Ascend Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (ASCEND) P75s and 5.1



On 29 January 1998, Kevin A. Smith <kevin@ascend.com> wrote:
> At 08:26 PM 1/28/98 +0100, Thomas Falk Claezon wrote:
[Zap]


> >We realy need a stable P75, MAX 4K and Radius setup for our 
> >telecomuting users. We are close, but there are still some annoying
> >problems with the P75 and Radius.
> 
> I'll check into those....
 
  We thought that our final Radius problem was solved by TR 250124 in
  the 971105 release of Ascend Radius. But unfortunally there was a
  new problem introduced in that release. 
  Anyway it's now in Ticket # 260788

> 
> >---------------------------- Begin included text
> -----------------------------
> >Ticket # 260750
> >
> >Description: P75+NAT, Can't start new TCP-sessions after several hours
> uptime!
> >
> >We have an "old" Pipeline 75 (S/N 721xxxx), running 5.1Ap6 (b.p75) and
> >configured for single adress NAT. The problem usually occours after more
> >than 8 hours of usage, and usually shortly after renewed authentication.
> 
> Aha....that's probably related then. Mine does add/drop the second channel
> during the 16 hours, but auth is straight PAP.
> 
> >We use SAFEWORD and CACHE-TOKEN to authenticate our users. This makes the
> >problem worse, because we can *not* do a "system reset" within an
> >"authentication period" without loosing the "session shared secret" used by 
> >the P75 and Radius. If we in this case do a system reset, then we must wait
> >untill the cached "session shared secret" expires from the radius cache,
> >before the P75 can be used again (in our setup this can be upto 8 hours).
> 
> How is that? Why 8 hours?

A "normal workday" is 8 hours, and the user authenticates his/hers workday
with the SAFEWORD token card. The CACHE-TOKEN feature enables Radius to 
cache the initial password for "re-use" in autenticating channels as they
are added to the call, or when a new call is made, within the defined period.

The Radius cache period is specified by the Ascend-Token-Expiry parameter. 
You can add the Ascend-Token-Idle parameter to force an earlier
expiration of the cached password for idle users (doesn't work in
my current radius release).


Example radius user (using it right now with a working Framed-Address etc):

falk Password = "SAFEWORD", Ascend-Token-Expiry=480
	Ascend-Token-Idle = 90,
	Ascend-Idle-Limit = 190,
	Ascend-Receive-Secret = "xxxx",
	User-Service = Framed-User,
	Framed-Protocol = MPP,
	Framed-Address = 1nn.1nn.nn.nnn,
	Framed-Netmask = 255.255.255.0


More detailed information at page 3-19, 3-26 in the MAX RADIUS Configuration
Guide and in the Pipeline Reference guide (page 2-160) available at:
 
 http://www.ascend.com/private/488.html

> 
> >The only circumvention that we have been able to use, are to do a preventive
> >system reset *between* "autentication periods". 
> 
> OK, I am confused. I'll check into the ticket to see who is working on it!

I just got a mail from EMEA-support with some items to check, and requesting
more information regarding my Pipeline problem. 

I guess I will be busy for a while, testing and collecting information :-) !

> 
> 
> Kevin
> 
> 
> ++ Ascend Users Mailing List ++
> To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
> To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Thanks!

Regards Thomas
-- 
 Thomas Falk Claezon             ERICSSON, AXE Research and Development
 Phone:   +46 8  727 34 12       Box 1505
 Mobile:  +46 70 536 31 01       S-125 25 ALVSJO
 Fax:     +46 8  647 82 76       SWEDEN
 Email:   falk@uab.ericsson.se

 URL:             http://www.elfi.adbkons.se/~falk/
 PGP Public Key:  http://www.elfi.adbkons.se/~falk/PGP.html
 PGP Fingerprint: 0E 0F 39 7C 1D C4 7E 2C  66 DB 20 49 9B DB BB 56
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>


Follow-Ups: References: