Environment
Novell BorderManager 3.8
Novell BorderManager 3.7
Novell BorderManager 3.6
Novell Modular Authentication Service (NMAS)
Remote Authentication Dial In User Service (RADIUS)
Situation
RADIUS.NLM was moved from BorderManager to NMAS - see KB 10075544 (https://support.novell.com/docs/Tids/Solutions/10075544.html).
The upgrade process (https://www.novell.com/documentation/nmas23/radius/data/hosamgbp.html#hosamgbp) uses the phrase "once the information has been modified using ConsoleOne, the BMAS server will no longer be useful." This has been interpreted to mean that the process is all one way with no rollback process.
This TID discusses the background and process of upgrading RADIUS from BorderManager to NMAS.
Resolution
The version of RADIUS in BorderManager 3.8 is functionally the same as that supplied with NMAS. Radmig (discussed in the upgrade process, above) is only required if running BMAS 3.5, 3.6, or 3.7.
Radmig does not overwrite or remove any data. After running Radmig, both a BMAS 3.7 and NMAS RADIUS server can use the same DAS object. Radmig can do this because the data it upgrades for NMAS RADIUS is stored in new attributes that are not used by BMAS 3.7.
Problems only arise when encrypted information stored on the DAS, such as client shared secrets, is modified. This is because the NMAS RADIUS ConsoleOne snap‑in uses NICI for encryption, while the NWAdmin snap‑in for BMAS was statically linked with the BSafe encryption library. Older versions of BMAS encrypted data with an algorithm that is not available in NICI. Therefore, the NMAS RADIUS ConsoleOne snap‑in can't store encrypted data in the old BMAS 3.7 format.
It is possible for BMAS 3.7 servers and NMAS RADIUS servers to use the same DAS object. To do this use NWAdmin to make modifications to the DAS, then re‑run Radmig to make the modifications available to the NMAS RADIUS servers.
Note that RADIUS in BMAS 3.7 uses two different passwords: the NDS password and the "Dial Access Password". The Dial Access Password is stored under reversible encryption, and is used for CHAP authentications. This is because the CHAP protocol requires the server to have a clear‑text copy of the password.
NMAS RADIUS does not use the Dial Access Password, but instead uses the NMAS Simple Password login method to process CHAP authentications. When Radmig migrates user passwords, it simply decrypts each user's Dial Access Password and stores it as their NMAS Simple Password. Radmig does not overwrite, delete, or otherwise change a user's existing Dial Access Password.
Therefore, users' passwords only need to be migrated if using the CHAP protocol. This is not necessary if using PAP. If users are authenticating with their NDS passwords, then they are using PAP.
Radmig does nothing with NDS passwords.
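The PAP/CHAP distinction above is a property of the RADIUS protocol itself, so it can be shown in code. The following is an added illustration written for this TID; it is not Novell code and does not reproduce the NDS, Dial Access Password, or NMAS Simple Password storage formats. It implements User-Password hiding from RFC 2865 section 5.2 (PAP) and the CHAP-Password computation from RFC 2865 section 5.3 / RFC 1994, then verifies both against a constructed credential store. The shared secret, authenticator, challenge, salt, and SHA-256 one-way store are constructed sample values. The point it demonstrates: with PAP the server recovers the cleartext from the packet and can check it against a one-way hash (so the NDS password works), whereas a CHAP response can only be recomputed from the password itself, which is why the server must hold a reversible copy.

```python
"""RADIUS PAP vs. CHAP verification: why CHAP needs a cleartext copy.

Added illustration for this TID; not Novell code and not the NDS/NMAS
on-disk format. Shared secret, authenticator, challenge and user store
are constructed sample data.
"""
import hashlib
import hmac

SHARED_SECRET = b"nas-shared-secret"   # constructed: NAS <-> RADIUS server secret


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- PAP: User-Password attribute (RFC 2865 section 5.2) ------------------

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to a multiple of 16 and XOR with an MD5 keystream."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], _md5(secret + prev))
        out += block
        prev = block                      # each block chains on the previous ciphertext
    return out


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding and obtain the cleartext the NAS sent."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, _md5(secret + prev))
        prev = block
    return out.rstrip(b"\x00")            # trailing NULs are padding


# --- CHAP: CHAP-Password / CHAP-Challenge (RFC 2865 section 5.3, RFC 1994) --

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(Ident || password || challenge): what the client sends."""
    return _md5(bytes([ident]) + password + challenge)


def verify_chap(ident: int, response: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """The server recomputes the same MD5, so it needs the password itself."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


# --- Credential store (constructed illustration) ---------------------------

def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a non-reversible store such as the NDS password (not its real format)."""
    return hashlib.sha256(salt + password).digest()


def verify_pap(hidden: bytes, authenticator: bytes, salt: bytes,
               stored_hash: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """PAP: the server sees the cleartext, so a one-way hash is enough."""
    candidate = recover_user_password(hidden, secret, authenticator)
    return hmac.compare_digest(one_way_hash(candidate, salt), stored_hash)


def demo() -> dict:
    """Constructed session: same user, PAP then CHAP, against the two kinds of store."""
    password = b"correct-horse"           # constructed user password
    salt = b"salt1234"                    # constructed salt
    stored_hash = one_way_hash(password, salt)
    authenticator = bytes(range(16))      # constructed Request Authenticator
    challenge = bytes(range(16, 32))      # constructed CHAP-Challenge
    ident = 7

    hidden = hide_user_password(password, SHARED_SECRET, authenticator)
    response = chap_response(ident, password, challenge)
    return {
        "pap_with_hash_only": verify_pap(hidden, authenticator, salt, stored_hash),
        "chap_with_cleartext": verify_chap(ident, response, challenge, password),
        # A hash is not the password: the recomputed MD5 will not match.
        "chap_with_hash_only": verify_chap(ident, response, challenge, stored_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The third result is the operational consequence the TID describes: a CHAP server cannot work from a one-way hash, so BMAS keeps the Dial Access Password reversibly encrypted and Radmig must decrypt it to populate the NMAS Simple Password, while PAP users authenticating with their NDS password need no migration at all.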
The simplest way to upgrade is as follows:
- Install BorderManager 3.8. (This product includes NMAS RADIUS.)
- One of the BorderManager 3.8 install screens will ask to migrate old BMAS data. This will run Radmig, and will not overwrite any old BMAS 3.7 data. BMAS 3.7 servers will continue to work.
- After the installation completes, use the RADIUS ConsoleOne snap‑in to create a login policy for the DAS. (Use the "Rules" tab on the Login Policy object in the Security container. Note that this will not affect the existing BMAS 3.7 login policy, since the NMAS RADIUS login policy is stored in different attributes.)
Additional Information
FreeRADIUS is an alternative upgrade path to NMAS RADIUS. FreeRADIUS does not run on NetWare, but is available on all of the other eDirectory platforms.
See the documentation website at https://www.novell.com/documentation/edir_radius/index.html?treetitl.html for further details.