Ascend was using a proprietary encryption algorithm which was munging passwords greater than 16 characters in length. Changing to vendor-specific will indeed address this issue, however you must make sure that you update your dictionaries and client-types to use Ascend-VSA, as old vendor extended attributes of value 92 or greater will no longer be applied unless they are encapsulated within the vendor-specific attribute of type 26. I suggest shying away from the 16-bit-vendor-specific option on the TNTs and choosing the RFC-compliant vendor-specific choice instead.

-Nick

# If you got two copies, I apologize. I was told to trim all the signature nonsense and resend.

At 11:43 AM 6/4/2002 -0700, Joe Max wrote:
>There is a well-known incompatibility in the encoding of the Password
>attribute with the RFC if you use auth-radius-compat = old-ascend. It is
>noticeable with some passwords more than others.
>
>If you haven't done so already, try changing this to either
>'vendor-specific' or '16-bit-vendor-specific'. You will need to adjust
>your radius server as well since all Ascend attributes will need to be
>sent with vendor id = 529.
>
>
>>From: Stephen Hovey <shovey at buffnet.net>
>>To: Jason Straight <jason at blazeconnect.net>
>>CC: ascend-users at max.bungi.com
>>Subject: Re: (ASCEND) LAN security error, username [MBID 21]
>>Date: Mon, 3 Jun 2002 14:20:08 -0400 (EDT)
>>
>>
>>I've had similar weirdness, where if I went and re-assigned the user the
>>SAME password (we have it set where radius uses unix for password
>>verification), it would work fine again. To me this smells like a crypt
>>bug in one or more places.
>>
>>On Mon, 3 Jun 2002, Jason Straight wrote:
>>
>> > From syslog:
>> > LAN security error, username [MBID 21]
>> >
>> > From radius.log:
>> > Error: Acct: Invalid STOP record. [] STOP record but zero session length?
>> >
>> > Can anyone tell me what this means? I'm getting this now and then on a few
>> > accounts and of course the user cannot login. I also get the accompanying
>> > stop record with zero length error in radius logs after the connection.
>> >
>> > The connection is established, IP# and DNS are assigned and then the
>> > connection drops before allowing any traffic to pass.
>> >
>> >
>> > The last user it happened to I was able to reboot the NAS and he could then
>> > login. The odd part is that it was happening to him based on user account.
>> > His username/pwd would yield the same results when we tried from his windows
>> > box, or my linux. Both could log in with my username which has the same
>> > radius check and reply options.