>From: mw at kpnqwest.ch
>
>we're starting to deploy a couple of DSLMAX20 to connect customers via
>SDSL. We'd like to use the following setup:
>- customer CPE connects to MAX in "switched" (not nailed) mode, running PPP
>  encapsulation (reason: gathering accounting information for these "calls")
>- MAX authenticates these "calls" via an existing RADIUS (Merit based
>  originally, somewhat "ascendified":-)) server. This server has been in use
>   for years for MAX4000 and MAX6000.
>
>I've set up the MAX with the identical parameters as on the dial-in routers,
>and after booting, it nicely asks the RADIUS server for configuration records
>(like permanent connections, static routes, etc). It successfully installs
>a static dial-out route, for example. However, I can't for the heck of it
>get the thing to authenticate either incoming calls, or use RADIUS for the
>downloaded dial-out static-route (both are things that work fine on the dial-up
>routers). The RADIUS server doesn't log any packets upon connection attempts
>of the CPE. If I configure the identical profile I keep on the RADIUS server
>as a local connection profile, things work just fine...

The DSL Max 20/DSL Terminator 100 are an absolute nightmare when it 
comes to RADIUS authentication. However, they can be made to work, 
albeit with limitations and glitches. Some thoughts:

1. If you want call accounting information, set the unit to send 
RADIUS accounting checkpoint records every hour or so. Those records 
should give you any information you could want to track and will 
allow you to use a more natural nailed transport such as Frame Relay.
2. Make sure System>Sys Config>Perm Conn Update=All. IME, this alone 
seriously breaks RADIUS authentication.
3. Use debug> permconn to see what the Max 20 is seeing. This is 
broken too, and will show --- data lost --- if you have a reasonable 
number of connections.
4. If you're doing SDSL over dry copper (as opposed to aggregating 
from a telco over DS-3 or something), I strongly suggest that you use 
local profiles and use RADIUS only for accounting. As you can only 
have 32 physical connections and TAOS 8.0.3 allows 100 local 
profiles, you should be able to accomplish anything you need without 
resorting to RADIUS authentication.
5. If you use interface-based routing in RADIUS profiles, routing 
will fail whenever you change anything related to routes, as I've 
posted here before. One word: don't.

In summary, these units are quite decent... unless you use RADIUS 
authentication.

If you insist on using RADIUS authentication (God help you), feel 
free to post a sample profile and RADIUS logs and permconn output.
-- 

Peter Lalor           Infoasis
plalor at infoasis.com   http://www.infoasis.com/

"Where's my burrito?" -- Homer
++ Ascend Users Mailing List ++