Ascend Customer Service

About This Guide

How to use this guide
What this guide contains
Who should read this guide
Documentation conventions
Manual set
Related publications

Chapter 1 Getting Acquainted with RADIUS

How does the MAX use RADIUS?
How does RADIUS authentication work?
How does RADIUS accounting work?
What types of applications does RADIUS support?
Simple RADIUS authentication and accounting
RADIUS authentication and accounting with a backup server
RADIUS with an external security-card server
Using RADIUS to sign up new customers
What files does RADIUS use?
Dictionary file
Clients file
Users file
Overview of RADIUS attributes
Access-Request attributes
Access-Accept attributes
Access-Reject attributes
Access-Terminate-Session attributes
Ascend-Access-Event-Request attributes
Ascend-Access-Event-Response attributes
Overview of RADIUS packet formats

Chapter 2 Installing and Starting RADIUS

What is RADIUS?
What you need before you start
Installing the RADIUS daemon
Installing radipad for global IP pools
Configuring the MAX to use the RADIUS server
Using SNMP to specify the primary RADIUS server
Starting the RADIUS daemon
Running the daemon with a flat ASCII users file
Running the daemon with a UNIX DBM database
Creating the executable files
Creating the DBM database
Starting the RADIUS daemon for a DBM database

Chapter 3 Setting Up RADIUS Authentication

Overview of RADIUS authentication
Overview of RADIUS authentication attributes
Specifying a user name
Setting the User-Name attribute
Using the caller's name
Using the caller's MAC address (for Combinet calls)
Using the keyword Default
Using the incoming phone number (for CLID authentication)
Using the called number (for called-number authentication)
Using a keyword representing a pseudo-user profile
Setting the Ascend-Authen-Alias attribute
Specifying a password
Setting the Password attribute
Setting the Ascend-Send-Passwd and Ascend-Send-Secret attributes
Setting the Ascend-Ara-PW attribute
Configuring password expiration
How Ascend-PW-Expiration and Ascend-PW-Lifetime work
Changing a non-expired password
Changing an expired password
Specifying the MAX unit's IP address
NAS-Identifier example
Setting up the MAX for callback
Ascend callback security
Callback example
Microsoft's Callback Control Protocol (CBCP)
Ascend's implementation of CBCP
Negotiation of CBCP
Configuring Microsoft's CBCP to use a User Profile
Specifying an access protocol for incoming calls
Requiring PAP, CHAP, or MS-CHAP for PPP, MP, and MP+ calls
How PAP works
How CHAP and MS-CHAP work
Requiring PAP-TOKEN, CACHE-TOKEN, or PAP-TOKEN-CHAP
How PAP-TOKEN works
How CACHE-TOKEN works
How PAP-TOKEN-CHAP works
Using different access methods with local authentication
Requesting an access protocol for outgoing calls
CHAP example
Setting up security-card authentication
Introducing security-card authentication
Configuring the MAX to recognize the authentication server
Configuring the MAX to recognize the APP Server utility
Configuring PAP-TOKEN authentication
PAP-TOKEN example for Security Dynamics ACE/Server
Configuring CACHE-TOKEN authentication
CACHE-TOKEN example for Enigma Logic server
Configuring PAP-TOKEN-CHAP authentication
PAP-TOKEN-CHAP example for Enigma Logic server
Configuring ACE authentication for remote bridge/router users
Setting up CLID authentication
Before you begin
General guidelines
Scenario 1: Authentication using name, password, and caller ID
Example using name, password, and caller ID
Scenario 2: Authentication using a caller ID only
Example using a caller ID only
Scenario 3: External authentication after CLID authentication
Example using token-card server after CLID authentication
Scenario 4: PAP, CHAP, or MS-CHAP after CLID authentication
Example using CHAP after CLID authentication
Setting up called-number authentication
Before you begin
Configuring DNIS numbers in RADIUS
How the Ascend unit learns about DNIS entries
Scenario 1: Authentication using name, password, and called number
Example using name, password, and called number
Scenario 2: Authentication using the called number only
Example using the called number only
Scenario 3: External authentication after called-number authentication
Example using token server after called-number authentication
Putting it all together
Analog dial-in with terminal server authentication
Digital dial-in using terminal server authentication
PPP login with PAP, CHAP, or MS-CHAP authentication

Chapter 4 Setting Up WAN Connections in RADIUS

Limiting access to services and protocols
Service access example
Restricting users to specific lines and channels
Line and channel example
Setting up a PPP connection
Before you begin
Configuring a PPP connection in RADIUS
PPP connection example
Setting up an MP or MP+ connection
Before you begin
Configuring an MP or MP+ connection in RADIUS
MP+ connection example
Setting up a BACP connection
Setting up a Nailed/MPP connection
Before you begin
Configuring a Nailed/MPP connection in RADIUS
Nailed/MPP connection example
Setting up a nailed-up connection
Before you begin
Configuring a nailed-up connection in RADIUS
Nailed-up connection example
Modifying or deleting nailed-up profiles
Setting up a Combinet connection
Before you begin
Configuring a Combinet connection in RADIUS
Combinet connection example
Setting up an AppleTalk connection
Example of AppleTalk connection with static route
Setting up an ARA connection
Before you begin
Configuring an ARA connection in RADIUS
ARA connection example
Setting up a terminal server connection
Before you begin
Overview of terminal server attributes
Enabling Telnet, TCP, and Rlogin connections
Terminal service access examples
Setting the terminal server idle timer
Configuring a custom menu and an input prompt
Custom terminal server menu examples
Configuring the message text and a list of hosts
Message text and host list example
Controlling access to the unit's digital modems on a per-user basis
Digital modem dialout example
An extended terminal server example
Setting up a TCP connection between two MAX units
Before you begin
Overview of TCP connection attributes
Configuring the MAX at the central switch
Configuring the MAX at the ISP
TCP connection example
Managing bandwidth
Setting up Dynamic Bandwidth Allocation (DBA)
How DBA works
How RADIUS authenticates multiple channels
Configuring DBA in RADIUS
Guidelines for optimal use of DBA
DBA example
Specifying a time limit and idle connection attributes
Setting up outgoing calls
Outgoing call example
Setting up packet filters
How packet filters work
Ways to apply packet filters
Data filters for dropping or forwarding certain packets
Call filters for managing connections
Overview of filter configuration tasks
Configuring IP filters
IP filter example
Configuring IPX filters
Two IPX filter examples
Dropping outbound IPX packets with specific destination network
Dropping outbound IPX packets with specific source network
Configuring a generic filter
Generic filter example
Configuring a RADIUS user profile to use a filter defined on the MAX
How firewalls work with the Filter-Id RADIUS attribute
Filter ID numbering
Local filter use example
Firewall example
Configuring filter changes
Before you begin
Specifying filter changes in RADIUS
How RADIUS uses Change-Filter-Request packet attributes
Setting up disconnects
Before you begin
Configuring disconnects in RADIUS
How RADIUS uses Disconnect-Request packet attributes
Disconnect example
Setting up multicast forwarding
Before you begin
Configuring multicast forwarding in RADIUS

Chapter 5 Setting Up Frame Relay in RADIUS

Using the MAX as a Frame Relay concentrator
Types of logical links between the MAX and a Frame Relay switch
NNI interfaces
UNI-DCE interfaces
UNI-DTE interfaces
Types of Frame Relay user connections
Gateway connections
Circuit connections
Redirect connections
Setting up the logical link to a Frame Relay switch
Overview of RADIUS attributes for a Frame Relay profile
Configuring a RADIUS Frame Relay profile
Sample RADIUS Frame Relay profile configurations
Specifying an NNI interface
Specifying a UNI-DCE interface
Specifying a UNI-DTE interface
Setting up Frame Relay user connections
Before you begin
Overview of RADIUS attributes for a Frame Relay connection
Configuring a Frame Relay gateway connection
Configuring a Frame Relay circuit connection
Configuring a Frame Relay redirect connection
Sample RADIUS Frame Relay user profile configurations
Specifying a gateway connection
Specifying a circuit connection
Specifying a redirect connection
Setting up a backup profile for a Frame Relay link

Chapter 6 Setting Up Routing and Bridging Links

Setting up a system-based IP routing connection
Before you begin
Introducing system-based IP routing
Overview of RADIUS attributes for IP routing
Specifying IP routing and RIP behavior
Host-to-router connection example
Router-to-router connection example
Requiring that a caller accept an IP address from the MAX
Defining a pool of IP addresses for dynamic assignment
Before you begin
Configuring MAX-specific IP address pools in RADIUS
Configuring global IP address pools shared by several MAX units
Configuring IP redirection
IP direct example
Specifying default routes on a per-user basis
Configuring static IP routes
Specifying static IP routes in a pseudo-user profile
Specifying static IP routes in a dial-in user profile
Summarizing host routes in an IP address pool
Before you begin
Configuring host route summaries in RADIUS
Setting up an interface-based IP routing connection
Before you begin
Overview of RADIUS attributes for interface-based routing
Configuring interface-based routing in RADIUS
If both the system and interface addresses are known
If only the interface address is known
If you do not specify the remote interface address
Setting up an IPX routing connection
Before you begin
Introducing IPX routing
Overview of RADIUS attributes for IPX routing
Specifying IPX routing
Dial-in client connection example
Configuring static IPX routes
Static IPX route configuration examples
Setting up a bridging connection
Before you begin
Introducing bridging
Overview of special IPX bridging requirements
Bridging when only the local network supports NetWare clients
Bridging when only the local network supports NetWare servers
Bridging when both sides of the link support NetWare servers
IPX routing and bridging on the same connection
Overview of RADIUS bridging attributes
Specifying protocol-independent bridging
IPX client bridge example (local clients)
IPX server bridge example (local servers)
Configuring bridge entries
Bridge profile configuration examples
Setting up a DHCP connection
Overview of DHCP attributes
Configuring a DHCP connection
Setting up Network Address Translation (NAT) for LAN
Before you begin
Configuring the Pipeline for NAT for LAN
Configuring the MAX for NAT for LAN

Chapter 7 Setting Up Virtual Private Networks in RADIUS

Introducing ATMP
How ATMP connections work
ATMP router and gateway modes
Router mode
Gateway mode
Overview of RADIUS attributes for ATMP
For information on non-ATMP attributes
Overview of MAX configuration parameters for ATMP
For information on non-ATMP parameters
Setting up a tunnel in router mode for an IP network
Configuring the foreign agent in router mode
Configuring ATMP in the foreign agent's Ethernet profile
Configuring the foreign agent to authenticate via RADIUS
Configuring an incoming RADIUS profile for the mobile node
Configuring an outgoing RADIUS user profile for the foreign agent
Configuring the home agent in router mode
Configuring ATMP in the home agent's Ethernet profile
Configuring an outgoing RADIUS user profile to the foreign agent
Ensuring that other hosts can route to the mobile node
Setting up a tunnel in gateway mode for an IP network
Configuring the foreign agent in gateway mode
Configuring ATMP in the foreign agent's Ethernet profile
Configuring the foreign agent to authenticate via RADIUS
Configuring an incoming RADIUS user profile for the mobile node
Configuring an outgoing RADIUS user profile for the foreign agent
Configuring the home agent in gateway mode
Configuring ATMP in the home agent's Ethernet profile
Configuring an outgoing RADIUS user profile to the foreign agent
Configuring a Connection profile for a nailed-up connection
Tunneling ATMP between two IP networks
Specifying the mobile node's subnet mask
Configuring route handling between IP networks
Home agent in router mode
Home agent in gateway mode
Tunneling IPX across the Internet
Configuring the foreign agent
Configuring ATMP in the foreign agent's Ethernet profile
Configuring the foreign agent to authenticate via RADIUS
Configuring an incoming RADIUS user profile for the mobile node
Configuring an outgoing RADIUS user profile for the foreign agent
Configuring the home agent
Configuring ATMP in the home agent's Ethernet profile
Configuring an outgoing RADIUS user profile to the foreign agent
Setting up the MAX as a multi-mode agent
Setting up ATMP to bypass a foreign agent
Configuring call routing to PPTP servers
Creating tunnels on a per-user basis
Attributes for routing PPTP on the basis of CLID or DNIS
Example RADIUS entries
CLID RADIUS entry
DNIS RADIUS entry

Chapter 8 Setting Up RADIUS Accounting

What is RADIUS accounting?
Where are accounting records stored?
What kinds of packets does RADIUS accounting use?
Setting up RADIUS accounting
Installing and configuring the RADIUS daemon for accounting
Specifying system-wide accounting parameters on the MAX
Configuring call logging on a system-wide basis
Performing required accounting configuration tasks
Specifying system-wide call logging parameters on the MAX
Specifying the call logging port
Specifying the call logging directory
Performing optional call logging configuration tasks
Specifying a timeout value
Specifying the numeric base for the session ID
Specifying the call logging port
Setting up call logging with dynamic IP addressing
Configuring accounting on a per-user basis
Specifying when the MAX uses the primary accounting server
Configuring accounting with dynamic IP addressing
Classifying user sessions in RADIUS
User session example
Understanding accounting records
Non-accounting attributes in accounting records
Accounting attributes in Start records
Accounting attributes in Stop records
Accounting attributes in Failure-to-start records
Accounting attributes in Checkpoint records
Call logging records
Where are call logging records stored?
What kinds of packets does call logging use?
Call logging Start packets
Call logging Stop packets
Non-call logging attributes in call logging records
Call logging attributes in Start records
Call logging attributes in Stop records
Call logging attributes in Failure-to-start records
Sample accounting records
A Pipeline 25 dialing into a MAX 4000
A modem calling into a MAX 4000
A Pipeline 25 dialing into a MAX
A modem calling into a MAX

Chapter 9 Reference to RADIUS Attributes

Attribute Name
Acct-Authentic (45)
Acct-Delay-Time (41)
Acct-Input-Octets (42)
Acct-Input-packets (47)
Acct-Output-Octets (43)
Acct-Output-packets (48)
Acct-Session-Id (44)
Acct-Session-Time (46)
Acct-Status-Type (40)
Ascend-Add-Seconds (240)
Ascend-Appletalk-Peer-Mode (117)
Ascend-Appletalk-Route (116)
Ascend-Ara-PW (181)
Ascend-Assign-IP-Client (144)
Ascend-Assign-IP-Global-Pool (146)
Ascend-Assign-IP-Pool (218)
Ascend-Assign-IP-Server (145)
Ascend-Authen-Alias (203)
Ascend-backup (176)
Ascend-BACP-Enable (134)
Ascend-Base-Channel-Count (172)
Ascend-Billing-Number (249)
Ascend-Bridge (230)
Ascend-Bridge-Address (168)
Ascend-Callback (246)
Ascend-Call-By-Call (250)
Ascend-Call-Filter (243)
IP call filter entries
IPX call filter entries
Generic call filter entries
Ascend-Call-Type (177)
Ascend-CBCP-Enable (112)
Ascend-CBCP-Mode (113)
Ascend-CBCP-Trunk-Group (115)
Ascend-Client-Gateway (132)
Ascend-Connect-Progress (196)
Ascend-Data-Filter (242)
IP data filter entries
IPX data filter entries
Generic data filter entries
Ascend-Data-Rate (197)
Ascend-Data-Svc (247)
Ascend-DBA-Monitor (171)
Ascend-Dec-Channel-Count (237)
Ascend-DHCP-Maximum-Leases
Ascend-DHCP-Pool-Number (148)
Ascend-DHCP-Reply (147)
Ascend-Dialout-Allowed (131)
Ascend-Dial-Number (227)
Ascend-Disconnect-Cause (195)
Ascend-Event-Type (150)
Ascend-Expect-Callback (149)
Ascend-First-Dest (189)
Ascend-Force-56 (248)
Ascend-FR-Circuit-Name (156)
Ascend-FR-DCE-N392 (162)
Ascend-FR-DCE-N393 (164)
Ascend-FR-Direct (219)
Ascend-FR-Direct-DLCI (221)
Ascend-FR-Direct-Profile (220)
Ascend-FR-DLCI (179)
Ascend-FR-DTE-N392 (163)
Ascend-FR-DTE-N393 (165)
Ascend-FR-Link-Mgt (160)
Ascend-FR-LinkUp (157)
Ascend-FR-N391 (161)
Ascend-FR-Nailed-Grp (158)
Ascend-FR-Profile-Name (180)
Ascend-FR-T391 (166)
Ascend-FR-T392 (167)
Ascend-FR-Type (159)
Ascend-FT1-Caller (175)
Ascend-Group (178)
Ascend-Handle-IPX (222)
Ascend-History-Weigh-Type (239)
Ascend-Home-Agent-IP-Addr
Ascend-Home-Agent-Password (184)
Ascend-Home-Agent-UDP-Port (186)
Ascend-Home-Network-Name (185)
Ascend-Host-Info (252)
Ascend-Idle-Limit (244)
Ascend-IF-Netmask (154)
Ascend-Inc-Channel-Count (236)
Ascend-IP-Direct (209)
Ascend-IP-Pool-Definition (217)
Ascend-IPX-Alias (224)
Ascend-IPX-Node-Addr (182)
Ascend-IPX-Peer-Mode (216)
Ascend-IPX-Route (174)
Ascend-Link-Compression (233)
Ascend-Maximum-Call-Duration (125)
Ascend-Maximum-Channels (235)
Ascend-Maximum-Time (194)
Ascend-Menu-Item (206)
Ascend-Menu-Selector (205)
Ascend-Metric (225)
Ascend-Minimum-Channels (173)
Ascend-Modem-PortNo (120)
Ascend-Modem-SlotNo (121)
Ascend-MPP-Idle-Percent (254)
Ascend-Multicast-Client (152)
Ascend-Multicast-Rate-Limit (153)
Ascend-Multilink-ID (187)
Ascend-Netware-timeout (223)
Ascend-Number-Sessions (202)
Ascend-Num-In-Multilink (188)
Ascend-PPP-Address (253)
Ascend-PPP-Async-Map (212)
Ascend-PPP-VJ-1172 (211)
Ascend-PPP-VJ-Slot-Comp (210)
Ascend-Pre-Input-Octets (190)
Ascend-Pre-Input-packets (192)
Ascend-Pre-Output-Octets (191)
Ascend-Pre-Output-packets (193)
Ascend-Preempt-Limit (245)
Ascend-Preference (126)
Ascend-PreSession-Time (198)
Ascend-Primary-Home-Agent (129)
Ascend-PRI-Number-Type (226)
Ascend-PW-Expiration (21)
Ascend-PW-Lifetime (208)
Ascend-Receive-Secret (215)
Ascend-Remote-Addr (155)
Ascend-Remove-Seconds (241)
Ascend-Require-Auth (201)
Ascend-Route-Appletalk (118)
Ascend-Route-IP (228)
Ascend-Route-IPX (229)
Ascend-Secondary-Home-Agent (130)
Ascend-Seconds-Of-History (238)
Ascend-Send-Auth (231)
Ascend-Send-Passwd (232)
Ascend-Send-Secret (214)
Ascend-Session-Svr-Key (151)
Ascend-Shared-Profile-Enable (128)
Ascend-Target-Util (234)
Ascend-Third-Prompt (213)
Ascend-Token-Expiry (204)
Ascend-Token-Idle (199)
Ascend-Token-Immediate (200)
Ascend-Transit-Number (251)
Ascend-TS-Idle-Limit (169)
Ascend-TS-Idle-Mode (170)
Ascend-User-Acct-Base (142)
Ascend-User-Acct-Host (139)
Ascend-User-Acct-Key (141)
Ascend-User-Acct-Port (140)
Ascend-User-Acct-Time (143)
Ascend-User-Acct-Type (138)
Ascend-Xmit-Rate (255)
Caller-Id (31)
Challenge-Response (3)
Change-Password (17)
Class (25)
Client-Port-DNIS (30)
Filter-Id (11)
Framed-Address (8)
Framed-Compression (13)
Framed-IPX-Network (23)
Framed-MTU (12)
Framed-Netmask (9)
Framed-Protocol (7)
Framed-Route (22)
Framed-Routing (10)
Login-Host (14)
Login-Service (15)
Login-TCP-Port (16)
NAS-Identifier (4)
NAS-Port (5)
NAS-Port-Type (61)
Password (2)
Reply-Message (18)
Tunnel-Client-Endpoint (66)
Tunnel-ID (68)
Tunneling-Protocol (127)
Tunnel-Medium-Type (65)
Tunnel-Server-Endpoint (67)
Tunnel-Type (64)
User-Name (1)
User-Service (6)

Appendix A Troubleshooting

RADIUS authentication problems
General authentication failures
Checking the logfile
RADIUS accounting problems
General accounting failures
Duplicate or deleted records
Backoff queue error message
Understanding V.110 module call status information
Connect progress codes
Disconnect progress codes

Appendix B Attribute and Parameter Cross Reference

Parameters and analogous attributes
Attributes and parameters in numerical order
Attributes and parameters in alphabetical order

Index

techpubs@eng.ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.