Real Time Ascend Mailing List Archive
Re: Re: (ASCEND) MS-CHAP, radius authentication question
> From: Joel Wittenberg <joelw@ascend.com>
> Date: Tue, 21 Dec 1999 14:42:51 -0800
> Subject: Re: (ASCEND) MS-CHAP, radius authentication question
>
>
> The problem is that MS clients will try to negotiate MS-Chap, and if you
> have some (MS) clients which need to use MS-Chap, and some which don't,
> then you need to set the Answer profile to support MS-Chap, however, then
> all of your MS clients will successfully negotiate for MS-Chap. However,
> if you can reasonably support doing DNIS or CLID authentication in
> addition to name/pwd auth then you can use the Ascend-Auth-Type VSA to
> indicate the type of name/pwd (PPP) auth to use, overriding the ANSWER
> profile selection.
>
> What this means is that the NAS will not allow LCP to negotiate for any
> profile not allowed by the Ascend-Auth-Type VSA; therefore the attempt by
> the MS client to negotiate MS-Chap will be foiled if the DNIS/CLID auth
> returns e.g., Auth-CHAP (so the NAS will negotiate for CHAP and the MS
> client will agree). Since CHAP rather than MS-CHAP will be used, any
> normal Radius server should be able to authenticate such a call.
>
> If you can separate your MS clients into 2 groups (MS-CHAP and CHAP) and
> give them separate numbers to call, then DNIS auth would be a good choice;
> alternatively you can use CLID auth, but that will require all of your MS
> clients to supply CLID (or just the CHAP or just the MS-CHAP ones, if you
> configure for clid-auth-mode = CLID-prefer).
>
> I'm not sure which branches have this capability (I believe 7.0V and 8.0
> branches, possibly other 7.X branches as well) - check with Ascend support.
>
> #
> # Specify the type of auth to use. Initially intended to specify the type
> # of receive authentication, but could also be used to specify the type
> # of send authentication; if adopted for this use we could then obsolete
> # the Ascend-Send-Auth attribute. The Ascend-Auth-Type attribute values
> # are similar to the Ascend-Send-Auth values but are named in such a way
> # as to allow their use for either send or receive auth.
> #
> # Note that this attribute uses the same id as an RFC assigned
> # attribute and therefore must be used only as a VSA.
> #
> ATTRIBUTE Ascend-Auth-Type 81 integer
>
> # Ascend Auth Values
>
> VALUE Ascend-Auth-Type Auth-None 0
> VALUE Ascend-Auth-Type Auth-Default 1
> VALUE Ascend-Auth-Type Auth-Any 2
> VALUE Ascend-Auth-Type Auth-PAP 3
> VALUE Ascend-Auth-Type Auth-CHAP 4
> VALUE Ascend-Auth-Type Auth-MS-CHAP 5
>
> If values other than those just enumerated are passed from Radius to
> the NAS then the NAS will use the configured default (either the
> answer profile [if use-answer-as-default is yes] or else the factory
> default) instead of attempting to use the returned value.
>
> Sample Radius Use:
> 3831 Password = "Ascend-CLID", Service-Type = Dialout-Framed-User,
>     Ascend-Require-Auth = Require-Auth,
>     Ascend-Auth-Type = Auth-PAP
>
>
> So this would allow you to specify e.g., Auth-CHAP based on CLID
> authentication, even though the normal Answer setting would have the NAS
> allow the connection to negotiate for MS-CHAP. Note that the service type
> is on the first line (important to prevent someone from dialing in and
> specifying their name/pwd as "3831"/"Ascend-CLID") and that you MUST
> return the Ascend-Require-Auth = Require-Auth if you wish to proceed to
> use name/pwd auth.
>
> Hope this helps,
>
> /joeli
I will look into this.
Thank you.
/Lasse
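As an added illustration (not code from the post, Ascend, or any RADIUS server), here is a small Python model of the mechanism Joel describes: it parses a users-file entry shaped like the sample above, checks his Service-Type-on-the-first-line rule, and works out what an MS client ends up negotiating when the CLID pre-auth reply carries Ascend-Auth-Type = Auth-CHAP. The factory-default set, the meanings of Auth-None/Auth-Default/Auth-Any, and the MS client's fallback order are assumptions.

```python
"""Added model of the Ascend-Auth-Type override described in the post:
parse one Livingston-style users entry (first line = name + check items,
indented lines = reply items) and derive what the NAS lets LCP negotiate."""
import re

FACTORY_DEFAULT = {"PAP", "CHAP"}  # assumed factory-default receive auth

# Constructed entries: the first mirrors the post's sample (with Auth-CHAP),
# the second omits Service-Type from the check line, as the post warns against.
USERS = """3831 Password = "Ascend-CLID", Service-Type = Dialout-Framed-User,
    Ascend-Require-Auth = Require-Auth,
    Ascend-Auth-Type = Auth-CHAP
"""
BAD_USERS = """3832 Password = "Ascend-CLID",
    Ascend-Require-Auth = Require-Auth,
    Ascend-Auth-Type = Auth-CHAP
"""

def _items(s):
    return {k: v.strip() for k, v in re.findall(r'([\w-]+)\s*=\s*"?([^",]+)"?', s)}

def parse_users_entry(text):
    """Return (username, check_items, reply_items) for one entry."""
    lines = [l for l in text.splitlines() if l.strip()]
    name, _, first = lines[0].partition(" ")
    reply = {}
    for line in lines[1:]:
        reply.update(_items(line))
    return name, _items(first), reply

def clid_entry_is_safe(check):
    """Post's rule: a CLID pseudo-user must carry Service-Type among its
    check items, or a dialer could log in as 3831 / Ascend-CLID."""
    return check.get("Password") != "Ascend-CLID" or "Service-Type" in check

def negotiated_auth(reply, answer_profile, use_answer_as_default=True):
    """Protocols LCP may negotiate; None when Require-Auth is missing."""
    if reply.get("Ascend-Require-Auth") != "Require-Auth":
        return None
    value = reply.get("Ascend-Auth-Type")
    if value in ("Auth-PAP", "Auth-CHAP", "Auth-MS-CHAP"):
        return {value[5:]}          # override whatever the Answer profile allows
    if value == "Auth-None":
        return set()
    if value == "Auth-Any":         # assumed: everything the Answer profile allows
        return set(answer_profile)
    # Auth-Default (assumed) or an unknown value: the configured default
    return set(answer_profile) if use_answer_as_default else set(FACTORY_DEFAULT)

def ms_client_outcome(allowed):
    """Assumed MS client preference order: MS-CHAP, then CHAP, then PAP."""
    return next((p for p in ("MS-CHAP", "CHAP", "PAP") if p in (allowed or ())), None)
```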
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>