Re: (ASCEND) Using ID Auth to use PAP/CHAP first then CLID?

To: Neil Movold <nmlist@logic.bm>
Subject: Re: (ASCEND) Using ID Auth to use PAP/CHAP first then CLID?
From: Phillip Vandry <vandry@Mlink.NET>
Date: Tue, 1 Jun 1999 15:16:18 -0400 (EDT)
cc: ascend-users@bungi.com
In-reply-to: Your message of "Tue, 01 Jun 1999 14:50:56 EDT." <Pine.OSF.4.10.9906011436070.10802-100000@stormy.ibl.bm>
Sender: owner-ascend-users@max.bungi.com

> I have been using CLID for some time now with great success with our
> Radius Servers.  However, I have come across a situation that I cannot
> seem to figure out if there is any way to make the MAXen re-order the
> radius accounting packets.
> 
> Here is what I see happening today :
> 
> 1) call comes into the MAX
> 2) with ID Auth set to Prefer or First (for 6.1.24 and later)
>    the CALLID value is used as the username and passed in a
>    radius packet to the Radius server
> 3) the username=CALLID is checked in the local profiles
> 4) if a match is made, then an ACK is sent back to the NAS
>    and the call is accepted
> 5) if no match is made to the CALLID, then a NAK is sent to 
>    the NAS and the call is rejected
> 6) if a NAK is received by the NAS for CALLID authentication, then
>    PAP/CHAP authentication is attempted with the Radius Server
> 7) if a match is made, then an ACK is sent back to the NAS and
>    the call is allowed to connect
> 8) if no match is made, then a NAK is sent back to the NAS and
>    the call is rejected
> 
> This all works great, except for one problem.  What if a user calls in
> with the appropriate CALLID, but wants to authenticate with username and
> login?  This is requested by some of our users for accounting reasons so
> that allocation of usage is done correctly.  So, the way I see it
> happening is to get the MAXen to reverse the order from CALLID then PAP to
> PAP then CALLID.

CLID will always happen first, because it happens before the call is even
connected. i.e., if the call is rejected based on Caller ID, then the call
will never even connect to the Max (the user probably gets a BUSY signal).

I think that if you accept the call based on caller ID, but the ACK
contains "Ascend-Requite-Auth = Require-Auth", then the Max can be
forced to request PPP authentication in addition. By default the CLID
will be considered to have been sufficient.

-Phil
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Follow-Ups:
- (ASCEND) MRTG
  - From: "David Latter" <dl@river.net.au>

References:
- (ASCEND) Using ID Auth to use PAP/CHAP first then CLID?
  - From: Neil Movold <nmlist@logic.bm>

Prev by Date: Re: (ASCEND) Frequent Disconnects
Next by Date: Re: (ASCEND) New Ascend code
Prev by thread: (ASCEND) Using ID Auth to use PAP/CHAP first then CLID?
Next by thread: (ASCEND) MRTG
Index(es):
- Date
- Thread