Ascend Archive

Re: (ASCEND) linux authentication trouble



On Mon, 9 Feb 1998, ukeiko wrote:

> Anyway, I'm trying to debug a problem one of our linux users is having
> dialing up.  I've isolated the problem down to the fact that the Max is
> prompting for the low level, system maintenance password.  I used mini-com
> to capture the session at a Max 4000 (which is giving us the problem) and
> at a Pipeline box (which is not causing a problem).

Having encountered this problem too, and being dialed in from a (Debian) 
Linux box right now, I suspect there are two ways this could be fixed 
(and you may wish to implement both):

1. Have the linux caller use PAP rather than scripted login

2. remove the MAX Terminal Server password (not to be confused with 
its Telnet password or Security Profile Password(s)).

> One of the things that I noticed is that there is a delay (about 5
> seconds) between the first time I get a connect on the max 4000 and the
> prompt for the maintenance password appears.  Perhaps the client (linux)
> should be sending some authentication information initially to prevent a
> timeout to the system maintenance password prompt, [...] Someone Please
> enlighten me if I'm way off course here.

This sounds *very* much like the MAX is waiting for PAP from the caller, 
the PAP is timing out, the MAX is dropping to the TS and there is a TS 
Password set.

> This had to be a no-brainer (If I only had a...) problem and is probably
> a linux configuration problem, but I am a little worried that the Max
> offers the maintenance login prompt to any old user who dials us up and
> waits.  Am I paranoid, or is this normal configuration practice?

As far as I can see from your description, this is the TS Password.  
Having this and doing scripted logins are, AFAIK, mutually exclusive - 
better to have no TS password but have both a Telnet Password and proper 
management of Security Profiles.  Anyone else care to comment?

> I'm also having some trouble connecting a yamaha rt100i (isdn router)
> to the same Max and, although I can't monitor the
> connection/authentication process as closely as I can with linux, I
> believe the problem to be related.

Yes, could be the same problem.

> I would appreciate any suggestions on configuration items in the
> max/radius database that might need to be changed/added.  Additionally,
> I would like to know what other people used to debug/monitor initial
> connection problems other than what the radius database reports to
> syslog.

I'm pretty sure this is *not* a radius problem: authentication via the 
radius server will take place after the MAX has obtained a username and 
password from the caller - whereas your problem seems more like a problem 
with the MAX getting the username and password.  Can anyone else vouch 
for this reasoning?

> ############## Mini-com script at the max 4000
> ATDT 555-1212
> CONNECT 38400
> Welcome to anynet
> 
> <a delay of about 5 seconds>
> 
> System Password: systemmaintancepassword
> 
> Login: joeuser
> Password: joeuserpassword
>     Entering PPP Session.
>     IP address is xxx.xxx.xxx.xxx
>     MTU is 1524.
> ~ÿ}#À!}!}!} }

> 
> 
> ############## Mini-com script at the Pipeline
> ATDT 555-2121
> CONNECT 38400
> ** Ascend Pipeline Terminal Server **
> 
> 
> Login: joeuser
> Password: joeuserpassword
>     Entering PPP Mode.
>     IP address is xxx.xxx.xxx.xxx
>     MTU is 1500.
> ~ÿ}#À!}!}!} }

This difference could be explained by a TS Password being set in the MAX.

Elaborating on the two points raised initially:

1. PAP and Linux (note that the MAX insisting on CHAP would break this 
too, but IIRC that is unlikely to be your problem as that would break 
Windoze dialups too).  The following comments apply to Debian Linux, YMMV 
with other Linux distributions:

 /etc/chatscript: should *not* have (l)ogin and (p)assword lines, after 
dialing, just look for CONNECT from the modem.

 /etc/ppp.options_out: specify "user <the username>" for connecting in 
this file.  On non-debian this could be required to go in 
/etc/ppp/options (or equivalent file).

 /etc/ppp/pap-secrets: needs a line in the OUTBOUND connections section
associating the correct password with the username being used. 

I hope that helps,
Neale.
(speaking for myself)
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
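
The three-file PAP setup described in the message above, as an added example that is not part of the original post. It stages the files in a scratch directory for review instead of writing to /etc; the function names, modem commands, and the sample user, password and number are constructed assumptions.

```shell
#!/bin/sh
# Added example: stage the dial-out files for PAP under a scratch directory.
# File names follow the message above; every value passed in is constructed.

# write_pap_config DIR USER SECRET NUMBER
write_pap_config() {
    dir=$1 user=$2 secret=$3 number=$4
    mkdir -p "$dir/ppp" || return 1

    # Chat script: dial and stop at CONNECT. There are no login/password
    # expect lines, so pppd starts right away and can answer the PAP request
    # before the MAX times out and drops to its terminal server prompt.
    cat > "$dir/chatscript" <<EOF
ABORT BUSY
ABORT "NO CARRIER"
"" ATZ
OK ATDT$number
CONNECT ""
EOF

    # pppd options: the name pppd presents when the peer asks for PAP.
    printf 'user %s\n' "$user" > "$dir/ppp.options_out"

    # pap-secrets: client, server (* = any peer), secret. The file holds a
    # cleartext password, so keep it readable by its owner only.
    printf '# OUTBOUND connections\n%s\t*\t"%s"\n' "$user" "$secret" \
        > "$dir/ppp/pap-secrets"
    chmod 600 "$dir/ppp/pap-secrets"
}

# has_scripted_login FILE: succeeds if the chat script still waits for a
# login or password prompt, which would defeat the PAP setup.
has_scripted_login() {
    grep -Eiq '(ogin|assword)' "$1"
}
```

Running `has_scripted_login` against an existing chat script before switching to PAP shows whether leftover login or password expect lines still need removing.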

