Use the auth add radius command to configure a RADIUS server as the authentication server for the current group Whe...

Page 53: ...enticate the SMS2000 with a RADIUS server Auth_port Optional TCP UDP UDP port on which to contact the RADIUS server for RADIUS authentication requests Default is 1812 Acct_port Optional TCP UDP port on which to contact the RADIUS server for RADIUS accounting requests Default is 1813 Retrans times Optional parameter indicating the number of retransmissions to a RADIUS server with no response The to...

Page 54: ...nutes disabled Usage Guidelines Note Select a shared secret as you would a password Example This example configures the SMS2000 to authenticate subscribers in the current group using the RADIUS server at 192 168 254 249 sms2000 auth add radius 192 168 254 249 secret donttell retrans 3 retrans primary only 1 timeout 10 deadtime 5 Alias IP address If the RADIUS servers are configured with a virtual ...

Page 55: ...lue of 5 will be used To set the NAS type parameter type Set nas port type integer For example to set the NAS port type to be used for a Wireless network you will enter the following command Set nas port type 19 NAS port type values are specified in RFC2865 section 5 1 They are 0 Async 1 Sync 2 ISDN Sync 3 ISDN Async V 120 4 ISDN Async V 110 5 Virtual 6 PIAFS 7 HDLC Clear Channel 8 X 25 9 X 75 10 ...

Page 56: ...er Name bob Password Note A RADIUS authentication server must already be active for this command to work Configuring a RADIUS SSL Back Channel To configure a RADIUS SSL back channel so that passwords from subscribers are encrypted when transferred to SMS obtain the tutsystems ssl auth tar gz file and install it and configure it on an SSL capable web server following the instructions in the documen...

Page 57: ...zation Table 6 1 shows how authorization is performed with no external server with RADIUS and with the OCS Table 6 1 Authorization Server Functionality With No External Server No user authentication is possible Groups and rules can be used to authorize subscribers based on their MAC address VLAN ID SNMP information IP address or any combination of these For more information on using groups and rul...

Page 58: ...le UDP transport and depending on network conditions may not be delivered in every case Syslog messages are sent in a similar fashion as standard RADIUS START and STOP messages With RADIUS The SMS2000 sends session information with standard START and STOP records START records are sent upon authorization STOP records are sent when a client is no longer responsive to periodic ARPs sent by the SMS20...

Page 59: ...us radius_server secret secret For example to add 192 168 254 249 as a RADIUS accounting server type sms2000 acct add radius 192 168 254 249 secret donttell Deleting a RADIUS Accounting Server To delete a previously configured RADIUS accounting or syslog server use this command acct delete server For example to delete the previously configured RADIUS accounting server type sms2000 acct delete 192 ...

Page 60: ...nal server with RADIUS with the OCS and internally Table 8 1 Provisioning Server Functionality With No External Server SMS2000 based rules and groups allow you to target services at sets of subscribers For more information on using groups and rules see Chapter 10 Groups and Rules With RADIUS RADIUS may set a user s IP address and traffic shaping parameters The provisioning of user names and servic...

Page 61: ...n on RADIUS see Chapter 13 Using SMS2000 with a RADIUS Server Scenarios for performing these functions in various configurations are described below Table 9 1 shows how billing is performed with no external server with RADIUS and with the OCS Table 9 1 Billing Server Functionality With No External Server Billing must be handled independently With RADIUS The SMS2000 sends RADIUS messages to drive t...

Page 62: ...bers differently depending on the group into which they are placed By default a single group is used for all subscribers but additional groups can be added Group membership controls the following attributes DHCP pool selection Authentication and accounting server selection DNS server for queries Default traffic shaping parameters Groups Many configuration items including authentication type IP typ...

Page 63: ...at Cannot Support Authentication Subscribers who must never be authenticated such as Web servers can be configured in one of the following ways Statically in the SMS2000 using the set port command Dynamically in the OCS using a static IP address service All dynamic ports belong to group by default To set the group on a given dynamic port or range of ports use the set port command Setting Maximum U...

Page 64: ...g a Rule Rules assign a subscriber to a given group Note he OCS also uses these rules to download service offering configurations to the MS2000 To add a rule use this command set rule rule_name groupname priority rule_string For example to provide a user called mary with an address from a DHCP pool type sms2000 group add custdhcp Active group is custdhcp sms2000 auth off sms2000 dhcp pool custnatd...

Page 65: ...e IP address 123 123 123 123 ip 123 123 123 0 255 255 255 0 matches any IP address from 123 123 123 1 to 123 123 123 254 MAC Address Rules can include a single MAC address or a MAC address with some wildcard bytes Every Ethernet card or embedded Ethernet device has a unique MAC address This is normally printed on the material accompanying the device It is also available through the configuration i...

Page 66: ...rt assigned to VLAN id 293 294 295 398 399 400 SNMP INFO When using an Expresso GS MDU Chassis or MDU Lite LR or HR as a wiring solution managers can write rules that apply to users based on their port or to a set of users on a set of ports tut ip_address linenum portnum For example tut 123 123 123 123 001 001 affects any user on slot 1 line 1 of an Expresso GS MDU Chassis or MDU Lite at IP 123 12...

Page 67: ... tut 123 123 123 123 001 001 AND mac 00 11 22 33 44 55 AND ip 123 123 123 5 applies only if a device connects to slot 1 line 1 of an Expresso GS MDU Chassis or MDU Lite at 123 123 123 123 and that device has a MAC of 00 11 22 33 44 55 and that device has an IP of 123 123 123 5 If any one of these is not true then the rule does not apply The OR Operator The OR operator is used to group two or more ...

Page 68: ... running a PC with DHCP and would like to have them receive a real IP address The manager can enter the following commands SMS2000 group add gerstat Active group is gerstat SMS2000 auth off SMS2000 iptype static SMS2000 set rule gerstat5 1 ip 123 123 123 5 and snmp info 123 123 123 123 001 001 SMS2000 set rule gerstat6 1 ip 123 123 123 6 and snmp info 123 123 123 123 001 001 SMS2000 group Active g...

Page 69: ...s The SMS2000 combines several functions of a router DHCP server firewall and network access server as well as new functions into an integrated platform As a result it is possible to create flexible and efficient configurations to deliver networking services The SMS2000 unlike most network devices can treat every client attached to the subscriber side of the network as if it were on a separate LAN...

Page 70: ...o treat each host on the subscriber network as a client For example an Ethernet switch of an Expresso MDU Lite has an SNMP management agent that must be accessed outside of the subscriber network by a static routable IP address In this case the SMS2000 allows an administrator to set up static configurations for given IP addresses No address translation or authentication is performed on static addr...

Page 71: ... No Yes No Yes DHCP Pools No Yes No Yes Fixed No Yes Yes Yes 1to1 Yes No No No 1to1 Unique Yes No No No IP Multicasting Ethernet multicast packets are translated by the SMS2000 before being sent to the subscriber ports The SMS2000 snoops IGMP between a multicast querier such as a multicast router or a content server and hosts The SMS2000 translates Ethernet multicast MAC addresses to unicast MAC a...

Page 72: ... Act DMCA complaints regarding subscribers sharing copyrighted material illegally because they allow you to quickly isolate the specific subscriber illegally sharing the copyrighted material However because complaints may be filed well after a subscriber has disconnected accounting records indicating which subscriber used which IP address at which time must be kept using either Syslog accounting R...

Page 73: ...te The OCS and SMS2000 can work together to provide non NATed service to subscribers who are either assigned a permanent real IP address or given an address from an OCS defined DHCP pool This is NOT the same as the source net feature Use non NATed addresses in cases where the subscriber wants to run a server such as a Web server or use a protocol such as a gaming server that is not NAT friendly Fo...

Page 74: ...reate a dhcp pool called swim, starting at 123.123.123.99 and ending at 123.123.123.136, with a subnet mask 255.255.255.0 and a duration of one day, type: sms2000 dhcp pool swim 123.123.123.99 123.123.123.136 255.255.255.0 lease 1440 Removing a DHCP Assignment To remove a DHCP assignment with a specified hexadecimal MAC address, use the following command: dhcp server release mac_address For example, to r...

Page 75: ... with the IP address 192.168.254.42, type: sms2000 delete dns 192.168.254.42 Note: Because multiple DNS servers can be configured, you must delete each server individually. Static Routes Adding Routes The SMS2000 requires local routes for locally configured interfaces. Use set port to add these routes. The set port command can add a route while configuring the interface and setting up the port. Use the se...

Page 76: ... including the name of the LPR host and the maximum number of pages and bytes allowed per job, use this command: set lpr hostname off queuename maxpages maxbytes For example, to set the printer host to the IP address 10.228.10.233, send all printing jobs to the default queue lp, set the maximum number of pages to 5, and set the maximum number of bytes per job to 20,000,000, type: sms2000 set lpr 10.228.10...

Page 77: ...rt Session Timeout attribute; Support Idle Timeout attribute; Set the NAS type parameter. See Chapter 5 for details on using the auth add radius and set nas port type commands. Configuring RADIUS SMS2000 is designed to operate with standard RADIUS authorization and accounting services. SMS2000 contains a RADIUS client that functions as if the SMS2000 were a dial-in network access server. RADIUS authenti...

Page 78: ...er basis from the RADIUS server is service parameters. Service providers can use service parameters to limit bandwidth utilization based on the subscriber, allowing the ISP to charge different rates for different maximum bandwidths. The SMS2000 uses Connect-Info (id 77) to specify the service parameters for the subscriber connection. The format of the Connect-Info field is identical to the format of the...

Page 79: ...ess, the SMS2000 will NAT the subscriber as normal. For example: Postel Password = "Postel" Framed-IP-Address = "18.181.0.29" Connect-Info = "3000000/1000000" When Postel connects to the SMS2000, he will initially be NAT-ed and redirected to the SMS2000's RADIUS login page. After properly authenticating himself with his user name and password, the SMS2000 will check his PC's IP address against the one returned via ...

Page 80: ...0 Status Attributes and Statistics RADIUS Attributes Sent in Accounting Messages The SMS2000 sends the following attributes in Accounting Start and Accounting Stop records, as noted. The RADIUS server may choose to ignore any or all of these: User-Name (1), NAS-IP-Address (4), NAS-Identifier (32), NAS-Port-Type (61), Tut-Client-IP-Address (1748, 5, ipaddr), Framed-IP-Address (8), Connect-Info (77). If unique source ports a...

Page 81: ...uthentication Because the OCS in some ways manages the SMS2000, there can be only one OCS server configured on the SMS2000, and it must be for the default group. However, a RADIUS authentication server can be added to any group, and the OCS may be on or off for various groups. To configure both RADIUS and the OCS on one SMS2000, enter the following commands: sms2000 auth off sms2000 group add radgroup sms...

Page 82: ...ate bits per second allowed for the subscriber. To set traffic shaping for a group port, use this command: shape xbps rbps For example, port 801 has previously been set to static. This example limits devices on port 801 to 300Kb/s downstream and 200Kb/s upstream: sms2000 shape 300000 200000 port 801 Unless otherwise specified, all subscribers are limited to 400Kb/s both upstream and downstream: sms2000 sh...

Page 83: ...ut there are two circumstances that require setting one or more parameters at the SMS2000. When configured for PMS, the SMS2000 uses its second com port to send billing information to the PMS. To test the second SMS2000 com port without using other equipment, enter the set pms server command with mode tty and tty_debug on. Then reboot the SMS2000. A message is printed using the serial mode you specified...

Page 84: ... \r\n PMS does not reply. \r is the C program escape for CR (Carriage Return), which is ASCII code 13 (0x0D). \n is the C program escape for LF (Line Feed), which is ASCII code 10 (0x0A). SMS indicates that the SMS2000 sends this message. It is not a part of the message. The message format is based on the interface type. The format is slightly different for standard HOBIC as compared to GEAC. ACK/NAK MODE In ACK/NAK ...

Page 85: ...y tries, the SMS2000 gives up on this message and logs it as an error in the OCS. Note: There is an optional second bcc character. ENQ/ACK/NAK MODE ENQ/ACK/NAK mode provides reliable message delivery. It is similar to ACK/NAK mode, but there is one additional interaction between the SMS2000 and PMS: SMS: ENQ PMS: ACK SMS: STX This is the first message ETX bcc PMS: ACK SMS: ENQ PMS: ACK SMS: STX This is the secon...

Page 86: ...itself a web-based application. SMS2000 web pages are customized only when using the SMS2000 with a RADIUS server. Loading and Deleting Customized Web Pages Initially, a default directory is created which stores the default set of web pages used by the SMS2000 for authentication, as well as images and other files that make up the default web pages. The default group and any other group added to the SMS...

Page 87: ... DOCUMENT_ROOT directory where web page(s) are normally stored. If you are attempting to load a web page that exists in the DOCUMENT_ROOT directory, include the IP address of the server and the name of the file you want to load. For example, to load a modified version of the authfile.html file, which resides in the DOCUMENT_ROOT directory of a server with the IP address 192.168.254.249, type: sms2000 load...

Page 88: ...ve group. For example, if a group called CUSTNAT is added to the SMS2000 and a customized web page is loaded for this group, a directory named CUSTNAT will be automatically created to hold customized web pages and images for this group. If any of the original links to the images are left in the customized pages, they will be broken, since they are relative links and the images they link to are still loc...

Page 89: ...tive, you can place images on an external server. You must include an allow net for that server. For example, given a web server 192.168.254.249 on which the file corplogo.jpg exists in the DOCUMENT_ROOT directory, you can use the following URL in all of your customized web pages: <IMG SRC="http://192.168.254.249/corplogo.jpg"> Use the following if you run the allow net command: sms2000 set allow net 192.168.2...

Page 90: ...nent foo should be used in the following way: foo This text and link may not appear a href www this modified by active com may not be here a foo These include: ppauth: Include text between tags only if user is authenticated. ppnoauth: Include text between tags only if user is not authenticated. Some components should be used by themselves. For example, a page component bar should be used in the following ...

Page 91: ...ave total access to the proxy server. To implement a wall garden or allow nets for a network requires that the subscribers connect to those locations via the proxy server; it is possible to supply a different wpad.dat proxy configuration file for each group, pointing the walled group to a more restrictive proxy server. Contact Tut Systems for more information. To configure the web proxy auto discovery ...

Page 92: ...ervers configured on subscribers. A subscriber may have a proxy server configured with any IP address, but the TCP port on which her proxy server is configured must be included in the set of ports configured on the SMS by the set proxy ports command. To enable proxy server support, use this command: set proxy server on For example, to enable proxy server support, type: sms2000 set proxy server on Note: Cha...

Page 93: ...connections, use this command: set proxy ports port For example, to add two ports to the set of TCP ports on which the SMS2000 listens for proxy server connections, type: sms2000 set proxy ports 8080 3129 Deleting TCP Proxy Ports To delete TCP ports from the set of TCP ports on which the SMS2000 listens for subscriber proxy connections, use this command: delete proxy ports port For example, to delete two ...

Page 94: ...bling is correct between the SMS2000 and the router. Afterwards, diagnose the physical layer, IP configuration, and routing tables. traceroute external address: Determine location of the bad route. When a subscriber PC is directly connected via x-over Ethernet cable to the subscriber interface of the SMS2000, the front panel LEDs will light on the Subscriber side of the LED panel. Show status ifconfig Chec...

Page 95: ... status for a user with Tut wiring, there should be a line for snmp info nnn nnn nnn nnn xxx xxx. If this is missing, you must configure snmp poll in the SMS2000. If it is there but the value is unknown, the Tut system is not responding to the SMS2000 for the device's MAC address. Verify in Expresso that SNMP is enabled and there is a community name of public with read access of 0.0.0.0. Multiple frames ...

Page 96: ... OCS screens off-line It is possible to reproduce the subscriber experience from any Web browser. This allows the custom screens from the OCS to be tested prior to deploying at a hotel. Open browser with URL: http://ocsipaddress/pp/welcome.php3?host=smshostname&port=portid&seq=1234&sig=1234 Verify that the screens are good ...

Page 97: ...he program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Livingston Enterprises, Inc. Livingston Enterprises, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. This file contains dictionary translations for parsing requests an...

Page 98: ...Idle-Timeout 28 integer ATTRIBUTE Termination-Action 29 integer ATTRIBUTE Called-Station-Id 30 string ATTRIBUTE Calling-Station-Id 31 string ATTRIBUTE NAS-Identifier 32 string ATTRIBUTE Proxy-State 33 string ATTRIBUTE Login-LAT-Service 34 string ATTRIBUTE Login-LAT-Node 35 string ATTRIBUTE Login-LAT-Group 36 string ATTRIBUTE Framed-AppleTalk-Link 37 integer ATTRIBUTE Framed-AppleTalk-Network 38 integer ATTRIBUTE Framed-AppleTalk...

Page 99: ...Types VALUE Acct-Status-Type Start 1 VALUE Acct-Status-Type Stop 2 VALUE Acct-Status-Type Accounting-On 7 VALUE Acct-Status-Type Accounting-Off 8 Accounting Termination Cause VALUE Acct-Terminate-Cause User-Request 1 VALUE Acct-Terminate-Cause Lost-Carrier 2 VALUE Acct-Terminate-Cause Lost-Service 3 VALUE Acct-Terminate-Cause Idle-Timeout 4 VALUE Acct-Terminate-Cause Session-Timeout 5 VALUE Acct-Terminate-Cause Admin-Reset 6 V...

Page 100: ... Address Assigned 255.255.255.255 Prompt Values VALUE Prompt No-Echo 0 VALUE Prompt Echo 1 Tut Vendor Specific Attrs Vendor ID 1748 ATTRIBUTE Tut-Port-Range-Lo 1 integer ATTRIBUTE Tut-Port-Range-Hi 2 integer ATTRIBUTE Tut-Mac-Address 3 string ATTRIBUTE Tut-Configuration-Group 4 string ATTRIBUTE Tut-Client-IP-Address 5 ipaddr ...

Page 101: ...stions on the Tut Systems website at http://www.tutsystems.com Telephone If you are unable to resolve a question or problem, or believe you have defective equipment, contact Tut Systems for customer support as described in your warranty support agreement. United States and Canada: Toll free 800 998 4888, press 2. International Customers: Toll based 925 460 3900, press 2. Equipment Return and Repair If Custom...

Page 102: ...ctions shall be in accordance with those set forth in Tut Systems' Standard Terms and Conditions of Sale. Limitations of Warranty The foregoing warranty shall not apply to defects resulting from abuse, neglect by Buyer, improper installation or application by Buyer, Buyer-supplied software or interfacing, unauthorized modification or misuse, operation outside of the environmental specifications for the p...

Page 103: ...more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. The equipment and the receiver should be connected to outlets on separate circuits. Consult the dealer or an experienced radio/television technician for help. Changes or modifications not expressly approved by the party responsible for compliance could void the user's ...

Page 104: ...ld make their own evaluation to determine the suitability of each product for their specific application. Tut Systems' obligations regarding the use or application of its products shall be limited to those commitments to the purchaser set forth in its Standard Terms and Conditions of Sale for a delivered product ...
