In article <3ACE4734.63E5D909 at lucentradius.com> you wrote:
>> 
>> However, as before the APX establishes the connection as soon as negotiation
>> is complete without requiring any authentication.
> 
> Ensure that the RADIUS server and APX are in the same mode (OLD/VSA/16-Bit). If
> the APX and server are in different modes the attributes will be ignored.

Hi all (again),

I've got the box (almost) up and running, however I'm still having the
following problem:

I want to use CLID authentication prior to picking up the call - purely
to Reject abusers of our network (as a Free ISP, we get lots).  Otherwise
I want the call to be picked up and authenticated via normal PAP.

It looks like I should use CLID-Prefer, but as I can only return an
Accept or Reject from RADIUS the APX is assuming the caller is already
authenticated and going straight to LCP / IPCP and logging them in with
the username of their CLID.

I found (after spending many days searching the web) a post by Joel Wittenburg
at http://www2.real-time.com/rte-ascend/1999/Dec/msg00167.html
which seems to suggest all I need.

However, this doesn't make any difference:

I have ensured that the APX is in VSA mode:
set rad-auth-client auth-radius-compat = vendor-specific
set rad-acct-client acct-radius-compat = vendor-specific
set rad-auth-server auth-radius-compat = vendor-specific

My Radius server is Radiator and I am using the Ascend dictionary (with a few
manual mods to make it compatible with the attributes the Portmaster expects,
e.g. Framed-Address -> Framed-IP-Address).
The Radius server by default handles the VSAs.

I have added Joel's suggested Attribute Ascend-Auth-Type 81 and the Values
into my dictionary file and set up the DEFAULT user in my users file
(In Radiator, I use Handlers, so Call-Check / CLID checking uses a
file called users.call-check which is different from normal user
authentication).

In users.call-check I have:
DEFAULT Service-Type = Call-Check, NAS-Identifier = "212.108.64.104"
        Ascend-Require-Auth = Require-Auth,
        Ascend-Auth-Type = Auth-PAP

DEFAULT Service-Type = Call-Check, NAS-Identifier = "212.108.64.100"
DEFAULT Service-Type = Call-Check, NAS-Identifier = "212.108.64.101"

.104 is the APX, 100/101 is PM4.

And it appears to work - Radiator logs show that in the CLID check the
APX gets the correct response back.

The APX cheerfully ignores it :-(

Anyone have any advice on where to go next?

Paul.

PS.
Relevant sections of my config are below:

new ANSWER-DEFAULTS
set clid-auth-mode = clid-prefer
set clid-selection = secure-prefer
set ppp-answer receive-auth-mode = pap-ppp-auth
set ip-answer assign-address = yes
set session-info idle-timer = 1800
set session-info max-call-duration = 360
write -f

new EXTERNAL-AUTH
set auth-type = RADIUS
set acct-type = radius
set rad-auth-client auth-server-1 = x.x.x.x
set rad-auth-client auth-port = 1645
set rad-auth-client auth-key = xxxxxxxx
set rad-auth-client auth-timeout = 5
set rad-auth-client auth-radius-compat = vendor-specific
set rad-auth-client auth-keep-user-name = keep-realm-name
set rad-auth-client allow-auth-config-rqsts = no
set rad-acct-client acct-server-1 = y.y.y.y
set rad-acct-client acct-port = 1646
set rad-acct-client acct-key = yyyyyyyy
set rad-acct-client acct-timeout = 5
set rad-acct-client acct-radius-compat = vendor-specific
set rad-auth-server auth-radius-compat = vendor-specific
write -f
;
new TERMINAL-SERVER
set enabled = yes
set security-mode = full
set terminal-mode-configuration system-password = xxxxxx
set terminal-mode-configuration banner = "* * *  The Internet Business Ltd  * * *"
set ppp-mode-configuration ppp = yes
set ppp-mode-configuration delay = 1
write -f
;
new IP-GLOBAL
set domain-name = tibus.net
set dns-primary-server = 212.108.64.5
set dns-secondary-server = 212.108.64.27
set system-ip-addr = 212.108.64.104
set must-accept-address-assign = yes
set pool-summary = yes
set pool-base-address 1 = 212.108.67.192
set assign-count 1 = 63
set rarp-enabled = yes
set telnet-password = xxxxxxxx
set shared-prof = yes
set client-primary-dns-server = 212.108.64.27
set client-secondary-dns-server = 212.108.64.6
set ignore-icmp-redirects = yes
set tcp-syn-flood-protect = yes
write -f

-- 
| Paul Gregg			|T: +44 (0) 28 90424190
| Technical Director		|F: +44 (0) 28 90424709
| The Internet Business Ltd	|W: http://www.tibus.com
| Holywood House, Innis Court	|E: info at tibus.com
| Holywood, Co Down, BT18 9HF	|P: pgregg at tibus.com

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request at bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
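
Added example, not part of the original post and not Radiator or APX code: one way to check a captured Call-Check Access-Accept for how Ascend-Auth-Type is encoded, either wrapped in a Vendor-Specific attribute (type 26) or sent as a plain top-level attribute number, which is the mode mismatch the quoted reply warns about. Attribute number 81 is the one given in the post; the Ascend vendor ID 529, the helper names, the attribute value and both sample packets are assumptions constructed for illustration.

```python
import struct

ASCEND_VENDOR_ID = 529              # assumption: Ascend's enterprise number
VENDOR_SPECIFIC = 26                # RFC 2865 Vendor-Specific attribute type
WATCHED = {81: "Ascend-Auth-Type"}  # attribute number 81 as given in the post


def parse_attrs(buf):
    """Yield (type, value) for each type/length/value attribute in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[i + 2:i + alen]
        i += alen


def classify(packet):
    """Return {name: 'vsa' | 'native'} for watched attributes in a reply."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    found = {}
    for atype, value in parse_attrs(packet[20:]):
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == ASCEND_VENDOR_ID:
                for sub, _ in parse_attrs(value[4:]):
                    if sub in WATCHED:
                        found[WATCHED[sub]] = "vsa"
        elif atype in WATCHED:
            # Plain number outside type 26; a NAS in VSA mode will not
            # read this as the Ascend attribute.
            found[WATCHED[atype]] = "native"
    return found


def _tlv(atype, value):
    return bytes([atype, len(value) + 2]) + value


def _accept(attrs):  # constructed Access-Accept with a zeroed authenticator
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs


_VAL = struct.pack("!I", 1)  # constructed placeholder value
SAMPLE_VSA = _accept(_tlv(26, struct.pack("!I", 529) + _tlv(81, _VAL)))
SAMPLE_NATIVE = _accept(_tlv(81, _VAL))
```

Run against the raw UDP payload of the server's reply: a result of 'native' while the APX is set to vendor-specific means the two ends disagree on encoding.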