

Getting Acquainted with RADIUS


This chapter introduces RADIUS authentication and accounting, and provides an overview of the files and attributes that the RADIUS server uses. This chapter contains:
How does the MAX use RADIUS?
How does RADIUS authentication work?
How does RADIUS accounting work?
What types of applications does RADIUS support?
What files does RADIUS use?
Overview of RADIUS attributes
Overview of RADIUS packet formats

How does the MAX use RADIUS?

RADIUS provides a central location for storing these types of information:

RADIUS maintains authentication, incoming call configuration, dialout, routing, and filter information in individual user profiles. Each user profile consists of a series of attributes. These attributes indicate a user name and password, and enable you to configure routing, bridging, call management, and restrictions on the types of MAX resources a caller can access.

How does RADIUS authentication work?

A single RADIUS server can administer multiple security systems, maintaining profiles for thousands of users. RADIUS vastly increases the number of authentication entries that the MAX can support. Without RADIUS, you must limit yourself to the number of local Connection profiles the MAX supports.

When you use RADIUS authentication, these events take place:

  1. A user dialing in from a modem, ISDN terminal adaptor, or bridge/router attempts to open a connection to the MAX, and the MAX determines that it must use a RADIUS user profile to authenticate the user.

  2. The MAX sends the user connection request to the RADIUS server.

  3. The RADIUS server carries out one or more of these tasks:

  4. The RADIUS server sends an authentication response to the MAX.

    If authentication is unsuccessful, the MAX refuses the connection. If authentication is successful, the MAX receives a list of attributes from the user profile in the RADIUS server's database and establishes network access for the caller.

  5. The MAX notifies the RADIUS server that the session has begun.

    The MAX also notifies the RADIUS server when the session ends. If you enable accounting, the RADIUS server can generate accounting records.

How does RADIUS accounting work?

RADIUS accounting is a way to log information about three types of events:

When the MAX recognizes one of these events, it sends an accounting request to RADIUS. When the accounting server receives the request, it combines the information into a record and timestamps it. Each type of accounting record contains attributes associated with an event type, and can show the number of packets the MAX transmitted and received, the protocol in use, the user name and IP address of the client, and so on.

You can use RADIUS accounting for either of these purposes:

What types of applications does RADIUS support?

This section describes some common RADIUS applications.

Simple RADIUS authentication and accounting

In Figure 1-1, the RADIUS server performs both authentication and accounting. This configuration does not use a backup server.

Figure 1-1. Simple RADIUS authentication and accounting

This configuration is ideal for cost-conscious service providers and corporations that do not want to invest in different machines for security and backup.

RADIUS authentication and accounting with a backup server

In Figure 1-2, a service provider or corporate office has a second RADIUS server acting as a backup. If the primary RADIUS server fails, the MAX automatically contacts the secondary RADIUS server to authenticate a user. If the secondary server fails, you can bring in a third RADIUS server as a backup. You can use the secondary server as a backup accounting server as well.

Figure 1-2. RADIUS authentication and accounting with a backup server

RADIUS with an external security-card server

For more secure networks, a service provider or corporate office can use RADIUS as a front end to a security-card authentication server, such as Security Dynamics ACE/Server or Enigma Logic's SafeWord server.

Figure 1-3 illustrates an environment that includes an Ascend Pipeline as the calling unit, an NAS (the MAX), a RADIUS server, and an external authentication server.

Figure 1-3. RADIUS with an external security-card server

For complete information on configuring RADIUS to work with security-card authentication servers, see Setting up security-card authentication.

Using RADIUS to sign up new customers

In Figure 1-4, the service provider has a RADIUS server and a separate registration server. When a new customer connects to the network using the name and password specified in the company's advertising, the MAX passes the request to the registration server. The server prompts the user to enter sign-up information.

Figure 1-4. Using RADIUS to sign up new customers

A user cannot access any other resource on the system until he or she provides all the registration details and signs up for the service. After a user completes the registration procedure, the server issues a permanent user name and password.

What files does RADIUS use?

The RADIUS server uses the files listed in Table 1-1.

Table 1-1. RADIUS files

File name

Default location

Description

radiusd

/etc/raddb

The RADIUS daemon you use with a flat ASCII users file.

If you require RADIUS accounting or any of the attributes provided by Ascend as extensions to the Livingston RADIUS daemon, you must use the Ascend RADIUS daemon, version 1.16 (dated 7/25/95) or later.

For information on running the radiusd daemon, see Running the daemon with a flat ASCII users file.

radiusd.dbm

/etc/raddb

The RADIUS daemon you use with a UNIX DBM database.

If you require RADIUS accounting or any of the attributes provided by Ascend as extensions to the Livingston RADIUS daemon, you must use the Ascend RADIUS daemon, version 1.16 (dated 7/25/95) or later.

For information on running the radiusd.dbm daemon, see Running the daemon with a UNIX DBM database.

dictionary

/etc/raddb

The Ascend RADIUS dictionary. This file contains a list of all the attributes the daemon supports, along with the possible values for each attribute.

You must install the dictionary on your RADIUS server in the same directory as the Ascend RADIUS daemon, and it must have the same date as the Ascend RADIUS daemon. The RADIUS daemon reads the dictionary when it starts up. If you update the dictionary file while the daemon is running, you must stop the daemon process and then restart it to make the new attributes available.

For further information about the dictionary file, see Dictionary file.

clients

/etc/raddb

A file that identifies each client permitted to send requests to the RADIUS server. For overview information about the clients file, see Clients file. For details on setting up the clients file, see step 8.

users

/etc/raddb

A file that contains a set of user profiles. Each user profile consists of attributes describing the user's name, his or her password, and the MAX features to which the user has access. For introductory information on the users file, see Users file.

logfile

/etc/raddb

A file containing error messages. You must create this file yourself.

detail

/usr/adm/NAS-name/radacct

A file containing accounting records.

Dictionary file

Every attribute has an associated name, ID, and value type. The dictionary file provides a complete list of attributes, and contains the information described in Table 1-2.

Table 1-2. Dictionary file format

Attribute element

Description

Name

An ASCII string denoting the attribute, such as User-Name or Password.

ID

A number between 1 and 255 associated with each attribute. For example, the User-Name attribute is attribute 1 and the Password attribute is attribute 2.

Value type

A specification denoting the type of values the attribute can contain:

string: A character sequence, not necessarily null terminated (0-253 bytes).

abinary: An Ascend binary filter (0-253 bytes).

ipaddr: An IP address in network-byte order (4 bytes).

integer: A 32-bit value in big-endian order (4 bytes).

date: The number of seconds that have elapsed since 00:00:00 GMT, January 1, 1970 (4 bytes).

The first several lines of a typical dictionary file might look like this:

ATTRIBUTE      User-Name           1             string
ATTRIBUTE      Password            2             string
ATTRIBUTE      Challenge-Response  3             string
ATTRIBUTE      NAS-Identifier      4             string
ATTRIBUTE      NAS-Port            5             string

Clients file

A client is the MAX or another machine that sends requests to the RADIUS server. The RADIUS clients file defines the client machines permitted to make requests to the RADIUS server. For the RADIUS daemon to respond to client requests from the MAX, you must specify the MAX unit's name and password in the clients file.

A sample line in the clients file looks like this one:

Users file

The users file contains an entry for each user that RADIUS will authenticate. Each entry is called a user profile, and consists of attributes describing a user and the services he or she can access. A users file can contain comment lines, user profiles, and blank lines. Table 1-3 lists each element.

Table 1-3. Users file elements

Element

Description

Comment line

A comment line begins with the # character at column one, with text that extends to the end of the line. You can embed a comment line anywhere in a user profile.

User profile

A user profile consists of a first line (also called an authentication line), followed by the rest of the profile, followed by a final line.

The first line consists of a user name, followed by a space or tab, followed by an attribute list containing authentication information, such as the user's password and the password's expiration date. The attributes on the first line are called check attributes because RADIUS must check the attributes before it can grant access to the MAX.

Any characters can appear at columns one and two except the # character, a space, or a tab. Starting at the third column, the first line can contain one or more spaces or tabs, followed by an attribute list (without a trailing comma) and a newline.

Each subsequent line in the rest of the record has a space or tab in the first column, followed by zero or more spaces or tabs, an attribute list, a comma, and a newline.

The final line is identical to each line after the first one, except that it contains no trailing comma.

Blank line

A blank line cannot appear within a user profile, but can be present anywhere outside a user profile. It must end with a newline.

This portion of a users file contains two comment lines, a blank line, and a user profile:

# This user profile is for PPP sessions only, and uses a
# local password.

Ascend1 Password="Pipeline"
	User-Service=Framed-User,
	Framed-Protocol=PPP,
	Framed-Address=10.0.1.1,
	Framed-Netmask=255.255.255.0,
	Ascend-Metric=2,
	Framed-Routing=None,
	Ascend-Idle-Limit=30

The user profile consists of a first line containing the user name (Ascend1) and password (Pipeline) that the RADIUS server uses for authentication. Subsequent lines contain attributes describing the type of service the user can access, the type of protocol in use, and so on. Note that each line of the profile, except the first line and last line, contains a trailing comma.
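The dictionary format of Table 1-2 and the users-file line rules of Table 1-3, as an added example (not Ascend's daemon code): a parser that reads ATTRIBUTE lines, then walks a users file enforcing the comment, first-line, continuation-comma and blank-line rules described above, and checks each attribute value against its dictionary type. The sample inputs are constructed here; attribute IDs are the ones on this page, but the value types of everything except User-Name and Password are assumptions.

```python
import re

VALUE_TYPES = {"string", "abinary", "ipaddr", "integer", "date"}  # Table 1-2

# Constructed samples; value types other than User-Name/Password are assumptions.
SAMPLE_DICTIONARY = """\
ATTRIBUTE      User-Name           1             string
ATTRIBUTE      Password            2             string
ATTRIBUTE      User-Service        6             integer
ATTRIBUTE      Framed-Protocol     7             integer
ATTRIBUTE      Framed-Address      8             ipaddr
ATTRIBUTE      Framed-Netmask      9             ipaddr
ATTRIBUTE      Framed-Routing      10            integer
ATTRIBUTE      Ascend-Metric       225           integer
ATTRIBUTE      Ascend-Idle-Limit   244           integer
"""
SAMPLE_USERS = """\
# This user profile is for PPP sessions only, and uses a
# local password.

Ascend1 Password="Pipeline"
\tUser-Service=Framed-User,
\tFramed-Protocol=PPP,
\tFramed-Address=10.0.1.1,
\tFramed-Netmask=255.255.255.0,
\tAscend-Metric=2,
\tFramed-Routing=None,
\tAscend-Idle-Limit=30
"""

def parse_dictionary(text):
    """Return {name: (id, value_type)} from 'ATTRIBUTE name id type' lines."""
    attrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 4 or fields[0] != "ATTRIBUTE" or not fields[2].isdigit():
            raise ValueError(f"dictionary line {lineno}: expected ATTRIBUTE name id type")
        if not 1 <= int(fields[2]) <= 255 or fields[3] not in VALUE_TYPES:
            raise ValueError(f"dictionary line {lineno}: id outside 1-255 or unknown type")
        attrs[fields[1]] = (int(fields[2]), fields[3])
    return attrs

def split_attr_list(text):
    """Split 'A=1, B="x"' into [("A", "1"), ("B", "x")]; quotes around values are dropped."""
    pairs = []
    for item in filter(None, (part.strip() for part in text.split(","))):
        if "=" not in item:
            raise ValueError(f"malformed attribute {item!r}")
        name, value = item.split("=", 1)
        pairs.append((name.strip(), value.strip().strip('"')))
    return pairs

def validate(name, value, dictionary):
    """Check one attribute against its dictionary entry and value type."""
    if name not in dictionary:
        raise ValueError(f"{name}: not in dictionary (add it and restart the daemon)")
    vtype = dictionary[name][1]
    if vtype == "ipaddr" and not (re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", value)
                                  and max(map(int, value.split("."))) <= 255):
        raise ValueError(f"{name}: {value!r} is not a dotted-quad IP address")
    if vtype in ("string", "abinary") and len(value.encode()) > 253:
        raise ValueError(f"{name}: value longer than 253 bytes")
    # Symbolic names (Framed-User, PPP) come from VALUE lines the page does not cover.
    if vtype == "integer" and not re.fullmatch(r"\d+|[A-Za-z][\w-]*", value):
        raise ValueError(f"{name}: {value!r} is not an integer or symbolic value")

def parse_users(text, dictionary):
    """Return [{"name", "check", "reply"}] following the line rules of Table 1-3."""
    profiles, current, pending = [], None, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):                 # comment lines may appear anywhere
            continue
        if pending and (not line.strip() or line[0] not in " \t"):
            raise ValueError(f"line {lineno}: profile not terminated (final line missing)")
        if not line.strip():                     # blank lines only between profiles
            current = None
        elif line[0] not in " \t":               # first line: name, whitespace, check list
            parts = line.split(None, 1)
            if len(parts) != 2 or parts[1].rstrip().endswith(","):
                raise ValueError(f"line {lineno}: bad authentication line")
            current = {"name": parts[0], "check": split_attr_list(parts[1]), "reply": []}
            profiles.append(current)
        elif current is None:
            raise ValueError(f"line {lineno}: attribute line outside a profile")
        else:                                    # trailing comma except on the final line
            body = line.strip()
            pending = body.endswith(",")
            current["reply"].extend(split_attr_list(body.rstrip(",")))
            if not pending:
                current = None
    if pending:
        raise ValueError("users file ends inside a profile")
    for profile in profiles:
        for name, value in profile["check"] + profile["reply"]:
            validate(name, value, dictionary)
    return profiles
```

Because the daemon only reads the dictionary at startup, a profile that names an attribute missing from the dictionary is rejected here the same way it would be by a daemon that has not been restarted.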

Overview of RADIUS attributes

Attributes associated with authentication, connection setup, and user sessions can appear in the following types of packets:

The sections that follow describe the attributes in the packets listed above. For information on attributes associated with accounting, see Understanding accounting records.

Access-Request attributes

When it receives an incoming call, the MAX first checks its local Connection profiles. If it doesn't find a Connection profile for the call and you configured the MAX to communicate with RADIUS, the MAX sends an Access-Request packet to the RADIUS server.

The Access-Request packet includes the caller's name and password, and may also include the other attributes shown in Table 1-4.

Table 1-4. Access-Request attributes

Attribute

Description

Default

Ascend-Send-Passwd (232)

Specifies the password that the MAX sends to the remote end of a connection on outgoing calls.

The default value is null.

Ascend-Send-Secret (214)

Specifies that the system encrypts the password when passing it between the RADIUS server and the MAX on outgoing calls.

The default value is null.

Caller-Id (31)

Specifies the calling party number, indicating the phone number of the user that wants to connect to the MAX.

The default value is null.

Challenge-Response (3)

Indicates the password that a Challenge Handshake Authentication Protocol (CHAP) user enters in response to a password challenge.

The default value is null.

Class (25)

Enables access providers to classify their user sessions, such as for the purpose of billing users depending on the service option they choose. The MAX sends the Class attribute in Access-Request packets under CLID authentication.

The default value is null.

Client-Port-DNIS (30)

Specifies the called-party number, indicating the phone number the user dialed to connect to the MAX.

The default value is null.

Framed-Protocol (7)

Specifies the type of protocol a link can use.

This attribute does not appear in an Access-Request packet if Auth Send Attr 6, 7=No in the Ethernet > Mod Config > Auth menu.

By default, the MAX does not restrict the type of protocol a link can use.

NAS-Identifier (4)

Indicates the IP address of the MAX.

The default value is 0.0.0.0/0.

NAS-Port (5)

Specifies the interface and service the session is using.

The default value for the RADIUS daemon appears in the /etc/services file.

NAS-Port-Type (61)

Specifies the type of physical port the MAX is using to authenticate the client.

The default value is Async.

Password (2)

Specifies the user's password for an incoming or outgoing call.

The default value is null.

User-Name (1)

Specifies the user's name.

The default value is null.

User-Service (6)

Indicates whether the link can use framed or unframed services. You can specify Framed-User, Login-User, or Dialout-Framed-User.

This attribute does not appear in an Access-Request packet if Auth Send Attr 6, 7=No in the Ethernet > Mod Config > Auth menu.

By default, the MAX does not restrict the services that a link can use.
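The request of steps 1 through 4 of the authentication sequence, carrying the Table 1-4 attributes, as an added example that is not Ascend code: the page's own packet-format section is not part of this excerpt, so the 20-octet header, the type-length-value attribute encoding, the Password hiding and the NAS-Port-Type value 0 for Async follow RFC 2865. The shared secret, the sample caller and the `users` dictionary standing in for the users file are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                             # packet code
USER_NAME, PASSWORD, CALLER_ID, NAS_PORT_TYPE = 1, 2, 31, 61   # IDs from Table 1-4
NAS_PORT_TYPE_ASYNC = 0                                        # RFC 2865 value for "Async"

def hide_password(password, secret, authenticator):
    """Hide a Password value (RFC 2865 section 5.2): pad to 16-octet blocks and XOR
    each block with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ h for p, h in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password; strips the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ h for c, h in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attribute(atype, value):
    """Encode one type-length-value attribute; values are 0-253 octets (Table 1-2)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(identifier, secret, user, password, caller_id, authenticator=None):
    """Build the Access-Request the MAX sends in step 2 of the authentication sequence."""
    authenticator = authenticator or os.urandom(16)      # 16-octet Request Authenticator
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(CALLER_ID, caller_id.encode())
             + attribute(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ASYNC)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]), checking every length."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:20], attrs

def authenticate(packet, secret, users):
    """Server-side check for step 3: look up User-Name and compare the revealed Password.
    `users` is a constructed {name: password} stand-in for the users file."""
    code, _, authenticator, attrs = parse_packet(packet)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in fields or PASSWORD not in fields:
        return False
    name = fields[USER_NAME].decode(errors="replace")
    if name not in users:
        return False
    revealed = reveal_password(fields[PASSWORD], secret, authenticator)
    return hmac.compare_digest(revealed, users[name].encode())
```

A server that has the wrong shared secret, or the wrong password on file, rejects the same datagram, and the cleartext password never appears in it.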

Access-Accept attributes

If the attribute values that the MAX submits to RADIUS match the attribute values in the user profile, the RADIUS server authenticates the call and returns an Access-Accept packet containing a list of attributes characterizing that user. Table 1-5 lists the RADIUS attributes defined in the Livingston RADIUS draft.

Table 1-5. Livingston/Ascend RADIUS Access-Accept attributes

Attribute

Description

Default

Caller-Id (31)

Specifies the calling party number, indicating the phone number of the user that wants to connect to the MAX.

The default value is null.

Change-Password (17)

Specifies a value used internally by the MAX and the RADIUS server to change an expired password.

When a user specifies an expired password, RADIUS prompts the user for a new password. When the user enters the new password, the MAX sends an Access-Password-Request packet that contains both the old password (as the value of the Change-Password attribute), and the new password (as the value of the Password attribute).

If the RADIUS server accepts the new password, it tries to edit the users file and replace the expired password with the new one. Note that the RADIUS server can make this change in the user profile only in the flat file. It cannot make this change in the database version of the users file.

This attribute has no default value, because it does not appear in a user profile.

Class (25)

Enables access providers to classify their user sessions, such as for the purpose of billing users depending on the service option they choose. If you include the Class attribute in the RADIUS user profile, the RADIUS server sends it to the MAX in the Access-Accept packet when the session begins.

The default value is null.

Client-Port-DNIS (30)

Specifies the called-party number, indicating the phone number the user dialed to connect to the MAX.

The default value is null.

Framed-Address (8)

Indicates the IP address of the user.

The default value is 0.0.0.0.

Framed-Compression (13)

Turns TCP/IP header compression on or off.

By default, the MAX turns compression on.

Framed-MTU (12)

Specifies the maximum number of bytes the MAX can receive in a single packet on a PPP, Frame Relay, EU-UI, or EU-RAW link.

The default value is 1524.

Framed-Netmask (9)

Indicates the subnet mask associated with the IP address of a station or router at the remote end of the link.

The default value is 0.0.0.0.

Framed-IPX-Network (23)

Indicates a virtual IPX network required for the home agent to route IPX packets to the mobile node.

The default value is null.

Framed-Protocol (7)

Specifies the type of protocol a link can use.

By default, the MAX does not restrict the type of protocol a link can use.

Framed-Route (22)

Indicates a static IP route when User-Service=Dialout-Framed-User.

host_ipaddr=0.0.0.0

/subnet_mask=/0

router_ipaddr=0.0.0.0

metric=8

private="n"

profile_name=null

preference=120

Framed-Routing (10)

Specifies whether the MAX sends RIP packets, receives RIP packets, or both.

By default, the MAX neither sends nor receives RIP packets.

Login-Host (14)

Specifies the host to which the MAX automatically connects when you set User-Service=Login-User and specify a value for the Login-Service attribute.

The default value is 0.0.0.0. This setting specifies no host.

Login-Service (15)

Specifies the type of terminal service connection to an IP host that occurs immediately after authentication.

By default, the MAX does not grant immediate access to any type of terminal server session.

Login-TCP-Port (16)

Specifies the port number to which a TCP session connects.

The default value is null.

Reply-Message (18)

Specifies text that appears to the terminal server operator who is using the menu-driven interface. You can specify up to 16 entries per user profile.

The default value is null.

User-Service (6)

Indicates whether the link can use framed or unframed services. You can specify Framed-User, Login-User, or Dialout-Framed-User.

By default, the MAX does not limit the services that a link can use.

Table 1-6 lists Ascend extensions to the RADIUS attributes. These are defined only in the Ascend RADIUS dictionary file and require the Ascend RADIUS daemon.

Table 1-6. Ascend RADIUS Access-Accept attributes

Attribute

Description

Default

Ascend-Add-Seconds (240)

Specifies the number of seconds that average line utilization (ALU) for transmitted data must exceed the threshold indicated by the Ascend-Target-Util attribute before the MAX begins adding bandwidth to a session.

The default value is 5.

Ascend-Ara-PW (181)

Indicates the password of the incoming caller over AppleTalk Remote Access (ARA).

The default value is null.

Ascend-Assign-IP-Client (144)

Specifies the IP address of an Ascend unit that can use global IP address pools.

The default value is 0.0.0.0.

Ascend-Assign-IP-Global-Pool (146)

Specifies the global address pool from which RADIUS should assign a user an address.

The default value is null.

Ascend-Assign-IP-Pool (218)

Specifies the address pool that incoming calls use.

The default value is 1.

Ascend-Assign-IP-Server (145)

Specifies the IP address of the host running radipad.

The default value is 0.0.0.0.

Ascend-Authen-Alias (203)

Sets the MAX unit's login name during PPP authentication.

The default is the value of the Name parameter in the System profile.

Ascend-backup (176)

Specifies the name of a backup profile for a nailed-up link.

The default value is null.

Ascend-BACP-Enable (134)

Specifies whether Bandwidth Allocation Control Protocol (BACP) is enabled for the link.

The default is BACP-No.

Ascend-Base-Channel-Count (172)

Specifies the initial number of channels the MAX sets up when originating calls for a PPP, MP+, MP, or Combinet multichannel link.

The default value is 1.

Ascend-Billing-Number (249)

Indicates a billing number for charges incurred on the line.

The default value is null.

Ascend-Bridge (230)

Enables or disables protocol-independent bridging for the link.

The default is to disable bridging.

Ascend-Bridge-Address (168)

Specifies a bridge entry.

MAC_address=000000000000

profile_name=null

IP_address=0.0.0.0

Ascend-Callback (246)

Enables or disables callback.

By default, the MAX disables callback.

Ascend-Call-By-Call (250)

Specifies the T1 PRI service that the MAX uses when placing a call.

By default, the MAX uses ACCUNET Switched Digital Services from AT&T.

Ascend-Call-Filter (243)

Defines a call filter.

The default value is null.

Ascend-Call-Type (177)

Specifies the type of nailed-up connection in use.

The default value is Nailed.

Ascend-Client-Gateway (132)

Specifies the default route for IP packets coming from the user on this connection.

The default value is 0.0.0.0.

Ascend-Data-Filter (242)

Defines a data filter.

The default value is null.

Ascend-Data-Svc (247)

Specifies the type of data service the link uses.

The default value is Switched-56 service.

Ascend-DBA-Monitor (171)

Specifies how the MAX monitors traffic on an MP+ call.

By default, the MAX adds or subtracts bandwidth based on the amount of data it transmits; that is, the default value is DBA-Transmit.

Ascend-Dec-Channel-Count (237)

Indicates the number of channels the MAX removes when bandwidth changes either manually or automatically during a call.

The default value is 1.

Ascend-DHCP-Maximum-Leases

Specifies the maximum number of dynamic addresses to assign to NAT clients using a connection.

The default value is 4.

Ascend-DHCP-Pool-Number (148)

Specifies the address pool to use for allocating an IP address to a Dynamic Host Configuration Protocol (DHCP) client or a NAT client on a connection.

The default value is 0 (zero).

Ascend-DHCP-Reply (147)

Specifies whether the MAX processes Dynamic Host Configuration Protocol (DHCP) packets and acts as a DHCP server on this connection.

The default is to disable DHCP functionality (DHCP-Reply-No).

Ascend-Dial-Number (227)

Specifies the phone number the MAX dials to reach the bridge, router, or node at the remote end of the link.

The default value is null.

Ascend-Dialout-Allowed (131)

Specifies whether the user associated with the RADIUS user profile can dial out using one of the MAX unit's digital modems.

The default value is Dialout-Not-Allowed.

Ascend-Expect-Callback (149)

Specifies whether a user calling out should expect the remote end to call back.

The default value is no callback (Expect-Callback-No).

Ascend-First-Dest (189)

Specifies the destination IP address of the first packet the MAX receives on a connection after it has authenticated the link.

This attribute has no default value, because it does not appear in a user profile.

Ascend-Force-56 (248)

Indicates whether the MAX uses only the 56-Kbps portion of a channel, even when all 64 Kbps appear to be available.

By default, the MAX attempts to use all 64 Kbps (Force-56-No).

Ascend-FR-Circuit-Name (156)

Indicates the Permanent Virtual Connection (PVC) for which the user profile is an endpoint.

The default value is null.

Ascend-FR-DCE-N392 (162)

Specifies the number of errors during Ascend-FR-DCE-N393-monitored events that cause the network side to declare the user side's procedures inactive.

The default value is 3.

Ascend-FR-DCE-N393 (164)

Specifies the DCE-monitored event count.

The default value is 4.

Ascend-FR-Direct (219)

Specifies whether the MAX uses a gateway connection or a redirect connection.

By default, the MAX uses a gateway connection (FR-Direct-No).

Ascend-FR-Direct-DLCI (221)

Identifies the user profile to the frame relay switch as a logical link on a physical circuit for a redirect connection.

The default value is 16.

Ascend-FR-Direct-Profile (220)

Specifies the name of the Frame Relay profile that carries the redirect connection to the frame relay switch.

The default value is null.

Ascend-FR-DLCI (179)

Indicates the Data Link Connection Indicator (DLCI) that identifies the RADIUS user profile to the frame relay switch as a logical link on a physical circuit in a gateway connection.

The default value is 16.

Ascend-FR-DTE-N392 (163)

Specifies the number of errors during Ascend-FR-DTE-N393-monitored events that cause the network side to declare the user side's procedures inactive.

The default value is 3.

Ascend-FR-DTE-N393 (165)

Specifies the DTE-monitored event count.

The default value is 4.

Ascend-FR-Link-Mgt (160)

Specifies the type of frame relay link management in use for the profile.

By default, the MAX does not use link management (Ascend-FR-No-Link-Mgt).

Ascend-FR-LinkUp (157)

Indicates whether a link comes up automatically.

By default, the link does not come up automatically.

Ascend-FR-N391 (161)

Specifies the interval at which the MAX requests a Full Status Report.

The default value is 6.

Ascend-FR-Nailed-Grp (158)

Indicates the nailed channel number for a frame relay datalink.

The default value is 1.

Ascend-FR-Profile-Name (180)

Specifies the name of the Frame Relay profile the MAX uses in building a gateway connection.

The default value is null.

Ascend-FR-T391 (166)

Sets up the Link Integrity Verification polling time.

The default value is 10.

Ascend-FR-T392 (167)

Sets up the timer for the verification of the polling cycle, that is, the length of time the unit should wait between Status Enquiry messages. An error results if the MAX does not receive a Status Enquiry message within the number of seconds you specify for this attribute.

The default value is 15.

Ascend-FR-Type (159)

Specifies the type of frame relay connection.

By default, the MAX assumes a UNI-to-DTE connection (Ascend-FR-DTE).

Ascend-FT1-Caller (175)

Indicates whether the MAX initiates an FT1-AIM or an FT1-B&O call, or whether it waits for the remote end to initiate these types of calls.

By default, the MAX waits for the remote end to initiate the call (FT1-No).

Ascend-Group (178)

Points to the nailed-up channels that the WAN link uses.

The default value is 1.

Ascend-Handle-IPX (222)

Specifies how the MAX handles NCP watchdog requests on behalf of IPX clients during IPX bridging.

By default, the MAX does not handle NCP watchdog requests (Handle-IPX-None).

Ascend-History-Weigh-Type (239)

Indicates which Dynamic Bandwidth Allocation (DBA) algorithm to use for calculating average line utilization (ALU) of transmitted data.

The default value is History-Quadratic.

Ascend-Home-Agent-Password (184)

Indicates the password that the foreign agent sends to the home agent during ATMP operation.

The default value is null.

Ascend-Home-Agent-UDP-Port (186)

Specifies the UDP port number to use when the foreign agent sends ATMP packets to the home agent.

The default value is 5150.

Ascend-Home-Network-Name (185)

Indicates the name of the Connection profile through which the home agent sends all packets it receives from the mobile node during ATMP operation.

The default value is null.

Ascend-Host-Info (252)

Specifies the IP address and description of the first, second, third, and fourth hosts to which a user can establish a Telnet session as listed in the terminal server menu-driven interface.

The default address is 0.0.0.0/0 and the default description is null.

Ascend-Idle-Limit (244)

Indicates the number of seconds the MAX waits before clearing a call when a session is inactive.

The default value is 120 seconds.

Ascend-IF-Netmask (154)

Specifies the subnet mask in use for the local numbered interface.

The default value is 0.0.0.0.

Ascend-Inc-Channel-Count (236)

Specifies the number of channels the MAX adds when bandwidth changes either manually or automatically during a call.

The default value is 1.

Ascend-IP-Direct (209)

Indicates the IP address to which the MAX redirects packets from the user.

The default value is 0.0.0.0. This setting specifies that the MAX does not perform IP redirection.

Ascend-IP-Pool-Definition (217)

Specifies the first IP address in an IP address pool and the number of addresses in the pool.

The default number of the pool is 1. The default for the first address is 0.0.0.0. The default number of addresses is 0 (zero).

Ascend-IPX-Alias (224)

Indicates an IPX network number to use when connecting to IPX routers that require numbered interfaces.

The default value is 00000000.

Ascend-IPX-Node-Addr (182)

Specifies a unique IPX node address on the Framed-IPX-Network. This value completes the IPX address of a mobile node.

The default value is 000000000001.

Ascend-IPX-Peer-Mode (216)

Specifies whether the caller is an Ethernet client with its own IPX network address or a dial-in PPP client.

By default, the MAX assumes an Ethernet client with its own IPX network address (IPX-Peer-Router).

Ascend-IPX-Route (174)

Defines a static IPX route.

profile_name=null

network#=00000000

node#=0000000000001

socket#=0000

server_type=0000

hop_count=1

tick_count=12

server_name=null

Ascend-Link-Compression (233)

Turns data compression on or off for a PPP link.

The default is no compression.

Ascend-Maximum-Call-Duration (125)

Specifies the maximum number of minutes an incoming call can remain online.

The default value is 0 (zero).

Ascend-Maximum-Channels (235)

Specifies the maximum number of channels allowed on an MP+ call.

The default value is 1.

Ascend-Maximum-Time (194)

Indicates the maximum length of time in seconds that any session is allowed.

The default value is 0 (zero), which specifies no time limit.

Ascend-Menu-Item (206)

Defines a single menu item for a user profile.

By default, the MAX uses the standard terminal server menu.

Ascend-Menu-Selector (205)

Specifies a string as a prompt for user input in the terminal server menu interface.

The default value is Enter Selection (1-num, q), where num is the number of items on the menu.

Ascend-Metric (225)

Indicates the virtual hop count of the route.

The default value is 7.

Ascend-Minimum-Channels (173)

Specifies the minimum number of channels an MP+ call maintains.

The default value is 1.

Ascend-MPP-Idle-Percent (254)

Specifies a percentage of bandwidth utilization below which the MAX clears a single-channel MP+ call.

The default value is 0 (zero).

Ascend-Multicast-Client (152)

Specifies whether the user is a multicast client of the MAX.

The default value is Multicast-No.

Ascend-Multicast-Rate-Limit (153)

Specifies how many seconds the MAX waits before accepting another packet from a multicast client.

The default value is 100.

Ascend-Multilink-ID (187)

Indicates the ID number of the Multilink bundle when the session closes. A Multilink bundle is a multichannel MP or MP+ call.

This attribute has no default value, because it does not appear in a user profile.

Ascend-Netware-timeout (223)

Indicates the number of minutes the MAX responds to NCP watchdog requests on behalf of IPX clients on the other side of an offline IPX bridging or routing connection.

The default value is 0 (zero).

Ascend-Num-In-Multilink (188)

Indicates the number of sessions remaining in a Multilink bundle when the session closes.

This attribute has no default value, because it does not appear in a user profile.

Ascend-PPP-Address (253)

Specifies the IP address reported to the calling unit during PPP IPCP negotiations.

The value of this attribute is always negotiated.

Ascend-PPP-Async-Map (212)

Gives the Ascend PPP code the async control character map for the PPP session.

The default value is the standard async control character.

Ascend-PPP-VJ-1172 (211)

Instructs the Ascend PPP code whether to use the 0x0037 value for the VJ compression type.

By default, the MAX uses VJ compression type 0x002d.

Ascend-PPP-VJ-Slot-Comp (210)

Instructs the Ascend PPP code whether to use slot compression when sending VJ-compressed packets.

By default, the MAX uses slot compression (VJ-Slot-Comp-Yes).

Ascend-Preempt-Limit (245)

Specifies the number of idle seconds the MAX waits before using one of the channels of an idle link for a new call.

The default value is 60 seconds.

Ascend-Pre-Input-Octets (190)

Records the number of input octets before authentication.

This attribute has no default value, because it does not appear in a user profile.

Ascend-Pre-Input-packets (192)

Specifies the number of input packets before authentication.

This attribute has no default value, because it does not appear in a user profile.

Ascend-Pre-Output-Octets (191)

Indicates the number of output octets before authentication.

This attribute has no default value, because it does not appear in a user profile.

Ascend-Pre-Output-packets (193)

Records the number of output packets before authentication.

This attribute has no default value, because it does not appear in a user profile.

Ascend-Primary-Home-Agent

Specifies the first home agent the foreign agent tries to reach when setting up an ATMP tunnel, and indicates the UDP port the foreign agent uses for the link.

The default IP address is 0.0.0.0, and the default UDP port is 5150.

Ascend-PRI-Number-Type (226)

Indicates the type of phone number the MAX dials under the extended dial plan.

The default value is National-Number.

Ascend-PW-Expiration (21)

Specifies an expiration date for the user's password.

The default is no expiration date.

Ascend-PW-Lifetime (208)

Indicates on a per-user basis the number of days that a password is valid.

The default is the value of the Lifetime-In-Days attribute from the Ascend dictionary.

Ascend-Receive-Secret (215)

Specifies a value the MAX receives from a dial-in user in order to verify an encrypted password.

The default value is null.

Ascend-Remote-Addr (155)

Specifies the IP address of the link's remote interface to the WAN.

The default value is 0.0.0.0.

Ascend-Remove-Seconds (241)

Specifies the number of seconds that average line utilization (ALU) for transmitted data must fall below the threshold indicated by the Ascend-Target-Util attribute before the MAX begins removing bandwidth from a session.

The default value is 10.

Ascend-Require-Auth (201)

Indicates whether additional authentication is required for calls that have already passed CLID or called-number authentication. Called-number authentication is also known as Dialed Number Information Service (DNIS) authentication.

By default, the MAX does not require additional authentication (Not-Require-Auth).

Ascend-Route-IP (228)

Enables or disables the routing of IP data packets over the link.

By default, the MAX enables IP routing.

Ascend-Route-IPX (229)

Enables or disables IPX routing.

By default, the MAX disables IPX routing.

Ascend-Secondary-Home-Agent

Specifies the secondary home agent the foreign agent tries to reach when the primary home agent (Ascend-Primary-Home-Agent) is unavailable. Also indicates the UDP port the foreign agent uses for the link.

The default IP address is 0.0.0.0, and the default UDP port is 5150.

Ascend-Seconds-Of-History (238)

Specifies the number of seconds the MAX uses as a sample for calculating average line utilization (ALU) of transmitted data.

The default value is 15.

Ascend-Send-Auth (231)

Indicates the protocol to use for name-password authentication.

By default, the MAX does not use an authentication protocol.

Ascend-Send-Passwd (232)

Specifies the password that the MAX sends to the remote end of a connection on outgoing calls.

The default value is null.

Ascend-Send-Secret (214)

Specifies that the system encrypts the password when passing it between the RADIUS server and the MAX on outgoing calls.

The default value is null.

Ascend-Target-Util (234)

Specifies the percent bandwidth utilization at which the MAX adds or subtracts bandwidth dynamically.

The default value is 70.

Ascend-Third-Prompt (213)

Indicates an additional prompt for user input after the login and password prompts.

By default, the MAX does not display an additional prompt.

Ascend-Token-Expiry (204)

Sets the lifetime of a cached token, that is, the lifetime of a hand-held security-card authentication.

The default value is 0 (zero). This setting specifies that token caching is not allowed.

Ascend-Token-Idle (199)

Specifies the maximum length of time in minutes a cached token can remain alive between authentications if a call is idle.

By default, the token remains alive until the value of Ascend-Token-Expiry is reached.

Ascend-Token-Immediate (200)

Establishes how RADIUS treats the password it receives from a Login-User when the user profile specifies a hand-held security card server.

By default, the MAX does not use a cached token (Tok-Imm-No).

Ascend-Transit-Number (251)

Specifies the U.S. Interexchange Carrier (IEC) to use for long-distance calls over a T1 PRI or E1 PRI line.

The default value is null.

Ascend-TS-Idle-Limit (169)

Specifies the number of seconds that a terminal server connection must be idle before the MAX disconnects the session.

The default value is 120.

Ascend-TS-Idle-Mode (170)

Specifies whether the MAX uses a terminal server idle timer and, if so, whether both the user and host must be idle before the MAX disconnects the session.

By default, the MAX disconnects the session if the user is idle for a length of time greater than the value of the Ascend-TS-Idle-Limit attribute. The default value is TS-Idle-Input.

Access-Reject attributes

If the attribute values submitted to RADIUS do not match the attribute values in the user profile, the RADIUS server does not authenticate the call and returns an Access-Reject packet (code 3) containing one or more of the attributes listed in Table 1-7.

Table 1-7. Access-Reject attributes

Attribute

Description

Default

Login-TCP-Port (16)

Specifies the port number to which a TCP session connects.

The default value is null.

Reply-Message (18)

Specifies text that appears to the terminal server operator who is using the menu-driven interface. You can specify up to 16 entries per user profile.

The default value is null.

Access-Terminate-Session attributes

If the RADIUS server determines that the MAX should terminate the session, it sends an Access-Terminate-Session packet (listed as Ascend-Terminate-Session, code 31, in Table 1-11) containing the Reply-Message attribute. This attribute carries message text from the RADIUS server to RADIUS clients such as the MAX.

Ascend-Access-Event-Request attributes

The MAX can report the number of sessions by class to the RADIUS authentication server specified by Auth Host #n when Auth=RADIUS/LOGOUT in the Ethernet > Mod Config > Auth menu. In addition, the MAX can report on sessions to the RADIUS accounting server specified by the Acct Host #n parameter in the Ethernet > Mod Config > Accounting menu.

The MAX reports the number of sessions by sending an Ascend-Access-Event-Request (33) packet type at the interval defined by the Sess Timer parameter in the Ethernet > Mod Config > Auth menu (for authentication requests) or in the Ethernet > Mod Config > Accounting menu (for accounting requests).

Table 1-8 lists the attributes in an Ascend-Access-Event-Request packet.

Table 1-8. Ascend-Access-Event-Request attributes

Attribute

Description

Default value

NAS-Identifier (4) (for both authentication and accounting requests)

Indicates the IP address of the MAX.

The default value is 0.0.0.0/0.

Password (2) (for authentication requests only)

Specifies the user's password for an incoming or outgoing call.

The default value is null.

Ascend-Event-Type (150) (for both authentication and accounting requests)

Specifies that the MAX is informing the RADIUS server of a coldstart (for an accounting request), or sending a session report (for an authentication request).

The default is Ascend-Coldstart (1) for an accounting request and Ascend-Session-Event (2) for an authentication request.

Ascend-Number-Sessions (202) (for both authentication and accounting requests)

Specifies the number of active user sessions of a given class (as specified by the Class attribute). In the case of multichannel calls, such as MP+ calls, each separate connection counts as a session.

The default value is 0 (zero).

Ascend-Access-Event-Response attributes

Table 1-9 lists the attributes in an Ascend-Access-Event-Response packet.

Table 1-9. Ascend-Access-Event-Response attributes

Attribute

Description

Default value

NAS-Identifier (4) (for both authentication and accounting responses)

Indicates the IP address of the MAX.

The default value is 0.0.0.0/0.

Ascend-Event-Type (150) (for both authentication and accounting responses)

Specifies that the MAX is informing the RADIUS server of a coldstart (for an accounting request), or sending a session report (for an authentication request).

The default is Ascend-Coldstart (1) for an accounting request and Ascend-Session-Event (2) for an authentication request.

Ascend-Number-Sessions (202) (for both authentication and accounting responses)

Specifies the number of active user sessions of a given class (as specified by the Class attribute). In the case of multichannel calls, such as MP+ calls, each separate connection counts as a session.

The default value is 0 (zero).

Overview of RADIUS packet formats

Each RADIUS packet consists of the fields listed in Table 1-10.

Table 1-10. RADIUS packet fields

Element

Description

Code (8 bits)

Specifies the packet type. For a list of packet types, see Table 1-11.

Identifier (8 bits)

Enables RADIUS to match requests with responses. Each outstanding request from a client carries a distinct identifier (the field is 8 bits, so values are reused once the matching response arrives or the request times out), and each response carries the identifier of the corresponding request.

Length (16 bits)

Indicates the total packet size in bytes, including the 20-byte header and all attributes.

Authenticator (16 bytes)

Authenticates packets between the NAS and the authentication server. The NAS and the authentication server share a secret. The MAX uses this shared secret together with the authenticator field to hide passwords and to authenticate packets. The shared secret resides in the clients file on the authentication host.

The MAX checks all authentication and accounting packets to ensure that they come from known sources. This check makes use of the shared secret, the authenticator field, and an MD5 hash over the packet. In addition, all passwords that the MAX sends are protected with MD5, CHAP, or DES. Passwords that the authentication server sends can be protected with MD5.

Attribute list (variable length)

Consists of zero or more attributes. Each attribute consists of these fields:

Attribute ID (8 bits)-These IDs are listed in the dictionary file.

Attribute length (8 bits)-This field shows the combined length of the ID, length, and value fields.

Attribute value (variable length)-The length and format of this value depend on the attribute type.
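The layout in Table 1-10, worked as an added example that is not part of the original manual and not Ascend's code: a small Python encoder and decoder that builds an Access-Request from the MAX with a hidden Password (2), parses it back, recovers the password on the server side, and computes and verifies the Response Authenticator on the Access-Accept. The user name, password, shared secret and NAS address are constructed sample values, and the password-hiding and Response Authenticator computations follow RFC 2138/2865, which document the same packet format this table describes.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Attribute numbers as this dictionary lists them; Ascend puts its own
# attributes in the 150-255 range of the base space rather than under 26.
USER_NAME, PASSWORD, NAS_IDENTIFIER, REPLY_MESSAGE = 1, 2, 4, 18
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def encode_attr(attr_id, value):
    """One attribute: ID (8 bits), length (8 bits, covering ID, length and
    value), then the value. The length byte caps a value at 253 bytes."""
    value = value.encode() if isinstance(value, str) else bytes(value)
    if len(value) > 253:
        raise ValueError("attribute value too long for a one-byte length")
    return struct.pack("!BB", attr_id, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """Password (2) hiding as in RFC 2138/2865 5.2: pad to a multiple of 16,
    XOR each block with MD5(secret + previous block); the first block's
    'previous block' is the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    """The server's side: regenerate the keystream, XOR back, drop padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def parse_packet(data):
    """Walk the header and attribute list, rejecting any length field that lies."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 20-byte header")
    code, identifier, length, auth = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER.size
    while pos < length:
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": identifier, "auth": auth, "attrs": attrs}


def response_authenticator(response, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the
    response as sent, with the request's authenticator in the 16-byte slot."""
    return hashlib.md5(response[:4] + request_auth
                       + response[HEADER.size:] + secret).digest()


def build_response(code, request, attrs, secret):
    draft = build_packet(code, request["id"], b"\0" * 16, attrs)
    auth = response_authenticator(draft, request["auth"], secret)
    return draft[:4] + auth + draft[HEADER.size:]


def verify_response(response, request_auth, secret):
    expected = response_authenticator(response, request_auth, secret)
    return hmac.compare_digest(expected, response[4:HEADER.size])


def demo(secret=b"s3cr3t-from-the-clients-file"):
    """Constructed exchange: the MAX sends an Access-Request, the server
    recovers the password and answers Access-Accept, the MAX verifies it."""
    request_auth = os.urandom(16)  # must be fresh and unpredictable per request
    request = build_packet(ACCESS_REQUEST, 7, request_auth, [
        encode_attr(USER_NAME, "alice"),
        encode_attr(PASSWORD, hide_password(b"hunter2", secret, request_auth)),
        encode_attr(NAS_IDENTIFIER, ipaddress.IPv4Address("10.0.0.1").packed),
    ])
    parsed = parse_packet(request)
    password = recover_password(dict(parsed["attrs"])[PASSWORD], secret, parsed["auth"])
    accept = build_response(ACCESS_ACCEPT, parsed, [encode_attr(REPLY_MESSAGE, "welcome")], secret)
    forged = accept[:-1] + bytes([accept[-1] ^ 1])  # alter one byte of the Reply-Message text
    return password, verify_response(accept, request_auth, secret), verify_response(forged, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

Two points the table leaves implicit that matter in practice. The password is not encrypted in any strong sense: it is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, so the authenticator must be fresh and unpredictable for every request (a repeated value lets anyone on the path recover passwords by XORing two packets), and the whole scheme is only as strong as the secret in the clients file, which should be long and random and readable only by the server. The Response Authenticator lets the MAX reject a forged or altered Access-Accept, as the flipped byte in demo() shows, but the attribute list of the request itself carries no integrity check in this packet format.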

Table 1-11 lists the packet types that can appear in the code field.

Table 1-11. Code field packet types

Number

Name

Description

1

Access-Request

A request for access that the MAX sends to the RADIUS server on behalf of a client attempting to establish a connection.

2

Access-Accept

A packet that the RADIUS server sends to inform the MAX that it has granted a client's request for access.

3

Access-Reject

A packet that the RADIUS server sends to inform the MAX that it has not granted a client's request for access. The RADIUS server can send this packet for one of the following reasons:

The user entered an unknown user name.

The user failed to enter the correct password.

The user entered an expired password.

4

Accounting-Request

A request for accounting information that the MAX sends to the RADIUS accounting server.

5

Accounting-Response

A packet containing accounting information that the RADIUS accounting server sends to the MAX.

7

Access-Password-Request

A request for a password change that the MAX sends to the RADIUS server.

8

Access-Password-Ack

A response from the RADIUS server informing the MAX that it has accepted the new password.

9

Access-Password-Reject

A response from the RADIUS server informing the MAX that it has rejected the new password.

11

Access-Challenge

A request for the user to enter a password using a hand-held security card. The authentication server sends this packet through the RADIUS server and the NAS to the user dialing in.

29

Ascend-Access-Next-Code

A response from the RADIUS server informing the MAX that it should request access again, but with the next password in the sequence.

30

Ascend-Access-New-Pin

A response from the RADIUS server informing the MAX that it should request access again, but with the next PIN in the sequence.

31

Ascend-Terminate-Session

A response from the RADIUS server informing the MAX that it should terminate the session and display the message sent in the packet.

32

Ascend-Password-Expired

A response from RADIUS server to the MAX indicating that the password the user entered matches the one in the user profile, but has expired. (That is, the Access-Request packet sent a valid but expired password.)

When a user specifies an expired password, RADIUS prompts the user for a new password. When the user enters the new password, the MAX sends an Access-Password-Request packet that contains both the old password (as the value of the Change-Password attribute), and the new password (as the value of the Password attribute).

33

Ascend-Access-Event-Request

A packet containing a notification that the MAX has started up, or a request for the RADIUS server to record the number of open sessions.

34

Ascend-Access-Event-Response

A response from the RADIUS server reporting the number of open sessions or the fact that the MAX has started up, and informing the MAX that it has received and recorded the MAX unit's ID.

40

Disconnect-Request

A message from a client of the MAX asking to disconnect the session.

41

Disconnect-Request-ACKed

A message that the MAX sends to the client if it found at least one session to disconnect.

42

Disconnect-Request-NAKed

A message that the MAX sends to the client if it could not find a session to disconnect.

43

Change-Filter-Request

A request to change the filters for a bridging/routing session.

44

Change-Filter-Request-ACKed

A message that the MAX sends if it found at least one bridging/routing session for which it could change filters.

45

Change-Filter-Request-NAKed

A message that the MAX sends if it could not find a bridging/routing session for which it could change filters.


techpubs@eng.ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.