[ netinfo/mil-tacacs-instructions.txt ]


              INSTRUCTIONS FOR NETWORK USER REGISTRATION


I.  BRIEF OVERVIEW

  The Defense Data Network Defense Communications Systems (DCS) has
  authorized the DDN Network Information Center (NIC) to register users
  on the MILNET and to issue MILNET TAC Access Cards.  The NIC maintains
  the user registration information in the NIC WHOIS Database.  It is
  the intent of the DDN DCS that all network users be registered in the
  WHOIS Database.  This database serves as an online "white pages"
  service.  The Host Administrator of each host is responsible for
  registering the users of that host, and for authorizing individual
  account holders to access that host via MILNET TACs.  In order to do
  this, the Host Administrator must be registered in the WHOIS database
  and have a network mailbox.  This file describes the procedure by
  which you, as a Host Administrator, can register your users and
  authorize them to access the network via MILNET TACs.

II.  GUIDELINES AS TO WHO MAY BE A REGISTERED USER OF THE MILNET

  Users of the DDN network should be engaged in U.S. government business
  or should be actively involved in providing operations or system
  support for government-owned or government-supported MILNET computer
  communications equipment.  Any MILNET user with a valid account on a
  MILNET host may be included in the NIC WHOIS Database.

  The intent of the DDN DCS is to let the local hosts manage themselves
  responsibly within the guidelines set down by the government.
  Accordingly, each Host Administrator is responsible for users that he
  or she has authorized to use the network.  The DDN DCS will work with
  the Host Administrators should any problems arise.

III.  USERS REQUESTING ACCESS TO MILNET TACS

  The MILNET TAC Access System (TACACS), which became operational in
  February 1984, controls access to the network by a TAC login
  procedure.  In order to access the network via a MILNET TAC, each
  individual user must have a TAC Access Card issued by the NIC.  In
  order to receive a TAC Access Card, each individual user must be
  registered at the NIC and authorized for TAC access by the Host
  Administrator.

  Users who request MILNET TAC access constitute a special subset of
  registered users.  The DDN DCS requires that these users be
  individually screened and approved by the authorizing Host
  Administrator.  Also, no one will be given MILNET TAC access without
  first having a valid account on a MILNET host.  The NIC has adopted
  the policy that a MILNET TAC user is "authorized" if the user
  template indicating a need for MILNET TAC access comes to the NIC
  from the authorizing Host Administrator's mailbox.

IV.  REGISTERING USERS

  Use the template in Section X to register individuals with accounts
  on your host.  Complete a template for each individual and separate
  the templates by a blank line.  Fill in all the relevant fields
  following the guidelines provided under Section IX.  It is important
  that you use the NIC template and try to adhere to the same data
  entry style as we have used.  This will allow us to automatically
  input the data into our database, and will minimize the amount of
  editing required.  We will not accept data other than in the template
  form specified.

  You may send blank templates to your users to fill out.  Have them
  return the filled-in templates to you.  Accumulate them into a single
  file.  Review the lists (as you are responsible for the
  authorization of registered users on your host), and send us the
  files as messages to the mailbox,  [email protected].  (See Section
  VIII for further discussion on submitting the templates.)

V.  OBTAINING LISTS OF USERS CURRENTLY IN THE NIC DATABASE

  You may request from the NIC a file of templates of individuals
  currently registered in the NIC WHOIS Database whose primary login
  name is on your host.  The file can be pulled over to your host via
  FTP, updated and returned VIA NETWORK MAIL to
  [email protected].  To delete a user from the database, fill
  in the "Delete" field in the user's template.  DO NOT DELETE the
  template itself.  To add a user to the database, fill out the
  template included under Section X.  Complete a template for each new
  individual.  You can add these to the corrected entries or send them
  as a separate list, whichever you prefer.

VI.  DELETING USERS FROM THE DATABASE

  When a user's account is deleted from your host, the user's record
  should be deleted from the WHOIS Database.  This can be accomplished
  by filling in the "Delete" field in the user's template as described
  in Section V, or by sending a brief network message to
  [email protected] giving the user's full name and account name.
  If a user who has been issued a TAC Access Card is deleted from the
  database, the NIC will automatically invalidate the user's card during
  the annual reregistration of the host.  The delay in invalidating the
  user's TAC card is due to software limitations of the TACs.   If a user
  is considered to be a possible security risk, please contact the NIC
  immediately with this information; the user's TAC UserID will be
  hotlisted (invalidated).

VII.  USERS WITH ACCOUNTS ON MORE THAN ONE HOST

  A user should ideally be authorized by the Host Administrator of the
  user's "primary" host, where "primary" is defined as the "home" host
  or the host on which the user has an account to do the primary work
  for which he or she is authorized to use the network.  Some users
  will have several legitimate accounts, in which case the "primary"
  host will probably be the one on which they receive electronic mail,
  or the one which they themselves identify as their "home" host.

  If users do have accounts on more than one MILNET host,
  and if each Host Administrator fills in a template for every
  user on his or her host, the NIC may well receive multiple templates
  for some users.  We are prepared to resolve any resulting
  duplication.

  If a user tells you that a template has already been filled in for
  him or her by another Host Administrator, do not fill in another
  template unless you are sure that your host is the primary host for
  that user.  If you are in doubt or don't know, check with the user.
  The NIC will screen for duplication.

  If the user does not require MILNET TAC access, the template need not
  come from the authorizing Host Administrator's mailbox.  However, as
  stated above, the Host Administrator is responsible for the
  appropriateness of all use of the network by users accessing the network
  from his or her host.  Therefore, it is important that the
  "Authorizing Host" field reflect accurately the host which is the
  "home" host or on which the user is doing his or her primary work.

VIII.  ONLINE MAIL ADDRESS FOR COMPLETED TEMPLATES

  Please send user registration templates in a network message to:

     [email protected]

  Remember, if users require MILNET TAC access, the list of templates
  MUST be sent to us from the Host Administrator's mailbox.  As stated,
  this is our guarantee that the users on this list are authorized to
  have MILNET TAC access.

  Please send us all the templates via network mail.

  If the list is too long for your mail system to process, you may
  break the lists arbitrarily (between templates) and send them as a
  set of messages.  If you do break up the list, please indicate in
  the subject field of each message:  Part 1 of 4, Part 2 of 4, etc.
  To assure that the NIC mail system will be able to process your
  message, do not send a message of over 50,000 characters.

IX.  SPECIFIC INSTRUCTIONS FOR EACH TEMPLATE FIELD

  If all users or a group of users in your list will have identical
  data in any field (i.e., same text of address, phone number,
  authorizing host, etc.),  please enter the full text of the field in
  the first template of the group in the list.  You may then indicate
  that this information is to be repeated by simply entering "*" as the
  text of that field in subsequent templates (* = ditto).  The "*"
  may be used only in the following fields:

     U.S. MAIL ADDRESS:
     PHONE:
     AUTHORIZING HOST:
     PRIMARY LOGIN NAME:
     PRIMARY NETWORK MAILBOX:
     TERMINATION DATE:

  FULL NAME:

  The name may be entered in any of the following formats:

     Lastname, Firstname I.
     Lastname, Firstname
     Lastname, I. Middlename
     Lastname, Firstname I., Jr.
     Lastname, Firstname I., III

     where "I." = an initial

     Do not include military rank or professional titles.

  U.S. MAIL ADDRESS - some standard procedures:

     The name of the organization or university should appear on the
     first line.  Do not use acronyms for the name of the organization.
     The second line may contain information such as the department
     name, code, or attention line, followed by a line containing the
     building name or number and room number, if you wish to include any
     of these.  The next line should contain the street address or Post
     Office Box.  The last line of the address field should contain the
     city, state and zip code.  If you commonly use a 9 digit zip code,
     enter that.

     DO NOT USE ANY ABBREVIATIONS OR ACRONYMS, with the exception of

        Incorporated.......Inc.
        Limited............Ltd.
        Corporation........Corp.
        Company............Co.
        Post Office Box....P.O. Box

     Separate lines of the address by a carriage return.

  PHONE:

     Up to four phone numbers are allowed.  Acceptable formats are:

     U.S. numbers

     (123) 456-7890
     (123) 456-7890 ext 123
     (123) 456-7890 (DSN) 567-7890
     (123) 456-7890 (DSN) 567-7890 (FTS) 667-7890
     (123) 456-7890 or 456-0987
     (123) 456-7890 or 456-0987 (DSN) 567-7890 or 567-0987

     Overseas numbers

     [49] 711-123456 or (DSN) 420-1234 or (M) 8765-1234

     (For overseas numbers, give number through country code with
     country code in brackets.)

  AUTHORIZING HOST:

     This is the name of the host which the user considers his or her
     "home" host, or on which the user is doing the primary work for
     which he or she is authorized to use the MILNET.

     Enter the OFFICIAL HOSTNAME rather than an approved nickname.

  PRIMARY LOGIN NAME:

     This is the primary login name/username/directory name of the
     user on the authorizing host.

     If the login name is a part of the security system on your host
     and therefore should be kept secret, do not enter it in this
     field.

     The primary login name may be a group directory name if it is the
     only one the individual uses.

  PRIMARY NETWORK MAILBOX:

     This is the mailbox where this individual prefers to receive
     mail.  This may or may not be his or her primary login name on
     your host.  If mail addresses are case dependent on your host,
     specify the mailbox string accordingly.  Otherwise enter the
     string in upper case.

     Separate the username and hostname parts of the mailbox by "@".

     Format:  USERNAME@HOSTNAME, e.g. SMITH@NIC

     For those hosts whose official hostname is a Fully Qualified
     Domain Name (FQDN), enter the FQDN in the hostname part of the
     mailbox.  The FQDN is preferred, as in:  [email protected]

  MILNET TAC ACCESS? (y/n):

     For a user to be authorized for MILNET TAC access, this field must
     be filled in with "y" or "yes".  This is the means by which you, as
     Host Administrator, indicate to us that this user is authorized
     for MILNET TAC access and will require a MILNET TAC Access Card.
     A TAC Access Card will be automatically generated for each
     individual whose template contains "y" or "yes" in this field,
     providing that the template is sent to us from the Host
     Administrator's mailbox.

  TERMINATION DATE:

     The DEROS date (Date Eligible for Return from Overseas) for military
     users, the estimated date of graduation for students, or the
     estimated elapse date for temporary users is requested here for use
     on military hosts.  Others may use the field if they wish.  It is
     not currently used in maintenance of the WHOIS database and will
     not cause automatic deletion of records from the database.

     Format:  MO/YR, e.g., 10/83, 02/84

  HANDLE:

     The handle is the unique identifying label for the record.

     This field appears in templates of currently registered users.

        DO NOT ALTER THIS FIELD.

     This field does not appear in the blank template.  Do not specify
     a handle for the ADDITIONS.  Our program will automatically
     generate a unique identifier (handle) for each individual
     template.

  DELETE? (y/n):

     If the individual no longer has a login account on your host, mark
     this field with a "y" or "yes".  DO NOT DELETE THE WHOLE TEMPLATE.

X.  SAMPLE BLANK TEMPLATE

  FULL NAME:
  U.S. MAIL ADDRESS:
  PHONE:
  AUTHORIZING HOST:
  PRIMARY LOGIN NAME:
  PRIMARY NETWORK MAILBOX:
  MILNET TAC ACCESS? (y/n):
  TERMINATION DATE:
  HANDLE:    ****DO NOT ALTER THIS FIELD.****
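
  The template rules from Sections III, IX and X as a validator (an
  added example, not part of the original NIC file and not NIC code):
  it parses blank-line-separated templates, expands "*" dittos only in
  the permitted fields, checks the MO/YR date, and honors a TAC request
  only when the message came from the Host Administrator's mailbox.
  The sample names, EXAMPLE-HOST and the function names are constructed;
  accepting "y"/"yes" in any letter case and comparing mailboxes as
  exact strings are assumptions.

```python
import re

# Labels from the Section X template, plus DELETE? described in Section IX.
FIELDS = ("FULL NAME", "U.S. MAIL ADDRESS", "PHONE", "AUTHORIZING HOST",
          "PRIMARY LOGIN NAME", "PRIMARY NETWORK MAILBOX",
          "MILNET TAC ACCESS? (y/n)", "TERMINATION DATE", "HANDLE",
          "DELETE? (y/n)")
# Section IX: "*" (ditto) is allowed only in these six fields.
DITTO_OK = set(FIELDS[1:6]) | {"TERMINATION DATE"}

# Constructed sample input: two templates separated by a blank line.
SAMPLE = """\
FULL NAME: Doe, Jane Q.
U.S. MAIL ADDRESS: Example University
   Anytown, CA 00000
MILNET TAC ACCESS? (y/n): yes

FULL NAME: *
U.S. MAIL ADDRESS: *
TERMINATION DATE: 13/84
"""

def parse_templates(text):
    """Parse blank-line-separated templates; return (records, errors)."""
    records, errors, last = [], [], {}
    for n, block in enumerate(re.split(r"\n[ \t]*\n", text.strip()), 1):
        rec, cur = {}, None
        for line in (l.strip() for l in block.splitlines()):
            label = next((f for f in FIELDS if line.startswith(f + ":")), None)
            if label:
                cur, rec[label] = label, line[len(label) + 1:].strip()
            elif cur:  # continuation line, e.g. a multi-line address
                rec[cur] = (rec[cur] + "\n" + line).strip()
        for field in [f for f, v in rec.items() if v == "*"]:
            if field in DITTO_OK and field in last:
                rec[field] = last[field]  # repeat the earlier template's text
            else:
                errors.append(f"template {n}: '*' not usable in {field}")
        date = rec.get("TERMINATION DATE", "")
        if date not in ("", "*") and not re.fullmatch(r"(0[1-9]|1[0-2])/\d\d", date):
            errors.append(f"template {n}: TERMINATION DATE is not MO/YR")
        last.update({f: v for f, v in rec.items() if v not in ("", "*")})
        records.append(rec)
    return records, errors

def tac_authorized(records, sender, admin_mailbox):
    """Section III: a 'y'/'yes' counts only if sent from the admin's mailbox."""
    return [r.get("FULL NAME", "") for r in records if sender == admin_mailbox
            and r.get("MILNET TAC ACCESS? (y/n)", "").lower() in ("y", "yes")]
```

  On the constructed sample, the second template's address ditto is
  expanded, while its "*" in FULL NAME and its month 13 are reported
  as errors.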
