Real Time Ascend Mailing List Archive
Re: (ASCEND) MS-CHAP, radius authentication question
- To: ascend-users@max.bungi.com
- Subject: Re: (ASCEND) MS-CHAP, radius authentication question
- From: Joel Wittenberg <joelw@ascend.com>
- Date: Tue, 21 Dec 1999 14:42:51 -0800
- In-Reply-To: <199912210645.WAA16094@max.bungi.com>; from owner-ascend-users-digest@max.bungi.com on Mon, Dec 20, 1999 at 10:45:01PM -0800
- References: <199912210645.WAA16094@max.bungi.com>
- Sender: owner-ascend-users@max.bungi.com
The problem is that MS clients will try to negotiate MS-Chap, and if you
have some (MS) clients which need to use MS-Chap, and some which don't,
then you need to set the Answer profile to support MS-Chap, however, then
all of your MS clients will successfully negotiate for MS-Chap. However,
if you can reasonably support doing DNIS or CLID authentication in
addition to name/pwd auth then you can use the Ascend-Auth-Type VSA to
indicate the type of name/pwd (PPP) auth to use, overriding the ANSWER
profile selection.
What this means is that the NAS will not allow LCP to negotiate for any
profile not allowed by the Ascend-Auth-Type VSA; therefore the attempt by
the MS client to negotiate MS-Chap will be foiled if the DNIS/CLID auth
returns e.g., Auth-CHAP (so the NAS will negotiate for CHAP and the MS
client will agree). Since CHAP rather than MS-CHAP will be used, any
normal Radius server should be able to authenticate such a call.
If you can separate your MS clients into 2 groups (MS-CHAP and CHAP) and
give them separate numbers to call, then DNIS auth would be a good choice;
alternatively you can use CLID auth, but that will require all of your MS
clients to supply CLID (or just the CHAP or just the MS-CHAP ones, if you
configure for clid-auth-mode = CLID-prefer).
I'm not sure which branches have this capability (I believe 7.0V and 8.0
branches, possibly other 7.X branches as well) - check with Ascend support.
#
# Specify the type of auth to use. Initially intended to specify the type
# of receive authentication, but could also be used to specify the type
# of send authentication; if adopted for this use we could then obsolete
# the Ascend-Send-Auth attribute. The Ascend-Auth-Type attribute values
# are similar to the Ascend-Send-Auth values but are named in such a way
# as to allow their use for either send or receive auth.
#
# Note that this attribute uses the same id as an RFC assigned
# attribute and therefore must be used only as a VSA.
#
ATTRIBUTE Ascend-Auth-Type 81 integer
# Ascend Auth Values
VALUE Ascend-Auth-Type Auth-None 0
VALUE Ascend-Auth-Type Auth-Default 1
VALUE Ascend-Auth-Type Auth-Any 2
VALUE Ascend-Auth-Type Auth-PAP 3
VALUE Ascend-Auth-Type Auth-CHAP 4
VALUE Ascend-Auth-Type Auth-MS-CHAP 5
If values other than those just enumerated are passed from Radius to
the NAS then the NAS will use the configured default (either the
answer profile [if use-answer-as-default is yes] or else the factory
default) instead of attempting to use the returned value.
Sample Radius Use:
3831 Password = "Ascend-CLID", Service-Type = Dialout-Framed-User,
        Ascend-Require-Auth = Require-Auth,
        Ascend-Auth-Type = Auth-PAP
So this would allow you to specify e.g., Auth-CHAP based on CLID
authentication, even though the normal Answer setting would have the NAS
allow the connection to negotiate for MS-CHAP. Note that the service type
is on the first line (important to prevent someone from dialing in and
specifying their name/pwd as "3831"/"Ascend-CLID") and that you MUST
return the Ascend-Require-Auth = Require-Auth if you wish to proceed to
use name/pwd auth.
Hope this helps,
/joel
> ----------------------------------------------------------------------
>
> From: Lasse Andersson <lasse@netcraft.se>
> Date: Mon, 20 Dec 1999 20:18:03 +0100 (MET)
> Subject: (ASCEND) MS-CHAP, radius authentication question
>
> Hi,
>
> Can Ascend radius server 1.16 freeware version authenticate MS-CHAP requests
> from TNTs/proxy radius?
>
> Microsoft clients that do dial-out always use MS-CHAP and there seems to be
> no way to disable this in the client!
>
> So if an ISP/Telco's MAX TNTs are configured to support authentication
> protocols like PAP, CHAP and MS-CHAP, the authentication type becomes MS-CHAP
> when the Microsoft client connects.
>
> The TNT has to accept different authentication types in order to suit
> different customer demands.
>
> The TNT forwards the Microsoft client's MS-CHAP authentication request to
> proxy radius, which in turn forwards it to the right radius server (our radius
> server). The radius server then gets an authentication request for
> MS-CHAP authentication.
>
> We tried to use Ascend 1.16 (FreeWare version) to authenticate these MS-CHAP
> requests but could not get it to work.
>
> Probably the answer is that our software does not support MS-CHAP?
>
> I have looked in the documentation for several radius software packages but have
> seen very very few hints about MS-CHAP support.
> I have also asked around but I'm still confused, can anyone explain this or
> give examples of products to use (preferably easy migration to).
>
> It would be great to get the whole picture ...
>
> (The ISP/Telco running the TNTs are not willing to force PAP authentication
> for us because it affects their other customers.)
>
>
> Best Regards
>
> Lasse Andersson
>
--
joel wittenberg
InterNetworking Systems
joelw@lucent.com
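The decision Joel describes (CLID/DNIS lookup returns Ascend-Auth-Type, the NAS restricts what LCP may negotiate, unknown values fall back to the configured default, and Service-Type on the first line keeps the entry from matching an ordinary name/password login) can be walked through in code. The following is an added example, not code from the original post or from Ascend: it parses the dictionary fragment and the users-file entry quoted above and then models the NAS choice. The function names, the "Answer profile" representation as a set of protocol names, the factory-default set and the treatment of Auth-None/Auth-Default (not explained in the thread) are assumptions of this model.

```python
import re

# Dictionary fragment quoted in the thread (only the lines this model needs).
DICTIONARY = """\
ATTRIBUTE Ascend-Auth-Type 81 integer
VALUE Ascend-Auth-Type Auth-None 0
VALUE Ascend-Auth-Type Auth-Default 1
VALUE Ascend-Auth-Type Auth-Any 2
VALUE Ascend-Auth-Type Auth-PAP 3
VALUE Ascend-Auth-Type Auth-CHAP 4
VALUE Ascend-Auth-Type Auth-MS-CHAP 5
"""

# Users-file entry quoted in the thread: the first line carries the check
# items, the indented continuation lines carry the reply items.
USERS_ENTRY = """\
3831 Password = "Ascend-CLID", Service-Type = Dialout-Framed-User,
     Ascend-Require-Auth = Require-Auth,
     Ascend-Auth-Type = Auth-PAP
"""

# Assumption: which PPP protocols each recognised VSA value lets LCP offer.
# Auth-None and Auth-Default are not explained in the thread; this model
# treats them, and any value not in the dictionary, as "use the default".
VSA_ALLOWS = {
    "Auth-Any": frozenset({"PAP", "CHAP", "MS-CHAP"}),
    "Auth-PAP": frozenset({"PAP"}),
    "Auth-CHAP": frozenset({"CHAP"}),
    "Auth-MS-CHAP": frozenset({"MS-CHAP"}),
}
FACTORY_DEFAULT = frozenset({"PAP", "CHAP"})  # constructed value, not Ascend's

PAIR_RE = re.compile(r'\s*([\w-]+)\s*=\s*("([^"]*)"|[\w-]+)\s*,?')


def parse_dictionary(text):
    """Return {value-name: number} for every VALUE line of Ascend-Auth-Type."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["VALUE", "Ascend-Auth-Type"]:
            values[parts[2]] = int(parts[3])
    return values


def parse_pairs(text):
    """Yield (attribute, value) pairs from 'A = v, B = "w"' style text."""
    for m in PAIR_RE.finditer(text):
        value = m.group(3) if m.group(3) is not None else m.group(2)
        yield (m.group(1), value)


def parse_users_entry(text):
    """Split one users-file entry into (name, check_items, reply_items)."""
    lines = text.splitlines()
    name, _, rest = lines[0].partition(" ")
    check = dict(parse_pairs(rest))
    reply = {}
    for line in lines[1:]:
        reply.update(parse_pairs(line))
    return name, check, reply


def clid_entry_is_safe(check):
    """True when Service-Type is a check item (first line), so a dial-in user
    who types 3831 / Ascend-CLID as name/password does not match this entry."""
    return check.get("Service-Type") == "Dialout-Framed-User"


def select_auth(reply, client_prefers, answer_profile,
                use_answer_as_default=True, known_values=None):
    """Model the NAS decision after CLID/DNIS auth returned `reply`.

    Returns the protocol LCP ends up with, None when nothing the NAS allows
    is acceptable to the client, or "no-ppp-auth" when the reply lacks
    Ascend-Require-Auth = Require-Auth (no name/pwd auth follows).
    """
    if known_values is None:
        known_values = parse_dictionary(DICTIONARY)
    if reply.get("Ascend-Require-Auth") != "Require-Auth":
        return "no-ppp-auth"
    default = answer_profile if use_answer_as_default else FACTORY_DEFAULT
    vsa = reply.get("Ascend-Auth-Type")
    allowed = VSA_ALLOWS.get(vsa) if vsa in known_values else None
    if allowed is None:
        allowed = default          # unknown value: NAS uses the configured default
    for proto in client_prefers:   # an MS client tries MS-CHAP first
        if proto in allowed:
            return proto
    return None


if __name__ == "__main__":
    name, check, reply = parse_users_entry(USERS_ENTRY)
    answer = frozenset({"PAP", "CHAP", "MS-CHAP"})  # Answer profile allows all
    ms_client = ["MS-CHAP", "CHAP", "PAP"]
    print(name, clid_entry_is_safe(check), select_auth(reply, ms_client, answer))
```

With the quoted entry, an MS client that would otherwise land on MS-CHAP is steered to PAP; with no Ascend-Auth-Type in the reply the same client negotiates MS-CHAP against an Answer profile that permits it, which is the situation Lasse describes. Dropping Ascend-Require-Auth from the reply skips name/password auth entirely, so a reply that is meant to restrict the protocol must carry both attributes.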