How to install and configure RADIUS on NMAS

(Last modified: 27Sep2005)

This document (10078616) is provided subject to the disclaimer at the end of this document.




Novell Modular Authentication Services 2.0


Installation Process


(1) The first step is to double click on the NMASINSTALL.EXE located on the NMAS CD.



(2) To use the RADIUS component of NMAS we only need to select and install the NMAS SERVER COMPONENTS option. To do this you must first deselect the AVAILABLE CLIENT COMPONENTS. Click OK to continue.



(3) Make sure you pay close attention to the NMAS Server Installation Requirements section. Verify that you have the following:

  • NDS eDirectory 85.0 or later.
  • Novell Certificate Server 2.02 or later
  • NICI 1.5.7 on the server where NMAS is being installed.


(4) Next is the NMAS license agreement.  Click ACCEPT to continue.



(5) For this documentation we will be installing this on a NetWare Server.  Select the REMOTE NETWARE SERVER option and click NEXT to continue.



(6) Next we will select the components that we wish to install. For RADIUS you will need to select all of these services and then hit NEXT to continue.



(7) Select the server you wish to install NMAS to and then press NEXT to continue.



(8) You will probably get a message asking you to check your version of ConsoleOne. You will need to be at ConsoleOne 1.2d or later. Click OK to continue.



(9) The Summary screen is your last chance to review what is being installed and to go back if needed.  Otherwise click FINISH to continue.



(10) If you get a file conflict message, choose the option to NEVER OVERWRITE NEWER FILES. Click OK to continue.



(11) This informational message simply explains that you will need to down and restart the server in order for the changes to take effect. Click OK to continue.



(12) If you want to review the readme then click on VIEW, otherwise click on the CLOSE button.



(13) At the server console prompt type: DOWN.  Once you get to the DOS prompt then type SERVER.




(1) Launch ConsoleOne and right click on the container where the objects will be created. Go to NEW | OBJECT and then scroll down and select the RADIUS DIAL ACCESS SYSTEM object. Click OK to continue.



(2) Now supply the object with a name. For this example we are just going to call it DAS. Make sure the DEFINE ADDITIONAL PROPERTIES option is checked so that we can go straight into the configuration. Click OK to continue.



(3)  Now you will be asked to supply a Dial Access System Password.  This is the password that will be used in conjunction with the name you gave to the Dial Access System object in order to load RADIUS at the server.



(4) The first thing to do is to configure a client.  Typically the client will point to the RAS box that is handling the incoming connections. In this instance we will be using a freeware utility called NTRADPING that will simulate requests that are being forwarded on by a RAS box. Under the CLIENTS tab, click on the ADD button.



(5) You will be prompted for information on your client (RAS box).

  • ADDRESS – Typically you would put in the IP address of your RAS box, router, etc., that is forwarding the RADIUS requests to the RADIUS server. In this example we will be putting in the IP address of the workstation that is running NTRADPING. Again, this workstation will be acting as the RAS box.
  • VENDOR TYPE – It is suggested that you use GENERIC RADIUS as your vendor type. Vendor-specific clients may or may not work for your RAS box. They are built for specific vendor boxes, which will differ from vendor to vendor, and can even differ within the vendor group itself.
  • SECRET – This is the shared secret that allows communication between your RADIUS server and your RAS box. This MUST match the secret on your RAS box. If you are using NTRADPING for testing, then it will need to match the shared secret on NTRADPING. Click OK to continue.



(6) You should now see your client listed under the CLIENTS tab.



(7)  Now we want to move on to the USERNAME RESOLUTION tab. You will only need to set this up if your bindery context is pointing to a different location than where your users exist. If you do need to set this up then you will need to add all contexts where users reside that want to use the RADIUS product. Here we will want to specify the lookup contexts where our users reside. We will select the USE LOOKUP CONTEXTS LIST TO RESOLVE USERNAMES, and add the CONTEXTS to the LOOKUP CONTEXTS window. Once added, you should see the list of contexts listed within the LOOKUP CONTEXTS window.  Click APPLY and then OK to continue.



(9) Now we need to create the Dial Access Profile object. Not all RAS boxes need this object to be created. We suggest and support two default attributes. Any other attributes are vendor specific and may or may not work for your RAS box. To create the object, launch ConsoleOne and right click on the container where the objects will be created. Go to NEW | OBJECT and then scroll down and select the RADIUS PROFILE object. Click OK to continue.



(10) You will be prompted to name your profile.  We will name it DAP. Select DEFINE ADDITIONAL PROPERTIES and click OK to continue.



(11) We support 2 default attributes: FRAMED PROTOCOL PPP and SERVICE TYPE FRAMED. Click the ADD button to add the attributes.



(12) Here we are selecting FRAMED-PROTOCOL with a value of PPP. Make sure that ADD ANOTHER ATTRIBUTE is selected and then click OK.



(13) The next attribute that we will select is SERVICE-TYPE with a value of FRAMED. Deselect the ADD ANOTHER ATTRIBUTE option and click OK to continue.



(14) You should now see both attributes within the ATTRIBUTES CONFIGURATION tab. Click APPLY and OK to continue.



(15) Now we need to enable the DAS and the DAP object at either the container or user level. In this example we will have the same DAS and DAP object for everyone, so we will enable it at the container level rather than the user level. To do this we will go to the container(s) where the users reside and go into the PROPERTIES of that container. At the DIAL ACCESS SERVICES tab we will make sure that ENABLE DIAL ACCESS is checked, that we select the DAS object within the DIAL ACCESS SYSTEM field, and that we select the DAP object within the CONFIGURED SERVICES section. Click OK to continue.



(16) If you do not have the appropriate rights then you will get a message explaining that they will be assigned.  Click YES to continue.




Configuring the Login Policy Object


** NOTE ** Typically the LPO is used to set up rules for multiple types of authentication. This could include NDS, Simple Bind (CHAP), Token, etc. The only configuration that will be addressed with this setup is NDS since it is the most common. The other types will be addressed in a separate document.


(1) If ConsoleOne is not launched then it will need to be launched. You will need to be using the ConsoleOne on which you installed the NMAS and RADIUS snap-ins. Go to the security container and verify that you have an NDS authentication method listed under the AUTHORIZED LOGIN METHODS container. If you don’t then do NOT proceed without first running the following command at the server console: NMASInst -m admin password


** NOTE ** The admin and password section would be replaced with the admin user name and password.  This should then create the NDS authentication method. This step does not need to be done if the NDS method already exists. If you are performing this on a NetWare 6 box then you will need to look at the logger screen to see if they were created successfully. You will need to use admin’s full context without a leading period. If you get a -610 then you are using a leading period. If you get a -601 then you are not using the full context. You know you are successful if you receive the message NMASInst: NMAS object created successfully. You should now see the NDS login method.



(2) Now we need to set up the Login Policy Object (LPO). To do this we will need to go to the SECURITY container in our tree and double click on the LPO. We will need to create a rule for our RADIUS login. To do this we will click on the plus symbol.


** NOTE ** Do NOT create more than one rule for RADIUS. RADIUS only allows one set of credentials to be sent. Each rule acts as a separate authentication. If more than one type of authentication needs to be performed then they will first need to be set up under the general tab as a sequence. Again, this will not be covered in this doc. For this example we are only setting up NDS authentication, and the sequence for that option is set up during the install.



(3) We will need to do the following. Once finished, select the SEQUENCES tab.

  • Verify that the ENABLED option is checked.
  • Make sure the SERVICE OBJECT NAME has the DAS object selected.
  • The DESCRIPTION section will be automatically filled out when a container, user, etc is selected.
  • Make sure that you fill out the USERS, CONTAINERS, AND GROUPS section with the appropriate information.  Unlike the username resolutions section located in the DAS object, you only need to put the top organization and rights will flow down.



(4) On the SEQUENCES tab you will add the type of authentication that is being performed. Again, we will only have the option of NDS in this example; we will not be setting up multiple sequences. Since we are only using NDS, it does not matter whether we use MANDATORY or ACCEPTABLE. Either will perform the same function in this instance. Click OK to continue.



(5) You should now see your sequence listed.  Click OK to continue.



(6) Now you will see the rule that you have created.  Click APPLY and OK to finish.



(7) You should get a popup message explaining that rights will need to be given to the LPO object. Click CLOSE to continue.




Starting and Testing Radius


** IMPORTANT ** Verify that your RADIUS.NLM is V 4.0 and dated June 8th, 2001 or later.  If it isn’t then you may get a -854 error when trying to authenticate.  You will need to download the latest at


(1) At the server console type LOAD RADIUS. You will then be prompted for a name and a password. Here you will enter the DAS object name and its password.


(2) Once loaded you should be able to test RADIUS with NTRADPING.

  • Set up the RADIUS server to point to the IP address of the server running RADIUS.
  • The RADIUS SECRET KEY needs to match what you put in the client.
  • Put in a USER NAME and PASSWORD for a user that is enabled for RADIUS.
  • Press SEND and you should show a response of ACCESS ACCEPT.
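
Why the SECRET on the client entry and in the test tool must match, and how the two profile attributes (SERVICE-TYPE FRAMED, FRAMED-PROTOCOL PPP) look on the wire, shown as an added example that is not part of the original document or of NMAS or NTRADPING. It follows the RFC 2865 packet layout; the user name, password, secret and the server reply are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                                   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 6, 7   # attribute types

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def access_request(ident, user, password, secret):
    request_auth = os.urandom(16)            # fresh Request Authenticator per request
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def sign_reply(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(code+id+length+request_auth+attrs+secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_reply(reply, request_auth, secret):
    """Client side: return (code, {attr_type: value}), or None if the secret does not match."""
    head, auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    if len(reply) < 20 or not hmac.compare_digest(auth, expected):
        return None
    parsed, i = {}, 0
    while i + 2 <= len(attrs) and attrs[i + 1] >= 2:
        parsed[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return reply[0], parsed

def demo():
    secret = b"constructed-shared-secret"    # constructed; stands in for the client SECRET
    request = access_request(7, b"jdoe", b"constructed-pw", secret)
    # Constructed ACCESS ACCEPT carrying Service-Type=Framed (2) and Framed-Protocol=PPP (1)
    profile = attr(SERVICE_TYPE, struct.pack("!I", 2)) + attr(FRAMED_PROTOCOL, struct.pack("!I", 1))
    reply = sign_reply(ACCESS_ACCEPT, 7, profile, request[4:20], secret)
    return verify_reply(reply, request[4:20], secret), verify_reply(reply, request[4:20], b"typo")

if __name__ == "__main__":
    print(demo())
```

With a mismatched secret the reply authenticator does not verify and the hidden password decodes to garbage on the server, so a failed test is worth checking against the SECRET field before anything else.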






Document Title: How to install and configure RADIUS on NMAS
Document ID: 10078616
Solution ID: NOVL85711
Creation Date: 10Jan2003
Modified Date: 27Sep2005
Novell Product Class: NetWare
Novell BorderManager Services
Novell eDirectory
Security Components


The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.