Ascend was using a proprietary encryption algorithm which was munging 
passwords greater than 16 characters in length. Changing to vendor-specific 
will indeed address this issue, however you must make sure that you update 
your dictionaries and client-types to use Ascend-VSA, as old vendor 
extended attributes of value 92 or greater will no longer be applied unless 
they are encapsulated within the vendor-specific attribute of type 26.

I suggest shying away from the 16-bit-vendor-specific option on the TNTs 
and choose the RFC-compliant vendor-specific choice instead.

-Nick

# If you got two copies, I apologize.  I was told to trim all the signature 
nonsense and resend.



At 11:43 AM 6/4/2002 -0700, Joe Max wrote:
>There is a well-known incompatibility in the encoding of the Password 
>attribute with the RFC if you use auth-radius-compat = old-ascend. It is 
>noticeable with some passwords more than others.
>
>If you haven't done so already, try changing this to either 
>'vendor-specific' or '16-bit-vendor-specific'. You will need to adjust 
>your radius server as well since all Ascend attributes will need to be 
>sent with vendor id = 529.
>
>
>>From: Stephen Hovey <shovey at buffnet.net>
>>To: Jason Straight <jason at blazeconnect.net>
>>CC: ascend-users at max.bungi.com
>>Subject: Re: (ASCEND) LAN security error, username [MBID 21]
>>Date: Mon, 3 Jun 2002 14:20:08 -0400 (EDT)
>>
>>
>>I've had similar weirdness, where if I went and re-assigned the user the
>>SAME password  (we have it set where radius uses unix for password
>>verification), it would work fine again.  To me this smells like a crypt
>>bug in one or more places.
>>
>>On Mon, 3 Jun 2002, Jason Straight wrote:
>>
>> > From syslog:
>> > LAN security error, username [MBID 21]
>> >
>> > From radius.log:
>> > Error: Acct: Invalid STOP record. [] STOP record but zero session length?
>> >
>> > Can anyone tell me what this means? I'm getting this now and then on a few
>> > accounts and of course the user cannot login. I also get the accompanying
>> > stop record with zero length error in radius logs after the connection.
>> >
>> > The connection is established, IP# and DNS are assigned and then the
>> > connection drops before allowing any traffic to pass.
>> >
>> >
>> > The last user it happened to I was able to reboot the NAS and he could
>> > then login. The odd part is that it was happening to him based on user
>> > account. His username/pwd would yield the same results when we tried
>> > from his windows box, or my linux. Both could log in with my username
>> > which has the same radius check and reply options.
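
Added example, not part of the original thread or any poster's code: RFC 2865 User-Password hiding, including the block chaining that only comes into play for passwords over 16 characters, plus the type 26 Vendor-Specific wrapping with vendor id 529. The `chained=False` path is a hypothetical non-compliant encoder used only to show the failure pattern; it is not claimed to be Ascend's old algorithm, and the shared secret, authenticator and vendor type 200 used with it are constructed sample values.

```python
import hashlib
import struct

ASCEND_VENDOR_ID = 529  # vendor id named in the thread


def hide_password(password, secret, authenticator, chained=True):
    """Encode User-Password per RFC 2865 section 5.2.

    chained=False is a HYPOTHETICAL broken encoder that keys every 16-octet
    block with the Request Authenticator instead of the previous ciphertext.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    data = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(data[i:i + 16], key))
        out += block
        if chained:
            prev = block  # RFC: next key is MD5(secret + previous ciphertext)
    return out


def reveal_password(hidden, secret, authenticator):
    """RFC-compliant server-side decoding of a hidden User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_vsa(vendor_id, vendor_type, value):
    """Wrap one vendor attribute in RFC 2865 attribute 26 (Vendor-Specific)."""
    if len(value) > 247:
        raise ValueError("value too long for a single attribute")
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([26, len(body) + 2]) + body
```

With a compliant server, a password of 16 octets or fewer decodes correctly from either encoder, while a longer one decodes correctly only when the blocks are chained, which matches the "some passwords more than others" symptom.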
