Re: (ASCEND) Virtual Logins

To: ascend-users@max.bungi.com
Subject: Re: (ASCEND) Virtual Logins
From: basher@alpha.ces.cwru.edu (Tim Basher)
Date: Thu, 3 Sep 98 11:15:18 EDT
Sender: owner-ascend-users@max.bungi.com

> I have several Max's, 4004's 4048's and 4002's.  All are running 6.1.7.
> My radius is receiving thousands of requests an hour from the each Max
> with UserID's like...
> 
> bridge-max1-1
...
> Does anyone have any idea why it is doing this,

Each MAX is trying to get configuration information by sending RADIUS
Access-Request messages for pseudo-user entries which use usernames
related to the function.

This is a standard feature of TAOS and has been in software for the MAX 
since at least release 4.6.

> how to stop it,

The MAX is supposed to stop on its own, after failing to receive a RADIUS
Access-Accept from the RADIUS server.

It sounds like there may be a change in the 6.1.7 software that causes
the MAX to continue retrying.  I would recommend you contact the Ascend
Technical Assistance Center that is nearest you.  You will be assigned
a trouble ticket.  If this is a bug, then you should make sure that you
get the TR number for the problem, so you can watch for a fix in the
release notes.

> is it a radius problem or an Ascend problem.

There is not enough information in your message to decide if the problem
is with the RADIUS server or the MAX.

Since, from your description, the behavior changed when you updated the
software on the MAX, I would guess that any problem may be on the MAX.

> It is not causing any downtime, just makes for huge logs, eats up bandwidth
> and it is a problem to sort thru all of these logins in the logs looking
> for a user with a problem.

Depending upon the messages that are being logged, there are some workarounds
you can make on the RADIUS server.

For instance, if the problem is that the RADIUS server is recording
a message because the user entries do not exist, you can just create
dummy user entries.

You might try the following example user entry (this example is for 
"bridge-max1-1".  You would need to create similar entries for 
"frdlink-max2-1", "permconn-max1-1", "pools-max2", etc.)

bridge-max1-1  Password = "noway", NAS-Port = 66000 

By having a matching entry in the users file, you will stop the log messages.
By using a password that differs from the pseudo-user password, you will cause
the RADIUS server to send an Access-Reject message.
By using an "invalid" NAS-Port, you prevent the entries from being used
inappropriately to login to the NAS.
You do not need any reply-items because you are not going to configure
anything.

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Prev by Date: Re: (ASCEND) Virtual Logins
Next by Date: (ASCEND) Firewall Debug Mode
Prev by thread: RE: (ASCEND) Virtual Logins
Next by thread: Re: (ASCEND) Virtual Logins
Index(es):
- Main
- Thread