ipassNS.properties

The ipassNS.properties file allows configuration of NetServer features. By setting properties in the file, you can enable important NetServer functions. Enabling some features may involve setting more than one property.

NetServer will periodically upload its encrypted ipassNS.properties to an upload server, including at startup. This information will be used for diagnostic and troubleshooting purposes across the iPass network.

Property Help

You can obtain help on any property by running ipassconfig.csh, found in your <NS_Home>/bin directory.

To list all server properties: ipassconfig -listall

To describe usage of a property: ipassconfig -help <property name>

Property Glossary

This glossary defines all properties found in ipassNS.properties, including configurable parameters for each property.

Property Description
AcctLogBackupType AcctLogBackupType=<backupType> where <backupType> is either MultipleWithTimestamp or SingleBackup. The default is MultipleWithTimestamp. AcctLogBackupType sets the accounting log's backup file name when rotation is to be performed on local accounting files.
AcctLogRotationDays AcctLogRotationDays=<days>. Valid range is: 1 to 30 days. The default is 7 days. AcctLogRotationDays controls how often the local accounting file is rotated.
AcctLogRotationMaxSize AcctLogRotationMaxSize=<max size>. Minimum value is 100 kbytes. Maximum value is 20000 kbytes. The default is 10000 kbytes. AcctLogRotationMaxSize limits how large (in kbytes) the local accounting file can get before it is rotated.
AcctLogRotationType AcctLogRotationType=<rotationType> Where <rotationType> is either FileSize or NumberOfDays. AcctLogRotationType sets the type of rotation to be performed on the local accounting files. The default is FileSize.
AdminKeystoreProperty AdminKeyStoreProperty=<KeyStoreProperty> determines which KeyStore will be used for administrative purposes. This property must be specified.
AllowAcctUpdate When AllowAcctUpdate is set to YES, this server will allow accounting Interim-Update requests to be forwarded to the iPass network. The default value is set to NO.
AppendNasPortType Determines if nas_port_type needs to be appended to the called_station_id. If set to true, called_station_id is modified to called_station_id:nas_port_type in both the Auth and Acct packets forwarded to iPass. Default is set to false.
AscendDataFilter AscendDataFilter1=<valid string for ascend-data-filter>. This is used as an anti-spam feature for some providers and will block the email port (25) at the provider.
If the AAA server does not send it to us, we will use the AscendDataFilter(s) specified to send back in the authorization accept packet.
An example entry is: AscendDataFilter1=ip in forward tcp est. AscendDataFilter2=ip in forward dstip xxx.xxx.xxx.xxx/yy. AscendDataFilter3=ip in drop tcp dstport=25. AscendDataFilter4=ip in forward.
The string ip in drop tcp dstport=25 is a mandatory AscendDataFilter attribute. When no AscendDataFilter is configured, this feature is disabled.
AuthCacheDays AuthCacheDays=<# of days>. This attribute determines the maximum number of days an authentication reply is cached by the NetServer. Valid range is 1 to 7 days. The default value of this property is set to 7 days.
AuthCacheEnabled AuthCacheEnabled=yes/no. Determines if caching of authentication requests is enabled. Default is set to YES.
AuthCacheSize AuthCacheSize=<number of users>. This attribute determines the maximum number of successful user authentication replies cached by the NetServer. Valid range is 60 to 10000 users. The default value of this property is set to 500 users. If an odd value is specified, then the allowed cache size is the next even number.
AutoUpdate AutoUpdate=yes/no. Determines if automatic software update is enabled. Default is set to FALSE.
AutoUpload AutoUpload=TRUE/FALSE. Determines if automatic file upload is enabled. Default is set to TRUE.
CollectStatistics CollectStatistics=yes/no. Determines if statistics should be collected. Default is set to TRUE.
CustomerId CustomerId=<iPass Code>. This is the same number as your iPass portal customer ID. Default value=1.
CuiEnable CuiEnable=yes/no or true/false. If EapNaiCheck is false, a supplier must support attribute 89 in all Radius Accounting. These settings enable reflection of Chargeable-User-Identity Attribute 89 in all Access-Accept. The value of the attribute is the accepted userid negotiated with iPass Transaction Centers unless a CUI is returned by the Home AAA. Default setting is: TRUE.
CuiHashEnable CuiHashEnable=yes/no or true/false. CuiHashEnable encodes the value of the CUI returned in an Access-Accept to create a unique and anonymous identity hash of the user portion of the NAI or of the complete NAI. This hash is reversible by iPass for billing correlation. Default setting is: false.
CuiHashingStrategy CuiHashingStrategy=<cuiHashingStrategy>. Where <cuiHashingStrategy> is either NAI or USER_NAME. The default is USER_NAME. CuiHashingStrategy sets the type of hashing strategy to be performed on CUI hashing. That is, either the complete NAI or just the USER_NAME in an NAI is hashed.
CuiAcctUserReplace Provides CuiAcctUserReplace information. Sample format of the entries: CuiAcctUserReplace1 = name11=value11,name12=value12,… CuiAcctUserReplace2 = name21=value21,name22=value22,…
CuiAcctUserReplace attributes:
Token: CuiAcctUserReplace retrieves the CUI from all Accounting messages and replaces the Anonymous EAP Identity token used for routing the transaction in the User-Name with the value of the CUI returned in the Access-Accept.
Decode: If CuiHashEnable is yes, CuiAcctUserReplace can optionally leave the User-Name encoded for transmission to iPass for correlation by the Home AAA without CUI.
DebugLevel DebugLevel=<level>. Debug level determines if debug and error messages are logged to the trace file. The following levels are supported.
Debug level 0: Only severe messages are logged.
Debug level 1: Error messages are logged.
Debug level 2: Error and Debug messages are logged.
Debug level 3: Error, Debug, and Packet parsing information is logged.
Debug level 4: Error, Debug, Packet parsing, and Packet dumping is logged.
Debug level 5: Detailed Packet and debug information is logged.
The default value for this property is 0. Production servers should normally run with debug level 0.
DupFilterCleanupDelay DupFilterCleanupDelay=<# of seconds>. This attribute determines the amount of time in seconds to continue duplicate filtering of completed authentication requests. Valid range is 0 to 60 seconds. The default value of this property is set to 2 seconds.
DupFilterTimeToLive DupFilterTimeToLive=<# of seconds>. This attribute determines the maximum amount of time in seconds to cache all attempted user authentication requests. Valid range is 5 to 60 seconds. The default value of this property is set to 30 seconds.
DuplicateFilterByUid DuplicateFilterByUid=yes/no. When enabled, duplicate detection will be done solely based on the user ID. When disabled, duplicate detection will be based on the source IP Address, source port, and Identifier of the RADIUS packet. Default is set to: NO.
EapMode EapMode=yes/no or true/false. Determines if the NetServer will do early-termination of EAP_TTLS/PAP requests. All other EAP types will be blocked unless otherwise configured to do so. Default setting is: true.
EapNaiCheck EapNaiCheck=yes/no or true/false. Determines if the NetServer will check that the inner NAI contained the Outer NAI of a tunneled request, prior to forwarding to iPass. This only applies to EAP Early-Terminated tunneled protocols. Default setting is: true.
EapNotification EapNotification=yes/no or true/false. Determines if the NetServer will send back the Reply-Message(s) in EAP-Notification Requests prior to sending back the final Radius Access-Accept/Access-Reject. Default setting is: NO.
EapNotificationFilter EapNotificationFilter1=<Reply-Message prefix string>.
Expected format is: EapNotificationFilter1=FilterPrefix=<filter string>, KeepPrefix=<yes/no>. This feature is used in conjunction with the EapNotification feature. It is used to filter which Reply-Message(s) can get sent back to EAP-Notifications. It will check if any Reply-Messages begin with the given FilterPrefix string.
FilterPrefix: The string to match at the beginning of the Reply-Message. It is case intensive.
KeepPrefix: Whether to keep that prefix attached to the Reply-Message when sending back as an EAP-Notification.
An example entry is: EapNotificationFilter1= FilterPrefix=“Location=”,KeepPrefix=YES EapNotificationFilter2= FilterPrefix=iPassTAG,KeepPrefix=NO.
When no EapNotificationFilter is configured, then nothing is filtered/blocked. This means the server will send back all Reply-Message(s) as EAP-Notifications, as long as EapNotification has been enabled.
EapPassThroughAllow EapPassThroughAllow=<EAP Protocol Type>. Determines if a NetServer in EAP Mode (early-termination) will allow the mediated pass-through of other EAP protocols end-to-end. The <EAP Protocol Type> can be either one of the keywords all or nothing, or a list of EAP type protocol numbers separated by commas. When nothing is configured, then nothing is allowed to pass. Default setting is: nothing.
EapPassThroughDeny EapPassThroughDeny=<EAP Protocol Type>. Determines if a NetServer in EAP Mode (early-termination) will deny the mediated pass-through of certain EAP protocols end-to-end. The <EAP Protocol Type> can be either the keyword. When nothing is configured, then nothing is explicitly denied passage. Default setting is: nothing.
EapEarlyTerminate EapEarlyTerminate=<EAP Protocol Type>. Determines if a NetServer in EAP Mode (early-termination) will allow other EAP protocols (other than TTLS) to early-terminate at this server. The <EAP Protocol Type> is a list of EAP type protocol numbers separated by commas. Valid values are: 4 (EAP-MD5) and 25 (EAP-PEAP). When nothing is configured, then only TTLS will early-terminate. Default setting is: null.
EnableEquantDna EnableEquantDna=yes/no. Determines if the NetServer should send the first 4 bytes of Calling-Station-Id as Equant-DNA to the iPass Transaction Center. Default is set to false.
HeartBeatInterval HeartBeatInterval=<number of minutes>. This entry determines the time interval between heartbeat messages. This is an advanced setting. The server may not function properly if this value is set incorrectly. Default value for this property is set to 15 minutes.
HeartBeatMessage HeartBeatMessage=yes/no. This entry determines if the heartbeat is turned on or off. This is an advanced setting. The server may not function properly if the value is set incorrectly. Default value for this property is set to no (heartbeat messages are turned off).
IpassServer Provides iPass Transaction Server information. Sample format of the entries: IpassServer1=name11=value11,name12=value12,… IpassServer2=name21=value21,name22=value22,…
IpassServer attributes:
IpAddress: The iPass Transaction Server's hostname or IP address.
LocalIpAdress: The Local IP address to bind the socket to. (Optional)
Port: The server's port number.
ConnSharing: This is used for persistent SSL connection. If this is set to 1, then the connection is shared between requests. A value of 0 means the feature is disabled. The default value is 0.
SslSessionExpTime: The maximum duration of a persistent SSL connection. Valid range is 10 to 480 minutes. The default value is 10 minutes.
FailureThreshold: Once the failure count exceeds the Failure Threshold, the server is removed from the list. The default value is 4.
InitialPingInterval: A thread will be launched to ping a failed Transaction Server. The first ping is sent out according to the InitialPingInterval. The default value is 60 seconds.
PingBackOffFactor: If there is no response, then the next ping is sent out according to the InitialPingInterval multiplied by the PingBackOffFactor. The default value is 2.
FinalPingInterval: This process is continued until the ping time interval reaches the final interval rate, at which time all of the following pings will go out at the preset FinalPingInterval. The default value is 960 seconds.
WARNING: Please consult with iPass before changing any default ping interval values. Incorrect settings can significantly impact your network performance.
IdleTimeout: The connection's idle time before it is torn down. Valid range is 60000 to 300000 milliseconds. The default value is 300000 milliseconds (5 minutes).
KeyStoreProperty: This is used for KeyStore configuration for the SSL connection. The value is configured as KeyStore<n>, where n starts from 1. If KeyStoreProperty is not configured for an IpassServer, then NS will perform KeyStore failover logic based upon the configuration sequence of KeyStores of KeyStoreType=ns. If KeyStoreProperty is configured for an IpassServer, then NS will first make use of the configured KeyStore and then try the rest of the configured KeyStores of KeyStoreType=ns for KeyStore failover. All KeyStores will be iterated in round-robin manner.
KeyStore Provides KeyStore information. Expected format: KeyStore1 = name11=value11,name12=value12,… KeyStore2 = name21=value21,name22=value22,…
KeyStoreType: This entry determines the java keystore type to generate keystore for ns (SSL Connection) or eap (EAP-TLS). There can be max n and min 1 KeyStores of type ns. There can be max 1 and min 0 KeyStores of type eap.
KeyStorePath: This entry determines the java keystore path. Default value for this property is set to /usr/ipass/netserver/current_version/certs/[KeyStoreName]
KeyPassword: This entry determines the password required to get keys from java keystore. Default value for this property is set to changeme
KeyAlias: This entry determines the java keystore private key alias. Default value for this property is set to ns for KeyStoreType = NS or eapserver for KeyStoreType = EAP
CertAlias: This entry determines the java keystore trusted certificate alias. Default value for this property is set to ipassca for KeyStoreType = NS or eapca for KeyStoreType = EAP
KeyStorePassword: This entry determines the password required to open java keystore. Default value for this property is set to changeme
Salt: This entry determines the salt used for encrypting KeyPassword and KeyStorePassword. Default value for this property is set to iPassNS
Listener List of the Listeners for this server. Expected format: Listener1=Type=<protocol>,Port=<port number>,IpAddress=<local IP address> Listener2=Type=<protocol>,Port=<port number>,IpAddress=<local IP address>
Default Listeners are: Listener1=Port=11812
Listener2 = Port=11812,Type=Radius
Listener3 = Port=11813,Type=Radius
Listener4 = Port=11817,Type=RadiusProxy
Listener5 = Port=11818,Type=RadiusProxy
NumOfThreads: You can improve connectivity to a NetServer by increasing the number of threads accepting requests on port 11812. This can be helpful if your NetServer is under heavier stress, such as 10 or more requests per second. For example: Listener1=Port=11812,NumOfThreads=10. This is an advanced setting. The server may not function properly if this value is set incorrectly.
LocalAccounting LocalAccounting=<true>. This attribute, if set to true, enables the server to store the accounting START and STOP records locally. It normally stores in the detail.txt file under ipass.server.home/ipaddress of the machine. If it fails to create this file, it stores under ipass.server.home/logs.
LocalAccountingDir LocalAccountingDir=<local accounting directory>. A provider can enable local accounting (i.e. the detail.txt file for each RADIUS client or NAS) with the LocalAccounting=true flag. This property allows them to customize the location of those detail.txt files. Default value for this property is set to $ipass.server.home/s.
LogDirFileDeletionAge LogDirFileDeletionAge=<age in days>. Valid range is: 0 to 180 days. The default is 90 days. A value of 0 means deletion is disabled. LogDirFileDeletionAge determines how old files in the directory <iPass Server Home>/logs must be before they are deleted. The check for file age is done only when the log file rotation happens.
MaxProxyTime MaxProxyTime=<max proxy time in seconds>. This determines the maximum time for handling proxy requests. If a proxy reply is received that exceeds this limit then the RADIUS packet will be dropped. The property's value must be greater than 0 seconds and within 3600 seconds. Default value for this property is set to 30 seconds.
MultiProvider MultiProvider= YES/NO. Default is set to NO. If enabled, the CustomerId sent to iPass will be that of the RadiusClient that the request came from. If the CustomerId is not set in the RadiusClient info, the main CustomerId of this server is used.
ProxyAcctServer Provides RADIUS Proxy Server information.
Sample format of the entries: ProxyAuthServer1=name11=value11,name12=value12,… ProxyAuthServer2=name21=value21,name22=value22,…
ProxyAcctServer attributes:
IpAddress: The RADIUS proxy server's hostname or IP address.
Port: The proxy server's port number.
SharedSecret: The shared secret used by the RADIUS proxy server.
IncludeDomain: Include the user's domain in the request sent to the proxy server. The default is YES, always keep the domain with the username.
ValidateAuthenticator: Specifies if the RADIUS Authenticator should be validated. Values are YES or No. Default is YES.
ProxyAuthServer Provides RADIUS Proxy Server information.
Sample format of the entries: ProxyAuthServer1=name11=value11,name12=value12,… ProxyAuthServer2=name21=value21,name22=value22,…
ProxyAuthServer attributes:
IpAddress: The RADIUS proxy server's hostname or IP address.
IncludeDomain: Include the user's domain in the request sent to the proxy server. The default is YES, always keep the domain with the username.
ValidateAuthenticator: Specifies if the RADIUS Authenticator should be validated. Values are YES or NO. Default is YES.
RadiusClient1 Provides RADIUS client information. Only RADIUS clients listed here can send requests to this server.
Sample format of the entries:
RadiusClient1=name11=value11,name12=value12,… RadiusClient2=name21=value21,name22=value22,…
RadiusClient attributes:
IpAddress: The RADIUS client's IP address.
SharedSecret: The shared secret used by the RADIUS Client.
CustomerId: Used by multi-providers to specify an alternate iPass CustomerId.
ValidateAuthenticator: Specifies if the RADIUS Authenticator should be validated. Values are YES or NO. Default is YES.
RoutingRealm Specifies where to route the requests. Route either to the iPass Transaction Servers or proxy to a RADIUS server. Below are a few examples:
RoutingRealm1=realm=IPASS,AuthServer=IpassServer,AcctServer=IpassServer,Strip=Yes
RoutingRealm2=realm=IPASV,AuthServer=IpassServer,AcctServer=IpassServer,Strip=Yes
RoutingRealm3=realm=DEFAULT,AuthServer=IpassServer,AcctServer=IpassServer
RoutingRealm4=realm=NOREALM, AuthServer=ProxyAuthServer1, AcctServer=ProxyAcctServer1
Below is a list of various RoutingRealm attributes:
Realm: The name of the realm to route based on. Use the keyword DEFAULT when specifying the default server(s) to use when the Realm(s) are not matched with the user's realm. Use the keyword NOREALM when specifying the server(s) to use when the username contains no realm/domain at the end of it.
AuthServer: Specify the authentication server to use. When an IpassServer is used, it will use the entire IpassServerX list configured.
AcctServer: Specify the accounting server(s) to use. When an IpassServer is used, it will use the entire IpassServerX list configured.
Strip = Yes/No. Determines if the routing realm (Prefix or Suffix) needs to be stripped or not from the NAI before sending the requests to IpassServers and ProxyServers. Default = No.
StartUpMessage StartUpMessage=yes/no. This entry determines if a message is generated by the server on startup. This is an advanced setting. The server may not function properly if this value is set incorrectly. Default value for this property is set to no (startup messages are turned off).
StatusTraceCollectInterval StatusTraceCollectInterval=<number of minutes>. Minimum value: 60 minutes. Maximum value: 1440 minutes. Default value: 60 minutes. StatusTraceCollectInterval determines the time interval between collection of statistics into the StatusTraceFile.
StatusTraceUploadInterval StatusTraceUploadInterval=<upload frequency in minutes>. Minimum value: 120 minutes. Maximum value: 10080 minutes. Default value: 1440 minutes. StatusTraceUploadInterval determines the frequency of upload of status trace file.
StripRealm1 StripRealm1=<realm_name>. Where the <realm_name> is a domain name to be stripped away from the end of the username, such as: user@domain@extraDomain. This feature can be used to remove the extra domain some providers attached to the username.
TraceLogBackupType TraceLogBackupType=<backupType>. Where <backupType> is either MultipleWithTimestamp or SingleBackup. The default is SingleBackup. TraceLogBackupType sets the trace log's backup file name when rotation is to be performed on the local trace files.
TraceLogRotationHours TraceLogRotationHours=<hours>. Valid range is: 1-720 hours. The default is 168 hours (1 week). TraceLogRotationHours controls how often the local trace file is rotated.
TraceLogRotationMaxSize TraceLogRotationMaxSize=<max size>. Minimum value is 100 kB. Maximum value is 20000 kB. The default is 10000 kB. TraceLogRotationType sets the type of rotation to be performed on the local trace file(s).
UpdateInterval UpdateInterval=<DayOfWeek Hour:Minute>. Where DayOfWeek ranges from Sunday to Saturday, and hour of the day is between 0-23. Default value is Monday 2:00. Determines when the Software Update module contacts the update server. The UpdateInterval mechanism resynchronizes with the system clock every sixty minutes.
UpdateServer Provides iPass software Update Server information.
Sample format of the entries: UpdateServer1=name11=value11,name12=value12,… UpdateServer2=name21=value21,name22=value22,…
UpdateServer attributes:
IpAddress: The URL of the iPass software update server.
RetryDelay: The time delay, in minutes, before retrying a server that recently failed a connection request. When a connection fails to a server, it is reordered to the end of the list. Once the RetryDelay expires, that server is brought back to the top of the list. The default value is 15 minutes. Valid range is: >=0.
FailureThreshold: Once the failure count exceeds the FailureThreshold, the server is reordered to the end of the list. The default value is 0.
UploadAtStartup UploadAtStartup=TRUE/FALSE. Default is set to TRUE. Determines if file upload should be done at startup. Note that this feature works in conjunction with AutoUpload. This feature will be disabled if AutoUpload is disabled.
UploadInterval UploadInterval=<upload frequency in days>. Minimum value: 1 day. Maximum value: 7 days. Default value: 7 days. UploadInterval determines the frequency of upload of config, cert, status trace, and download trace files.
UploadServer Provides iPass software Upload Server information.
Sample format of the entries: UploadServer1=name11=value11, name12=value12,… UploadServer2=name21=value21,name22=value22,…
UploadServer attributes:
IpAddress: The URL of the iPass software update server.
RetryDelay: The time delay, in minutes, before retrying a server that recently failed a connection request. When a connection fails to a server, it is reordered to the end of the list. Once the RetryDelay expires, that server is brought back to the top of the list. The default value is 15 minutes. Valid range is: >=0.
FailureThreshold: Once the failure count exceeds the FailureThreshold, the server is reordered to the end of the list. The default value is 0.
UseCalledStationIDForAuthCache UseCalledStationIDForAuthCache=y/n. This is an advanced setting. If this flag is enabled, Called-Station-ID will also be used for auth cache sensitivity.
UseEquantDnaForAuthCache UseEquantDnaForAuthCache=y/n. This is an advanced setting. If this flag is enabled, equant_dna (first 4 bytes of Calling-Station-Id) will also be used for auth cache sensitivity.
UseIspCodeForAuthCache UseIspCodeForAuthCache=y/n. This is an advanced setting. If this flag is enabled, the CustomerId (provider code) from the properties will also be used for auth cache sensitivity.
UseNasIpForAuthCache UseNasIpForAuthCache=y/n. This is an advanced setting. If this flag is enabled, NAS-IP-Address will also be used for auth cache sensitivity.
ZipLogFilesEnabled ZipLogFilesEnabled=true/false. Determines whether or not trace and log files are compressed. Default is set to true.
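
The glossary documents default values for KeyPassword, KeyStorePassword and Salt, an option to turn off ValidateAuthenticator, a DebugLevel recommendation for production, and a mandatory AscendDataFilter string. The script below is an added example (not iPass code) that audits a properties file against those statements. It assumes Java-properties comment syntax (# and !), no commas inside attribute values, and that secrets are compared as the literal text stored in the file; the sample input is constructed.

```python
import re

# Defaults documented in the glossary; an omitted attribute falls back to them.
KEYSTORE_DEFAULTS = {"KeyPassword": "changeme", "KeyStorePassword": "changeme",
                     "Salt": "iPassNS"}
MANDATORY_FILTER = "ip in drop tcp dstport=25"
INDEXED = re.compile(
    r"^(KeyStore|RadiusClient|ProxyAuthServer|ProxyAcctServer|AscendDataFilter)\d+$")

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# constructed example
DebugLevel=4
KeyStore1=KeyStoreType=ns,KeyPassword=changeme
KeyStore2=KeyStoreType=eap,KeyPassword=constructed-1,KeyStorePassword=constructed-2,Salt=constructed-3
RadiusClient1=IpAddress=192.0.2.10,SharedSecret=constructed-4,ValidateAuthenticator=NO
RadiusClient2=IpAddress=192.0.2.11,SharedSecret=constructed-5
AscendDataFilter1=ip in forward tcp est
AscendDataFilter2=ip in forward
"""


def parse_properties(text):
    """Return {property: raw value}, splitting each line on its first '=' only."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):  # assumed comment syntax
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_attrs(value):
    """Split 'name1=value1,name2=value2' into a dict (first '=' per item)."""
    attrs = {}
    for item in value.split(","):
        name, sep, val = item.partition("=")
        if sep:
            attrs[name.strip()] = val.strip()
    return attrs


def audit(text):
    """Return a list of findings for the settings the glossary calls out."""
    props = parse_properties(text)
    findings, filters = [], []
    for key, value in props.items():
        match = INDEXED.match(key)
        if not match:
            continue
        family = match.group(1)
        if family == "AscendDataFilter":
            # Filter values are plain strings that may themselves contain '='.
            filters.append(" ".join(value.split()))
            continue
        attrs = parse_attrs(value)
        if family == "KeyStore":
            for name, default in KEYSTORE_DEFAULTS.items():
                if attrs.get(name, default) == default:
                    findings.append(f"{key}: {name} is unset or at its documented default")
        elif attrs.get("ValidateAuthenticator", "YES").upper() == "NO":
            findings.append(f"{key}: ValidateAuthenticator is disabled")
    level = props.get("DebugLevel", "0")
    if level != "0":
        findings.append(f"DebugLevel={level}: production servers should normally run at 0")
    if filters and MANDATORY_FILTER not in filters:
        findings.append(f"AscendDataFilter: mandatory '{MANDATORY_FILTER}' is missing")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A KeyPassword or KeyStorePassword that is stored in encrypted form will not match the literal default, so a clean result for those two attributes only covers values kept as plain text or omitted.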


©2015 iPass Inc. All rights reserved.