Upgrading RADIUS from BorderManager to NMAS

  • 3008272
  • 09-Jan-2007
  • 26-Apr-2012

Environment

Novell BorderManager 3.8
Novell BorderManager 3.7
Novell BorderManager 3.6
Novell Modular Authentication Service (NMAS)
Remote Authentication Dial In User Service (RADIUS)

Situation

RADIUS.NLM was moved from BorderManager to NMAS; see KB 10075544 (https://support.novell.com/docs/Tids/Solutions/10075544.html).

The upgrade process (https://www.novell.com/documentation/nmas23/radius/data/hosamgbp.html#hosamgbp) uses the phrase "once the information has been modified using ConsoleOne, the BMAS server will no longer be useful". This has been interpreted to mean that the process is strictly one way, with no way to roll back.

This TID discusses the background and process of upgrading RADIUS from BorderManager to NMAS.

Resolution

The version of RADIUS in BorderManager 3.8 is functionally the same as that supplied with NMAS. Radmig (discussed in the upgrade process, above) is only required if running BMAS 3.5, 3.6, or 3.7.

Radmig does not overwrite or remove any data. After running Radmig, both a BMAS 3.7 and NMAS RADIUS server can use the same DAS object. Radmig can do this because the data it upgrades for NMAS RADIUS is stored in new attributes that are not used by BMAS 3.7.

Problems only arise when encrypted information stored on the DAS, such as client shared secrets, is modified. This is because the NMAS RADIUS ConsoleOne snap‑in uses NICI for encryption, while the NWAdmin snap‑in for BMAS was statically linked with the BSafe encryption library. Older versions of BMAS were encrypting data with an algorithm that is not available in NICI. Therefore, the NMAS RADIUS ConsoleOne snap‑in can't store encrypted data in the old BMAS 3.7 format.

It is possible for BMAS 3.7 servers and NMAS RADIUS servers to use the same DAS object. To do this, use NWAdmin to make modifications to the DAS, then re‑run Radmig to make the modifications available to the NMAS RADIUS servers.

Note that RADIUS in BMAS 3.7 uses two different passwords: the NDS password and the "Dial Access Password". The Dial Access Password is stored under reversible encryption, and is used for CHAP authentications. This is because the CHAP protocol requires the server to have a clear‑text copy of the password.

NMAS RADIUS does not use the Dial Access Password, but instead uses the NMAS Simple Password login method to process CHAP authentications. When Radmig migrates users' passwords, it simply decrypts each user's Dial Access Password and stores it as their NMAS Simple Password. Radmig does not overwrite, delete, or otherwise change a user's existing Dial Access Password.

Therefore, users' passwords only need to be migrated if using the CHAP protocol. This is not necessary if using PAP. If users are authenticating with their NDS passwords, then they are using PAP.

Radmig does nothing with NDS passwords.
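The reason CHAP needs a recoverable password while PAP does not follows directly from how the two protocols verify a user. The following Python example is added here to illustrate that point; it is not Novell code and is not part of this TID. It implements the CHAP response from RFC 1994 (MD5 over Identifier, Secret and Challenge) and the 17-octet layout of the RADIUS CHAP-Password attribute from RFC 2865, then shows that a server holding only a one-way hash of the secret cannot verify a CHAP response, whereas a PAP password can be checked against a salted hash. The user secret and challenge values are constructed samples.

```python
"""Why CHAP needs a clear-text (or reversibly encrypted) password and PAP does not.

Added illustration of RFC 1994 CHAP and RFC 2865 CHAP-Password handling on the
RADIUS server side. Not Novell code; all secrets below are constructed samples.
"""
import hashlib
import hmac
import os
from typing import Tuple

PBKDF2_ROUNDS = 100_000


# --- CHAP (RFC 1994 section 2; RFC 2865 section 5.3) -----------------------
# Response = MD5(Identifier || Secret || Challenge). In RADIUS the Identifier
# and Response travel in the CHAP-Password attribute (1 octet Ident + 16 octet
# response) and the challenge in CHAP-Challenge (or the Request Authenticator).

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The 16-byte CHAP response the client computes from its own password."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_password_attribute(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: CHAP Ident + response."""
    return bytes([identifier & 0xFF]) + chap_response(identifier, secret, challenge)


def chap_verify(attr_value: bytes, challenge: bytes, stored_cleartext_secret: bytes) -> bool:
    """Server-side check of a CHAP-Password attribute.

    The server must recompute the same MD5 the client computed, so it needs the
    secret itself (BMAS: the reversibly encrypted Dial Access Password;
    NMAS RADIUS: the Simple Password). A one-way hash of the secret is useless here.
    """
    if len(attr_value) != 17:          # 1 octet Ident + 16 octet MD5 response
        return False
    ident, response = attr_value[0], attr_value[1:]
    expected = chap_response(ident, stored_cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)


# --- PAP -------------------------------------------------------------------
# The client presents the password itself (RADIUS obscures it in transit with
# the client/server shared secret), so the server only needs a one-way,
# salted hash to verify it and never has to keep the password recoverable.

def pap_store(password: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, hash) for storing a PAP-verifiable credential."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def pap_verify(password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """Check a PAP password against the stored salted hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_hash)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Run both flows with a constructed password; returns four verdicts."""
    secret = b"constructed-dial-access-pw"      # constructed sample, not a real value
    challenge = os.urandom(16)
    attr = chap_password_attribute(0x2A, secret, challenge)

    chap_with_cleartext = chap_verify(attr, challenge, secret)
    # A server that kept only a hash of the secret cannot reproduce the response:
    chap_with_hash_only = chap_verify(attr, challenge, hashlib.sha256(secret).digest())

    salt, stored = pap_store(secret)
    pap_right = pap_verify(secret, salt, stored)
    pap_wrong = pap_verify(b"not-the-password", salt, stored)
    return chap_with_cleartext, chap_with_hash_only, pap_right, pap_wrong


if __name__ == "__main__":
    print("CHAP with clear-text secret, CHAP with hash only, PAP right, PAP wrong:", demo())
```

The four verdicts come back as True, False, True, False: the CHAP check succeeds only when the server holds the actual secret, which is exactly why BMAS kept a reversibly encrypted Dial Access Password and why Radmig has to decrypt it before storing it as the NMAS Simple Password. The PAP check works against a one-way hash, which is why NDS-password users need no migration.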

The simplest way to upgrade is as follows:
  1. Install BorderManager 3.8. (This product includes NMAS RADIUS.)

  2. One of the BorderManager 3.8 install screens will ask to migrate old BMAS data. This will run Radmig, and will not overwrite any old BMAS 3.7 data. BMAS 3.7 servers will continue to work.

  3. After the installation completes, use the RADIUS ConsoleOne snap‑in to create a login policy for the DAS. (Use the "Rules" tab on the Login Policy object in the Security container. Note that this will not affect the existing BMAS 3.7 login policy, since the NMAS RADIUS login policy is stored in different attributes.)

Additional Information

FreeRADIUS is an alternative upgrade path to NMAS RADIUS. FreeRADIUS does not run on NetWare, but is available on all of the other eDirectory platforms.

See the documentation website at https://www.novell.com/documentation/edir_radius/index.html?treetitl.html for further details.