Installation

This section contains instructions on how to install or upgrade NetServer.

Preparation

Before installing NetServer, you should have already installed your RADIUS AAA server or NAS, and configured and tested the appropriate databases to authenticate your own local users.

You should have the following information:

  • The IP address of the host on which you plan to install NetServer. This should be the Public IP Address registered to your iPass account which will be used to connect to the iPass AAA fabric. Your certificate cannot be validated until iPass places this IP address into our database.
  • The IP address, port numbers and secrets of RADIUS servers which forward requests to NetServer.
  • The iPass ISP Code given to your company when it signed up with iPass. If you do not have this code, please contact your iPass NetServer Installation Engineer.
  • Your username and password for the iPass FTP site where you will download the software. If you do not have these credentials, please contact your iPass NetServer Installation Engineer.

In addition, you should make sure that you have access to the following:

  • A Mail Transfer Agent (such as Sendmail) installed and configured to allow you to send the certificate request.
  • Root access on the NetServer host.

System Requirements

Host Requirements

A host running NetServer 6.0.0 must meet these requirements:

  • Pentium II processor (or equivalent RISC processor)
  • 512 MB RAM
  • 128 MB free RAM, 256 MB recommended
  • 256 MB permanent disk space, 500 MB recommended

Installation Requirements

The NetServer installation process requires these system resources:

  • 60 MB temporary disk space
  • SMTP services for transmitting the certificate request
  • Enrollment requests can be sent using FTP if SMTP services are not available.

Supported Platforms

NetServer 6.0.0 is supported on the following platforms:

  • Linux RHEL 5.5 32-Bit
  • Linux RHEL 5.5 64-Bit
  • CentOS 5.7 32-Bit
  • CentOS 5.7 64-Bit
  • Ubuntu 12.04.2 LTS 32-Bit
  • Ubuntu 12.04.2 LTS 64-Bit
  • Solaris 10 Sparc 32-Bit
  • Solaris 10 Sparc 64-Bit

Interoperable RADIUS Servers

The list of RADIUS servers with which NetServer is interoperable includes, but is not limited to:

  • FreeRADIUS (recommended)
  • RADIATOR (recommended)
  • Cistron RADIUS
  • DTC RADIUS, v2.02 and later
  • Interlink Networks Advanced Server (AAA)
  • FUNK Steel-Belted RADIUS v3.0 and later
  • Ascend Access Control (Extended RADIUS)
  • Ascend RADIUS 960112, 970224
  • Vircom RADIUS
  • Navis RADIUS
  • Merit (Enterprise Editions only)

Additional Operational Requirements

Additional operational requirements include:

  • Connectivity to a primary RADIUS capable of proxying authentication and accounting packets.
  • Domain Name Server (DNS) installed and configured to work with the NetServer host.
  • Connectivity to the iPass Transaction Servers. The TCP/IP protocol is required to support the SSL-encrypted connection between the NetServer and the iPass Transaction Centers.
  • Other processes, such as a firewall or authentication server, can be run on the platform concurrently with NetServer.

Firewall Rules

If NetServer 6.0.0 is installed behind a firewall or other network address translation device, you must enable the firewall rules shown in the following table. Notes at the end of the table give more information.

| Purpose | Inbound | Source IP(s) | Destination IP(s) | IP Port | Protocol |
|---|---|---|---|---|---|
| iPass Transaction Center auth-apac.ipass.com (Hong Kong, CN) | x | | 216.239.98.126 | 9101 | TCP/IP |
| iPass Transaction Center auth-sjc.ipass.com (San Jose, CA) | x | | 216.239.108.126 | 9101 | TCP/IP |
| iPass Transaction Center auth7.ipass.com (Atlanta, US) | x | | 216.239.111.126 | 9101 | TCP/IP |
| iPass Transaction Center auth8.ipass.com (London, UK) | x | | 216.239.105.126 | 9101 | TCP/IP |
| iPass Transaction Center auth5.ipass.com (Santa Clara, US) | x | | 216.239.99.126 | 9101 | TCP/IP |

| Purpose | Inbound | Outbound | Source IP(s) | Destination Port | Protocol | Notes |
|---|---|---|---|---|---|---|
| Monitoring | x | | 216.239.99.200 | 1984 | TCP/IP | |
| Monitoring | x | | 216.239.99.200 | 1984 | ICMP (ping) | |
| Monitoring | x | | 216.239.100.200 | 1984 | TCP/IP | |
| Monitoring | x | | 216.239.100.200 | 1984 | ICMP (ping) | |
| Configuration Upload Server | | x | 216.239.111.209, 216.239.111.200 | 9101 | TCP/IP | NetServer sends its configuration file on a regular basis to the Configuration Upload Servers. |
| Software Update Server | | x | 216.239.99.209, 216.239.99.200 | 9101 | TCP/IP | NetServer periodically checks for software updates on Update Server. |
| SSH access for troubleshooting and routine maintenance | x | | 216.239.97.227 | 22 | TCP/IP | SSH access from the iPass Operations Center should be allowed for troubleshooting and routine maintenance. |

Supported RADIUS Attributes

NetServer 6.0.0 supports the following RADIUS attributes:

  • All attributes from RFC 2865 and 2866
  • From RFC 2869: EAP-Message, Message-Authenticator, NAS-Port-Id
  • From RFC 4372: Chargeable-User-Identity (CUI)
  • From RFC 2546: ms-mppe-send-key, ms-mppe-recv-key

Graceful Forwarding: NetServer authentication and accounting will drop attributes that are not listed in RFC 2865 and 2866, but packets are still forwarded.

NetServer Default Ports

  • SSL port=11811
  • Authorization port=11812 (NetServer uses a different port than RADIUS)
  • Accounting port=11813
  • Proxy authorization port=11817
  • Proxy accounting port=11818

Installation Process

The installation process consists of downloading the installation file and then installing the software.

Downloading

You will need to download the NetServer installation file from our secure FTP site. Contact your iPass installation engineer for your FTP username and password.

To download the NetServer installation file:

  1. At a command line, type: ftp ftp.ipass.com
  2. At the username prompt, type your FTP username.
  3. At the password prompt, type your FTP password.
  4. Type: cd NS/6.0.0
  5. Type: bin
  6. Type: get <correct version for your OS>
  7. When the download is complete, type: bye

Directory names and filenames are case-sensitive.

Installing the Software

This guide uses the term <NS_Home> for the NetServer 6.0.0 installation directory. The default is /usr/ipass/netserver/current_version.

To install the NetServer 6.0.0 directories:

  1. The iPass Products directory /usr/ipass should be created and owned by root or the appropriate “ipass” service account with sudoer permission. If your partitioning scheme does not provide enough space for /usr/ipass, create a symbolic link for the /usr/ipass directory to the intended installation volume.
  2. Copy the downloaded NS 6.0.0 installation file “netserver_6.0.0_<platform>.tar.gz” under '/usr/ipass/', where <platform> is the platform of your NetServer.
  3. Type: cd /usr/ipass/
  4. Type: gunzip netserver_6.0.0_<platform>.tar.gz to uncompress the installation file.
  5. Type: tar -xvf netserver_6.0.0_<platform>.tar. By default, this will create a hierarchy in “/usr/ipass/netserver/6.0.0” with all the necessary directories and files. In order for NetServer to run correctly, you must keep the file hierarchy as it is installed.
  6. Run ./create_link script from the directory path “/usr/ipass/netserver/6.0.0/.scripts” to create a softlink /usr/ipass/netserver/current_version → /usr/ipass/netserver/6.0.0
  7. Type: ipassconfig.csh -conf under /usr/ipass/netserver/current_version/bin to generate the ipassNS.properties file. For detailed information regarding configuration, refer to the Configuration section. Once configuration is complete, your NetServer is ready to be started.
  8. Run the init.sh script under the /usr/ipass/netserver/current_version/bin directory to create RC scripts.
  9. Review the End User License Agreement from the file “<NS_Home>/license.txt”.
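
Steps 4 and 5 unpack the archive as root, and the member names inside it decide where files land. The following added example (not part of the original guide or of iPass's tooling) lists the archive first and rejects absolute paths, ".." components and anything outside netserver/; the netserver/ root is an assumption taken from the hierarchy described in step 5.

```shell
#!/bin/sh
# Added example, not iPass code. Vets a tarball's member names before it is
# unpacked as root under /usr/ipass.

# vet_names ROOT: reads one member name per line on stdin; exit status 0 only
# if every name is relative, has no ".." component and sits under ROOT/.
vet_names() {
    awk -v root="$1" '
        {
            name = $0
            sub(/^\.\//, "", name)                     # tolerate a leading ./
            if (substr(name, 1, 1) == "/") { print "absolute path: " $0; bad = 1; next }
            n = split(name, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print "parent-directory component: " $0; bad = 1; next }
            if (index(name "/", root "/") != 1) { print "outside " root "/: " $0; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# check_archive FILE [ROOT]: lists the gzip-compressed tar without writing
# anything to disk and vets the listing. ROOT defaults to "netserver"
# (assumption: the hierarchy step 5 says the archive creates).
check_archive() {
    listing=$(tar -tzf "$1") || { echo "cannot list $1" >&2; return 2; }
    printf '%s\n' "$listing" | vet_names "${2:-netserver}"
}

# Before steps 4 and 5 (file name as in step 2, with <platform> filled in):
#   cd /usr/ipass && check_archive netserver_6.0.0_<platform>.tar.gz || exit 1
```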

Migration Tool

Migrating from NetServer 5.x to NetServer 6.0.0

If you are upgrading to NetServer 6.0.0 from version 5.x, the Migration Tool must be run manually after the installation process. The Migration Tool will convert your old configuration file into the new ipassNS.properties, adding the properties introduced in 6.0.0, and copy certificates and keys from the old installation into KeyStores.

Manual Migration

  • Untar NetServer 6.0.0 build under /usr/ipass/ to create a hierarchy /usr/ipass/netserver/6.0.0

  1. Migrating from NetServer 5.x to 6.0.0: Type ./ns_migration_tool.csh under /usr/ipass/netserver/6.0.0/bin. For example, cd /usr/ipass/netserver/6.0.0/bin and run: ./ns_migration_tool.csh. It will prompt you for the path to migrate files from. Enter the NS 5.x path /usr/ipass/netserver/5.x. It should migrate the ipassNS.properties file, certs and keys from the 5.x version to 6.0.0, and it will add new attributes to ipassNS.properties as below:
    • The 'strip' flag is added for Routing Realms. For the realms 'ipass' and 'ipasv' it is set to 'yes' by default, and for other realms it is set to 'no' by default.
    • 'AdminKeyStoreProperty' is added to ipassNS.properties.
    • All .pem keystore files are migrated to the .keystore extension.
  2. Once migration is done, run the create_link.sh script from the path “/usr/ipass/netserver/6.0.0/.scripts” to create the soft link (it will create the soft link under “/usr/ipass/netserver/current_version”).
  3. Run the init.sh script from /usr/ipass/netserver/current_version/bin to create RC scripts.

The NetServerd Script

The script NetServerd is not included in the Migration Tool process, so command line options it contains will not be carried over to the new version of NetServer. This may trigger the following issues:

Non-Default Ports: The NetServer 6.0.0 Migration Tool assumes that your NetServer runs on the default port of 11811. If this is not the case, after you run the Migration Tool, you will need to edit the following attributes in the ipassNS.properties file:

  • Listener1=Type=RADIUS,Port=<port number>
  • Listener2=Type=RADIUSProxy,Port=<port number>

Dual-Homed Hosts: If NetServer 5.x runs on a dual-homed host, the Migration Tool may not bind NetServer to the correct IP address. You will need to check that the ipassNS.properties file reflects your correct IP address.

Port Settings: The migration tool will automatically migrate your previous port settings from NetServer 5.x to 6.0.0.
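
A post-migration check of ipassNS.properties for the points above, as an added example that is not iPass code: it reports each Listener port, flags a missing AdminKeyStoreProperty or leftover .pem references, and compares the LocalIpAddress of every IpassServer entry with the address you expect. It assumes the IpassServer LocalIpAddress attribute (described under NetServer Binding) is the address to verify on a dual-homed host; the sample file is constructed, and ExampleKeyFile and the property values in it are placeholders.

```shell
# Added example, not iPass code. Audits a migrated ipassNS.properties.
# Usage: audit_props FILE [EXPECTED_LOCAL_IP]; exit status 0 means no findings.
audit_props() {
    awk -v want_ip="${2:-}" '
        function attr(list, name,    n, i, pair) {      # value of name in "a=b,c=d"
            n = split(list, pair, ",")
            for (i = 1; i <= n; i++)
                if (index(pair[i], name "=") == 1) return substr(pair[i], length(name) + 2)
            return ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ || !index($0, "=") { next }
        {
            eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        }
        key ~ /^Listener[0-9]+$/ {                      # compare with the ports 5.x used
            listeners++
            print "INFO " key ": " attr(val, "Type") " on port " attr(val, "Port")
        }
        key ~ /^IpassServer[0-9]+$/ && want_ip != "" {  # dual-homed hosts
            ip = attr(val, "LocalIpAddress")
            if (ip != want_ip) { print "FAIL " key ": LocalIpAddress=\"" ip "\" (expected " want_ip ")"; bad = 1 }
        }
        key == "AdminKeyStoreProperty" { admin = 1 }
        {                                               # .pem should now be .keystore
            n = split(val, part, ",")
            for (i = 1; i <= n; i++)
                if (part[i] ~ /\.pem$/) { print "FAIL " key ": still points at a .pem file"; bad = 1 }
        }
        END {
            if (!admin)     { print "FAIL AdminKeyStoreProperty is missing"; bad = 1 }
            if (!listeners) { print "FAIL no ListenerN entries found"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample. ExampleKeyFile and the values shown are placeholders,
# not real NetServer settings.
sample_props() {
    cat <<'EOF'
Listener1=Type=RADIUS,Port=11812
Listener2=Type=RADIUSProxy,Port=11817
IpassServer1 = LocalIpAddress=192.0.2.10
IpassServer2 = name21=value21
AdminKeyStoreProperty=example.keystore
ExampleKeyFile=server.pem
EOF
}
```

Run it as audit_props <NS_Home>/ipassNS.properties <your public IP> after the Migration Tool finishes, adjusting the path to wherever your installation keeps the file.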

Rollback Procedure

If you need to roll back your NetServer 6.0.0 installation to a previous 5.x version, follow the appropriate procedures listed here.

These instructions assume that NetServer 5.x is installed in /usr/ipass/netserver/5.x, and NetServer 6.0.0 is installed in /usr/ipass/netserver/current_version.

To roll back NetServer 6.0.0:

  1. If necessary, stop NetServer 6.0.0 as follows:
    • Type: cd /usr/ipass/netserver/current_version/bin
    • Type: ./netserverd stop
    • Check if the process stopped by typing: ps -auxwww | grep netserver
    • If the process did not die, execute: ./netserverd kill
    • Verify that the process stopped by typing: ps -auxwww | grep netserver
  2. Change the softlink file /usr/ipass/netserver/current_version to point back to the previous NetServer directory /usr/ipass/netserver/<NS Version>, as follows:
    • cd to /usr/ipass/netserver/
    • rm current_version
    • ln -s /usr/ipass/netserver/5.x current_version
  3. Start the old NetServer:
    • cd to /usr/ipass/netserver/<NS Version>/bin
    • run ./netserverd start

Uninstalling NetServer 6.0.0

  • Type: cd /usr/ipass/netserver
  • Type: rm -rf 6.0.0

NetServer Binding

To bind to a local IP for outgoing requests to the Transaction Servers, you need to configure the LocalIpAddress attribute of your IpassServers property.

To view iPass Transaction Server information, type the following in <NS_Home>/bin: ipassconfig.csh -help IpassServer

Sample format of IpassServer:

IpassServer1 = name11=value11,name12=value12,…

IpassServer2 = name21=value21,name

See the Property Glossary for more information on configuring this value.

©2015 iPass Inc. All rights reserved.