[ netinfo/mil-tacacs-instructions.txt [ 2/86, APP ]

INSTRUCTIONS FOR NETWORK USER REGISTRATION

I. BRIEF OVERVIEW

The Defense Data Network Defense Communications Systems (DCS) has authorized the DDN Network Information Center (NIC) to register users on the MILNET and to issue MILNET TAC Access Cards. The NIC maintains the user registration information in the NIC WHOIS Database. It is the intent of the DDN DCS that all network users be registered in the WHOIS Database. This database serves as an online "white pages" service.

The Host Administrator of each host is responsible for registering the users of that host, and for authorizing individual account holders to access that host via MILNET TACs. In order to do this, the Host Administrator must be registered in the WHOIS database and have a network mailbox. This file describes the procedure by which you, as a Host Administrator, can register your users and authorize them to access the network via MILNET TACs.

II. GUIDELINES AS TO WHO MAY BE A REGISTERED USER OF THE MILNET

Users of the DDN network should be engaged in U.S. government business or should be actively involved in providing operations or system support for government-owned or government-supported MILNET computer communications equipment. Any MILNET user with a valid account on a MILNET host may be included in the NIC WHOIS Database.

The intent of the DDN DCS is to let the local hosts manage themselves responsibly within the guidelines set down by the government. Accordingly, each Host Administrator is responsible for the users that he or she has authorized to use the network. The DDN DCS will work with the Host Administrators should any problems arise.

III. USERS REQUESTING ACCESS TO MILNET TACS

The MILNET TAC Access System (TACACS), which became operational in February 1984, controls access to the network by a TAC login procedure. In order to access the network via a MILNET TAC, each individual user must have a TAC Access Card issued by the NIC.
In order to receive a TAC Access Card, each individual user must be registered at the NIC and authorized for TAC access by the Host Administrator. Users who request MILNET TAC access constitute a special subset of registered users. The DDN DCS requires that these users be individually screened and approved by the authorizing Host Administrator. Also, no one will be given MILNET TAC access without first having a valid account on a MILNET host.

The NIC has adopted the policy that a MILNET TAC user is "authorized" if the user template indicating a need for MILNET TAC access comes to the NIC from the authorizing Host Administrator's mailbox.

IV. REGISTERING USERS

Use the template in Section X to register individuals with accounts on your host. Complete a template for each individual and separate the templates by a blank line. Fill in all the relevant fields following the guidelines provided under Section IX.

It is important that you use the NIC template and try to adhere to the same data entry style as we have used. This will allow us to automatically input the data into our database, and will minimize the amount of editing required. We will not accept data other than in the template form specified.

You may send blank templates to your users to fill out. Have them return the filled-in templates to you. Accumulate them into a single file. Review the lists (as you are responsible for the authorization of registered users on your host), and send us the files as messages to the mailbox REGISTRAR@NIC.DDN.MIL. (See Section VIII for further discussion on submitting the templates.)

V. OBTAINING LISTS OF USERS CURRENTLY IN THE NIC DATABASE

You may request from the NIC a file of templates of individuals currently registered in the NIC WHOIS Database whose primary login name is on your host. The file can be pulled over to your host via FTP, updated, and returned VIA NETWORK MAIL to REGISTRAR@NIC.DDN.MIL.
To delete a user from the database, fill in the "Delete" field in the user's template. DO NOT DELETE the template itself.

To add a user to the database, fill out the template included under Section X. Complete a template for each new individual. You can add these to the corrected entries or send them as a separate list, whichever you prefer.

VI. DELETING USERS FROM THE DATABASE

When a user's account is deleted from your host, the user's record should be deleted from the WHOIS Database. This can be accomplished by filling in the "Delete" field in the user's template as described in Section V, or by sending a brief network message to REGISTRAR@NIC.DDN.MIL giving the user's full name and account name.

If a user who has been issued a TAC Access Card is deleted from the database, the NIC will automatically invalidate the user's card during the annual reregistration of the host. The delay in invalidating the user's TAC card is due to software limitations of the TACs. If a user is considered to be a possible security risk, please contact the NIC immediately with this information; the user's TAC UserID will be hotlisted (invalidated).

VII. USERS WITH ACCOUNTS ON MORE THAN ONE HOST

A user should ideally be authorized by the Host Administrator of the user's "primary" host, where "primary" is defined as the "home" host or the host on which the user has an account to do the primary work for which he or she is authorized to use the network. Some users will have several legitimate accounts, in which case the "primary" host will probably be the one on which they receive electronic mail, or the one which they themselves identify as their "home" host.

If users do have multiple accounts on more than one MILNET host, and if each Host Administrator fills in a template for every user on his or her host, the NIC may well receive multiple templates for some users. We are prepared to resolve any resulting duplication.
If a user tells you that a template has already been filled in for him or her by another Host Administrator, do not fill in another template unless you are sure that your host is the primary host for that user. If you are in doubt or don't know, check with the user. The NIC will screen for duplication.

If the user does not require MILNET TAC access, the template need not come from the authorizing Host Administrator's mailbox. However, as stated above, the Host Administrator is responsible for the appropriateness of all use of the network by users accessing the network from his or her host. Therefore, it is important that the "Authorizing Host" field reflect accurately the host which is the "home" host or on which the user is doing his or her primary work.

VIII. ONLINE MAIL ADDRESS FOR COMPLETED TEMPLATES

Please send user registration templates in a network message to:

     REGISTRAR@NIC.DDN.MIL

Remember, if users require MILNET TAC access, the list of templates MUST be sent to us from the Host Administrator's mailbox. As stated, this is our guarantee that the users on this list are authorized to have MILNET TAC access.

Please send us all the templates via network mail. If the list is too long for your mail system to process, you may break the lists arbitrarily (between templates) and send them as a set of messages. If you do break up the list, please indicate in the subject field of each message: Part 1 of 4, Part 2 of 4, etc. To assure that the NIC mail system will be able to process your message, do not send a message of over 50,000 characters.

IX. SPECIFIC INSTRUCTIONS FOR EACH TEMPLATE FIELD

If all users or a group of users in your list will have identical data in any field (i.e., same text of address, phone number, authorizing host, etc.), please enter the full text of the field in the first template of the group in the list.
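Section VIII asks that an over-long list be broken only between templates, sent as several messages of at most 50,000 characters, and labelled "Part 1 of 4", "Part 2 of 4" and so on. The Python below, added here as an illustration and not part of the NIC file, does exactly that split and returns the subject label with each message body; the two templates in BATCH are constructed sample data.

```python
"""Split a registration batch into network messages under the Section VIII limit
(added example; the two templates in BATCH are constructed)."""
import re

MAX_MESSAGE_CHARS = 50000   # per-message ceiling stated in Section VIII


def split_into_messages(batch, limit=MAX_MESSAGE_CHARS):
    """Break `batch` only at the blank lines between templates so that no message
    exceeds `limit` characters, and label each message "Part i of n" for its
    subject line. A single template longer than `limit` is sent on its own."""
    blocks = [b.strip() for b in re.split(r"\n[ \t]*\n", batch.strip()) if b.strip()]
    parts, current = [], ""
    for block in blocks:
        candidate = current + "\n\n" + block if current else block
        if current and len(candidate) > limit:
            parts.append(current)        # close the message before it overflows
            candidate = block
        current = candidate
    if current:
        parts.append(current)
    return [(f"Part {i} of {len(parts)}", body) for i, body in enumerate(parts, 1)]


# Constructed two-template batch used to exercise the splitter.
BATCH = """\
FULL NAME: Smith, John A.
AUTHORIZING HOST: EXAMPLE-HOST.EXAMPLE.MIL
PRIMARY NETWORK MAILBOX: SMITH@EXAMPLE-HOST.EXAMPLE.MIL
MILNET TAC ACCESS? (y/n): y

FULL NAME: Jones, Mary
AUTHORIZING HOST: *
PRIMARY NETWORK MAILBOX: JONES@EXAMPLE-HOST.EXAMPLE.MIL
MILNET TAC ACCESS? (y/n): n
"""
```

The part count is only known after the whole batch has been walked, so the labels are assigned in a final pass; with the default limit the sample batch goes out as a single "Part 1 of 1" message.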
You may then indicate that this information is to be repeated by simply entering "*" as the text of that field in subsequent templates (* = ditto). The "*" may be used only in the following fields:

     U.S. MAIL ADDRESS:
     PHONE:
     AUTHORIZING HOST:
     PRIMARY LOGIN NAME:
     PRIMARY NETWORK MAILBOX:
     TERMINATION DATE:

FULL NAME:

The name may be entered in any of the following formats:

     Lastname, Firstname I.
     Lastname, Firstname
     Lastname, I. Middlename
     Lastname, Firstname I., Jr.
     Lastname, Firstname I., III

where "I." = an initial. Do not include military rank or professional titles.

U.S. MAIL ADDRESS - some standard procedures:

The name of the organization or university should appear on the first line. Do not use acronyms for the name of the organization. The second line may contain information such as the department name, code, or attention line, followed by a line containing the building name or number and room number, if you wish to include any of these. The next line should contain the street address or Post Office Box. The last line of the address field should contain the city, state and zip code. If you commonly use a 9-digit zip code, enter that.

DO NOT USE ANY ABBREVIATIONS OR ACRONYMS, with the exception of:

     Incorporated.......Inc.
     Limited............Ltd.
     Corporation........Corp.
     Company............Co.
     Post Office Box....P.O. Box

Separate lines of the address by a carriage return.

PHONE:

Up to four phone numbers are allowed. Acceptable formats are:

U.S. numbers
     (123) 456-7890
     (123) 456-7890 ext 123
     (123) 456-7890 (DSN) 567-7890
     (123) 456-7890 (DSN) 567-7890 (FTS) 667-7890
     (123) 456-7890 or 456-0987
     (123) 456-7890 or 456-0987 (DSN) 567-7890 or 567-0987

Overseas numbers
     [49] 711-123456 or (DSN) 420-1234 or (M) 8765-1234

(For overseas numbers, give the number through the country code, with the country code in brackets.)
AUTHORIZING HOST:

This is the name of the host which the user considers his or her "home" host, or on which the user is doing the primary work for which he or she is authorized to use the MILNET. Enter the OFFICIAL HOSTNAME rather than an approved nickname.

PRIMARY LOGIN NAME:

This is the primary login name/username/directory name of the user on the authorizing host. If the login name is a part of the security system on your host and therefore should be kept secret, do not enter it in this field. The primary login name may be a group directory name if it is the only one the individual uses.

PRIMARY NETWORK MAILBOX:

This is the mailbox where this individual prefers to receive mail. This may or may not be his or her primary login name on your host. If mail addresses are case dependent on your host, specify the mailbox string accordingly. Otherwise enter the string in upper case. Separate the username and hostname parts of the mailbox by "@".

     Format: USERNAME@HOSTNAME, e.g. SMITH@NIC

For those hosts whose official hostname is a Fully Qualified Domain Name (FQDN), enter the FQDN in the hostname part of the mailbox. The FQDN is preferred, as in:

     SMITH@AI.AI.MIT.EDU

MILNET TAC ACCESS? (y/n):

For a user to be authorized for MILNET TAC access, this field must be filled in with "y" or "yes". This is the means by which you, as Host Administrator, indicate to us that this user is authorized for MILNET TAC access and will require a MILNET TAC Access Card. A TAC Access Card will be automatically generated for each individual whose template contains "y" or "yes" in this field, provided that the template is sent to us from the Host Administrator's mailbox.

TERMINATION DATE:

The DEROS date (Date Eligible for Return from Overseas) for military users, estimated date of graduation for students, or estimated elapse date for temporary users is requested here for use on military hosts. Others may use the field if they wish.
It is not currently used in maintenance of the WHOIS database and will not cause automatic deletion of records from the database.

     Format: MO/YR, e.g., 10/83, 02/84

HANDLE:

The handle is the unique identifying label for the record. This field appears in templates of currently registered users. DO NOT ALTER THIS FIELD. This field does not appear in the blank template. Do not specify a handle for the ADDITIONS. Our program will automatically generate a unique identifier (handle) for each individual template.

DELETE? (y/n):

If the individual no longer has a login account on your host, mark this field with a "y" or "yes". DO NOT DELETE THE WHOLE TEMPLATE.

X. SAMPLE BLANK TEMPLATE

FULL NAME:
U.S. MAIL ADDRESS:
PHONE:
AUTHORIZING HOST:
PRIMARY LOGIN NAME:
PRIMARY NETWORK MAILBOX:
MILNET TAC ACCESS? (y/n):
TERMINATION DATE:
HANDLE: ****DO NOT ALTER THIS FIELD.****
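The rules of Sections IV, V and IX (templates separated by a blank line, a multi-line address, "*" allowed as ditto in only six fields, "Lastname, Firstname" names, USERNAME@HOSTNAME mailboxes, MO/YR dates) and the Section III policy that a TAC request counts as authorized only when the batch comes from the Host Administrator's mailbox can all be checked mechanically before a batch is mailed. The Python below is an added example of such a check, not NIC software: the hostnames, login names and mailboxes in SAMPLE_BATCH are constructed, and whether the batch arrived from the Host Administrator's mailbox is a flag the caller supplies, since the file does not say how the NIC's mail system exposes the sender.

```python
"""Checker for batches of NIC user-registration templates (added example; the
host, login and mailbox values in SAMPLE_BATCH are constructed, and whether the
batch came from the Host Administrator's mailbox is a flag the caller supplies)."""
import re

# Field labels in Section X order, plus the DELETE field of Section V.
FIELDS = ["FULL NAME", "U.S. MAIL ADDRESS", "PHONE", "AUTHORIZING HOST",
          "PRIMARY LOGIN NAME", "PRIMARY NETWORK MAILBOX",
          "MILNET TAC ACCESS? (y/n)", "TERMINATION DATE", "HANDLE", "DELETE? (y/n)"]
# Fields in which "*" means "same as in the preceding template" (Section IX).
DITTO_FIELDS = {"U.S. MAIL ADDRESS", "PHONE", "AUTHORIZING HOST",
                "PRIMARY LOGIN NAME", "PRIMARY NETWORK MAILBOX", "TERMINATION DATE"}
_LABEL = re.compile(r"^(" + "|".join(map(re.escape, FIELDS)) + r"):[ \t]*(.*)$")
_BLANK = re.compile(r"\n[ \t]*\n")    # templates are separated by a blank line


def yes(value):
    """The file accepts "y" or "yes" as an affirmative."""
    return value.strip().lower() in ("y", "yes")


def parse_templates(text):
    """Split a batch into templates and each template into label -> value.
    A line with no known label continues the previous field (multi-line address)."""
    templates = []
    for block in _BLANK.split(text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            m = _LABEL.match(line)
            if m:
                last, rec[m.group(1)] = m.group(1), m.group(2).strip()
            elif last is not None and line.strip():
                rec[last] = (rec[last] + "\n" + line.strip()).strip()
        if rec:
            templates.append(rec)
    return templates


def expand_dittos(templates):
    """Replace "*" in the ditto-capable fields with the preceding template's value."""
    out, prev = [], None
    for rec in templates:
        rec = dict(rec)
        for field in DITTO_FIELDS:
            if rec.get(field) == "*":
                if not (prev and prev.get(field)):
                    raise ValueError(f"'*' in {field} with nothing to repeat")
                rec[field] = prev[field]
        out.append(rec)
        prev = rec
    return out


def check_template(rec, from_host_admin):
    """List the problems in one template (empty means acceptable). from_host_admin
    is the file's condition for honouring a MILNET TAC ACCESS request."""
    # HANDLE and DELETE are legitimately absent on additions, so only the first
    # eight labels of the blank template are required.
    problems = [f"missing field {f}" for f in FIELDS[:8] if f not in rec]
    if rec.get("FULL NAME") and "," not in rec["FULL NAME"]:
        problems.append("FULL NAME must be 'Lastname, Firstname ...'")
    mailbox = rec.get("PRIMARY NETWORK MAILBOX", "")
    if mailbox and mailbox.count("@") != 1:
        problems.append("PRIMARY NETWORK MAILBOX must be USERNAME@HOSTNAME")
    term = rec.get("TERMINATION DATE", "")
    if term and not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", term):
        problems.append("TERMINATION DATE must be MO/YR, e.g. 10/83")
    if yes(rec.get("MILNET TAC ACCESS? (y/n)", "")) and not from_host_admin:
        problems.append("TAC access requested but batch not from Host Administrator's mailbox")
    return problems


def review_batch(text, from_host_admin):
    """Parse, expand dittos and check a batch; results keyed by PRIMARY LOGIN NAME."""
    return {rec["PRIMARY LOGIN NAME"]: {
                "tac": yes(rec.get("MILNET TAC ACCESS? (y/n)", "")),
                "delete": yes(rec.get("DELETE? (y/n)", "")),
                "problems": check_template(rec, from_host_admin), "record": rec}
            for rec in expand_dittos(parse_templates(text))}


# Constructed sample batch: the second template uses "*" and has two defects.
SAMPLE_BATCH = """\
FULL NAME: Smith, John A.
U.S. MAIL ADDRESS: Example University
123 Example Street
Anytown, CA 94000
PHONE: (123) 456-7890 (DSN) 567-7890
AUTHORIZING HOST: EXAMPLE-HOST.EXAMPLE.MIL
PRIMARY LOGIN NAME: SMITH
PRIMARY NETWORK MAILBOX: SMITH@EXAMPLE-HOST.EXAMPLE.MIL
MILNET TAC ACCESS? (y/n): y
TERMINATION DATE: 10/86
HANDLE:

FULL NAME: Jones Mary
U.S. MAIL ADDRESS: *
PHONE: *
AUTHORIZING HOST: *
PRIMARY LOGIN NAME: JONES
PRIMARY NETWORK MAILBOX: JONES@EXAMPLE-HOST.EXAMPLE.MIL
MILNET TAC ACCESS? (y/n): yes
TERMINATION DATE: 13/86
HANDLE: XX99
DELETE? (y/n): y
"""
```

Running review_batch(SAMPLE_BATCH, from_host_admin=True) accepts the first template and reports two problems with the second (a name without a comma and a month of 13); running it with from_host_admin=False additionally flags both TAC requests, which mirrors the file's rule that a "y" in MILNET TAC ACCESS? only counts when the list arrives from the Host Administrator's own mailbox. The ditto expansion is done before checking, so the NIC-side values a "*" stands for are what get validated.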