Real Time Ascend Mailing List Archive

Re: (ASCEND) PAP and CHAP with TNT



Jim -
	From June of last year on this list (substitute TNT for MAX):

As has already been mentioned, the problem presumably stems from the fact
that the MS client cannot be configured to refuse CHAP if it is offered to
it, and the NAS (the MAX) is configured to Either, which means it is
_required_ by the PPP rfc to offer CHAP before offering to do CHAP.  This
is not itself a problem since with both ends agreeing on CHAP you should
be okay, except for one thing - CHAP requires that the authenticating entity
have a clear-text representation of the password.  A local profile will
meet this requirement, as will a Radius profile which includes the
password.  What won't work is using a Radius profile entry which does not
include the clear text password (e.g., it references a Unix passwd file
entry, or in some other fashion contains an encrypted password).  Since
apparently you have some clients which do want to use CHAP, then assuming
that the MS clients are using a Radius auth record without a plain-text
password,  you have the option of making a (very limited) set of MS
clients use local profiles, or modifying the relevant Radius profiles to
use a clear-text password entry, OR, in very recent Ascend SW releases
(and I'm not sure which ones; perhaps only including releases which are
not suitable for you.  I do know that the feature I am about to describe
is slated for general availability, but that won't necessarily help you
right now), IF you are using (or can use) CLID authentication in addition
to name/pwd authentication, you can include a Reply-Attribute in the CLID
auth record which will override (for this call only) the default
None/Pap/Chap/Either setting in the Max Answer profile.  This
Ascend-Specific (and therefore VSA-only) attribute was added specifically
to address the situation just described.  Please contact your sales rep to
see if it is available in a release suitable for your needs.  The Radius
attribute and associated values are:

#
# Note that this attribute uses the same id as an RFC assigned
# attribute and therefore must be used only as a VSA.
#
ATTRIBUTE       Ascend-Auth-Type        81      integer

#       Ascend Auth Values

VALUE   Ascend-Auth-Type                Auth-None               0
VALUE   Ascend-Auth-Type                Auth-Default            1
VALUE   Ascend-Auth-Type                Auth-Any                2
VALUE   Ascend-Auth-Type                Auth-PAP                3
VALUE   Ascend-Auth-Type                Auth-CHAP               4
VALUE   Ascend-Auth-Type                Auth-MS-CHAP            5

Thus, returning an Ascend-Auth-Type = Auth-PAP in the CLID authorisation
will allow this call to use PAP for name/pwd auth regardless of the Answer
profile Recv Auth setting.  You must configure the MAX to use VSAs for
this attribute to be recognised (note that configuring the MAX to use VSAs
means that it will NOT recognise non-RFC-standard attributes which are not
explicitly marked as an Ascend-VSA.  Also, the Radius server must recognise
incoming Ascend-VSAs since the Max will also send all non-RFC-standard
Ascend attributes as Ascend-VSAs).

I hope this information helps you.

/joel



> ------------------------------
> 
> From: "Jim Williams" <jaw12@ntrnet.net>
> Date: Wed, 12 Apr 2000 13:41:47 -0400
> Subject: (ASCEND) PAP and CHAP with TNT
> 
> We have signed up to resell UUnet dialup nationwide.  We are running into a
> problem however.  UUnet says that they have their TNT boxes set to do both
> CHAP and PAP.  Problem we are running into is that when anyone dials in
> with Windows 9x it tries to use ONLY CHAP (it does not seem to fall back to
> PAP when CHAP fails and I know that Microsoft leads with CHAP) and then
> fails because we really need PAP.  How has everyone gotten around this
> problem or have you?
> 
> Jim Williams
> President
> Ntrnet Systems, Inc.
> jaw12@ntrnet.net
> 919.484.0504 x122
> fax: 919.484.0782
> 
> 
> 
> ++ Ascend Users Mailing List ++
> To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
> To get FAQ'd:	<http://www.nealis.net/ascend/faq>
> 
> ------------------------------

-- 

joel wittenberg
InterNetworking Systems
joelw@lucent.com
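
The VSA framing that the reply above depends on, as an added example that is not part of the original post or of any Ascend code: it wraps Ascend-Auth-Type in an RFC 2865 Vendor-Specific attribute and parses a reply so that a bare attribute 81 is never mistaken for it. The vendor id 529 (Ascend's IANA enterprise number) and all function names are assumptions not taken from the post.

```python
import struct

ASCEND_VENDOR_ID = 529   # assumption: Ascend's IANA enterprise number, not in the post
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
ASCEND_AUTH_TYPE = 81    # attribute id from the dictionary entry in the post
AUTH_VALUES = {0: "Auth-None", 1: "Auth-Default", 2: "Auth-Any",
               3: "Auth-PAP", 4: "Auth-CHAP", 5: "Auth-MS-CHAP"}


def encode_ascend_auth_type(value):
    """Build the VSA: type 26, length, vendor id, then 81, length 6, uint32."""
    if value not in AUTH_VALUES:
        raise ValueError("unknown Ascend-Auth-Type value: %r" % value)
    sub = struct.pack("!BBI", ASCEND_AUTH_TYPE, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ASCEND_VENDOR_ID) + sub


def find_ascend_auth_type(attrs):
    """Return the Auth-* name carried as an Ascend VSA in attrs, or None.

    A bare attribute 81 is skipped: outside a VSA that id is RFC-assigned.
    """
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) != 10:
            continue
        vendor, vtype, vlen, code = struct.unpack("!IBBI", body)
        if vendor == ASCEND_VENDOR_ID and vtype == ASCEND_AUTH_TYPE and vlen == 6:
            return AUTH_VALUES.get(code, "unknown(%d)" % code)
    return None


# Constructed sample reply: a bare attribute 81 first, then the Ascend VSA.
BARE_81 = bytes([81, 3]) + b"5"
SAMPLE_REPLY = BARE_81 + encode_ascend_auth_type(3)

if __name__ == "__main__":
    print(encode_ascend_auth_type(3).hex(), find_ascend_auth_type(SAMPLE_REPLY))
```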
