I am setting up a radius server using Microsoft's IAS.  I can authenticate
using PAP only.
I have gone through the list archives and found some config information.  I
entered this additional setting: "VALUE Ascend-Auth-Type = Auth-MS-CHAP"
This gives the same result: I can only authenticate using PAP.  If I disable
PAP on the radius server all tries result in Bad Password.


These are the other settings in the profile:


User-Service = Framed-User, Framed-Protocol = PPP,
Framed-Netmask = 255.255.255.255, 
Ascend-Assign-IP-Pool = 1,
Ascend-Route-IP = Route-IP-Yes,
Ascend-Idle-Limit = 1200, 
VALUE Ascend-Auth-Type = Auth-MS-CHAP,


As far as I can tell the settings on the radius server are correct.  Is
there anything on the MAX that can be checked?

Thanks,

Dave Rosette 
Information Systems 
Sycamore Networks 
150 Apollo Drive 
Chelmsford, MA 01824 
Direct: 978-367-7379


> > From: Joel Wittenberg <joelw at ascend.com>
> > Date: Tue, 21 Dec 1999 14:42:51 -0800
> > Subject: Re: (ASCEND) MS-CHAP, radius authentication question
> > 
> > 
> > The problem is that MS clients will try to negotiate MS-Chap, and if you
> > have some (MS) clients which need to use MS-Chap, and some which don't,
> > then you need to set the Answer profile to support MS-Chap, however, then
> > all of your MS clients will successfully negotiate for MS-Chap. However,
> > if you can reasonably support doing DNIS or CLID authentication in
> > addition to name/pwd auth then you can use the Ascend-Auth-Type VSA to
> > indicate the type of name/pwd (PPP) auth to use, overriding the ANSWER
> > profile selection.
> > 
> > What this means is that the NAS will not allow LCP to negotiate for any
> > profile not allowed by the Ascend-Auth-Type VSA; therefore the attempt by
> > the MS client to negotiate MS-Chap will be foiled if the DNIS/CLID auth
> > returns e.g., Auth-CHAP (so the NAS will negotiate for CHAP and the MS
> > client will agree). Since CHAP rather than MS-CHAP will be used, any
> > normal Radius server should be able to authenticate such a call.
> > 
> > If you can separate your MS clients into 2 groups (MS-CHAP and CHAP) and
> > give them separate numbers to call, then DNIS auth would be a good choice;
> > alternatively you can use CLID auth, but that will require all of your MS
> > clients to supply CLID (or just the CHAP or just the MS-CHAP ones, if you
> > configure for clid-auth-mode = CLID-prefer).
> > 
> > I'm not sure which branches have this capability (I believe 7.0V and 8.0
> > branches, possibly other 7.X branches as well) - check with Ascend support.
> > 
> > #
> > # Specify the type of auth to use. Initially intended to specify the type
> > # of receive authentication, but could also be used to specify the type
> > # of send authentication; if adopted for this use we could then obsolete
> > # the Ascend-Send-Auth attribute. The Ascend-Auth-Type attribute values
> > # are similar to the Ascend-Send-Auth values but are named in such a way
> > # as to allow their use for either send or receive auth.
> > #
> > # Note that this attribute uses the same id as an RFC assigned
> > # attribute and therefore must be used only as a VSA.
> > #
> > ATTRIBUTE Ascend-Auth-Type 81 integer
> > 
> > # Ascend Auth Values
> > 
> > VALUE Ascend-Auth-Type Auth-None 0
> > VALUE Ascend-Auth-Type Auth-Default 1
> > VALUE Ascend-Auth-Type Auth-Any 2
> > VALUE Ascend-Auth-Type Auth-PAP 3
> > VALUE Ascend-Auth-Type Auth-CHAP 4
> > VALUE Ascend-Auth-Type Auth-MS-CHAP 5
> > 
> > If values other than those just enumerated are passed from Radius to
> > the NAS then the NAS will use the configured default (either the
> > answer profile [if use-answer-as-default is yes] or else the factory
> > default) instead of attempting to use the returned value.
> > 
> > Sample Radius Use:
> > 3831 Password = "Ascend-CLID", Service-Type = Dialout-Framed-User,
> > Ascend-Require-Auth = Require-Auth,
> > Ascend-Auth-Type = Auth-PAP
> > 
> > 
> > So this would allow you to specify e.g., Auth-CHAP based on CLID
> > authentication, even though the normal Answer setting would have the NAS
> > allow the connection to negotiate for MS-CHAP. Note that the service type
> > is on the first line (important to prevent someone from dialing in and
> > specifying their name/pwd as "3831"/"Ascend-CLID") and that you MUST
> > return the Ascend-Require-Auth = Require-Auth if you wish to proceed to
> > use name/pwd auth.
> > 
> > Hope this helps,
> > 
> > /joeli
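
Added example, not part of either message: how the Ascend-Auth-Type value from the quoted dictionary entry travels as a RADIUS Vendor-Specific attribute, and the fallback the reply describes for values outside 0-5. The vendor ID 529 and the attribute layout come from IANA and RFC 2865 rather than this thread; `configured_default` and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type that wraps every VSA
ASCEND_VENDOR_ID = 529    # Ascend's IANA enterprise number (not stated in the thread)
ASCEND_AUTH_TYPE = 81     # vendor type from the quoted dictionary entry

AUTH_VALUES = {0: "Auth-None", 1: "Auth-Default", 2: "Auth-Any",
               3: "Auth-PAP", 4: "Auth-CHAP", 5: "Auth-MS-CHAP"}

def encode_auth_type(value):
    """Build the Vendor-Specific attribute that carries Ascend-Auth-Type."""
    sub = struct.pack("!BBI", ASCEND_AUTH_TYPE, 6, value)  # vendor type, vendor length, integer
    body = struct.pack("!I", ASCEND_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def find_auth_type(attrs):
    """Walk a reply's attribute bytes; return the raw Ascend-Auth-Type or None."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        data = attrs[i + 2:i + alen]
        # Only a type-26 wrapper with Ascend's vendor ID counts. A bare
        # attribute 81 is the RFC-assigned attribute and must be ignored.
        if atype == VENDOR_SPECIFIC and len(data) >= 10:
            vendor = struct.unpack("!I", data[:4])[0]
            vtype, vlen = data[4], data[5]
            if vendor == ASCEND_VENDOR_ID and vtype == ASCEND_AUTH_TYPE and vlen == 6:
                return struct.unpack("!I", data[6:10])[0]
        i += alen
    return None

def effective_auth(attrs, configured_default="Auth-Any"):
    """Model the described NAS behaviour: unknown or absent values fall back
    to the configured default (hypothetical stand-in for the answer profile)."""
    return AUTH_VALUES.get(find_auth_type(attrs), configured_default)

# Constructed sample: Service-Type = Framed (6, len 6, value 2) + Auth-CHAP VSA
SAMPLE_REPLY = bytes.fromhex("060600000002") + encode_auth_type(4)
# Constructed sample: bare attribute 81 with value 5, not wrapped in a VSA
BARE_ATTR_81 = bytes.fromhex("510600000005")

if __name__ == "__main__":
    print(encode_auth_type(4).hex(), effective_auth(SAMPLE_REPLY))
```

Comparing the hex this prints against a packet capture of the server's Access-Accept shows whether the server is sending the value as an Ascend VSA or as a plain attribute 81.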