In article <3ACE4734.63E5D909 at lucentradius.com> you wrote: >> >> However, as before the APX establishes the connection as soon as negotiation >> is complete without requiring any authentication. > > Ensure that the RADIUS server and APX are in the same mode (OLD/VSA/16-Bit). If > the APX and server are in different modes the attributes will be ignored. Hi all (again), I've got the box (almost) up and running, however I'm still having the following problem: I want to use CLID authentication prior to picking up the call - purely to Reject abusers of our network (as a Free ISP, we get lots). Otherwise I want the call to be picked up and authenticated via normal PAP. It looks like I should use CLID-Prefer, but as I can only return an Accept or Reject from RADIUS the APX is assuming the caller is already authenticated and going straight to LCP / IPCP and logging them in with the username of their CLID. I found (after spending many days searching the web) a post by Joel Wittenburg at http://www2.real-time.com/rte-ascend/1999/Dec/msg00167.html which seems to suggest all I need. However, this doesn't make any difference: I have ensured that the APX is in VSA mode: set rad-auth-client auth-radius-compat = vendor-specific set rad-acct-client acct-radius-compat = vendor-specific set rad-auth-server auth-radius-compat = vendor-specific My Radius server is Radiator and am using the Ascend dictionary (with a few manual mods to make it compatible with the attributes the Portmaster expects, e.g. Framed-Address - > Framed-IP-Address). The Radius server by default handles the VSAs I have added Joel's suggested Attribute Ascend-Auth-Type 81 and the Values into my dictionary file and setup the DEFAULT user in my users file (In Radiator, I use Handlers, so Call-Check / CLID checking uses a file called users.call-check which is different from normal user authentication). In users.call-check I have: DEFAULT Service-Type = Call-Check, NAS-Identifier = "212.108.64.104" Ascend-Require-Auth = Require-Auth, Ascend-Auth-Type = Auth-PAP DEFAULT Service-Type = Call-Check, NAS-Identifier = "212.108.64.100" DEFAULT Service-Type = Call-Check, NAS-Identifier = "212.108.64.101" .104 is the APX, 100/101 is PM4. And it appears to work - Radiator logs show that in the CLID check the APX gets the correct response back. The APX cheerfully ignores it :-( Anyone have any advice on where to go next? Paul. PS. Relevent sections of my config are below: new ANSWER-DEFAULTS set clid-auth-mode = clid-prefer set clid-selection = secure-prefer set ppp-answer receive-auth-mode = pap-ppp-auth set ip-answer assign-address = yes set session-info idle-timer = 1800 set session-info max-call-duration = 360 write -f new EXTERNAL-AUTH set auth-type = RADIUS set acct-type = radius set rad-auth-client auth-server-1 = x.x.x.x set rad-auth-client auth-port = 1645 set rad-auth-client auth-key = xxxxxxxx set rad-auth-client auth-timeout = 5 set rad-auth-client auth-radius-compat = vendor-specific set rad-auth-client auth-keep-user-name = keep-realm-name set rad-auth-client allow-auth-config-rqsts = no set rad-acct-client acct-server-1 = y.y.y.y set rad-acct-client acct-port = 1646 set rad-acct-client acct-key = yyyyyyyy et rad-acct-client acct-timeout = 5 set rad-acct-client acct-radius-compat = vendor-specific set rad-auth-server auth-radius-compat = vendor-specific write -f ; new TERMINAL-SERVER set enabled = yes set security-mode = full set terminal-mode-configuration system-password = xxxxxx set terminal-mode-configuration banner = "* * * The Internet Business Ltd * * *" set ppp-mode-configuration ppp = yes set ppp-mode-configuration delay = 1 write -f ; new IP-GLOBAL set domain-name = tibus.net set dns-primary-server = 212.108.64.5 set dns-secondary-server = 212.108.64.27 set system-ip-addr = 212.108.64.104 set must-accept-address-assign = yes set pool-summary = yes set pool-base-address 1 = 212.108.67.192 set assign-count 1 = 63 set rarp-enabled = yes set telnet-password = xxxxxxxx set shared-prof = yes set client-primary-dns-server = 212.108.64.27 set client-secondary-dns-server = 212.108.64.6 set ignore-icmp-redirects = yes set tcp-syn-flood-protect = yes write -f -- | Paul Gregg |T: +44 (0) 28 90424190 | Technical Director |F: +44 (0) 28 90424709 | The Internet Business Ltd |W: http://www.tibus.com | Holywood House, Innis Court |E: info at tibus.com | Holywood, Co Down, BT18 9HF |P: pgregg at tibus.com ++ Ascend Users Mailing List ++ To unsubscribe: send unsubscribe to ascend-users-request at bungi.com To get FAQ'd: <http://www.nealis.net/ascend/faq>