NavisRadius 4.5.7 Release Notes

Last revised: 02/27/2006

Java Version

NavisRadius version 4.5 requires version 1.4.2 or later of Java. Please see http://java.sun.com to get the latest version of Java. There are minor focus issues in the SMT when using version 1.5 of Java.

Contents

These release notes are intended for NavisRadius 4 programmers and administrators. They cover the following information:

• New Product Features
• Installation and Upgrade Notes
• Operational Notes
• Known Issues
• Contacting Lucent Technical Support

These release notes supercede all other user documentation for the NavisRadius 4 product. Periodically check the release notes for the latest information. Click Release Notes under the Documentation menu while visiting http://www.lucentradius.com/.

New Product Features

NavisRadius 4.5.7 includes the following new features:

• The ReadHlrAuth plug-in has a new property: ReadHlrAuth-FlattenVectors, which allows more convenient generation of authentication vectors for the AuthEapSim and AuthEapAka plug-ins.

NavisRadius 4.5.6 includes the following new features:

• The USDS sample policy flow was updated.

NavisRadius 4.5.5 includes the following new features:

• Add support for setting traffic class (TOS, or type-of-service) on all sockets used for RADIUS I/O. Note: on some windows platforms the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableUserTOSSetting must be added as a REG_DWORD with a value of 0 in order for this feature to work. A reboot is required.

NavisRadius 4.5.4 includes the following new features:

• Complies with TIA/EIA/IS-835-C. A simple sample has been included.
• Access to RSA SecureID is now available on all platforms through the new plug-in AuthRsaAce. Supported in the PolicyAssistant.

NavisRadius 4.5.3 includes the following new features:

• No new major features.

NavisRadius 4.5.2 includes the following new features:

• AKA authentication is now supported through the new experimental AuthEapAka plug-in.
• AuthHttpDigest plug-in in no longer considered experimental.

NavisRadius 4.5.1 includes the following new features:

• SIM authentication is now supported through the new AuthEapSim plug-in.
• Reading HLR data through an Ulticom MAP gateway is now supported through the ReadMapGateway plug-in.

NavisRadius 4.5.0 includes the following new features:

• SSL support has been added to the Ldap plug-in for secure communications with an LDAP server.
• Support RFC 3576.
• The SMT supports stopping/clearing an active USS session.
• Improve compliance with RFC 3579.
• Add 3GPP VSAs 12-19 to the dictionary.
• Add the Address plug-in, a simple IP address pool manager.
• USS: Add trigger support to allow execution of arbitrary actions on USS state transitions, and missed events .
• Support draft-sterman-aaa-sip-04.txt.
• Logging: Remove the confusing use of the 'OFF' log level. Add levels 'ALWAYS' and 'NEVER' to be used by log generators WriteLog and Return.
• QueryUss experimental plug-in added. This allows the USS to be queried for entries given an index value, rather than the primary key.

NavisRadius 4.4.4 includes the following new feature:

• Platform specific options can be specified in the nrexec.cfg file. Embedded comments in the file give more information.

NavisRadius 4.4.3 includes the following new features:

• An optional map, specified by client and server properties 'Wire_Decode_Map', allows special processing of the request attributes before the standard packet variable group augmentation takes place. If the map is not specified, the entire decoded RADIUS packet is placed in the request variable group. The syntax of this map is like the Radius plug-in Radius-ReplyMap method property.
• A safety check to prevent setting the number of engine threads higher than 50 has been added.

NavisRadius 4.4.2 includes the following new features:

• An improved and clarified tunnel/transport UI in the SMT PolicyAssistant wizard.

NavisRadius 4.4.1 includes the following new features:

• A command servlet has been added to allow injection of admin interface commands and options from a form using the internal NavisRadius web server.

NavisRadius 4.4.0 includes the following new features:

• Complies with TR45 cdma2000 Wireless IP Network Standard PN-3-4732-RV2 (to be published as TIA/EIA/IS-835-B).
• CIDR and HASHCODE modes in Branch, ReadDelimitedText, and ReadColumnarText plug-ins. CIDR mode allows selection based on an IPv4 address search key. HASHCODE mode allows selection based on a hashcode of the search key. These features were added to assist in dynamic home agent selection. For more information, see the plug-in documentation for these plug-ins.
• New dictionary types for 3GPP2 vendor specific attributes. There are a number of attributes defined for vendor code 5535 (3GPP2) that require special dictionary types. The following new dictionary types were added to NavisRadius 4.4 to support 3GPP2 attributes: byte, byte-enumeration, cdma-group, cdma-accounting-container, cdma-service-profile, ip-address, and short-enumeration.
• The Admin Interface available through telnet has been reorganized. Many commands have been changed to be be more regular in syntax. See Admin Command Migration for more details.
• ReadDns and UpdateDns plug-ins. In order to support IP Reachability requirements of IS-835-B, the UpdateDns plug-in was added to NavisRadius. The UpdateDns plug-in allows NavisRadius to add and delete DNS records for mobile nodes. The ReadDns plug-in is not required for IS-835-B but was added for completeness. The ReadDns plug-in allows records to be read from a DNS server. For more information, see the plug-in documentation for each of the plug-ins.
• ReadCachedKey plug-in. The ReadCachedKey plug-in was added to support dynamic key generation for use in establishing security associations between Foreign and Home Agents. Keys have a configurable lifetime. This lifetime is used to determine how long they should be maintained in memory. For more information, see the plug-in documentation.
• ReadSecureRandom plug-in. The ReadSecureRandom plug-in was added to support dynamic key generation. This plug-in could be used if the ReadCachedKey plug-in does not meet the needs of PolicyFlow. For more information see the plug-in documentation.
• IS-835-B Sample. An IS-835-B sample is provided in the samples directory in the is835b folder.
• Add security and system variable groups to maps. The security map allows one to retrieve entries in the security_properties without hard-coding it in the policy flow. The system map allows access to JVM system properties.
• The server propertyLog_By_Item has been added. It defaults to TRUE, the old behavior, but if disabled, log messages are not accumulated by transaction.
• Add the ability to visually graph policy flows. Requires a third party program, GraphViz, which is available for free from AT&T.
• PolicyAssistant: Make Database Accounting Schema selectable. This allows one to use the improved schema without using the embedded database.
• Add a Certificate tool to the SMT. This allows the creation of self-signed certificates, or building a request for another certificate authority.
• Log rules support simultaneously an area condition and a variable expression condition. The previous versions would only allow one or the other in a log rule.
• Support for IS-878 for the RAN/RNC A12 interface in 3G/1XEV-DO mobile communications. Added two new dictionary attribute modifiers, "ToMnId" and "FromMnId," to use in mapping variables. Added a new value type, mn-id, for use in the NavisRadius dictionary to allow automatic conversion from a BCD formatted value and a simple string of decimal digits. Added the attribute 3GPP2-HRPD-Access-Authentication to the dictionary as a VSA for vendor 3GPP2.

NavisRadius 4.3.10 includes the following new features:

• Plug-ins which require certficates in their configuration can now read PKCS#7 formatted certificate files. These include AuthEapTls, AuthEapTtls, and AuthEapPeap.
• A new Admin Interface command, 'cache dump'is available. This splits functionality from the cache list command which used to output a full dump for a single item, and a summary for multiple items. The current release has 'cache list' always output a summary, while 'cache dump' always outputs a complete entry dump.
• The overhead associated with server monitoring has been reduced in this release. This would affect people using the SMT server statistics panel, or the 'cache list' command, or the 'stats' command.

NavisRadius 4.3.9 includes the following new features:

• nrcert now has the ability to create root, server, and client certificates. Run 'nrcert -gui' to access the expanded tool.
• Ldap plug-in adds the ability to access normally non-retrieved fields for the read and search operations.

NavisRadius 4.3.8 includes the following new features:

• Data writen to the cache by the WriteCache plug-in can persist across server restarts.
• Client properties are now available to independently specify which dictionary to use for either AUTH or ACCT methods.
• The Return plug-in now supports the ability to specify which log channel to send its log message.
• The WriteMail plug-in can send mail to multiple recipients.

NavisRadius 4.3.7 includes no new features.

NavisRadius 4.3.6 includes the following new features:

• NavisRadius is now supported on the Windows Server 2003 platform.
• Setup in directory with ! in path is now disallowed. The setup program will no longer allow NavisRadius to be installed in a directory with an ! in the path name. This works around intractable problems in Java XML libraries.
• Binary data in LDAP entries. The Ldap plug-in now supports attributes in the LDAP server that are binary format.
• AttributeFilter plug-in Minimum Length. The AttributeFilter plug-in now supports checking for a minium length. Please see the on-line help in the SMT for more infomation on the AttributeFilter-MinLength plug-in property.
• nrtest prompt support. The prompt feature of nrtest now supports quoting and escaping. Enter "" to send empty for a prompted attribute or just enter to skip the attribute.
• Support for selecting java to use. You can now specify the java version to use in the nrexec.cfg file for starting all NavisRadius programs and on the nr and nrexec commands.
• HA-USS RMI Timeout support. The amount of time to wait while replicating a block of entries to a remote StateServer is now configurable.

NavisRadius 4.3.5 includes no new features.

NavisRadius 4.3.4 includes no new features.

NavisRadius 4.3.3 includes the following new features:

• The EapNotification plug-in is now available. This plug-in allows one to send a textual message to an EAP client and wait for the EAP client to acknowledge that message.
• The AuthNt plug-in now support auto-detection of the NT server for a configured domain. The method property AuthNt-LookupServer allows the configuration of whether the plug-in will attempt to detect the global group, local group, and RAS server based on the domain specified.

NavisRadius 4.3.2 includes the following new features:

• Support for MS-ChapV2 in AuthNt

NavisRadius 4.3.0 includes the following new features:

• Supports Windows XP. For further platform support information, refer to the NavisRadius Quick Start guide and the Installation and Upgrade Notes section of these release notes.
• New plug-ins provide added functionality.NavisRadius has the following new plug-ins:
• • AuthEapMsChapV2—Authenticates users using EAP-MS-CHAP-V2.
  • AuthEapPeap—Authenticates users using EAP-PEAP (Protected EAP).
  • AuthEapTtls—Authenticates users using EAP-TTLS (Tunneled-TLS).
  • CheckX509Crl—Checks the serial number of a X.509 certificate in a CRL.
  • Ldap—Replaces the ReadLdap plug-in and provides additional functionality for interacting with an LDAP server.
  • WriteMail—Creates, formats, and sends and Email message.
  • WriteSnmpTrap—Sends an SNMP version 1 trap.
  • WriteSyslog—Writes messages to a syslog server.
  • WriteUmtsCdr—Writes records to a file using Abstract Syntax Notation and encodes the records using Basic Encoding Rules to support UMTS billing.
• Existing plug-ins have been improved. Many of the NavisRadius plug-ins have been enhanced to provide support for AAA advancements. These plug-ins include:
• • AuthEapTls—Method properties can now be specified dynamically.
  • AuthLocal—Now supports MS-CHAP (version 2) user authentication.
  • AuthNative—Added support as an accounting method type.
  • AuthSecurId—Supports version 5 of the RSA SecurID system with ACE/Server.
  • Classic—Method properties can now be specified dynamically.
  • Dhcp—New method properties enable use of arbitrary DHCP options. Refer to the Operational Notes section below for further information.
  • Jdbc—New method properties to support username and password for connection to a JDBC database.
  • PatternMatch—Now supports multiple search modes (Key, Glob, and Regex) and branching.
• The PolicyAssistant has been enhanced. The improvements include:
• • Can now install the PolicyAssistant from a command line.
  • Now supports EAP authentication.
  • Redesign improves usability.
• Client MIB support. NavisRadius now supports the RADIUS client MIBs (RFC 2618 and 2620).
• New control property supports EAP authentication plug-ins. Use the Method-On-Eap-Nak control property to specify the next method in the PolicyFlow if the NavisRadius server receives a NAK in an EAP-Message attribute.
  If Method-On-Eap-Nak is not specified and the server receives an EAP-Message containing a NAK, the EAP authentication plug-in follows the Method-On-Error path.
  The EAP authentication plug-ins are:
  • AuthEapLeap
  • AuthEapMd5
  • AuthEapMsChapV2
  • AuthEapPeap
  • AuthEapTls
  • AuthEapTtls

NavisRadius 4.2.10 includes no new features.

NavisRadius 4.2.9 includes the following new features:

• The AuthEapLeap now provides the ability to authenticate users stored in the Windows NT DOMAIN or Windows 2000 Active Directory. For more information, refer to the plug-in online Help topic in the Server Management Tool.

NavisRadius 4.2.8 includes no new features.

NavisRadius 4.2.7 includes no new features.

NavisRadius 4.2.6 includes the following new features:

• The Radius plug-in now provides the ability to return a failure message. The Radius plug-in now supports the Method-On-Failure control property. Set the Radius-InauthenticFailure method property to TRUE to follow Method-On-Failure. If the server receives an inauthentic response packet and does not receive an authentic response before the timeout, the server follows Method-On-Failure. For more information, refer to the plug-in online Help topic in the Server Management Tool.

NavisRadius 4.2.5 includes the following new features:

• The WriteSyslog plug-in now provides the ability to send messages to a syslog server. For more information, refer to the plug-in online Help topic in the Server Management Tool.

NavisRadius 4.2.4 includes no new features.

NavisRadius 4.2.3 includes no new features.

NavisRadius 4.2.2 includes the following new features:

• The WriteFixedFile plug-in now provides the ability to specify a padding character. The WriteFixedFile plug-in writes accounting records to a file with a constant record length, defined by the value you assign to the WriteFixedFile-RecordLength method property. Prior to this release, the null character (ASCII 0) was added to records that were shorter than the desired record length. Adding characters to a record is called "padding" and helps to ensure that all records are the same length. Use the WriteFixedFile-FillCharacter to specify the padding character.
• The EAP plug-ins now return an error message for unsupported EAP requests. The EAP plug-ins (AuthEapLeap, AuthEapMd5, AuthEapTls) now return an error message when they receive a negative acknowledgement to EAP requests that they do not support.

NavisRadius 4.2.1 includes the following new features:

• Enables the detection of compromised X.509 certificates. The following values (Serial-Number, Subject-DN, and Issuer-DN) passed in an X.509 certificate can be used to check the validity of a X.509 certificate upon receipt. Use the AuthEapTls-CertificateMap method property to specify an association between certificate values (Serial-Number, Subject-DN, Issuer-DN, Not-After,
  Not-Before, Sig-Alg-Name, and Sig-Alg-OID) and NavisRadius variables.
• Proxy EAP-MD5 authentication attributes as CHAP. The AuthEapMd5 plug-in can now proxy certain attributes of EAP-MD5 messages as CHAP attributes. Use the AuthEapMd5-ChapMode method property to specify the conversion of the identifier, response and challenge values into CHAP attributes.

NavisRadius 4.2.0 includes the following new features:

• Improved Universal State Server. The StateLimits plug-in and the Universal State Server (USS) have been replaced with the StateClient and StateServer plug-ins. The USS is now part of the NavisRadius server, it is not a stand-alone server.
• New certificate request tool for EAP support. In addition to the AuthEapTls plug-in, NavisRadius now provides a command line tool that generates a key pair and a PKCS#10 certificate request. Most Certificate Authorities accept PKCS#10 certificate requests for X.509 certificates.
• Supports Cisco's proprietary EAP extension—LEAP. In addition to the new AuthEapLeap plug-in, the NavisRadius server can now correctly proxy Cisco attribute value pairs (AVPs) that contain LEAP session information.
• New plug-ins provide added functionality. NavisRadius has new plug-ins to provide broad EAP support, enhanced state server performance, and other features. The new plug-ins include:
• • Cipher—Encrypts or decrypts data using a Java Cryptography Extension (JCE) 1.2.1 Provider.
  • Continue—Provides a means for the NavisRadius server to maintain information about an Access-Accept.
  • AuthEapLeap—Enables authentication of users requesting network access through a Cisco Aironet access point.
  • AuthEapMd5—Provides support for EAP MD5 challenge.
  • AuthEapTls—Provides support for EAP-TLS as defined by the Internet RFC 2716.
  • EapIdentity—Retrieves EAP identity of a user from an authenticating peer.
  • ReadPropertyFile—Maps values read as properties in a file.
  • StateClient—Forwards authentication and accounting requests to a remote state server and processes the response.
  • StateServer—Interacts with the internal NavisRadius Universal State Server.
  
  
• Extend support for the MS-CHAP protocol. NavisRadius 4.2 provides support for the MS-CHAP protocol in the AuthLocal and AuthNt plug-ins and through the RADIUS TestClient. Currently RadiusClient supports both MS-CHAP version 1 and version 2. The plug-ins only support version 1. For more information on MS-CHAP and MS-CHAP-PPE-Keys see: http://www.ietf.org/rfc/rfc2548.txt
• New XML Dictionary format. NavisRadius 4.2 introduces a new dictionary based on XML. The new dictionary supports 64-bit integer and IPv6 address data types and signed-integer and signed-long value types. You can now edit the NavisRadius Dictionary through the Server Management Tool. The RADIUS Dictionary panel provides a table to edit the Vendor and attribute lists.
• Enhanced usability for the SMT. The Server Management Tool (SMT) has been enhanced for usability and to address significant changes to the NavisRadius architecture. Refer to the NavisRadius 4.2 Addendum for more information.
• Existing plug-ins have been improved. Many of the NavisRadius plug-ins have been enhanced to provide support for AAA advancements. These plug-ins include:
• • AuthNt—Supports MS-CHAP user authentication.
  • AuthSecurId—The new method property, AuthSecurId-Option provides the ability to map the user's shell to a variable as returned from the SecurId server.
  • Dhcp—Supports DHCP option 118 to set the pool subnet and verifies access to UDP port 67 at server initialization.
  • Jdbc—The Jdbc-URL and Jdbc-Driver method properties can be specified dynamically.

Installation and Upgrade Notes

This section describes installation and upgrade notes applicable to this version of NavisRadius. For more information about installing the product, supported platforms, and supported Java environments, refer to the NavisRadius Quick Start guide.

• NavisRadius requires the Java Runtime Environment v1.4. NavisRadius requires the Java Runtime Environment or the Java Developer Kit. For more information about platform support, refer to the NavisRadius Quick Start guide.
• Upgrading NavisRadius from 4.1.x? PolicyFlows that access the Universal State Server (USS) require a manual upgrade. All existing PolicyFlows (except PolicyAssistant generated PolicyFlows) that access the USS must be manually upgraded to use one of the plug-ins introduced with release 4.2.0: StateClient or StateServer. Contact your technical support representative for further information.

Operational Notes

This section describes the following topics that are applicable to the NavisRadius product.

Accessing the NavisRadius 4 User Documentation Online

The NavisRadius product provides the following user documentation:

• NavisRadius 4.3 Quick Start Guide
• NavisRadius 4.3 Addendum
• NavisRadius 4.3, Using the PolicyAssistant and Server Management Tool: A Guide to Configuring and Managing NavisRadius
• Context sensitive Help for most Server Management Tool (SMT) panels
• Embedded Help for the plug-ins and log channels through the SMT

The manuals can be accessed through the installed product. The manuals use Adobe's PDF format and require the Adobe Acrobat Reader. Click the link on the NavisRadius Web site to download the latest Acrobat Reader.

Access the SMT online Help by selecting Help Contents from the Help menu.

All NavisRadius documentation is available from our product Web site.

Operational Notes

This section covers operational notes that are applicable to NavisRadius 4.4.x:

• AI commands have been renamed as follows:
  • reload -> file reload
  • view -> file view
  • files -> file reload
  • log files -> file open
  • log close -> file close
  • log delete -> file delete
  • log rename -> file rename
  • file list (new command)
  • log areas -> logrule areas
  • log add -> logrule add
  • log ins -> logrule insert
  • log del -> logrule delete
  • log move -> logrule move
  • log swap -> logrule swap
  • log clear -> logrule clear
  • log list -> logrule list
  • log load -> logrule load
  • log save -> logrule save
  • sinfo -> session info
  • codes -> session codes on
  • nocodes -> session codes off
  • echo -> session echo on
  • noecho -> session echo off
  • keys -> state keys
  • subkeys -> state subkeys
  • index -> state index
  • diag -> state diag
  • list -> state list
  • fastlist -> state fastlist
  • statestats -> state stats
  • repl -> state repl
  • stop -> state stop
  • entry -> state entry
  • counts -> state counts
  • shutdown -> server shutdown
  • property -> server property
  • version -> server version
  • uptime -> server uptime
  • vmstat -> java memory
  • gc -> java gc
  • system -> java properties
  • threads -> java threads
  • java version (new command)
  • sinfo -> session info
  • codes -> session codes on
  • nocodes -> session codes off
  • echo -> session echo on
  • noecho -> session echo off
  • script exec -> session exec
  • hostname -> system hostname
  • hostaddr -> system hostaddr
  • time -> system time
  • date -> system time
  • system version (new command)
  • chrono -> diag chrono
  • fuse -> diag fuse
  • normal -> diag normal
  • queues -> diag queue
  • engine -> diag engine
  • authmethodstats -> diag method stats
  • acctmethodstats -> diag method stats
  • serverstats (deleted)

• To access the CommandServlet post to the URL "/command" on your NavisRadius server's internal web server.   The form passes three options into the servlet:

  1. command_prefix
  2. command
  3. command_suffix

  When the form is posted all three options are combined into a single admin interface command with each part separated by a space.

  Below is an example of use:

          <form ACTION="/command" METHOD="post">
          <input TYPE="hidden" NAME="command_prefix" VALUE="">
          Enter Command:
          <input type="text" name="command" size="60">
          <input TYPE="hidden" NAME="command_suffix" VALUE="">
          <input TYPE="submit" NAME="submit">
          </form>
      

This section covers operational notes that are applicable to NavisRadius 4.3.x:

• In order to support having WriteCache data persists between server runs, the Cache_DataFile server property must be set to a file name to keep the data in. If the file name ends in ".ser" the data in writen as a Java serialized object. Otherwise, it's writen in user file format. In addition, the administrative commands, cache load FILE and cache save FILE have been added.
• Client properties Client-Auth-Dictionary and Client-Acct-Dictionary have been added. These allow one the ability to specify different dictionaries to use for AUTH and ACCT policy flows.
• If LDAP attribute ends in ;binary, the Ldap plug-in will treat as the attributes value as a binary value. For LDAP ADD operation, NavisRadius variables in a map must be of a type that supports getting the data as bytes like Hexed-Opaque. For LDAP READ operation, attribute is mapped to a HexedOpapueValue.

  An example of an LDAP Map using binary data:
  ${objectClass}="person";
${objectClass}="strongAuthenticationUser";
${cn}=${packet.Base-User-Name};
${sn}="add";
${userPassword}=${request.password};
${userCertificate;binary}=${user.certificate};


• When multiple java versions are installed on a computer the version of Java to use can be specified on the command line or in the nrexec.cfg file using the -java option. The -java option is used to point to the directory that contains the java program to use.
• A new property has been added 'StateServer_RmiTimeout', which defaults to 15000 milliseconds. This property configures how long the StateServer will wait when trasfering a block of entries to a remote server. If this time is exceeded the trasfer of the block of entries is cancled.
• The Dhcp plug-in now supports arbitrary DHCP options. Three new method properties have been added to support use of arbitrary DHCP options. Use the Dhcp-OptionDictionary method property to specify the association between RADIUS attributes and DHCP options. Use the Dhcp-RequestMap method property to set options in a DHCP packet and the Dhcp-ReplyMap method property to get options from a DHCP packet.

  The following method properties have been removed: Dhcp-ClassIdentifier, Dhcp-ClientFQDN, Dhcp-HostName, Dhcp-DomainName, and Dhcp-SubnetSelection. However, NavisRadius 4.3 automatically migrates values found in these legacy method properties to the appropriate maps when upgrading from earlier releases of NavisRadius.

• NavisRadius 4.3 provides additional support for the NR-AVPair attribute. Use the NR-AVPair attribute to send and receive configuration AVPs to remote NavisRadius servers. Release 4.2 added support for sending this attribute, release 4.3 now supports receipt and processing of this attribute from a remote State Server.

  The NR-AVPair attribute eliminates the need to forward all attributes in the RADIUS dictionary.

• The PatternMatch plug-in allows jumping to a specific method by the use of the special variable ${goto} in the map for a case. If that case is matched NavisRadius will then goto the method specified. For example: ${goto} := "myMethod" where myMethod is the method to goto.

The following notes are applicable to NavisRadius 4.2.0 and subsequent releases:

• Using the Method-Timeout control property to remove "zombie" threads. As of NavisRadius  4.2, the NavisRadius server uses the Method-Timeout control property (if the plug-in is configured with this property) to create a new worker thread that replaces a blocked thread in a zombie state. When a zombie thread is no longer blocked, the thread removes itself from the queue.
  It is possible for the total number of worker threads to exceed the value of the Engine_Threads property when they are in a zombie state.
  
  The server marks threads as unresponsive or in the zombie state because a method took longer to complete than allowed by the Method-Timeout control property. Use the engine stats command to find the number of threads marked as "zombies." For more information on the engine command, refer to the section "Changes to the Administrator Interface" in the NavisRadius 4.3 Addendum.
• Setting the Server Management Tool to Expert mode. Expert Mode enables the following features:
  • RADIUS Dictionary editor
  • Tail panel (under File Tools)
  • Server Statistics panel displays Authentication and Accounting method statistics
  • User File editor displays DEFAULT entries under a separate tab

  Note: The Tail panel that displays while in Expert Mode provides the ability to tail any of the NavisRadius files. The SMT always provides the ability to tail NavisRadius and Configuration server log files whether in Expert Mode or not. To tail either of these logs, open a log from the Monitoring Tools folder.

  To set the SMT to Expert Mode, select Preferences from the Edit menu. Select Expert Mode from the menu pane, and click Run In Expert Mode. Click Close to activate this feature and close the dialog. Close and reopen the SMT to activate the changes to the navigation pane.

• Using the AuthSecurId plug-in on Windows platforms. The sdconf.rec file must be located in the System32 subdirectory of the Windows install directory. Note: the VAR_ACE environment variable is not used on Windows.
• Using the Dhcp Plug-in. If you plan to use the Dhcp plug-in within a PolicyFlow, do not install the DHCP server and the NavisRadius server on the same machine.
• Using the Calculate Plug-in with Large Numbers. The Calculate plug-in uses signed (twos-complement) 64-bit numbers. Operations using this plug-in can result in values that are inaccurate if greater than 9223372036854775807 or less than -9223372036854775808.
• Using the Universal State Server with a RedBack NAS. RedBack equipment includes a virtual port and session number in the NAS-Port attribute. This causes the USS to create a new resource record for each session number the server receives. If using RedBack equipment, configure the StateServer plug-in to check the Redback-NAS-Real-Port attribute first to create a key for the USS session. For further information, refer to the NavisRadius 4.3 Addendum.
• NavisRadius 4.2 supports NAS-Port normalization for Ascend. NavisRadius supports NAS-Port normalization for the Ascend-Nas-Port-Format of 1_2_3_3.
• NavisRadius supports the (*) value for all selector types. NavisRadius selector types now support a value of (*). Using (*) causes a method select file entry to match all packets and starts PolicyFlow at the specified authentication or accounting method.

  The NavisRadius server determines if a request is an authentication or accounting request using the UDP port on which the server receives the request as opposed to using the code point.

  The (*) entry is always checked after all other entries within the method select file are evaluated. Only one (*) entry can exist in the method select file.

• NavisRadius 4.2 provides support for the NR-AVPair attribute. Use the NR-AVPair attribute to tunnel AVPs to remote NavisRadius servers. Setting
  NR-AVPair to Attribute=value causes the NavisRadius server to create an additional attribute in the packet variable group.

  For example, sending NR-AVPair = "DNIS-Limit=10" to a remote NavisRadius server creates the following on the remote server:
  
  ${request.NR-AVPair} = "DNIS-Limit=10"
  ${packet.DNIS-Limit) = "10"

  The NR-AVPair attribute is useful to send configuration information to a remote State Server as it eliminates the need to have all the attributes forwarded in the RADIUS dictionary.

Known Issues

This section describes known issues with NavisRadius 4.3.x:

• The NavisRadius server can unexpectedly terminate when running on Micrsoft Windows 2003 server.
• The NavisRadius server will not run from a directory with an ! in the path name. The setup program will no alonger allow the software to be installed in a directory that has an ! in the path name.
• The data file created by the "state save" admin interface command from version 4.3.0 and later is not compatiable with the file created by NavisRadius versions 4.3.4 and 4.3.5. All other versions of the data file from NavisRadius versions 4.3.0 and later are compatiable and can be used to preserve state when upgrading.
• When using the Japanese version of the SMT, Japanese characters do not print. Printing to either a PDF or HTML file does not work when printing from the Japanese version. You can only print directly to the printer or view a print preview. This issue is also present in the Japanese version 4.2.0 release.
• The Sybase database, included in previous releases of NavisRadius has been replaced with an embeded database inside the NavisRadius server. JDBC drivers for the new database are included in the lib subdirectory of the NavisRadius install.

  Note for administrators upgrading to 4.3 who wish to continue to use the Sybase database you must install over the top of an existing NavisRadius install and the previous database files will not be deleted.

Contacting Lucent Technical Support

To contact us for technical support, select the right support channel for you.

• Support Channel 1: If you have purchased a NavisRadius support contract, contact Lucent Technologies World-Wide Services (LWS):
  • Customers in the USA and Canada, call 1-866-LUCENT8, Prompt 3
  • Customers in other international locations, call +1-510-747-2000 or
    +1-410-381-3484
  • Lucent Online Customer Support Web Site: http://www.lucent.com/support/
  • Send questions to: access@lucent.com

  If you are a first time LWS support user or if you have not yet registered your NavisRadius service contract, follow the registration instructions at http://www.lucent.com/support/howtoreg.html to register.

• Support Channel 2: If you have purchased NavisRadius within the last 90 days, you can contact Lucent Technologies World-Wide Services (LWS) for email support:

  Send questions to: access@lucent.com

  If you are a first time LWS support user OR if you have not yet registered your NavisRadius service contract, contact LWS.

• Support Channel 3: If you are evaluating NavisRadius for purchase or if you need sales information, or if you need technical support but do not have a support contract, or if you have any other questions, contact us for:
  
  
  • Technical support questions, review the NavisRadius Discussion Forum:
    http://www.lucentradius.com/cgi-bin/dcforum/dcboard.cgi
  • Pre-sales product questions, send an email to: tech-sales@lucentradius.com
  • Sales information, send an email to: sales@lucentradius.com
  • Queries from Lucent employees, Sales Teams, VARS and Resellers, send an email to: radius-internal@lucentradius.com
  • Other non-technical requests, send an email to:
    tech-sales@lucentradius.com

Copyright and Trademarks
©Copyright 2005 Lucent Technologies Inc. All rights reserved.
Other trademarks, service marks, and trade names mentioned in this publication belong to their respective owners.

Notices

Lucent Technologies Inc., makes no representations or warranties with respect to the contents or use of this publication, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Lucent Technologies Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.