Ascend Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: (ASCEND) CHAP, PAP presentation order
In message <B0001954070@148.185.175.58>, "Denning, Richard" writes:
>This problem also occurs with token cards as the response must not be
>CHAP'd (which will occur by default) as the token servers need the
>original passcode. We attach a short script to the windows dial-up
>which forces PAP authentication. The only problems this introduces are
>firstly administrative in getting the script onto all the PCs and
>secondly ISDN must use V.120 so it is restricted to single channel. I
>have looked in detail at Ascend and there is no way to change its
>standard operation (as far as I can see) and I agree with other comments
>that it would open a security hole if there was. I have also looked at
>both Windows 95 and NT to see if CHAP can be disabled - and it can't as
>far as I can tell. Bottom line, if you need both PAP and CHAP on the
>Ascend then you need a script. If someone has a better solution I would
>love to know.
So would I, because I _know_ that a better solution is out there--I'm
just having a hell of a time finding out what that solution is,
exactly. I've dialed into several GTE/BBN and UUNET POPs (and I know
they use MAX TNTs) and seen the following behaviour:
GTE/BBN: Can use a script; if no script is used, requests PAP first,
then CHAP.
UUNET: When dialing in with an analog modem, must use a script for
PAP; if no script used, then requests CHAP first. *However*, for some
reason, when dialing in using ISDN the NAS requests PAP first. (This
is weird!)
--Michael
Michael S. Fischer <otterley@iPass.COM>
|\ Sr. Systems/Network Administrator, iPass Inc. _O_
| require Std::Disclaimer; |
() Voice: +1 650 944 0333 FAX: +1 650 237 7321 |
"From the bricks of shame is built the hope"--Alan Wilder
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>