Getting Acquainted with RADIUS
This chapter introduces RADIUS authentication and accounting, and provides an overview of the files and attributes that the RADIUS server uses.
How does the MAX use RADIUS?
RADIUS provides a central location for storing these types of information:
- Authentication attributes
- Configuration data for establishing a WAN connection for an incoming call
- Dialout information
- Static routes and filters
- Accounting information
RADIUS maintains authentication, incoming call configuration, dialout, routing, and filter information in individual user profiles. Each user profile consists of a series of attributes. These attributes indicate a user name and password, and enable you to configure routing, bridging, call management, and restrictions on the types of MAX resources a caller can access.
How does RADIUS authentication work?
A single RADIUS server can administer multiple security systems, maintaining profiles for thousands of users. RADIUS vastly increases the number of authentication entries that the MAX can support. Without RADIUS, you must limit yourself to the number of local Connection profiles the MAX supports.
When you use RADIUS authentication, these events take place:
- A user dialing in from a modem, ISDN terminal adaptor, or bridge/router attempts to open a connection to the MAX, and the MAX determines that it must use a RADIUS user profile to authenticate the user.
- The MAX sends the user connection request to the RADIUS server.
- The RADIUS server carries out one or more of these tasks:
- Performs Calling Line ID (CLID) authentication on incoming calls by checking the calling party's phone number.
- Performs called-number authentication on incoming calls by checking the number the user dialed to reach the MAX. Called-number authentication is also known as Dialed Number Information Service (DNIS) authentication.
- Obtains the user's name and password using Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Microsoft CHAP (MS-CHAP). PAP is a PPP authentication protocol in which the host identifies itself in a two-way handshake: it sends its name and password, and the password crosses the link in cleartext. PAP authentication takes place only upon initial link establishment. CHAP is also a PPP authentication protocol, but it is more secure than PAP. In a three-way handshake the MAX sends a random challenge, the host returns a one-way hash (MD5) of the challenge combined with its secret, and the MAX, or the RADIUS server on its behalf, recomputes the hash from the stored password. The password itself never crosses the link, and a captured response is useless against a later challenge. Authentication takes place upon initial link establishment, and the MAX can repeat the challenge at any time after the connection is up. Because the server must recompute the hash, the RADIUS user profile must hold the password in a form the server can recover, which is why the users file stores it in cleartext and must be protected accordingly. MS-CHAP is the Windows NT version of CHAP; it derives the response from an MD4 hash of the password using DES. Using MS-CHAP, an Ascend unit can authenticate a Windows NT system, and a Windows NT system can authenticate an Ascend unit.
- Performs a UNIX login.
- Forwards the connection request to an external authentication server, such as a Security Dynamics ACE/Server or Enigma Logic SafeWord server.
- The RADIUS server sends an authentication response to the MAX.
If authentication is unsuccessful, the MAX refuses the connection. If authentication is successful, the MAX receives a list of attributes from the user profile in the RADIUS server's database and establishes network access for the caller.
- The MAX notifies the RADIUS server that the session has begun.
The MAX also notifies the RADIUS when the session ends. If you enable accounting, the RADIUS server can generate accounting records.
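The PAP and CHAP distinction above determines what the RADIUS server must store and what an eavesdropper on the dial-in link can learn. The following Python is an added example, not Ascend or Livingston code. It plays all three roles (dial-in client, MAX, RADIUS server) for one CHAP round trip and one PAP request. The profile password, the challenge values and the function names are constructed for the example; the CHAP-Password layout (an ID octet followed by the 16-octet MD5 response, carried with CHAP-Challenge) is the one RADIUS uses to pass a CHAP response to the server.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): response = MD5(ID || secret || challenge).

    The secret never leaves the host that computes the hash; only the
    16-byte digest crosses the link.
    """
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_answers_chap(ident: int, challenge: bytes, password: bytes) -> bytes:
    """Dial-in client side: answer the MAX's challenge with its own password."""
    return chap_response(ident, password, challenge)


def max_forwards_chap(ident: int, response: bytes, challenge: bytes) -> dict:
    """What the MAX puts in the Access-Request: CHAP-Password (ID || response)
    and CHAP-Challenge. The password itself is not in the request."""
    return {"CHAP-Password": bytes([ident]) + response, "CHAP-Challenge": challenge}


def radius_checks_chap(request: dict, profile_password: bytes) -> bool:
    """Server side: recompute the digest from the profile's stored password.

    This works only because the users file holds the password in a
    recoverable (cleartext) form, which is why that file needs restrictive
    permissions.
    """
    chap_pw = request["CHAP-Password"]
    ident, response = chap_pw[0], chap_pw[1:]
    expected = chap_response(ident, profile_password, request["CHAP-Challenge"])
    return hmac.compare_digest(expected, response)


def pap_on_the_link(username: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the password itself is sent, unprotected."""
    return {"User-Name": username, "Password": password}


def radius_checks_pap(request: dict, profile_password: bytes) -> bool:
    return hmac.compare_digest(request["Password"], profile_password)


def chap_exchange(profile_password: bytes, client_password: bytes, ident: int = 1) -> bool:
    """One full CHAP round trip: MAX challenges, client answers, RADIUS checks."""
    challenge = os.urandom(16)   # fresh per challenge; the MAX may re-challenge later
    response = client_answers_chap(ident, challenge, client_password)
    return radius_checks_chap(max_forwards_chap(ident, response, challenge), profile_password)


if __name__ == "__main__":
    stored = b"Pipeline"   # constructed: the password in the sample users file later in this chapter
    print("CHAP, right password:", chap_exchange(stored, b"Pipeline"))
    print("CHAP, wrong password:", chap_exchange(stored, b"pipeline"))
    # A captured response is useless against a new challenge.
    old, new = bytes(16), bytes([0xFF]) * 16
    captured = client_answers_chap(1, old, b"Pipeline")
    print("CHAP replay:", radius_checks_chap(max_forwards_chap(1, captured, new), stored))
    print("PAP on the link:", pap_on_the_link("Ascend1", b"Pipeline"))
```

The replay case is the practical reason CHAP is preferred: a response recorded from the link answers only the challenge it was computed for, so the re-challenge the MAX can issue mid-session also detects a hijacked link. The flip side is that the server cannot store a one-way hash of the password for CHAP users.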
How does RADIUS accounting work?
RADIUS accounting is a way to log information about three types of events:
When the MAX recognizes one of these events, it sends an accounting request to RADIUS. When the accounting server receives the request, it combines the information into a record and timestamps it. Each type of accounting record contains attributes associated with an event type, and can show the number of packets the MAX transmitted and received, the protocol in use, the user name and IP address of the client, and so on.
You can use RADIUS accounting for either of these purposes:
What types of applications does RADIUS support?
This section describes some common RADIUS applications.
Simple RADIUS authentication and accounting
In Figure 1-1, the RADIUS server performs both authentication and accounting. This configuration does not use a backup server.
Figure 1-1. Simple RADIUS authentication and accounting
This configuration is ideal for cost-conscious service providers and corporations that do not want to invest in different machines for security and backup.
RADIUS authentication and accounting with a backup server
In Figure 1-2, a service provider or corporate office has a second RADIUS server acting as a backup. If the primary RADIUS server fails, the MAX automatically contacts the secondary RADIUS server to authenticate a user. If the secondary server fails, you can bring in a third RADIUS server as a backup. You can use the secondary server as a backup accounting server as well.
Figure 1-2. RADIUS authentication and accounting with a backup server
RADIUS with an external security-card server
For more secure networks, a service provider or corporate office can use RADIUS as a front end to a security-card authentication server, such as Security Dynamics ACE/Server or Enigma Logic's SafeWord server.
Figure 1-3 illustrates an environment that includes an Ascend Pipeline as the calling unit, a NAS (the MAX), a RADIUS server, and an external authentication server.
Figure 1-3. RADIUS with an external security-card server
For complete information on configuring RADIUS to work with security-card authentication servers, see Setting up security-card authentication.
Using RADIUS to sign up new customers
In Figure 1-4, the service provider has a RADIUS server and a separate registration server. When a new customer connects to the network using the name and password specified in the company's advertising, the MAX passes the request to the registration server. The server prompts the user to enter sign-up information.
Figure 1-4. Using RADIUS to sign up new customers
A user cannot access any other resource on the system until he or she provides all the registration details and signs up for the service. After a user completes the registration procedure, the server issues a permanent user name and password.
What files does RADIUS use?
The RADIUS server uses the files listed in Table 1-1.
Table 1-1. RADIUS files

| File name | Default location | Description |
|---|---|---|
| radiusd | /etc/raddb | The RADIUS daemon you use with a flat ASCII users file. If you require RADIUS accounting or any of the attributes provided by Ascend as extensions to the Livingston RADIUS daemon, you must use the Ascend RADIUS daemon, version 1.16 (dated 7/25/95) or later. For information on running the radiusd daemon, see Running the daemon with a flat ASCII users file. |
| radiusd.dbm | /etc/raddb | The RADIUS daemon you use with a UNIX DBM database. If you require RADIUS accounting or any of the attributes provided by Ascend as extensions to the Livingston RADIUS daemon, you must use the Ascend RADIUS daemon, version 1.16 (dated 7/25/95) or later. For information on running the radiusd.dbm daemon, see Running the daemon with a UNIX DBM database. |
| dictionary | /etc/raddb | The Ascend RADIUS dictionary. This file contains a list of all the attributes the daemon supports, along with the possible values for each attribute. You must install the dictionary on your RADIUS server in the same directory as the Ascend RADIUS daemon, and it must have the same date as the Ascend RADIUS daemon. The RADIUS daemon reads the dictionary when it starts up. If you update the dictionary file while the daemon is running, you must stop the daemon process and then restart it to make the new attributes available. For further information about the dictionary file, see Dictionary file. |
| clients | /etc/raddb | A file that identifies each client permitted to send requests to the RADIUS server, together with the shared secret for each. For overview information about the clients file, see Clients file. For details on setting up the clients file, see step 8. |
| users | /etc/raddb | A file that contains a set of user profiles. Each user profile consists of attributes describing the user's name, his or her password, and the MAX features to which the user has access. For introductory information on the users file, see Users file. |
| logfile | /etc/raddb | A file containing error messages. You must create this file yourself. |
| detail | /usr/adm/NAS-name/radacct | A file containing accounting records. |
Dictionary file
Every attribute has an associated name, ID, and value type. The dictionary file provides a complete list of attributes, and contains the information described in Table 1-2.
The first several lines of a typical dictionary file might look like this:
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE Challenge-Response 3 string
ATTRIBUTE NAS-Identifier 4 string
ATTRIBUTE NAS-Port 5 string
Clients file
A client is the MAX or another machine that sends requests to the RADIUS server. The RADIUS clients file defines the client machines permitted to make requests to the RADIUS server, and the shared secret for each. For the RADIUS daemon to respond to client requests from the MAX, you must specify the MAX unit's name and its shared secret (the password configured on the MAX for the RADIUS server) in the clients file. The daemon uses this secret to hide the user's password in the Access-Request and to compute the authenticator on its replies, so a machine that is not listed, or that uses the wrong secret, cannot obtain a usable response. The secrets are stored in cleartext, so the file should be readable only by the account the daemon runs as.
A sample line in the clients file looks like this one:
Ascend3 bXSAMpy
Users file
The users file contains an entry for each user that RADIUS will authenticate. Each entry is called a user profile, and consists of attributes describing a user and the services he or she can access. A users file can contain comment lines, user profiles, and blank lines. Table 1-3 lists each element.
Table 1-3. Users file elements

| Element | Description |
|---|---|
| Comment line | A comment line begins with the # character at column one, with text that extends to the end of the line. You can embed a comment line anywhere in a user profile. |
| User profile | A user profile consists of a first line (also called an authentication line), followed by the rest of the profile, followed by a final line. The first line consists of a user name, followed by a space or tab, followed by an attribute list containing authentication information, such as the user's password and the password's expiration date. The attributes on the first line are called check attributes because RADIUS must check them before it can grant access to the MAX. Any characters can appear at columns one and two except the # character, a space, or a tab. Starting at the third column, the first line can contain one or more spaces or tabs, followed by an attribute list (without a trailing comma) and a newline. Each subsequent line in the rest of the record has a space or tab in the first column, followed by zero or more spaces or tabs, an attribute list, a comma, and a newline. The final line is identical to each line after the first one, except that it contains no trailing comma. |
| Blank line | A blank line cannot appear within a user profile, but can be present anywhere outside a user profile. It must end with a newline. |
This portion of a users file contains two comment lines, a blank line, and a user profile:
# This user profile is for PPP sessions only, and uses a
# local password.

Ascend1 Password="Pipeline"
    User-Service=Framed-User,
    Framed-Protocol=PPP,
    Framed-Address=10.0.1.1,
    Framed-Netmask=255.255.255.0,
    Ascend-Metric=2,
    Framed-Routing=None,
    Ascend-Idle-Limit=30
The user profile consists of a first line containing the user name (Ascend1) and password (Pipeline) that the RADIUS server uses for authentication. Subsequent lines contain attributes describing the type of service the user can access, the type of protocol in use, and so on. Note that each line of the profile, except the first line and last line, contains a trailing comma.
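The grammar in Table 1-3 (comment lines, check attributes on the first line, comma-terminated reply lines, a final line without a comma, blank lines only between profiles) is exactly the kind of thing that is easy to get wrong by hand and that the daemon then silently misreads. The following Python is an added example, not Ascend or Livingston code: a small checker that reads a dictionary and a users file, validates every attribute name against the dictionary, types the values, and reports grammar errors by line number. The dictionary fragment is constructed; its attribute numbers are the ones given in this chapter's tables, but the value types and the VALUE name-to-number mappings are assumptions for the example.

```python
import ipaddress
# Constructed dictionary fragment: attribute numbers are those in this chapter's tables; the value types and VALUE mappings are assumptions.
DICTIONARY = """\
ATTRIBUTE Password           2   string
ATTRIBUTE User-Service       6   integer
ATTRIBUTE Framed-Protocol    7   integer
ATTRIBUTE Framed-Address     8   ipaddr
ATTRIBUTE Framed-Netmask     9   ipaddr
ATTRIBUTE Framed-Routing     10  integer
ATTRIBUTE Ascend-Metric      225 integer
ATTRIBUTE Ascend-Idle-Limit  244 integer
VALUE User-Service    Framed-User 2
VALUE Framed-Protocol PPP         1
VALUE Framed-Routing  None        0
"""
# The chapter's sample users file; reply lines start with a tab as Table 1-3 requires.
USERS = """\
# This user profile is for PPP sessions only, and uses a
# local password.

Ascend1 Password="Pipeline"
\tUser-Service=Framed-User,
\tFramed-Protocol=PPP,
\tFramed-Address=10.0.1.1,
\tFramed-Netmask=255.255.255.0,
\tAscend-Metric=2,
\tFramed-Routing=None,
\tAscend-Idle-Limit=30
"""

def parse_dictionary(text):
    """ATTRIBUTE/VALUE lines -> ({name: (number, type)}, {name: {value name: int}})."""
    attributes, values = {}, {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 4 and fields[0] == "ATTRIBUTE":
            attributes[fields[1]] = (int(fields[2]), fields[3])
        elif len(fields) >= 4 and fields[0] == "VALUE":
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return attributes, values

def convert(name, raw, dictionary):
    """Reject attributes the daemon does not know and type the value per the dictionary."""
    attributes, values = dictionary
    if name not in attributes:
        raise ValueError(f"unknown attribute {name!r}")
    if attributes[name][1] == "integer":
        named = values.get(name, {})
        return named[raw] if raw in named else int(raw)
    if attributes[name][1] == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw

def parse_attr_list(text, dictionary):
    """'A=1, B="x"' -> {'A': 1, 'B': 'x'}; values in this format contain no commas."""
    out = {}
    for item in (part.strip() for part in text.split(",") if part.strip()):
        name, sep, raw = item.partition("=")
        if not sep:
            raise ValueError(f"expected Name=Value, got {item!r}")
        out[name.strip()] = convert(name.strip(), raw.strip(), dictionary)
    return out

def parse_users(text, dictionary):
    """Apply the Table 1-3 grammar; returns (profiles, errors), errors collected per line."""
    profiles, errors = [], []
    current = None           # the profile still accepting reply lines, if any
    more_promised = False    # the previous reply line ended with a comma
    for n, line in enumerate(text.splitlines(), 1):
        try:
            if line.startswith("#"):               # comment lines are allowed anywhere
                continue
            if line.strip() == "":                 # blank lines only between profiles
                if more_promised:
                    errors.append(f"line {n}: blank line inside a user profile")
                current, more_promised = None, False
            elif line[0] in " \t":                 # reply line
                if current is None:
                    raise ValueError("attribute line outside a user profile")
                body = line.strip()
                more_promised = body.endswith(",")
                current["reply"].update(parse_attr_list(body.rstrip(","), dictionary))
                if not more_promised:              # no trailing comma: the final line
                    current = None
            else:                                  # first (authentication) line
                if more_promised:
                    errors.append(f"line {n - 1}: trailing comma but no line follows")
                current, more_promised = None, False
                name, rest = (line.split(None, 1) + [""])[:2]
                if rest.rstrip().endswith(","):
                    raise ValueError("first line of a profile must not end with a comma")
                current = {"name": name, "check": parse_attr_list(rest, dictionary), "reply": {}}
                profiles.append(current)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    if more_promised:
        errors.append("end of file: last profile ends with a trailing comma")
    return profiles, errors
```

Run parse_users(USERS, parse_dictionary(DICTIONARY)) and the sample profile comes back as one entry with Password in the check list and the seven reply attributes typed (User-Service becomes 2, Framed-Address becomes a validated dotted quad). Delete the comma after Framed-Protocol=PPP and the checker reports every following line as an attribute line outside a profile, which is also how the daemon would read it: the profile ends early and the remaining attributes are never returned in the Access-Accept.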
Overview of RADIUS attributes
Attributes associated with authentication, connection setup, and user sessions can appear in the following types of packets:
- Access-Request
- Access-Accept
- Access-Reject
- Access-Terminate-Session
- Ascend-Access-Event-Request
- Ascend-Access-Event-Response
The sections that follow describe the attributes in the packets listed above. For information on attributes associated with accounting, see Understanding accounting records.
Access-Request attributes
When it receives an incoming call, the MAX first checks its local Connection profiles. If it doesn't find a Connection profile for the call and you configured the MAX to communicate with RADIUS, the MAX sends an Access-Request packet to the RADIUS server.
The Access-Request packet includes the caller's name and password, and may also include the other attributes shown in Table 1-4.
Access-Accept attributes
If the attribute values that the MAX submits to RADIUS match the attribute values in the user profile, the RADIUS server authenticates the call and returns an Access-Accept packet containing a list of attributes characterizing that user. Table 1-5 lists the RADIUS attributes defined in the Livingston RADIUS draft.
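The Access-Request/Access-Accept exchange above depends on the shared secret from the clients file: the RADIUS server computes a Response Authenticator over its reply with that secret, and the MAX recomputes it before trusting the reply attributes. The following Python is an added example, not Ascend or Livingston code. It frames an Access-Accept for the Ascend1 profile using the attribute numbers in Tables 1-5 and 1-6 (User-Service 6, Framed-Protocol 7, Framed-Address 8, Framed-Netmask 9, Ascend-Idle-Limit 244) and the shared secret from the sample clients file line; the request authenticator, the packet identifier and the enumeration values for Framed-User and PPP are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_SERVICE, FRAMED_PROTOCOL, FRAMED_ADDRESS, FRAMED_NETMASK = 6, 7, 8, 9  # Table 1-5
ASCEND_IDLE_LIMIT = 244            # Table 1-6 (Ascend extension)
FRAMED_USER, PPP = 2, 1            # assumed enumeration values for this example
SECRET = b"bXSAMpy"                # the MAX's shared secret from the sample clients file line
REQUEST_AUTH = bytes(range(16))    # constructed; a real MAX picks 16 random octets per request


def attr(atype: int, payload: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (counting this 2-byte header), Value."""
    if not 1 <= len(payload) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(payload) + 2) + payload


def attr_int(atype: int, value: int) -> bytes:
    return attr(atype, struct.pack("!I", value))


def attr_ip(atype: int, dotted: str) -> bytes:
    return attr(atype, ipaddress.IPv4Address(dotted).packed)


def build_response(code: int, ident: int, request_auth: bytes, attributes: list, secret: bytes) -> bytes:
    """Server side. Response Authenticator =
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """MAX side: trust the reply only if it answers an outstanding request (same
    Identifier and Request Authenticator) and its authenticator used our secret."""
    if len(packet) < 20:
        return False
    _code, pid, length = struct.unpack("!BBH", packet[:4])
    if pid != ident or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute TLVs with bounds checks; returns [(type, value bytes)]."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def sample_accept(ident: int = 7) -> bytes:
    """The Access-Accept the server would return for the chapter's Ascend1 profile."""
    return build_response(ACCESS_ACCEPT, ident, REQUEST_AUTH, [
        attr_int(USER_SERVICE, FRAMED_USER),
        attr_int(FRAMED_PROTOCOL, PPP),
        attr_ip(FRAMED_ADDRESS, "10.0.1.1"),
        attr_ip(FRAMED_NETMASK, "255.255.255.0"),
        attr_int(ASCEND_IDLE_LIMIT, 30),
    ], SECRET)


if __name__ == "__main__":
    pkt = sample_accept()
    print("genuine accept verifies:", verify_response(pkt, 7, REQUEST_AUTH, SECRET))
    forged = bytearray(pkt)
    forged[-1] ^= 1                                   # flip a bit in the last attribute
    print("tampered accept verifies:", verify_response(bytes(forged), 7, REQUEST_AUTH, SECRET))
    print("wrong secret verifies:", verify_response(pkt, 7, REQUEST_AUTH, b"guess"))
    for atype, value in parse_attributes(pkt):
        print(f"  attribute {atype}: {value.hex()}")
```

A reply whose Identifier does not match an outstanding request, or whose authenticator does not verify, is discarded by verify_response, which is what stops a host that does not hold the clients-file secret from handing the MAX an Access-Accept of its own. The bounds checks in parse_attributes are the other half of receiving RADIUS safely: a Length octet below 2 or running past the end of the packet must be rejected before any attribute value is used.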
Table 1-5. Livingston/Ascend RADIUS Access-Accept attributes

| Attribute | Description | Default |
|---|---|---|
| Caller-Id (31) | Specifies the calling party number, indicating the phone number of the user that wants to connect to the MAX. | The default value is null. |
| Change-Password (17) | Specifies a value used internally by the MAX and the RADIUS server to change an expired password. When a user specifies an expired password, RADIUS prompts the user for a new password. When the user enters the new password, the MAX sends an Access-Password-Request packet that contains both the old password (as the value of the Change-Password attribute) and the new password (as the value of the Password attribute). If the RADIUS server accepts the new password, it tries to edit the users file and replace the expired password with the new one. The RADIUS server can make this change only in the flat users file; it cannot make it in the DBM database version of the users file. | This attribute has no default value, because it does not appear in a user profile. |
| Class (25) | Enables access providers to classify their user sessions, for example to bill users depending on the service option they choose. If you include the Class attribute in the RADIUS user profile, the RADIUS server sends it to the MAX in the Access-Accept packet when the session begins. | The default value is null. |
| Client-Port-DNIS (30) | Specifies the called-party number, indicating the phone number the user dialed to connect to the MAX. | The default value is null. |
| Framed-Address (8) | Indicates the IP address of the user. | The default value is 0.0.0.0. |
| Framed-Compression (13) | Turns TCP/IP header compression on or off. | By default, the MAX turns compression on. |
| Framed-MTU (12) | Specifies the maximum number of bytes the MAX can receive in a single packet on a PPP, Frame Relay, EU-UI, or EU-RAW link. | The default value is 1524. |
| Framed-Netmask (9) | Indicates the subnet mask associated with the IP address of a station or router at the remote end of the link. | The default value is 0.0.0.0. |
| Framed-IPX-Network (23) | Indicates a virtual IPX network required for the home agent to route IPX packets to the mobile node. | The default value is null. |
| Framed-Protocol (7) | Specifies the type of protocol a link can use. | By default, the MAX does not restrict the type of protocol a link can use. |
| Framed-Route (22) | Indicates a static IP route when User-Service=Dialout-Framed-User. | host_ipaddr=0.0.0.0, subnet_mask=/0, router_ipaddr=0.0.0.0, metric=8, private="n", profile_name=null, preference=120 |
| Framed-Routing (10) | Specifies whether the MAX sends RIP packets, receives RIP packets, or both. | By default, the MAX neither sends nor receives RIP packets. |
| Login-Host (14) | Specifies the host to which the MAX automatically connects when you set User-Service=Login-User and specify a value for the Login-Service attribute. | The default value is 0.0.0.0. This setting specifies no host. |
| Login-Service (15) | Specifies the type of terminal service connection to an IP host that occurs immediately after authentication. | By default, the MAX does not grant immediate access to any type of terminal server session. |
| Login-TCP-Port (16) | Specifies the port number to which a TCP session connects. | The default value is null. |
| Reply-Message (18) | Specifies text that appears to the terminal server operator who is using the menu-driven interface. You can specify up to 16 entries per user profile. | The default value is null. |
| User-Service (6) | Indicates whether the link can use framed or unframed services. You can specify Framed-User, Login-User, or Dialout-Framed-User. | By default, the MAX does not limit the services that a link can use. |
Table 1-6 lists Ascend extensions to the RADIUS attributes. These are defined only in the Ascend RADIUS dictionary file and require the Ascend RADIUS daemon.
Table 1-6. Ascend RADIUS Access-Accept attributes
Attribute
|
Description
|
Default
|
---|
Ascend-Add-Seconds (240)
|
Specifies the number of seconds that average line utilization (ALU) for transmitted data must exceed the threshold indicated by the Ascend-Target-Util attribute before the MAX begins adding bandwidth to a session.
|
The default value is 5.
|
Ascend-Ara-PW (181)
|
Indicates the password of the incoming caller over AppleTalk Remote Access (ARA).
|
The default value is null.
|
Ascend-Assign-IP-Client (144)
|
Specifies the IP address of an Ascend unit that can use global IP address pools.
|
The default value is 0.0.0.0.
|
Ascend-Assign-IP-Global-Pool (146)
|
Specifies the global address pool from which RADIUS should assign a user an address.
|
The default value is null.
|
Ascend-Assign-IP-Pool (218)
|
Specifies the address pool that incoming calls use.
|
The default value is 1.
|
Ascend-Assign-IP-Server (145)
|
Specifies the IP address of the host running radipad.
|
The default value is 0.0.0.0.
|
Ascend-Authen-Alias (203)
|
Sets the MAX unit's login name during PPP authentication.
|
The default is the value of the Name parameter in the System profile.
|
Ascend-backup (176)
|
Specifies the name of a backup profile for a nailed-up link.
|
The default value is null.
|
Ascend-BACP-Enable (134)
|
Specifies whether Bandwidth Allocation Control Protocol (BACP) is enabled for the link.
|
The default is BACP-No.
|
Ascend-Base-Channel-Count (172)
|
Specifies the initial number of channels the MAX sets up when originating calls for a PPP, MP+, MP, or Combinet multichannel link.
|
The default value is 1.
|
Ascend-Billing-Number (249)
|
Indicates a billing number for charges incurred on the line.
|
The default value is null.
|
Ascend-Bridge (230)
|
Enables or disables protocol- independent bridging for the link.
|
The default it to disable bridging.
|
Ascend-Bridge-Address (168)
|
Specifies a bridge entry.
|
MAC_address=000000000000
profile_name=null
IP_address=0.0.0.0
|
Ascend-Callback (246)
|
Enables or disables callback.
|
By default, the MAX disables callback.
|
Ascend-Call-By-Call (250)
|
Specifies the T1 PRI service that the MAX uses when placing a call.
|
By default, the MAX uses ACCUNET Switched Digital Services from AT&T.
|
Ascend-Call-Filter (243)
|
Defines a call filter.
|
The default value is null.
|
Ascend-Call-Type (177)
|
Specifies the type of nailed-up connection in use.
|
The default value is Nailed.
|
Ascend-Client-Gateway (132)
|
Specifies the default route for IP packets coming from the user on this connection.
|
The default value is 0.0.0.0.
|
Ascend-Data-Filter (242)
|
Defines a data filter.
|
The default value is null.
|
Ascend-Data-Svc (247)
|
Specifies the type of data service the link uses.
|
The default value is Switched-56 service.
|
Ascend-DBA-Monitor (171)
|
Specifies how the MAX monitors traffic on an MP+ call.
|
By default, the MAX adds or subtracts bandwidth based on the amount of data it transmits-that is, the default value is DBA-Transmit.
|
Ascend-Dec-Channel-Count (237)
|
Indicates the number of channels the MAX removes when bandwidth changes either manually or automatically during a call.
|
The default value is 1.
|
Ascend-DHCP-Maximum-Leases
|
Specifies the maximum number of dynamic addresses to assign to NAT clients using a connection
|
The default value is 4.
|
Ascend-DHCP-Pool-Number (148)
|
Specifies the address pool to use for allocating an IP address to a Dynamic Host Configuration Protocol (DHCP) client or a NAT client on a connection.
|
The default value is 0 (zero).
|
Ascend-DHCP-Reply (147)
|
Specifies whether the MAX processes Dynamic Host Configuration Protocol (DHCP) packets and acts as a DHCP server on this connection.
|
The default is to disable DHCP functionality (DHCP-Reply-No).
|
Ascend-Dial-Number (227)
|
Specifies the phone number the MAX dials to reach the bridge, router, or node at the remote end of the link.
|
The default value is null.
|
Ascend-Dialout-Allowed (131)
|
Specifies whether the user associated with the RADIUS user profile can dial out using one of the MAX unit's digital modems.
|
The default value is Dialout-Not Allowed.
|
Ascend-Expect-Callback (149)
|
Specifies whether a user calling out should expect the remote end to call back.
|
The default value is no callback (Expect-Callback-No).
|
Ascend-First-Dest (189)
|
Specifies the destination IP address of the first packet the MAX receives on a connection after it has authenticated the link.
|
This attribute has no default value, because it does not appear in a user profile.
|
Ascend-Force-56 (248)
|
Indicates whether the MAX uses only the 56-Kbps portion of a channel, even when all 64 Kbps appear to be available.
|
By default, the MAX attempts to use all 64 Kbps (Force-56-No).
|
Ascend-FR-Circuit-Name (156)
|
Indicates the Permanent Virtual Connection (PVC) for which the user profile is an endpoint.
|
The default value is null.
|
Ascend-FR-DCE-N392 (162)
|
Specifies the number of errors during Ascend-FR-DCE-N393-monitored events that cause the network side to declare the user side's procedures inactive.
|
The default value is 3.
|
Ascend-FR-DCE-N393 (164)
|
Specifies the DCE-monitored event count.
|
The default value is 4.
|
Ascend-FR-Direct (219)
|
Specifies whether the MAX uses a gateway connection or a redirect connection.
|
By default, the MAX uses a gateway connection (FR-Direct-No).
|
Ascend-FR-Direct-DLCI (221)
|
Identifies the user profile to the frame relay switch as a logical link on a physical circuit for a redirect connection.
|
The default value is 16.
|
Ascend-FR-Direct-Profile (220)
|
Specifies the name of the Frame Relay profile that carries the redirect connection to the frame relay switch.
|
The default value is null.
|
Ascend-FR-DLCI (179)
|
Indicates the Data Link Connection Indicator (DLCI) that identifies the RADIUS user profile to the frame relay switch as a logical link on a physical circuit in a gateway connection.
|
The default value is 16.
|
Ascend-FR-DTE-N392 (163)
|
Specifies the number of errors during Ascend-FR-DTE-N393-monitored events that cause the network side to declare the user side's procedures inactive.
|
The default value is 3.
|
Ascend-FR-DTE-N393 (165)
|
Specifies the DTE-monitored event count.
|
The default value is 4.
|
Ascend-FR-Link-Mgt (160)
|
Specifies the type of frame relay link management in use for the profile.
|
By default, the MAX does not use link management (Ascend-FR-No-Link-Mgt).
|
Ascend-FR-LinkUp (157)
|
Indicates whether a link comes up automatically.
|
By default, the link does not come up automatically.
|
Ascend-FR-N391 (161)
|
Specifies the interval at which the MAX requests a Full Status Report.
|
The default value is 6.
|
Ascend-FR-Nailed-Grp (158)
|
Indicates the nailed channel number for a frame relay datalink.
|
The default value is 1.
|
Ascend-FR-Profile-Name (180)
|
Specifies the name of the Frame Relay profile the MAX uses in building a gateway connection.
|
The default value is null.
|
Ascend-FR-T391 (166)
|
Sets up the Link Integrity Verification polling time.
|
The default value is 10.
|
Ascend-FR-T392 (167)
|
Sets up the timer for the verification of the polling cycle- the length of time the unit should wait between Status Enquiry messages. An error results if the MAX does not receive a Status Enquiry message within the number of seconds you specify for this attribute.
|
The default value is 15.
|
Ascend-FR-Type (159)
|
Specifies the type of frame relay connection.
|
By default, the MAX assumes a UNI-to-DTE connection (Ascend-FR-DTE).
|
Ascend-FT1-Caller (175)
|
Indicates whether the MAX initiates an FT1-AIM or an FT1-B&O call, or whether it waits for the remote end to initiate these types of calls.
|
By default, the MAX waits for the remote end to initiate the call (FT1-No).
|
Ascend-Group (178)
|
Points to the nailed-up channels that the WAN link uses.
|
The default value is 1.
|
Ascend-Handle-IPX (222)
|
Specifies how the MAX handles NCP watchdog requests on behalf of IPX clients during IPX bridging.
|
By default, the MAX does not handle NCP watchdog requests (Handle-IPX-None).
|
Ascend-History-Weigh-Type (239)
|
Indicates which Dynamic Bandwidth Allocation (DBA) algorithm to use for calculating average line utilization (ALU) of transmitted data.
|
The default value is History-Quadratic.
|
Ascend-Home-Agent-Password (184)
|
Indicates the password that the foreign agent sends to the home agent during ATMP operation.
|
The default value is null.
|
Ascend-Home-Agent-UDP-Port (186)
|
Specifies the UDP port number to use when the foreign agent sends ATMP packets to the home agent.
|
The default value is 5150.
|
Ascend-Home-Network-Name (185)
|
Indicates the name of the Connection profile through which the home agent sends all packets it receives from the mobile node during ATMP operation.
|
The default value is null.
|
Ascend-Host-Info (252)
|
Specifies the IP address and description of the first, second, third, and fourth hosts to which a user can establish a Telnet session as listed in the terminal server menu-driven interface.
|
The default address is 0.0.0.0/0 and the default description is null.
|
Ascend-Idle-Limit (244)
|
Indicates the number of seconds the MAX waits before clearing a call when a session is inactive.
|
The default value is 120 seconds.
|
Ascend-IF-Netmask (154)
|
Specifies the subnet mask in use for the local numbered interface.
|
The default value is 0.0.0.0.
|
Ascend-Inc-Channel-Count (236)
|
Specifies the number of channels the MAX adds when bandwidth changes either manually or automatically during a call.
|
The default value is 1.
|
Ascend-IP-Direct (209)
|
Indicates the IP address to which the MAX redirects packets from the user.
|
The default value is 0.0.0.0. This setting specifies that the MAX does not perform IP redirection.
|
Ascend-IP-Pool-Definition (217)
|
Specifies the first IP address in an IP address pool and the number of addresses in the pool.
|
The default number of the pool is 1. The default for the first address is 0.0.0.0. The default number of addresses is 0 (zero).
|
Ascend-IPX-Alias (224)
|
Indicates an IPX network number to use when connecting to IPX routers that require numbered interfaces.
|
The default value is 00000000.
|
Ascend-IPX-Node-Addr (182)
|
Specifies a unique IPX node address on the Framed-IPX-Network. This value completes the IPX address of a mobile node.
|
The default value is 000000000001.
|
Ascend-IPX-Peer-Mode (216)
|
Specifies whether the caller is an Ethernet client with its own IPX network address or a dial-in PPP client.
|
By default, the MAX assumes an Ethernet client with its own IPX network address (IPX-Peer-Router).
|
Ascend-IPX-Route (174)
|
Defines a static IPX route.
|
profile_name=null
network#=00000000
node#=0000000000001
socket#=0000
server_type=0000
hop_count=1
tick_count=12
server_name=null
|
Ascend-Link-Compression (233)
|
Turns data compression on or off for a PPP link.
|
The default is no compression.
|
Ascend-Maximum-Call- Duration (125)
|
Specifies the maximum number of minutes an incoming call can remain online.
|
The default value is 0 (zero).
|
Ascend-Maximum-Channels (235)
|
Specifies the maximum number of channels allowed on an MP+ call.
|
The default value is 1.
|
Ascend-Maximum-Time (194)
|
Indicates the maximum length of time in seconds that any session is allowed.
|
The default value is 0 (zero), which specifies no time limit.
|
Ascend-Menu-Item (206)
|
Defines a single menu item for a user profile.
|
By default, the MAX uses the standard terminal server menu.
|
Ascend-Menu-Selector (205)
|
Specifies a string as a prompt for user input in the terminal server menu interface.
|
The default value is Enter Selection (1- num, q) , where num is the number of items on the menu.
|
Ascend-Metric (225)
|
Indicates the virtual hop count of the route.
|
The default value is 7.
|
Ascend-Minimum-Channels (173)
|
Specifies the minimum number of channels an MP+ call maintains.
|
The default value is 1.
|
Ascend-MPP-Idle-Percent (254)
|
Specifies a percentage of bandwidth utilization below which the MAX clears a single-channel MP+ call.
|
The default value is 0 (zero).
|
Ascend-Multicast-Client (152)
|
Specifies whether the user is a multicast client of the MAX.
|
The default value is Multicast-No.
|
Ascend-Multicast-Rate-Limit (153)
|
Specifies how many seconds the MAX waits before accepting another packet from a multicast client.
|
The default value is 100.
|
Ascend-Multilink-ID (187)
|
Indicates the ID number of the Multilink bundle when the session closes. A Multilink bundle is a multichannel MP or MP+ call.
|
This attribute has no default value, because it does not appear in a user profile.
|
Ascend-Netware-timeout (223)
|
Indicates the number of minutes the MAX responds to NCP watchdog requests on behalf of IPX clients on the other side of an offline IPX bridging or routing connection.
|
The default value is 0 (zero).
|
Ascend-Num-In-Multilink (188)
|
Indicates the number of sessions remaining in a Multilink bundle when the session closes.
|
This attribute has no default value, because it does not appear in a user profile.
|
| Attribute | Description | Default |
|---|---|---|
| Ascend-PPP-Address (253) | Specifies the IP address reported to the calling unit during PPP IPCP negotiations. | The value of this attribute is always negotiated. |
| Ascend-PPP-Async-Map (212) | Gives the Ascend PPP code the async control character map for the PPP session. | The default value is the standard async control character map. |
| Ascend-PPP-VJ-1172 (211) | Instructs the Ascend PPP code whether to use the 0x0037 value for the VJ compression type. | By default, the MAX uses VJ compression type 0x002d. |
| Ascend-PPP-VJ-Slot-Comp (210) | Instructs the Ascend PPP code whether to use slot compression when sending VJ-compressed packets. | By default, the MAX uses slot compression (VJ-Slot-Comp-Yes). |
| Ascend-Preempt-Limit (245) | Specifies the number of idle seconds the MAX waits before using one of the channels of an idle link for a new call. | The default value is 60 seconds. |
| Ascend-Pre-Input-Octets (190) | Records the number of input octets before authentication. | This attribute has no default value, because it does not appear in a user profile. |
| Ascend-Pre-Input-packets (192) | Specifies the number of input packets before authentication. | This attribute has no default value, because it does not appear in a user profile. |
| Ascend-Pre-Output-Octets (191) | Indicates the number of output octets before authentication. | This attribute has no default value, because it does not appear in a user profile. |
| Ascend-Pre-Output-packets (193) | Records the number of output packets before authentication. | This attribute has no default value, because it does not appear in a user profile. |
| Ascend-Primary-Home-Agent | Specifies the first home agent the foreign agent tries to reach when setting up an ATMP tunnel, and indicates the UDP port the foreign agent uses for the link. | The default IP address is 0.0.0.0, and the default UDP port is 5150. |
| Ascend-PRI-Number-Type (226) | Indicates the type of phone number the MAX dials under the extended dial plan. | The default value is National-Number. |
| Ascend-PW-Expiration (21) | Specifies an expiration date for the user's password. | The default is no expiration date. |
| Ascend-PW-Lifetime (208) | Indicates on a per-user basis the number of days that a password is valid. | The default is the value of the Lifetime-In-Days attribute from the Ascend dictionary. |
| Ascend-Receive-Secret (215) | Specifies a value the MAX receives from a dial-in user in order to verify an encrypted password. | The default value is null. |
| Ascend-Remote-Addr (155) | Specifies the IP address of the link's remote interface to the WAN. | The default value is 0.0.0.0. |
| Ascend-Remove-Seconds (241) | Specifies the number of seconds that average line utilization (ALU) for transmitted data must fall below the threshold indicated by the Ascend-Target-Util attribute before the MAX begins removing bandwidth from a session. | The default value is 10. |
| Ascend-Require-Auth (201) | Indicates whether additional authentication is required for calls that have already passed CLID or called-number authentication. Called-number authentication is also known as Dialed Number Information Service (DNIS) authentication. | By default, the MAX does not require additional authentication (Not-Require-Auth). |
| Ascend-Route-IP (228) | Enables or disables the routing of IP data packets over the link. | By default, the MAX enables IP routing. |
| Ascend-Route-IPX (229) | Enables or disables IPX routing. | By default, the MAX disables IPX routing. |
| Ascend-Secondary-Home-Agent | Specifies the secondary home agent the foreign agent tries to reach when the primary home agent (Ascend-Primary-Home-Agent) is unavailable. Also indicates the UDP port the foreign agent uses for the link. | The default IP address is 0.0.0.0, and the default UDP port is 5150. |
| Ascend-Seconds-Of-History (238) | Specifies the number of seconds the MAX uses as a sample for calculating average line utilization (ALU) of transmitted data. | The default value is 15. |
| Ascend-Send-Auth (231) | Indicates the protocol to use for name-password authentication. | By default, the MAX does not use an authentication protocol. |
| Ascend-Send-Passwd (232) | Specifies the password that the MAX sends to the remote end of a connection on outgoing calls. | The default value is null. |
| Ascend-Send-Secret (214) | Specifies that the system encrypts the password when passing it between the RADIUS server and the MAX on outgoing calls. | The default value is null. |
| Ascend-Target-Util (234) | Specifies the percent bandwidth utilization at which the MAX adds or subtracts bandwidth dynamically. | The default value is 70. |
| Ascend-Third-Prompt (213) | Indicates an additional prompt for user input after the login and password prompts. | By default, the MAX does not display an additional prompt. |
| Ascend-Token-Expiry (204) | Sets the lifetime of a cached token, that is, the lifetime of hand-held security-card authentication. | The default value is 0 (zero), which specifies that token caching is not allowed. |
| Ascend-Token-Idle (199) | Specifies the maximum length of time in minutes a cached token can remain alive between authentications if a call is idle. | By default, the token remains alive until the value of Ascend-Token-Expiry is reached. |
| Ascend-Token-Immediate (200) | Establishes how RADIUS treats the password it receives from a Login-User when the user profile specifies a hand-held security card server. | By default, the MAX does not use a cached token (Tok-Imm-No). |
| Ascend-Transit-Number (251) | Specifies the U.S. Interexchange Carrier (IEC) to use for long-distance calls over a T1 PRI or E1 PRI line. | The default value is null. |
| Ascend-TS-Idle-Limit (169) | Specifies the number of seconds that a terminal server connection must be idle before the MAX disconnects the session. | The default value is 120. |
| Ascend-TS-Idle-Mode (170) | Specifies whether the MAX uses a terminal server idle timer and, if so, whether both the user and host must be idle before the MAX disconnects the session. | By default, the MAX disconnects the session if the user is idle for a length of time greater than the value of the Ascend-TS-Idle-Limit attribute. The default value is TS-Idle-Input. |
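The three bandwidth-management attributes above (Ascend-Seconds-Of-History, Ascend-Target-Util and Ascend-Remove-Seconds) only make sense together. The following is an added example, not code from Ascend or from this guide, that models how those settings interact: it assumes one utilization sample per second, a plain mean over the last Seconds-Of-History samples as the ALU, and a counter of consecutive seconds below Target-Util that must reach Remove-Seconds. The exact arithmetic the MAX uses is not given in this chapter, so treat the model as illustrative; the sample trace is constructed.

```python
from collections import deque
from typing import Deque, List, Optional


class BandwidthRemovalMonitor:
    """Simplified model (an assumption, not Ascend's algorithm) of the decision
    to start removing bandwidth from a session.

    seconds_of_history -> Ascend-Seconds-Of-History (default 15)
    target_util        -> Ascend-Target-Util, in percent (default 70)
    remove_seconds     -> Ascend-Remove-Seconds (default 10)
    """

    def __init__(self, seconds_of_history: int = 15, target_util: int = 70,
                 remove_seconds: int = 10) -> None:
        if seconds_of_history < 1 or remove_seconds < 1:
            raise ValueError("history and remove-seconds must be at least 1")
        self.target_util = target_util
        self.remove_seconds = remove_seconds
        # Sliding window of the most recent per-second utilization samples.
        self.window: Deque[float] = deque(maxlen=seconds_of_history)
        # Consecutive seconds during which ALU has been below the target.
        self.seconds_below = 0

    def average_line_utilization(self) -> Optional[float]:
        """ALU over the current sample window, or None before any sample."""
        if not self.window:
            return None
        return sum(self.window) / len(self.window)

    def observe(self, util_percent: float) -> bool:
        """Feed one per-second sample (0-100). Returns True on a second at which
        the model would begin removing bandwidth from the session."""
        self.window.append(util_percent)
        alu = self.average_line_utilization()
        if alu is not None and alu < self.target_util:
            self.seconds_below += 1
        else:
            # Any second at or above the target restarts the countdown.
            self.seconds_below = 0
        return self.seconds_below >= self.remove_seconds


def first_removal_second(samples: List[float], **params: int) -> Optional[int]:
    """Index (1-based second) at which bandwidth removal would first begin,
    or None if the trace never stays below target long enough."""
    monitor = BandwidthRemovalMonitor(**params)
    for second, sample in enumerate(samples, start=1):
        if monitor.observe(sample):
            return second
    return None


# Constructed trace: 20 s of a busy link at 90%, then 30 s at 20%.
SAMPLE_TRACE: List[float] = [90.0] * 20 + [20.0] * 30

if __name__ == "__main__":
    # With the defaults, the 15-second ALU only drops below 70% at second 25
    # (five low samples in the window), and removal starts 10 seconds later.
    print("removal begins at second", first_removal_second(SAMPLE_TRACE))
```

Lowering Ascend-Remove-Seconds makes the link shed channels sooner after traffic drops; lengthening Ascend-Seconds-Of-History smooths short dips so that a brief lull does not trigger removal.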
Access-Reject attributes
If the attribute values submitted to RADIUS do not match the attribute values in the user profile, the RADIUS server does not authenticate the call and returns an Access-Reject packet containing one or more of the values listed in Table 1-7.
Access-Terminate-Session attributes
If the RADIUS server determines that the MAX should terminate the session, it sends an Access-Terminate-Session packet containing the Reply-Message attribute. This attribute carries message text from the RADIUS server to RADIUS clients such as the MAX.
Ascend-Access-Event-Request attributes
The MAX can report the number of sessions by class to the RADIUS authentication server specified by Auth Host #n when Auth=RADIUS/LOGOUT in the Ethernet > Mod Config > Auth menu. In addition, the MAX can report on sessions to the RADIUS accounting server specified by the Acct Host #n parameter in the Ethernet > Mod Config > Accounting menu.
The MAX reports the number of sessions by sending an Ascend-Access-Event-Request (33) packet type at the interval defined by the Sess Timer parameter in the Ethernet > Mod Config > Auth menu (for authentication requests) or in the Ethernet > Mod Config > Accounting menu (for accounting requests).
Table 1-8 lists the attributes in an Ascend-Access-Event-Request packet.
Ascend-Access-Event-Response attributes
Table 1-9 lists the attributes in an Ascend-Access-Event-Response packet.
Overview of RADIUS packet formats
Each RADIUS packet consists of the fields listed in Table 1-10.
Table 1-11 lists the packet types that can appear in the code field.
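The following is an added example, not code from Ascend or from this guide, showing the packet structure this section refers to in working form: a parser for the RADIUS header fields (Code, Identifier, Length, Authenticator) and the Type-Length-Value attributes that follow, plus the check a RADIUS client such as the MAX performs on a server reply, recomputing the Response Authenticator from the shared secret so that a forged or altered Access-Reject or Access-Accept is not acted on. The header layout and the Response Authenticator rule are from RFC 2865; the packet codes and attribute numbers are the standard ones and those named in this chapter, with attribute data types inferred from their descriptions. The shared secret, request authenticator and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)

# Packet codes: standard values from RFC 2865/2866, plus the Ascend-specific
# Ascend-Access-Event-Request (33) named in this chapter.
PACKET_CODES: Dict[int, str] = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
    33: "Ascend-Access-Event-Request",
}

# Attribute dictionary limited to numbers given in this chapter, plus the
# standard Reply-Message (18) that Access-Reject packets carry. Types are
# inferred from the attribute descriptions (assumption).
ATTRIBUTES: Dict[int, Tuple[str, str]] = {
    18: ("Reply-Message", "string"),
    155: ("Ascend-Remote-Addr", "ipaddr"),
    228: ("Ascend-Route-IP", "integer"),
    253: ("Ascend-PPP-Address", "ipaddr"),
}


def decode_value(kind: str, raw: bytes) -> object:
    """Decode one attribute value according to its dictionary type."""
    if kind in ("integer", "ipaddr") and len(raw) != 4:
        raise ValueError(f"{kind} attribute must be 4 bytes")
    if kind == "integer":
        return struct.unpack("!I", raw)[0]
    if kind == "ipaddr":
        return ".".join(str(b) for b in raw)
    return raw.decode("utf-8", errors="replace")


def parse_packet(data: bytes) -> dict:
    """Split a RADIUS packet into header fields and decoded attributes.
    Every length is validated before it is used, so truncated or malformed
    input raises ValueError instead of being mis-parsed."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("Length field does not fit the packet")
    attrs: List[Tuple[str, object]] = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        name, kind = ATTRIBUTES.get(atype, (f"Attribute-{atype}", "string"))
        attrs.append((name, decode_value(kind, data[pos + 2:pos + alen])))
        pos += alen
    return {"code": code, "code_name": PACKET_CODES.get(code, f"Unknown-{code}"),
            "identifier": ident, "length": length,
            "authenticator": data[4:HEADER_LEN], "attributes": attrs}


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode (type, raw value) pairs as Type-Length-Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_reply(code: int, ident: int, request_auth: bytes,
                attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Build a server reply whose Authenticator is the RFC 2865 Response
    Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_reply(data: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a mismatch means the reply was not
    produced with this request's authenticator and the shared secret, or was
    altered in transit. Compared in constant time."""
    pkt = parse_packet(data)
    header = struct.pack("!BBH", pkt["code"], pkt["identifier"], pkt["length"])
    body = data[HEADER_LEN:pkt["length"]]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])


# Constructed sample values, not captured traffic.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # stand-in for the Access-Request authenticator


def sample_access_reject() -> bytes:
    """Access-Reject carrying a Reply-Message, as this chapter describes."""
    return build_reply(3, 7, REQUEST_AUTH, [(18, b"Password expired")], SECRET)


def sample_access_accept() -> bytes:
    """Access-Accept with Ascend-PPP-Address 10.0.0.7 and Ascend-Route-IP 1."""
    return build_reply(2, 8, REQUEST_AUTH,
                       [(253, bytes([10, 0, 0, 7])), (228, struct.pack("!I", 1))],
                       SECRET)


if __name__ == "__main__":
    reject = sample_access_reject()
    print(parse_packet(reject)["code_name"], verify_reply(reject, REQUEST_AUTH, SECRET))
    tampered = reject[:-1] + b"!"  # alter the last byte of Reply-Message
    print("tampered reply verifies:", verify_reply(tampered, REQUEST_AUTH, SECRET))
```

The length checks in parse_packet matter as much as the authenticator check: a client that trusts the Length field or an attribute's length byte before comparing them with the buffer can be made to read past the packet. Note that RFC 2865 authenticates replies with MD5 over the shared secret; that is the integrity a RADIUS client gets, so the secret must be long and random and the server reachable only over a trusted network segment.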
techpubs@eng.ascend.com
Copyright © 1998, Ascend Communications, Inc. All rights reserved.