Ascend Customer Service
Obtaining Technical Assistance
Information you will need
How to contact Ascend Customer Service
Need information about new features and products?

About This Guide

How to use this guide
What you should know
Documentation conventions
Manual set
Related publications
Related RFCs
Information about PPP connections
Information about IPX routing
Information about IP routers
Information about OSPF routing
Information about multicast
Information about firewalls and packet filtering
Information about general network security
Information about external authentication
ITU-T recommendations
Related books

Chapter 1 Getting Acquainted with RADIUS

What is RADIUS?
How does RADIUS authentication work?
How does RADIUS accounting work?
What types of applications does RADIUS support?
Simple RADIUS authentication and accounting
RADIUS authentication and accounting with a backup server
RADIUS with an external token-card server
Using RADIUS to sign up new customers
What files does RADIUS use?
The dictionary file
The clients file
The users file
Overview of RADIUS packet formats
Using the RADIUS interface

Chapter 2 Installing and Starting RADIUS

Before you begin
System requirements
Configuring the MAX TNT
Overview of RADIUS installation tasks
Installing the RADIUS daemon
Obtaining and compiling the RADIUS daemon
Installing the Ascend RADIUS dictionary
Creating and configuring the clients file
Creating the users file
Creating the log file
Specifying the MAX TNT unit's name and IP address
Specifying the RADIUS daemon's authentication port
Configuring the MAX TNT to use the RADIUS server
Performing the required configuration steps
Performing the optional configuration steps
Configuring distinct ID sequences for packet IDs
Fine-tuning the interaction between the MAX TNT and RADIUS
Specifying the duration of a RADIUS timeout
Specifying the message resulting from a RADIUS timeout
Using SNMP to specify the primary RADIUS server
Configuring the MAX TNT for RADIUS client requests
Performing the required steps for client requests
Specifying the clients permitted to make RADIUS requests
Specifying the shared secret
Performing the optional steps for client requests
Specifying the UDP port
Specifying session key parameters
Starting the RADIUS daemon
Running the daemon with a flat ASCII users file
Running the daemon with a UNIX DBM database
Creating the executable files
Creating the DBM database
Starting the RADIUS daemon for a DBM database

Chapter 3 Setting Up RADIUS Authentication

Before you begin
Requiring the MAX TNT to use a profile for authentication
Configuring the MAX TNT to check for a RADIUS profile first
Configuring the MAX TNT for E1 Chinese signaling
Specifying User Busy (17) in ISDN Disconnect packets
Overview of RADIUS authentication
Overview of RADIUS authentication tasks
Setting up name and password authentication
Specifying a user name
Using the caller's name
Using the Default keyword
Specifying a password
Configuring password expiration
Conditions for replacing expired passwords
Setting the password expiration attributes
Changing a nonexpired password
Changing an expired password
Configuring the name and password in pseudo-user profiles
Examples of setting up name and password authentication
Specifying the MAX TNT unit's name and password
Specifying whether multiple callers can use a profile
Specifying an access protocol for incoming calls
How PAP works
How CHAP and MS-CHAP work
Requesting an access protocol for outgoing calls
Setting up the MAX TNT for callback
Setting up CLID authentication
Configuring CLID authentication at the MAX TNT interface
General guidelines for CLID authentication
CLID authentication using a name, password, and caller ID
CLID authentication using a caller ID only
External authentication after CLID authentication
PAP, CHAP, or MS-CHAP after CLID authentication
Configuring the first-tier profile
Configuring the second-tier profile
Setting up called-number authentication
Configuring called-number authentication at the MAX TNT interface
Authentication using a name, password, and called-party number
Authentication using the called-party number only
External authentication after called-number authentication
Setting up token-card authentication
Introducing token-card authentication
Configuring PAP-Token authentication
Configuring Cache-Token authentication
Configuring PAP-Token-CHAP authentication
Configuring ACE authentication for remote router users
Setting up authentication for terminal-server calls
Configuring terminal-server calls with PAP, CHAP, or MS-CHAP
Configuring asynchronous PPP and terminal-server authentication
Configuring digital dial-in with terminal-server authentication

Chapter 4 Setting Up PPP, MP, and MP+ Connections

Before you begin
Specifying system-wide settings
Enabling the encapsulation method
Specifying an authentication protocol
Setting up the MAX TNT to accept client requests
Overview of PPP, MP, and MP+
What is PPP?
What is MP?
What is MP+?
Overview of PPP, MP, and MP+ configuration tasks
Setting up a dial-in PPP, MP, or MP+ connection
Overview of PPP, MP, and MP+ attributes
Configuring required attributes for a PPP, MP, or MP+ connection
Setting the User-Name, Password, and User-Service attributes
Setting the Framed-Protocol attribute
Setting the Framed-Address attribute
Configuring optional attributes for a PPP, MP, or MP+ connection
Specifying the MAX TNT unit's IP address
Specifying the async control character map
Specifying the maximum packet size
Specifying compression settings
Setting up an outgoing PPP, MP, or MP+ connection
Overview of outgoing-call attributes
Configuring required outgoing call attributes
Specifying a name, password, and user service for outgoing calls
Specifying the phone number the MAX TNT dials
Specifying an IP address and subnet mask
Configuring optional outgoing call attributes
Specifying an encapsulation method for an outgoing call
Specifying a data service
Specifying a billing number
Specifying the T1 PRI service
Specifying the type of number the MAX TNT dials (T1 PRI only)
Specifying the long-distance carrier (T1 PRI only)
Setting up a Nailed/MPP connection
Overview of Nailed/MPP attributes
Configuring attributes for a Nailed/MPP connection
Setting up a nailed-up connection
Overview of nailed-up connection attributes
Configuring attributes for a nailed-up connection
Managing bandwidth
How Dynamic Bandwidth Allocation (DBA) works
How RADIUS authenticates multiple channels
Static passwords
Tokens
Combination of static passwords and tokens
Cached tokens
Overview of DBA attributes
Configuring DBA in RADIUS
Guidelines for optimum use of DBA
Configuring a time limit and idle connection attributes
Guidelines for optimum use of idle connection attributes
Limiting access to devices and services
Restricting access to ports, lines, and channels
When New-NAS-Port-ID-Format=Yes
When New-NAS-Port-ID-Format=No
Setting up disconnects
Overview of disconnect-request attributes
Configuring attributes for disconnect requests
How the MAX TNT handles disconnect requests

Chapter 5 Setting Up AppleTalk Connections

Before you begin
Overview of AppleTalk connections
Configuring an AppleTalk connection

Chapter 6 Setting Up Terminal-Server Connections

Before you begin
Specifying system-wide settings for a terminal-server connection
Enabling the encapsulation method for a terminal-server connection
Specifying Terminal-Server profile settings
Overview of terminal-server connections
Overview of terminal-server configuration tasks
Enabling Telnet, TCP, and Rlogin connections
Setting the terminal-server idle timer
Setting up a custom menu and an input prompt
Specifying the Ascend-Menu-Item attribute
Specifying the Ascend-Menu-Selector attribute
Setting up the message text and a list of hosts
Creating the first line of a pseudo-user profile for the message and list
Specifying the message text
Specifying the list of hosts
Controlling access to digital modems
Specifying the Ascend-Dialout-Allowed attribute
Understanding accounting for modem dialout
An extended terminal-server example

Chapter 7 Setting Up Frame Relay Connections

Before you begin
Using the MAX TNT as a Frame Relay concentrator
Overview of Frame Relay configuration tasks
Setting up the logical link to a Frame Relay switch
Types of logical links between the MAX TNT and a Frame Relay switch
UNI-DCE interfaces
UNI-DTE interfaces
Overview of Frame Relay profile attributes
Configuring the required attributes for a Frame Relay profile
Specifying the User-Name, Password, and User-Service attributes
Specifying nailed-up attributes
Specifying the type of Frame Relay link
Configuring optional attributes for a Frame Relay profile
Specifying the link-management protocol
Specifying DCE attributes
Specifying DTE attributes
Specifying the maximum packet size
Specifying the data service
Sample RADIUS Frame Relay profile configurations
Specifying a UNI-DCE interface
Specifying a UNI-DTE interface
Setting up Frame Relay user connections
Types of Frame Relay user connections
Gateway connections
Circuit connections
Direct connections (rarely used)
Overview of Frame Relay connection attributes
Configuring any type of Frame Relay user connection
Configuring a Frame Relay gateway connection
Configuring a Frame Relay circuit connection
Configuring a Frame Relay direct connection
Sample RADIUS Frame Relay user profile configurations
Specifying a gateway connection
Specifying a circuit connection
Specifying a direct connection

Chapter 8 Setting Up Ascend Tunnel Management Protocol (ATMP)

Before you begin
Introducing ATMP
How ATMP connections work
ATMP router and gateway modes
Router mode
Gateway mode
Overview of ATMP configuration tasks
Overview of ATMP attributes
Setting up an ATMP tunnel for an IP network
Configuring the MAX TNT as a foreign agent
Configuring the foreign agent's ATMP profile
Configuring the foreign agent to authenticate through RADIUS
Configuring an outgoing RADIUS user profile to the home agent
Configuring an incoming RADIUS profile for the mobile client
Configuring the MAX TNT as a home agent
Configuring the home agent's ATMP profile
Configuring an outgoing RADIUS user profile to the foreign agent
Configuring a nailed-up connection to the home network
Tunneling ATMP between two IP networks
Home agent in router mode
Home agent in gateway mode
Setting up the MAX TNT as a multimode agent
Setting up ATMP to bypass a foreign agent

Chapter 9 Setting Up IP Routing for WAN Links

Before you begin
Preliminary MAX TNT tasks
Requiring a user to accept an IP address from the MAX TNT
Providing DNS access
Turning on the pool-summary feature
Setting multicast forwarding parameters
Preliminary RADIUS tasks
Introducing IP routing
Types of IP routes
Static routes
Multipath routes
Dynamic routes
How the MAX TNT builds the routing table
How the MAX TNT routes IP packets
Overview of IP-routing configuration tasks
Enabling IP routing
Specifying a caller's IP address
When the remote device is a dial-in PPP host
When the remote device is an IP router
Specifying whether RIP sends and receives updates
Setting the Framed-Routing attribute
Special considerations
Requiring that a caller accept an IP address
Defining a pool of addresses for dynamic assignment
Introducing IP address pools
Overview of attributes for IP address pools
Configuring IP address pools
Creating the first line of a pseudo-user profile for IP address pools
Defining the IP address pools in the pseudo-user profile
Specifying an IP address pool in a RADIUS user profile
Setting up IP redirection
Setting up access to specific DNS servers
What is client DNS?
Overview of attributes for setting up access to specific DNS servers
Specifying DNS servers in a RADIUS user profile
Setting up default routes on a per-user basis
Setting up static IP routes
Overview of static-route configuration tasks
Configuring static IP routes in a pseudo-user profile
Creating the first line of a pseudo-user profile for static IP routes
Specifying static IP routes with the Framed-Route attribute
How RADIUS adds static IP routes to the routing table
Configuring multipath static IP routes in a pseudo-user profile
Configuring static IP routes in a dial-in user profile
Summarizing host routes in an IP address pool
Making sure that each IP address pool is network aligned
Configuring the static route for each summarized address pool
Guidelines for specifying the router
Setting the Framed-Route attribute
Setting up an interface-based IP routing connection
Special considerations
Configuring interface-based IP routing attributes
Setting up IP multicast forwarding
What is the MBONE?
What is a multicast network?
How does the MAX TNT interact with the MBONE?
Configuring multicast forwarding attributes

Chapter 10 Setting Up IPX Routing for WAN Links

Before you begin
Preliminary MAX TNT tasks
Setting up the MAX TNT as an IPX router
Specifying an authentication protocol
Specifying a network number for dial-in clients
Preliminary RADIUS tasks
Introducing IPX routing
Overview of IPX-routing configuration tasks
Setting up IPX routing in a user profile
Setting up static IPX routes
Recommended configurations
Configuring static IPX routes in a pseudo-user profile
Creating the first line of a pseudo-user profile for static IPX routes
Specifying static IPX routes with the Ascend-IPX-Route attribute
How the MAX TNT adds IPX dialout routes to the routing table

Chapter 11 Setting Up Filters

Before you begin
Overview of packet filters
Types of packet filters
Generic filters
IP filters
Ways to apply packet filters
Data filters for dropping or forwarding certain packets
Call filters for managing connections
How packet filters work
Overview of filter configuration tasks
Configuring an IP filter
Configuring a generic filter
Understanding generic filters
Determining whether inbound or outbound data is examined
Specifying an offset to the bytes in a packet to be examined
Linking the filter to the next one in sequence
Masking the value before comparison
Examples of using generic call filters
Setting up filter changes
Overview of filter-change attributes
Configuring attributes for filter-change requests
How the MAX TNT handles filter-change requests

Chapter 12 Setting Up RADIUS Accounting

Before you begin
Overview of accounting configuration tasks
Setting up system-wide RADIUS accounting values
Performing required accounting configuration tasks
Specifying system-wide accounting parameters on the MAX TNT
Specifying the accounting port
Specifying the accounting directory
Performing optional accounting configuration tasks
Generating RADIUS accounting IDs based on source port number
Specifying the source for RADIUS accounting requests
Specifying a timeout value
Specifying a retry limit
Specifying the interval for sending session reports
Specifying the numeric base for the session ID
Specifying the reset time
Specifying whether to send Stop packets when authentication fails
Specifying whether to send Stop packets with no user name
Setting up accounting on a per-user basis
Overview of per-user accounting attributes
Specifying per-user accounting attributes
Setting up accounting with dynamic IP addressing
Classifying user sessions in RADIUS
Using the Class attribute
Using the Ascend-Number-Sessions attribute
Generating periodic accounting requests
Using SNMP to specify the primary accounting server
Starting the RADIUS daemon with accounting enabled
When using a flat ASCII file
When using a UNIX DBM database
Understanding accounting records
What type of information appears in accounting records?
Where are accounting records stored?
What kinds of packets does RADIUS accounting use?
Accounting Start packets
Accounting Stop packets
Non-accounting attributes in Start and Stop records
Accounting attributes in Start records
Accounting attributes in Stop records
Accounting attributes in Failure-to-start records
Proxy RADIUS accounting
How proxy RADIUS accounting works
Contents of the Stop record sent by proxy
Sample accounting records
A Pipeline 25 dialing into a MAX TNT
A modem calling into a MAX TNT
A Stop record sent by proxy

Chapter 13 Setting Up Call Logging

Before you begin
Understanding call logging
Overview of call-logging configuration tasks
Setting up system-wide call-logging values
Performing required call-logging configuration tasks
Specifying system-wide call-logging parameters on the MAX TNT
Specifying the call-logging port
Specifying the call-logging directory
Performing optional call-logging configuration tasks
Specifying a timeout value
Specifying a retry limit
Specifying the numeric base for the session ID
Specifying the reset time
Specifying whether to send Stop packets with no user name
Setting up call logging with dynamic IP addressing
Starting the RADIUS daemon with call logging enabled
When using a flat ASCII file
When using a UNIX DBM database
Understanding call-logging records
What type of information appears in call-logging records?
Where are call-logging records stored?
What kinds of packets does call logging use?
Start packets
Stop packets
Non-call-logging attributes in Start and Stop records
Call-logging attributes in Start records
Call-logging attributes in Stop records
Call-logging attributes in Failure-to-start records
Sample call-logging records
A Pipeline 25 dialing into a MAX TNT
A modem calling into a MAX TNT

Chapter 14 Reference to RADIUS Attributes

Appendix A Troubleshooting

RADIUS authentication problems
Isolating the problem to the RADIUS server
Checking the RADIUS configuration and program files
Checking the MAX TNT parameters
Running the RADIUS daemon in debug mode
Checking the log file
Determining whether all users are failing authentication
RADIUS accounting problems
General accounting errors
Duplicate or deleted records
Backoff-queue error message
Connect progress codes
Disconnect cause codes

Appendix B Attribute and Parameter Cross Reference

Parameters and analogous attributes
Attributes and parameters in numerical order
Attributes and parameters in alphabetical order

Appendix C Attribute and Packet Cross Reference

Access-Request (1)
Access-Accept (2)
Access-Reject (3)
Access-Password-Request (7)
Access-Password-Ack (8)
Access-Password-Reject (9)
Access-Challenge (11)
Access-Password-Expired (32)
Ascend-Access-Event-Request (33)
Ascend-Access-Event-Response (34)
Ascend-Disconnect-Request (40)
Ascend-Disconnect-Ack (41)
Ascend-Disconnect-Nak (42)
Ascend-Change-Filters-Request (43)
Ascend-Change-Filters-Ack (44)
Ascend-Change-Filters-Nak (45)

Index



techpubs@eng.ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.