[Ascend] (ASCEND) Re: RADIUS authentication of SDSL connections

Thu Aug 24 15:11:32 CDT 2000

> >a static dial-out route, for example. However, I can't for the heck of it
> >get the thing to authenticate either incoming calls, or use RADIUS for the

After a lot of debugging sessions yesterday, I finally found the culprit. I
had Ethernet->Answer->PPP options->Recv Auth=None. The reason why the logins
worked with the local connection profile was the match on the IP address. 
Sigh...

After this change, things seem to work fine. I tried a couple of attributes,
and the dslmax20 finally behaves just like its dial-up friends.

> 1. If you want call accounting information, set the unit to send 
> RADIUS accounting checkpoint records every hour or so. Those records 
> should give you any information you could want to track and will 
> allow you to use a more natural nailed transport such as Frame Relay.

I'll set the checkpoint option, will likely have to tweak some scripts
after that. Oh, I don't consider Frame Relay as to be particular "natural"
though:-) 

> 2. Make sure System>Sys Config>Perm Conn Update=All. IME, this alone 
> seriously breaks RADIUS authentication.

It is.

> 4. If you're doing SDSL over dry copper (as opposed to aggregating 
> from a telco over DS-3 or something), I strongly suggest that you use 
> local profiles and use RADIUS only for accounting. As you can only 

Maxen are dreadful to configure in their "GUI", things get even hairier when
static routes and potentially filters are added. Also, RADIUS profiles can
be generated out of a database (or even reside in a database); things are 
considerably trickier if you want to automatically configure routers 
locally (more so with this GUI, Ciscos I can handle that way).

> have 32 physical connections and TAOS 8.0.3 allows 100 local 
> profiles, you should be able to accomplish anything you need without 
> resorting to RADIUS authentication.
> 5. If you use interface-based routing in RADIUS profiles, routing 
> will fail whenever you change anything related to routes, as I've 
> posted here before. One word: don't.

Not using that, just point-to-point or "unnumbered" routes.

> In summary, these units are quite decent... unless you use RADIUS 
> authentication.
> 
> If you insist on using RADIUS authentication (God help you), feel 
> free to post a sample profile and RADIUS logs and permconn output.

The immediate problem has been resolved so far, I'll keep you informed
whether we'll run into problems later with more active accounts. Thanks for
the reply!

Markus
-- 
KPNQwest Switzerland Ltd
P.O. Box 1600, Hohlstrasse 550, CH-8048 Zuerich
Tel: +41-1-439-4390, Fax: +41-1-439-4391
Markus Wild, Manager Engineering, e-mail: markus.wild at kpnqwest.ch
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request at bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>