Extract from TAOS 9 manual: -
CLID-Auth-Mode
Description: Specifies how the TAOS unit uses the telco-provided Calling-Line ID (CLID) and Dialed Number Information Service (DNIS) called number for authenticating incoming calls.
Usage: Specify one of the following values:
• Ignore (the default) specifies that the TAOS unit does not require a matching ID from incoming calls.
• CLID-First specifies that if the CLID is sent by the telco switch, the TAOS unit uses it to authenticate the call. If CLID authentication fails for any reason, or if the telco switch does not provide the CLID, the TAOS unit does not drop the call, but allows negotiations to proceed to password authentication.
• CLID-Prefer specifies that the TAOS unit uses the CLID, if available, to authenticate the call. If the CLID is not provided by the switch, the TAOS unit uses the type of authentication specified by the Send-Auth-Mode setting in the Connection profile. If the CLID is provided by the switch but does not match the calling number specified in a local Connection profile or Remote Authentication Dial-In User Service (RADIUS) user profile, or if the CLID succeeds but the encapsulation protocol’s authentication fails, the TAOS unit drops the call.
• CLID-Require specifies that the TAOS unit must receive a CLID from the incoming call, and the CLID must match the calling number specified in a local Connection profile or RADIUS user profile. If the TAOS unit does not receive a CLID, or does not find a matching number in a profile, the TAOS unit does not answer the call. A matching RADIUS user profile can require name and password authentication after CLID authentication by setting Ascend-Require-Auth to Require-Auth.
• CLID-Fallback specifies that the TAOS unit must receive a CLID in the incoming call. Otherwise, the TAOS unit does not answer the call. If the CLID matches a calling number specified in a local Connection profile or RADIUS user profile, the TAOS unit authenticates the call with the CLID. If the TAOS unit does not receive a response from the RADIUS server, it uses the authentication configured in the Answer-Defaults profile.

If you read it carefully, you should be able to work out what attributes to return,
Ascend-Auth-Mode
or
Ascend-Require-Auth

It also looks like you are trying to do dialback in the user entries, but
contradict this fact in your description.
I would get all the dialin CLID/PAP auth to work, then attempt dialback.

Cheers
James





> -----Original Message-----
> From: owner-ascend-users at max.bungi.com
> [mailto:owner-ascend-users at max.bungi.com]On Behalf Of Paul Gregg
> Sent: 05 April 2001 18:39
> To: 'ascend-users at bungi.com'
> Subject: (ASCEND) New APX config issues
>
>
> Hi everyone,  I'm new to the list, having just received my first Ascend
> (derived) box. I've previously used Livingston/Lucent Portmasters for the
> last 5 years.
>
> I'm in the middle of replacing a PM4 with an APX and am having the
> following difficulties:
>
> 1)
> On the PM4 I pre-auth dialins by doing a CLI check first via Radius.
>
> Basically, to prevent abuse (we operate a Free ISP in the UK), we check
> the CLID against a list of known abusers and Reject them outright before
> even picking up the line.  Otherwise the DEFAULT is to accept the call.
>
> However on the APX, if I use clid-prefer, I can reject the connection ok,
> but the APX simply accepts non-rejected connections without a username
> or password.  Not good.
> If I use clid-first then the APX receives the Reject, but ignores it and
> picks up the call allowing the abuser to dial in.
>
> There doesn't seem to be a way with Taos to make it do what I want.
>
>
> 2) I have a number of dial back users - where during the CLID check,
> we recognise the number and do a callback.  On PMs it is this:
> 1234567890	Service-Type = Call-Check
>         Service-Type = Callback-Framed-User,
>         Callback-Id = "dbusername"
> Where dbusername is a profile stored in the PM.
>
> On the APX, it seems I need:
> 1234567890	Service-Type = Outbound-User
>         Framed-Route = "212.108.64.129/28 212.108.64.129 1 n dbusername-out"
> But the APX loads "dbusername-out" via RADIUS, so I add in:
> dbusername-out User-Password="xxxxxxx", Service-Type = Outbound-User
>         User-Name = "dbusername"
>         Ascend-Dial-Number = "1231231230",
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 212.108.64.129,
>         Framed-IP-Netmask = 255.255.255.240,
>         Ascend-Send-Auth = Send-Auth-PAP,
>         Ascend-Send-Secret = "xxxxxxxxxx"
>
> This doesn't seem to work (despite reading the pdfs very carefully).
> Does the APX need a special hash code just to do dialback?
>
>
> 3) I can successfully dialin and ping the apx, and from the apx ping the
>    dialled in IP.  I can ping the local subnet and the wider internet (and
>    traceroute) from the APX. However, the dialled in computer can't ping
>    anything outside the apx. It seems that it isn't routing the packets
>    through as the apx doesn't seem to be answering arp requests for the
>    dialled in IP.
>    Advice on where to look next?
>
> Many thanks for any pointers anyone can provide.
>
> Regards,
>
> Paul Gregg.
>
> PS. What's a good IRC channel for ascend users? [Can't find one on efnet]
> --
> | Paul Gregg			|T: +44 (0) 28 90424190
> | Technical Director		|F: +44 (0) 28 90424709
> | The Internet Business Ltd	|W: http://www.tibus.com
> | Holywood House, Innis Court	|E: info at tibus.com
> | Holywood, Co Down, BT18 9HF	|P: pgregg at tibus.com
>
> ++ Ascend Users Mailing List ++
> To unsubscribe:	send unsubscribe to ascend-users-request at bungi.com
> To get FAQ'd:	<http://www.nealis.net/ascend/faq>
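
The CLID-Auth-Mode rules quoted from the manual extract in this thread, written out as a decision function so the modes can be compared for one call. This is an added example, not code from either poster or from TAOS; the function names, parameter names and outcome strings are made up here, and a RADIUS reject is modelled as "CLID does not match".

```python
# Added illustration: outcomes of CLID-Auth-Mode as worded in the manual extract.
# Function names, parameters and outcome strings are assumptions of this sketch.

def clid_outcome(mode, clid_present, clid_matches=False,
                 radius_responded=True, require_auth=False):
    """Return what the extract says the unit does with an incoming call.

    clid_matches: CLID matched a calling number in a Connection profile or
    RADIUS user profile (a RADIUS reject is modelled here as "no match").
    require_auth: matching RADIUS profile sets Ascend-Require-Auth = Require-Auth.
    """
    mode = mode.lower()
    if mode == "ignore":
        return "no-clid-check"
    if mode == "clid-first":
        # A failed or missing CLID never drops the call in this mode.
        if clid_present and clid_matches:
            return "clid-authenticated"
        return "password-auth"
    if mode == "clid-prefer":
        if not clid_present:
            return "send-auth-mode"
        # Encapsulation-protocol failure after a match (also a drop) is not modelled.
        return "clid-authenticated" if clid_matches else "drop-call"
    if mode == "clid-require":
        if not (clid_present and clid_matches):
            return "not-answered"
        return "clid-then-password" if require_auth else "clid-authenticated"
    if mode == "clid-fallback":
        if not clid_present:
            return "not-answered"
        if not radius_responded:
            return "answer-defaults-auth"
        # The extract does not say what happens on a mismatch in this mode.
        return "clid-authenticated" if clid_matches else "unspecified-in-extract"
    raise ValueError("unknown CLID-Auth-Mode: %r" % mode)


def compare_modes(clid_present, clid_matches, require_auth=False):
    """Outcome of one call under every mode, for side-by-side review."""
    modes = ("ignore", "clid-first", "clid-prefer", "clid-require", "clid-fallback")
    return {m: clid_outcome(m, clid_present, clid_matches,
                            require_auth=require_auth) for m in modes}


if __name__ == "__main__":
    # Constructed cases: a rejected number, then a known number with Require-Auth.
    for label, args in (("rejected CLID", (True, False)),
                        ("matching CLID", (True, True, True))):
        print(label, compare_modes(*args))
```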
