Setting Up RADIUS Authentication
This chapter discusses how to configure the RADIUS server to authenticate MAX clients. This chapter contains:
This chapter discusses authentication only. It does not discuss how to configure RADIUS attributes to restrict user access to MAX features and services. For information on specifying the MAX features users can access, see Chapter 4, Setting Up WAN Connections in RADIUS.
Overview of RADIUS authentication
This section describes how the MAX uses RADIUS authentication when answering a call.
By default, when you require a profile for authentication, the MAX always checks for a Connection profile. If it cannot find one, it checks for a Password profile. If neither a Connection profile nor a Password profile exists, the MAX checks for a remote RADIUS, TACACS, or TACACS+ profile.
However, you can change this default by setting Local Profile First=No in the Ethernet > Mod Config > Auth menu. When Local Profile First=No, the MAX first looks for a remote profile. If it cannot find one, the MAX looks for a local Connection profile. If none exists, the MAX looks for a Password profile.
This section assumes that the MAX looks for a local profile first. For an incoming call, the MAX carries out these steps:
- Before the MAX answers a call, it checks its Answer profile to see whether either CLID
authentication or called-number authentication is required.
When CLID authentication is required, the caller's phone number must match a phone number specified in a local Connection profile or RADIUS user profile.When called-
number authentication is required, the number called must match a phone number is a local Connection profile or RADIUS user profile. Called-Number authentication is also known as Dialed Number Information Service (DNIS) authentication.
- If CLID authentication is required (Id Auth=Require in the Answer profile) or if called-
number authentication is required (Id Auth=Called Require in the Answer profile), the
MAX first looks for a matching phone number in a local Connection profile.
If one does not exist, it then looks for a matching phone number in a RADIUS user profile. If it cannot find the correct phone number, the MAX hangs up.
- If CLID or called-number authentication is not required (Id Auth=Prefer, Fallback, Ignore,
or Called Prefer in the Answer profile), or if the MAX finds a matching phone number in
a local Connection profile or RADIUS user profile, it answers the call.
- The MAX checks its other Answer profile settings.
- If the Answer profile specifies the type of link encapsulation the call uses, the MAX
continues checking Answer profile parameters.
If the Answer profile does not enable the type of link encapsulation the call uses, the MAX drops the call.
- The MAX checks the value of the Profile Reqd parameter in the Answer profile.
If Profile Reqd=Yes, the MAX must find a Connection profile, Password profile, RADIUS user profile, TACACS profile, or TACACS+ profile to authenticate the call.
- If a profile is required, the MAX checks to see whether the profile must contain a
matching user name and password.
These Answer profile settings require a matching name and password as a condition of authentication:
- Recv Auth=PAP, CHAP, MS-CHAP, or Either (for PPP, MP, and MP+ calls)
- Password Reqd=Yes (for Combinet calls)
- If name and password authentication is required, the MAX attempts to match the caller's
name and password to a local Connection profile.
If authentication succeeds using a local Connection profile, the MAX uses the parameters specified in the profile to build the connection.
- If it cannot find a matching Connection profile, the MAX looks for a Password profile.
If the MAX finds a Password profile, it uses the name and password in the Password profile and builds the connection using the settings in the Answer profile. The Password profile applies only to ARA, PPP, MP, MP+, and terminal server calls.
- If it cannot find a matching Password profile, the MAX looks for a RADIUS, TACACS,
or TACACS+ profile containing a matching name and password.
If authentication succeeds using a RADIUS user profile, the MAX uses the specified RADIUS attributes to build the connection. The MAX can then forward the call to its bridge/router or other destination. For example, the MAX might forward a terminal server call to a Telnet or TCP host.
If authentication succeeds using a TACACS or TACACS+ profile, the MAX must make a request to the server for information on the resources and services the user can access.
- If name and password authentication is not required (Recv Auth=None or Password
Reqd=No in the Answer profile), the MAX can match IP-routed PPP calls using the IP
address specified by the Connection profile.
- If the Answer profile does not require a profile (Profile Reqd=No), the MAX uses Answer
profile parameters to build the connection.
Overview of RADIUS authentication attributes
Table 3-1 summarizes the attributes you can use to set up RADIUS authentication. For more detail on these attributes, see Reference to RADIUS Attributes.
Table 3-1. RADIUS authentication attributes
Attribute
|
Description
|
Possible values
|
---|
Ascend-Ara-PW (181)
|
Indicates the password of the incoming caller over AppleTalk Remote Access (ARA).
|
Text string containing up to 20 characters. The default value is null.
If the caller is to be authenticated by a SecurID server and Auth=RADIUS/LOGOUT, the username must be "SecurID," and there must be no password.
|
Ascend-Authen-Alias (203)
|
Sets this MAX unit's login name during PPP authentication.
|
Text string containing up to 16 characters. The default is the value of the Name parameter in the System profile.
|
Ascend-Callback (246)
|
Enables or disables callback.
|
Callback-No (0) Callback-Yes (1)
The default value is Callback-No.
|
Ascend-CBCP-Enable (112)
|
Specifies how the MAX responds to requests by callers to support CBCP.
| - CBCP-Enabled (0)-Specifies that the MAX will positively acknowledge, during LCP negotiations, support for CBCP.
- CBCP-Not-Enabled (1)-Specifies that the MAX will reject any request to support CBCP.
|
Ascend-CBCP-Mode (113)
|
Specifies what method of callback the MAX offers the incoming caller.
| - CBCP-No-Callback (1)-Applies for Windows NT or Windows 95 clients who must not be called back. Because CBCP has been negotiated initially, the Windows clients must have validation from the MAX that no callback is used for this connection.
- CBCP-User-Callback (2)-Specifies that the caller will supply the number the MAX uses for the callback.
- CBCP-Profile-Callback (3)-Specifies that the MAX will use the number in Ascend-Dial-Number for the callback
- CBCP-User-Or-No (7)-Specifies that the caller has the option of either supplying the number to dial or specifying that no callback is used for the call. If no callback is chosen, the call will not be disconnected by the MAX.
|
Ascend-CBCP-Trunk-Group (115)
|
Assigns the callback to a MAX trunk group. This attribute is used only when the caller is specifying the phone number the MAX uses for the callback. The value in Ascend-CBCP-Trunk-Group is prepended to the caller-supplied number when the MAX calls back.
|
Specify a number between 4 and 9, inclusive. The default is 9.
|
Ascend-Dial-Number (227)
|
Specifies the phone number the MAX dials to reach the bridge, router, or node at the remote end of the link.
|
A telephone number containing up to 21 characters, limited to the following:
1234567890()[]!z-*#|
The MAX sends only the numeric characters to place a call. The default value is null.
|
Ascend-PW-Expiration (21)
|
Specifies an expiration date for the user's password.
|
A date in the format month day year.
The default is no expiration date.
|
Ascend-PW-Lifetime (208)
|
Indicates on a per-user basis the number of days that a password is valid.
|
Integer. The default is the value of Lifetime-In-Days from the Ascend dictionary.
|
Ascend-Require-Auth (201)
|
Indicates whether the MAX requires additional authentication after CLID authentication or called-number authentication. Called-number authentication is also known as Dialed Number Information Service (DNIS) authentication.
|
Not-Require-Auth (0) Require-Auth (1)
The default value is Not-Require-Auth.
|
Ascend-Receive-Secret (215)
|
Specifies a value that the RADIUS server uses to authenticate incoming calls from a user while his or her token is cached and alive. The cached token resides on the MAX during the initial security-card authentication process.
|
Text string containing up to 20 characters. The default value is null.
|
Ascend-Send-Auth (231)
|
Specifies the authentication protocol that the MAX requests when initiating a connection using PPP or MP+ encapsulation. The answering side of the connection determines which authentication protocol, if any, the connection uses.
|
Send-Auth-None (0) Send-Auth-PAP (1) Send-Auth-CHAP (2)
The default value is Send-Auth-None.
|
Ascend-Send-Passwd (232)
|
Specifies the password that the MAX sends to the remote end of a connection on outgoing calls.
|
Text string containing up to 20 characters. The default value is null.
|
Ascend-Send-Secret (214)
|
Specifies that the system encrypts the password when passing it between the RADIUS server and the MAX on outgoing calls.
|
Text string containing up to 20 characters. The default value is null.
|
Ascend-Token-Expiry (204)
|
Sets the lifetime of a cached token in minutes-that is, the lifetime of hand-held security card authentication.
|
Integer. The default value is 0 (zero). This setting specifies that token caching is not allowed.
|
Ascend-Token-Idle (199)
|
Specifies the maximum length of time in minutes a cached token can remain alive between authentications if a call is idle.
|
Integer. By default, the token remains alive until the value of Ascend-Token-Expiry is reached.
|
Ascend-Token-Immediate (200)
|
Establishes how RADIUS treats the password it receives from a login-user when the user profile specifies a hand-held security card server.
|
Tok-Imm-No (0) Tok-Imm-Yes (1)
The default value is Tok-Imm-No.
|
Caller-Id (31)
|
Specifies the calling party number, indicating the phone number of the user that wants to connect to the MAX.
|
A telephone number containing up to 37 characters, limited to the following:
1234567890()[]!z-*#|
The default value is null.
|
Challenge-Response (3)
|
Indicates the password that a Challenge Handshake Authentication Protocol (CHAP) user enters in response to a password challenge.
|
Alphanumeric string containing up to 252 characters. The default value is null.
|
Change-Password (17)
|
Specifies the expired password in an Access-Password-Request packet.
When a user specifies an expired password, RADIUS prompts the user for a new password. When the user enters the new password, the MAX sends an Access-Password-Request packet that contains both the old password (as the value of the Change-Password attribute), and the new password (as the value of the Password attribute).
|
Alphanumeric string containing up to 252 characters. This attribute has no default value, because it does not appear in a user profile.
|
Class (25)
|
Enables access providers to classify their user sessions, such as for the purpose of billing users depending on the service option they choose. The MAX sends the Class attribute in Access-Request packets under CLID authentication.
Suppose the MAX starts CLID authentication by sending an Access-Request packet and receives the Class attribute in an Access-Accept packet. If the MAX requires further authentication, it includes Class in the Access-Request packet.
|
Alphanumeric text string containing up to 253 characters. The default value is null.
|
Client-Port-DNIS (30)
|
Specifies the called-party number, indicating the phone number the user dialed to connect to the MAX. DNIS stands for Dialed Number Information Service. You use this attribute to set up called-number authentication, also known as DNIS authentication.
|
A telephone number containing up to 18 characters, limited to the following:
1234567890()[]!z-*#|
The default value is null.
|
Framed-Protocol (7)
|
Specifies the type of framed protocol allowed to the user.
|
PPP (1) SLIP (2) MPP (256) EURAW (257) EUUI (258) COMB (260) FR (261) ARA (262) FR-CIR (263)
By default, the MAX does not restrict the type of protocol a user can access.
|
NAS-Identifier (4)
|
Indicates the IP address of the MAX.
|
IP address in dotted decimal notation n.n.n.n/nn, where n is an integer between 0 and 255, and nn is a subnet mask between 8 and 32. The default value is 0.0.0.0/0.
|
NAS-Port (5)
|
Specifies the interface and service the session is using.
|
A 5-digit value in this format:
service line channel
The default value for the RADIUS daemon appears in the /etc/services/file.
|
Password (2)
|
Specifies the user's password. The RADIUS server uses this attribute to authenticate an inbound call using Password Authentication Protocol (PAP) or terminal server authentication.
|
Alphanumeric string containing up to 252 characters. The default value is null.
|
User-Name (1)
|
Specifies the user's name.
|
Alphanumeric string containing up to 252 characters. The default value is null.
|
User-Service (6)
|
Specifies the type of services the user can access.
|
Login-User (1) Framed-User (2) Dialout-Framed-User (5)
By default, the MAX does not restrict a user's access to services.
|
Specifying a user name
You can specify a user name using the Ascend-Authen-Alias and User-Name attributes, as described in Table 3-2.
Because the MAX uses the first matching name for an incoming caller, you must not specify a duplicate user name in any RADIUS user profile.
Setting the User-Name attribute
The following sections describe the specifications you can make for the User-Name attribute.
Using the caller's name
In most instances, the User-Name attribute specifies the name of the calling device or dial-in user. Consider this first line in a user profile:
Emma Password="pwd", Ascend-PW-Expiration="Jan 30 1997"
The user name is Emma. The RADIUS server tests the user's name and password against the values the user provides when making a request for access. If the RADIUS server does not find a match, it denies the request for access.
Using the caller's MAC address (for Combinet calls)
When Password Reqd=Yes in the Answer profile for a Combinet call, the MAX compares the caller's MAC address to the value of the User-Name attribute, and the value of the caller's password to the value of the Password attribute. When Password Reqd=No, the MAX uses the caller's MAC address only.
Consider this first line in a user profile:
000145CFCF01 Password="m2dan", User-Service=Framed-User
The user name is the MAC address 000145CFCF01.
Note that Combinet bridging cannot use PAP, CHAP, or MS-CHAP authentication. The MAX must use the caller's MAC address and password to authenticate calls.
Using the keyword Default
The RADIUS server uses the Default profile to determine the kind of access it grants to users who do not appear in the users file. You can configure only one Default profile. It must specify the user name Default, and it must be the last profile in the users file.
For example, this first line in a profile enables a terminal server user to log in using his or her UNIX account name or password:
Default Password="UNIX"
Make sure that the Default profile is last one in the file. RADIUS ignores any profiles that follow the Default profile.
Using the incoming phone number (for CLID authentication)
You can require RADIUS to authenticate incoming calls by checking the calling party's phone number. The RADIUS server performs Calling Line ID (CLID) authentication before enabling the MAX to answer an incoming call. You can thereby ensure that the call originates at a known location.
For complete information on configuring CLID authentication, see Setting up CLID authentication.
Using the called number (for called-number authentication)
Called-number authentication works much like CLID authentication, except that the MAX uses the number the remote end calls to authenticate the connection. The called number appears in an ISDN message as part of the call when Dialed Number Information Service (DNIS) is in use. Called-number authentication is also known as DNIS authentication.
For complete information on called-number authentication, see Setting up called-number authentication.
Using a keyword representing a pseudo-user profile
A pseudo-user profile contains information that the MAX can query. It does not exist for the purpose of authenticating a user. Rather, it enables you to specify static route configurations, Frame Relay profile information, bridging entries, and other types of data. For information on pseudo-user profiles, see one or more of the sections listed in Table 3-3.
Setting the Ascend-Authen-Alias attribute
When the MAX places an outgoing call, it identifies itself by a login name and password. The login name is either its system name (as specified by the Name parameter in the System profile) or the value you specify for the Ascend-Authen-Alias attribute.
This example uses the Ascend-Authen-Alias attribute in an outgoing profile:
Homer-Out Password="Ascend", User-Service=Dialout-Framed-User
User-Name="Homer",
Ascend-Authen-Alias="myMAXcallingU",
Ascend-Send-Auth=Send-Auth-PAP,
Ascend-Send-Secret="passwrd1",
Ascend-Dial-Number="31",
Framed-Protocol=PPP,
Framed-Address=10.0.100.1,
Framed-Netmask=255.255.255.0,
Ascend-Metric=2,
Framed-Routing=None,
Framed-Route="10.5.0.0/24 10.0.100.1 1",
Ascend-Idle-Limit=30
Specifying a password
A user profile-an entry in the RADIUS users file-must contain an encrypted password to authenticate the caller. You can specify a password using the attributes described in Table 3-4.
Setting the Password attribute
Table 3-5 lists the specifications you can make for the Password attribute.
Setting the Ascend-Send-Passwd and Ascend-Send-Secret attributes
When the MAX places an outgoing call, it identifies itself by a login name and password. The login name is either the system name (as specified by the Name parameter in the System profile) or the value you specify for the Ascend-Authen-Alias attribute. The password is the value of Send PW (in the local Connection profile) or the value of Ascend-Send-Passwd or Ascend-Send-Secret (in the outgoing RADIUS user profile).
This example uses the Ascend-Send-Secret attribute:
Homer-Out Password="Ascend", User-Service=Dialout-Framed-User
User-Name="Homer",
Ascend-Authen-Alias="myMAXcallingU",
Ascend-Send-Auth=Send-Auth-PAP,
Ascend-Send-Secret="passwrd1",
Ascend-Dial-Number="31",
Framed-Protocol=PPP,
Framed-Address=10.0.100.1,
Framed-Netmask=255.255.255.0,
Ascend-Metric=2,
Framed-Routing=None,
Framed-Route="10.5.0.0/24 10.0.100.1 1",
Ascend-Idle-Limit=30
Setting the Ascend-Ara-PW attribute
When you set up an ARA connection, you specify a User-Name and Password. Then, you set the Ascend-Ara-PW attribute to the same value specified by the Password attribute. The MAX requires both the Password and the Ascend-Ara-PW attributes. The ARA software in the Ascend unit uses DES to encrypt and decrypt the ARA password. If the caller is to be authenticated by a SecurID server and Auth=RADIUS/LOGOUT, the username must be "SecurID," and there must be no password.
For more information on configuring an ARA link, see Setting up an ARA connection.
Configuring password expiration
The Ascend RADIUS daemon supports password aging and expiration, and includes a method for enabling dial-in users to replace expired passwords. A dial-in user can replace expired passwords under these conditions:
The Ascend RADIUS daemon supports password aging and expiration using the attributes listed in Table 3-6.
To set up password expiration, follow these steps:
- On the first line of a RADIUS user profile, specify the Ascend-PW-Expiration attribute.
Ascend-PW-Expiration specifies an expiration date for a user's password in a user profile. Specify a date in the format month day year.
- For the month
specification, enter the first three letters of the month in which you want the password to expire. Or, you can specify the entire name of the month. The month must begin with a capital letter.
- For the day specification, enter one or more digits indicating a valid day of the month. The values 2, 02, 002, and 0021 are all valid, but 32 is not.
- For the year specification, enter a four-digit year. The year must start with the
number 19.
- Separate each part of the date specification using one or more spaces, tabs, or
commas.
You must specify Ascend-PW-Expiration when you first create a user and it must appear on the first line of the user profile. If it appears after the first line, RADIUS does not check the expiration date and could accept an expired password. Your specification might look like this one:
Emma Password="pwd", Ascend-PW-Expiration="Jan 1, 1997"
When the MAX makes an authentication request, the RADIUS server checks the current date against the value of Ascend-PW-Expiration. If the date of the authentication request is the same date or a later date than the value of Ascend-PW-Expiration, the user receives a message saying that the password has expired.
- On any line other than the first line of the user profile, set the Ascend-PW-Lifetime
attribute.
Ascend-PW-Lifetime specifies the number of days that a password is valid. Your specification might look like this one:
Emma Password="pwd", Ascend-PW-Expiration="Jan 1, 1997"
Ascend-PW-Lifetime=30.
...
Ascend-PW-Lifetime applies only to the process of renewing an expired password. When the user wants to renew the password, the MAX adds the value you specify for Ascend-PW-Lifetime to the current date and updates the user profile.
How Ascend-PW-Expiration and Ascend-PW-Lifetime work
If a password expires and the user resets it, the RADIUS server adds the value of
Ascend-PW-Lifetime to the date on which the user resets the password. The resulting date becomes the new value for Ascend-PW-Expiration.
For example, suppose that today's date is March 1, 1997 and these lines appear in a user profile:
Emma Password="pwd", Ascend-PW-Expiration="Jan 1, 1997"
Ascend-PW-Lifetime=30,
...
If the user resets the password today, the value of Ascend-PW-Expiration becomes today's date + Ascend-PW-Lifetime, or March 31, 1997.
If the password has not expired, the value of Ascend-PW-Lifetime is irrelevant. For example, suppose that today's date is January 1, 1997 and these lines appear in a user profile:
Emma Password="pwd", Ascend-PW-Expiration="Jan 15, 1997"
Ascend-PW-Lifetime=30
...
The password expires on January 15, 1997.
If Ascend-PW-Lifetime is absent, the value of Lifetime-In-Days determines the password duration. The Lifetime-In-Days value in the RADIUS dictionary is the default value for
Ascend-PW-Lifetime. By default, Lifetime-In-Days is 0 (zero). This value means that passwords do not expire.
Note: If you run the Ascend RADIUS daemon with a flat ASCII file, RADIUS accepts a
user's replacement for an expired password only if you start the daemon with the -p option. For
details, see Running the daemon with a flat ASCII users file. If you run the daemon in DBM
mode, RADIUS accepts a user's replacement for an expired password if you specify the -p
option, but does not recognize the new password until you rebuild the users file database by
running builddbm again. For information, see Creating the DBM database.
Changing a non-expired password
The MAX supports a password command that enables a RADIUS-authenticated terminal server user to change his or her password. To change a password, follow these steps:
- Enable password expiration in the user profile.
When you change a non-expired password, the MAX uses the same mechanism that enables you to enter a new password when an older one has expired. To enable password expiration, follow the instructions in Configuring password expiration.
- At the terminal server prompt, enter this command:
ascend% password
This text displays:
ascend% password
Enter old password:
Enter new password:
Re-type new password:
- At the
Enter
old password
prompt, specify the current password.
- At the
Enter
new password
and Re-type new password
prompts, enter the
new password.
The new password cannot be null, and must differ from the old password. If the password change is successful, this message displays:
Password Updated
If the update fails for any reason, this text displays:
Password NOT Changed
There is no indication of why the password change failed. You may have entered the old password incorrectly. Or, you might be trying to change a UNIX password. You cannot change a UNIX password using the password command, because a UNIX password does not reside in the RADIUS database.
Changing an expired password
When a user attempts to establish a terminal server connection using an expired password, these events take place:
- The MAX informs the user that the authentication failed because the password has
expired.
- The MAX prompts the user for a new password.
If the new password is null or matches the old password, the MAX prompts the user again for a new password.
If the new password is valid, the MAX asks the user to re-enter it for confirmation. If the two entries do not match, the MAX prompts again for a new password.
- After receiving a valid confirmation of the new password, the MAX contacts the RADIUS
server for acceptance of the new password.
If the RADIUS server accepts the new password, it reports the successful change.
If the RADIUS server rejects the new password, it informs the user and prompts again for a new password. The RADIUS server can reject the password change for any of these reasons:
Specifying the MAX unit's IP address
When the MAX sends an Access-Request packet, it uses the NAS-Identifier attribute to indicate its IP address to the RADIUS server. Table 3-7 describes this attribute.
NAS-Identifier example
In most cases, you never need to specify the NAS-Identifier attribute in a user profile.
However, you might want to specify it if multiple MAX units use a single RADIUS server, and you want to specify the MAX to which a particular user can connect. In this case, the NAS-Identifier value in the Access-Request packet and the NAS-Identifier value in the user profile must match for the RADIUS server to authenticate the connection. The NAS-Identifier value must appear in the first line of the user profile.
Suppose that the user Emma is allowed to dial into the MAX at IP address 200.65.212.46. The first line of the user profile might look like this one:
Emma Password="pwd", NAS-Identifier=200.65.212.46
Setting up the MAX for callback
There are two types of callback security: Ascend callback and Microsoft's callback security.
Ascend callback security
Callback security instructs the MAX to hang up and call back when it receives an incoming call. You can require callback to ensure that the MAX makes a connection with a known device. You can specify callback for switched lines only.
To set up the MAX for callback, use the attributes listed in Table 3-8.
To set up the MAX for callback, follow these steps:
- Set Ascend-Callback=Callback-Yes.
- Set Ascend-Dial-Number to the phone number of the remote device.
The MAX can also use the CLID in order to reach the remote end of the connection, if the CLID is available.
- Set Ascend-Send-Secret or Ascend-Send-Passwd.
Both of these attributes specify the password that the MAX sends to the remote end of a connection on outgoing calls. If the value you specify for Ascend-Send-Secret or Ascend-Send-Password does not match the remote end's value for Ascend-Receive-Secret (in a RADIUS user profile) or Recv PW (in a Connection profile), the remote system rejects the call.
Use Ascend-Send-Passwd only if your version of the MAX does not support Ascend-Send-Secret.
When you set Ascend-Callback=Callback-Yes, these events occur:
- The MAX hangs up after receiving an incoming call that matches the one specified in the
RADIUS user profile.
- The MAX then calls back the device at the remote end of the link using these values:
- The number specified by the Ascend-Dial-Number attribute or the CLID
- The password specified by Ascend-Send-Passwd or Ascend-Send-Secret
Note: If you set up a RADIUS user profile for callback and CLID-only authentication, the
MAX never answers the call. The caller can therefore avoid billing charges.
Callback example
Consider these lines from a user profile:
Emma Password="pwd"
Ascend-Callback=Callback-Yes,
Ascend-Dial-Number=555-1213,
Ascend-Send-Secret="mysecret",
...
When a user named Emma dials in, the MAX hangs up and calls the number 555-1213.
Microsoft's Callback Control Protocol (CBCP)
Microsoft developed CBCP to address a need for greater security with PPP connections. The standardized callback option defined in RFC 1570 has a potential security risk because the authentication is performed after the callback. CBCP callback like Ascend's proprietary callback, occurs after authentication, leaving no potential security hole.
CBCP also offers features not available with the standard callback defined in RFC 1570. The client side supports a configurable time delay to allow users to initialize modems or enable supportive software before the MAX calls the client. You can configure the MAX with a phone number to use for the callback, or you can configure it to allow the client to specify the phone number used for the callback.
Currently, Microsoft's Windows NT 4.0 and Windows 95 software support client-side authentication using CBCP. The MAX now supports a CBCP central-site solution.
Ascend's implementation of CBCP
CBCP is an option negotiated during the LCP negotiation of a PPP session. While support for CBCP is configured systemwide on the MAX, not every connection must negotiate its use. Parameters for configuring CBCP on the MAX are in the Answer Profile under Ethernet > Answer > PPP Options, and in each User Profile. The calling and called sides of a PPP session initiate authentication after acknowledging that CBCP is to be used.
Note: Currently, the MAX does not initiate LCP negotiation of CBCP. The MAX responds to
caller requests to configure CBCP.
The MAX employs the user name and password to link a caller with a specific RADIUS User profile. Configured CBCP parameters in that User profile specify variables for the callback. If, at any point, the client and the MAX disagree about any CBCP variables, the MAX drops the connection.
Both sides of the connection must agree on whether the callback phone number is supplied by the client or by the MAX. The trunk group parameter Ascend-CBCP-Trunk-Group, configured on the MAX, supplies a trunk group that is prepended to phone numbers supplied by the client.
Table 3-9
lists Microsoft's callback parameters on the MAX.
Negotiation of CBCP
Following are the steps from initial connection to MAX callback:
- Caller connects to MAX.
- LCP negotiations begin.
Caller and MAX must agree to use CBCP. Otherwise, the MAX terminates the connection.
- After successful LCP negotiation, both sides have acknowledged that CBCP will be used.
- Caller authenticates itself to the MAX. If authentication fails, the MAX terminates the
connection.
- CBCP begins if the MAX verifies that the profile has Ascend-CBCP-Mode set.
- The MAX sends a request to determine if a callback is to occur. The caller's configuration
must match the Ascend-CBCP-Mode value on the MAX.
The client also supplies to the MAX the number of seconds it should delay before initiating the callback, and, if applicable, the phone number.
- If both sides agree on which phone number the MAX will dial, the client clears the
connection.
- The MAX delays the callback on the basis of the previous negotiation.
- The MAX dials the client, by applying information from the same profile used in previous
negotiation.
Configuring Microsoft's CBCP to use a User Profile
To configure CBCP to work with a User profile:
- Open the Ethernet > Answer > PPP Options menu.
- Set CBCP Enable = Yes.
- Find the user profile you want to add callback.
- Set Ascend-CBCP-Mode to the callback mode to be offered the caller.
- If the caller is supplying the phone number, set Ascend-CBCP-Trunk Group to the value
(4 through 9) that the MAX prepends to the number when calling back.
- Save your changes.
Specifying an access protocol for incoming calls
The answering unit always determines the authentication method to use for the call. By default, the MAX allows incoming calls without authentication. This section summarizes different types of authentication protocols you can require for incoming calls.
Requiring PAP, CHAP, or MS-CHAP for PPP, MP, and MP+ calls
To specify an authentication protocol for name and password authentication of PPP, MP, and MP+ calls, set the Recv Auth parameter in the Ethernet > Answer > PPP Options menu to one of the values listed in Table 3-10.
If the incoming PPP call does not include a source IP address, the MAX requires PAP, CHAP, or MS-CHAP authentication. PAP, CHAP, and MS-CHAP authentication is not available for Combinet, ARA, modem, V.110, V.120 calls, or X.75 calls.
For PAP, CHAP, and MS-CHAP authentication, the calling unit and the MAX share a different secret with the RADIUS server:
- The calling unit's secret is called the remote secret. The MAX does not know the value of this secret.
- The MAX unit's secret is called the NAS secret (because the MAX is an NAS). The calling unit does not know the value of this secret.
How PAP works
For PAP authentication, these events take place:
- The calling unit sends the remote secret in the clear to the MAX.
- The MAX encrypts the remote secret using the NAS secret.
- The RADIUS server decrypts the remote secret using the NAS secret.
- The RADIUS server validates the remote secret, or passes the clear copy of the remote
secret to a UNIX or other password validation system.
How CHAP and MS-CHAP work
For CHAP and MS-CHAP authentication, these events take place:
- The MAX sends a random, 128-bit challenge to the calling unit.
- The calling unit calculates an MD5 digest using the remote secret, the challenge, and the
PPP packet ID.
- The calling unit sends the MD5 digest, the challenge, and the PPP packet ID (but not the
remote secret) to the MAX.
The MAX never has the remote secret.
- The MAX forwards the digest, along with the original challenge and PPP packet ID to
RADIUS.
No encryption is necessary, because MD5 creates a one-way code that cannot be decoded. In addition, RADIUS cannot extract the remote secret. Therefore, it cannot provide a password to a UNIX password system. For this reason, CHAP and UNIX authentication cannot work together.
- The RADIUS server looks up the remote secret from a local database, and calculates an
MD5 digest using the local version of the remote secret, along with the challenge and the
PPP packet ID it received from the MAX.
- The RADIUS server compares the calculated MD5 digest with the digest it received from
the MAX.
If the digests are the same, the remote secrets used by the calling unit and the RADIUS server are the same, and the MAX authenticates the call.
Requiring PAP-TOKEN, CACHE-TOKEN, or PAP-TOKEN-CHAP
You can set up SafeWord and ACE security-card authentication of incoming calls using
PAP-TOKEN, CACHE-TOKEN, or PAP-TOKEN-CHAP authentication. This section provides an overview of these access methods. For details on configuring security-card authentication, see Setting up security-card authentication.
How PAP-TOKEN works
PAP-TOKEN specifies an extension of PAP authentication. In PAP-TOKEN, the user authenticates his or her identity by entering a password derived from a hardware device, such as a hand-held security card. The MAX prompts the user for this password, possibly along with a challenge key. It obtains the challenge key from a security server that it accesses through RADIUS.
For information on setting up PAP-TOKEN authentication, see Configuring PAP-TOKEN authentication.
How CACHE-TOKEN works
CACHE-TOKEN authentication uses a shared secret, and simplifies the authentication process by caching the user's token for the fixed length of time specified by the Ascend-Token-Expiry attribute. During the lifetime of the token, subsequent calls by the user require only CHAP authentication without the use of a hand-held security card.
For information on setting up CACHE-TOKEN authentication, see Configuring CACHE-TOKEN authentication.
How PAP-TOKEN-CHAP works
PAP-TOKEN-CHAP authentication uses an encrypted CHAP password with which the answering unit authenticates the second and subsequent channels of an MP+ call. You verify only the initial connection using a hand-held security card. CHAP verifies any additional channels. For information on setting up PAP-TOKEN-CHAP authentication, see Configuring PAP-TOKEN-CHAP authentication.
Note: You can also set up an ACE server to authenticate multiple users behind a remote
router. For information on carry out this task, see Configuring ACE authentication for remote
bridge/router users.
Using different access methods with local authentication
Some authentication methods do not work the same way with a local Connection profile as with a RADIUS user profile. Table 3-11 shows the specific information you need to consider if you use a particular method with a local profile.
Requesting an access protocol for outgoing calls
To request an authentication protocol for an outgoing PPP or MP+ call, use the attributes described in Table 3-12.
To specify an authentication protocol for an outgoing PPP or MP+ call, follow these steps:
- Set the Ascend-Send-Auth attribute.
The Ascend-Send-Auth attribute specifies the authentication protocol that the MAX requests when initiating a connection using PPP or MP+ encapsulation. The answering side of the connection determines which authentication protocol, if any, the connection uses. You can set Ascend-Send-Auth to one of these values:
- Send-Auth-None (0) specifies that the MAX does not request an authentication
protocol for outgoing calls. This setting is the default.
- Send-Auth-PAP (1) specifies that the MAX requests Password Authentication
Protocol (PAP). If you choose this setting, the MAX requests PAP authentication, but uses CHAP authentication if the called unit requires CHAP. Choose this setting for non-token card authentication if you want to send your password unencrypted.
- For details on how PAP operates, see How PAP works
- Send-Auth-CHAP (2) specifies that the MAX requests Challenge Handshake Authentication Protocol (CHAP). If you choose this setting, the MAX does not bring up the connection using PAP. Choose this setting for non-token card authentication if you do not wish to send your password unencrypted-that is, if you do not wish to use PAP authentication.
- For details on how CHAP operates, see How CHAP and MS-CHAP work.
- If you request PAP or CHAP authentication, you must also specify a password using
Ascend-Send-Secret or Ascend-Send-Passwd.
Both of these attributes specify the password that the MAX sends to the remote end of a connection on outgoing calls. If the value you specify for Ascend-Send-Secret or Ascend-Send-Password does not match the remote end's value for Ascend-Receive-Secret (in a RADIUS user profile) or Recv PW (in a Connection profile), the remote system rejects the call.
Use Ascend-Send-Passwd only if your version of the MAX does not support Ascend-Send-Secret.
For complete information on setting up an outgoing call in RADIUS, see Setting up outgoing calls.
CHAP example
In this example, the user profile requests CHAP as the authentication method for an outgoing PPP call:
Homer-Out Password="Ascend", User-Service=Dialout-Framed-User
User-Name="Homer",
Ascend-Send-Auth=Send-Auth-CHAP,
Ascend-Send-Secret="passwrd1",
Ascend-Dial-Number="31",
Framed-Protocol=PPP,
Framed-Address=10.0.100.1,
Framed-Netmask=255.255.255.0,
Ascend-Metric=2,
Framed-Routing=None,
Framed-Route="10.5.0.0/24 10.0.100.1 1",
Ascend-Idle-Limit=30
Setting up security-card authentication
This section covers the following topics:
- Introducing security-card authentication
- Configuring the MAX to recognize the authentication server
- Configuring the MAX to recognize the APP Server utility on each workstation
- Configuring PAP-TOKEN authentication
- Configuring CACHE-TOKEN authentication
- Configuring PAP-TOKEN-CHAP authentication
Note: You can use RADIUS to set up security-card authentication of incoming calls only. If
you want to configure the MAX as the calling unit and enable local security-card users to call a
remote site, you must configure a Connection profile in the MAX configuration interface. For
details, see the MAX Security Supplement.
Introducing security-card authentication
You can set up your network site to require that users change passwords very frequently, many times per day. When you do so, you use an external authentication server, such as a Security Dynamics ACE/Server or an Enigma Logic SafeWord server.The external server syncs up with hand-held personal security "cards", devices the size and shape of a credit card. The security card provides a user with a current password in real time. The LCD on the user's card displays the current, one-time-only password required to gain access at that moment to the secure network.
Figure 3-1 illustrates an environment that includes an Ascend Pipeline as the calling unit, an NAS (the MAX), a RADIUS server, and an external authentication server.
Figure 3-1. Using an external authentication server
When you use security-card authentication, these events take place:
- A user attempts to open a connection to the MAX, sending his or her user name.
This user is a client of the MAX. The user can be in terminal server mode or use the APP Server utility during the authentication phase. When authentication is complete, the user can switch to PPP mode.
- The MAX determines that it must use a RADIUS user profile to authenticate the user.
- The MAX sends the user connection request to the RADIUS server in an Access-Request
packet.
The MAX is a client of the RADIUS server.
- The RADIUS server forwards the connection request to the ACE or SafeWord client
residing on the same system as RADIUS.
- The ACE client forwards the information to the ACE/Server authentication server, and the
SafeWord client forwards the information to the SafeWord authentication server.
In these cases, the RADIUS server is a client of the authentication server.
- The authentication server sends an Access-Challenge packet back through the RADIUS
server and the MAX to the user dialing in.
- The user sees the challenge message and obtains the current password from his or her
security card.
If the authentication server is an ACE/Server, the user has a SecurID token card that displays a randomly generated access code. This code changes every 60 seconds.
If the authentication server is a SafeWord server, the user can have one of these types of token cards:
- ActivCard
- CryptoCard
- DES Gold
- DES Silver
- SafeWord SofToken
- SafeWord MultiSync
- DigiPass
- SecureNet Key
- WatchWord
- The user enters the current password he or she obtained from the security card in response
to the challenge message.
This password travels back through the NAS and the RADIUS server to the authentication server.
- The authentication server sends a response to the RADIUS server, specifying whether the
user has entered the proper user name and password.
Note: If the caller is using AppleTalk Remote Access (ARA) there must be no password,
and the username must be "SecurID." Once the user makes the initial connection, SecurID
authentication begins with a pop-up screen on the Macintosh. At this point, the user must
enter the "User ID" and "Passcode". If the user enters incorrect values, he or she gets two
more tries to authenticate before the connection fails.
If the user enters an incorrect password, the ACE/Server or SafeWord server returns another challenge and the user can again attempt to enter the correct password. The server sends up to three challenges. After three incorrect entries, the MAX terminates the call.
- The RADIUS server sends an authentication response to the MAX.
If authentication is unsuccessful, the MAX receives an Access-Reject packet. If authentication is successful, the MAX receives an Access-Accept packet containing a list of attributes from the user profile in the RADIUS server's database. The MAX then establishes network access for the caller.
Configuring the MAX to recognize the authentication server
For the MAX to communicate with the authentication server, you must set the parameters in Table 3-13.
All of the parameters apply only to outgoing calls using security-card authentication. For the parameters to work, you must meet these conditions:
To configure the MAX to recognize the authentication server, follow these steps:
- Open the Ethernet menu.
- Open the Mod Config menu.
- Open the DNS menu.
- For the Password Host parameter, specify the IP address of the authentication server on
the remote network.
- Return to the Mod Config menu and open the Auth menu.
- For the Password Port parameter, specify the User Datagram Protocol (UDP) port number
that the server indicated by Password Host is monitoring.
Valid port numbers range from 0 to 65535. The default value is 0 (zero). This setting indicates that the authentication server is not monitoring a UDP port.
- Set Password Server=Yes.
This setting specifies that callers use security-card authentication rather than terminal server authentication.
- Save your changes.
Configuring the MAX to recognize the APP Server utility
To allow users to supply token passwords from a PC or UNIX host on the local network, you must configure the MAX to communicate with the APP Server utility on that host. Table 3-14 lists the parameters to set.
Ascend Password Protocol (APP) is a UDP protocol whose default port is 7001. The communication between the MAX and the host running the APP Server may be unicast (when both the MAX and the host have an IP address) or broadcast (when the host may not have an IP address)
To setup the MAX to communicate with the APP Server utility, follow these steps:
- Open the Ethernet menu.
- Open the Mod Config menu.
- Open the Auth menu.
- Set APP Server=Yes.
This setting enables the MAX to communicate password challenges to the host running the APP Server utility.
- Specify the IP address of the host running the APP Server utility.
For example, you must enter this setting:
APP Host=10.65.212.1
If the host obtains its address at boot time from a BOOTP or DHCP server, or if it has no IP address, you can specify the IP broadcast address (255.255.255.255).
- Specify the UDP port to use for communicating with the host running the APP Server.
7001 is the default UDP port for the APP Server. If you change this number, you must specify the new UDP port number in the APP Server utility (DOS), the WIN.INI file (Windows), or the /etc/services file (UNIX). The MAX and the host running the APP Server utility must agree about the UDP port number.
- Save your changes.
Configuring PAP-TOKEN authentication
To set up PAP-TOKEN authentication, use the attributes listed in Table 3-15.
To set up PAP-TOKEN authentication, follow these steps:
- Set the User-Name attribute to the remote bridge/router's system name.
- Set the Password attribute to SAFEWORD or ACE.
You can request validation from the Enigma Logic SafeWord dynamic password library by setting the Password attribute to SAFEWORD, as shown in this first line of a user profile:
Mike Password="SAFEWORD"
You can request validation from the Security Dynamics ACE dynamic password library by setting the Password attribute to ACE, as shown in this first line of a user profile:
Connor Password="ACE"
PAP-TOKEN example for Security Dynamics ACE/Server
This example shows how to set up RADIUS for use with the Security Dynamics ACE/Server. The remote end consists of a PC running Appserv and a Pipeline 50 unit. The local end consists of a MAX and a UNIX device running RADIUS, ACE/Client, and ACE/Server. Figure 3-2 shows the WAN configuration.
Figure 3-2. ACE/Server configuration
At the remote end, the Appserv process constantly monitors for authentication requests. When it receives one from the Pipeline 50, it sends the request to the MAX. The MAX tries to match the caller's Name to the value of the Station parameter in a Connection profile. If the MAX does not find a match, it forwards the request to RADIUS. RADIUS then checks its profiles. If it finds one whose password is set to ACE, it requests that Appserv prompt the Pipeline 50 for a passcode.
To modify an existing profile for ACE/Server authentication, simply change the password to ACE, as in this example:
Connor Password="ACE"
User-Service=Framed-User,
Framed-Protocol=MPP,
Framed-Address=200.72.138.1,
Framed-Netmask=255.255.255.0,
Ascend-Idle-Limit=300,
Framed-Routing=None
Configuring CACHE-TOKEN authentication
To set up CACHE-TOKEN authentication, use the attributes listed in Table 3-16.
To set up CACHE-TOKEN authentication, follow these steps:
- Set the User-Name attribute to the remote bridge/router's system name.
- Set the Password attribute to SAFEWORD or ACE.
You can request validation from the Enigma Logic SafeWord dynamic password library by setting the Password attribute to SAFEWORD, as shown in this first line of a user profile:
Mike Password="SAFEWORD"
You can request validation from the Security Dynamics ACE dynamic password library by setting the Password attribute to ACE, as shown in this first line of a user profile:
Connor Password="ACE"
- On the first line of the user profile, set the Ascend-Token-Expiry attribute to a nonzero
value.
The Ascend-Token-Expiry attribute specifies the lifetime in minutes of a cached token. When the cached token is still alive, CHAP authenticates subsequent CACHE-TOKEN access requests from the same user without the use of a hand-held security card. When the cached token has expired, the ACE or SAFEWORD server authenticates CACHE-TOKEN access requests.
If the Ascend-Token-Expiry is not specified in the user profile or is set to 0 (zero), the MAX rejects subsequent calls.
- On the first line of the user profile, set the Ascend-Token-Idle attribute (optional).
The Ascend-Token-Idle attribute specifies the maximum length of time in minutes a cached token can remain alive between authentications. This attribute is useful for enforcing authentication when a connection comes up again after an idle period. If you do not specify this attribute, the cached token remains alive until the value of the Ascend-Token-Expiry attribute causes it to expire. Typically, the value of Ascend-Token-Idle is lower than the value of Ascend-Token-Expiry.
- On the first line of the user profile, set the Ascend-Token-Immediate attribute.
The Ascend-Token-Immediate attribute establishes how RADIUS treats the password it receives from a login user when the user profile specifies a hand-held security card server. Use this attribute in an ACE or SAFEWORD user profile that contains the setting User-Service=Login-User.
Ascend-Token-Immediate can have one of the following values:
- Tok-Imm-No (0) indicates that RADIUS ignores the password. Choose this value for a security server that requires that a user enter a challenge using a security card before the security server derives a password.
- Tok-Imm-Yes (1) specifies that RADIUS sends the password to the security server for authentication.
- On any line of the profile after the first one, set the Ascend-Receive-Secret attribute to the
same password as the Send PW parameter in the Connection profile that places the
incoming call.
The RADIUS server uses this value to authenticate incoming calls from a user while his or her token is cached and alive. The cached token resides on the MAX during the initial security-card authentication process.
- When you start the radius daemon, specify the -c option to enable cache-token
authentication.
CACHE-TOKEN example for Enigma Logic server
The following example shows the settings necessary for a user called John to use an Enigma Logic server. After MP+ authentication, the user receives the IP address 200.0.5.1 and subnet mask 255.255.255.0. The profile specifies a 90-minute token cache and an 80-minute idle limit. Notice that the Ascend-Token-Expiry, Ascend-Token-Idle, and Ascend-Token-Immediate attributes must appear on the first line of the profile, along with the user name and ACE or SAFEWORD password. RADIUS sends the password to the security server for authentication.
John Password="SAFEWORD", Ascend-Token-Expiry=90, Ascend-
Token-Idle=80, Ascend-Token-Immediate=Tok-Imm-Yes
Ascend-Receive-Secret="shared-secret",
User-Service=Framed-User,
Framed-Protocol=MPP,
Framed-Address=200.0.5.1,
Framed-Netmask=255.255.255.0
Configuring PAP-TOKEN-CHAP authentication
To set up PAP-TOKEN-CHAP authentication, use the attributes listed in Table 3-17.
To set up PAP-TOKEN-CHAP authentication, follow these steps:
- Set the User-Name attribute to the remote bridge/router's system name.
- Set the Password attribute to SAFEWORD or ACE.
You can request validation from the Enigma Logic SafeWord dynamic password library by setting the Password attribute to SAFEWORD, as shown in this first line of a user profile:
Mike Password="SAFEWORD"
You can request validation from the Security Dynamics ACE dynamic password library by setting the Password attribute to ACE, as shown in this first line of a user profile:
Connor Password="ACE"
- Set Ascend-Receive-Secret to the value of the Aux Send PW parameter in the Connection
profile the remote end uses to dial the call.
The RADIUS server sends this value to your MAX in order to verify an encrypted password.
In PAP-TOKEN-CHAP authentication, you need to verify only the initial connection using a hand-held security card. CHAP verifies any additional channels. That is, whenever the MAX adds channels to a PPP or MP+ call using PAP-TOKEN-CHAP, the calling unit sends the encrypted value of Aux Send PW, and the answering unit checks this password against Ascend-Receive-Secret. The answering unit receives Ascend-Receive-Secret from the RADIUS server when the first channel of the call connects.
PAP-TOKEN-CHAP example for Enigma Logic server
The following example shows the settings necessary for a user called Emma to use an Enigma Logic server. After authentication, the user can open an MP+ (or PPP) session. The user receives the IP address 200.0.5.1 and subnet mask 255.255.255.0. Because this profile includes the attribute Ascend-Receive-Secret, the MAX can authenticate additional channels through CHAP without having to go to the SAFEWORD server for authentication.
Emma Password="SAFEWORD"
User-Service=Framed-User,
Framed-Protocol=MPP,
Framed-Address=200.0.5.1,
Framed-Netmask=255.255.255.0,
Ascend-Receive-Secret="b5XSAM"
Configuring ACE authentication for remote bridge/router users
To set up ACE authentication for users behind a remote bridge/router, use the attributes listed in Table 3-18.
To specify that the RADIUS server use an ACE profile to authenticate multiple users behind a single remote bridge/router (such as an Ascend Pipeline unit), follow these steps:
- Set the User-Name attribute to the remote router's system name.
- Set the Password attribute to ACE.
When the user enters the dynamic password from a security card, he or she must enter it in this format:
password.realname
realname is the user's real name. The RADIUS server presents the realname argument, rather than the name of the Pipeline, to the ACE server. Token caching still functions normally. All users share the same profile, and all accounting uses the Pipeline name, not the real user name.
Setting up CLID authentication
You can require RADIUS to authenticate incoming calls by checking the calling party's phone number. The RADIUS server performs Calling Line ID (CLID) authentication before enabling the MAX to answer an incoming call. You can thereby ensure that the call originates at a known location.
This section describes how to set up a RADIUS user profile for CLID authentication. You can choose from these configurations:
- Authenticate all callers using name, password, and caller ID. For details, see Scenario 1: Authentication using name, password, and caller ID.
- Authenticate all callers using a caller ID only. For details, see Scenario 2: Authentication using a caller ID only.
- Use an external authentication server, such as a token-card authentication server, to authenticate users after CLID authentication. For details, see Scenario 3: External authentication after CLID authentication.
- Request PAP, CHAP, or MS-CHAP after CLID authentication. For details, see Scenario 4: PAP, CHAP, or MS-CHAP after CLID authentication.
Before you begin
Before you set up CLID in RADIUS, you must set parameters in the MAX configuration interface that affect CLID authentication. Follow these steps:
- Open the Ethernet menu.
- Open the Answer menu.
- If you want to authenticate callers by name, password, and caller ID, set Id Auth=Prefer.
This setting specifies that whenever CLID is available, the MAX checks the calling party's phone number against the value of the Caller-Id attribute in a RADIUS user profile. If it finds a match, and the profile does not require any further authentication, the MAX accepts the call. If the CLID is not available, or if the MAX cannot find a match to the calling party number, the MAX applies authentication using the Recv Auth parameter in the PPP Options menu.
- If you want to authenticate callers by caller ID only, set Id Auth=Require or Fallback.
The Require setting indicates that the calling party's phone number must match the value of the Caller-Id attribute before the MAX can answer the call. If CLID is not available, the MAX does not answer the call.
The Fallback setting handles the case of RADIUS server timeouts. If the RADIUS server query times out so that the MAX cannot complete CLID authentication, the MAX does not drop the call. Instead it looks for a resident Connection profile to use for standard PAP, CHAP, MS-CHAP, or terminal server authentication. Therefore, if you set Id Auth=Fallback, you must also set up a Connection profile. For details, see the MAX Security Supplement.
- Open the PPP Options menu.
- If you plan to use PAP, CHAP, or MS-CHAP after CLID authentication, set the Recv Auth
parameter to the appropriate value.
- Open the Ethernet > Mod Config > Auth menu.
- Specify the value of the Disconnect message the MAX returns when CLID authentication
fails.
When CLID authentication fails in an ISDN connection, the MAX sends a Disconnect message. The Cause element in the Disconnect message can indicate why CLID authentication failed. You can set two parameters that affect Disconnect messages:
- The CLID Timeout Busy parameter specifies whether to return User Busy when CLID authentication fails due to a RADIUS timeout. You can specify Yes or No. The default value is No, which indicates Normal Call Clearing.
- The CLID Fail Busy parameter specifies whether to return User Busy when CLID authentication fails for reasons other than a RADIUS timeout. You can specify Yes or No. The default value is No, which indicates Normal Call Clearing.
General guidelines
Before you set up CLID authentication, keep these limitations in mind:
Scenario 1: Authentication using name, password, and caller ID
To set up CLID authentication in this scenario, use the attributes listed in Table 3-19.
Although you can configure local Connection profiles to authenticate using name, password, and caller ID, we recommend that you perform this function in RADIUS. To require all callers to authenticate using name, password and caller ID, follow these steps:
- If you have not done so already, set Id Auth=Prefer in the Ethernet > Answer menu on the
MAX.
- Ensure that the first line of all dial-in RADIUS user profiles has the following format:
username Password="password", Caller-Id="phonenum"
username
is the user name.
password
is the user's password.
phonenum
is the caller ID.
Example using name, password, and caller ID
Here is an example user profile for authentication using name, password, and caller ID:
Emma Password="test", Caller-Id="123456789"
User-Service=Framed-User,
Framed-Protocol=PPP,
Framed-Address=255.255.255.254,
Framed-Netmask=255.255.255.255,
Ascend-Assign-IP-Pool=1,
Ascend-Route-IP=Route-IP-Yes,
Ascend-Idle-Limit=30
Scenario 2: Authentication using a caller ID only
To set up CLID authentication in this scenario, use the attributes listed in Table 3-20.
Although you can configure local Connection profiles to authenticate using a caller ID only, we recommend that you perform this function in RADIUS. To require all callers to authenticate using a caller ID only, follow these steps:
- If you have not done so already, set Id Auth=Require or Id Auth=Fallback in the Ethernet
> Answer menu on the MAX.
- Verify that the first line of all dial-in RADIUS user profiles has the following format:
phonenum Password="Ascend-CLID"
- phonenum
represents the calling party's phone number.
- The Password value specifies that RADIUS authenticates the caller by caller ID only.
- Set the Ascend-Require-Auth attribute to Not-Require-Auth.
This setting specifies that after CLID authentication, the MAX does not require any additional authentication. If you want to include name and password authentication in addition to CLID authentication, see Scenario 1: Authentication using name, password, and caller ID or Scenario 3: External authentication after CLID authentication.
Example using a caller ID only
Here is an example user profile for authentication using a caller ID only:
5551212 Password="Ascend-CLID"
Ascend-Require-Auth=Not-Require-Auth,
User-Service=Framed-User,
Framed-Protocol=PPP,
Framed-Address=255.255.255.254,
Framed-Netmask=255.255.255.255,
Ascend-Assign-IP-Pool=1,
Ascend-Route-IP=Route-IP-Yes,
Ascend-Idle-Limit=30
Scenario 3: External authentication after CLID authentication
This scenario entails using an external authentication server, such as a token-card server, to authenticate callers after CLID authentication. All users must pass caller-ID authentication and token-card authentication. The configuration uses a two-tiered setup.
To set up this two-tiered authentication, use the attributes listed in Table 3-21.
To perform external authentication after CLID authentication, follow these steps:
- If you have not done so already, set Id Auth=Require in the Ethernet > Answer menu on
the MAX.
- Configure the first tier of a two-tiered dial-in setup.
The first-tier dial-in user profile has the following two-line format:
phonenum Password="Ascend-CLID"
Ascend-Require-Auth=Require-Auth
- Configure the second tier of the two-tiered dial-in setup.
The second-tier user profile has the following format for the first line, with the characteristics of the call specified by the second and succeeding lines:
Default Password="SAFEWORD"
Example using token-card server after CLID authentication
Here is an example of two-tiered user profile entries:
5551212 Password="Ascend-CLID"
Ascend-Require-Auth=Require-Auth
Default Password="SAFEWORD"
User-Service=Login-User,
Login-Host=10.0.4.1,
...
The first pass checks the caller ID. The second pass checks the name and password through the token-card server. If the caller passes both authentications, the MAX grants access. The Default user profile specifies the characteristics of the call.
Scenario 4: PAP, CHAP, or MS-CHAP after CLID authentication
Following CLID authentication, you can indicate whether the MAX should request Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Microsoft CHAP (MS-CHAP) authentication for incoming calls on a PPP or MP+ connection. You specify PAP, CHAP, or MS-CHAP authentication using a two-tiered method with the attributes listed in Table 3-22.
Table 3-22. Attributes for PAP, CHAP, or MS-CHAP after CLID authentication
Attribute
|
Possible values
|
---|
Ascend-Require-Auth (201)
|
Not-Require-Auth (0) Require-Auth (1)
The default is Not-Require-Auth.
In this instance, specify Require-Auth in the first-tier user profile-the one that sets up CLID authentication.
|
Caller-Id (31)
|
A telephone number containing up to 37 characters, limited to the following:
1234567890()[]!z-*#|
The default value is null. In the second-tier profile, specify the same value for Caller-Id as you specified for User-Name in the first-tier profile.
|
Framed-Protocol (7)
|
PPP (1) SLIP (2) MPP (256) EURAW (257) EUUI (258) COMB (260) FR (261) ARA (262) FR-CIR (263)
By default, the MAX does not restrict the type of protocol a user can access.
In this instance, specify PPP in the second-tier profile.
|
User-Name (1)
|
Text string containing up to 252 characters. The default value is null.
In the first tier, the user name is the calling party's phone number. In the second tier, the user name is the one associated with the user being authenticated.
|
User-Service (6)
|
Login-User (1) Framed-User (2) Dialout-Framed-User (5)
By default, the MAX does not restrict user access to services.
Specify Framed-User in the second-tier profile.
|
Password (2)
|
Text string containing up to 252 characters. The default value is null.
Set the password to Ascend-CLID in the first tier and to the user's password in the second tier.
|
To request PAP, CHAP, or MS-CHAP authentication after CLID authentication, you must set up two RADIUS user profiles. Follow these steps:
- If you have not done so already, set Recv Auth to PAP, CHAP, MS-CHAP, or Either in the
Ethernet > Answer > PPP Options menu.
- In RADIUS, set up a first-tier profile specifying CLID authentication.
- Set the User-Name attribute to the calling party's phone number.
- Set the Password attribute to Ascend-CLID.
- Set the Ascend-Require-Auth attribute to Require-Auth. Calls that have been CLID authenticated undergo no further authentication unless the matching RADIUS profile has Ascend-Require-Auth=Require Auth. If Ascend-Require-Auth=Require Auth, the parameters of the call are initially set by CLID authentication, but are subject to change by any authentication that might follow.
For example, the first-tier CLID authentication profile might look like this one:
5551212 Password="Ascend-CLID"
Ascend-Require-Auth=Require-Auth
Do not include any other attributes in this profile. You must specify the characteristics of the call in the second-tier user profile.
- In the first line of the second-tier user profile, specify these attributes:
- user name
- Password
- Caller-Id. The value you specify for the Caller-Id attribute must match the phone number you specified for User-Name in the first-tier user profile.
- On any succeeding lines of the second-tier user profile, set these attributes:
- User-Service=Framed-User
- Framed-Protocol=PPP
- Specify any additional attributes in the second-tier user profile.
The characteristics of the call appear in this user profile.
Example using CHAP after CLID authentication
This example shows a two-tiered approach. The first user profile specifies CLID authentication, and indicates that additional CHAP authentication will follow. The second user profile sets up other attributes for the call.
5551212 Password="Ascend-CLID"
Ascend-Require-Auth=Require-Auth
Emma Password="pwd", Caller-Id="5551212"
User-Service=Framed-User,
Framed-Protocol=PPP,
Framed-Address=200.11.12.10,
Framed-Netmask=255.255.255.248,
Ascend-Send-Secret="pwd",
...
Setting up called-number authentication
Called-number authentication works much like CLID authentication, except that the MAX uses the number called by the remote end to authenticate the connection. The called number appears in an ISDN message as part of the call when Dialed Number Information Service (DNIS) is in use. Called-number authentication is also known as DNIS authentication.
This section describes how to set up a RADIUS user profile for called-number authentication. You can choose from these configurations:
Before you begin
Before you set up called-number authentication in RADIUS, you must follow these steps using the MAX configuration interface:
- Open the Ethernet menu.
- Open the Answer menu.
- If you want to authenticate callers by name, password, and called number, set Id
Auth=Called Prefer.
This setting specifies that whenever the called number is available, the MAX checks the called number against the value of the Client-Port-DNIS attribute in a RADIUS user profile. If it finds a match, and the profile does not require any further authentication, the MAX accepts the call. If the called number is not available, or if the MAX cannot find a match to the called number, the MAX applies authentication using the Recv Auth parameter in the PPP Options menu.
- If you want to authenticate callers by called number only, set Id Auth=Called Require
This setting indicates that the called number must match the value of the Client-Port-DNIS attribute before the MAX can answer the call. If the called number is not available, the MAX does not answer the call.
Configuring DNIS numbers in RADIUS
This feature addresses those locations in North America that charge significantly higher rates for digital bearer service than voice bearer service. In addition, this feature can be used by larger ISPs that resell services to smaller ISPs, identifying them by DNIS number. To configure DNIS numbers in RADIUS, follow these steps:
- Create the first line of a pseudo-user entry using the User-Name and Password attributes.
You create a pseudo-user to store information that the Ascend unit can query-in this case, in order to store DNIS numbers. You can configure pseudo-users for both global and Ascend unit-specific configuration control of DNIS numbers The Ascend unit adds the unit-specific information in addition to the global information.
For a unit-specific DNIS configuration, specify the first line of a pseudo-user entry in this format:
dovbs-<unit_name>
-<num>
Password="ascend"
For a global DNIS configuration, specify the first line of a pseudo-user entry in this format:
dovbs-<num>
Password="ascend"
<unit_name> is the system name of the Ascend unit-that is, the name specified by the Name parameter in the System Profile. <num> is a number in a sequential series, starting at 1.
- For each pseudo-user entry, specify one or more DNIS numbers using the Client-Port-
DNIS attribute.
Specify each DNIS number in this format:
Client-Port-DNIS="<DNIS number>
"
Client-Port-DNIS specifies the called-party number, indicating the phone number dialed by the user to connect to the Ascend unit. You can specify up to 100 DNIS numbers; if you specify more than 100, the remaining numbers are ignored.
Consider this example:
Five small ISPs connect to a larger ISP using DOVBS with the following numbers:
- 4165551111
- 4165552222
- 4165553333
- 4165554444
- 4165555555
The pseudo-user profile for an Ascend unit named "Toronto" looks like this one:
dovbs-Toronto-1 Password = "ascend"
Client-Port-DNIS = "5105551111"
Client-Port-DNIS = "5105552222"
Client-Port-DNIS = "5105553333"
Client-Port-DNIS = "5105554444"
Client-Port-DNIS = "5105555555"
How the Ascend unit learns about DNIS entries
When you have properly configured the pseudo-user profile, RADIUS loads DNIS numbers whenever you power on or reset the Ascend unit, when you select the Upd Rem Cfg command from the Sys Diag menu, or when you use an update command in SNMP. RADIUS loads the numbers in this way:
- RADIUS looks for entries having the format dovbs-<unit_name>-1, where <unit_name>
is the system name.
- If at least one entry exists, RADIUS loads all existing entries with the format dovbs-
<unit_name>-<num>.
The variable <num> is a number in a sequential series, starting with 1.
- The Ascend unit queries dovbs-<unit_name>-1, then dovbs-<unit_name>-2, and so on,
until it receives an authentication reject from RADIUS.
- Once the host-specific numbers are loaded, RADIUS loads the global configuration
entries; these configurations have the format dovbs-<num>.
- The Ascend unit queries dovbs-1, then dovbs-2, and so on, until it receives an
authentication reject from RADIUS.
The Ascend unit checks the DNIS number of each incoming call against the phone numbers it has loaded.
Scenario 1: Authentication using name, password, and called number
To set up called-number authentication in this scenario, use the attributes listed in Table 3-23.
Although you can configure local Connection profiles to authenticate using a name, password, and called number, we recommend that you perform this function in RADIUS. To require all callers to authenticate using name, password and called number, follow these steps:
- If you have not done so already, set Id Auth=Called Prefer in the Ethernet > Answer menu
on the MAX.
- Ensure that the first line of all dial-in RADIUS user profiles has the following format:
username Password="password", Client-Port-DNIS="phonenum"
- username is the user name.
- password is the user's password.
- phonenum is the called number.
Example using name, password, and called number
Here is an example user profile for authentication using name, password, and called number:
Emma Password="test", Client-Port-DNIS="123456789"
User-Service=Framed-User,
Framed-Protocol=PPP,
Framed-Address=255.255.255.254,
Framed-Netmask=255.255.255.255,
Ascend-Assign-IP-Pool=1,
Ascend-Route-IP=Route-IP-Yes,
Ascend-Idle-Limit=30
Scenario 2: Authentication using the called number only
To set up called-number authentication in this scenario, use the attributes listed in Table 3-24.
Although you can configure local Connection profiles to authenticate using the called number only, we recommend that you perform this function in RADIUS. To require all callers to authenticate using the called number only, follow these steps:
- If you have not done so already, set Id Auth=Called Require in the Ethernet > Answer
menu on the MAX.
- Verify that the first line of all dial-in RADIUS user profiles has the following format:
phonenum Password="Ascend-DNIS"
Example using the called number only
Here is an example user profile for authentication using the called number only:
5551212 Password="Ascend-DNIS"
Ascend-Require-Auth=Not-Require-Auth,
User-Service=Framed-User,
Framed-Protocol=PPP,
Framed-Address=255.255.255.254,
Framed-Netmask=255.255.255.255,
Ascend-Assign-IP-Pool=1,
Ascend-Route-IP=Route-IP-Yes,
Ascend-Idle-Limit=30
Scenario 3: External authentication after called-number authentication
This scenario entails using an external authentication server, such as a token-card server, to authenticate callers after called-number authentication. All users must pass called-number authentication and token-card authentication. The configuration uses a two-tiered setup.
To set up this two-tiered authentication, use the attributes listed in Table 3-25.
To perform external authentication after called-number authentication, follow these steps:
- If you have not done so already, set Id Auth=Called Require in the Ethernet > Answer
menu on the MAX.
- Configure the first tier of a two-tiered dial-in setup.
The first-tier dial-in user profile has the following two-line format:
phonenum Password="Ascend-DNIS"
Ascend-Require-Auth=Require-Auth
- phonenum represents the called number.
- The Password setting specifies that RADIUS authenticates the caller by called number.
- The Ascend-Require-Auth setting specifies that after called-number authentication, the MAX requires additional authentication. When you set Ascend-Require-Auth=Require-Auth, you should not include any other attributes in the user profile. You must specify the characteristics of the call in the second-tier user profile.
- Configure the second tier of the two-tiered dial-in setup.
The second-tier user profile has the following format for the first line, with the characteristics of the call specified by the second and succeeding lines:
Default Password="SAFEWORD"
Example using token server after called-number authentication
Here is an example of two-tiered user profile entries:
5551212 Password="Ascend-DNIS"
Ascend-Require-Auth=Require-Auth
Default Password="SAFEWORD"
User-Service=Login-User,
Login-Host=10.0.4.1,
...
The first pass checks the called number. The second pass checks the name and password through the token-card server. If the caller passes both authentications, the MAX grants access. The Default user profile specifies the characteristics of the call.
Putting it all together
This section discusses different ways in which users can dial into the MAX, and the kinds of authentication you can set up.
Analog dial-in with terminal server authentication
If a customer is dialing in over an analog line and will undergo terminal server authentication, you can must carry out these tasks:
- Set the User-Service attribute in the customer's RADIUS user profile.
If the user will make use of the terminal server interface and then use PPP, set
User-Service=Login-User. If the user will bypass the terminal server interface and use PPP, set User-Service=Framed-User.
- If User-Service=Login-User, set PPP=Yes in the Ethernet > Mod Config > TServ Options
menu.
- If User-Service=Login-User, make sure that your customer's PPP software has an expect-
send script in this format:
expect "Login:"
send $username
expect "Password:"
send $password:
At the end of the script, the user starts sending PPP packets.
For analog dial-in, these events take place:
- The client calls with an analog modem, and the MAX answers.
- The MAX waits for PPP packets, while the client software expects the terminal server
login prompt.
- The MAX times out on PPP, and sends the login prompt.
- The client software sees the login prompt, enters a user name, and waits, expecting the
password prompt.
- The MAX sends the password prompt, and the client sends a password.
- The MAX authenticates the user name and password against a RADIUS profile or local
Connection profile.
- If User-Service=Framed-User in the RADIUS user profile, the MAX does not present the
ascend%
prompt, but sends PPP packets.
- If User-Service=Login-User in the RADIUS user profile, the MAX presents the
ascend%
prompt and then sends PPP packets.
- The client software and the MAX communicate using PPP over the asynchronous serial
analog line.
Digital dial-in using terminal server authentication
If a customer is dialing in using an ISDN terminal adapter (TA) and will undergo terminal server authentication, you must carry out these tasks:
- Set the User-Service attribute in the customer's RADIUS user profile.
If the user will make use of the terminal server interface and then use PPP, set
User-Service=Login-User. If the user will bypass the terminal server interface and use PPP, set User-Service=Framed-User.
- If User-Service=Login-User, set PPP=Yes in the Ethernet > Mod Config > TServ Options
menu.
- In the Answer profile, set V.120=Yes.
- Make sure that your customer's TA is configured for V.120 encapsulation.
You can set most TAs in automatic mode so that the TA looks for a PPP packet from the host. If it finds one, it starts PPP negotiations. If it does not find one, it tries V.120 authentication. Once the call connects, the TA uses asynch/PPP mode for the duration of the call.
For digital dial-in, these events take place:
- The client calls using an ISDN TA and the MAX answers the call.
- The MAX waits for PPP packets, while the client software expects the terminal server
login prompt.
- The MAX times out on PPP, and sends the login prompt.
- The client software sees the login prompt, enters a user name, and waits, expecting the
password prompt.
- The MAX sends the password prompt, and the client sends a password.
- The MAX authenticates the user name and password against a RADIUS profile or local
Connection profile.
- If User-Service=Framed-User in the RADIUS user profile, the MAX does not present the
ascend%
prompt, but sends PPP packets.
- If User-Service=Login-User in the RADIUS user profile, the MAX presents the
ascend%
prompt and then sends PPP packets.
- The client software and the MAX communicate using PPP over an asynchronous line-
asynchronous from the workstation to the TA, and asynchronous over V.120 from the TA
to the MAX.
In this scenario, you cannot use two channels because the MAX tries to authenticate the second channel using the user name presented at the terminal server login prompt. The client software does not run an expect-send script over V.120 and the second channel, so the second channel cannot connect. Without this connection, MP or MP+ fails.
Most ISDN TAs support either V.120 clear text or asynchronous-to-PPP conversion, but not both. Therefore, if you log into a PPP server in terminal and/or scripted (ASCII text) mode, the TA goes into V.120 mode and should not dial the second B channel. If for some reason the TA does dial the second channel, it will fail to bind the two channels together and will probably drop the first channel.
In order to get the second channel connected, you must use the Authentication area, fill out the Auth. ID:
field and the Password:
field, and choose the appropriate authentication method, usually PAP or CHAP. If you want a second channel, you cannot use a script or the terminal.
PPP login with PAP, CHAP, or MS-CHAP authentication
These types of equipment allow a customer to communicate via PPP using PAP, CHAP, or MS-CHAP authentication:
These events take place:
- The client calls and the MAX answers.
- The MAX waits for PPP packets, based on the RADIUS user profile or a local Connection
profile.
- The client sends PPP packets.
- The MAX responds with PPP, and LCP negotiation starts.
- The MAX carries out PAP, CHAP, or MS-CHAP authentication.
- After authentication, upper layer NCPs (IPCP, IPXCP, CCP) are negotiated.
- The client device and the MAX communicate using PPP over the ISDN line.
techpubs@eng.ascend.com
Copyright © 1998, Ascend Communications, Inc. All rights
reserved.