

Setting Up Virtual Private Networks in RADIUS


This chapter contains:
Introducing ATMP
Overview of RADIUS attributes for ATMP
Overview of MAX configuration parameters for ATMP
Setting up a tunnel in router mode for an IP network
Setting up a tunnel in gateway mode for an IP network
Tunneling ATMP between two IP networks
Tunneling IPX across the Internet
Setting up the MAX as a multi-mode agent
Setting up ATMP to bypass a foreign agent
Configuring call routing to PPTP servers

Introducing ATMP

Ascend Tunnel Management Protocol (ATMP) is a UDP/IP-based protocol that provides a tunnelling mechanism between two Ascend units across the Internet or a frame relay network. Each Ascend unit can be a MAX or a Pipeline 400. The protocol uses standard Generic Routing Encapsulation (GRE).

ATMP provides a Virtual Private Network (VPN) solution over the backbone resources of Internet Service Providers (ISPs) and carriers. Without ATMP, each mobile node and remote user has to dial directly into the network, resulting in long-distance charges. With ATMP, these users can make a local call and have the transmission securely tunnelled across the Internet or frame relay network.

As described in RFC 1701, GRE hides packet contents and enables transmission of packets that would otherwise be unacceptable on the Internet. These include IP packets that use unregistered addresses or IPX packets from roaming clients.

ATMP creates and tears down the tunnel between two Ascend units. In effect, the tunnel collapses the Internet cloud and provides what looks like direct access to a home network from a remote node. ATMP applies only to IP or IPX networks.

You can also set up RADIUS accounting so that the Accounting Stop packet indicates if a session authenticated and encapsulated using the ATMP tunneling protocol. See Non-accounting attributes in accounting records.

How ATMP connections work

Figure 7-1 shows a sample ATMP tunnel connection.

Figure 7-1. Sample cross-Internet ATMP tunnel

Table 7-1 lists the network elements that work together in an ATMP connection.

Table 7-1. ATMP network elements

Element

Description

Home network

The home network is a private corporate network. A private network is one that cannot communicate directly on the Internet. It might be an IPX network, or an IP network with an unregistered network number.

Mobile node

A mobile node is a user who accesses a private home network across the Internet. The mobile node could be a salesperson on the road who wants to dial into a local ISP and log into his or her home network.

Foreign agent

The foreign agent is an Ascend unit that the mobile node dials into. It is the starting point of the ATMP tunnel. The foreign agent must be able to bring up an IP connection to the home agent, and it must authenticate the mobile node using a RADIUS user profile that includes ATMP attributes.

Home agent

The home agent is an Ascend unit that represents the terminating part of the tunnel. It must be able to communicate with the home network directly, through another router, or across a nailed-up WAN connection.

When a mobile node wants to establish an ATMP connection with the home network, these events take place:

  1. The mobile node dials a connection to the foreign agent.

  2. The foreign agent authenticates the mobile node using a RADIUS user profile.

  3. The foreign agent locates a Connection profile or RADIUS user profile for the home agent based on the Ascend-Primary-Home-Agent or Ascend-Secondary-Home-Agent attribute in the mobile node's RADIUS user profile.

    The Ascend-Primary-Home-Agent attribute specifies the IP address or hostname of the first home agent the foreign agent tries to reach when setting up an ATMP tunnel. The Ascend-Secondary-Home-Agent specifies the home agent the foreign agent tries to reach if the primary home agent is unavailable.

  4. The foreign agent connects to the home agent using a regular IP connection.

    The MAX authenticates the connection in the usual way (for example, by using CHAP).

  5. The foreign agent informs the home agent that the mobile node has connected, and requests a tunnel.

    The foreign agent sends up to ten RegisterRequest messages at two-second intervals, timing out and logging a message if it receives no response to those requests.

  6. The home agent requests authentication of the mobile node by sending a challenge request to the foreign agent.

  7. The foreign agent sends back a challenge reply to the home agent.

    This reply includes an encrypted version of the Ascend-Home-Agent-Password value in the mobile node's RADIUS profile. This password must match the value of the home agent's Password parameter in the Ethernet > Mod Config > ATMP Options menu.

  8. The home agent returns a RegisterReply with a number that identifies the tunnel.

    If registration fails, the home agent logs a message and the foreign agent disconnects the mobile node. If registration succeeds, the MAX creates a tunnel between the foreign agent and the home agent. At this point, the mobile node connects to the home network as though it had dialed locally, and can transfer data across the tunnel.

  9. When the mobile node disconnects from the foreign agent, the foreign agent sends a DeregisterRequest to the home agent to close down the tunnel.

    The foreign agent can send its request a maximum of ten times, or until it receives a DeregisterReply. If the foreign agent receives packets for a mobile node whose connection has gone down, the foreign agent silently discards the packets.
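The registration sequence above can be followed more concretely as two cooperating state machines. The following simulation is an added example, not Ascend's code and not the ATMP wire format: the message names follow steps 5 through 9, the retry limit and interval are the ones stated above, and the challenge-reply computation (an HMAC-SHA256 over the challenge, keyed with the home agent password), the tunnel-id allocation and the "reachable" flag that stands in for an unavailable home agent are assumptions made for illustration.

```python
"""Simulation of the ATMP registration and deregistration sequence (steps 5-9).

Constructed example: message names follow the steps above; the wire encoding,
the tunnel-id allocation and the challenge-reply computation are assumptions.
"""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10      # the foreign agent sends up to ten requests
RETRY_INTERVAL_S = 2   # at two-second intervals (counted here, not slept)


def challenge_proof(password: str, challenge: bytes) -> bytes:
    # Stand-in for the "encrypted version" of Ascend-Home-Agent-Password (assumption)
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class HomeAgent:
    """Terminating end of the tunnel; holds the ATMP Options > Password value."""

    def __init__(self, atmp_password: str, reachable: bool = True):
        self.password = atmp_password
        self.reachable = reachable      # False simulates an unavailable home agent
        self.pending = {}               # node -> outstanding challenge
        self.tunnels = {}               # tunnel id -> node
        self.next_id = 1
        self.log = []

    def handle(self, msg):
        """Return the reply to one foreign-agent message (None = no response)."""
        if not self.reachable:
            return None
        kind, node = msg["type"], msg["node"]
        if kind == "RegisterRequest":            # step 6: challenge instead of trusting
            self.pending[node] = secrets.token_bytes(16)
            return {"type": "ChallengeRequest", "node": node,
                    "challenge": self.pending[node]}
        if kind == "ChallengeReply":             # step 8: verify, then issue a tunnel id
            expected = challenge_proof(self.password, self.pending.pop(node, b""))
            if not hmac.compare_digest(expected, msg["proof"]):
                self.log.append(f"registration failed for {node}: password mismatch")
                return {"type": "RegisterReply", "node": node, "tunnel": None}
            tid, self.next_id = self.next_id, self.next_id + 1
            self.tunnels[tid] = node
            return {"type": "RegisterReply", "node": node, "tunnel": tid}
        if kind == "DeregisterRequest":          # step 9: tear the tunnel down
            self.tunnels.pop(msg["tunnel"], None)
            return {"type": "DeregisterReply", "node": node, "tunnel": msg["tunnel"]}
        raise ValueError(f"unknown ATMP message {kind}")


class ForeignAgent:
    """Starting end of the tunnel; the mobile node dials in here."""

    def __init__(self, home_agent: HomeAgent):
        self.ha = home_agent
        self.tunnels = {}   # node -> tunnel id
        self.log = []

    def _send_with_retry(self, msg):
        # Steps 5 and 9: up to ten attempts, two seconds apart, then time out and log
        for _attempt in range(MAX_ATTEMPTS):
            reply = self.ha.handle(msg)
            if reply is not None:
                return reply
        self.log.append(f"{msg['type']} for {msg['node']} timed out after "
                        f"{MAX_ATTEMPTS} attempts ({MAX_ATTEMPTS * RETRY_INTERVAL_S}s)")
        return None

    def register(self, node: str, home_agent_password: str):
        """Steps 5-8 for an already authenticated mobile node; returns the tunnel id."""
        chal = self._send_with_retry({"type": "RegisterRequest", "node": node})
        if chal is None:
            return None
        proof = challenge_proof(home_agent_password, chal["challenge"])
        reply = self.ha.handle({"type": "ChallengeReply", "node": node, "proof": proof})
        if reply is None or reply["tunnel"] is None:
            self.log.append(f"disconnecting {node}: registration refused")
            return None
        self.tunnels[node] = reply["tunnel"]
        return reply["tunnel"]

    def deregister(self, node: str) -> bool:
        """Step 9: close the tunnel when the mobile node hangs up."""
        tid = self.tunnels.pop(node, None)
        if tid is None:
            return False
        return self._send_with_retry({"type": "DeregisterRequest", "node": node,
                                      "tunnel": tid}) is not None

    def forward(self, node: str, packet: bytes):
        """Return (tunnel id, packet); traffic for a node whose connection has
        gone down is silently discarded (None)."""
        if node not in self.tunnels:
            return None
        return self.tunnels[node], packet


if __name__ == "__main__":
    fa = ForeignAgent(HomeAgent("atmp-example-pw"))
    print("tunnel", fa.register("Node1", "atmp-example-pw"))
    print("rejected" if fa.register("Node2", "wrong") is None else "accepted")
    print("dereg ok" if fa.deregister("Node1") else "dereg failed")
    print(fa.log)
```

The two points worth noticing are that the home agent never issues a tunnel id before the challenge succeeds, so a mismatched Ascend-Home-Agent-Password costs the mobile node its connection rather than producing a half-open tunnel, and that an unreachable home agent produces exactly one logged timeout after ten attempts.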

ATMP router and gateway modes

You can configure the home agent as a router or a gateway to the home network.

Router mode

When you configure the home agent as a router, the home agent's routing module forwards packets it receives from the foreign agent onto the local network. The network can be the home network, or it can support another router that can connect to the home network. In either case, packet delivery relies on a routing mechanism, such as a static or dynamic route, and not on a WAN connection.

In the case of routing an IPX packet from the mobile node, the home agent must see the mobile node as connected to another IPX network. ATMP adds this virtual IPX network to the home agent's routing table based on the IPX attributes it receives from the foreign agent. The RADIUS user profile for the mobile node must specify an IPX network number that is unique within the enterprise.

Gateway mode

When you configure the home agent as a gateway, the home agent tunnels packets from the foreign agent to the home network across an open WAN connection. The WAN connection must be on line. The home agent does not bring up a WAN connection to the home network based on a packet it receives through the tunnel. For this reason, the home agent must have a nailed-up WAN connection to the home network.

Overview of RADIUS attributes for ATMP

The foreign agent must have a RADIUS user profile that authenticates the mobile node and specifies the attributes listed in Table 7-2. The IPX attributes shown in Table 7-2 are not ATMP-specific, but may be required for ATMP connections to an IPX home network.

Table 7-2. RADIUS attributes required for ATMP connections

Attribute

Description

Possible values

Ascend-Home-Agent-Password (184)

Indicates the password that the foreign agent sends to the home agent during ATMP operation. This password must match the home agent's ATMP password.

Text string containing up to 20 characters. The default value is null.

Ascend-Home-Agent-UDP-Port (186)

Specifies the UDP port number for communicating ATMP messages between the foreign agent and the home agent.

Integer between 0 and 65535. The default value is 5150.

You need not specify a value for Ascend-Home-Agent-UDP-Port if you specify a UDP port number for Ascend-Primary-Home-Agent or Ascend-Secondary-Home-Agent, or if you accept the default for either of these attributes.

Ascend-Home-Network-Name (185)

Specifies the name of the home agent's nailed-up Connection profile to the home network (required only if the home agent is operating in gateway mode).

Text string. The default value is null.

Ascend-IPX-Node-Addr (182)

Indicates a unique IPX node address on the network specified by Framed-IPX-Network. This value completes the IPX address of a mobile node.

12-digit ASCII string. The default value is 000000000001.

Framed-IPX-Network (23)

Specifies a virtual IPX network required for the home agent to route IPX packets to the mobile node. This network must be unique in the IPX routing domain.

Decimal value representing the IPX network number of the IPX router at the remote end of the connection. The default value is null.

Ascend-Primary-Home-Agent (129)

Specifies the first home agent the foreign agent tries to reach when setting up an ATMP tunnel, and indicates the UDP port the foreign agent uses for the link.

A symbolic hostname, or an IP address in dotted decimal notation n.n.n.n, where n is an integer between 0 and 255. You can also specify an optional UDP port number.

The default IP address is 0.0.0.0. The default UDP port number is 5150.


Note: You can use Ascend-Home-Agent-IP-Addr in the user profile for the same purpose as Ascend-Primary-Home-Agent, but it is preferable to use Ascend-Primary-Home-Agent and Ascend-Secondary-Home-Agent to provide additional information in the user profile.

Ascend-Secondary-Home-Agent (130)

Specifies the secondary home agent the foreign agent tries to reach when the primary home agent (specified by Ascend-Primary-Home-Agent) is unavailable. Also indicates the UDP port the foreign agent uses for the link.

A symbolic hostname, or an IP address in dotted decimal notation n.n.n.n, where n is an integer between 0 and 255. You can also specify an optional UDP port number.

The default IP address is 0.0.0.0. The default UDP port number is 5150.

For information on non-ATMP attributes

The home agent and the foreign agent must have their own outgoing RADIUS user profiles in order to connect to each other. Each user profile must enable IP routing, and make use of non-ATMP attributes. In addition, if you are tunneling IPX, you must set IPX attributes. This chapter provides the basic steps for setting up these profiles. For complete information on each attribute you can set, see Chapter 9, Reference to RADIUS Attributes.

Overview of MAX configuration parameters for ATMP

Both the foreign agent and home agent require some ATMP configuration on the MAX. The related parameters appear in Table 7-3.

Table 7-3. ATMP parameters

Location

Parameter

Description

Ethernet > Connections > Any Connection profile > Session Options

ATMP Gateway

Specifies whether the home agent acts as a gateway in its connection to the home network.

Ethernet > Mod Config > ATMP Options

ATMP Mode

Specifies whether the unit is a foreign agent or a home agent.

Type

Specifies whether the home agent acts as a gateway or a router.

Password

On the home agent, specifies the password the mobile node must specify in the Ascend-Home-Agent-Password attribute.

UDP Port

Specifies the port to use for ATMP communications. Both ends of the tunnel must specify the same port number.

For information on non-ATMP parameters

A home agent in gateway mode must have its own Connection profile to the home network. Except for the ATMP Gateway setting, this profile uses non-ATMP parameters. The present chapter provides the basic steps for setting up the Connection profile. For complete information on each non-ATMP Connection profile parameter you can set in the MAX configuration interface, see the MAX Reference Guide.

Setting up a tunnel in router mode for an IP network

A private IP network is a network with an unregistered IP address. An ATMP tunnel enables a remote user to log into a private IP network across the Internet using a local ISP connection.

Figure 7-2 shows a tunnel in which the home agent is in router mode.

Figure 7-2. ATMP router mode

When the home agent is in router mode, it receives GRE-encapsulated IP packets from the foreign agent, strips off the encapsulation, and passes the packets to its bridge/router software. It also adds a host route to the mobile node in its routing table.

This section describes how to set up a foreign agent and a home agent in router mode.

Configuring the foreign agent in router mode

To configure the foreign agent in router mode, you must perform the tasks described in the following sections:

Configuring ATMP in the foreign agent's Ethernet profile

To configure ATMP in the foreign agent's Ethernet profile, follow these steps:

  1. Open the Ethernet menu.

  2. Open the Mod Config menu.

  3. Open the ATMP Options menu.

  4. Set these parameters:

  5. Save your changes.

Configuring the foreign agent to authenticate via RADIUS

Follow the instructions in Configuring the MAX to use the RADIUS server.

Configuring an incoming RADIUS profile for the mobile node

To create a RADIUS users profile for the mobile node, follow these steps:

  1. On the first line of the profile, specify the User-Name and Password attributes:

  2. To specify the type of encapsulation in use for the call, set the Framed-Protocol attribute.

  3. Enable IP routing for the profile by setting Ascend-Route-IP=Route-IP-Yes.

  4. To specify the mobile node's IP address, set the Framed-Address attribute, and optionally, the Framed-Netmask attribute.

  5. Set the Ascend-Primary-Home-Agent attribute.

    This attribute specifies the first home agent the foreign agent tries to reach when setting up the ATMP tunnel, and indicates the UDP port the foreign agent uses for the link.

    Specify the primary home agent using this syntax:

    Ascend-Primary-Home-Agent="hostname | ip_address [:udp_port]"

  6. Set the Ascend-Secondary-Home-Agent attribute.

    This attribute specifies the secondary home agent the foreign agent tries to reach when the primary home agent (specified by Ascend-Primary-Home-Agent) is unavailable. The attribute also indicates the UDP port the foreign agent uses for the link.

  7. For the Ascend-Home-Agent-Password attribute, specify the home agent's password.

    You must specify the same password indicated by the Password parameter in the Ethernet > Mod Config > ATMP Options menu on the home agent.

  8. To specify the UDP port for ATMP operation, set the Ascend-Home-Agent-UDP-Port attribute.

    By default, ATMP uses UDP port 5150 for communicating ATMP messages between the foreign and home agents. Both the foreign and home agent must agree on the UDP port number. If you specify a non-default UDP port number in one unit's configuration, make sure that the other end of the tunnel specifies the same number.

    You need not specify a value for Ascend-Home-Agent-UDP-Port if you specify a UDP port number for Ascend-Primary-Home-Agent or Ascend-Secondary-Home-Agent, or if you accept the default for any of these attributes.

This user profile specifies a mobile node named Node1 and a single home agent at the IP address 10.9.8.10:

When the mobile node logs into the foreign agent with the password Top-secret, the foreign agent authenticates the mobile node. The foreign agent then looks for a profile with an IP address that matches the Ascend-Primary-Home-Agent value, so it can bring up an IP connection to the home agent.
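The constraints spread across Table 7-2 and steps 1 through 8 above (the home agent syntax, the 20-character password limit, the UDP port that both ends must agree on) are easy to check before a profile goes into the users file. The following parser and validator are an added example, not Ascend's code: the users-file layout follows the profiles shown in this chapter, the sample entries for Node1 and Node2 are constructed (with "atmp-example-pw" standing in for the home agent's ATMP Password, which the chapter does not give), and the precedence of a port given in the agent spec over Ascend-Home-Agent-UDP-Port is an assumption.

```python
"""Parser and consistency checks for the ATMP attributes in a mobile node's
RADIUS user profile. Added example; the sample profiles are constructed."""
import ipaddress

DEFAULT_ATMP_PORT = 5150


def parse_users(text):
    """Parse Ascend-style RADIUS users-file entries into {name: {attr: value}}.

    The first line of an entry carries the user name and the check items; the
    indented lines that follow carry reply attributes, comma-separated. A blank
    line ends the entry."""
    profiles, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"continuation line outside an entry: {raw!r}")
            items = raw
        else:
            name, _, items = raw.strip().partition(" ")
            current = profiles.setdefault(name, {})
        for item in items.strip().rstrip(",").split(","):
            if item.strip():
                key, _, val = item.partition("=")
                current[key.strip()] = val.strip().strip('"')
    return profiles


def parse_home_agent(spec):
    """Split the 'hostname | ip_address [:udp_port]' form into (host, port or None)."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, None
    if not port.isdigit() or not 0 <= int(port) <= 65535:
        raise ValueError(f"bad UDP port in home agent spec {spec!r}")
    return host, int(port)


def check_mobile_node(attrs, home_agent_password, home_agent_port=DEFAULT_ATMP_PORT):
    """Return the problems the foreign agent would run into with this profile,
    given the Password and UDP Port set in the home agent's ATMP Options menu."""
    problems = []
    if attrs.get("Ascend-Route-IP") != "Route-IP-Yes":
        problems.append("IP routing is not enabled (Ascend-Route-IP)")
    if "Ascend-Primary-Home-Agent" not in attrs:
        problems.append("no Ascend-Primary-Home-Agent")
    for attr in ("Ascend-Primary-Home-Agent", "Ascend-Secondary-Home-Agent"):
        spec = attrs.get(attr)
        if not spec:
            continue
        host, port = parse_home_agent(spec)
        try:
            if ipaddress.ip_address(host).is_unspecified:
                problems.append(f"{attr} left at the default 0.0.0.0")
        except ValueError:
            pass  # symbolic hostname; the foreign agent resolves it
        # Assumption: a port in the agent spec takes precedence over
        # Ascend-Home-Agent-UDP-Port; both fall back to 5150.
        if port is None:
            port = int(attrs.get("Ascend-Home-Agent-UDP-Port", DEFAULT_ATMP_PORT))
        if port != home_agent_port:
            problems.append(f"{attr} uses UDP port {port}, home agent uses {home_agent_port}")
    password = attrs.get("Ascend-Home-Agent-Password", "")
    if len(password) > 20:
        problems.append("Ascend-Home-Agent-Password exceeds 20 characters")
    if password != home_agent_password:
        problems.append("Ascend-Home-Agent-Password does not match the home agent's Password")
    return problems


# Constructed sample: Node1 is consistent with a home agent at 10.9.8.10;
# Node2 points at a non-default port and carries the wrong tunnel password.
SAMPLE_USERS = '''\
Node1 Password="Top-secret"
     Framed-Protocol=PPP,
     Ascend-Route-IP=Route-IP-Yes,
     Framed-Address=10.0.200.5,
     Framed-Netmask=255.255.255.255,
     Ascend-Primary-Home-Agent="10.9.8.10",
     Ascend-Secondary-Home-Agent="10.9.8.11:5150",
     Ascend-Home-Agent-Password="atmp-example-pw"

Node2 Password="Top-secret"
     Framed-Protocol=PPP,
     Ascend-Route-IP=Route-IP-Yes,
     Framed-Address=10.0.200.6,
     Ascend-Primary-Home-Agent="10.9.8.10:6000",
     Ascend-Home-Agent-Password="wrong-password"
'''

if __name__ == "__main__":
    for name, attrs in parse_users(SAMPLE_USERS).items():
        print(name, check_mobile_node(attrs, "atmp-example-pw") or "OK")
```

Run against the sample, Node1 passes and Node2 reports both the port disagreement and the password mismatch, which are the two failures that show up only at step 8 of the registration sequence, after the mobile node has already been authenticated and the IP connection to the home agent brought up.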

Configuring an outgoing RADIUS user profile for the foreign agent

For the foreign agent, you must create an outgoing user profile to the home agent. Follow these steps:

  1. On the first line of the user profile, specify the User-Name, Password, and User-Service attributes.

    Set the attributes on the first line in this way:

    For example, you might enter this first line in the profile for the foreign agent Alameda:

  2. On the second line of the user profile, set the User-Name attribute to the name of the foreign agent.

  3. To specify the encapsulation type in use on the line, set the Framed-Protocol attribute.

  4. Enable IP routing for the profile by setting Ascend-Route-IP=Route-IP-Yes.

  5. If the receiving end (the home agent) requires an IP address, and does not assign one dynamically, specify the foreign agent's IP address using the Framed-Address attribute (and, optionally, the Framed-Netmask attribute).

    The values of the Framed-Address and Framed-Netmask attributes for the local MAX must match the value of the NAS-Identifier attribute on the home agent. If there is no match, the home agent clears the call.

  6. To indicate the phone number the MAX dials to reach the home agent, set the Ascend-Dial-Number attribute.

  7. To specify the type of phone number the MAX dials, set the Ascend-PRI-Number-Type attribute.

  8. Set the Ascend-Send-Auth attribute.

    The Ascend-Send-Auth attribute specifies the authentication protocol that the MAX requests when initiating a connection using PPP or MP+ encapsulation. The answering side of the connection determines which authentication protocol, if any, the connection uses.

  9. If you request PAP or CHAP authentication, you must also specify a password using Ascend-Send-Secret or Ascend-Send-Passwd.

    Both of these attributes specify the password that the MAX sends to the remote end of a connection on outgoing calls. If the value you specify for Ascend-Send-Secret or Ascend-Send-Passwd does not match the value of the remote end's Ascend-Receive-Secret attribute (in a RADIUS user profile) or Recv PW parameter (in a Connection profile), the remote system rejects the call.

    Use Ascend-Send-Passwd only if your version of the MAX does not support Ascend-Send-Secret.

This user profile enables a MAX called Alameda to dial calls to the MAX at 1-800-555-5555:

Alameda-Out Password="Ascend", User-Service=Dialout-Framed-User
     User-Name="Alameda",
     Framed-Protocol=PPP,
     Ascend-Route-IP=Route-IP-Yes,
     Framed-Address=10.0.100.1,
     Framed-Netmask=255.255.255.0,
     Ascend-Metric=2,
     Framed-Routing=None,
     Ascend-Idle-Limit=30,
     Ascend-Dial-Number=1-800-555-5555,
     Ascend-PRI-Number-Type=National-Number,
     Ascend-Send-Auth=Send-Auth-PAP,
     Ascend-Send-Secret="Password1"

Configuring the home agent in router mode

To configure the home agent in router mode, you must perform the tasks described in the following sections:

Configuring ATMP in the home agent's Ethernet profile

To configure ATMP in the home agent's Ethernet profile, follow these steps:

  1. Open the Ethernet menu.

  2. Open the Mod Config menu.

  3. Open the ATMP Options menu.

  4. Set these parameters:

    The value you specify for Password must match the value of the Ascend-Home-Agent-Password attribute in the mobile node's RADIUS user profile. All mobile node profiles that access this home agent must specify the same password for Ascend-Home-Agent-Password.

  5. Save your changes.

Configuring an outgoing RADIUS user profile to the foreign agent

For the home agent, you must create an outgoing user profile with the foreign agent as its destination. Follow these steps:

  1. On the first line of the user profile, specify the User-Name, Password, and User-Service attributes.

    Set the attributes on the first line in this way:

    For example, you might enter this first line in the profile for the home agent Boston:

  2. On the second line of the user profile, specify the name of the home agent by indicating a value for the User-Name attribute.

  3. To specify the encapsulation type in use on the line, set the Framed-Protocol attribute.

  4. Enable IP routing for the profile by setting Ascend-Route-IP=Route-IP-Yes.

  5. If the receiving end (the foreign agent) requires an IP address, and does not assign one dynamically, specify the home agent's IP address using the Framed-Address attribute (and, optionally, the Framed-Netmask attribute).

    The values of the Framed-Address and Framed-Netmask attributes for the local MAX must match the value of the NAS-Identifier attribute on the foreign agent. If there is no match, the home agent clears the call.

  6. To indicate the phone number the MAX dials to reach the foreign agent, set the Ascend-Dial-Number attribute.

  7. To specify the type of phone number the MAX dials, set the Ascend-PRI-Number-Type attribute.

  8. Set the Ascend-Send-Auth attribute.

  9. If you request PAP or CHAP authentication, you must also specify a password using Ascend-Send-Secret or Ascend-Send-Passwd.

This user profile enables a MAX called Boston to dial calls to the MAX at 1-800-555-1111:

Boston-Out Password="Ascend", User-Service=Dialout-Framed-User
     User-Name="Boston",
     Framed-Protocol=PPP,
     Ascend-Route-IP=Route-IP-Yes,
     Framed-Address=10.0.100.1,
     Framed-Netmask=255.255.255.0,
     Ascend-Metric=2,
     Framed-Routing=None,
     Ascend-Idle-Limit=30,
     Ascend-Dial-Number=1-800-555-1111,
     Ascend-PRI-Number-Type=National-Number,
     Ascend-Send-Auth=Send-Auth-PAP,
     Ascend-Send-Secret="Password1"

Ensuring that other hosts can route to the mobile node

When the home agent receives packets through the ATMP tunnel, it adds a host route to the mobile node in its IP routing table. It then handles routing in the usual way. To ensure that other hosts or networks can route to the mobile node, you can use one of the routing mechanisms described in Table 7-4.

Table 7-4. Routing mechanisms

Mode

Description

Routing Information Protocol (RIP)

If you enable RIP on the home agent's Ethernet interface, other routers learn about the host route in RIP updates. Enabling RIP is particularly useful if the home network is one or more hops away from the home agent's Ethernet.

Static route

If you turn off RIP on the home agent's Ethernet interface, other routers require static routes that specify the home agent as the route to the mobile node.

Proxy Address Resolution Protocol (ARP)

If the home agent's Ethernet interface is the home network (a direct connection), you should turn on proxy ARP (Proxy ARP=Always). Then, when local hosts ARP for the mobile node, the home agent responds on behalf of the mobile node.

Setting up a tunnel in gateway mode for an IP network

In gateway mode, the home agent forwards packets it receives through the tunnel to the home network across an open WAN connection. The home agent must have a nailed-up connection to the home network, because it will not dial the WAN connection based on packets it receives through the tunnel.

Figure 7-3 shows an ATMP gateway mode setup:

Figure 7-3. ATMP gateway mode

When the home agent is in gateway mode, it receives GRE-encapsulated IP packets from the foreign agent, strips off the encapsulation, and passes the packets across a nailed-up WAN connection to the home network.

To enable hosts and routers on the home network to reach the mobile node, you must configure a static route on the Customer Premises Equipment (CPE) router on the home network (not on the home agent). The static route must specify the home agent as the route to the mobile node. For information on setting up static IP routes, see Configuring static IP routes.

Configuring the foreign agent in gateway mode

To configure the foreign agent in gateway mode, you must perform the tasks described in the following sections:

Configuring ATMP in the foreign agent's Ethernet profile

To configure ATMP in the foreign agent's Ethernet profile, follow these steps:

  1. Open the Ethernet menu.

  2. Open the Mod Config menu.

  3. Open the ATMP Options menu.

  4. Set these parameters:

  5. Save your changes.

Configuring the foreign agent to authenticate via RADIUS

Follow the instructions in Configuring the MAX to use the RADIUS server.

Configuring an incoming RADIUS user profile for the mobile node

To create a RADIUS users profile for the mobile node, follow these steps:

  1. On the first line of the profile, specify the User-Name and Password attributes:

  2. To specify the type of encapsulation in use for the call, set the Framed-Protocol attribute.

  3. Enable IP routing for the profile by setting Ascend-Route-IP=Route-IP-Yes.

  4. To specify the mobile node's IP address, set the Framed-Address attribute, and optionally, the Framed-Netmask attribute.

  5. Set the Ascend-Primary-Home-Agent attribute.

    This attribute specifies the first home agent the foreign agent tries to reach when setting up the ATMP tunnel, and indicates the UDP port the foreign agent uses for the link.

    Specify the primary home agent using this syntax:

    Ascend-Primary-Home-Agent="hostname | ip_address [:udp_port]"

  6. Set the Ascend-Secondary-Home-Agent attribute.

    This attribute specifies the secondary home agent the foreign agent tries to reach when the primary home agent (specified by Ascend-Primary-Home-Agent) is unavailable. The attribute also indicates the UDP port the foreign agent uses for the link.

  7. For the Ascend-Home-Agent-Password attribute, specify the home agent's password.

    You must specify the same password indicated by the Password parameter in the Ethernet > Mod Config > ATMP Options menu on the home agent.

  8. To identify the home agent's resident Connection profile to the home network, set the Ascend-Home-Network-Name attribute.

    The Connection profile must have the ATMP Gateway parameter set to Yes in the Session Options submenu.

  9. To specify the UDP port for ATMP operation, set the Ascend-Home-Agent-UDP-Port attribute.

    By default, ATMP uses UDP port 5150 for communicating ATMP messages between the foreign and home agents. Both the foreign and home agent must agree on the UDP port number. If you specify a non-default UDP port number in one unit's configuration, make sure that the other end of the tunnel specifies the same number.

    You need not specify a value for Ascend-Home-Agent-UDP-Port if you specify a UDP port number for Ascend-Primary-Home-Agent or Ascend-Secondary-Home-Agent, or if you accept the default for any of these attributes.

The following profile specifies a mobile node named Node3 and a single home agent at the IP address 10.9.8.10. The home agent uses the Homenet Connection profile to the home network.

When the mobile node logs into the foreign agent with the password Top-secret, the foreign agent authenticates the mobile node. The foreign agent then looks for a RADIUS user profile with an IP address that matches the Ascend-Primary-Home-Agent value, so it can bring up an IP connection to the home agent. Note that for an ATMP gateway mode connection, you must specify the name of the home agent's Connection profile to the home network using Ascend-Home-Network-Name.

Configuring an outgoing RADIUS user profile for the foreign agent

To configure an outgoing RADIUS user profile for the foreign agent with the home agent as the destination of the call, follow these steps:

  1. On the first line of the user profile, specify the User-Name, Password, and User-Service attributes.

    Set the attributes on the first line in this way:

    For example, you might enter this first line in the profile for the foreign agent Alameda:

    Alameda-Out Password="Ascend", User-Service=Dialout-Framed-User

  2. On the second line of the user profile, set the User-Name attribute to the name of the foreign agent.

  3. To specify the encapsulation type in use on the line, set the Framed-Protocol attribute.

  4. Enable IP routing for the profile by setting Ascend-Route-IP=Route-IP-Yes.

  5. If the receiving end (the home agent) requires an IP address, and does not assign one dynamically, specify the foreign agent's IP address using the Framed-Address attribute (and, optionally, the Framed-Netmask attribute).

    The values of the Framed-Address and Framed-Netmask attributes for the local MAX must match the value of the NAS-Identifier attribute for the home agent. If there is no match, the home agent clears the call.

  6. To indicate the phone number the MAX dials to reach the home agent, set the Ascend-Dial-Number attribute.

  7. To specify the type of phone number the MAX dials, set the Ascend-PRI-Number-Type attribute.

  8. Set the Ascend-Send-Auth attribute.

    The Ascend-Send-Auth attribute specifies the authentication protocol that the MAX requests when initiating a connection using PPP or MP+ encapsulation. The answering side of the connection determines which authentication protocol, if any, the connection uses.

  9. If you request PAP or CHAP authentication, you must also specify a password using Ascend-Send-Secret or Ascend-Send-Passwd.

    Both of these attributes specify the password that the MAX sends to the remote end of a connection on outgoing calls. If the value you specify for Ascend-Send-Secret or Ascend-Send-Passwd does not match the value of the remote end's Ascend-Receive-Secret attribute (in a RADIUS user profile) or Recv PW parameter (in a Connection profile), the remote system rejects the call.

    Use Ascend-Send-Passwd only if your version of the MAX does not support Ascend-Send-Secret.

This user profile enables a MAX called Alameda to dial calls to the MAX at 1-800-555-5555:

Alameda-Out Password="Ascend", User-Service=Dialout-Framed-User
     User-Name="Alameda",
     Framed-Protocol=PPP,
     Framed-Address=10.0.100.1,
     Framed-Netmask=255.255.255.0,
     Ascend-Route-IP=Route-IP-Yes,
     Ascend-Metric=2,
     Framed-Routing=None,
     Ascend-Idle-Limit=30,
     Ascend-Dial-Number=1-800-555-5555,
     Ascend-PRI-Number-Type=National-Number,
     Ascend-Send-Auth=Send-Auth-PAP,
     Ascend-Send-Secret="Password1"

Configuring the home agent in gateway mode

To configure the home agent in gateway mode, you must perform the tasks described in the following sections:

Configuring ATMP in the home agent's Ethernet profile

To configure ATMP in the home agent's Ethernet profile, follow these steps:

  1. Open the Ethernet menu.

  2. Open the Mod Config menu.

  3. Open the ATMP Options menu.

  4. Set these parameters:

    The value you specify for Password must match the value of the Ascend-Home-Agent-Password attribute in the mobile node's RADIUS user profile. All mobile node profiles that access this home agent must specify the same password for Ascend-Home-Agent-Password.

  5. Save your changes.

Configuring an outgoing RADIUS user profile to the foreign agent

For the home agent, you must create an outgoing user profile with the foreign agent as its destination. Follow these steps:

  1. On the first line of the user profile, specify the User-Name, Password, and User-Service attributes.

    Set the attributes on the first line in this way:

    For example, you might enter this first line in the profile for the home agent Boston:

    Boston-Out Password="Ascend", User-Service=Dialout-Framed-User

  2. On the second line of the user profile, specify the name of the home agent by indicating a value for the User-Name attribute.

  3. To specify the encapsulation type in use on the line, set the Framed-Protocol attribute.

  4. Enable IP routing for the profile by setting Ascend-Route-IP=Route-IP-Yes.

  5. If the receiving end (the foreign agent) requires an IP address, and does not assign one dynamically, specify the home agent's IP address using the Framed-Address attribute (and, optionally, the Framed-Netmask attribute).

    The values of the Framed-Address and Framed-Netmask attributes for the local MAX must match the value of the NAS-Identifier attribute on the foreign agent. If there is no match, the home agent clears the call.

  6. To indicate the phone number the MAX dials to reach the foreign agent, set the Ascend-Dial-Number attribute.

  7. To specify the type of phone number the MAX dials, set the Ascend-PRI-Number-Type attribute.

  8. Set the Ascend-Send-Auth attribute.

  9. If you request PAP or CHAP authentication, you must also specify a password using Ascend-Send-Secret or Ascend-Send-Passwd.

This user profile enables a MAX called Boston to dial calls to the MAX at 1-800-555-1111:

Boston-Out Password="Ascend", User-Service=Dialout-Framed-User
     User-Name="Boston",
     Framed-Protocol=PPP,
     Ascend-Route-IP=Route-IP-Yes,
     Framed-Address=10.0.100.1,
     Framed-Netmask=255.255.255.0,
     Ascend-Metric=2,
     Framed-Routing=None,
     Ascend-Idle-Limit=30,
     Ascend-Dial-Number=1-800-555-1111,
     Ascend-PRI-Number-Type=National-Number,
     Ascend-Send-Auth=Send-Auth-PAP,
     Ascend-Send-Secret="Password1"

Configuring a Connection profile for a nailed-up connection

To configure a Connection profile for a nailed-up connection to the home network, follow these steps:

  1. Open the Ethernet menu.

  2. Open the Connections menu.

  3. Open a Connection profile.

  4. For the Station parameter, specify the name of the home agent.

    The value you enter becomes the name of the Connection profile. The name of this Connection profile must match the name specified by the Ascend-Home-Network-Name attribute in the mobile node's RADIUS user profile.

  5. To activate the profile, set Active=Yes.

  6. Set Encaps=FR.

  7. To specify the type of phone number the MAX dials, set the PRI # Type parameter.

  8. Set Route IP=Yes.

  9. Set Bridge=No.

  10. In the Encaps Options submenu, set the FR Prof parameter to specify the name of the Frame Relay profile this connection uses.

  11. For the DLCI parameter, specify the DLCI number used for the connection.

  12. In the IP Options submenu, specify the IP address of the home agent.

  13. In the Session Options submenu, set ATMP Gateway=Yes.

  14. Close the Connection profile, saving your changes.

Your specifications might look like these:

Station=homenet
Active=Yes
Encaps=FR
PRI # Type=National
Dial #=N/A
Calling #=N/A
Route IP=Yes
Route IPX=N/A
Bridge=No
Dial brdcast=N/A
Encaps options...
FR Prof=Pac Bell
DLCI=18
IP options...
LAN Adrs=10.9.8.32/24
Session options...
ATMP Gateway=Yes

Tunneling ATMP between two IP networks

Typically, the mobile node at the remote end of an ATMP tunnel is a dial-in user. If the home network is an IP network, ATMP can also enable LAN-to-LAN connectivity through the tunnel. An IP router can connect as a mobile node. This functionality does not apply to IPX home networks.

When configuring ATMP for LAN-to-LAN connectivity, you follow the same steps as when you configure ATMP for a dial-in user, keeping in mind the additional instructions in this section.

For details on configuring a tunnel when the home agent is a router, see Setting up a tunnel in router mode for an IP network. For details on configuring a tunnel when the home agent is a gateway, see Setting up a tunnel in gateway mode for an IP network.

Specifying the mobile node's subnet mask

To enable an IP router to connect as a mobile node, the foreign agent's RADIUS entry for the mobile node must specify the same subnet mask as the home network.

For example, to connect to a home network whose router has the address 10.168.3.1/28, the foreign agent's RADIUS entry for the remote router must contain these lines:

Framed-Address=10.168.6.21,
Framed-Netmask=255.255.255.240,

With this address for the mobile node router, the connecting LAN (a /28) can support up to 14 hosts.

Configuring route handling between IP networks

The MAX handles routes to and from the mobile node's LAN in different ways, depending on whether the home agent is in router mode or gateway mode.

Home agent in router mode

If the home agent connects directly to the home network, you must configure it to respond to ARP requests for the mobile node by setting Proxy ARP=Always.

If the home agent does not connect directly to the home network, the situation is the same as for any remote network: you must enable the router to learn about routes through dynamic updates, or you must configure static routes.

The mobile node always requires static routes to the home agent as well as to other networks it reaches through the home agent. (It cannot learn routes from the home agent.)

Home agent in gateway mode

If the home agent forwards packets from the mobile node across a nailed-up WAN link to the home IP network, the answering unit on the home network must have a static route to the mobile node's LAN.

In addition, because the mobile node and the home agent do not exchange routing information, the mobile node's LAN can only support local subnets that fall within the network specified in the RADIUS entry.

For example, a mobile node router at the address 10.168.6.21/28 could support two subnets with a subnet mask of 255.255.255.248: one at 10.168.6.16 and the other at 10.168.6.24. The answering unit on the home network would have only one route, to the router itself (10.168.6.21/28).

Tunneling IPX across the Internet

ATMP tunnels enable remote NetWare clients to log into corporate IPX networks across the Internet by using a local ISP connection.

You can configure the home agent in an IPX routing connection in ATMP router mode or gateway mode, as defined in ATMP router and gateway modes. The example in this section shows router mode.

Configuring the foreign agent

For the home agent to route correctly to the mobile node, the foreign agent must specify a virtual IPX network number for its mobile nodes. This network number must be unique within the IPX routing domain. Typically, the foreign agent's RADIUS profiles for mobile nodes all use the same virtual IPX network, with unique IPX node addresses on that virtual network. When the home agent receives IPX packets through the ATMP tunnel, it adds the unique virtual network number to its routing table.

To configure the foreign agent, you must perform these tasks:

Configuring ATMP in the foreign agent's Ethernet profile

To configure ATMP in the foreign agent's Ethernet profile, follow these steps:

  1. Open the Ethernet menu.

  2. Open the Mod Config menu.

  3. Open the ATMP Options menu.

  4. Set these parameters:

ATMP options...
ATMP Mode=Foreign
Type=N/A
Password=N/A
UDP Port=5150

  5. Save your changes.

Configuring the foreign agent to authenticate via RADIUS

Follow the instructions in Configuring the MAX to use the RADIUS server.

Configuring an incoming RADIUS user profile for the mobile node

To create a RADIUS users profile for the mobile node, follow these steps:

  1. On the first line of the profile, specify the User-Name and Password attributes.

  2. To specify the type of encapsulation in use for the call, set the Framed-Protocol attribute.

  3. To enable IPX routing, set Ascend-Route-IPX=Route-IPX-Yes.

  4. To specify whether the mobile node is an IPX router or a device dialing in without an Ethernet interface, set the Ascend-IPX-Peer-Mode attribute (IPX-Peer-Router or IPX-Peer-Dialin).

  5. To specify a virtual IPX network number that is unique within the enterprise, set the Framed-IPX-Network attribute.

    You must specify the IPX network number in decimal format, not hexadecimal. (IPX network numbers are typically specified in hexadecimal.) It must be unique in the IPX routing domain. All mobile nodes logging into an IPX home network through the same foreign agent typically use the same Framed-IPX-Network number.

  6. To assign the mobile node a unique IPX node address on the network specified by Framed-IPX-Network, set the Ascend-IPX-Node-Addr attribute.

    The number you indicate must be unique for each mobile node on the virtual IPX network. Specify the number as a 12-digit string enclosed in double quotes. This value completes the IPX address of a mobile node.

  7. Set the Ascend-Primary-Home-Agent attribute.

    This attribute specifies the first home agent the foreign agent tries to reach when setting up the ATMP tunnel, and indicates the UDP port the foreign agent uses for the link.

    Specify the primary home agent using this syntax:

    Ascend-Primary-Home-Agent="hostname | ip_address [:udp_port]"

  8. Set the Ascend-Secondary-Home-Agent attribute.

    This attribute specifies the secondary home agent the foreign agent tries to reach when the primary home agent (specified by Ascend-Primary-Home-Agent) is unavailable. The attribute also indicates the UDP port the foreign agent uses for the link.

  9. For the Ascend-Home-Agent-Password attribute, specify the home agent's password.

    You must specify the same password indicated by the Password parameter in the Ethernet > Mod Config > ATMP Options menu on the home agent.

  10. To identify the home agent's resident Connection profile to the home network, set the Ascend-Home-Network-Name attribute.

    The named Connection profile must have the ATMP Gateway parameter set to Yes in the Session Options submenu.

  11. To specify the UDP port for ATMP operation, set the Ascend-Home-Agent-UDP-Port attribute.

    By default, ATMP uses UDP port 5150 for communicating ATMP messages between the foreign and home agents. Both the foreign and home agent must agree on the UDP port number. If you specify a non-default UDP port number in one unit's configuration, make sure that the other end of the tunnel specifies the same number.

    You need not specify a value for Ascend-Home-Agent-UDP-Port if you specify a UDP port number for Ascend-Primary-Home-Agent or Ascend-Secondary-Home-Agent, or if you accept the default for any of these attributes.

The following profile specifies a mobile node named Node2 and a single home agent at the IP address 10.9.8.10. The home agent uses the Homenet Connection profile to the home network:

Node2 Password="Top-secret"
   Ascend-Metric=2,
   Framed-Protocol=PPP,
   Ascend-Route-IPX=Route-IPX-Yes,
   Ascend-IPX-Peer-Mode=IPX-Peer-Dialin,
   Framed-IPX-Network=4999,
   Ascend-IPX-Node-Addr="001122334567",
   Ascend-Primary-Home-Agent=10.9.8.10,
   Ascend-Home-Agent-Password="private",
   Ascend-Home-Network-Name="Homenet"

When the mobile node logs into the foreign agent with the password Top-secret, the foreign agent looks for a Connection profile or RADIUS profile with an IP address that matches the Ascend-Primary-Home-Agent value, so it can bring up an IP connection to the home agent.

Configuring an outgoing RADIUS user profile for the foreign agent

To configure an outgoing RADIUS user profile for the foreign agent, follow these steps:

  1. On the first line of the user profile, specify the User-Name, Password, and User-Service attributes.

    The profile name at the start of the line is the User-Name; follow it with the Password and User-Service=Dialout-Framed-User. For example, you might enter this first line in the profile for the foreign agent Alameda:

    Alameda-Out Password="Ascend", User-Service=Dialout-Framed-User

  2. On the second line of the user profile, set the User-Name attribute to the name of the foreign agent.

  3. To specify the encapsulation type in use on the line, set the Framed-Protocol attribute.

  4. Enable IP routing for the profile by setting Ascend-Route-IP=Route-IP-Yes.

  5. If the receiving end (the home agent) requires an IP address, and does not assign one dynamically, specify the foreign agent's IP address using the Framed-Address attribute (and, optionally, the Framed-Netmask attribute).

    The values of the Framed-Address and Framed-Netmask attributes for the local MAX must match the value of the NAS-Identifier attribute on the home agent. If there is no match, the home agent clears the call.

  6. To indicate the phone number the MAX dials to reach the home agent, set the Ascend-Dial-Number attribute.

  7. To specify the type of phone number the MAX dials, set the Ascend-PRI-Number-Type attribute.

  8. Set the Ascend-Send-Auth attribute.

    The Ascend-Send-Auth attribute specifies the authentication protocol that the MAX requests when initiating a connection using PPP or MP+ encapsulation. The answering side of the connection determines which authentication protocol, if any, the connection uses.

  9. If you request PAP or CHAP authentication, you must also specify a password using Ascend-Send-Secret or Ascend-Send-Passwd.

    Both of these attributes specify the password that the MAX sends to the remote end of a connection on outgoing calls. If the value you specify for Ascend-Send-Secret or Ascend-Send-Passwd does not match the value of the remote end's Ascend-Receive-Secret attribute (in a RADIUS user profile) or Recv PW parameter (in a Connection profile), the remote system rejects the call.

    Use Ascend-Send-Passwd only if your version of the MAX does not support Ascend-Send-Secret.

This user profile enables a MAX called Alameda to dial calls to the MAX at 1-800-555-5555:

Alameda-Out Password="Ascend", User-Service=Dialout-Framed-User
     User-Name="Alameda",
     Framed-Protocol=PPP,
     Ascend-Route-IP=Route-IP-Yes, 
     Framed-Address=10.0.100.1,
     Framed-Netmask=255.255.255.0,
     Ascend-Metric=2,
     Framed-Routing=None,
     Ascend-Idle-Limit=30,
     Ascend-Dial-Number=1-800-555-5555,
     Ascend-PRI-Number-Type=National-Number,
     Ascend-Send-Auth=Send-Auth-PAP,
     Ascend-Send-Secret="Password1"
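The following Python script is an added example for this page, not Ascend code or anything the MAX ships with. It parses users-file entries in the layout shown in this chapter and checks the rules the text states for incoming mobile-node profiles (Framed-IPX-Network in decimal, Ascend-IPX-Node-Addr as a 12-digit node address, a home agent written as hostname or address with an optional :udp_port, and one shared Ascend-Home-Agent-Password for every mobile node that reaches a given home agent, since that unit's ATMP Options menu holds a single Password) and for outgoing Dialout-Framed-User profiles (a Send-Secret whenever PAP or CHAP is requested, Ascend-Send-Passwd only on software lacking Ascend-Send-Secret). The function names, the precedence it assumes when resolving the tunnel's UDP port, the sample entries Node3 and Alameda-Out (constructed to break the rules) and the warning that PAP puts the secret on the wire in clear text are this example's own, not the page's.

```python
import re
from collections import defaultdict

ATMP_DEFAULT_UDP_PORT = 5150      # default ATMP port, per the text

def parse_users(text):
    """Parse users-file text into [(name, {attr: value})], quotes stripped."""
    profiles = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line:
            continue
        if not raw[:1].isspace():                 # unindented line starts a profile
            name, _, line = line.partition(" ")
            profiles.append((name, {}))
        for item in line.split(","):
            attr, _, value = item.partition("=")
            if attr.strip():
                profiles[-1][1][attr.strip()] = value.strip().strip('"')
    return profiles

def home_agent(attrs, key="Ascend-Primary-Home-Agent"):
    """Split 'hostname | ip_address [:udp_port]' into (host, port or None)."""
    host, _, port = attrs[key].partition(":")
    return host, (int(port) if port else None)

def effective_udp_port(attrs):
    # Assumed precedence (the text only says both ends must agree): a :udp_port
    # on the home-agent attribute, else Ascend-Home-Agent-UDP-Port, else 5150.
    _, port = home_agent(attrs)
    if port is not None:
        return port
    return int(attrs.get("Ascend-Home-Agent-UDP-Port", ATMP_DEFAULT_UDP_PORT))

def lint_mobile_node(name, attrs):
    """Rules for an incoming mobile-node profile (one that names a home agent)."""
    problems = []
    if "Ascend-Primary-Home-Agent" not in attrs:
        return problems
    if attrs.get("Ascend-Route-IPX") == "Route-IPX-Yes":
        net = attrs.get("Framed-IPX-Network", "")
        if not net.isdigit():                     # decimal only, never 0x.. hex
            problems.append(f"{name}: Framed-IPX-Network must be decimal, got {net!r}")
        if not re.fullmatch(r"[0-9A-Fa-f]{12}", attrs.get("Ascend-IPX-Node-Addr", "")):
            problems.append(f"{name}: Ascend-IPX-Node-Addr must be a 12-digit node address")
    if "Ascend-Home-Agent-Password" not in attrs:
        problems.append(f"{name}: missing Ascend-Home-Agent-Password (must equal the home agent's Password)")
    return problems

def shared_password_conflicts(profiles):
    """Mobile nodes reaching one home agent must all carry the same
    Ascend-Home-Agent-Password: that unit has a single Password parameter."""
    seen = defaultdict(set)
    for _, attrs in profiles:
        if "Ascend-Primary-Home-Agent" in attrs and "Ascend-Home-Agent-Password" in attrs:
            seen[home_agent(attrs)[0]].add(attrs["Ascend-Home-Agent-Password"])
    return {host: pws for host, pws in seen.items() if len(pws) > 1}

def lint_dialout(name, attrs):
    """Rules for an outgoing (Dialout-Framed-User) agent-to-agent profile."""
    problems = []
    if attrs.get("User-Service") != "Dialout-Framed-User":
        return problems
    auth = attrs.get("Ascend-Send-Auth", "")
    if auth in ("Send-Auth-PAP", "Send-Auth-CHAP") and not (
            "Ascend-Send-Secret" in attrs or "Ascend-Send-Passwd" in attrs):
        problems.append(f"{name}: {auth} requested but no Ascend-Send-Secret")
    if "Ascend-Send-Passwd" in attrs:
        problems.append(f"{name}: Ascend-Send-Passwd is for MAX software without Ascend-Send-Secret")
    if auth == "Send-Auth-PAP":                   # editor's caveat, not from the page
        problems.append(f"{name}: PAP sends the secret in the clear; prefer Send-Auth-CHAP")
    return problems

# Constructed sample: Node2 mirrors the page's example; Node3 and Alameda-Out
# are written to trip the checks above.
SAMPLE_USERS = """\
Node2 Password="Top-secret"
   Ascend-Route-IPX=Route-IPX-Yes,
   Framed-IPX-Network=4999,
   Ascend-IPX-Node-Addr="001122334567",
   Ascend-Primary-Home-Agent=10.9.8.10,
   Ascend-Home-Agent-Password="private",
   Ascend-Home-Network-Name="Homenet"
Node3 Password="Also-secret"
   Ascend-Route-IPX=Route-IPX-Yes,
   Framed-IPX-Network=0x1387,
   Ascend-IPX-Node-Addr="00112233456",
   Ascend-Primary-Home-Agent="10.9.8.10:5151",
   Ascend-Home-Agent-Password="privat"
Alameda-Out Password="Ascend", User-Service=Dialout-Framed-User
     Ascend-Send-Auth=Send-Auth-PAP,
     Ascend-Send-Passwd="Password1"
"""
PROFILES = parse_users(SAMPLE_USERS)

if __name__ == "__main__":
    for name, attrs in PROFILES:
        print("\n".join(lint_mobile_node(name, attrs) + lint_dialout(name, attrs)))
    print(shared_password_conflicts(PROFILES))
```

Run it against a real users file by replacing SAMPLE_USERS with the file's contents; the password-conflict check is the one most worth running before adding a second mobile node to an existing home agent, since a mismatch only shows up as a tunnel that never comes up.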

Configuring the home agent

The home agent adds an entry to its IPX routing table for the virtual IPX network number that the foreign agent sends in the Framed-IPX-Network attribute. This entry enables the home agent to route IPX packets from the home network back to mobile nodes.

To configure the home agent in router mode, you must perform these tasks:

Configuring ATMP in the home agent's Ethernet profile

To configure ATMP in the home agent's Ethernet profile, follow these steps:

  1. Open the Ethernet menu.

  2. Open the Mod Config menu.

  3. Open the ATMP Options menu.

  4. Set ATMP Mode=Home and Type=Router, specify a Password, and set the UDP Port (5150 by default).

    The value you specify for Password must match the value of the Ascend-Home-Agent-Password attribute in the mobile node's RADIUS user profile. All mobile node profiles that access this home agent must specify the same password for Ascend-Home-Agent-Password.

  5. Save your changes.

Configuring an outgoing RADIUS user profile to the foreign agent

For the home agent, you must create an outgoing user profile with the foreign agent as its destination. Follow these steps:

  1. On the first line of the user profile, specify the User-Name, Password, and User-Service attributes.

    The profile name at the start of the line is the User-Name; follow it with the Password and User-Service=Dialout-Framed-User. For example, you might enter this first line in the profile for the home agent Denver:

    Denver-Out Password="Ascend", User-Service=Dialout-Framed-User

  2. On the second line of the user profile, specify the name of the home agent by indicating a value for the User-Name attribute.

  3. To specify the encapsulation type in use on the line, set the Framed-Protocol attribute.

  4. Enable IP routing for the profile by setting Ascend-Route-IP=Route-IP-Yes.

  5. If the receiving end (the foreign agent) requires an IP address, and does not assign one dynamically, specify the home agent's IP address using the Framed-Address attribute (and, optionally, the Framed-Netmask attribute).

    The values of the Framed-Address and Framed-Netmask attributes for the local MAX must match the value of the NAS-Identifier attribute on the foreign agent. If there is no match, the foreign agent (the answering unit) clears the call.

  6. To indicate the phone number the MAX dials to reach the foreign agent, set the Ascend-Dial-Number attribute.

  7. To specify the type of phone number the MAX dials, set the Ascend-PRI-Number-Type attribute.

  8. Set the Ascend-Send-Auth attribute.

  9. If you request PAP or CHAP authentication, you must also specify a password using Ascend-Send-Secret or Ascend-Send-Passwd.

This user profile enables a MAX called Denver to dial calls to the MAX at 1-800-555-7777:

Denver-Out Password="Ascend", User-Service=Dialout-Framed-User
     User-Name="Denver",
     Framed-Protocol=PPP,
     Ascend-Route-IP=Route-IP-Yes,
     Framed-Address=10.0.100.1,
     Framed-Netmask=255.255.255.0,
     Ascend-Metric=2,
     Framed-Routing=None,
     Ascend-Idle-Limit=30,
     Ascend-Dial-Number=1-800-555-7777,
     Ascend-PRI-Number-Type=National-Number,
     Ascend-Send-Auth=Send-Auth-PAP,
     Ascend-Send-Secret="Password1"

Setting up the MAX as a multi-mode agent

You can configure the MAX to act as a home agent or a foreign agent on a tunnel-by-tunnel basis. A typical network topology appears in Figure 7-4.

Figure 7-4. The MAX acting as a home agent and a foreign agent

To configure the MAX to act as a foreign agent and home agent on a tunnel-by-tunnel basis, follow these steps:

  1. Open the Ethernet menu.

  2. Open the Mod Config menu.

  3. Open the ATMP Options menu.

  4. Set ATMP Mode=Both.

    This setting indicates that the MAX will function as both a home agent and foreign agent on a tunnel-by-tunnel basis.

  5. Set the Type parameter to Router or Gateway, as appropriate.

  6. For the Password parameter, specify a password.

    The mobile node must specify this password only when the unit acts as its home agent.

  7. Set SAP Reply to Yes or No.

    This parameter applies only when the unit is acting as a home agent. It enables or disables a home agent's ability to reply to the mobile node's IPX Nearest Server Query. If you set SAP Reply=Yes, the home agent replies to the mobile node's Nearest Server Query if it knows about a server on the home network. If you set SAP Reply=No, the home agent simply tunnels the mobile node's request to the home network.

  8. For the UDP Port parameter, specify the UDP port or accept the default of 5150.

  9. Save your changes.

Setting up ATMP to bypass a foreign agent

If a home agent MAX has the appropriate RADIUS entry for a mobile node, the mobile node can connect directly to the home agent, bypassing the foreign agent entirely.

An ATMP-based RADIUS entry local to the home agent enables the mobile node to bypass a foreign agent connection, but it does not preclude a foreign agent. If both the home agent and the foreign agent have local RADIUS profiles for the mobile node, the node can choose between a direct connection or a tunneled connection through the foreign agent.

For information about how to set up a RADIUS user profile for the mobile node in router mode, see Configuring an incoming RADIUS profile for the mobile node. For information about how to set up a RADIUS user profile for the mobile node in gateway mode, see Configuring an incoming RADIUS user profile for the mobile node.

In this example, the RADIUS user profile authenticates a mobile NetWare client that connects directly to a home agent in gateway mode.

Mobile-IPX Password="unit"
        User-Service=Framed-User,
        Ascend-Route-IPX=Route-IPX-Yes,
        Framed-Protocol=PPP,
        Ascend-IPX-Peer-Mode=IPX-Peer-Dialin,
        Framed-IPX-Network=40000000,
        Ascend-IPX-Node-Addr="000012345678",
        Ascend-Primary-Home-Agent=192.168.6.18,
        Ascend-Home-Network-Name="Dave's Max",
        Ascend-Home-Agent-Password="Pipeline"

If the home agent were in router mode, you would not include the Ascend-Home-Network-Name line in the user entry. The Ascend-Home-Network-Name attribute specifies the name of the answering unit across the WAN on the home IPX network.

Configuring call routing to PPTP servers

You can use RADIUS to route PPP calls to the Point-to-Point Tunneling Protocol (PPTP) server based on the calling or dialed number, and access more than four PPTP servers.

Creating tunnels on a per-user basis

In previous releases, when a client dialed into the MAX and wanted to use a PPTP tunnel, the MAX chose a tunnel on the basis of the Route Line n parameters. Each T1 PRI line was associated with a different Route Line n parameter. Each parameter specified a particular PPTP server at the end of the PPTP tunnel. The MAX simply created a tunnel for each T1 line on which the user connected.

While you can still use the Route Line n parameters to create tunnels on the basis of the T1 line, you can now create a tunnel on a per-user basis as well. In a RADIUS user profile, you specify the IP address or host name of a PPTP server. The profile creates a tunnel between the MAX and the PPTP server. When the name and password of an incoming call match the name and password in a RADIUS user profile set up for PPTP, the MAX creates the PPTP tunnel to the PPTP server.

The changes to PPTP functionality affect PPP connections and terminal-server users. This release adds RADIUS tunnel attributes for the purpose; the example entries at the end of this section use Tunnel-Server-Endpoint, Tunnel-Type, and Tunnel-Medium-Type.

Attributes for routing PPTP on the basis of CLID or DNIS

You can use CLID or DNIS authentication via RADIUS to select a PPTP tunnel. You are not required to dedicate a T1 line to each destination PNS address, and you are no longer limited to four PPTP servers, as was the case in previous releases.


Note: It is still possible to dedicate a WAN line to PPTP.

When a PPP call comes in on any WAN line and the authentication process begins, the MAX will first check whether the line is a dedicated PPTP line (the same behavior as previously).

However, if the line is not a PPTP line, the MAX checks the data returned from RADIUS to determine whether the call should be tunneled. If the RADIUS profile matched by CLID or DNIS specifies a tunnel server endpoint, the MAX routes the call through PPTP to that server, which then communicates with the caller.

Example RADIUS entries

The following examples show RADIUS entries for CLID and DNIS. The MAX must have RADIUS user entries that specify DNIS.

CLID RADIUS entry

5105551212 Password = "Ascend-CLID"
        Tunnel-Server-Endpoint = "192.168.6.199",
        Tunnel-Type = PPTP,
        Tunnel-Medium-Type = IP

DNIS RADIUS entry

7894 Password = "Ascend-DNIS"
        Tunnel-Server-Endpoint = "eng-lab-199",
        Tunnel-Type = PPTP,
        Tunnel-Medium-Type = IP




techpubs@eng.ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.