Re: (ASCEND) PAP and CHAP with TNT

To: jaw12@ntrnet.net, jes@nl.demon.net
Subject: Re: (ASCEND) PAP and CHAP with TNT
From: "Joe Max" <max_and_tnt@hotmail.com>
Date: Fri, 14 Apr 2000 09:29:58 PDT
Cc: os@landshut.org, ascend-users@max.bungi.com
Sender: owner-ascend-users@max.bungi.com

The send-auth attribute only works if the TNT was calling the client, not 
the other way around.

Unfortunately, Microsoft hasn't provided a way to disable CHAP on DUN. Other 
PPP implementations (like the old Trumpet Winsock) have knobs to disable 
CHAP or PAP. Even if they did, it may be a little
difficult to convince 9000 people to mess with their registries.

Since authentication is negotiated *before* the TNT knows the identity of 
the user, there is a catch-22 situation here because you can't tell the TNT 
(or any other RAS for that matter) to use different auth protocols for 
different users: LCP negotiates which auth protocol *before* knowing the 
identity of the user, by the time it learns the identity, it's too late to 
negotiate a different auth protocol (old DUNs will crash, some iMac Apples 
will have severe problems).

The only solution is what Joel was talking about: tell the TNT which auth 
protocol to use based on CLID or DNIS, *before* LCP starts its negotiations.

Try to negotiate with UUnet for a DNIS auth cycle with the attribute 
'Ascend-Auth-Type=Auth-PAP'. That's your only solution.

Good luck!
-J

>From: Jim Williams <jaw12@ntrnet.net>
>
>I liked your thought process so I tried it...unfortunately, the CHAP/PAP
>handshaking goes on between the PC and the RAS box (in this case the TNT)
>according to the ppplog file when the modem dials in.  I need to find a
>way to change the information in Dial-Up Networking to tell it to lead
>with PAP.
>
>
>
>On Thu, 13 Apr 2000, Jim Segrave wrote:
>
> > Oliver Stettner wrote:
> >
> > What happens if your Radius server includes in its response:
> >
> > ATTRIBUTE       Ascend-Send-Auth                231     integer
> > with the value set to
> > VALUE   Ascend-Send-Auth                Send-Auth-PAP           1
> >
> > This should, I hope, cause the negotiation to restirct itself to PAP

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Prev by Date: Re: (ASCEND) MAX TAOS 8.0.2 SOFTWARE
Next by Date: Re: (ASCEND) MAX TAOS 8.0.2 SOFTWARE
Prev by thread: Re: (ASCEND) PAP and CHAP with TNT
Next by thread: Re: (ASCEND) Reset config
Index(es):
- Date
- Thread