SETTING UP WINDOWS NT NOS AUTHENTICATION

Symptoms: Setting up NT NOS Authentication

  • User cannot be authenticated and is disconnected by the RAS 1500
  • PPP session fails
  • User cannot logon to NT domain
  • Cannot connect to Microsoft Windows NT 4.0 domain
  • Cannot authenticate through an NT domain
  • Cannot log into the Microsoft Windows NT server
  • Unable to logon to domain

Facts:

  • SuperStack II Remote Access System 1500
  • SuperStack 3 Remote Access System 1500
  • Microsoft Windows NT 4.0
  • Remote Authentication
  • NOS
  • Microsoft NT Domain Server
  • Hyperterminal
  • PPP
  • RAS 1500
  • 3C421600a

Fixes: To Configure NOS to use an NT User Database to authenticate the dial-in user, use the following setups:

Configuration of the Windows NT Domain Controller:

1. Install the application provided on the RAS 1500 CD in the client\security\nt directory on the WIN NT Domain Controller.

2. Click “Start > Programs > AccessBuilder WIN NT Security > Enable Authentication”. Follow the directions to turn on the service on the NT Server. This ensures that the service starts every time the machine is rebooted.

3. On the NT Domain Controller:

  • Add the user.
  • Assign the user to the appropriate groups.
  • Ensure that the user is configured to allow dial-in access.
  • Log in on the LAN as this user to confirm that the account exists and works correctly.
  • Reboot the server.

4. Users that are to have remote access rights through the RAS 1500 must also have “logon locally” rights on the Windows NT Server.

  • Log on to the NT Server as Administrator.
  • Open the Administrative Tools Program Group.
  • Double-click the User Manager for Domains Program Group icon.
  • In the User Manager screen, click the single or multiple users you want to assign remote-access rights to.
  • In the User Rights from Policies list, select “logon locally” and “access this computer from the network”.
  • Make sure that the users' passwords are set to never expire.
  • Click OK.

Configuration of the RAS 1500:

1. Make sure that the IP network is configured for the device.

2. Type the following commands at the console:

"set authentication type nos" 
"enable authentication remote"
"set authentication primary_server <domain name or IP address of NOS server>"
"set authentication primary_port 888"
"set authentication primary_secret 3com"
"set ppp receive_authentication pap"
"save all"

3. If the NT NOS Server is on a different subnet, a default gateway must be added on the RAS 1500.

"add ip defaultroute gateway <IP address> metric <metric #>"
"save all"

Type:

"show authentication" 

to verify the configuration of the RAS 1500.

4. Set the time, date and daylight savings time:

  • The time on the NOS authentication server and the RAS 1500 must be within 15 minutes of each other.
  • The GMT offset and daylight saving time settings need to be the same on the NOS authentication server and the RAS 1500. If you change the time on a Windows NT Server, it must be rebooted for the change to take effect.

"set time <13:00:00>"  -- Sets the time. The example shows 1:00 pm.
"set date <dd-mm-yyyy>"  -- Sets the date.
"enable dst"   -- Enables daylight saving time.
"show dst"     -- Shows the current daylight saving time setting.
"set timezone <+/- hour:minute>"   -- Sets the offset from GMT.

For example, to configure for Pacific Standard Time, type “set timezone -8:0”

"save all"

NOTE: To find out what your GMT offset is, click on the clock on the NT server taskbar and then click on the Time Zone tab.
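The 15-minute rule is evaluated in GMT, so two clocks that show nearly the same local time can still fail when their timezone or DST settings differ. The following Python sketch is an added example, not 3Com code; it assumes that an enabled DST setting means the wall clock runs one hour ahead, and all sample values are constructed.

```python
import re
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=15)  # window stated on this page

def parse_offset(text):
    """Parse a 'set timezone' argument such as '-8:0' or '+5:30'."""
    m = re.fullmatch(r"([+-]?)(\d{1,2}):(\d{1,2})", text.strip())
    if not m or int(m.group(3)) > 59:
        raise ValueError(f"not an <+/- hour:minute> offset: {text!r}")
    offset = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    if m.group(1) == "-":
        offset = -offset
    # Range given on this page: -12:00 to +14:00 inclusive.
    if not timedelta(hours=-12) <= offset <= timedelta(hours=14):
        raise ValueError(f"offset out of range: {text!r}")
    return offset

def to_gmt(date, time, tz, dst):
    """Convert a wall clock ('dd-mm-yyyy', 'HH:MM:SS') to GMT.

    Assumption: an enabled DST setting means the wall clock runs one hour ahead.
    """
    local = datetime.strptime(f"{date} {time}", "%d-%m-%Y %H:%M:%S")
    return local - parse_offset(tz) - timedelta(hours=1 if dst else 0)

def clock_skew(ras, server):
    """Absolute GMT difference between two (date, time, tz, dst) tuples."""
    return abs(to_gmt(*ras) - to_gmt(*server))

def within_window(ras, server):
    return clock_skew(ras, server) <= MAX_SKEW

# Constructed sample values, not captured from a real device or server.
RAS_OK      = ("09-04-2021", "13:00:00", "-8:0", True)
SERVER_OK   = ("09-04-2021", "13:10:00", "-8:0", True)
SERVER_DST  = ("09-04-2021", "13:10:00", "-8:0", False)  # DST setting differs
SERVER_EAST = ("09-04-2021", "16:05:00", "-5:0", True)   # other zone, 5 min apart

if __name__ == "__main__":
    for name, srv in [("same settings", SERVER_OK),
                      ("DST mismatch", SERVER_DST),
                      ("different zone", SERVER_EAST)]:
        print(f"{name}: skew={clock_skew(RAS_OK, srv)} ok={within_window(RAS_OK, srv)}")
```

The DST-mismatch case shows wall clocks only ten minutes apart that are 70 minutes apart in GMT, which falls outside the window.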


Notes: The RAS1500 NT Security Client (NOS) is not supported in Windows 2000. CHAP authentication with NT NOS Authentication is not supported. Security-conscious customers will need to secure the Ethernet connection between the RAS 1500 and the PC running the security application to prevent the username and password from being sniffed.

NT NOS Authentication is implemented with the following procedure. When using “1.0.27 35001” software, you will need to set your system time to GMT-4 hours. The 1.5.x and 2.0.x versions of software require you to set your local time, and configure your timezone in hours from GMT. You can tell what version of software you are running from the Command Line Interface (CLI) by issuing the command:

show system 

If you are running any 1.0.x version of software you must set the time on your RAS1500 to the Atlantic time zone in the northern hemisphere winter, and the Eastern time zone in the northern hemisphere summer.

If you are running any version of Superstack II RAS1500 software 1.5.11 or later, then configure the time as follows:

set time <HH:MM:SS>
set timezone <Hours:Minutes> 

Offset from GMT (-12:00 to +14:00 inclusive)

enable dst 

(This enables standard daylight saving time. If your DST rules differ from those of the US, use the SET DST ON command to configure them.)

Execute setup.exe from the client\security\nt directory on the RAS1500 Resource CD while on an NT Server or Workstation.

Click Start > Programs > AccessBuilder WIN NT Security > Enable Authentication. Follow the directions to turn on the service on the NT PC. This ensures that the service starts every time the machine is rebooted.

On the NT Domain Controller, add the user. Assign the user to the appropriate groups. Ensure that the user is configured to allow dial-in access. Log in on the LAN as this user to confirm that the account exists and works.

On the RAS1500, make sure that the IP network has already been configured for the device, either with the command

add ip network ip interface rm0/eth:1 address < Ip_address> 

or in Transcend Remote Access Manager (TRAM) setup wizard.

Type the following commands on the console:

set authentication type nos 
set authentication primary_server < IP address of your NT Workstation with the application loaded> 
set authentication primary_port 888 
set authentication primary_secret 3com 
set ppp receive_authentication pap 
save all 

Type

show authentication

to verify the authentication configuration is correct.

NOTE: You must let your users logon locally to enable the user to use the NT security with RAS1500. As an example for NT server 3.51, follow these steps (if you use NT Server 4.0 these steps should be similar):

Log on to the NT Server as Administrator. Open the Administrative Tools Program Group and double click on the User Manager for Domains Program Group Icon.

The User Manager screen displays. Click whatever single or multiple users you wish to assign remote access rights and pull down User Rights from Policies menu. In the drop down box, select “logon locally” and click OK. Refer to the readme file provided with the Security application if you insist on changing the primary_secret.

NOTE: You must Start and Stop the service to change the password. Do not use Disable/Enable from the task bar.

Novell NOS Authentication

There are some very specific things to keep in mind with Novell NOS authentication in the RAS1500. You MUST load the software application on a Novell server.

The time on the RAS1500 must be within 15 minutes of GMT - 04:00 (for SSII RAS1500 software 1.0.x), and the server must be within 15 minutes of local time, adjusted for daylight saving time if applicable.

If you are running any version of Superstack II RAS1500 software 1.5.11 or later, then configure the time as follows:

set time <HH:MM:SS>
set timezone <Hours:Minutes> 
Offset from GMT (-12:00 to +14:00 inclusive)
enable dst 

(This enables standard daylight saving time. If your DST rules differ from those of the US, use the SET DST ON command to configure them.)

The settings for the user called default will be applied for all NOS authenticated users.

To Configure Novell NOS Authentication:

Get the application from the RAS1500 CD in the client\security\novell directory and copy it to the sys:system directory on the Novell server:

  • For NDS = SNDS.NLM (Version 1.3 or greater)
  • For Bindery = SBINDERY.NLM

Add TCP/IP to the Novell server.

Add the following line under unix services or network service mappings in the SYS:ETC\SERVICES file in the sys:etc directory on the Novell server:

crsecacc 888/udp

On the Novell console enter the following command for NDS systems:

:load snds 3com /c:< context_name> debug 

For bindery systems enter the following line:

:load sbindery < secret_password(key)> 

Note: For bindery servers, add this line to the autoexec.ncf file after TCP/IP is loaded and IP is bound to an interface. For NDS servers, add this line after TCP/IP is loaded, IP is bound to an interface, and LOAD DSAPI. This ensures that the security client starts when the system is rebooted.

Add the user on the Novell system.

On the RAS1500 make sure that the IP network is configured for the device. Type the following commands on the RAS1500 console:

set authentication type nos 
set authentication primary_server < IP address of your Novell Server> 
set authentication primary_port 888 
set authentication primary_secret 3com 
set ppp receive_authentication pap 
save all 

Type show authentication to verify that the RAS1500 holds the settings you intended. You are now configured for Novell NOS Authentication.

Changing the "secret" Encryption Key

For security reasons, the messages communicated between the RAS 1500 and the Novell Security Client are encrypted with an Encryption Key. To change the secret, unload the security client on the Novell server:

UNLOAD SNDS or UNLOAD SBIN “secret”

Then reload the security client on the server with the new secret.

LOAD SNDS “secret_password(key)”/c:“context_name” debug or LOAD SBINDERY “secret_password(key)”

The RAS1500 does NOT support CHAP authentication with Novell NOS Authentication. This means that the password sent by the client to the RAS1500 is not encrypted, while the password sent from the RAS1500 to the Novell Security Client is encrypted as described above.
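An added example (not 3Com code) that cross-checks the RAS 1500 console commands against the Novell server side of this procedure: the crsecacc entry in SYS:ETC\SERVICES and the LOAD line. It assumes the port and secret must be identical on both sides, as the matching values in this procedure imply, and that the secret is the first argument after the module name; the sample input is constructed.

```python
import re

def parse_ras(commands):
    """Collect the settings made by the RAS 1500 console commands on this page."""
    cfg = {"saved": False}
    for line in commands.splitlines():
        words = line.strip().strip('"').split()
        if not words:
            continue
        cfg["saved"] = words == ["save", "all"]  # true only if nothing follows it
        if words[:2] == ["set", "authentication"] and len(words) == 4:
            cfg[words[2]] = words[3]
        elif words[:3] == ["set", "ppp", "receive_authentication"] and len(words) == 4:
            cfg["ppp_auth"] = words[3]
    return cfg

def parse_server(services, load_line):
    """Return (UDP port of crsecacc, secret given to LOAD SNDS / LOAD SBINDERY)."""
    m = re.search(r"^\s*crsecacc\s+(\d+)/udp\b", services, re.MULTILINE)
    words = load_line.lstrip(": ").split()
    secret = words[2] if len(words) >= 3 and words[0].lower() == "load" else None
    return (m.group(1) if m else None), secret

def audit(cfg, port, secret):
    findings = []
    if cfg.get("type") != "nos":
        findings.append("authentication type is not nos")
    if port is None or cfg.get("primary_port") != port:
        findings.append("primary_port does not match the crsecacc UDP port")
    if secret is None or cfg.get("primary_secret") != secret:
        findings.append("primary_secret differs from the secret the NLM was loaded with")
    elif secret == "3com":
        findings.append("secret is still the value printed in the procedure")
    if cfg.get("ppp_auth") != "pap":
        findings.append("receive_authentication is not set to pap")
    if not cfg["saved"]:
        findings.append("last command is not 'save all'")
    return findings

# Constructed sample input, following the command forms on this page.
RAS = """set authentication type nos
set authentication primary_port 888
set authentication primary_secret 3com
"""
SERVICES = "crsecacc 888/udp\n"
LOAD = ":load snds s3cret-example /c:example_context debug"

if __name__ == "__main__":
    print(audit(parse_ras(RAS), *parse_server(SERVICES, LOAD)))
```

The sample reports three findings: the secret was changed on the server but not on the RAS 1500, PAP was never set, and the configuration was not saved.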

In Case of Problems

In case of problems, check:

  • The time settings on the RAS1500 and the Novell or NT Server are within 15 minutes of each other. Understand that the RAS1500 and the Novell or NT Server communicate in GMT time.
  • The timezone is properly configured on the NT Server. NOTE: If you change the time on an NT Server, you must reboot the server for the change to take effect.
  • IP communication between the Novell or NT Server and the RAS1500, using “ping”.


  • Product(s): SuperStack II Remote Access System 1500, SuperStack 3 Remote Access System 1500
  • Sub Product(s): None set

David Gonzalez 2021/04/09 10:36

3com/ras1500/configuration/setting_up_windows_nt_nos_authentication.txt · Last modified: 2021/04/09 10:45 by dgonzalez
