8950 AAA 6.5.2 Release Notes
Last revised: April 5, 2010
Product Name Change
The VitalAAA product has been rebranded as 8950 AAA. The product was also
known as NavisRadius.
Java Version
8950 AAA requires Java 2 Standard Edition (J2SE) version 6.0 (also known as
version 1.6.0) or later to run on all platforms. Both the J2SE JDK and the
JRE are supported. Please see http://java.sun.com to get the latest version of Java.
64-bit Operating Systems
Several of the supported operating systems have 64-bit versions. Currently 8950 AAA has full 64-bit
support on Solaris (both SPARC and x86) and Linux on x64, and partial support on Microsoft Windows.
The following limitations exist when using a 64-bit JVM on an unsupported platform.
- GetPWNam does not work on Unix systems. (Except Solaris and Linux)
- Kill does not work. (Except Solaris, Linux and Windows)
- NT Authentication does not work.
Contents
These release notes are intended for 8950 AAA 6 programmers and administrators. They cover the following information:
These release notes supersede all other included
documentation for the 8950 AAA product. Further information can
be found at http://www.8950aaa.com/.
- The AuthNt plug-in is deprecated. Consider using the Microsoft
  IAS RADIUS server using proxy instead. Similarly, the UseNtAuth properties
  in AuthEapMsChapV2 and AuthEapLeap are deprecated.
8950 AAA 6.5.0 includes the following features:
- Now supports LDAP workflow injection. This allows one to write a policyFlow
  that processes an LDAP request. Possible uses include proxy, and protocol conversion.
- TAL: Support reference indirection. Each addition of a '$' to the
  reference adds a level of indirection. The indirect value may
  either be the full reference, or the id list.
8950 AAA 6.4.0 includes the following features:
- Add a 'binary packing' feature to the USS2, which reduces both the memory footprint and the object count needed to record entries.
- Add a light-weight alert monitoring system that can inform the operator when certain conditions have been exceeded.
  Any variable available through the statistics collector can be monitored this way.
8950 AAA 6.3.0 includes the following features:
- Now supports the 64-bit Java Virtual Machine (JVM) on Linux hosted on AMD/Intel platforms.
- USS2 Resource Broker:
  A major feature was added to the 8950 AAA in 6.3 called the USS2 Resource Broker.
  The Broker is a function that manages allotment of resources to a set of USS2 clients.
  Currently, there are two types of resources that can be managed: prefixes and counter limits.
  As part of this implementation, USS2 will be integrated with the current IPAMv2 to allow USS2 to allocate IP prefixes.
  The USS2 IPAMv2 client allocates "chunks" from the broker
  and the AAA clients subsequently allocate physical prefixes from the USS2 IPAMv2.
- IPAM Configuration Support:
  This feature will allow the customer to configure the current IPAM module within the USS2.
  The goal is to move this functionality from the PolicyServer using LDAP as the update protocol,
  to reside within the Config Server, and to be accessed using either SOAP or the Command Line.
  The support of SOAP within the Config Server requires including our Tomcat feature within this process.
- Diameter State Model For USS2:
  This feature enhances the diameter work flow that is needed for USS2 functionality.
  The primary difference between 'diameter' and 'radius' state models is that unlike 'radius' the 'diameter' model is not driven by accounting events.
  Instead, 'Session-Terminate' and 'Re-Auth' messages are used.
- WiMAX W4.2 Support Ph 1:
  Release 6.3.0 provides improvements to our ALU WiMAX W4 solution to provide basic support for release W4.2 features including roaming and wholesale deployments.
  In addition, our ALU WiMAX W4 solution was redesigned to allow additional flexibility in selecting different policies based on data received in requests.
- WiMAX Assistant for W3:
  This feature will add the functionality in the current 6.2.0 W4 PolicyFlow into the WiMAX Assistant.
  The WiMAX assistant now supports EAP-SIM and EAP-AKA.
- WiMAX migration:
  The purpose of this feature is to automate the migration from our 8950 AAA W3, and W4 Standalone to the new WiMAX Assistant, and migrate W4 Compact WAC solutions to the latest W4 Compact WAC solution. This migration includes multiple property file migration, database schema migration, User Provisioning system migration, and SMT and Setup program UI migration.
- Remote Configuration:
  Release 6.3.0 provides enhancements to the Remote Configuration feature to add the ability to notify slave servers to update their configuration, server startup optimizations, and SMT integration enhancements.
- User Provisioning System:
  Release 6.3.0 provides enhancements to the web-based User Provisioning System to allow better administrative control for User and Device records, and better validation of Users, Devices and Services.
- Motive Integration:
  The Motive Integration Feature will allow Motive Device Provisioning Server and 8950 AAA to work with each other,
  specifically the support of WiMAX Over-The-Air (OTA) Device Management.
  A custom notification protocol will need to be designed and implemented to allow Motive Device Provisioning Server
  to register for network status events for specific WiMAX devices so that these devices can be reconfigured over the air.
  Also required is the provisioning of new WiMAX devices that have not been provisioned along with new subscriber data entered in AAA database by Motive subscription portal.
- USS Trigger Support: Allow per-model trigger handlers.
Plug-in Changes:
- Iterate plug-in: Make the Iterate-Method property optional.
- ReadPropertyFile plug-in: Allow multiple occurrences of the same property.
- ReadUserFile, ReadPropertyFile, ReadStanzaText plug-ins: Add a property 'CacheMap' that allows a hook to manipulate the file data as it is cached for later use.
8950 AAA 6.2.0 includes the following features:
- Diameter can now be transported over SCTP or TLS/SCTP.
- The internal database (Derby) now supports a replicated (redundant)
  deployment model.
- The WiMAX Assistant solution has been added. A solution is a policy
  flow and support GUI for configuration. This solution is intended to
  address the RAN share problem, and to simplify configuration of the older
  W3 policy flow.
- The radius tool has been re-architected to allow better utilization of
  multi-CPU hardware, and to allow alternative authentication types within
  the NasLoad scenario.
8950 AAA 6.1.5 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.4 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.3 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.2 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 1 delivery.
- Remainder of the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.1 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 1 milestone.
- Portions of the WiMAX W4.1 pkg 2 milestone.
- A custom dictionary that will not be over-written during an
  upgrade install.
8950 AAA 6.1.0 includes the following features:
- The WiMAX W4.1 pkg 1 milestone.
- A graphic interface to the WiMAX W3 policy set.
8950 AAA 6.0.0 includes the following features:
- USSv2 now available. This second generation USS supports an active/active
  deployment scenario, and allows multiple instances of the session database.
- Remote Configuration file load available. Allows centralizing of server
  configuration.
- Derby has replaced Hypersonic as the embedded database.
- Tomcat server container technology has been integrated into the
  policy server.
- A web-based user provisioning feature is available.
- The PolicyAssistant now supports a more general rule based policy
  selection phase.
- Alcatel-Lucent WiMAX support is now more fully integrated.
- SMT PolicyFlow editor enhancements.
- SMT->Server and HA-USS replica connections can be secured using TLS.
- SCR-5691: Some RADIUS event and transition counts are not updated appropriately in the USS2 RADIUS state machine group.
- SCR-5702: [Not verified] The Ldap-Refuse-Slow-Search property is not interpreted correctly for some types of indexed searches.
- SCR-5703: [Not verified] History sometimes missing from "uss2 entry dump" output for replication events.
- SCR-5722: Occasional negative number for Inactive count from "uss2 model stats" command.
- USS2 IPAM may fail auth requests if one of the pools in a pool-selector is disabled.
- The left hand side assignment of IP prefixes used during IP Address handover scenarios in USS2 IPAM doesn't work.
- Modified Granularity value not always honored.
- USS2 Radius state model server statistics are not reset by the reset button in the SMT.
- USS2 commands are not available if USS2 is not active.
This initial Diameter release has some limitations that may be removed in
subsequent releases.
- TCP/IP, TLS/TCP/IP are the only transports generally available.
  SCTP/IP and TLS/SCTP/IP are available only on Solaris 10 systems.
  Any of these transports can be run over IPSEC, if available.
- Dynamic peer discovery is not supported.
In versions of VitalAAA (NavisRadius) before 5.0, the StateServer plug-in
automatically copied a few attributes into the USS entry, even if they
were not specified in the requestMap property. In 5.0, in order to
accommodate the new Diameter feature, only entries explicitly in the
requestMap will be copied.
The upgrade process will automatically convert the requestMap if
converting from a pre-5.0 version.
The attributes involved are Acct-Status-Type,
Acct-Session-Id, and Acct-Delay-Time.
- The RADIUS clients file has been renamed
  'radius_clients', and is now in the user file format, rather
  than the traditional columnar format.
- The TACACS+ clients file has been added as
  'tacacsplus_clients', and is in the same format as
  'radius_clients'.
- The admin interface command 'file reload clients' retains the
  ability to read the old format RADIUS clients file
  'clients'.
- The Diameter peers file has been renamed
  'diameter_peers'. This file has always been in the user file
  format.
Before VitalAAA release 5.2.7, the default value used in calculating
MS-CHAP2-Response was ${packet.base-user-name}. This value was fine if
user-name was EXAMPLE\bob but is not okay if user-name is in the form
bob@example.com. Testing with Microsoft IAS RADIUS server showed that
user names with realm must be used 'as is' in calculation of
MS-CHAP2-Response. In VitalAAA release 5.2.7, the default value for
method property AuthLocal-UserName was changed to ${request.user-name}
and AuthLocal-StripMsDomain method property was added to strip DOMAIN\
from the value provided by AuthLocal-UserName. The default for the
AuthLocal-StripMsDomain method property is true. If upgrading to release
5.2.7 breaks existing policies, old behavior can be restored by setting
AuthLocal-UserName to ${packet.base-user-name} and
AuthLocal-StripMsDomain to false. The change in calculating
MS-CHAP2-Response in VitalAAA release 5.2.7 should also match how
FreeRADIUS generates MS-CHAP2-Response when authenticating users.
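The effect of the user name choice can be seen in the ChallengeHash step of RFC 2759, which hashes the user name and feeds the MS-CHAP2-Response calculation. The following is an added example, not code from 8950 AAA: the helper names are hypothetical, the challenges are constructed, and the reading of ${packet.base-user-name} as "no DOMAIN\ and no @realm" is an assumption drawn from the paragraph above.

```python
import hashlib

# Constructed 16-byte challenges for the demonstration (not captured traffic).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def strip_ms_domain(user_name: str) -> str:
    """Remove a leading DOMAIN\\ prefix; an @realm suffix is kept as is."""
    return user_name.rsplit("\\", 1)[-1]


def base_user_name(user_name: str) -> str:
    """Assumed model of ${packet.base-user-name}: no DOMAIN\\ and no @realm."""
    return strip_ms_domain(user_name).split("@", 1)[0]


def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || name)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    return hashlib.sha1(peer + auth + user_name.encode("ascii")).digest()[:8]


def server_agrees(user_name: str, server_name_policy) -> bool:
    """True when the server derives the same ChallengeHash as the client.

    The client side follows what the page reports from IAS testing:
    DOMAIN\\ is dropped, a realm is hashed as part of the name.
    """
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                            strip_ms_domain(user_name))
    server = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                            server_name_policy(user_name))
    return client == server


if __name__ == "__main__":
    for name in ("EXAMPLE\\bob", "bob@example.com"):
        old = server_agrees(name, base_user_name)    # pre-5.2.7 default
        new = server_agrees(name, strip_ms_domain)   # 5.2.7 default
        print(f"{name!r}: pre-5.2.7 agrees={old}, 5.2.7 agrees={new}")
```

A mismatch in this hash means the server's expected MS-CHAP2-Response differs from the one the client sent, so the authentication is rejected even though the password is correct.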