This chapter describes how to configure the PortMaster user table to support dial-in connections. The user table settings define how each dial-in user is authenticated and how dial-in connections are made.
To configure network dial-in connections from other routers, you must define each remote router as a user on the PortMaster.
If you are using RADIUS, you must configure user attributes in individual user files in the RADIUS user database rather than in the PortMaster user table. Refer to the RADIUS Administrator's Guide for more information.
This chapter discusses the following topics:
This section describes how to display user information and how to add users to or delete them from the user table.
You can display the current users in the user table or the complete configuration information for a specified user.
To display the current users in the user table, use the following command:
Table 7-1 shows an example display.
To display configuration information for a user, use the following command:
Table 7-2 shows the configuration information for user marie.
You must add users to the user table before configuring any settings for them. The username is a string of 1 to 8 printable, nonspace ASCII characters. The optional user password is a string of 0 to 16 printable ASCII characters. You cannot add users with blank usernames.
To add a login user to the user table, use the following command:
To add a network user to the user table, use the following command:
Note: To add a network user, you must use the netuser keyword. Thereafter, you can use either the netuser or the user keyword to configure settings for the network user. You must always use the user keyword when configuring login users.
To delete a user from the user table, use the following command:
User settings define the nature and behavior of dial-in users. The user table contains entries for each defined dial-in user along with the characteristics for the user.
The user table provides login security for users to establish login sessions or network dial-in connections. If you want to allow a network dial-in connection from another router, the router must have an entry in the user table or in RADIUS.
PortMaster products allow you to configure two types of users, network users and login users.
Network users dial in to an asynchronous serial, synchronous serial, or ISDN port on the PortMaster. A connection is established as soon as the user logs in. A PPP or SLIP (on asynchronous ports) session is started. This type of connection can be used for dial-in users or for other routers that need to access and transfer data from the network. Define this type of user when network packets must be sent through the connection.
Login users are allowed to establish PortMaster (in.pmd), rlogin, Telnet, or netdata (TCP clear) connections through an asynchronous serial or ISDN port. A connection is established to the specified host as soon as the user logs in. This type of connection is useful for users who need to access an account on a host running TCP/IP.
The following settings can be configured for either network or login users.
To set a password for either a login or network user, use the following command:
The password can contain between 0 and 16 printable ASCII characters.
The idle timer defines the number of minutes or seconds the line can be idle, in both directions, before the PortMaster disconnects the user. You can set the idle time in seconds or minutes, with any value between 2 and 240. The default setting is 0 minutes. The idle timer is not reset by RIP, keepalive, or SAP packets.
To set the idle timer, use the following command:
To disable the idle timer, set the time to 0 minutes.
You can define the maximum length of a session permitted before the PortMaster disconnects the user. The session length can be set to between 0 and 240 minutes.
To set the session limit, use the following command:
To disable the session limit, set the time to 0.
Network users establish PPP or SLIP connections with the network as soon as they have been authenticated.
You can set the network protocol for the network user to PPP or SLIP as described in Chapter 5, "Configuring an Asynchronous Port." Select a protocol that is compatible with the rest of your network configuration and the user's capabilities.
To set the network protocol for a network user, use the following command:
If you set a nonzero IP address for a network user using PPP, IP is automatically routed. If you set a nonzero IPX network number for the user, IPX is automatically routed.
Do not set an IPX number of all 0s (zeros) or all Fs for the IPX network address.
You must define the IP address or hostname of the remote host or router. Table 7-3 describes three different ways that the user IP address can be determined.
To set the user IP address for a normal network user, use the following command:
Do not set a subnet mask for a network user unless the user is routed to another network from your network. In that case, set the subnet mask to 255.255.255.255.
To set the subnet mask, use the following command:
If you are using the IPX protocol for this user, you must assign a unique IPX number to the network connection between the remote user device and the PortMaster. Each user's connection requires a different IPX network number. If you use fffffffe as the IPX network number, the PortMaster assigns the user an IPX network number based on an IP address from the IP address pool.
Note: Do not set a value of all 0s (zeros) or all Fs for the IPX network number.
To set the IPX network number, use the following command:
As described in the PortMaster Routing Guide, PortMaster products automatically send and accept route information as RIP messages.
To configure RIP routing for a network user, use the following command:
Note: ComOS releases prior to 3.5 used the keyword routing instead of the rip keyword.
Table 7-4 describes the results of using each keyword.
The PPP protocol supports the replacement of nonprinting ASCII data in the PPP stream. These characters are not sent through the line, but instead are replaced by a special set of characters that the remote site interprets as the original characters. The PPP asynchronous map is a bit map of characters that should be replaced. The lowest-order bit corresponds to the first ASCII character NUL, and so on. In most environments, the asynchronous map should be set to zero to achieve maximum throughput.
To set the PPP asynchronous character map, use the following command:
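The mapping that the asynchronous map controls, as an added example that is not part of this guide: a Python model of the RFC 1662 escaping used on asynchronous PPP links, with the 32-bit map built from the control characters to protect. The 0x7D/0x7E control bytes and the XOR 0x20 rule come from RFC 1662, not from this page.

```python
# Added example, not from the PortMaster guide: how the PPP asynchronous
# control character map (the user table's "asyncmap") drives byte escaping
# on an asynchronous link, following RFC 1662 HDLC-like framing.

FLAG = 0x7E    # frame delimiter, always escaped inside a frame
ESCAPE = 0x7D  # control escape, always escaped inside a frame
XOR = 0x20     # an escaped byte goes on the line as ESCAPE, byte ^ 0x20

def asyncmap_from_chars(chars):
    """Build the 32-bit map: bit n set means control character n (0x00-0x1F)
    must be replaced on the line; bit 0 is NUL, as the guide states."""
    accm = 0
    for c in chars:
        if not 0 <= c <= 0x1F:
            raise ValueError("asyncmap covers only 0x00-0x1F, got %#x" % c)
        accm |= 1 << c
    return accm

def must_escape(byte, accm):
    """True if this byte may not be sent literally under the given map."""
    return byte in (FLAG, ESCAPE) or (byte < 0x20 and bool((accm >> byte) & 1))

def escape_frame(payload, accm):
    """Transmit side: every flagged byte (plus 0x7D/0x7E) becomes
    ESCAPE followed by the byte XOR 0x20."""
    out = bytearray()
    for b in payload:
        out += bytes((ESCAPE, b ^ XOR)) if must_escape(b, accm) else bytes((b,))
    return bytes(out)

def unescape_frame(data):
    """Receive side: fold each ESCAPE, x pair back into x ^ 0x20. This does
    not depend on the map, so the receiver recovers the payload whatever
    map the sender used."""
    out = bytearray()
    it = iter(data)
    for b in it:
        if b == ESCAPE:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("frame ends in the middle of an escape")
            out.append(nxt ^ XOR)
        else:
            out.append(b)
    return bytes(out)

def line_overhead(payload, accm):
    """Extra bytes sent for this payload; with map 0 only 0x7D/0x7E cost."""
    return len(escape_frame(payload, accm)) - len(payload)
```

With asyncmap 0 only the two framing bytes are ever escaped, which is why the guide recommends zero for maximum throughput; a map such as 0x000A0000 (XON and XOFF) is the usual choice when the modems or terminal servers in the path act on those characters.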
The maximum transmission unit (MTU) defines the largest frame or packet that can be sent without fragmentation. A packet that exceeds this value is fragmented, if IP, or discarded if IPX. PPP connections can have a maximum MTU of 1520 bytes. SLIP connections can have a maximum MTU of 1006 bytes. PPP can negotiate smaller MTUs when requested by the calling party.
The MTU size is typically set to the maximum allowed for the protocol being used, either 1500 bytes (for PPP) or 1006 bytes (for SLIP). However, smaller MTU values can improve performance for interactive sessions. If you are using IPX, the MTU should be set to at least 600.
To set the MTU for a network user, use the following command:
You can define the number of dial-in ports that a user can use on the PortMaster for Multilink V.120, Multilink PPP, and multiline load-balancing.
If the maximum number of ports is unconfigured, port limits are not imposed and Lucent Remote Access' multiline load-balancing, Multilink V.120, and Multilink PPP sessions are allowed. You can also set the dial-in port limit using the RADIUS Port-Limit attribute.
To set the maximum number of dial-in ports, use the following command:
The Number variable can be set to between 0 and the number of available ports, up to 60.
Compression of TCP/IP headers can increase the performance of interactive TCP sessions over network hardwired asynchronous lines. PortMaster products use Van Jacobson TCP/IP header compression and Stac LZS data compression. Compression is on by default.
Compression cannot be used with multiline load-balancing, but can be used with Multilink PPP.
Compression must be enabled on both ends of the connection if you are using SLIP. With SLIP, TCP packets are not passed if only one side of the connection has compression enabled. For PPP connections, the PortMaster supports both bidirectional and unidirectional compression. Refer to RFC 1144 for more information about header compression.
The PortMaster supports Stac LZS data compression only for PPP connections with bidirectional compression. Stac LZS data compression cannot be used for SLIP connections.
To set header compression for a network user, use the following command:
Table 7-5 describes the results of using each keyword.
Input and output packet filters can be applied to each network user. If an input filter is applied to a user, when the user dials in and establishes a connection, all packets received from the user are evaluated against the rule set for the applied filter. Only packets allowed by the filter can pass through the PortMaster. If an output filter is applied to a user, packets going to the user are evaluated against the rule set for the applied filter. Only packets allowed by the filter are sent out of the PortMaster to the user. If either filter is changed while a user is logged on, the change will not take effect until the user disconnects and logs in again.
Note: You must define a filter in the filter table before you can apply it. For more information about filters, see Chapter 9, "Configuring Filters."
To apply an input filter for a network user, use the following command:
To apply an output filter for a network user, use the following command:
Omitting the Filtername removes any filter previously set on the port.
Note: Filters will be applied to the user the next time the user dials in.
You can configure the user for callback connections to enhance network security or to simplify telephone charges. When a network user logs in, the PortMaster disconnects the user and then calls back to the location specified for that user. The location is stored in the location table. The PortMaster always calls back using the same port on which the user called in. Network users have PPP or SLIP sessions started for them, as defined in the user table.
To specify the callback location for a network user, use the following command:
To disable callback connections for the user, use the none keyword.
For more information about configuring locations, refer to Chapter 8, "Configuring Dial-Out Connections."
Login users establish connections with hosts using one of the login services (dial-in, dial-out, or two-way) described in Chapter 5, "Configuring an Asynchronous Port."
You must define the host to which the user is connected. The login host can be defined in one of three ways. Table 7-6 shows the login host options.
To set the login host for a login user, use the following command:
An access filter is an input filter that restricts which hosts users can log in to. Access filters work as follows:
All login users must have an associated login service that determines the nature of their connection with the host.
The login service specifies how login sessions are established. Four types of login service are available as described in Table 7-7.
To set the login service type for a login user, use the following command:
You can configure the login user for callback connections to enhance network security or to simplify telephone charges. When a user logs in, the PortMaster disconnects the user and then dials out to the telephone number specified for that user. The user is reconnected to the host specified in the user table, via the same port on which the user dialed in.
To enter the callback telephone number for a login user, use the following command:
To disable callback connections for the user, use the none keyword.
spider@livingston.com
Copyright © 1998, Livingston Enterprises, Inc. All rights reserved.