

Setting Up User Authorization
Setting up terminal-server security
A terminal-server connection is a host-to-host connection that uses analog modem, ISDN Terminal Adapter (using V.110 or V.120 encapsulation), or raw TCP. This section also applies to locally connected terminal-server users, and describes how to limit access to the terminal-server features such as Telnet server, raw-TCP, Rlogin server, and modem dialout. (For more information about the authentication required before a remote user can get access to any of these features, see Setting up authentication for dial-in terminal server users.)
When the MAX receives an analog modem, ISDN TA, or raw TCP call, it determines whether the call is PPP-encapsulated. If it is, the MAX forwards the call to the router. If the call is not PPP-encapsulated, the MAX establishes a terminal-server connection.
In Figure 6-1, a PC running SoftComm places an incoming modem call. The MAX directs the call to its digital modems and then to its terminal-server software, which in this example passes the session straight to a Telnet host.
Figure 6-1. A remote terminal-server connection

You can customize and limit access to the terminal-server interface in the following ways:
- Turn terminal-server operation on or off.
- Specify customized prompts for remote terminal-server users.
- Restrict use of terminal-server commands and protocols.
- Restrict access to the terminal-server command line.
- Restrict Telnet, raw TCP, and Rlogin access to the terminal server.
- Permit TCP-CLEAR or Telnet dial-in access even when the RADIUS user's profile does not specify a login host.
- Set a timeout value so that users are disconnected if they have not completed logging in when the timer has elapsed.
- Disconnect a user's Telnet connection by using the session ID for the connection.
Table 6-1 lists the parameters you can use to customize and restrict access to the terminal-server environment.
For complete information about setting up terminal-server connections in the MAX configuration interface, see the MAX Network Configuration Guide. For complete information on setting up terminal-server connections in RADIUS, see the RADIUS Configuration Guide.
Turning terminal-server operation on or off
To specify whether users can access the terminal-server interface, proceed as follows:
- Open the Ethernet > Mod Config > TServ Options menu.
- To enable terminal-server access, set TS Enabled to Yes. To disable terminal-server access, set TS Enabled to No.
- Save your changes.
Note: Any characters other than \n and \t that have a single backslash (\) in front of them are removed.
For example, you could enter
Welcome to\n\t\\Ascend Remote Server\\\Enter your user name:
to display the following on the terminal-server screen:
Welcome to
\\Ascend Remote Server\\
Enter your user name:
- Set Prompt Format to Yes.
Prompt Format determines whether you can use the multi-line format for the terminal-server prompt. If Prompt Format is set to No, the MAX does not interpret the \n (line feed/carriage return) or \t (tab) escape sequences.
- Set the Login Timeout parameter.
Specify an integer from 0 to 300 seconds. The default value is 300 seconds.
Users are disconnected if they have not completed logging in when the number of seconds set in Login Timeout has elapsed. The timer starts when the login prompt appears on the terminal-server screen and is not reset by unsuccessful login attempts, so the value is the total time a user has to achieve a successful login, not a per-attempt limit.
- To customize the password prompt, set the Password Prompt parameter.
This parameter specifies the prompt the terminal server displays when asking the user for his or her password. You can specify up to 80 characters. The default value is Password:.
- Enter a prompt string in the 3rd Prompt parameter to specify a third prompt to follow the login and password prompts.
You can specify up to 20 characters. The default value is null. If you accept the default, the MAX does not display an additional prompt.
The remote terminal-server user can enter up to 80 characters after this prompt. The MAX passes the information the user enters to the RADIUS server as an attribute called Ascend-Third-Prompt. This attribute appears in the Access-Request packet. If the user enters more than 80 characters, RADIUS truncates the data before assigning a value to the Ascend-Third-Prompt attribute.
The 3rd Prompt parameter does not apply if the Auth parameter has a value other than RADIUS or RADIUS/LOGOUT. If authentication occurs through a local Connection profile, and not through the RADIUS server, the MAX ignores the 3rd Prompt specification.
- Set the 3rd Prompt Seq parameter to First or Last to specify whether the additional prompt appears at the beginning or the end of the login sequence.
The 3rd Prompt Seq parameter works with any authentication method except Auth=None.
The default is Last. The parameter is N/A if TS Enabled is set to No or 3rd Prompt is null.
The third-prompt feature works slightly differently depending on whether you specify that it appear in the Last position (a prompt issued after the login and password prompts) or the First position (a prompt issued before login and password prompts). For more complete information, see Understanding how the third login prompt works.
- Save your changes.
Sample prompts
Suppose you accept the default settings for the Login Prompt and Password Prompt parameters, and specify the following setting for 3rd Prompt:
3rd Prompt=Password2>>
The terminal server displays the following prompts:
Login:
Password:
Password2>>
Understanding how the third login prompt works
You can configure a prompt by specifying the string that appears with the prompt and where the prompt appears in the login sequence (first or last). A prompt can emulate an existing terminal-server login prompt sequence, depending upon what you specify in the prompt string.
The third prompt feature works differently depending upon whether you select First or Last as the value of the 3rd Prompt Seq parameter.
Similarities in the way the third prompt works in either First or Last position are:
- Both settings work with any value for the Auth parameter except Auth is set to None.
- User's input is passed to RADIUS with the authentication request as the value of the Ascend-Third-Prompt RADIUS attribute.
Differences in the way the third prompt works, depending on whether 3rd Prompt Seq is set to First or Last, are:
- A First prompt appears before the Login and Password prompts; a Last prompt appears after them.
- The user's input is echoed in response to a First prompt and is not echoed in response to a Last prompt, so the Last position suits a second secret such as a token code.
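The behaviour described in this section (prompt order for First and Last, which inputs are echoed, the 80-character limit on the third-prompt value, and a Login Timeout that is not reset by failed attempts) can be modelled in a few lines. The following Python is an added example for this page and is not Ascend code; the user records, passwords and timestamps in it are constructed for the example.

```python
"""Model of the MAX terminal-server login sequence described above.

Added example, not Ascend code. It reproduces the documented behaviour:
prompt order for 3rd Prompt Seq=First/Last, which inputs are echoed, the
80-character limit on the third-prompt value, and a Login Timeout that is
not reset by failed attempts. User records and times are constructed.
"""
import hmac
from dataclasses import dataclass


@dataclass
class PromptConfig:
    login_prompt: str = "Login:"
    password_prompt: str = "Password:"
    third_prompt: str = ""            # null (default) = no third prompt
    third_prompt_seq: str = "Last"    # "First" or "Last" (default)
    login_timeout: int = 300          # seconds, 0..300, default 300


def prompt_sequence(cfg):
    """Return [(prompt_text, echoed)] in the order the user sees them."""
    base = [(cfg.login_prompt, True), (cfg.password_prompt, False)]
    if not cfg.third_prompt:
        return base
    if cfg.third_prompt_seq == "First":
        # First: issued before Login/Password, and the input is echoed.
        return [(cfg.third_prompt, True)] + base
    # Last: issued after Login/Password, and the input is not echoed.
    return base + [(cfg.third_prompt, False)]


class LoginSession:
    """One terminal-server login with a single, non-resetting deadline."""

    def __init__(self, cfg, users, started_at):
        self.cfg = cfg
        self.users = users                              # name -> password (constructed)
        self.deadline = started_at + cfg.login_timeout  # fixed when the prompt appears
        self.authenticated = False
        self.disconnected = False
        self.third_prompt_value = ""                    # what would go to RADIUS

    def attempt(self, now, name, password, third=""):
        if self.disconnected or self.authenticated:
            return "closed"
        # A failed attempt does not move the deadline: Login Timeout is a
        # total budget for the login, not a per-attempt limit.
        if now >= self.deadline:
            self.disconnected = True
            return "disconnected"
        # Ascend-Third-Prompt carries at most 80 characters; longer input is truncated.
        self.third_prompt_value = third[:80]
        known = name in self.users
        expected = self.users.get(name, "")
        # Constant-time comparison; it runs for unknown names too so the
        # response time does not reveal which names exist.
        ok = hmac.compare_digest(expected.encode(), password.encode())
        if known and ok:
            self.authenticated = True
            return "ok"
        return "retry"
```

Two failed attempts at 100 and 250 seconds followed by a correct one at 310 seconds still end in a disconnect, because the deadline was set once when the login prompt appeared.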
Restricting the use of terminal-server commands and protocols
To specify whether users can initiate Telnet, Rlogin, PPP, or SLIP sessions from the terminal-server interface, proceed as follows:
- Open the Ethernet > Mod Config > TServ Options menu.
- Set the Telnet parameter to specify whether a user can start a Telnet session.
- Yes indicates that a user can begin a Telnet session. The default value is Yes.
- No indicates that a user cannot begin a Telnet session.
- Set the Rlogin parameter to specify whether a user can initiate an Rlogin session.
- Yes indicates that a user can begin an Rlogin session.
- No indicates that a user cannot begin an Rlogin session. The default value is No.
- Set the PPP parameter to specify whether a client can use asynchronous PPP.
- Yes indicates that a client can use asynchronous PPP.
- No indicates that a client cannot use asynchronous PPP. The default value is No.
- Set the SLIP parameter to specify whether a user can initiate a Serial Line IP (SLIP) session.
SLIP is a protocol that enables your computer to send and receive IP packets over a serial link.
- Yes indicates that a user can begin a SLIP session.
- No indicates that a user cannot begin a SLIP session. The default value is No.
- Save your changes.
Dial-in calls with no login host specified in RADIUS
You can configure the MAX to accept dial-in calls when Login-Service is set to TCP-CLEAR or Telnet and no Login-Host is specified in the RADIUS users file. This setting does not apply to PPP-encapsulated calls, because the MAX does not accept dial-in PPP calls whose Login-Service is Telnet or TCP-CLEAR.
To set up the MAX to accept dial-in calls when no login host is specified, set Auth TS Secure to No in the Ethernet > Mod Config > Auth menu. The default is Auth TS Secure=Yes, which means the MAX drops dial-in calls when Login-Service is Telnet or TCP-CLEAR and no login host is specified.
Configuring per-user access to terminal-server commands
The Framed Only parameter in the Answer profile and the Connection profile enables you to limit specific users to the PPP, SLIP, CSLIP, and Quit commands in the MAX terminal-server interface. You can configure per-user access to the terminal-server commands in the Answer profile or in the Connection profile:
- The Answer profile affects users who do not have a Connection profile, users with a Name/Password profile, and RADIUS-authenticated users whose connections are built partly from the Answer profile.
- A Connection profile affects only the individual user to whom it is assigned.
To configure per-user access to the terminal server:
- Select Ethernet > Answer > Session Options or
Ethernet > Connections > a Connection profile > Session Options
- Specify one of the following values for Framed Only:
- Save and exit the profile.
Dealing with unauthorized Telnet and terminal-server sessions
When a user activates a Security profile, the MAX generates a Syslog message notifying you that the event occurred (if Syslog is enabled). A user can activate a Security profile in a Telnet session or a serial-line COM port session by selecting the Security profile and specifying the proper password. When a user activates a Security profile, new Syslog messages show the name of the Security profile, the IP address of the Telnet client or the COM port number, and the local IP address.
The Syslog message is logged at the notice level and has one of the following formats:
ASCEND: "profile_name" ... for remote_IP on local_IP
ASCEND: "profile_name" ... from COM_port on local_IP
- The profile_name argument specifies the name of the activated Security profile.
- The remote_IP argument specifies the IP address of the Telnet client.
- The local_IP argument specifies the local IP address of the MAX.
- The COM_port argument specifies the COM port number for the session.
On system login, the MAX does not generate a Syslog message for the Default Security profile. But it does generate a Syslog message if the Default Security profile is accessed for anything other than system login.
The following two messages signal that a Telnet client has enabled a Security profile:
Jan 10 10:05:17 eng-lab-141 ASCEND: "Full Access" security profile enabled for 206.65.212.9 on 192.168.6.141.
Jan 10 10:07:26 eng-lab-141 ASCEND: "Default" security profile enabled for 206.65.212.23 on 192.168.6.141.
The following message signals that a COM port user has enabled the Full Access profile:
Jan 10 10:03:52 eng-lab-141 ASCEND: "Full Access" security profile enabled from com port 0 on 192.168.6.141.
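The three messages above are the kind of input a Syslog collector receives from the MAX. The following Python, an added example that is not Ascend code, parses both message shapes (Telnet client and COM port) and flags activations of a privileged Security profile from a Telnet client outside a management network. The sample lines are the three messages quoted on this page; the management network 192.168.6.0/24 and the choice of "Full Access" as the privileged profile are assumptions made for the example.

```python
"""Parse MAX Security-profile activation messages and flag the ones to review.

Added example, not Ascend code. SAMPLE_SYSLOG holds the three messages
quoted on this page; the management network passed to find_suspicious is
an assumption for the example.
"""
import ipaddress
import re

SAMPLE_SYSLOG = """\
Jan 10 10:05:17 eng-lab-141 ASCEND: "Full Access" security profile enabled for 206.65.212.9 on 192.168.6.141.
Jan 10 10:07:26 eng-lab-141 ASCEND: "Default" security profile enabled for 206.65.212.23 on 192.168.6.141.
Jan 10 10:03:52 eng-lab-141 ASCEND: "Full Access" security profile enabled from com port 0 on 192.168.6.141.
"""

# Two message shapes: "... for <remote_IP> on <local_IP>." (Telnet client)
# and "... from com port <n> on <local_IP>." (serial console port).
_EVENT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ASCEND: '
    r'"(?P<profile>[^"]+)" security profile enabled '
    r'(?:for (?P<remote_ip>\d{1,3}(?:\.\d{1,3}){3})|from com port (?P<com_port>\d+)) '
    r'on (?P<local_ip>\d{1,3}(?:\.\d{1,3}){3})\.$'
)


def parse_events(text):
    """Return one dict per activation message; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.match(line)
        if not m:
            continue
        com_port = m["com_port"]
        events.append({
            "ts": m["ts"],
            "host": m["host"],
            "profile": m["profile"],
            "source": "com" if com_port is not None else "telnet",
            "remote_ip": m["remote_ip"],
            "com_port": int(com_port) if com_port is not None else None,
            "local_ip": m["local_ip"],
        })
    return events


def find_suspicious(events, mgmt_nets, privileged=("Full Access",)):
    """Flag privileged profiles activated over Telnet from outside mgmt_nets.

    COM port activations need physical access to the unit and are left to
    the reader's own policy, so they are reported by parse_events but not
    flagged here.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    alerts = []
    for e in events:
        if e["profile"] not in privileged or e["source"] != "telnet":
            continue
        ip = ipaddress.ip_address(e["remote_ip"])
        if not any(ip in n for n in nets):
            alerts.append((e, "privileged profile activated from outside management network"))
    return alerts
```

Run against the sample, with 192.168.6.0/24 as the management network, the first message (Full Access from 206.65.212.9) is flagged, the Default activation is not, and the COM port activation is parsed but left alone. Because the MAX logs a Default activation only when it is not part of the system login, those events are also worth keeping for audit.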
Restricting access to the Immediate Modem feature
The Immediate Modem feature enables local terminal-server users (who have not dialed into the MAX and have not been authenticated) to Telnet to a MAX to access the unit's modems, so that they can place outgoing calls without going through MAX terminal-server interface. You can choose to restrict access to the Immediate Modem feature on a per-user basis, or you can specify a global password for all users. You can also disable call restriction for the Immediate Modem feature, so that all users can place outgoing calls.
To use Immediate Modem service, users specify the port number configured in the Imm. Modem Port parameter when opening a Telnet session to the MAX. For example, a user can access a digital modem on port 5000 in a MAX unit named max1 by typing the following command:
telnet> open max1 5000
When the modem responds, the user can begin entering AT commands to dial out.
Understanding per-user Immediate Modem access restriction
When per-user Immediate Modem is enabled, the MAX does the following:
- Requests a login name before enabling any user to access the Immediate Modem feature.
- Attempts to find a profile with the name provided by the user, looking first for a local Connection profile, then for a simple Name/Password profile, and finally for a RADIUS profile.
- If the MAX finds a matching profile, it prompts the user for the password (if any) associated with the profile and verifies that the user enters the correct password.
- If no profile matching the name provided by the user can be found, the MAX rejects the user and closes the Telnet session.
- If the user enters the correct password, the MAX checks the Dialout OK parameter of the matching profile.
- If Dialout OK is set to Yes, the user can access the Immediate Modem feature.
- If the user enters the wrong password or Dialout OK is set to No, the MAX rejects the user (with an appropriate message) and closes the Telnet session.
Understanding password restriction for Immediate Modem
The Immediate Modem password separately governs whether a user is allowed to use the Immediate Modem functionality. If Telnet is password protected, a user must know the Telnet password as well as the Immediate Modem password to dial out. To use Telnet but not the dialout functionality, a user only needs to know the Telnet password.
Configuring access to the Immediate Modem feature
To restrict access to the Immediate Modem feature, proceed as follows:
- Open the Ethernet > Mod Config > TServ Options menu.
- Set TS Enabled to Yes.
If TS Enabled is set to No, the Imm. Modem Pwd field is N/A and you cannot specify a password for the Immediate Modem feature.
- Set the Modem Dialout parameter to specify whether the user can use this MAX unit's V.34 digital modems to dial out.
- Modem Dialout set to Yes permits terminal-server users access to the digital modems.
- Modem Dialout set to No denies terminal-server users access to the digital modems.
The default value is No.
- Set the Immediate Modem parameter to enable or disable the Immediate Modem feature.
- Set the Imm. Modem Access parameter to specify whether the access is restricted on a global or per-user basis, or unrestricted.
- None indicates that call restriction is disabled, and that all users can place outgoing calls.
- Global indicates that a single password provides access to dialout (set in the Imm. Modem Pwd parameter). Any user who knows this password can place outgoing calls.
- User (the default) indicates the MAX requires a login before any user can access the Immediate Modem dialout feature. The MAX attempts to match the user's name and password to a name and a receive password in a Connection profile, Name/Password profile, or RADIUS users profile. If the user is authenticated by matching a Name/Password profile, the Name/Password profile must point to a Connection profile for the setting of the Dialout OK parameter.
- Specify a password in the Imm. Modem Pwd parameter if you set Imm. Modem Access to Global.
This parameter is N/A if Imm. Modem Access is set to None or User.
Note: To enable unlimited access to the Immediate Modem feature, set Imm. Modem Access to None. Do not set Imm. Modem Access to Global and leave the Imm. Modem Pwd parameter null.
- Close the Ethernet > Mod Config > TServ Options menu.
- Open the Telco options submenu of the appropriate Connection profile.
- Set the Dialout OK parameter to specify whether modem dialout is enabled for this Connection profile.
- Dialout OK set to Yes specifies that the Connection profile allows modem dialout.
- Dialout OK set to No specifies that the Connection profile does not allow modem dialout. Dialout OK set to No is the default.
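The per-user decision described under Understanding per-user Immediate Modem access restriction, together with the None/Global/User modes and the Note about a null global password, can be written out as a single access-control function. The following Python is an added example, not Ascend code: the profile records are constructed for the example, and because this page does not name the RADIUS attribute that carries Dialout OK, the RADIUS record models it as a plain boolean.

```python
"""Immediate Modem access decision, following the procedure described above.

Added example, not Ascend code. Profile records are constructed; the
RADIUS dial-out flag is an assumption because this page does not name the
attribute that carries Dialout OK for RADIUS users.
"""
import hmac
from dataclasses import dataclass


@dataclass
class ConnectionProfile:
    name: str
    recv_pw: str
    dialout_ok: bool = False          # Telco Options > Dialout OK, default No


@dataclass
class NamePasswordProfile:
    name: str
    recv_pw: str
    connection_profile: str = ""      # must point at a Connection profile for Dialout OK


@dataclass
class RadiusUser:
    name: str
    password: str
    dialout_ok: bool = False          # assumption: RADIUS equivalent of Dialout OK


@dataclass
class TServOptions:
    ts_enabled: bool = True
    modem_dialout: bool = False       # default No
    immediate_modem: bool = True
    imm_modem_access: str = "User"    # "None", "Global" or "User" (default)
    imm_modem_pwd: str = ""           # only meaningful when imm_modem_access == "Global"


def _pw_ok(expected, given):
    return hmac.compare_digest(expected.encode(), given.encode())


def lookup_profile(name, connections, name_pw, radius):
    """Search order from the page: Connection profile, Name/Password, then RADIUS."""
    if name in connections:
        return "connection", connections[name]
    if name in name_pw:
        return "namepw", name_pw[name]
    if name in radius:
        return "radius", radius[name]
    return None, None


def immediate_modem_decision(opts, name, password, connections, name_pw, radius):
    """Return (allowed, reason) for a Telnet user asking for the Immediate Modem port."""
    if not (opts.ts_enabled and opts.immediate_modem and opts.modem_dialout):
        return False, "modem dialout disabled"
    if opts.imm_modem_access == "None":
        return True, "unrestricted"
    if opts.imm_modem_access == "Global":
        # The page warns against Global with a null Imm. Modem Pwd; fail closed
        # rather than treating an empty password as "anyone may dial".
        if not opts.imm_modem_pwd:
            return False, "global mode with null password"
        if _pw_ok(opts.imm_modem_pwd, password):
            return True, "global password"
        return False, "bad global password"
    # Per-user mode (the default).
    kind, prof = lookup_profile(name, connections, name_pw, radius)
    if prof is None:
        return False, "no matching profile"      # MAX closes the Telnet session
    if kind == "connection":
        expected, dialout = prof.recv_pw, prof.dialout_ok
    elif kind == "namepw":
        expected = prof.recv_pw
        # Dialout OK lives in the linked Connection profile; no link means No.
        linked = connections.get(prof.connection_profile)
        dialout = linked.dialout_ok if linked else False
    else:
        expected, dialout = prof.password, prof.dialout_ok
    if not _pw_ok(expected, password):
        return False, "bad password"
    if not dialout:
        return False, "Dialout OK=No"
    return True, "per-user"
```

The two cases worth noticing are the Name/Password user whose profile does not point at a Connection profile (denied, because Dialout OK has nowhere to come from) and the Global mode with an empty password (denied, rather than silently open).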
Disconnecting a user's terminal-server session
You can disconnect, by session ID, a user who establishes a Telnet connection with the Ascend unit. The disconnect code that results is identical to the RADIUS disconnect code, enabling you to track all administrative disconnects.
Displaying a list of active terminal-server sessions
To display a list of active user sessions on an Ascend MAX, enter:
show users
Note: At the terminal-server prompt, show users displays a list of user sessions active on a system. Each user session is identified by the sessionID, which is followed by additional information about the session. The Show Users command is included in the online help for the Show command.
You can detect multiple concurrent sessions for the same user with the sessionActiveTable in the Ascend MIB.
Killing an active terminal-server session
To terminate a Telnet session, enter the following command line at the terminal-server prompt:
kill session ID
where session ID is the session ID as displayed by the terminal-server Show Users command. The disconnect reason for the session is reported as DIS_LOCAL_ADMIN.
The active Security Profile must have Edit All Calls set to Yes. If Edit All Calls is set to No, the following message appears when you issue the kill command:
Insufficient security level for that operation.
If you issue the kill command without the session ID argument, the following message appears:
kill command requires an argument
When the session is properly terminated, a message similar to the following appears:
Session 216747095 killed.
When the session is not terminated, a caution similar to the following appears:
Unable to kill session 216747095.
Setting up SNMP security
Simple Network Management Protocol (SNMP) provides a way for computers to share networking information. SNMP recognizes two types of communicating devices: agents and managers. An agent (such as the MAX) provides networking information to a manager application running on another computer. The agents and managers share a database of information, called the Management Information Base (MIB).
A trap is a mechanism in SNMP for reporting system change in real time. To report system change, the MAX sends a traps-PDU across the Ethernet interface to the SNMP manager. A complete list specifying the events that cause the MAX to send a traps-PDU appears in the Ascend Enterprise Traps MIB.
You can set up SNMP security in the following ways:
- Specify passwords for SNMP managers with access to the MAX.
- Set up SNMP traps.
- Restrict the hosts that can issue SNMP commands.
Table 6-3 shows the parameters for protecting access to SNMP on the MAX. The values shown are examples.
Password-protecting SNMP
An SNMP manager application residing on a workstation on the local or remote network can access management information, set alarm thresholds, and change some settings on the MAX. To password protect this type of network access, you must assign the Read and Read/Write SNMP community strings. To assign Read and Read/Write SNMP community strings, proceed as follows:
- Open the Ethernet > Mod Config > SNMP Options menu.
- Set the Read Comm parameter to specify the Read community string.
This string authenticates an SNMP manager accessing the MAX to perform read commands, that is, the Get and Get Next commands. The Get command requests information. The Get Next command enables an SNMP manager to walk a table of information, such as a routing table. After you enter a string for the Read Comm parameter, managers must supply it to use the Get and Get Next commands.
- Set the R/W Comm parameter to specify the Read/Write community string.
This string authenticates an SNMP manager accessing the MAX to perform read and write commands, that is, the Get, Get Next, and Set commands. The Set command enables an SNMP manager to change information maintained by the MAX. After you enter a string for the R/W Comm parameter, managers must supply it to use the Get, Get Next, and Set commands. You can use the original SNMPv1 definition of the community string (a string of octets that is compared to a similar string in the receiving SNMP entity). If the string in the received packet exactly matches a community string in the receiving entity, the packet is considered "authentic." Note that the community string travels in cleartext in every SNMPv1 packet, so it protects only against managers who do not already know it.
The defaults for SNMP v1 (without authentication) are:
Ethernet > Mod Config > SNMP Options > Read Comm=public
Ethernet > Mod Config > SNMP Options > R/W Comm=write
If you wish to use SNMP authentication, you use a new form of the Read/Write community string:
Ethernet > Mod Config > SNMP Options > R/W Comm=name|secretkey
where name is the community name and secretkey is the secret key that the SNMP manager must include after the vertical bar (see Configuring the SNMP manager to use SNMP authentication).
Note: You cannot turn SNMP write off, so you must set a secret R/W Comm string. The default R/W Comm string is write. Anyone who has used an Ascend product probably knows this default string, so it does not provide any real security.
- If you are using authenticated SNMP, configure the SNMP management station to communicate with a MAX through authenticated SNMP (as described in Configuring the SNMP manager to use SNMP authentication).
- Save your changes.
Configuring the SNMP manager to use SNMP authentication
To communicate with an Ascend unit that has been configured to use authenticated SNMP, an SNMP management station must construct an SNMP packet in the new format for the Read/Write community string, including the secret key:
name|secretkey
If you configure the Ascend unit to use authenticated SNMP, it does not accept packets from an SNMP management station that uses the string format without the vertical bar/pipe.
Setting up SNMP traps
To configure parameters related to SNMP traps security, proceed as follows:
- Open the Ethernet > SNMP Traps menu.
- Open a blank SNMP Traps profile.
- For the Name parameter, specify the SNMP manager to which the MAX sends traps-PDUs.
You can specify up to 31 characters. The default value is null. The value you specify becomes the name of the profile.
- Set the Alarm parameter to specify whether the MAX sends a traps-PDU to the SNMP manager when an alarm event occurs.
Alarm events are defined in RFC 1215 and include the following:
- Set the Port parameter to specify whether the MAX traps serial host port state changes and sends traps-PDUs to the SNMP manager.
The MAX can record the following serial host port events:
- Set the Security parameter to specify whether the MAX traps these events:
- Set the Comm parameter to specify a community name.
The string you specify becomes a password that the MAX sends to the SNMP manager when an SNMP trap event occurs. The password authenticates the sender identified by the IP address in the IP Adrs parameter.
For the community name, you can enter an alphanumeric string of up to 31 characters. The default value is null. To turn off SNMP traps, leave the Comm parameter blank and set Dest to 0.0.0.0.
- Set the Dest parameter to specify the IP address of the SNMP manager to which the MAX sends traps-PDUs.
Specify an IP address in dotted decimal notation. An IP address consists of four numbers from 0 to 255, separated by periods. If a subnet mask is in use, you must specify it. Separate a subnet mask from the IP address with a slash. The default value is 0.0.0.0/0.
The MAX ignores any digits in the IP address hidden by a subnet mask. For example, the address 200.207.23.1/24 becomes 200.207.23.0. To specify a route to a specific host, use a mask of 32.
The Dest parameter does not apply if the MAX does not support IP (Route IP=No) or if Combinet encapsulation is in use (Encaps=COMB).
- Save your changes.
Restricting the hosts that can issue SNMP commands
The MAX is an SNMP-enabled device that supports a variety of MIBs. For large networks, you should specify which stations can use SNMP manager applications to initiate read or read/write access to those MIBs.
You can specify up to five IP hosts that have read access to the MIBs and up to five hosts that have read/write access. The MAX checks the SNMP version and community string first, and compares the source IP address only after those checks pass.
To restrict the hosts that can issue SNMP commands, proceed as follows:
- Open the Ethernet > Mod Config > SNMP Options menu.
- Make sure that the Security parameter is set to Yes.
This parameter specifies that the MAX must compare the source IP address of packets containing SNMP commands against a list of qualified IP addresses.
- Specify the IP addresses of hosts that have SNMP read permission.
For example, you might enter the following settings:
RD Mgr1=10.1.2.3
RD Mgr2=10.1.2.4
RD Mgr3=10.1.2.5
RD Mgr4=10.1.2.6
RD Mgr5=10.1.2.7
If the Security parameter is set to Yes, only SNMP managers at the specified IP addresses can execute the SNMP Get and Get Next commands.
- Specify the IP addresses of hosts that have SNMP write permission.
For example, you might enter the following settings:
WR Mgr1=10.9.8.1
WR Mgr2=10.9.8.2
WR Mgr3=10.9.8.3
WR Mgr4=10.9.8.4
WR Mgr5=10.9.8.5
If the Security parameter is set to Yes, only SNMP managers at the specified IP addresses can execute the SNMP Get, Get Next, and Set commands.
- Save your changes.
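The checks in Password-protecting SNMP and Restricting the hosts that can issue SNMP commands amount to an agent-side decision on each incoming packet: parse the SNMPv1 header, match the community string (including the name|secretkey form), then, when Security=Yes, compare the source address against the RD Mgr and WR Mgr lists. The following Python is an added example, not Ascend code or the MAX's actual implementation. The BER decoder reads only what the decision needs, build_request exists to construct test packets, and the community strings and manager addresses are assumptions modelled on the examples above.

```python
"""Agent-side SNMPv1 access decision modelled on the MAX settings above.

Added example, not Ascend code. The BER decoder reads only the message
header (version, community, PDU type); build_request constructs minimal
test packets; community strings and manager addresses are assumptions.
"""
import hmac
import ipaddress
from dataclasses import dataclass

GET, GETNEXT, SET = 0xA0, 0xA1, 0xA3      # SNMPv1 PDU tags


def _read_tlv(buf, pos):
    """Decode one BER TLV with definite length; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: 0x8n then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def parse_snmpv1_header(packet):
    """Return (version, community, pdu_tag) from a community-based SNMP message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    tag, ver, p = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    tag, comm, p = _read_tlv(body, p)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    pdu_tag, _, _ = _read_tlv(body, p)
    return int.from_bytes(ver, "big"), comm.decode("latin-1"), pdu_tag


def _tlv(tag, body):
    assert len(body) < 128                      # short-form length is enough here
    return bytes([tag, len(body)]) + body


def build_request(community, pdu_tag, request_id=1):
    """Constructed test input: SNMPv1 request with an empty variable-binding list."""
    pdu = (_tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")
           + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode())
                + _tlv(pdu_tag, pdu))


@dataclass
class SnmpOptions:
    read_comm: str = "public"   # Ethernet > Mod Config > SNMP Options > Read Comm
    rw_comm: str = "write"      # R/W Comm; the name|secretkey form enables authentication
    security: bool = False      # Security=Yes turns on source-address checks
    rd_mgrs: tuple = ()         # RD Mgr1..5
    wr_mgrs: tuple = ()         # WR Mgr1..5


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())


def authorize(opts, packet, source_ip):
    """Return (allowed, reason). Version and community are checked before the
    source IP, which is the order the page gives for the MAX."""
    try:
        version, community, pdu_tag = parse_snmpv1_header(packet)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if version != 0:
        return False, "not SNMPv1"
    if pdu_tag not in (GET, GETNEXT, SET):
        return False, "unsupported PDU"
    is_write = pdu_tag == SET
    # With an authenticated R/W Comm only the full "name|secretkey" matches;
    # a bare name without the pipe is rejected.
    rw_ok = _same(opts.rw_comm, community)
    rd_ok = _same(opts.read_comm, community)
    if is_write and not rw_ok:
        return False, "write requires R/W Comm"
    if not (rw_ok or rd_ok):
        return False, "bad community"
    if opts.security:
        allowed = opts.wr_mgrs if is_write else opts.rd_mgrs + opts.wr_mgrs
        if ipaddress.ip_address(source_ip) not in {ipaddress.ip_address(a) for a in allowed}:
            return False, "source not a listed manager"
    return True, "set" if is_write else "read"
```

With the factory defaults (R/W Comm=write, Security=No) a Set from any address is accepted, which is the exposure the Note above describes. With an authenticated R/W Comm and Security=Yes, a Set must carry the full name|secretkey string and come from a WR Mgr address; a read manager address is still refused for Set even with the right community.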
Setting up a Domain Name System (DNS)
DNS is a TCP/IP service that enables you to refer to a host by a symbolic name instead of an IP address. A fully qualified name consists of a host name and a domain name, for example host1.abc.com or mail.xyz.edu.
DNS is a distributed database of names and their corresponding IP addresses, held on domain name servers. When you use a symbolic name, the MAX sends a query to its configured domain name server, which returns the IP address to use for the connection.
You can set up two types of DNS configurations:
- Global DNS, in which you specify the DNS server(s) known to all MAX users on connected local interfaces.
- Client DNS, in which you specify the DNS server(s) known to MAX users to whom a specific Connection profile has been applied.
Table 6-4 lists the parameters you can set.
Setting global DNS parameters
To set global DNS parameters, proceed as follows:
- Open the Ethernet > Mod Config > DNS menu.
- Set the Domain Name parameter to specify a primary domain name to use for lookups.
For unqualified names, the MAX first tries the name in the domain specified by Domain Name and then in the domain specified by Sec Domain Name.
- Set the Sec Domain Name parameter to specify a secondary domain name to use for lookups.
- Set the Pri DNS parameter to specify the IP address of the primary domain name server for use on connected local interfaces.
The address consists of four numbers from 0 to 255, separated by periods. The default value is 0.0.0.0. Accept this default if you do not have a domain name server.
- Set the Sec DNS parameter to specify the IP address of the secondary domain name server for use on connected local interfaces.
The address consists of four numbers from 0 to 255, separated by periods. The default value is 0.0.0.0. Accept this default if you do not have a secondary domain name server.
The MAX uses the secondary server only if the primary one is inaccessible. The Sec DNS parameter applies only to Telnet and raw TCP connections running under the MAX unit's terminal-server interface.
- Set List Attempt to Yes.
DNS can return multiple addresses for a hostname in response to a DNS query, but it does not include information about availability of those hosts. Users typically attempt to access the first address in the list. If that host is unavailable, the user must try the next host, and so forth. However, if the access attempt occurs automatically as part of immediate services, the physical connection is torn down when the initial connection fails.
The DNS List Attempt feature helps the MAX avoid tearing down physical links. The user can try one entry in the DNS list of hosts when logging in through Telnet from the terminal server or immediate Telnet, and, if that connection fails, the user can try each succeeding entry.
You can specify one of the following settings:
- Yes specifies that the MAX enables a user to try the next host in the DNS list if the first Telnet login attempt fails.
- No turns off the List Attempt feature.
- The default value is No.
- If you set List Attempt to Yes, set the List Size parameter.
- The List Size parameter specifies the maximum number of hosts the MAX can list in response to a DNS query. You can specify a number from 0 to 35. The default value is 6.
Setting client DNS parameters
To set up client DNS, in which connection-specific DNS parameters are applied, proceed as follows:
- Open the Ethernet > Connections menu.
- Open a Connection profile
- Open the IP Options menu.
- Set the Client Pri DNS parameter.
- Set the Client Sec DNS parameter.
The default value is 0.0.0.0. Accept this default if you do not have a secondary client DNS server.
- Set the Allow As Client DNS parameter to Yes or No.
- Yes enables WAN clients to use local DNS servers.
- No disables WAN clients from using local DNS servers.
No is the default.
Example of DNS configuration
This sample shows how to specify two local DNS servers and enable the DNS list feature.
- Open the Ethernet > Mod Config > DNS menu.
- Specify your domain name.
- Specify the IP addresses of a primary and secondary DNS server, and turn on the DNS list attempt feature. For example:
Mod Config
DNS
Domain Name=abc.com
Pri DNS=10.2.3.56/24
Sec DNS=10.2.3.107/24
List Attempt=Yes
- Save your changes.
Disabling remote management access
To prevent an operator from accessing the MAX from a remote Ascend unit by means of AIM or MP+ remote management, set System > Sys Config > Remote Mgmt to No. Proceed as follows:
- Open the System > Sys Config menu.
- Set Remote Mgmt to No.
- Exit and save your changes.
For related information about remote management, see the chapter about system administration in the MAX Network Configuration Guide.
Password-protecting Telnet access
You can assign a Telnet password to restrict operators from accessing the MAX across the network from a remote PC running Telnet. Proceed as follows:
- Open the Ethernet > Mod Config menu.
- Set the Telnet PW parameter.
Specify up to 20 characters. Any user who initiates an incoming Telnet session to the MAX must supply this password before the Telnet session is established.
If a user initiates the Telnet session from the WAN, the connection must first be authenticated as specified in a Connection profile.
For additional information about restricting Telnet in the terminal-server interface, see Restricting Telnet, raw TCP, and Rlogin access to the terminal server.
- Set the Telnet Security parameter to specify whether a single authentication step is sufficient when users initiate a Telnet session.
- Save your changes.
Note: The Telnet password does not automatically grant access to the Immediate Modem feature, which allows a user to dial out through the MAX modems without going through the terminal-server interface. For more information, see Restricting access to the Immediate Modem feature.
Dynamic Bandwidth Allocation (DBA) enables the MAX to increase bandwidth as needed and drop bandwidth when it is no longer required. MP+ is the only PPP-based encapsulation method that supports DBA.
When the system adds additional channels, the MAX must authenticate each one. You can secure each circuit by one of the following methods:
| Authentication method | Description |
|---|---|
| Static passwords | Before the MAX dials a new circuit, it prompts the user to enter a static, reusable password as specified in the Connection profile, Password profile, RADIUS user profile, or TACACS/TACACS+ profile. To prevent intruders from capturing the password as it travels across the WAN, you can specify that the MAX use the Challenge Handshake Authentication Protocol (CHAP). With CHAP the password itself never crosses the WAN: the caller answers a random challenge with an MD5 hash computed over the challenge and the shared secret, which both protects the secret and verifies the identity of the caller. For information about specifying a static password and requiring CHAP authentication in the MAX configuration interface, see Configuring PAP, CHAP, or MS-CHAP for PPP, MP, and MP+ calls. For information about configuring static passwords and CHAP in RADIUS, see the RADIUS Configuration Guide. |
| Dynamic passwords | Using PAP-TOKEN authentication, the MAX can require a user to specify a one-time-only password, generated by a security-card server, for each additional channel. For information about setting up PAP-TOKEN authentication in the MAX configuration interface, see Requesting PAP-TOKEN authentication. For information about setting up PAP-TOKEN authentication in RADIUS, see the RADIUS Configuration Guide. |
| Combination of static and dynamic passwords | In the MAX configuration interface, you can indicate that the user need only specify a dynamic password for the initial channel, and that all other channels are authenticated by CHAP. Whenever the MAX adds channels to a PPP or MP+ call using PAP-TOKEN-CHAP authentication, the calling unit sends a CHAP response computed from Aux Send PW (found in the Connection profile used to dial the call), and the answering unit checks it against the value of Recv Auth (in a Connection profile) or Ascend-Receive-Secret (in a RADIUS user profile). The answering unit receives the password when the first channel of the call connects. For details about setting up PAP-TOKEN-CHAP authentication in the MAX configuration interface, see Requesting PAP-TOKEN-CHAP authentication. For information about setting up PAP-TOKEN-CHAP authentication in RADIUS, see the RADIUS Configuration Guide. |
| Cached passwords | You can configure the MAX to reuse a password dynamically generated during session initiation. In this case, both the user and the MAX cache the password. Then, when the MAX needs to add bandwidth, the user's equipment answers the CHAP challenge with the cached password automatically and the MAX uses an internal key to authenticate the additional channels. You can specify a timeout value for the cached password, or configure the MAX to maintain the password throughout the session. For details about setting up cached passwords in the MAX configuration interface, see Requesting CACHE-TOKEN authentication. For information about setting up cached passwords in RADIUS, see the RADIUS Configuration Guide. |

techpubs@ascend.com
Copyright © 1998, Ascend Communications, Inc. All rights reserved.