Setting Up User Authentication

This chapter contains:

Introducing user authentication

Setting up CLID authentication

Setting up called number authentication

Setting up callback security

Setting up call authentication via serial AIM ports

Setting up authentication of PPP, MP, and MP+ calls

Setting up authentication for dial-in terminal server users

Setting up Combinet authentication

Setting up ARA authentication

Setting up X.25 authentication

Setting up IP addressing

Setting up an authentication server

Introducing user authentication

Types of Authentication

CLID (Calling Line ID)

Called Number

Callback

Name and password

Table 3-1. Call types authenticated by name and password requirements

Call Type	Description
PPP, MP, and MP+	You can specify PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), or MS-CHAP (Microsoft Challenge Authentication Protocol) authentication for name and password verification of incoming and outgoing PPP, MP, or MP+ calls. For details, see Setting up authentication of PPP, MP, and MP+ calls
Terminal server	You can specify that users logging into the terminal server via a V.34, V.42, V.110, or V.120 connection must supply a username and password before gaining admission to the terminal server. See Setting up authentication for dial-in terminal server users.
Combinet	Combinet authentication uses the remote station's MAC address as its username, and allows you to require a password for incoming calls. For details, see Setting up Combinet authentication.
ARA	You can specify name and password authentication for AppleTalk callers dialing in using a V.34, V.42, V.120, or X.75 connection. For details, see Setting up ARA authentication.
IP Address	You can specify that the MAX authenticate an incoming connection by checking the user's IP address; or, you can specify that the MAX assign an IP address to each incoming call. For details, see Setting up IP addressing.

How does user authentication work?

By default, when you require a profile for authentication the MAX always checks for a Connection profile. If a Connection profile does not exist, the MAX checks for a remote RADIUS, TACACS, or TACACS+ profile. However, you can change this default by setting Local Profile First=No in the External-Auth profile. When Local Profile First=No, the MAX first looks for a remote profile. If it cannot find one, the MAX looks for a local Connection profile.

This section describes how the MAX authenticates an incoming call. These events take place:

1. Before the MAX answers a call, it checks whether the Answer-Defaults profile requires Calling Line ID (CLID) authentication, called number authentication, or both.

   The CLID is the phone number of the calling device, which is not always provided by the WAN carrier. When the profile requires CLID authentication, the caller's phone number must match a phone number specified in a local Connection profile or RADIUS user profile.

   The called-party number is the phone number the remote device called to connect to the MAX, but without a trunk group or dialing prefix specification. This number is always available if specified in a profile. When the profile requires called number authentication, the number called must match a called-party number in a local Connection profile or RADIUS user profile.

2. If CLID authentication is required or preferred (Id Auth=Require or Prefer) in the Answer profile) or called number authentication is required (Id Auth=Called Require or Called Prefer), the MAX first looks for a matching phone number in a local Connection profile.

   If one does not exist, it then looks for a matching phone number in a RADIUS user profile. If it cannot find the correct phone number, the MAX hangs up.

   If CLID authentication is set to Fallback, the MAX must receive a CLID in the incoming call. The MAX answers the call if the CLID matches the local Connection profile or a RADIUS user profile. If the MAX does not receive a response from RADIUS, it uses the authentication set up in the Answer profile.

3. If a matching profile to the CLID or called number is found, the call is answered and further authentication is normally not required. If a matching profile to the CLID or called number is not found, and ID Auth=Require or Called Require, the call is not answered.

   Note: The RADIUS attribute Ascend-Require-Auth specifies whether additional authentication is required. See the RADIUS Configuration Guide for more information.

4. If CLID authentication and called number authentication are not required, or if the MAX finds a matching phone number in a local Connection profile or RADIUS user profile, it answers the call.

5. The MAX checks its other Answer profile settings.

6. If the Answer profile specifies the type of link encapsulation the call uses, the MAX continues checking Answer profile parameters; if the Answer profile does not enable the type of link encapsulation the call uses, the MAX drops the call.

7. The MAX checks the value of the Profile Reqd parameter in the Answer profile.

   If Profile Reqd=Yes, the MAX must find a Connection profile, Name/Password profile, RADIUS user profile, or TACACS/TACACS+ profile to authenticate the call. Setting up Profile Reqd configures user authentication for the following:

   • unencapsulated calls

   • calls using ARA or any other encapsulation listed in step 7

8. The MAX prompts the user for a login name and password. If the name and password match a local Connection profile or Name/Password profile, the call is authenticated. If no match is found and RADIUS or TACACS remote authentication has been enabled, the MAX requests authentication from the remote server. The MAX clears the call if authentication fails.

9. If name and password authentication is required, the MAX attempts to match the caller's name and password to a local Connection profile.

   If authentication succeeds using a local Connection profile, the MAX uses the parameters specified in the profile to build the connection.

10. If it cannot find a matching Connection profile, the MAX looks for a Name/Password profile.

    If the MAX finds a Name/Password profile, it uses the name and password in the Name/Password profile and builds the connection using the settings in the Answer profile.

    Note: The Name/Password profile applies only to ARA, PPP, MP, and MP+ calls. It does not apply to terminal server users.

11. If it cannot find a matching Name/Password profile, the MAX looks for a RADIUS, TACACS, or TACACS+ profile containing a matching name and password.

    If authentication succeeds using a RADIUS user profile, the MAX uses the specified RADIUS attributes to build the connection. The MAX can then forward the call to its bridge/router or other destination. For example, the MAX might forward a terminal server call to a Telnet or TCP host.

    If authentication succeeds using a TACACS or TACACS+ profile, the MAX must make a request to the server for information on the resources and services the user can access.

12. If name and password authentication is not required (Recv Auth=None or Password Reqd=No in the Answer profile), the MAX can match IP-routed PPP calls using the IP address specified by the Connection profile.

13. If the Answer profile does not require a profile (Profile Reqd=No), the MAX uses Answer profile parameters to build the connection.

No matter which authentication method you choose, you can access authentication and user configuration data stored locally or remotely. These are your options:

• Local authentication using a Connection profile or a Name/Password profile.

• Remote authentication using a TACACS, TACACS+, or RADIUS server.

  For details on configuring the MAX to use a TACACS or TACACS+ server, see Setting up an authentication server. For details on configuring the MAX to use a RADIUS server, see the MAX RADIUS Configuration Guide.

• Remote authentication using a AssureNet Defender server.

  For details on configuring the MAX to use a Defender server, see Configuring direct Defender server authentication.

• Security-card authentication.

  You can set up your network site to require that users change passwords very frequently, many times per day. When you do so, you use an external authentication server, such as an ACE or SafeWord server. For details, see Chapter 3, Setting Up User Authentication.

Setting up CLID authentication

Table 3-2. CLID authentication parameters

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Id Auth=Require Profile Reqd=Yes
Ethernet\>Answer\>PPP Options	Recv Auth=Either
Ethernet > Answer > COMB Options	Password Reqd=Yes
Ethernet > Connections > Any Connection profile	Station=Emma Calling #=555-1213
Ethernet > Connections > Any Connection profile > Encaps Options	Recv PW=*SECURE*
Ethernet > Ethernet > Mod Config > Auth menu	CLID Timeout Busy=No CLID Fail Busy=No

When you set up CLID authentication, you can choose one of these configurations:

• Authenticate all callers using name, password, and calling line ID.

  For details, see Setting up authentication using a name, password, and calling line ID.

• Authenticate all callers using a calling line ID only.

  For details, see Setting up authentication using a calling line ID only.

• Use an external authentication server, such as a token-card authentication server, to authenticate users after CLID authentication.

  For details, see the MAX RADIUS Configuration Guide.

• Request PAP, CHAP, or MS-CHAP after CLID authentication.

  For details, see the MAX RADIUS Configuration Guide.

• In some installations, the WAN provider might not be able to deliver CLIDs, or a caller might choose to keep a CLID private.

• CLID authentication applies only where CLID is available end-to-end and ANI (Automatic Number Identification) applies to the call.

• T1 access lines and Switched-56 lines do not support CLID.

• When a user dials into the MAX using MP or MP+, the calling device may have more than one phone number associated with it; in these types of cases, the CLID is the phone number associated with the channel in use.

• If you set up a RADIUS user profile for callback and CLID-only authentication, the MAX never answers the call; the caller can therefore avoid billing charges.

When you set up CLID authentication either in RADIUS or in a MAX Connection profile, you must specify what the MAX requires for the CLID authentication. There are three options:

Table 3-3. CLID authentication requirement options

Option	Description
Require	The MAX must receive a CLID from the incoming call. The CLID must match a Calling # parameter in a local Connection profile or in a RADIUS user profile with Password = Ascend-CLID (see the RADIUS Configuration Guide for more information). If the MAX does not receive a CLID or if it cannot match the CLID, the call is not answered. Note: The matching user profile in RADIUS can require name and password authentication in addition to CLID. See the Ascend-Require-Auth attribute.
Prefer	The MAX does not require a CLID from the incoming call. If a CLID is received, however, the MAX compares the CLID with a Calling # parameter in a local Connection profile or with a RADIUS user profile with Password = Ascend-CLID. If the MAX does not receive a CLID from the incoming call, it uses the authentication configured in the Answer profile.
Fallback	The MAX must receive a CLID in the incoming call. If no CLID is received, the MAX does not answer the call. If a CLID is received, the MAX compares the CLID with a Calling # parameter in a local Connection profile or with a RADIUS user profile with Password = Ascend-CLID. If the CLID does not match either the Connection profile and the MAX does not receive a response from the RADIUS server, it uses the authentication configured in the Answer profile.

Setting up authentication using a name, password, and calling line ID

To require all callers to authenticate using name, password, and CLID, follow these steps:

1. In the Ethernet > Answer menu, set Id Auth=Prefer.

   The Prefer setting specifies that whenever CLID is available, the MAX compares the calling party's phone number to the value of the Calling # parameter in the Connection profile or a RADIUS user profile set up for Ascend-CLID.

   • If a match is found, and no further authentication is required, the MAX accepts the call.

   • If a match is found and the MAX requires further authentication (Profile Reqd=Yes in the Answer profile), the MAX applies authentication using the Recv Auth or Password Reqd parameters in the Answer profile.

   • If the CLID is not available, or if the MAX cannot find a match to the calling party number, the MAX applies authentication using the Recv Auth or Password Reqd parameters in the Answer profile.

   Note: You can also set Id Auth=Require or Id Auth=Fallback.

2. Verify no local profiles are set up for CLID authentication.

3. Set Profile Reqd=Yes.

4. For PPP calls, set Recv Auth to the authentication protocol.

5. For Combinet calls, set Password Reqd=Yes.

6. Set the CLID Timeout Busy parameter to specify whether the MAX returns User Busy when CLID authentication fails due to a RADIUS timeout.

   Set CLID Timeout Busy=Yes, to specify that MAX returns User Busy as the disconnect cause when CLID authentication fails due to a RADIUS timeout.

   The default value is No. When CLID Timeout Busy=No, the MAX returns Normal Call Clearing as the disconnect cause.

7. Set the CLID Fail Busy parameter to specify whether the MAX returns User Busy when CLID authentication fails for any reason other than a RADIUS timeout.

   Set CLID Fail Busy=Yes to specify that the MAX returns User Busy when CLID authentication fails to any reason other than a RADIUS timeout.

   The default is No. CLID Fail Busy=No specifies that the MAX return Normal Call Clearing.

   Note: You can choose the value for this field regardless of the Server setting since the occurrence of this failure does not depend upon using a RADIUS server.

8. Save your changes.

Setting up authentication using a calling line ID only

To require all callers to authenticate using a calling line ID only, follow these steps:

1. In the System > Sys Config menu, specify the name of the MAX in the Name parameter.

2. In the Ethernet > Answer menu, set Profile Reqd=Yes.

3. In the Ethernet > Answer menu, set Id Auth=Require.

   The Require setting indicates that the calling party's phone number must match the value of the Calling # parameter in the Connection profile before the MAX can answer the call. If CLID is not available, the MAX does not answer the call.

4. Open the Ethernet > Connections menu.

5. In the Connection profile, specify the caller's phone number using the Calling # parameter.

6. Save your changes.

Setting up called number authentication

To set up called number authentication, use the parameters listed in Table 3-4.

Table 3-4. Called Number authentication parameters

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Id Auth=Called Require Profile Reqd=Yes
Ethernet\>Answer\>PPP Options	Recv Auth=Either
Ethernet > Answer > COMB Options	Password Reqd=Yes
Ethernet\>Connections\>Any Connection profile	Station=Emma Called #=555-1213
Ethernet\>Connections\>Any Connection profile > Encaps Options	Recv PW=*SECURE*

Setting up called number authentication options

• Authenticate all callers using name, password, and called number.

  For details, see Setting up authentication using a name, password, and called number.

• Authenticate all callers using the called number only.

  For details, see Setting up authentication using the called number only.

• Authenticate using an external authentication server, such as a token-card authentication server, to authenticate users after called number authentication.

Table 3-5. Called Number authentication options

Option	Description
Called Require	The MAX must receive a called number from the incoming call. The called number must match a Called # parameter in a local Connection profile or in a RADIUS user profile (see the RADIUS Configuration Guide for more information). If the MAX does not receive a called number or if it cannot match the called number, the call is not answered. Note: The matching user profile in RADIUS can require name and password authentication in addition to called number. See the Ascend- Require-Auth attribute.
Called Prefer	The MAX does not require a called number from the incoming call. If a called number is received, however, the MAX compares the called number with a Called # parameter in a local Connection profile or with a RADIUS user profile. If the MAX does not receive a called number from the incoming call, it uses the authentication configured in the Answer profile.

Setting up authentication using a name, password, and called number

For further information, see the RADIUS Configuration Guide.

To require all callers to authenticate using name, password, and called number, follow these steps:

1. In the Ethernet > Answer menu, set Id Auth=Called Prefer.

   The Prefer setting specifies that whenever the called number is available, the MAX compares the phone number called to the value of Called # in the Connection profile.

   • If a match is found, and no further authentication is required, the MAX accepts the call.

   • If a match is found and the MAX requires further authentication (Profile Reqd=Yes in the Answer profile), the MAX applies authentication using the Recv Auth or Password Reqd parameters in the Answer profile.

   • If the called number is not available, or if the MAX cannot find a match to the calling party number, the MAX applies authentication using the Recv Auth or Password Reqd parameters in the Answer profile.

2. Verify no Connection profiles are set up to authenticate users via called number.

3. Set Profile Reqd=Yes.

4. For PPP calls, set Recv Auth to the authentication protocol.

5. For Combinet calls, set Password Reqd=Yes.

6. Save your changes.

To require all callers to authenticate using a called number only, follow these steps:

1. In the System > Sys Config menu, set the Name parameter to specify the name of the MAX.

2. In the Ethernet > Answer menu, set Profile Reqd=Yes.

3. In the Ethernet > Answer menu, set Id Auth=Called Require.

   The Called Require setting indicates that the called number must match the value of the Called # parameter in the Connection profile before the MAX can answer the call. If the called number is not available, the MAX does not answer the call.

4. Open the Ethernet > Connections menu.

5. In the Connection profile, specify the called number using the Called # parameter.

6. Save your changes.

Setting up callback security

Ascend callback security

You can configure the MAX to expect a callback from the machine that is called. This prevents problems that arise when CLID is set to Required (ID Auth=Required) on the machine that is expected to callback.

For example, in Figure 3-1 ping or Telnet is initiated through a MAX to a Pipeline and CLID is set to Required on the Pipeline (the side that is doing the callback), the Pipeline rejects the incoming call before answering it. To the MAX (the initiating side), it appears as if the call never got through at all.

Figure 3-1. Callback connection failure

The Callback process is disrupted when protocols like ping and telnet continuously try to open a connection.

When Expect Callback is set to Yes, calls that dialout and do not connect (for any reason) are put on a list that disallows any further calls to that destination for 90 seconds. This gives the far end an opportunity to complete the callback.

If a call fails for any reason, regardless of whether or not the called machine requires CLID and is attempting a callback, the call initiator must still wait 90 seconds before attempting the call the same number again if Expect Callback is set to Yes.

Table 3-6 lists the Ascend callback parameters on the MAX.

Table 3-6. Ascend callback security parameters

Location	Parameters with sample values
Ethernet\>Connections\>Any Connection profile	Calling #=555-1213 Dial #=555-1213
Ethernet\>Connections\>Any Connection profile > Telco Options	Callback=Yes Exp Callback=Yes AnsOrig=Both

For information on setting up callback security in RADIUS, see the MAX RADIUS Configuration Guide.

To set callback security on the MAX, follow these steps:

1. Open the Ethernet > Connections menu.

2. Open a Connection profile.

3. Using the Dial # parameter, specify the number the MAX dials to reach the remote end of the connection.

   For example, you might enter this setting:

   Dial #=555-1213
   

   Note: The MAX can also use the CLID in order to reach the remote end of the connection, if the CLID is available.

4. Using the Calling # parameter, specify the number the remote device uses to call the MAX.

   For example, you might enter this setting:

   Calling #=555-1213
   

5. Open the Telco Options submenu of the Connection profile.

6. Turn on callback security by setting these parameters:

   Callback=Yes
   Exp Callback=Yes
   AnsOrig=Both
   

   Note: Callback does not apply to leased lines (if Call Type=Nailed).

   When you set Callback=Yes, you must also set AnsOrig=Both, because the Connection profile must both answer the call and call back the device requesting access. Similarly, the calling device must be able to both dial to and accept incoming calls from the MAX.

   To prevent a problem when CLID on the called machine is set to Required, set Exp Callback to Yes.

7. Save your changes.

Microsoft's Callback Control Protocol (CBCP)

CBCP also offers features not available with the standard callback defined in RFC 1570. The client side supports a configurable time delay to allow users to initialize modems or enable supportive software before the MAX calls the client. You can configure the MAX with a phone number to use for the callback, or you can configure it to allow the client to specify the phone number used for the callback.

Currently, Microsoft's Windows NT 4.0 and Windows 95 software support client-side authentication using CBCP. The MAX now supports a CBCP central-site solution.

Ascend's implementation of CBCP

The MAX employs the user name and password to link a caller with a specific Connection profile or RADIUS User profile. Configured CBCP parameters in that Connection profile specify variables for the callback. If, at any point, the client and the MAX disagree about any CBCP variables, the MAX might drop the connection.

Both sides of the connection must agree on whether the callback phone number is supplied by the client or by the MAX. A new trunk group parameter, configured on the MAX, supplies a trunk group that is prepended to phone numbers when supplied by the client.

Table 3-7

Table 3-7. Microsoft's CBCP parameters on the MAX

Location	Sample parameters
Ethernet > Answer > PPP options	CBCP Enable
Ethernet > Connections > Any Connection profile > Encaps options	CBCP Mode
Ethernet > Connections > Any Connection profile > Encaps options	CBCP Trunk Group

lists Microsoft's callback parameters on the MAX.

For information on setting up callback security in RADIUS, see the MAX RADIUS Configuration Guide.

Negotiation of CBCP

1. Caller connects to MAX.

2. LCP negotiations begin.

   Caller and MAX must agree to use CBCP. Otherwise, the MAX terminates the connection.

3. After successful LCP negotiation, both sides have acknowledged that CBCP will be used, and CBCP begins after authentication.

4. Caller authenticates itself to MAX. If authentication fails, the MAX terminates the connection.

5. The MAX verifies that the profile has CBCP Mode set. CBCP begins.

6. The MAX sends a request to determine if a callback is to occur. The caller's configuration must match the CBCP Mode value on the MAX.

   The client also supplies to the MAX the number of seconds it should delay before initiating the callback, and, if applicable, the phone number.

7. If both sides agree on which phone number the MAX will dial, the client clears the connection.

8. The MAX delays the callback on the basis of the previous negotiation.

9. The MAX dials the client, by applying information from the same profile used in previous negotiation.

1. Open the Ethernet > Answer > PPP Options menu.

2. Set CBCP Enable = Yes.

3. Open the Ethernet > Connections > Any Connection profile > Encaps Options menu.

4. Set CBCP Mode to the callback mode to be offered the caller.

5. If the caller is supplying the phone number, set CBCP Trunk Group to the value (4-9) that the MAX prepends to the number when calling back.

6. Save your changes.

Setting up call authentication via serial AIM ports

Understanding serial call authentication

Upon initial connection of the first channel, the originating unit passes the Call profile password to the authenticating unit. The authenticating unit compares the password received with that stored in the Port configuration profile. If the password received matches the stored password, the session is established normally for the remainder of the call. If there is no match, the authenticating unit sends a message back to the originator and drops the session. The port status screen in Host > Dual\>portname\>Message Log indicates that the call failed authentication.

Configuring serial port passwords

1. For outgoing AIM or BONDING calls, enter the DBA call password at Call Password in the Host/Dual (or Host/6) \>Port N Menu\>Directory\>any Call profile.

   Dynamic Bandwidth Allocation (DBA) enables the MAX to increase bandwidth as needed and drop bandwidth when it is no longer required.

2. For incoming AIM and BONDING calls, enter the Port password at Port Password in Host/Dual (or Host/6) \>Port N Menu\>Port Config (the Port profile)

Setting up authentication of PPP, MP, and MP+ calls

For information on how PPP, MP, and MP+ authentication works, How does user authentication work?.

This section describes the following tasks:

• Setting up PAP, CHAP, and MS-CHAP authentication of incoming PPP, MP, and MP+ calls

  The only MS-CHAP format Ascend units support is the Windows NT version, DES and MD4 encryption. An Ascend unit can authenticate a Windows NT system and a Windows NT system can authenticate an Ascend unit. For more specific information on the MS-CHAP format, see Microsoft's Web site at:

  ftp://ftp.microsoft.com/DEVELOPR/RFC/chapexts.txt
  

• Requesting an authentication protocol for outgoing PPP, MP, and MP+ calls

Understanding PPP, MP, and MP+

A PPP connection is usually a bridged or routed network connection initiated in PPP dialup software. Figure 3-2 shows the MAX with a PPP connection to a remote user running Windows 95 with the TCP/IP stack and PPP dialup software.

Figure 3-2. A PPP connection

Both MP and MP+ are enhancements to PPP for supporting multichannel links.

• MP supports multichannel links.

  The base channel count determines the number of calls to place, and the number of channels does not change. In addition, MP requires that all channels in the connection share the same phone number-that is, the channels on the answering side of the connection must be in a hunt group.

• MP+ enables the MAX to support multichannel links and Dynamic Bandwidth Allocation (DBA). DBA enables the MAX to increase bandwidth as needed and drop bandwidth when it is no longer required. MP+ is the only PPP-based encapsulation method that supports DBA.

  An MP+ connection can combine up to 30 channels into a single high-speed connection.

Figure 3-3. An MP+ connection

Understanding PAP, CHAP, and MS-CHAP

• If the incoming PPP call does not include a source IP address, PAP, CHAP, or MS-CHAP authentication is required.

• PAP, CHAP, and MS-CHAP authentication is not available for Combinet, ARA, V.34, V.42, V.110, or V.120 calls.

• The calling unit's secret is called the remote secret; the MAX does not know the value of this secret.

• The MAX unit's secret is called the NAS secret (because the MAX is an Network Access Server); the calling unit does not know the value of this secret.

For PAP authentication, these events take place:

1. The calling unit sends the remote secret in the clear to the MAX.

2. The MAX encrypts the remote secret using the NAS secret.

3. The RADIUS server decrypts the remote secret using the NAS secret.

4. The RADIUS server passes the clear copy of the remote secret to a UNIX or other password validation system.

For CHAP authentication, these events take place:

1. The MAX sends a random, 128-bit challenge to the calling unit.

2. The calling unit calculates an MD5 digest using the remote secret, the challenge, and the PPP packet ID.

3. The calling unit sends the MD5 digest, the challenge, and the PPP packet ID (but not the remote secret) to the MAX; the MAX never has the remote secret.

4. The MAX forwards the digest, along with the original challenge and PPP packet ID to RADIUS.

   No encryption is necessary, because MD5 creates a one-way code that cannot be decoded. In addition, RADIUS cannot extract the remote secret. Therefore, it cannot provide a password to a UNIX password system; for this reason, CHAP and UNIX authentication cannot work together.

5. The RADIUS server looks up the remote secret from a local database, and calculates an MD5 digest using the local version of the remote secret, along with the challenge and the PPP packet ID it received from the MAX.

6. The RADIUS server compares the calculated MD5 digest with the digest it received from the MAX.

   If the digests are the same, the remote secrets used by the calling unit and the RADIUS server are the same, and the call is authenticated.

ftp://ftp.microsoft.com/DEVELOPR/RFC/chapexts.txt

Configuring PAP, CHAP, or MS-CHAP for PPP, MP, and MP+ calls

• Set system-wide System, Answer, and Ethernet profile parameters.

  These parameters specify the name of the MAX, the types of encapsulation allowed, the kind of authentication required, and the contents of one or more IP address pools.

• Set up a Connection profile, Name/Password profile, or RADIUS user profile containing settings for each individual connection.

  Note: You only need to set up one of these profiles.

Table 3-8. Parameters for incoming connections using PAP, CHAP, or MS-CHAP

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Profile Reqd=Yes
Ethernet\>Answer\>Encaps	PPP=Yes MP=Yes MPP=Yes
Ethernet\>Answer\>PPP Options	Recv Auth=PAP, CHAP, MS-CHAP, or Either
Ethernet\>Mod Config\>WAN Options	Pool#1 Start=100.0.0.20 Pool#1 Count=90 Pool Only=Yes
Ethernet\>Connections > Any Connection profile	Station=dialmax Encaps=PPP, MP, or MPP
Ethernet\>Connections > Any Connection profile > Telco Options	Dialout OK=Yes
Ethernet\>Connections\>Any Connection profile\> Encaps Options	Recv PW=*SECURE*
Ethernet\>Names/Passwords\>Any Name/Password profile	Name=Fred Recv PW=*SECURE*

Setting system-wide parameters

1. To specify the name of the MAX used for making outgoing calls, set the Name parameter in the System > Sys Config menu.

2. In the Ethernet > Answer menu, set Profile Reqd=Yes.

   This setting specifies that the MAX rejects incoming calls for which it can find no Connection profile, no Name/Password profile, and no entry on a remote authentication server.

   For an ARA connection, setting Profile Reqd=Yes prohibits Guest access.

3. In the Ethernet > Answer > Encaps menu, specify that the unit can receive any combination of PPP, MP, and MP+ calls.

   Note: PAP, CHAP, and MS-CHAP authentication is available only if you choose MP, MPP, or PPP.

4. To specify that the unit can receive PPP calls, set PPP=Yes.

5. To specify that the unit can receive MP calls, set MP=Yes.

6. To specify that the unit can receive MP+ calls, set MPP=Yes.

7. In the Ethernet > Answer > PPP Options menu, set Recv Auth=PAP, CHAP, MS-CHAP, or Either.

   When you specify Either, the MAX allows authentication if the remote peer can authenticate using any of the designated authentication schemes. If you specify a protocol, the MAX allows authentication only if the remote peer uses that protocol for authentication.

8. If you are using a Name/Password profile for an IP routing connection, open the Ethernet > Mod Config > WAN Options menu to begin setting up one or more IP address pools.

   Unlike Connection profiles and RADIUS user profiles, Name/Password profiles cannot specify an IP address for the calling station. When you use a Name/Password profile to authenticate an IP routing connection, the MAX automatically assigns the PPP caller a dynamic IP address as the connection is established. For a call configured in a Name/Password profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

9. Set up address pools using the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Specify a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Specify an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also set up address pools using the Ascend-IP-Pool-Definition attribute. For details, see the RADIUS Configuration Guide.

10. Set Pool Only=Yes.

    The Pool Only parameter determines whether a caller can reject an IP address assignment and use his or her own IP address. To eliminate the possibility of a caller rejecting the automatic dynamic assignment and spoofing a local, trusted address, set Pool Only=Yes when using Name/Password profiles to authenticate IP routing connections.

    For a call configured in a Name/Password profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

    If the calling station rejects the assignment, the MAX ends the call.

11. Save your changes.

To set Connection profile parameters for PAP, CHAP, or MS-CHAP authentication, follow these steps:

1. Open the Ethernet > Connections menu.

2. Open the Connection profile.

3. Set the Station parameter to the name of the user or device making the incoming call.

4. Set the Encaps parameter to the type of encapsulation used on the link.

   • PPP specifies that Point-to-Point Protocol is used on the link.
     This setting ensures basic compatibility with non-Ascend devices. For this setting to work, both the dialing side and the answering side of the link must support PPP.

     MP specifies that Multilink Protocol is used on the link.

     MPP specifies that Multilink Protocol Plus (MP+) is used on the link.

     Both the dialing side and the answering side of the link must support MP+. If only one side supports MP+, the connection attempts to use MP. If MP is not available, the connection uses standard single-channel PPP.

     MP+ calls cannot combine an ISDN BRI channel with a channel on a T1 access line or a T1 PRI line.

5. Open the Encaps Options submenu of the Connection profile.

6. To specify the password that the remote end of the link must send, set the Recv PW parameter.

   If the password specified by Recv PW does not match the remote end's value for Send PW (in a Connection profile), Ascend-Send-Passwd (in a RADIUS user profile), or Ascend-Send-Passwd (in a RADIUS user profile), the MAX disconnects the link.

7. Save your changes.

The Name/Password profile applies only to ARA, PPP, MP, and MP+ calls and to terminal server users.

To set Name/Password profile parameters for PAP, CHAP, or MS-CHAP authentication, follow these steps:

1. Open the Ethernet menu.

2. Open the Names/Passwords menu.

3. Open a Name/Password profile.

4. Set the Name parameter to the name of the user or device making the incoming call.

   In a Name/Password profile, the Name parameter specifies the username associated with the profile; the name you specify also becomes the name of the profile.

5. To specify the password that the remote end of the link must send, set the Recv PW parameter.

   If the password specified by Recv PW does not match the remote end's value for Send PW (in a Connection profile), Ascend-Send-Passwd (in a RADIUS user profile), or Ascend-Send-Passwd (in a RADIUS user profile), the MAX disconnects the link.

6. Set the value for Template Connection #.

   • Use the default, Template Connection=#0 (the Answer profile), to specify that the Name/Password Profile use the Answer Profile as a template.
     This mode supports clients dialing in over PPP and ARA, but does not support a router dialing in.

     Specify a profile number between 1 and 31 to use the Connection Profile to which the number refers.

     In this mode the Name/Password Profile functions as an alias for the Connection Profile.

7. Set Active=Yes.

8. Save your changes.

Disabling groups of dial-in calls with the Name/Password profile

For example, you can set up a Connection Profile for the Sales group to use when dialing in, then set up a Name/Password Profile for each individual salesperson. To prevent a user (or users) from dialing in using one of the two following methods:

• De-activate the Name/Password profile for a single salesperson to prevent that salesperson from dialing in by setting the Name/Password Active flag for the user's Name/Password profile to No.

• De-activate the entire Sales group (by setting the Connection Profile Active flag for the Sales group to No).

Requesting PAP, CHAP, or MS-CHAP for outgoing calls

Table 3-9. Parameters for outgoing connections using PAP, CHAP, or MS-CHAP

Parameter	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Connections\>Any Connection profile	Encaps=PPP, MP, or MPP
Ethernet\>Connections\>Any Connection profile\> Encaps Options	Send Auth=PAP, CHAP, or MS-CHAP Send PW=*SECURE*

To specify PAP, CHAP, or MS-CHAP for an outgoing PPP, MP, or MP+ call, follow these steps:

1. To specify the name of the MAX, set the Name parameter in the System > Sys Config menu.

2. Open the Ethernet > Connections menu.

3. In the Connection profile, set the Encaps parameter to the type of encapsulation used on the link.

   • PPP specifies that Point-to-Point Protocol is used on the link.
     This setting ensures basic compatibility with non-Ascend devices. For this setting to work, both the dialing side and the answering side of the link must support PPP.

     MP specifies that Multilink Protocol is used on the link.

     MPP specifies that Multilink Protocol Plus is used on the link.

     Both the dialing side and the answering side of the link must support MP+. If only one side supports MP+, the connection attempts to use MP. If MP is not available, the connection uses standard single-channel PPP.

     MP+ calls cannot combine an ISDN BRI channel with a channel on a T1 access line or a T1 PRI line.

4. In the Encaps Options submenu of the Connection profile, set Send Auth=PAP, CHAP, or MS-CHAP.

   This parameter specifies the authentication protocol that the MAX requests when initiating a connection using PPP, MP, or MP+ encapsulation. The answering side of the connection determines which authentication protocol the connection uses (if any).

5. In the Encaps Options submenu, set the Send PW parameter to the password that the MAX sends to the remote end of a connection on outgoing calls.

   If the password specified by Send PW does not match the remote end's value for Recv PW (in a Connection profile) or Ascend-Receive-Secret (in a RADIUS user profile), the remote end disconnects the link.

6. Save your changes.

Setting up authentication for dial-in terminal server users

A remote terminal server session uses one of these types of encapsulation:

Table 3-10. Dial-in terminal server encapsulation types

Encapsulation Type	Description
Modem calls	These types of calls originate from either analog or digital modems. Incoming modem calls and incoming digital calls come over the same digital line to the MAX unit's integrated V.34 or V.42 digital modem. An incoming modem call could be initiated from a PC running a communication program like Soft Comm, which causes the user's modem to dial into the MAX. The MAX directs the call to its digital modems, and then forwards the calls to its terminal server software. The terminal server either displays one of its interfaces to the caller or forwards the call to a Telnet or TCP host on the local network, depending on how it is configured.
V.110	A V.110 card provides eight V.110 modems, each of which enables the MAX to communicate with an asynchronous device over synchronous digital lines. An asynchronous device such as an ISDN modem encapsulates its data in V.110. The V.110 module in the MAX removes the encapsulation and enables an asynchronous session-that is, a terminal server session.
V.120 calls	V.120 terminal adapters such as the BitSurfer (also known as ISDN modems) are asynchronous calls with CCITT V.120 encapsulation. The MAX handles V.120 encapsulation in software, so it does not require installed devices to process these calls. After removing the link encapsulation, it forwards these calls to its terminal server software. The terminal server either displays one of its interfaces to the caller or forwards the call to a Telnet or TCP host on the local network, depending on how it is configured. Or, if it detects PPP encapsulation, it can forward the call to the bridge/router software for an async PPP session.

How terminal server authentication works

More general information on how authentication works in the MAX is in How does user authentication work?. See"Per-user terminal server authentication" for the differences between standard terminal server authentication and per-user terminal server authentication, such as CLID and Called-party authentication.

Standard terminal server authentication

• The Passwd parameter in the Ethernet > Mod Config > TServ Options menu

• Connection profile parameters

1. A caller initiates a terminal server session using a V.34, V.42, V.110, or V.120 connection.

2. If Security=Full or Partial and Initial Scrn=Cmd in the TServ Options menu, the MAX compares the password to the Passwd parameter.

3. If the caller enters the wrong password, the MAX hangs up.

4. If the caller enters the proper password or if no password is assigned to the Passwd parameter, the MAX attempts to verify the caller by using Connection profile information.

5. If Security=None or Partial and Initial Scrn=Menu, the MAX skips the Passwd parameter and attempts to verify the caller by using the Connection profile information.

1. Before the MAX answers a call, it checks whether the Answer-Defaults profile requires Calling Line ID (CLID) authentication, called number authentication, or both.

   The CLID is the phone number of the calling device, which is not always provided by the WAN carrier. When the profile requires CLID authentication, the caller's phone number must match a phone number specified in a local Connection profile or RADIUS user profile.

   The called-party number is the phone number the remote device called to connect to the MAX, but without a trunk group or dialing prefix specification. This number is always available if specified in a profile. When the profile requires called number authentication, the number called must match a called-party number in a local Connection profile or RADIUS user profile.

2. If CLID authentication is required (Id Auth=Require in the Answer profile) or called number authentication is required (Id Auth=Called Require), the MAX first looks for a matching phone number in a local Connection profile.

   If one does not exist, it then looks for a matching phone number in a RADIUS user profile. If it cannot find the correct phone number, the MAX hangs up.

3. If CLID authentication and called number authentication are not required, or if the MAX finds a matching phone number in a local Connection profile or RADIUS user profile, it answers the call.

4. Terminal server sessions can require a system terminal server password in addition to the per-user password.Whether a system terminal server user password is required depends upon how the Security and Initial Scrn parameters in the Ethernet profile have been set.

   • If Security=None, no authentication is performed.

   • If Security=Partial, The MAX checks the value of the Profile Reqd parameter in the Answer profile. If Profile Reqd=Yes, the MAX must find a Connection profile, Name/Password profile, RADIUS user profile, or TACACS/TACACS+ profile to authenticate the call.

   • If Security=Full, the MAX must find a Connection profile, Name/Password profile, RADIUS user profile, or TACACS/TACACS+ profile to authenticate the call, and then prompt the user for the correct name.

5. If the name matches a local Connection profile or Name/Password profile, the call is authenticated. If no match is found and RADIUS or TACACS remote authentication has been enabled, the MAX requests authentication from the remote server. The MAX clears the call if authentication fails.

Modem calls

For users dialing in using modems, V.120, or V.110 devices to transport asynchronous PPP, see the section, Setting up authentication of PPP, MP, and MP+ calls. In these cases, none of the above steps apply. Asynchronous PPP and synchronous PPP sessions are treated identically by the MAX, except that asynchronous PPP sessions do not allow the user access to the MAX's terminal server menus or commands.

This section describes first-level authentication using the Passwd parameter. For information on authentication using a Connection profile, see Setting Connection profile parameters.

Dial-in calls with no login host specified

To set up the MAX to accept dial-calls when no login server is specified, set Auth TS Secure=No in the Ethernet > Mod Config > Auth menu. The default is Auth TS Secure=Yes, which means the MAX drops dial-in calls if there is no login server and Login-Server is Telnet or TCP-CLEAR.

Immediate Service

Configuring terminal server authentication

Table 3-11. Terminal server security parameters

Location	Parameters with sample values
Ethernet\>Mod Config\>TServ Options	TS Enabled=Yes Passwd=*SECURE* Security=Full Login Timeout=300 Login Prompt Password Prompt Toggle Scrn=No

To set up password authentication for the terminal server interface, follow these steps:

1. Open the Ethernet > Mod Config > TServ Options menu.

2. Set TS Enabled=Yes.

   This setting enables users to access the terminal server interface. If you set this parameter to No, no one can access the terminal server interface.

3. For the Passwd parameter, specify the password a user must enter to begin a terminal server session.

   You can enter up to 20 characters. The password is case sensitive

4. Set Security=Full or Partial.

   The Security parameter specifies whether a user must enter a password under different circumstances.

   • Partial specifies that the user must enter the system terminal server password (in the Passwd parameter) before entering the terminal server command line mode, but the user is not prompted for a login name or password. The user must enter a terminal server password when changing between menu-driven mode and command-line mode if Initial Scrn=Cmd or Toggle Scrn=Yes in the TServ Options menu.

   • Full specifies that the user must enter the system terminal server password (in the Passwd parameter) before entering the terminal server command line mode. When making the initial connection, the user must enter a login name and password that match a local Connection profile or a RADIUS or TACACS profile. The user must enter a terminal server password when changing between menu-driven mode and command-line mode if Initial Scrn=Cmd or Toggle Scrn=Yes in the TServ Options menu. For information on restricting the options available from the menu-driven interface, see Restricting Telnet, raw TCP, and Rlogin access to the terminal server.

5. Set the Login Timeout parameter.

   Specify the number of seconds the MAX waits for a user to complete logging in before disconnecting the user in the Login Timeout field.

   You can enter any integer between 0 and 300 seconds. 300 seconds is the default.

   The user has the total number of seconds indicated in the Login Timeout field to attempt a successful login. This means that the timer begins when the login prompt appears on the terminal server screen, and continues (is not reset) when the user makes unsuccessful login attempts. If the user has not logged in successfully by the time indicated by Login Timeout has elapsed, the MAX disconnects the call.

6. Set the Login Prompt parameter.

   Specify the prompt the terminal server displays when asking the user for a login name.

   A login prompt can contain up to 31 characters.

7. Set the Password Prompt parameter.

   Specify the prompt the terminal server displays when asking the user for a password.

   A login prompt can contain up to 31 characters.

8. Save your changes.

If you prefer, you can authenticate a terminal server user with the name and password from a profile constructed a name and password from the Name/Password profile, with any additional required parameter settings from the Answer or Connection profile. Since the Name/Password profile does not supply all the parameters a terminal server session might need, the MAX uses the settings from the Answer profile or Connection profile named in the Template parameter for these additional parameters.

Restricting Telnet, raw TCP, and Rlogin access to the terminal server

• Give users a menu of specific hosts to which they can establish a Telnet, raw TCP, or
  Rlogin session.

• Specify that users establish a Telnet, raw TCP, or Rlogin session with a device immediately after login, bypassing the terminal server interface altogether.

1. Open the Ethernet > Mod Config > TServ Options menu.

2. To specify the hosts to which users can Telnet, set the Host #n Addr and Host #n Text parameters.

   These parameters specify the IP addresses and descriptions of the first, second, third, and fourth hosts to which an operator can Telnet. The user sees a list of hosts only if he or she has access to the menu-driven interface. For details on granting this access, see Restricting Telnet, raw TCP, and Rlogin access to the terminal server.

   For example, you might make these settings:

   Host #1 Addr=10.2.3.1/24
   

   Host #1 Text=host1.abc.com
   

   Host #2 Addr=10.2.3.2/24
   

   Host #2 Text=host2.abc.com
   

   Host #3 Addr=10.2.3.3/24
   

   Host #3 Text=host3.abc.com
   

   Host #4 Addr=10.2.3.4/24
   

   Host #4 Text=host4.abc.com
   

   The MAX ignores the Host #n Addr parameter if a RADIUS server supplies the list of Telnet hosts-that is, if you set Remote Conf=Yes. For information on setting up a list of hosts in RADIUS, see the MAX RADIUS Configuration Guide.

3. Save your changes.

Setting up Combinet authentication

Figure 3-4. A Combinet connection

Combinet bridging uses a physical MAC (Media Access Control) address and a password to authenticate calls. For information on how MAX authentication works, see How does user authentication work?.

Table 3-12 lists the Combinet authentication parameters.

Table 3-12. Combinet authentication parameters

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Profile Reqd=Yes
Ethernet\>Answer\>PPP Options	Bridge=Yes
Ethernet\>Answer\>Encaps	COMB=Yes
Ethernet\>Answer\>COMB Options	Password Reqd=Yes
Ethernet\>Mod Config	Bridging=Yes
Ethernet\>Connections\>Any Connection profile	Station=000145CFCF01 Encaps=COMB Bridge=Yes Max Call Duration=0
Ethernet\>Connections\>Any Connection profile > Telco Options	Dialout OK=Yes
Ethernet\>Connections\>Any Connection profile\>Encaps Options	Recv PW=*SECURE* Send PW=*SECURE* Password Reqd=Yes

This section describes how to set up authentication for Combinet calls in the MAX configuration interface. For complete information on setting up Combinet calls on the MAX, see the MAX ISP & Telecommuting Configuration Guide. For information on setting up Combinet calls and Combinet authentication in RADIUS, see the MAX RADIUS Configuration Guide.

Understanding Combinet authentication

• Set system-wide System, Answer, and Ethernet profile parameters specifying the name of the MAX, the type of encapsulation allowed, and whether a password is required.

• Set up a Connection profile or RADIUS user profile containing settings for each individual connection.

  Note: You only need to set up one of these profiles.

If it cannot find a matching Connection profile, the MAX looks for a RADIUS user profile, a TACACS profile, or a TACACS+ profile.

Setting system-wide parameters

1. Set the Name parameter in the System > Sys Config menu to specify the name of the MAX.

2. Open the Ethernet > Answer menu.

3. To disable Guest access via Combinet, set Profile Reqd=Yes.

   Note that Combinet does not support PAP, CHAP, or MS-CHAP authentication.

4. In the Ethernet > Answer > PPP Options menu, set Bridge=Yes.

5. In the Ethernet > Answer > Encaps menu, set COMB=Yes.

6. To require a password in addition to a MAC address, set Password Reqd=Yes in the Ethernet > Answer > COMB Options menu.

   When Password Reqd=Yes, the MAX compares the caller's MAC address to each of these values until it finds a match:

   • Station parameter in a Connection profile

   • User-Name attribute in a RADIUS user profile

   The MAX also compares the value of the caller's password to one of these values:

   • Recv PW in a Connection profile

   • Password attribute in a RADIUS user profile

   When Password Reqd=No, the MAX uses the caller's MAC address only.

7. Set Bridging=Yes in the Ethernet > Mod Config menu.

8. Save your changes.

To set Connection profile parameters for authenticating a Combinet connection, follow these steps:

1. Open the Ethernet > Connections menu.

2. Open the Connection profile.

3. Set the Station parameter to the MAC address of the device making the call.

4. Set Encaps=COMB.

5. Set Bridge=Yes.

6. To limit the duration of calls that use this Connection profile, specify a value for the Max Call Duration parameter.

   You can specify between 1 and 1440 minutes. The connection is checked once per minute, so the actual time of the call is slightly longer (usually less than a minute longer) than the actual time you set.

   The default is Max Call Duration=0. This means that incoming calls is not timed and can be of unlimited duration.

   Note: If you have set this call to use the Answer profile for authentication, you must set the Max Call Duration value in the Answer profile.

7. Open the Encaps Options submenu of the Connection profile.

8. For incoming calls, set the Recv PW parameter.

   The Recv PW parameter specifies the password that the remote end of the link must send;

   if the password specified by Recv PW does not match the remote end's value for Send PW (in a Connection profile), Ascend-Send-Passwd (in a RADIUS user profile), or Ascend-Send-Secret (in a RADIUS user profile), the MAX disconnects the link.

   You set the Recv PW parameter only if Password Reqd=Yes in the Ethernet > Answer menu.

9. For outgoing calls, set the Password Reqd and Send PW parameters.

   • To require the MAX to send a password for outgoing connections, set Password Reqd=Yes.

   • Using the Send PW parameter, specify the password that the MAX sends to the remote end of a connection on outgoing calls.

   If the password specified by Send PW does not match the remote end's value for Recv PW (in a Connection profile) or Ascend-Receive-Secret (in a RADIUS user profile), the remote end disconnects the link.

10. Close the Encaps Options submenu.

11. To grant access to the Immediate Modem feature, open the Telco options submenu of the Connections profile and set Dialout OK=Yes.

    For more information on restricting the Immediate Modem feature, seeRestricting access to the Immediate Modem feature.

12. Save your changes.

Setting up ARA authentication

For a pure AppleTalk connection, a Macintosh user must have ARA Client software and an asynchronous modem. For a TCP/IP connection through ARA, the Macintosh must also be running TCP/IP software, such as MacTCP or Open Transport.

ARA is an asynchronous protocol. It supports V.34, V.42, and V.120 calls only. It does not support V.110 calls or synchronous connections.

For more information on how authentication works on the MAX, see How does user authentication work?.

Figure 3-5 shows a Macintosh with an internal modem dialing into the MAX. The Macintosh uses the ARA Client software to communicate with an IP host on the Ethernet.

Figure 3-5. An ARA connection

Table 3-13 shows ARA authentication parameters on the MAX.

Table 3-13. ARA authentication parameters

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Profile Reqd=Yes
Ethernet\>Answer\>Encaps	ARA=Yes
Ethernet\>Mod Config	Appletalk=Yes
Ethernet\>Mod Config\>AppleTalk	Zone Name=Berkeley
Ethernet\>Mod Config\>WAN Options	Pool#1 Start=10.0.0.20 Pool#1 Count=90 Pool Only=Yes
Ethernet\>Connections\>Any Connection profile	Station=Ted Encaps=ARA
Ethernet\>Connections\>Any Connection profile\>Encaps Options	Password=*SECURE*
Ethernet\>Names/Passwords\>Any Name/Password profile	Name=Ted Recv PW=*SECURE*

This section describes how to set up ARA authentication in the MAX configuration interface. For complete information on setting up ARA calls on the MAX, see the MAX ISP & Telecommuting Configuration Guide. For complete information on setting up ARA calls and authentication in RADIUS, see the MAX RADIUS Configuration Guide.

Understanding ARA authentication

• Set system-wide System, Answer, and Ethernet profile parameters specifying the name of the MAX, the type of encapsulation allowed, the type of authentication in use, and the contents of one or more IP address pools.

• Set up a Connection profile, Name/Password profile, or RADIUS user profile containing settings for each individual connection.

  Note: You only need to set up one of these profiles.

If it cannot find a matching Connection profile, the MAX looks for a Name/Password profile. If it cannot find a matching Name/Password profile, the MAX looks for a RADIUS user profile, TACACS profile, or TACACS+ profile.

Setting system-wide parameters

1. In the System > Sys Config menu, set the Name parameter to the name of the MAX.

2. To disable Guest access via ARA, set Profile Reqd=Yes in the Ethernet > Answer menu.

   Note that ARA does not support PAP, CHAP, or MS-CHAP authentication.

3. To enable ARA encapsulation, set ARA=Yes in the Ethernet > Answer > Encaps menu.

4. Set Appletalk=Yes in the Ethernet > Mod Config menu.

5. If the local Ethernet supports an AppleTalk router with configured zones, set the Zone Name parameter in the Ethernet > Mod Config > AppleTalk menu.

6. If you are using a Name/Password profile for an IP routing connection, open the Ethernet > Mod Config > WAN Options menu to begin setting up one or more IP address pools.

   Unlike Connection profiles and RADIUS user profiles, Name/Password profiles cannot specify an IP address for the calling station. When you use a Name/Password profile to authenticate an IP routing connection, the MAX automatically assigns the PPP caller a dynamic IP address as the connection is established. For a call configured in a Name/Password profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

7. Set up address pools using the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Specify a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Specify an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also set up address pools using the Ascend-IP-Pool-Definition attribute. For details, see the MAX RADIUS Configuration Guide.

8. Set Pool Only=Yes.

   The Pool Only parameter determines whether a caller can reject an IP address assignment and use his or her own IP address. To eliminate the possibility of a caller rejecting the automatic dynamic assignment and spoofing a local, trusted address, set Pool Only=Yes when using Name/Password profiles to authenticate IP routing connections.

   For a call configured in a Name/Password profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

   If the calling station rejects the assignment, the MAX ends the call.

9. Save your changes.

To set Connection profile parameters for ARA authentication, follow these steps:

1. Open the Ethernet > Connections menu.

2. Open the Connection profile.

3. Set the Station parameter to the name of the remote device.

4. Set Encaps=ARA.

5. Open the Encaps Options submenu of the Connection profile.

6. Set the Password parameter to specify the ARA password.

7. Save your changes.

The Name/Password profile applies only to ARA (AppleTalk Remote Authentication) and PPP-encapsulated calls. It does not apply to terminal server users.

To set Name/Password profile parameters for ARA authentication, follow these steps:

1. Open the Ethernet menu

2. Open the Names/Passwords menu.

3. Open a Name/Password profile.

4. To specify the name of the remote device, set the Name parameter.

   In a Name/Password profile, the Name parameter specifies the username associated with the profile; the name you specify also becomes the name of the profile.

5. To specify the password that the remote end of the link must send, set the Recv PW parameter.

   If the password specified by Recv PW does not match the remote end's value for Send PW (in a Connection profile), Ascend-Send-Passwd (in a RADIUS user profile), or Ascend-Send-Secret (in a RADIUS user profile), the MAX disconnects the link.

6. Set the value for Template Connection #.

   • Use the default, Template Connection=#0 (the Answer profile), to specify that the Name/Name/Password profile use the Answer Profile as a template.
     This mode supports clients dialing in over PPP and ARA, but does not support a router dialing in.

     Specify a profile number between 1 and 31 to use the Connection Profile to which the number refers.

   In this mode the Name/Password profile functions as an alias for the Connection Profile.

7. Save your changes.

Preventing dial-in calls with the Name/Password profile

For example, you can set up a Connection Profile for the Sales group to use when dialing in, then set up a Name/Password Profile for each individual salesperson. To prevent a user (or users) from dialing in using one of the two following methods:

• De-activate the Name/Password profile for a single salesperson to prevent that salesperson from dialing in by setting the Name/Password Active flag for the user's Name/Password profile to No.

• De-activate the entire Sales group (by setting the Connection Profile Active flag for the Sales group to No).

Using a SecurID server with AppleTalk Remote Access (ARA)

• Connection profile (see Setting Connection profile parameters)

• Password profile (see Setting Name/Password profile parameters)

• RADIUS user profile

The SecurID client module must be version 1.3 or later.

Once the user makes the initial connection, SecurID authentication begins with a pop-up screen on the Macintosh. At this point, the user must enter the User ID and Passcode. When Auth=LOGOUT/RADIUS, the username must be SecurID, and there no password should be given. If the user enters incorrect values, he or she gets two more tries to authenticate before the connection fails.

If the user is required to enter a new PIN, a pop-up screen prompts for this information. The user has three chances to enter the correct PIN. Once the new PIN is accepted, a pop-up screen instructs the Macintosh user to wait for the token code to change and then to log in with the new PIN and token code.

Setting up X.25 authentication

X.25 exchanges packets between a local DTE (Data Terminal Equipment) and a remote DCE (Data Circuit-Terminating Equipment). The remote DCE is itself attached to a remote DTE.

X.25 terminals can connect to the MAX via an X.25/PAD or X.25/IP session. The MAX unit's X.25/PAD (Packet Assembler/Disassembler) implementation allows users to access a packet-switched network over a leased line or a nailed-up ISDN connection.

A PAD is an asynchronous terminal concentrator that enables several asynchronous devices to share a single network line. The PAD assembles data from terminals into packets for transmission to an X.25 network, and disassembles incoming packets from the network into a separate data stream for each terminal. In addition to this multiplexing function, the PAD also provides a nearly error-free connection.

The MAX unit's X.25/IP implementation supports the use of IP routing over an X.25 link; it does not support bridging or other routing protocols. Ascend's implementation of IP over X.25 follows the specification for IETF RFC1356 encapsulation. This implementation connects two or more IP networks linked to a public or private packet-switched network (PSPDN).

Table 3-14 lists the parameters for X.25 authentication

.

Table 3-14. X.25 authentication parameters

Location	Parameters with sample values
Ethernet\>Answer	Profile Reqd=Yes
Ethernet\>Answer\>Encaps	X25/PAD=Yes X25/IP=Yes
Ethernet\>Answer\>PPP Options	Recv Auth=Either
Ethernet > Mod Config/TServ Options	Immed Service=X25/PAD Immed Host=311021755555
Ethernet\>Connections > Any Connection profile	Station=dialmax Encaps=X25/PAD or X25/IP
Ethernet\>Connections\>Any Connection profile\>Encaps Options	Recv PW=*SECURE*

This section describes how to set up X.25 authentication in the MAX configuration interface. For complete information on setting up X.25 connections on the MAX, see the MAX ISP & Telecommuting Configuration Guide. For complete information on setting up X.25 calls and authentication in RADIUS, see the MAX RADIUS Configuration Guide.

To set up X.25 authentication, follow these steps:

1. Open the Ethernet > Answer menu.

2. Set Profile Reqd=Yes.

3. Open the Ethernet > Answer > Encaps menu.

4. Set X25/PAD=Yes and X25/IP=Yes.

5. Open the Ethernet > Answer > PPP Options menu.

6. For an X.25/IP user, set Recv Auth=Either.

7. Open the Ethernet > Mod Config > TServ Options menu.

8. If you want terminal server users to immediately begin an X.25/PAD session, set these parameters:

   • Set Immed Service=X.25/PAD.

   • Set the Immed Host parameter to the X.121 address of the remote device.

   Terminal server users must pass authentication according to the terminal server parameters you set. For information, see Setting up authentication for dial-in terminal server users.

9. Open the Ethernet > Connections menu.

10. Open the X.25 user's Connection profile.

11. For an X.25/PAD connection, set Encaps=X.25/PAD; for an X.25/IP connection, set Encaps=X.25/IP.

12. For an X.25/IP connection, set the Station name parameter to the name of the remote device.

13. Open the Encaps Options submenu of the Connection profile.

14. For an X.25/PAD or an X.25/IP connection, set the Recv PW parameter to the password the remote user must enter.

15. Save your changes.

Setting up IP addressing

• Static address

  A static address is specified by the LAN Adrs parameter in the Connection profile or by the Framed-Address attribute in the RADIUS user profile.

• Dynamic address

  A dynamic address comes from the pool of addresses set by the Pool #n Start and Pool #n Count parameters or by the Ascend-IP-Pool-Definition attribute.

  If the calling end accepts the IP address, the MAX sets the LAN Adrs parameter or Framed-Address attribute to the assigned address, depending on whether a Connection profile or RADIUS user profile is in use. If a static address is already set in a Connection profile or RADIUS user profile, it overrides any IP address from an IP address pool.

• If the caller's PPP software presents an IP address and the MAX does not require dynamic IP address assignment, the MAX must find a Connection profile or RADIUS user profile that matches that address.

  If the MAX finds a profile, it authenticates the connection using PAP, CHAP, or MS-CHAP, and then establishes the connection. If it does not find a matching profile, the MAX ends the call without completing PAP, CHAP, or MS-CHAP authentication.

• If the caller's PPP software specifies dynamic IP address assignment, the MAX must obtain an available IP address from pools defined in the Ethernet profile or in RADIUS.

  If the MAX successfully assigns an address, it authenticates the connection using PAP, CHAP, or MS-CHAP, and then establishes the connection. If no addresses are available, the MAX ends the call.

• If the caller's PPP software presents an IP address and the MAX requires dynamic IP address assignment, the calling station must accept the IP address

  If the calling station accepts the IP address, the MAX authenticates the connection using PAP, CHAP, or MS-CHAP, and then establishes the connection. If the calling station does not accept the IP address assignment, the MAX ends the call without completing PAP, CHAP, or MS-CHAP authentication.

  For more information on how authentication works on the MAX, see How does user authentication work?.

Table 3-15. IP address parameters

Location	Parameters with sample values
Ethernet\>Answer	Assign Adrs=Yes
Ethernet\>Answer\>PPP Options	Route IP=Yes
Ethernet\>Connections\>Any Connection profile\>IP Options	LAN Adrs=10.5.6.7/24 (or) Pool=2
Ethernet\>Mod Config\>WAN Options	Pool #n Count=10 Pool #n Start=0.0.0.0 Pool Only=Yes

The sections that follow describe how to carry out these tasks:

• Specifying an IP address that must match a caller's IP address

• Assigning a dynamic IP address to a caller requesting one

• Requiring that a caller accept an IP address from the MAX

• Using Name/Password profiles to prevent IP spoofing

Specifying a static IP address

1. Open the Ethernet > Answer > PPP Options menu.

2. Set Route IP=Yes.

3. Open the Ethernet > Connections menu.

4. Open the Connection profile for the caller.

5. Open the IP Options submenu of the Connection profile.

6. To specify a static address, set the LAN Adrs parameter.

7. Save your changes.

1. Open the Ethernet > Answer menu.

2. Set Assign Adrs=Yes.

   When you specify this setting, the MAX asks the device to accept an assigned address, choosing an address from the pool of addresses set by the Pool #n Start and Pool #n Count parameters or by the Ascend-IP-Pool-Definition attribute. If the calling end accepts the IP address, the MAX sets the LAN Adrs parameter in the Connection profile to the assigned address.

   Note: In some TCP/IP implementations, when the workstation needs the MAX to set the IP address, you must set the workstation's address to 0.0.0.0. Setting the address to any other value tells the workstation to use that value and notify the MAX.

3. Open the Ethernet > Answer > PPP Options menu.

4. Set Route IP=Yes.

5. Open the Ethernet > Mod Config > WAN Options menu.

6. Set up address pools using the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Specify a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Specify an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also set up address pools using the Ascend-IP-Pool-Definition attribute in RADIUS. For details, see the RADIUS Configuration Guide.

7. Open the Ethernet > Connections menu.

8. Open a Connection profile.

9. In the Connection profile, set the Pool parameter to the number of the pool to use for the call.

10. Save your changes.

1. Open the Ethernet > Answer menu.

2. Set Assign Adrs=Yes.

   When you specify this setting, the MAX asks the device to accept an assigned address, choosing an address from the pool of addresses set by the Pool #n Start and Pool #n Count parameters or by the Ascend-IP-Pool-Definition attribute. If the calling end accepts the IP address, the MAX sets the LAN Adrs parameter in the Connection profile to the assigned address.

3. Open the Ethernet > Answer > PPP Options menu.

4. Set Route IP=Yes.

5. Open the Ethernet > Mod Config > WAN Options menu.

6. Set up address pools using the Pool #n Count and Pool #n Start parameters (optional).

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Specify a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Specify an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also set up address pools using the Ascend-IP-Pool-Definition attribute in RADIUS. For details, see the MAX RADIUS Configuration Guide.

7. To require a calling station to accept an IP address from the MAX, set Pool Only=Yes.

   This setting requires the calling station to accept the static address specified in a Connection profile or RADIUS user profile, or a dynamic address. If the calling station rejects the assignment, the MAX ends the call.

   If you set Pool Only=No, the MAX accepts the IP address specified by the caller.

8. Open the Ethernet > Connections menu.

9. Open a Connection profile.

10. In the Connection profile, set the LAN Adrs parameter to specify a static address, or set the Pool parameter to the number of the pool to use for assigning a dynamic IP address.

11. Save your changes.

Unlike Connection profiles and RADIUS user profiles, Name/Password profiles cannot specify an IP address for the calling station. When you use a Name/Password profile to authenticate an IP routing connection, the MAX automatically assigns the PPP caller a dynamic IP address as the connection is established, ensuring that the user is not spoofing the address. Table 3-16 shows the relevant parameters on the MAX.

Table 3-16. Name/Password profile address restriction parameters

Location	Parameters with sample values
Ethernet\>Mod Config\>WAN Options	Pool#1 Start=10.0.0.20 Pool#1 Count=90 Pool Only=Yes
Ethernet\>Names/Passwords > Any Name/Password profile	Name=Ted Recv PW=*SECURE*

To set parameters to prevent IP spoofing, follow these steps:

1. Open the Ethernet menu.

2. Open the Names/Passwords menu.

3. Open a Name/Password profile.

4. Set the Name parameter to the name of the user or device making the incoming call.

   In a Name/Password profile, the Name parameter specifies the username associated with the profile; the name you specify also becomes the name of the profile.

5. To specify the password that the remote end of the link must send, set the Recv PW parameter.

   If the password specified by Recv PW does not match the remote end's value for Send PW, the MAX disconnects the link.

6. Open the Ethernet > Mod Config > WAN Options menu.

7. Set up address pools using the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Specify a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Specify an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also set up address pools using the Ascend-IP-Pool-Definition attribute. For details, see the MAX RADIUS Configuration Guide.

8. Set Pool Only=Yes.

   The Pool Only parameter determines whether a caller can reject an IP address assignment and use his or her own IP address. To eliminate the possibility of a caller rejecting the automatic dynamic assignment and spoofing a local, trusted address, set Pool Only=Yes when using Name/Password profiles to authenticate IP routing connections.

   For a call configured in a Name/Password profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

   If the calling station rejects the assignment, the MAX ends the call.

9. Save your changes.

Setting up an authentication server

Understanding authentication servers

• RADIUS

  RADIUS is a protocol originally developed by Livingston Enterprises, and extended by Ascend Communications, Inc. The extensions provided by Ascend let you configure most of the features supported by the resident profiles. The information resides in a database on a PC or UNIX system; the RADIUS daemon on that system accesses the data.

  For complete information on installing and configuring a RADIUS server, and on setting up the MAX to operate with a RADIUS server, see the MAX RADIUS Configuration Guide.

• TACACS

  TACACS is a simple query/response protocol that enables the MAX to check a user's password and enable or prevent access. TACACS supports PAP (Password Authentication Protocol), Combinet name and password validation, and terminal server validation. It does not support CHAP authentication.

  For details on setting up a TACACS server, see the documentation that came with your TACACS software. For information on setting up the MAX to operate with a TACACS server, see Configuring the MAX to use a TACACS or TACACS+ server.

• TACACS+

  TACACS+ is an extension of TACACS. For information on setting up the MAX to operate with a TACACS+ server, see Configuring the MAX to use a TACACS or TACACS+ server.

• AssureNet Defender

  The MAX supports terminal server authentication through the Defender server. If the MAX is configured to use Defender authentication, all authenticated users are given service only according to the parameters of the TServ Options submenu for the Ethernet profile.

• ACE

  The MAX can authenticate terminal server users by directly contacting an ACE server, developed by Security Dynamics. Although SecurID ACE authentication is also indirectly supported via RADIUS, direct support for the SecurID ACE server provides a significant advantage. For those installations where other RADIUS features are not required, having direct SecurID ACE support on the Ascend unit decreases the complexity of the system, making the system easier to configure and maintain.

This section describes how to configure the MAX to communicate with a TACACS or TACACS+ server. Follow these steps:

1. Open the Ethernet > Mod Config > Auth menu.

   X0-X00 Mod Config
   

     Auth...
     >Auth=TACACS
       Auth Host #1=10.23.45.11
       Auth Host #2=10.23.45.12
       Auth Host #3=10.23.45.13
       Auth Port=1645
       Auth Timeout=5
       Auth Key=N/A
       Auth Pool=N/A
       Auth Req=Yes
       Local Profile First=Yes
       APP Server=No
       APP Host=N/A
       APP Port=N/A
       CLID Timeout Busy=No
       CLID Fail Busy=No
       SecurID DES encryption=N/A
       SecurID host retries=N/A
       SecurID NodeSecret=N/A
   

2. Set Auth=TACACS or TACACS+.

3. For each Auth Host parameter, specify the IP address of a TACACS or TACACS+ host.

   You can specify up to three addresses. The MAX first tries to connect to Auth Host #1; if it receives no response within the time specified by the Auth Timeout parameter, it tries again to connect to to Auth Host #1 and waits for the same amount of time. If the MAX does not receive a response within the specified timeout, it sends a request for authentication to Auth Host #2; if it again receives no response within the time specified by Auth Timeout, it tries to connect to the next server on the Auth Host List and repeats the process. If the MAX unit's request again times out, it reinitiates the process with Auth Host #1. The MAX can complete this cycle of requests a maximum of ten times. If the MAX is unsuccessful in obtaining a response from any of the servers on the list, the connection fails.

   When it successfully connects to an authentication server, the MAX uses that machine until it fails to serve requests. The MAX does not use the first host until the second machine fails, even if the first host has come online while the second host is still servicing requests.

   You can also specify the same address for all three Auth Host parameters; if you do so, the MAX keep trying to create a connection to the same server.

4. For the Auth Port parameter, enter the UDP port number used by the TACACS or TACACS+ software.

   For example, you might specify this setting:

   Auth Port=1645
   

   The MAX and the TACACS or TACACS+ software must agree about which UDP port to use for communication, so make sure that the number you specify for the Auth Port parameter matches the number specified in the TACACS or TACACS+ configuration file.

5. To specify the number of seconds the MAX waits for a response to an authentication request, set the Auth Timeout parameter.

   If the MAX does not receive a response within the time specified by Auth Timeout, it sends the authentication request to the next authentication server specified by the Auth Host parameter.

6. Specify whether to use remote authentication before local. The default is Yes.

   If you enter No, remote authentication is tried first. The MAX waits for authentication to succeed or for the timeout specified in Auth Timeout to expire. This can take longer than the timeout specified for the connection and causes all connection attempts to fail.

   To prevent this set the value for Auth Timeout low enough not to cause the line to be dropped, but still high enough to permit the unit to respond if it is able to. The recommended time is 3 seconds.

   Some authentication methods do not work the same without a remote authenticator as they do with one. Table 3-17 shows authentication methods and the specific information you should consider if you use a particular method with Local Profile First=No.

1. Enter the port number for the source port for remote authentication requests.

   Type a port number between 0 and 65535. The default value is 0 (zero); if you accept this value, the Ascend unit can use any port number between 1024 and 2000.

   You can specify the same port for authentication and accounting requests.

2. Save your changes.

Copyright © 1998, Ascend Communications, Inc. All rights reserved.