I am testing using a win2K client.  I have tried several settings under the
security tab for the dialup connection.  This is the event that is triggered
when I try to authenticate.

Event Type:	Warning
Event Source:	IAS
Event Category:	None
Event ID:	2
Date:		5/18/2001
Time:		7:24:16 AM
User:		N/A
Computer:	NAVCE
Description:
User drosette was denied access.
 Fully-Qualified-User-Name = SYCAMORE\drosette
 NAS-IP-Address = 10.1.1.24
 NAS-Identifier = <not present> 
 Called-Station-Identifier = 2770
 Calling-Station-Identifier = 9782440103
 Client-Friendly-Name = MAX6000
 Client-IP-Address = 10.1.1.24
 NAS-Port-Type = Async
 NAS-Port = 20223
 Policy-Name = Radius attributes for Ascend NAS
 Authentication-Type = PAP
 EAP-Type = <undetermined> 
 Reason-Code = 66
 Reason = The user attempted to use an unauthorized authentication method.  

We have set the Ethernet/Answer/PPP Options/Recv Auth on the MAX to MS-CHAP
as suggested, and it still defaults to PAP.
Thanks to everyone for your help.  I am on the list digest so I can only see
the responses I have received directly.

Dave

-----Original Message-----
From: Alan Spicer [mailto:aspicer at ifxcorp.com]
Sent: Friday, May 18, 2001 10:07 AM
To: ascend-users at bungi.com; Rosette, David; Troy Settle;
pinerose at ix.netcom.com
Cc: Viraj Alankar; Juana Villa
Subject: RE: (ASCEND) CHAP fails on Radius server and MAX 6000
Importance: High


Ahhh! This man is on to something. Now I am remembering that Windows had
a setting that we had to have everyone change, which is why we had stuck
with PAP ... And I believe it was a setting not easy to find in Windows.

This was why there was a confusion between the Windows CHAP implementation
and certain Radius Servers.

Anyone have knowledge of where these settings are in MS Win 98, Win ME,
and Win 2000?

---
Alan G. Spicer - Network Administrator - CCNA
(aspicer at ifxcorp.com)
IFX Communications Ventures, Inc.
15050 N.W. 79 Court Suite 200
Miami Lakes, FL. 33016
(305) 512-1100 x 134 (512-1134)
Cell (305) 525-5914


-----Original Message-----
From: owner-ascend-users at max.bungi.com
[mailto:owner-ascend-users at max.bungi.com]On Behalf Of Troy Settle
Sent: Friday, May 18, 2001 7:32 AM
To: Rosette, David; ascend-users at bungi.com
Subject: RE: (ASCEND) CHAP fails on Radius server and MAX 6000



David,

First off, I dislike CHAP and have never even tried to use it, but here's a
couple things that may help:

On the Max, check the value of Ethernet/Answer/PPP Options/Recv Auth.  If
this is set to 'Either', try setting "use encrypted password" in the peer's
DUN settings.


HTH,

--
  Troy Settle
  Pulaski Networks
  540.994.4254


** -----Original Message-----
** From: owner-ascend-users at max.bungi.com
** [mailto:owner-ascend-users at max.bungi.com]On Behalf Of Rosette, David
** Sent: Thursday, May 17, 2001 4:03 PM
** To: 'ascend-users at bungi.com'
** Subject: (ASCEND) CHAP fails on Radius server and MAX 6000
**
**
** I am setting up a radius server using Microsoft's IAS.  I can authenticate
** using PAP only.
** I have gone through the list archives and found some config information.  I
** entered this additional setting: "VALUE Ascend-Auth-Type = Auth-MS-CHAP"
** This gives the same result: I can only authenticate using PAP.  If I disable
** PAP on the radius server all tries result in Bad Password.
**
**
** These are the other settings in the profile:
**
**
** User-Service = Framed-User, Framed-Protocol = PPP,
** Framed-Netmask = 255.255.255.255,
** Ascend-Assign-IP-Pool = 1,
** Ascend-Route-IP = Route-IP-Yes,
** Ascend-Idle-Limit = 1200,
** VALUE Ascend-Auth-Type = Auth-MS-CHAP,
**
**
** As far as I can tell the settings on the radius server are correct.  Is
** there anything on the MAX that can be checked?
**
** Thanks,
**
** Dave Rosette
** Information Systems
** Sycamore Networks
** 150 Apollo Drive
** Chelmsford, MA 01824
** Direct: 978-367-7379
**
**
** > > From: Joel Wittenberg <joelw at ascend.com>
** > > Date: Tue, 21 Dec 1999 14:42:51 -0800
** > > Subject: Re: (ASCEND) MS-CHAP, radius authentication question
** > >
** > >
** > > The problem is that MS clients will try to negotiate MS-Chap, and if you
** > > have some (MS) clients which need to use MS-Chap, and some which don't,
** > > then you need to set the Answer profile to support MS-Chap, however, then
** > > all of your MS clients will successfully negotiate for MS-Chap. However,
** > > if you can reasonably support doing DNIS or CLID authentication in
** > > addition to name/pwd auth then you can use the Ascend-Auth-Type VSA to
** > > indicate the type of name/pwd (PPP) auth to use, overriding the ANSWER
** > > profile selection.
** > >
** > > What this means is that the NAS will not allow LCP to negotiate for any
** > > profile not allowed by the Ascend-Auth-Type VSA; therefore the attempt by
** > > the MS client to negotiate MS-Chap will be foiled if the DNIS/CLID auth
** > > returns e.g., Auth-CHAP (so the NAS will negotiate for CHAP and the MS
** > > client will agree). Since CHAP rather than MS-CHAP will be used, any
** > > normal Radius server should be able to authenticate such a call.
** > >
** > > If you can separate your MS clients into 2 groups (MS-CHAP and CHAP) and
** > > give them separate numbers to call, then DNIS auth would be a good choice;
** > > alternatively you can use CLID auth, but that will require all of your MS
** > > clients to supply CLID (or just the CHAP or just the MS-CHAP ones, if you
** > > configure for clid-auth-mode = CLID-prefer).
** > >
** > > I'm not sure which branches have this capability (I believe 7.0V and 8.0
** > > branches, possibly other 7.X branches as well) - check with Ascend
** > > support.
** > >
** > > #
** > > # Specify the type of auth to use. Initially intended to specify the type
** > > # of receive authentication, but could also be used to specify the type
** > > # of send authentication; if adopted for this use we could then obsolete
** > > # the Ascend-Send-Auth attribute. The Ascend-Auth-Type attribute values
** > > # are similar to the Ascend-Send-Auth values but are named in such a way
** > > # as to allow their use for either send or receive auth.
** > > #
** > > # Note that this attribute uses the same id as an RFC assigned
** > > # attribute and therefore must be used only as a VSA.
** > > #
** > > ATTRIBUTE Ascend-Auth-Type 81 integer
** > >
** > > # Ascend Auth Values
** > >
** > > VALUE Ascend-Auth-Type Auth-None 0
** > > VALUE Ascend-Auth-Type Auth-Default 1
** > > VALUE Ascend-Auth-Type Auth-Any 2
** > > VALUE Ascend-Auth-Type Auth-PAP 3
** > > VALUE Ascend-Auth-Type Auth-CHAP 4
** > > VALUE Ascend-Auth-Type Auth-MS-CHAP 5
** > >
** > > If values other than those just enumerated are passed from Radius to
** > > the NAS then the NAS will use the configured default (either the
** > > answer profile [if use-answer-as-default is yes] or else the factory
** > > default) instead of attempting to use the returned value.
** > >
** > > Sample Radius Use:
** > > 3831 Password = "Ascend-CLID", Service-Type = Dialout-Framed-User,
** > > Ascend-Require-Auth = Require-Auth,
** > > Ascend-Auth-Type = Auth-PAP
** > >
** > >
** > > So this would allow you to specify e.g., Auth-CHAP based on CLID
** > > authentication, even though the normal Answer setting would have the NAS
** > > allow the connection to negotiate for MS-CHAP. Note that the service type
** > > is on the first line (important to prevent someone from dialing in and
** > > specifying their name/pwd as "3831"/"Ascend-CLID") and that you MUST
** > > return the Ascend-Require-Auth = Require-Auth if you wish to proceed to
** > > use name/pwd auth.
** > >
** > > Hope this helps,
** > >
** > > /joeli
** ++ Ascend Users Mailing List ++
** To unsubscribe:	send unsubscribe to ascend-users-request at bungi.com
** Archives: http://www.nexial.com/mailinglists/
**
**

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request at bungi.com
Archives: http://www.nexial.com/mailinglists/
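
The Ascend-Auth-Type encoding described in the quoted 1999 message, as an added example that is not part of the thread or Ascend's code: it packs the attribute as an RFC 2865 Vendor-Specific attribute and applies the stated fallback to the NAS default for a missing or unknown value. Vendor ID 529 (Ascend's IANA enterprise number), the function names and the sample replies are assumptions not taken from the thread.

```python
import struct

ASCEND_VENDOR_ID = 529   # assumption: Ascend's IANA enterprise number (not in the thread)
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
ASCEND_AUTH_TYPE = 81    # vendor type, from the quoted dictionary entry

AUTH_VALUES = {0: "Auth-None", 1: "Auth-Default", 2: "Auth-Any",
               3: "Auth-PAP", 4: "Auth-CHAP", 5: "Auth-MS-CHAP"}


def encode_auth_type(value: int) -> bytes:
    """Pack Ascend-Auth-Type as a Vendor-Specific attribute (RFC 2865, 5.26)."""
    sub = struct.pack("!BBI", ASCEND_AUTH_TYPE, 6, value)  # vendor type, length, integer
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ASCEND_VENDOR_ID) + sub


def effective_auth(attrs: bytes, nas_default: str) -> str:
    """Return the Ascend-Auth-Type name a reply selects, else nas_default.

    Per the quoted description, a value outside 0..5 (or no VSA at all)
    leaves the NAS on its configured default, e.g. the Answer profile.
    """
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) != 10:
            continue  # a bare attribute 81 lands here: it is not the Ascend VSA
        vendor, v_type, v_len, value = struct.unpack("!IBBI", body)
        if (vendor, v_type, v_len) == (ASCEND_VENDOR_ID, ASCEND_AUTH_TYPE, 6):
            return AUTH_VALUES.get(value, nas_default)
    return nas_default


# Constructed sample replies (not captured traffic).
SERVICE_TYPE_FRAMED = struct.pack("!BBI", 6, 6, 2)
REPLY_CHAP = SERVICE_TYPE_FRAMED + encode_auth_type(4)
REPLY_BARE_81 = SERVICE_TYPE_FRAMED + struct.pack("!BBI", 81, 6, 5)  # not a VSA
REPLY_UNKNOWN = encode_auth_type(9)

if __name__ == "__main__":
    for name, reply in [("vsa-chap", REPLY_CHAP), ("bare-81", REPLY_BARE_81),
                        ("unknown-value", REPLY_UNKNOWN)]:
        print(name, reply.hex(), effective_auth(reply, "Auth-MS-CHAP"))
```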