(ASCEND) Re: [aaa-support #2868] Ascend Max TNT + Merit AAA <-> Merit AAA Proxy trouble

To: Alan Spicer <aspicer@satelnet.org>
Subject: (ASCEND) Re: [aaa-support #2868] Ascend Max TNT + Merit AAA <-> Merit AAA Proxy trouble
From: "H.Michael Abraha" <abraha@merit.edu>
Date: Tue, 21 Dec 1999 11:13:19 -0500
Cc: aaa-support@merit.edu, ascend-users@max.bungi.com, Alan Spicer <aspicer@ifxcorp.com>
References: <LPBBKIFOLGGAFEFHFFIGIEJDCBAA.aspicer@satelnet.org>
Sender: owner-ascend-users@max.bungi.com

Alan Spicer wrote:
> 
> * Hello,

Hello,

> We are using Ascend Max TNT software load v. 7.2.3
> 
> Merit AAA (basic server) version 3.6b
> 
> We have a remote server (Merit 3.6b) and the local
> (realm) server (Merit 3.6b)
> 

Ok,

> So we are basically trying to proxy. Manual tests
> give results as follows:
> 
> radpwtst - authenticates OK [sends to realm server
> which ok's it and sends back the reply OK]
> 

Ok,

> on the tnt:
> admin> radauth maxell@unete uva
> ...radauth request queued, awaiting response
> admin> radauth: 2 - seems to work ok?
> 

Ok,

> But when a dial-in modem user does the same test, the
> authentication fails. Logs failure in the realm server,
> logs failure in the remote server, and returns failure
> to the tnt and the user is disconnected.
> 
> * I wonder if anyone has done this proxying with TNT,
> or other recent Ascend products and can offer some
> advice of what could be wrong? It seems as if there
> is some other encryption of the passwords that are
> not agreeing when it comes from a dial-up user to the
> TNT.
> 

We don't have this NAS to test our server here at Merit.

> Also note that local users (not realm) are authenticated
> via the "users" file of Merit AAA 3.6b just fine. So
> it seems that Merit AAA understands the auth requests (?)
> 

I can only think of two things:

1. The NAS (TNT) may not be configured properly.
   This is normally the case when you have the test utilities work and
the 
   actual dial-up fails.

2. The (NAS-IP-Address or NAS-Identifier) and (NAS-Port) must be
transmitted
   along with the Access-Request. It is a requirement in our
implementation.
	

You may run both servers in a 2 level debug mode and send us the output,
or you can see it yourself and spot the problem.


> Thanks for any help,
> 

You are welcome.

> Alan Spicer (AGS14)
> aspicer@ifxcorp.com
> 
> P.S. We have other proxy's working, but the remote
> end is not Merit, they are Cistron and such. Again
> the local (realm) auth server is Merit AAA 3.6b
> basic server.

I see.
-- 

Regards,

Michael.

Hailemichael Abraha
Systems Research Programmer II  e-mail abraha@merit.edu
Merit Network, Inc.             direct (734) 647-8646
4251 Plymouth Rd.               main   (734) 764-9430
Ann Arbor, MI 48105             FAX    (734) 647-3185
http://www.merit.edu
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

References:
- (ASCEND) Ascend Max TNT + Merit AAA <-> Merit AAA Proxy trouble
  - From: "Alan Spicer" <aspicer@satelnet.org>

Prev by Date: RE: (ASCEND) Protection Violation(2nd Try)
Next by Date: (ASCEND) Hunt group not working on Data calls to Max 1800
Prev by thread: (ASCEND) Ascend Max TNT + Merit AAA <-> Merit AAA Proxy trouble
Next by thread: (ASCEND) Serial (RS232) tunnel with Max 4000?
Index(es):
- Date
- Thread