---

Setting Up User Authentication

This chapter covers the following topics:

Introducing user authentication

Setting up CLID authentication

Setting up called number authentication

Setting up callback security

Setting up call authentication on serial AIM ports

Setting up authentication of PPP, MP, and MP+ calls

Setting up authentication for dial-in terminal server users

Setting up Combinet authentication

Setting up ARA authentication

Setting up X.25 authentication

Setting up IP addressing

Setting up an authentication server

Introducing user authentication

Types of Authentication

CLID (Calling Line ID)

Called Number

Callback

Name and password

Table 3-1. Call types authenticated by name and password requirements

Call Type	Description
PPP, MP, and MP+	You can specify Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Microsoft Challenge Authentication Protocol (MS-CHAP) authentication for name and password verification of incoming and outgoing PPP, MP, or MP+ calls. For details, see "Setting up authentication of PPP, MP, and MP+ calls" on page 3-15.
Terminal server	You can specify that users logging into the terminal server through a V.34, V.42, V.110, or V.120 connection must supply a username and password before gaining admission to the terminal server. For instructions, see "Setting up authentication for dial-in terminal server users" on page 3-23.
Combinet	Combinet authentication uses the remote station's MAC address as its username and allows you to require a password for incoming calls. For details, see "Setting up Combinet authentication" on page 3-28.
ARA	You can specify name and password authentication for AppleTalk callers dialing in through a V.34, V.42, V.120, or X.75 connection. For details, see "Setting up ARA authentication" on page 3-31.
IP Address	You can specify that the MAX authenticate an incoming connection by checking the user's IP address or, you can specify that the MAX assign an IP address to each incoming call. For details, see "Setting up IP addressing" on page 3-38.

How user authentication works?

By default, when you require a profile for authentication the MAX always checks for a Connection profile. If a Connection profile does not exist, the MAX checks for a remote RADIUS, TACACS, or TACACS+ profile. However, you can change this default by setting Local Profile First=No in the External-Auth profile. When Local Profile First=No, the MAX first looks for a remote profile. If it cannot find one, the MAX looks for a local Connection profile.

This section describes how the MAX authenticates an incoming call, the following events take place:

1. Before the MAX answers a call, it checks whether the Answer-Defaults profile requires Calling Line ID (CLID) authentication, called number authentication, or both.

   The CLID is the phone number of the calling device, which is not always provided by the WAN carrier. When the profile requires CLID authentication, the caller's phone number must match a phone number specified in a local Connection profile or RADIUS user profile.

   The called-party number is the phone number the remote device called to connect to the MAX, but does not include a trunk group or dialing prefix specification. This number is always available if specified in a profile. When the profile requires called-number authentication, the number called must match a called-party number in a local Connection profile or RADIUS user profile.

2. If CLID authentication is required or preferred (Id Auth=Require or Prefer) in the Answer profile, or called number authentication is required (Id Auth=Called Require or Called Prefer), the MAX first looks for a matching phone number in a local Connection profile.

   If unsuccessful, the MAX then looks for a matching phone number in a RADIUS user profile. If it still cannot find the correct phone number, the MAX hangs up.

   If CLID authentication is set to Fallback, the MAX must receive a CLID in the incoming call. The MAX answers the call if the CLID matches the local Connection profile or a RADIUS user profile. If the MAX does not receive a response from RADIUS, it uses the authentication set up in the Answer profile.

3. If a matching profile to the CLID or called number is found, the call is answered and further authentication is normally not required. If a matching profile to the CLID or called number is not found and ID Auth=Require or Called Require, the call is not answered.

   Note: The RADIUS attribute Ascend-Require-Auth specifies whether additional authentication is required. For more information, see the MAX RADIUS Configuration Guide.

4. If CLID authentication and called number authentication are not required, or if a matching phone number is found in a local Connection profile or RADIUS user profile, the MAX answers the call.

5. The MAX checks its other Answer profile settings.

6. If the Answer profile specifies the type of link encapsulation the call uses, the MAX continues checking Answer profile parameters. If the Answer profile does not enable the type of link encapsulation the call uses, the MAX drops the call.

7. The MAX checks the value of the Profile Reqd parameter in the Answer profile.

   If Profile Reqd=Yes, the MAX must find a Connection profile, Names/Passwords profile, RADIUS user profile, or TACACS/TACACS+ profile to authenticate the call. Setting up Profile Reqd configures user authentication for the following:

   • Unencapsulated calls

   • Calls using ARA or any other encapsulation listed in step 7

8. The MAX prompts the user for a login name and password. If the name and password match a local Connection profile or Names/Passwords profile, the call is authenticated. If no match is found and RADIUS or TACACS remote authentication has been enabled, the MAX requests authentication from the remote server. The MAX clears the call if authentication fails.

9. If name and password authentication is required, the MAX attempts to match the caller's name and password to a local Connection profile.

   If authentication using a local Connection profile succeeds, the MAX uses the parameters specified in the profile to build the connection.

10. If it cannot find a matching Connection profile, the MAX looks for a Names/Passwords profile.

    If the MAX finds the user's name and password in a Names/Passwords profile, them to build the connection with the settings in the Answer profile.

    Note: The Names/Passwords profile applies only to ARA, PPP, MP, and MP+ calls. It does not apply to terminal server users.

11. If it cannot find a matching Names/Passwords profile, the MAX looks for a RADIUS, TACACS, or TACACS+ profile containing a matching name and password.

    If authentication using a RADIUS user profile succeeds, the MAX uses the specified RADIUS attributes to build the connection. The MAX can then forward the call to its bridge/router or other destination. For example, the MAX might forward a terminal server call to a Telnet or TCP host.

    If authentication using a TACACS or TACACS+ profile succeeds, the MAX must make a request to the server for information about the resources and services the user can access.

12. If name and password authentication is not required (Recv Auth=None or Password Reqd=No in the Answer profile), the MAX can match IP-routed PPP calls by using the IP address specified by the Connection profile.

13. If the Answer profile does not require a profile (Profile Reqd=No), the MAX uses Answer profile parameters to build the connection.

No matter which authentication method you choose, you can access authentication and user configuration data stored locally or remotely. You have the following options:

• Local authentication using a Connection profile or a Names/Passwords profile.

• Remote authentication using a TACACS, TACACS+, or RADIUS server. (For details of configuring the MAX to use a TACACS or TACACS+ server, see "Setting up an authentication server" on page 3-42. For details of configuring the MAX to use a RADIUS server, see the MAX RADIUS Configuration Guide.)

• Remote authentication using a AssureNet Defender server. For details of configuring the MAX to use a Defender server, see "Configuring direct Defender server authentication" on page 5-24.

• Security-card authentication. You use an external authentication server, such as an ACE or SafeWord server, and set up your network site to require that users change passwords very frequently (many times per day). For details, see Chapter 3, "Setting Up User Authentication."

Setting up CLID authentication

Table 3-2. CLID authentication parameters

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Id Auth=Require Profile Reqd=Yes
Ethernet\>Answer\>PPP Options	Recv Auth=Either
Ethernet > Answer > COMB Options	Password Reqd=Yes
Ethernet > Connections > any Connection profile	Station=Emma Calling #=555-1213
Ethernet > Connections > any Connection profile > Encaps Options	Recv PW=office-pw
Ethernet > Ethernet > Mod Config > Auth menu	CLID Timeout Busy=No CLID Fail Busy=No

When you set up CLID authentication, you can choose one of the following configurations:

• Authenticate all callers using name, password, and calling line ID.

  For details, see "Setting up authentication using a name, password, and calling line ID" on page 3-7.

• Authenticate all callers using a calling line ID only. (For details, see "Setting up authentication using a calling line ID only" on page 3-8.)

• Use an external authentication server, such as a token-card authentication server, to authenticate users after CLID authentication. (For details, see the MAX RADIUS Configuration Guide.)

• Request PAP, CHAP, or MS-CHAP after CLID authentication. (For details, see the MAX RADIUS Configuration Guide.)

• In some installations, the WAN provider might not be able to deliver CLIDs, or a caller might choose to keep a CLID private.

• CLID authentication applies only for connections in which CLID is available end-to-end and ANI (Automatic Number Identification) applies to the call.

• T1 access lines and Switched-56 lines do not support CLID.

• When a user dials into the MAX for a MP or MP+ connection, the calling device might have more than one phone number associated with it. In this type of situation, the CLID is the phone number associated with the channel in use.

• If you set up a RADIUS user profile for callback and CLID-only authentication, the MAX never answers the call, and the caller therefore avoids possible billing charges.

When you set up CLID authentication either in RADIUS or in a MAX Connection profile, you must specify what the MAX requires for the CLID authentication. Table 3-3 lists the available options:

Table 3-3. CLID authentication requirement options

Option	Description
Require	The MAX must receive a CLID from the incoming call. The CLID must match a Calling # parameter in a local Connection profile or in a RADIUS user profile that has Password set to Ascend-CLID (For more information, see the MAX RADIUS Configuration Guide). If the MAX does not receive a CLID or if it cannot match the CLID, the call is not answered. Note: The matching user profile in RADIUS can require name and password authentication in addition to CLID, depending on the value of the Ascend-Require-Auth attribute.
Prefer	The MAX does not require a CLID from the incoming call. If a CLID is received, the MAX compares the CLID with a Calling # parameter in a local Connection profile or with a RADIUS user profile that has Password set to Ascend-CLID. If the MAX does not receive a CLID from the incoming call, it uses the authentication configured in the Answer profile.
Fallback	The MAX must receive a CLID in the incoming call. If no CLID is received, the MAX does not answer the call. If a CLID is received, the MAX compares the CLID with a Calling # parameter in a local Connection profile or with a RADIUS user profile with Password set to Ascend-CLID. If the CLID does not match that has the Connection profile and the MAX does not receive a response from the RADIUS server, it uses the authentication configured in the Answer profile.

Setting up authentication using a name, password, and calling line ID

To require all callers to pass name, password, and CLID, authentication, proceed as follows:

1. In the Ethernet > Answer menu, set Id Auth=Prefer.

   The Prefer setting specifies that, whenever CLID is available, the MAX compares the calling party's phone number to the value of the Calling # parameter in the Connection profile or a RADIUS user profile set up for Ascend-CLID.

   • If a match is found, and no further authentication is required, the MAX accepts the call.

   • If a match is found and the MAX requires further authentication (Profile Reqd=Yes in the Answer profile), the MAX applies authentication using the Recv Auth or Password Reqd parameters in the Answer profile.

   • If the CLID is not available, or if the MAX cannot find a match to the calling party number, the MAX applies authentication using the Recv Auth or Password Reqd parameters in the Answer profile.

   Note: You can also set Id Auth=Require or Id Auth=Fallback.

2. Verify that no local profiles are set up for CLID authentication.

3. Set Profile Reqd=Yes.

4. For PPP calls, set Recv Auth to the authentication protocol.

5. For Combinet calls, set Password Reqd=Yes.

6. Set the CLID Timeout Busy parameter to specify whether the MAX returns User Busy when CLID authentication fails because of a RADIUS timeout.

   Set CLID Timeout Busy=Yes, to specify that MAX returns User Busy as the disconnect cause when CLID authentication fails because of a RADIUS timeout.

   The default value is No. When CLID Timeout Busy=No, the MAX returns Normal Call Clearing as the disconnect cause.

7. Set the CLID Fail Busy parameter to specify whether the MAX returns User Busy when CLID authentication fails for any reason other than a RADIUS timeout.

   Set CLID Fail Busy=Yes to specify that the MAX returns User Busy when CLID authentication fails for any reason other than a RADIUS timeout.

   The default is No. CLID Fail Busy=No specifies that the MAX returns Normal Call Clearing.

1. Save your changes.

Setting up authentication that uses a calling-line-ID only

To require all callers to authenticate by a calling-line-ID only, proceed as follows:

1. In the System > Sys Config menu, specify the name of the MAX as the Name parameter.

2. In the Ethernet > Answer menu, set Profile Reqd=Yes.

3. In the Ethernet > Answer menu, set Id Auth=Require.

   The Require setting specifies that the calling party's phone number must match the value of the Calling # parameter in the Connection profile before the MAX can answer the call. If CLID is not available, the MAX does not answer the call.

4. Open the Ethernet > Connections menu.

5. In the Connection profile, specify the caller's phone number by setting the Calling # parameter.

6. Save your changes.

Setting up called number authentication

To set up called-number authentication, use the parameters listed in Table 3-4.

Table 3-4. Called Number authentication parameters

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Id Auth=Called Require Profile Reqd=Yes
Ethernet\>Answer\>PPP Options	Recv Auth=Either
Ethernet > Answer > COMB Options	Password Reqd=Yes
Ethernet\>Connections\>ny Connection profile	Station=Emma Called #=555-1213
Ethernet\>Connections\>ny Connection profile > Encaps Options	Recv PW=office-pw

Setting up called-number authentication options

• Authenticate all callers with name, password, and called number. (For details, see "Setting up authentication using a name, password, and called number" on page 3-10.)

• Authenticate all callers by called-number only. (For details, see "Setting up authentication using the called number only" on page 3-10.)

• Authenticate with an external authentication server, such as a token-card authentication server, to authenticate users after called number authentication.

Table 3-5. Called Number authentication options

Option	Description
Called Require	The MAX must receive a called number from the incoming call. The called number must match a Called-number parameter, in a local Connection profile or in a RADIUS user profile (For more information, see the MAX RADIUS Configuration Guide). If the MAX does not receive a called number or if it cannot match the called number, the call is not answered. Note: The matching user profile in RADIUS can require name and password authentication in addition to called number, depending on the Ascend-Require-Auth attribute.
Called Prefer	The MAX does not require a called number from the incoming call. If a called number is received, however, the MAX compares the called number with a Called # parameter in a local Connection profile or with a RADIUS user profile. If the MAX does not receive a called number from the incoming call, it uses the authentication configured in the Answer profile.

Setting up authentication using a name, password, and called number

To require all callers to pass name, password, and called number authentication. Proceed as follows:

1. In the Ethernet > Answer menu, set Id Auth=Called Prefer.

   The Prefer setting specifies that whenever the called number is available, the MAX compares the phone number called to the value of Called # in the Connection profile.

   • If a match is found, and no further authentication is required, the MAX accepts the call.

   • If a match is found and the MAX requires further authentication (Profile Reqd=Yes in the Answer profile), the MAX applies authentication using the Recv Auth or Password Reqd parameters in the Answer profile.

   • If the called number is not available, or if the MAX cannot find a match to the calling party number, the MAX applies authentication using the Recv Auth or Password Reqd parameters in the Answer profile.

2. Verify that no Connection profiles are set up to authenticate users by called number.

3. Set Profile Reqd=Yes.

4. For PPP calls, set Recv Auth to the authentication protocol.

5. For Combinet calls, set Password Reqd=Yes.

6. Save your changes.

To require all callers to pass a called-number authentication only, proceed as follows:

1. In the System > Sys Config menu, set the Name parameter to specify the name of the MAX.

2. In the Ethernet > Answer menu, set Profile Reqd=Yes.

3. In the Ethernet > Answer menu, set Id Auth=Called Require.

   The Called Require setting specifies that the called number must match the value of the Called # parameter in the Connection profile before the MAX can answer the call. If the called number is not available, the MAX does not answer the call.

4. Open the Ethernet > Connections menu.

5. In the Connection profile, specify the called number by setting the Called # parameter.

6. Save your changes.

Setting up callback security

Ascend callback security

For outgoing calls, you can configure the MAX to expect a callback from the machine that is called. This prevents problems that arise when CLID is set to Required (ID Auth=Required) on the machine that is expected to call back.

For example, in Figure 3-1 Ping or Telnet is initiated through a MAX to a Pipeline, and CLID is set to Required on the Pipeline (the side that is calling back). The Pipeline rejects the incoming call before answering it. To the MAX (the initiating side), it appears as if the call never got through.

Figure 3-1. Callback connection failure

The Callback process is disrupted when protocols like Ping and Telnet continuously try to open a connection.

When Expect Callback is set to Yes, calls that dial out and do not connect (for any reason) are put on a list that disallows any further calls to that destination for 90 seconds. This gives the far end an opportunity to complete the callback. If a call fails for any reason, regardless of whether or not the called machine requires CLID and is attempting a callback, the call initiator must still wait 90 seconds before attempting to call the same number again.

Table 3-6 lists the Ascend callback parameters on the MAX.

Table 3-6. Ascend callback security parameters

Location	Parameters with sample values
Ethernet\>Connections\>any Connection profile	Calling #=555-1213 Dial #=555-1213
Ethernet\>Connections\>any Connection profile > Telco Options	Callback=Yes Exp Callback=Yes AnsOrig=Both

For information about setting up callback security in RADIUS, see the MAX RADIUS Configuration Guide.

To set callback security on the MAX, proceed as follows:

1. Open the Ethernet > Connections menu.

2. Open a Connection profile.

3. Set the Dial # parameter to specify the number the MAX dials to reach the remote end of the connection.

   For example:

   Dial #=555-1213
   

   Note: The MAX can also use the CLID to reach the remote end of the connection, if the CLID is available.

4. Set the Calling # parameter to specify the number the remote device dials to call the MAX.

   For example:

   Calling #=555-1213
   

5. Open the Telco Options submenu of the Connection profile.

6. Turn on callback security by setting the following parameters as shown:

   Callback=Yes
   Exp Callback=Yes
   AnsOrig=Both
   

   Note: Callback does not apply to leased lines (if Call Type=Nailed).

   When you set Callback=Yes, you must also set AnsOrig=Both, because the Connection profile must both answer the call and call back the device requesting access. Similarly, the calling device must be able to both dial to and accept calls from the MAX.

   To prevent a problem when CLID on the called machine is set to Required, set Exp Callback to Yes.

7. Save your changes.

Microsoft's Callback Control Protocol (CBCP)

CBCP also offers features not available with the standard callback defined in RFC 1570. The client side supports a configurable time delay to allow users to initialize modems or enable supportive software before the MAX calls the client. You can configure the MAX with a phone number to use for the callback, or you can configure it to allow the client to specify the phone number used for the callback.

Currently, Microsoft's Windows NT 4.0 and Windows 95 software support client-side authentication using CBCP. The MAX supports a CBCP central-site solution.

Ascend's implementation of CBCP

The MAX employs the username and password to link a caller with a specific Connection profile or RADIUS User profile. Configured CBCP parameters in that Connection profile specify variables for the callback. If, at any point, the client and the MAX disagree about any CBCP variables, the MAX might drop the connection.

Both sides of the connection must agree on whether the callback phone number is supplied by the client or by the MAX. A new trunk group parameter, configured on the MAX, supplies a trunk group that is prepended to phone numbers when they are supplied by the client.

Table 3-7

Table 3-7. Microsoft's CBCP parameters on the MAX

Location	Sample parameters
Ethernet > Answer > PPP options	CBCP Enable
Ethernet > Connections > any Connection profile > Encaps options	CBCP Mode
Ethernet > Connections > any Connection profile > Encaps options	CBCP Trunk Group

lists the MAX parameters for CBCP.

For information about setting up callback security in RADIUS, see the MAX RADIUS Configuration Guide.

Negotiation of CBCP

1. Caller connects to MAX.

2. LCP negotiations begin.

   Caller and MAX must agree to use CBCP. Otherwise, the MAX terminates the connection.

3. After successful LCP negotiation, both sides have acknowledged that CBCP will be used, and CBCP begins after authentication.

4. Caller authenticates itself to MAX. If authentication fails, the MAX terminates the connection.

5. The MAX verifies that the profile has CBCP Mode set. CBCP begins.

6. The MAX sends a request to determine if a callback is to occur. The caller's configuration must match the CBCP Mode value on the MAX.

   The client also supplies to the MAX the number of seconds it should delay before initiating the callback, and, if applicable, the phone number.

7. If both sides agree on which phone number the MAX will dial, and the client clears the connection.

8. The MAX delays the callback on the basis of the previous negotiation.

9. The MAX dials the client, by applying information from the same profile used during negotiation.

1. Open the Ethernet > Answer > PPP Options menu.

2. Set CBCP Enable = Yes.

3. Open the Ethernet > Connections > any Connection profile > Encaps Options menu.

4. Set CBCP Mode to the callback mode to be offered the caller.

5. If the caller is supplying the phone number, set CBCP Trunk Group to the value (4-9) that the MAX prepends to the number when calling back.

6. Save your changes.

Setting up call authentication on serial AIM ports

Understanding serial call authentication

Upon initial connection of the first channel, the originating unit passes the Call profile password to the authenticating unit. The authenticating unit compares the password received with stored in the Port profile. If the password received matches the stored password, the session is established normally for the remainder of the call. If there is no match, the authenticating unit sends a message back to the originator and drops the session. The port status screen in Host > Dual\>portname\>Message Log indicates that the call failed authentication.

Configuring serial port passwords

1. For outgoing AIM or BONDING calls, specify the DBA call password as the Call Password setting in the Host/Dual (or Host/6) \>Port N Menu\>Directory\>appropriate Call profile.

   Dynamic Bandwidth Allocation (DBA) enables the MAX to increase bandwidth as needed and drop bandwidth when it is no longer required.

2. For incoming AIM and BONDING calls, specify the port password as the Port Password setting in Host/Dual (or Host/6) \>Port N Menu\>Port Config (the Port profile)

Setting up authentication of PPP, MP, and MP+ calls

The only MS-CHAP format Ascend units support is the Windows NT version, with DES and MD4 encryption. An Ascend unit can authenticate a Windows NT system and a Windows NT system can authenticate an Ascend unit. For more specific information about the MS-CHAP format, see Microsoft's Web site at:

ftp://ftp.microsoft.com/DEVELOPR/RFC/chapexts.txt

For information about how PPP, MP, and MP+ authentication works, see "How does user authentication work?" on page 3-3. For complete information about setting up PPP, MP, and MP+ calls on the MAX, see the Network Configuration Guide for your MAX. For complete information about setting up PPP, MP, and MP+ calls and authentication in RADIUS, see the MAX RADIUS Configuration Guide.

Understanding PPP, MP, and MP+

A PPP connection is usually a bridged or routed network connection initiated in PPP dialup software. Figure 3-2 shows the MAX with a PPP connection to a remote user running Windows 95 with the TCP/IP stack and PPP dialup software.

Figure 3-2. A PPP connection

MP and MP+ are enhancements to PPP for supporting multichannel links.

MP supports a fixed number of multichannel links. The base channel count determines the number of calls to place, and the number of channels does not change. In addition, MP requires that all channels in the connection share the same phone number. That is, the channels on the answering side of the connection must be in a hunt group.

MP+ supports multichannel links and Dynamic Bandwidth Allocation (DBA). DBA enables the MAX to increase bandwidth as needed and drop bandwidth when it is no longer required. MP+ is the only PPP-based encapsulation method that supports DBA. An MP+ connection can combine up to 30 channels into a single high-speed connection.

Understanding PAP, CHAP, and MS-CHAP

• The calling unit's secret is called the remote secret. The MAX does not know the value of this secret.

• The MAX unit's secret is called the NAS secret (because the MAX is an Network Access Server). The calling unit does not know the value of this secret.

How PAP works

For PAP authentication, the following events take place:

1. The calling unit sends the remote secret in the clear to the MAX.

2. The MAX uses the NAS secret to encrypt the remote secret.

3. The RADIUS server uses the NAS secret to decrypt the remote secret.

4. The RADIUS server passes the clear copy of the remote secret to a UNIX or other password validation system.

For CHAP authentication, the following events take place:

1. The MAX sends a random, 128-bit challenge to the calling unit.

2. The calling unit uses the remote secret, the challenge, and the PPP packet ID to calculate an MD5 digest.

3. The calling unit sends the MD5 digest, the challenge, and the PPP packet ID (but not the remote secret) to the MAX. The MAX never has the remote secret.

4. The MAX forwards the digest, along with the original challenge and PPP packet ID to RADIUS.

   No encryption is necessary, because MD5 creates a one-way code that cannot be decoded. In addition, RADIUS cannot extract the remote secret. Therefore, it cannot provide a password to a UNIX password system. For this reason, CHAP and UNIX authentication cannot work together.

5. The RADIUS server looks up the remote secret from a local database and uses the local version of the remote secret, along with the challenge and the PPP packet ID it received from the MAX, to calculate an MD5 digest.

6. The RADIUS server compares the calculated MD5 digest with the digest it received from the MAX.

   If the digests are the same, the remote secrets used by the calling unit and the RADIUS server are the same, and the call is authenticated.

ftp://ftp.microsoft.com/DEVELOPR/RFC/chapexts.txt

Configuring PAP, CHAP, or MS-CHAP for PPP, MP, and MP+ calls

• Set systemwide System, Answer, and Ethernet profile parameters. These parameters specify the name of the MAX, the types of encapsulation allowed, the kind of authentication required, and the contents of one or more IP address pools.

• Set up a Connection profile, Names/Passwords profile, or RADIUS user profile containing settings for each individual connection.

  Note: You only need to set up one of these profiles.

Table 3-8. Parameters for incoming connections using PAP, CHAP, or MS-CHAP

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Profile Reqd=Yes
Ethernet\>Answer\>Encaps	PPP=Yes MP=Yes MPP=Yes
Ethernet\>Answer\>PPP Options	Recv Auth=PAP, CHAP, MS-CHAP, or Either
Ethernet\>Mod Config\>WAN Options	Pool#1 Start=100.0.0.20 Pool#1 Count=90 Pool Only=Yes
Ethernet\>Connections > any Connection profile	Station=dialmax Encaps=PPP, MP, or MPP
Ethernet\>Connections > any Connection profile > Telco Options	Dialout OK=Yes
Ethernet\>Connections\>any Connection profile\> Encaps Options	Recv PW=office-pw
Ethernet\>Names/Passwords\>any Names/Passwords profile	Name=Fred Recv PW=office-pw

Setting systemwide parameters

1. To specify the name of the MAX used for making outgoing calls, set the Name parameter in the System > Sys Config menu.

2. In the Ethernet > Answer menu, set Profile Reqd=Yes.

   This setting specifies that the MAX rejects incoming calls for which it can find no Connection profile, no Names/Passwords profile, and no entry on a remote authentication server.

   For an ARA connection, setting Profile Reqd=Yes prohibits Guest access.

3. In the Ethernet > Answer > Encaps menu, specify that the unit can receive PPP, MP, or MP+ calls or any combination of PPP, MP, and MP+ calls.

   Note: PAP, CHAP, and MS-CHAP authentication is available only if you choose MP, MPP, or PPP.

   • To specify that the unit can receive PPP calls, set PPP=Yes.

   • To specify that the unit can receive MP calls, set MP=Yes.

   • To specify that the unit can receive MP+ calls, set MPP=Yes.

4. In the Ethernet > Answer > PPP Options menu. Set Recv Auth to PAP, CHAP, MS-CHAP, or Either.

   When you specify Either, the MAX allows authentication if the remote peer can authenticate with any of the designated authentication schemes. If you specify a protocol, the MAX allows authentication only if the remote peer uses that protocol for authentication.

5. If you are using a Names/Passwords profile for an IP routing connection, open the Ethernet > Mod Config > WAN Options menu to begin setting up one or more IP address pools.

   Unlike Connection profiles and RADIUS user profiles, Names/Passwords profiles cannot specify an IP address for the calling station. When you use a Names/Passwords profile to authenticate an IP routing connection, the MAX automatically assigns the PPP caller a dynamic IP address as the connection is established. For a call configured in a Names/Passwords profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

6. Set up address pools by setting the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Specify a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Specify an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also set up address pools by setting the Ascend-IP-Pool-Definition attribute. For details, see the MAX RADIUS Configuration Guide.

7. Set Pool Only=Yes.

   The Pool Only parameter determines whether a caller can reject an IP address assignment and use his or her own IP address. To eliminate the possibility of a caller rejecting the automatic dynamic assignment and spoofing a local, trusted address, set Pool Only=Yes when using Names/Passwords profiles to authenticate IP routing connections.

   For a call configured in a Names/Passwords profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

   If the calling station rejects the assignment, the MAX ends the call.

8. Save your changes.

1. Open the Ethernet > Connections menu.

2. Open a Connection profile.

3. Set the Station parameter to the name of the user or device making the incoming call.

4. Set the Encaps parameter to the type of encapsulation used on the link:

   • PPP, which specifies Point-to-Point Protocol, ensures basic compatibility with non-Ascend devices. For this setting to work, both the dialing side and the answering side of the link must support PPP.

   • MP specifies Multilink Protocol.

   • MPP specifies Multilink Protocol Plus (MP+). Both the dialing side and the answering side of the link must support MP+. If only one side supports MP+, the connection attempts to use MP. If MP is not available, the connection uses standard single-channel PPP.

   MP+ calls cannot combine an ISDN BRI channel with a channel on a T1 access line or a T1 PRI line.

5. Open the Encaps Options submenu of the Connection profile.

6. Set the Recv PW parameter to specify the password that the remote end of the link must send.

   If the password specified by Recv PW does not match the remote end's value for Send PW (in a Connection profile), Ascend-Send-Passwd (in a RADIUS user profile), or Ascend-Send-Passwd (in a RADIUS user profile), the MAX disconnects the link.

7. Save your changes.

You have to set Names/Passwords profile parameters, including the Template Connection # parameter and then activate the profile.

Setting the names and passwords profile parameters

1. Open the Ethernet menu.

2. Open the Names/Passwords menu.

3. Open a Names/Passwords profile.

4. Set the Name parameter to the name of the user or device making the incoming call.

   In a Names/Passwords profile, the Name parameter specifies the username associated with the profile. The name you specify also becomes the name of the profile.

5. Set the Recv PW parameter to specify the password that the remote end of the link must send.

   If the password specified by Recv PW does not match the remote end's value for Send PW (in a Connection profile), Ascend-Send-Passwd (in a RADIUS user profile), or its equivalent, the MAX disconnects the link.

• Use the default, Template Connection=#0 (the Answer profile), to specify that the Names/Passwords Profile use the Answer Profile as a template.

This mode supports clients dialing in over PPP and ARA, but does not support a router dialing in.

• Enter a profile number from 1 to 31 to specify the Connection Profile to which the number refers.

In this mode the Names/Passwords profile functions as an alias for the Connection profile.

1. Set Active=Yes.

2. Save your changes.

Disabling groups of dial-in calls with the Names/Passwords profile

For example, you can set up a Connection profile for the Sales group to use when dialing in, then set up a Names/Passwords profile for each individual salesperson. To prevent a user (or users) from dialing in, use one of the following two methods:

• To prevent a single salesperson from dialing in, deactivate the Names/Passwords profile for that salesperson by setting the Names/Passwords Active flag for the user's Names/Passwords profile to No.

• De-activate the entire Sales group by setting the Connection profile Active flag for the Sales group to No.

Using a RADIUS user profile

Requesting PAP, CHAP, or MS-CHAP for outgoing calls

Table 3-9. Parameters for outgoing connections using PAP, CHAP, or MS-CHAP

Parameter	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Connections\>any Connection profile	Encaps=PPP, MP, or MPP
Ethernet\>Connections\>any Connection profile\> Encaps Options	Send Auth=PAP, CHAP, or MS-CHAP Send PW=office-pwd

To specify PAP, CHAP, or MS-CHAP for an outgoing PPP, MP, or MP+ call, proceed as follows:

1. Set the Name parameter in the System > Sys Config menu to specify the name of the MAX,

2. Open the Ethernet > Connections menu.

3. In the Connection profile, set the Encaps parameter to the type of encapsulation used on the link:

   • PPP specifies that Point-to-Point Protocol, which ensures basic compatibility with non-Ascend devices. For this setting to work, both the dialing side and the answering side of the link must support PPP.

   • MP specifies Multilink Protocol.

   • MPP specifies Multilink Protocol Plus. Both the dialing side and the answering side must support MP+. If only one side supports MP+, the connection attempts to use MP. If MP is not available, the connection uses standard single-channel PPP.

   MP+ calls cannot combine an ISDN BRI channel with a channel on a T1 access line or a T1 PRI line.

4. In the Encaps Options submenu of the Connection profile, set Send Auth=PAP, CHAP, or MS-CHAP.

   This parameter specifies the authentication protocol that the MAX requests when initiating a connection using PPP, MP, or MP+ encapsulation. The answering side of the connection determines which authentication protocol the connection uses (if any).

5. In the Encaps Options submenu, set the Send PW parameter to the password that the MAX sends to the remote end of a connection on outgoing calls.

   If the password specified by Send PW does not match the remote end's value for Recv PW (in a Connection profile), Ascend-Receive-Secret (in a RADIUS user profile), or its equivalent the remote end disconnects the link.

6. Save your changes.

Setting up authentication for dial-in terminal server users

A remote-terminal-server session uses one of the following types of encapsulation:

Table 3-10. Dial-in terminal-server encapsulation types

Encapsulation Type	Description
Modem calls	The calls originate from either analog or digital modems. Incoming modem calls and incoming digital calls come over the same digital line to the MAX unit's integrated V.34 or V.42 digital modem. An incoming modem call could be initiated from a PC running a communication program like Soft Comm, which causes the user's modem to dial into the MAX. The MAX directs the call to its digital modems, and then forwards the calls to its terminal-server software. The terminal server either displays one of its interfaces to the caller or forwards the call to a Telnet or TCP host on the local network, depending on how it is configured.
V.110	A V.110 card provides eight V.110 modems, each of which enables the MAX to communicate with an asynchronous device over synchronous digital lines. An asynchronous device such as an ISDN modem encapsulates its data in V.110. The V.110 module in the MAX removes the encapsulation and enables an asynchronous session, that is, a terminal server session.
V.120 calls	V.120 terminal adapters such as the BitSurfer (also known as ISDN modems) asynchronous calls with CCITT V.120 encapsulation. The MAX handles V.120 encapsulation in software, so it does not require installed devices to process these calls. After removing the link encapsulation, the MAX forwards these calls to its terminal-server software. The terminal server either displays one of its interfaces to the caller or forwards the call to a Telnet or TCP host on the local network, depending on how it is configured. Or, if it detects PPP encapsulation, it can forward the call to the bridge/router software for an async PPP session.

How terminal server authentication works

For more general information about how authentication works in the MAX, see "How does user authentication work?" on page 3-3.

Standard terminal server authentication

• The Passwd parameter in the Ethernet > Mod Config > TServ Options menu

• Connection profile parameters

1. A caller initiates a terminal-server session that uses a V.34, V.42, V.110, or V.120 connection.

2. If Security=Full or Partial and Initial Scrn=Cmd in the TServ Options menu, the MAX compares the password to the Passwd parameter.

3. If the caller enters the wrong password, the MAX hangs up.

4. If the caller enters the proper password or if no password is assigned to the Passwd parameter, the MAX attempts to verify the caller by using Connection profile information.

5. If Security=None or Partial and Initial Scrn=Menu, the MAX skips the Passwd parameter and attempts to verify the caller by using the Connection profile information.

1. Before the MAX answers a call, it checks whether the Answer-Defaults profile requires Calling Line ID (CLID) authentication, called number authentication, or both.

   The CLID is the phone number of the calling device, which is not always provided by the WAN carrier. When the profile requires CLID authentication, the caller's phone number must match a phone number specified in a local Connection profile or RADIUS user profile.

   Note: The called-party number is the phone number the remote device called to connect to the MAX, but does not include a trunk group or dialing prefix specification.

   This number is always available if specified in a profile. When the profile requires called- number authentication, the number called must match a called-party number in a local Connection profile or RADIUS user profile.

2. If CLID authentication is required (Id Auth=Require in the Answer profile) or called-number authentication is required (Id Auth=Called Require), the MAX first looks for a matching phone number in a local Connection profile.

   If one does not exist, it then looks for a matching phone number in a RADIUS user profile. If it cannot find the correct phone number, the MAX hangs up.

3. If CLID authentication and called-number authentication are not required, or if the MAX finds a matching phone number in a local Connection profile or RADIUS user profile, it answers the call.

4. Terminal-server sessions can require a system-terminal-server password in addition to the per-user password.Whether a system-terminal-server user password is required depends upon how the Security and Initial Scrn parameters in the Ethernet profile have been set:

   • If Security=None, no authentication is performed.

   • If Security=Partial, The MAX checks the value of the Profile Reqd parameter in the Answer profile. If Profile Reqd=Yes, the MAX must find a Connection profile, Names/Passwords profile, RADIUS user profile, or TACACS/TACACS+ profile to authenticate the call.

   • If Security=Full, the MAX must find a Connection profile, Names/Passwords profile, RADIUS user profile, or TACACS/TACACS+ profile to authenticate the call, and then prompt the user for the correct name.

5. If the name matches a local Connection profile or Names/Passwords profile, the call is authenticated. If no match is found and RADIUS or TACACS remote authentication has been enabled, the MAX requests authentication from the remote server. The MAX clears the call if authentication fails.

Modem calls

For dial-in users using modems, V.120, or V.110 devices to transport asynchronous PPP, see "Setting up authentication of PPP, MP, and MP+ calls" on page 3-15. In these cases, none of the above steps apply. Asynchronous PPP and synchronous PPP sessions are treated identically by the MAX, except that asynchronous PPP sessions do not allow the user access to the MAX unit's terminal-server menus or commands.

This section describes first-level authentication using the Passwd parameter. For information about authentication using a Connection profile, see "Setting Connection profile parameters" on page 3-20.

Dial-in calls with no login host specified

To set up the MAX to accept dial-calls when no login server is specified, set Auth TS Secure=No in the Ethernet > Mod Config > Auth menu. The default is Auth TS Secure=Yes, which means the MAX drops dial-in calls if there is no login server and Login-Server is Telnet or TCP-Clear.

Immediate Service

Configuring terminal server authentication

Table 3-11. Terminal server security parameters

Location	Parameters with sample values
Ethernet\>Mod Config\>TServ Options	TS Enabled=Yes Passwd=office-paswd Security=Full Login Timeout=300 Login Prompt: Login: Password Prompt: Password Prompt: Toggle Scrn=No

To set up password authentication for the terminal-server interface, proceed as follows:

1. Open the Ethernet > Mod Config > TServ Options menu.

2. Set TS Enabled=Yes.

   This setting enables users to access the terminal server interface. If you set this parameter to No, no one can access the terminal server interface.

3. Set the Passwd parameter to specify the password a user must enter to begin a terminal- server session.

   You can enter up to 20 characters. The password is case sensitive

4. Set Security either to Full or Partial.

   The Security parameter specifies whether a user must enter a password under different circumstances.

   • Partial specifies that the user must enter the system-terminal-server password (as specified by the Passwd parameter) before entering the terminal-server command line mode, but the user is not prompted for a login name or password. The user must enter a terminal-server password when changing between menu-driven mode and command-line mode if Initial Scrn=Cmd or Toggle Scrn=Yes in the TServ Options menu.

   • Full specifies that the user must enter the system terminal server password (in the Passwd parameter) before entering the terminal server command line mode. When making the initial connection, the user must enter a login name and password that match a local Connection profile or a RADIUS or TACACS profile. The user must enter a terminal server password when changing between menu-driven mode and command-line mode if Initial Scrn=Cmd or Toggle Scrn=Yes in the TServ Options menu. For information about restricting the options available from the menu-driven interface, see "Restricting Telnet, raw TCP, and Rlogin access to the terminal server" on page 3-28.

5. Set the Login Timeout parameter. to specify the number of seconds the MAX waits for a user to complete logging in before disconnecting the user.

   You can enter any integer from 0 to 300 seconds. The default is 300 (seconds).

   The timer starts when the login prompt appears on the terminal-server screen. It does not reset when the user makes an unsuccessful login attempt. If the user has not logged in successfully by the time indicated by Login Timeout has elapsed, the MAX disconnects the call.

6. Set the Login Prompt parameter to specify the prompt the terminal-server displays when asking the user for a login name.

   A login prompt can consist of up to 31 characters.

7. Set the Password Prompt parameter.

   Specify the prompt the terminal-server displays when asking the user for a password.

   A login prompt can consist of up to 31 characters.

8. Save your changes.

If you prefer, you can authenticate a terminal-server user with the name and password from a Names/Passwords profile, with any additional required parameter settings from the Answer or Connection profile. Because the Names/Passwords profile does not include all the parameters a terminal-server session might require, the MAX uses the settings from the Answer profile or Connection profile named in the Template parameter for the additional parameters.

Restricting Telnet, raw TCP, and Rlogin access to the terminal server

• Give users a menu of specific hosts to which they can establish a Telnet, raw TCP, or Rlogin session. For information about menu mode, see the Network Configuration Guide for your MAX.

• Specify that users establish a Telnet, raw TCP, or Rlogin session with a device immediately after login, bypassing the terminal server interface altogether. For information about immediate mode, see the Network Configuration Guide for your MAX.

1. Open the Ethernet > Mod Config > TServ Options menu.

2. Set the Host #n Addr and Host #n Text parameters to specify the hosts to which users can establish Telnet, raw TCP or Rlogin sessions.

   These parameters specify the IP addresses and descriptions of the first, second, third, and fourth hosts to which an operator can Telnet. The user sees a list of hosts only if he or she has access to the menu-driven interface. For details of granting such access, see "Restricting Telnet, raw TCP, and Rlogin access to the terminal server" on page 3-28.

   For example, you might specify the following settings:

   Host #1 Addr=10.2.3.1/24
   

   Host #1 Text=host1.abc.com
   

   Host #2 Addr=10.2.3.2/24
   

   Host #2 Text=host2.abc.com
   

   Host #3 Addr=10.2.3.3/24
   

   Host #3 Text=host3.abc.com
   

   Host #4 Addr=10.2.3.4/24
   

   Host #4 Text=host4.abc.com
   

   The MAX ignores the Host #n Addr parameter if a RADIUS server supplies the list of Telnet hosts, that is, if you set Remote Conf=Yes. For information about setting up a list of hosts in RADIUS, see the MAX RADIUS Configuration Guide.

3. Save your changes.

Setting up Combinet authentication

Figure 3-3. A Combinet connection

Combinet bridging uses a physical Media Access Control (MAC) address and a password to authenticate calls. For information about how MAX authentication works, see "How does user authentication work?" on page 3-3.

Table 3-12 lists the Combinet authentication parameters with sample values.

Table 3-12. Combinet authentication parameters

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Profile Reqd=Yes
Ethernet\>Answer\>PPP Options	Bridge=Yes
Ethernet\>Answer\>Encaps	COMB=Yes
Ethernet\>Answer\>COMB Options	Password Reqd=Yes
Ethernet\>Mod Config	Bridging=Yes
Ethernet\>Connections\>any Connection profile	Station=000145CFCF01 Encaps=COMB Bridge=Yes MAX Call Duration=0
Ethernet\>Connections\>any Connection profile > Telco Options	Dialout OK=Yes
Ethernet\>Connections\>any Connection profile\>Encaps Options	Recv PW=office-pw Send PW=office-pwd Password Reqd=Yes

This section describes how to set up authentication for Combinet calls in the MAX configuration interface. For complete information about setting up Combinet calls on the MAX, see the MAX Network Configuration Guide. For information about setting up Combinet calls and Combinet authentication in RADIUS, see the MAX RADIUS Configuration Guide.

Understanding Combinet authentication

• Set systemwide System, Answer, and Ethernet profile parameters specifying the name of the MAX, the type of encapsulation allowed, and whether a password is required.

• Set up a Connection profile or a RADIUS user profile containing settings for each individual connection.

  Note: You only need to set up one of these profiles.

If it cannot find a matching Connection profile, the MAX looks for a RADIUS user profile, a TACACS profile, or a TACACS+ profile.

Setting systemwide parameters

1. Set the Name parameter in the System > Sys Config menu to specify the name of the MAX.

2. Open the Ethernet > Answer menu.

3. To disable Guest access via Combinet, set Profile Reqd=Yes.

   Note that Combinet does not support PAP, CHAP, or MS-CHAP authentication.

4. In the Ethernet > Answer > PPP Options menu, set Bridge=Yes.

5. In the Ethernet > Answer > Encaps menu, set COMB=Yes.

6. To require a password in addition to a MAC address, set Password Reqd=Yes in the Ethernet > Answer > COMB Options menu.

   When Password Reqd=Yes, the MAX compares the caller's MAC address to each of these values until it finds a match:

   • Station parameter in a Connection profile

   • User-Name attribute in a RADIUS user profile

     The MAX also compares the value of the caller's password to one of these values:

   • Recv PW in a Connection profile

   • Password attribute in a RADIUS user profile

     When Password Reqd=No, the MAX uses the caller's MAC address only.

7. Set Bridging=Yes in the Ethernet > Mod Config menu.

8. Save your changes.

To set Connection profile parameters for authenticating a Combinet connection, follow these steps:

1. Open the Ethernet > Connections menu.

2. Open the Connection profile.

3. Set the Station parameter to the MAC address of the device making the call.

4. Set Encaps=COMB.

5. Set Bridge=Yes.

6. To limit the duration of calls that use this Connection profile, specify a value for the MAX Call Duration parameter.

   You can specify from 1 to 1440 minutes. The connection is checked once per minute, so the actual time of the call is slightly longer (usually less than a minute longer) than the actual time you set.

   The default is MAX Call Duration=0. With this setting, incoming calls are not timed. They can be of unlimited duration.

1. Open the Encaps Options submenu of the Connection profile.

2. If Password Reqd=Yes in the Ethernet > Answer menu, set the Recv PW parameter in the Connection profile to specify the password that the remote end of the link must send.

   If the password specified by Recv PW does not match the remote end's value for Send PW (in a Connection profile), Ascend-Send-Passwd (in a RADIUS user profile), Ascend-Send-Secret (in a RADIUS user profile), or its equivalent the MAX disconnects the link.

3. For outgoing calls, set the Password Reqd and Send PW parameters.

   • To require the MAX to send a password for outgoing connections, set Password Reqd=Yes.

   • Set the Send PW parameter to specify the password that the MAX sends to the remote end of a connection on outgoing calls.

     If the password specified by Send PW does not match the remote end's value for Recv PW (in a Connection profile), Ascend-Receive-Secret (in a RADIUS user profile), or its equivalent the remote end disconnects the link.

4. Close the Encaps Options submenu.

5. To grant access to the Immediate Modem feature, open the Telco options submenu of the Connections profile and set Dialout OK=Yes.

   For more information about restricting the Immediate Modem feature, see "Restricting access to the Immediate Modem feature" on page 6-7.

6. Save your changes.

Setting up ARA authentication

For a pure AppleTalk connection, a Macintosh user must have ARA Client software and an asynchronous modem. For a TCP/IP connection through ARA, the Macintosh must also be running TCP/IP software, such as MacTCP or Open Transport.

ARA is an asynchronous protocol. It supports V.34, V.42, and V.120 calls only. It does not support V.110 calls or synchronous connections.

For more information about how authentication works on the MAX, see "How does user authentication work?" on page 3-3.

This section describes how to set up ARA authentication in the MAX configuration interface. Figure 3-4 shows a Macintosh with an internal modem dialing into the MAX. The Macintosh uses the ARA Client software to communicate with an IP host on the Ethernet.

Figure 3-4. An ARA connection

Table 3-13 shows ARA authentication parameters on the MAX. The values shown are examples.

Table 3-13. ARA authentication parameters

Location	Parameters with sample values
System\>Sys Config	Name=mygw
Ethernet\>Answer	Profile Reqd=Yes
Ethernet\>Answer\>Encaps	ARA=Yes
Ethernet\>Mod Config	Appletalk=Yes
Ethernet\>Mod Config\>AppleTalk	Zone Name=Berkeley
Ethernet\>Mod Config\>WAN Options	Pool#1 Start=10.0.0.20 Pool#1 Count=90 Pool Only=Yes
Ethernet\>Connections\>any Connection profile	Station=Ted Encaps=ARA
Ethernet\>Connections\>any Connection profile\>Encaps Options	Password=office-pw
Ethernet\>Names/Passwords\>any Names/Passwords profile	Name=Ted Recv PW=office-pw

For complete information about setting up ARA calls on the MAX, see the MAX Network Configuration Guide. For complete information on setting up ARA calls and authentication in RADIUS, see the MAX RADIUS Configuration Guide.

Understanding ARA authentication

• Set systemwide System, Answer, and Ethernet profile parameters specifying the name of the MAX, the type of encapsulation allowed, the type of authentication in use, and the contents of one or more IP address pools.

• Set up a Connection profile, or a Names/Passwords profile, or a RADIUS user profile, a TACACS profile, or a TACACS+ profile containing settings for each individual connection.

If the MAX cannot find a matching Connection profile, it looks for a Names/Passwords profile. If it cannot find a matching Names/Passwords profile, the MAX looks for a RADIUS user profile, TACACS profile, or TACACS+ profile.

Setting systemwide parameters

1. In the System > Sys Config menu, set the Name parameter to the name of the MAX.

2. To disable Guest access via ARA, set Profile Reqd=Yes in the Ethernet > Answer menu.

   Note that ARA does not support PAP, CHAP, or MS-CHAP authentication.

3. Enable ARA encapsulation by setting ARA=Yes in the Ethernet > Answer > Encaps menu.

4. Set Appletalk=Yes in the Ethernet > Mod Config menu.

5. If the local Ethernet supports an AppleTalk router with configured zones, set the Zone Name parameter in the Ethernet > Mod Config > AppleTalk menu.

6. If you are using a Names/Passwords profile for an IP routing connection, open the Ethernet > Mod Config > WAN Options menu to begin setting up one or more IP address pools.

   Unlike Connection profiles and RADIUS user profiles, Names/Passwords profiles cannot specify an IP address for the calling station. When you use a Names/Passwords profile to authenticate an IP routing connection, the MAX automatically assigns the PPP caller a dynamic IP address as the connection is established. For a call configured in a Names/Passwords profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

7. Designate address pools by setting the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Specify a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Specify an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also designate address pools by setting the Ascend-IP-Pool-Definition attribute. For details, see the MAX RADIUS Configuration Guide.

8. Set Pool Only=Yes.

   The Pool Only parameter determines whether a caller can reject an IP address assignment and use his or her own IP address. To eliminate the possibility of a caller rejecting the automatic dynamic assignment and spoofing a local, trusted address, set Pool Only=Yes when using Names/Passwords profiles to authenticate IP routing connections.

   For a call configured in a Names/Passwords profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

   If the calling station rejects the assignment, the MAX ends the call.

9. Save your changes.

To set Connection profile parameters for ARA authentication, proceed as follows:

1. Open the Ethernet > Connections menu.

2. Open the Connection profile.

3. Set the Station parameter to the name of the remote device.

4. Set Encaps=ARA.

5. Open the Encaps Options submenu of the Connection profile.

6. Set the Password parameter to specify the ARA password.

7. Save your changes.

To set Names/Passwords profile parameters for ARA authentication, proceed as follows:

1. Open the Ethernet menu.

2. Open the Names/Passwords menu.

3. Open a Names/Passwords profile.

4. Set the Name parameter to specify the name of the remote device.

   In a Names/Passwords profile, the Name parameter specifies the username associated with the profile. The name you specify also becomes the name of the profile.

5. Set the Recv PW parameter to specify the password that the remote end of the link must send.

   If the password specified by Recv PW does not match the remote end's value for Send PW (in a Connection profile), Ascend-Send-Passwd (in a RADIUS user profile), or Ascend-Send-Secret (in a RADIUS user profile), the MAX disconnects the link.

6. Set the value for Template Connection #:

   • Use the default, Template Connection#=0 (the Answer profile), to specify that the Name/Names/Passwords profile uses the Answer Profile as a template.

   This mode supports clients dialing in over PPP and ARA, but does not support a router dialing in.

   • Specify a Connection Profile profile by setting the parameter to a profile number between 1 and 31.

     In this mode the Names/Passwords profile functions as an alias for the Connection Profile.

7. Save your changes.

Preventing dial-in calls with the Name/Password profile

For example, you can set up a Connection profile for the Sales group to use when dialing in, then set up a Names/Passwords profile for each individual salesperson. To prevent a user from dialing in using one of the two following methods:

• De-activate the Names/Passwords profile for a single salesperson, to prevent that salesperson from dialing in, by setting the Names/Passwords Active flag for the user's Names/Passwords profile to No.

• De-activate the entire Sales group by setting the Connection profile Active flag for the Sales group to No.

Using a SecurID server with AppleTalk Remote Access (ARA)

• Connection profile (described in "Setting Connection profile parameters" on page 3-30)

• Password profile (described in "Setting Names/Passwords profile parameters" on page 3-34)

• RADIUS user profile

The SecurID client module must be version 1.3 or later.

Once the user makes the initial connection, SecurID authentication begins with a pop-up screen on the Macintosh. At this point, the user must enter the User ID and Passcode. When Auth=LOGOUT/RADIUS, the username must be SecurID, and no password should be entered. If the user enters incorrect values, he or she gets two more tries to authenticate before the connection fails.

If the user is required to enter a new PIN, a pop-up screen prompts for this information. The user has three chances to enter the correct PIN. Once the new PIN is accepted, a pop-up screen instructs the Macintosh user to first wait for the token code to change, then log in with the new PIN and token code.

Setting up X.25 authentication

X.25 terminals can connect to the MAX in an X.25/PAD or X.25/IP session. The MAX unit's X.25/PAD implementation allows users to access a packet-switched network over a leased line or a nailed-up ISDN connection.

A Packet Assembler/Disassembler (PAD) is an asynchronous terminal concentrator that enables several asynchronous devices to share a single network line. The PAD assembles data from terminals into packets for transmission to an X.25 network, and disassembles incoming packets from the network into a separate data stream for each terminal. In addition to this multiplexing function, the PAD also provides a nearly error-free connection.

The MAX unit's X.25/IP implementation supports the use of IP routing over an X.25 link. It does not support bridging or other routing protocols. Ascend's implementation of IP over X.25 follows the specification for IETF RFC1356 encapsulation. This implementation connects two or more IP networks linked to a public or private packet-switched network (PSPDN).

Table 3-14 lists the parameters for X.25 authentication. The values shown are examples.

.

Table 3-14. X.25 authentication parameters

Location	Parameters with sample values
Ethernet\>Answer	Profile Reqd=Yes
Ethernet\>Answer\>Encaps	X25/PAD=Yes X25/IP=Yes
Ethernet\>Answer\>PPP Options	Recv Auth=Either
Ethernet > Mod Config/TServ Options	Immed Service=X25/PAD Immed Host=311021755555
Ethernet\>Connections > any Connection profile	Station=dialmax Encaps=X25/PAD or X25/IP
Ethernet\>Connections\>any Connection profile\>Encaps Options	Recv PW=office-pw

This section describes how to set up X.25 authentication in the MAX configuration interface. For complete information about setting up X.25 connections on the MAX, see the Network Configuration Guide for your MAX. For complete information about setting up X.25 calls and authentication in RADIUS, see the MAX RADIUS Configuration Guide.

To set up X.25 authentication, proceed as follows:

1. Open the Ethernet > Answer menu.

2. Set Profile Reqd=Yes.

3. Open the Ethernet > Answer > Encaps menu.

4. Set X25/PAD=Yes and X25/IP=Yes.

5. Open the Ethernet > Answer > PPP Options menu.

6. For an X.25/IP user, set Recv Auth=Either.

7. Open the Ethernet > Mod Config > TServ Options menu.

8. If you want terminal-server users to begin an X.25/PAD session immediately, upon authentication:

   • Set Immed Service=X.25/PAD.

   • Set the Immed Host parameter to the X.121 address of the remote device.

     Terminal server users must pass authentication according to the terminal-server parameters you set. For instructions, see "Setting up authentication for dial-in terminal server users" on page 3-23.

9. Open the Ethernet > Connections menu.

10. Open the X.25 user's Connection profile.

11. For an X.25/PAD connection, set Encaps=X.25/PAD. For an X.25/IP connection, set Encaps=X.25/IP.

12. For an X.25/IP connection, set the Station name parameter to the name of the remote device.

13. Open the Encaps Options submenu of the Connection profile.

14. For an X.25/PAD or an X.25/IP connection, set the Recv PW parameter to the password the remote user must enter.

15. Save your changes.

Setting up IP addressing

• Static address

  A static address is specified by the LAN Adrs parameter in the Connection profile or by the Framed-Address attribute in the RADIUS user profile.

• Dynamic address

  A dynamic address comes from the pool of addresses set by the Pool #n Start and Pool #n Count parameters or by the Ascend-IP-Pool-Definition attribute.

  If the calling end accepts the IP address, the MAX sets the LAN Adrs parameter or Framed-Address attribute to the assigned address, depending on whether a Connection profile or RADIUS user profile is in use. If a static address is already set in a Connection profile or RADIUS user profile, it overrides any IP address from an IP address pool.

• If the caller's PPP software presents an IP address and the MAX does not require dynamic IP address assignment, the MAX must find a Connection profile or RADIUS user profile that matches that address. If it finds a profile, the MAX establishes the connection if the call passes PAP, CHAP, or MS-CHAP authentication. If the MAX does not find a matching profile, it ends the call without attempting PAP, CHAP, or MS-CHAP authentication.

• If the caller's PPP software specifies dynamic IP address assignment, the MAX must obtain an available IP address from pools defined in the Ethernet profile or in RADIUS. If the MAX successfully assigns an address, it establishes the connection if the call passes PAP, CHAP, or MS-CHAP authentication. If no addresses are available, the MAX ends the call.

• If the caller's PPP software presents an IP address and the MAX requires dynamic IP address assignment, the calling station must accept the IP address. If it does, the MAX establishes the connection if the call passes PAP, CHAP, or MS-CHAP authentication. If the calling station does not accept the IP address assignment, the MAX ends the call without attempting PAP, CHAP, or MS-CHAP authentication.

  For more information about how authentication works on the MAX, see "How does user authentication work?" on page 3-3.

Table 3-15. IP address parameters

Location	Parameters with sample values
Ethernet\>Answer	Assign Adrs=Yes
Ethernet\>Answer\>PPP Options	Route IP=Yes
Ethernet\>Connections\>any Connection profile\>IP Options	LAN Adrs=10.5.6.7/24 (or) Pool=2
Ethernet\>Mod Config\>WAN Options	Pool #n Count=10 Pool #n Start=0.0.0.0 Pool Only=Yes

You can set additional parameters in Name/Password profile.

See the Network Configuration Guide for your MAX for related information on setting up IP routing connections in the MAX configuration interface. See the MAX RADIUS Configuration Guide for related information on setting up IP routing connections in RADIUS.

Specifying a static IP address

1. Open the Ethernet > Answer > PPP Options menu.

2. Set Route IP=Yes.

3. Open the Ethernet > Connections menu.

4. Open the Connection profile for the caller.

5. Open the IP Options submenu of the Connection profile.

6. To specify a static address, set the LAN Adrs parameter.

7. Save your changes.

1. Open the Ethernet > Answer menu.

2. Set Assign Adrs=Yes.

   When you specify this setting, the MAX asks the device to accept an address chosen from the pool of addresses specified by the Pool #n Start and Pool #n Count parameters or by the Ascend-IP-Pool-Definition attribute. If the calling end accepts the IP address, the MAX sets the LAN Adrs parameter in the Connection profile to the assigned address.

   Note: In some TCP/IP implementations, when the workstation needs the MAX to set the IP address, you must set the workstation's address to 0.0.0.0. Setting the address to any other value tells the workstation to use that value and notify the MAX.

3. Open the Ethernet > Answer > PPP Options menu.

4. Set Route IP=Yes.

5. Open the Ethernet > Mod Config > WAN Options menu.

6. Specify up address pools by setting the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Assign a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Assign an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also specify address pools by setting the Ascend-IP-Pool-Definition attribute in RADIUS. For details, see the MAX RADIUS Configuration Guide.

7. Open the Ethernet > Connections menu.

8. Open a Connection profile.

9. In the Connection profile, set the Pool parameter to the number of the pool to use for the call.

10. Save your changes.

1. Open the Ethernet > Answer menu.

2. Set Assign Adrs=Yes.

   When you specify this setting, the MAX asks the device to accept an chosen address specified from the pool of addresses by the Pool #n Start and Pool #n Count parameters or by the Ascend-IP-Pool-Definition attribute. If the calling end accepts the IP address, the MAX sets the LAN Adrs parameter in the Connection profile to the assigned address.

3. Open the Ethernet > Answer > PPP Options menu.

4. Set Route IP=Yes.

5. Open the Ethernet > Mod Config > WAN Options menu.

6. If the assigned address is to be chosen dynamically, specify address pools by setting the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Specify a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Assign an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also set up address pools by setting the Ascend-IP-Pool-Definition attribute in RADIUS. For details, see the MAX RADIUS Configuration Guide.

7. To require a calling station to accept an IP address from the MAX, set Pool Only=Yes.

   This setting requires the calling station to accept the static address specified in a Connection profile or RADIUS user profile, or a dynamic address. If the calling station rejects the assignment, the MAX ends the call.

   If you set Pool Only=No, the MAX accepts the IP address specified by the caller.

8. Open the Ethernet > Connections menu.

9. Open a Connection profile.

10. In the Connection profile, set the LAN Adrs parameter to specify a static address, or set the Pool parameter to the number of the pool to use for assigning a dynamic IP address.

11. Save your changes.

Unlike Connection profiles and RADIUS user profiles, Names/Passwords profiles cannot specify an IP address for the calling station. When you use a Names/Passwords profile to authenticate an IP routing connection, the MAX automatically assigns the PPP caller a dynamic IP address as the connection is established, ensuring that the user is not spoofing the address. Table 3-16 shows the relevant parameters on the MAX.

Table 3-16. Names/Passwords profile address restriction parameters

Location	Parameters with sample values
Ethernet\>Mod Config\>WAN Options	Pool#1 Start=10.0.0.20 Pool#1 Count=90 Pool Only=Yes
Ethernet\>Names/Passwords > Any Names/Passwords profile	Name=Ted Recv PW=office-pw

To set parameters to prevent IP spoofing, proceed as follows:

1. Open the Ethernet menu.

2. Open the Names/Passwords menu.

3. Open a Names/Passwords profile.

4. Set the Name parameter to the name of the user or device making the incoming call.

   In a Names/Passwords profile, the Name parameter specifies the username associated with the profile. The name you specify also becomes the name of the profile.

5. Set the Recv PW parameter to specify the password that the remote end of the link must send.

   If the password specified by Recv PW does not match the remote end's value for Send PW, the MAX disconnects the link.

6. Open the Ethernet > Mod Config > WAN Options menu.

7. Specify address pools by setting the Pool #n Count and Pool #n Start parameters.

   The Pool #n Count parameter specifies the number of IP addresses in the IP address pool. Assign a number between 0 and 254. The default value is 0 (zero).

   The Pool #n Start parameter specifies the first IP address in the address pool. Specify an IP address in dotted decimal notation. The default value is 0.0.0.0.

   You can also specify up address pools by setting the Ascend-IP-Pool-Definition attribute. For details, see the MAX RADIUS Configuration Guide.

8. Set Pool Only=Yes.

   The Pool Only parameter determines whether a caller can reject an IP address assignment and use his or her own IP address. To eliminate the possibility of a caller rejecting the automatic dynamic assignment and spoofing a local, trusted address, set Pool Only=Yes.

   For a call configured in a Names/Passwords profile, the address assignment is always from the pool of addresses defined as Pool #1, if Pool #1 exists and has available addresses. If Pool #1 does not exist or does not have available addresses, the MAX assigns an address from Pool #2.

   If the calling station rejects the assignment, the MAX ends the call.

9. Save your changes.

Setting up an authentication server

Understanding authentication servers

Configuring the MAX to use a TACACS or TACACS+ server

1. Open the Ethernet > Mod Config > Auth menu.

   X0-X00 Mod Config
   

     Auth...
     >Auth=TACACS
       Auth Host #1=10.23.45.11
       Auth Host #2=10.23.45.12
       Auth Host #3=10.23.45.13
       Auth Port=1645
       Auth Timeout=5
       Auth Key=N/A
       Auth Pool=N/A
       Auth Req=Yes
       Local Profile First=Yes
       APP Server=No
       APP Host=N/A
       APP Port=N/A
       CLID Timeout Busy=No
       CLID Fail Busy=No
       SecurID DES encryption=N/A
       SecurID host retries=N/A
       SecurID NodeSecret=N/A
   

2. Set Auth=TACACS or TACACS+.

3. Set each Auth Host parameter, to specify the IP address of a TACACS or TACACS+ host.

   You can specify up to three addresses. The MAX first tries to connect to Auth Host #1. If it receives no response within the time specified by the Auth Timeout parameter, it tries again to connect to Auth Host #1 and waits for the same amount of time. If the MAX does not receive a response within the specified timeout, it sends a request for authentication to Auth Host #2. If it again receives no response within the time specified by Auth Timeout, it tries to connect to the next server on the Auth Host List and repeats the process. If the MAX unit's request again times out, it reinitiates the process with Auth Host #1. The MAX can complete this cycle of requests a maximum of ten times. If the MAX is unsuccessful in obtaining a response from any of the servers on the list, the connection fails.

   When it successfully connects to an authentication server, the MAX uses that machine until it fails to serve requests. The MAX does not use the first host until the second machine fails, even if the first host has come back online.

   You can specify the same address for all three Auth Host parameters. If you do so, the MAX keeps trying to create a connection to the same server.

4. For the Auth Port parameter, enter the UDP port number used by the TACACS or TACACS+ software. For example:

   Auth Port=1645
   

   The MAX and the TACACS or TACACS+ software must agree about which UDP port to use for communication, so make sure that the number you specify for the Auth Port parameter matches the number specified in the TACACS or TACACS+ configuration file.

5. Set the Auth Timeout parameter to specify the number of seconds the MAX waits for a response to an authentication request.

   If the MAX does not receive a response within the time specified by Auth Timeout, it sends the authentication request to the next authentication server specified by the Auth Host parameter.

6. Specify whether to use remote authentication before local. The default is Yes.

   If you enter No, the MAX tries remote authentication and the MAX waits for authentication to succeed or for the timeout specified in Auth Timeout to expire. This can take longer than the timeout specified for the connection. If the connection times out, all connection attempts to fail.

   To prevent this set the value for Auth Timeout low enough not to cause the line to be dropped, but still high enough to permit the unit to respond if it is able to. The recommended time is 3 seconds.

   Some authentication methods do not work the same without a remote authenticator as they do with one. Table 3-17 shows authentication methods and the specific information you should consider if you use a particular method with Local Profile First=No.

1. Enter the port number for the source port for remote authentication requests.

   Type a port number between 0 and 65535. The default value is 0 (zero). If you accept this value, the Ascend unit can use any port number between 1024 and 2000.

   You can specify the same port for authentication and accounting requests.

2. Save your changes.

The MAX supports RADIUS RFC-compliance for the Vendor-Specific Attribute (VSA) and the RFC-defined User-Password encryption algorithm. Ascend maintains backward compatibility by making VSA compatibility mode configurable. However, attributes of Type 91 or smaller are supported only in VSA compatibility mode. Attributes of Type 92 or higher are supported in both VSA compatibility mode and the default mode, which is compatible with older Ascend implementations.

About the Vendor-Specific attribute

The format of Ascend vendor attributes in a request or response is new. The older Ascend format for all attributes is as follows:

 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|     Type      |    Length     | Value ...	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |  Length       |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Vendor-Id (cont)           | Vendor type   | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Attribute-Specific...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

The Vendor Type, Vendor Length, and Attribute-Specific Value are the same as the Type, Length, and Value of the unencapsulated Ascend attribute found in the current dictionary. For example, the Type of the Ascend-Xmit-Rate attribute is 255. Because it is an integer, it has a Length of 6. The Value is the transmit rate of the connection. So, the fields of the VSA will specify the following values:

• Type = 26

• Length = 12

• Vendor-Id = 529

• Vendor Type = 255

• Vendor Length = 6

• Attribute-Specific Value = transmit-rate

Configuring the MAX for VSA compatibility mode

When you configure the MAX not to support VSA, which is the default setting, the MAX does not send the Vendor-Specific attribute to the RADIUS server and does not recognize it if the server sends it. The MAX uses the Ascend algorithm when encrypting and decrypting the User-Password attribute, and the Ascend algorithm differs from the RFC-defined algorithm, because it does not null fill the password string to a multiple of 16 bytes before encryption, and the Ascend algorithm does not use the previous segment's hash to calculate the next intermediate value when the password is longer than 16 bytes.

Because you can configure four different functions for RADIUS with each function operating independently of the others and possibly interacting with different RADIUS servers (or clients), the MAX displays four separate VSA-related parameters for specifying whether to operate in the older Ascend mode or in VSA-compatible mode. Following are the relevant parameters, shown with their default settings:

 



 Parameter

 Description


 Ethernet > Mod Config > Auth > Auth Compat Mode


Enables or disables VSA support when the MAX supports RADIUS for authentication. OLD is the default which disables VSA support.



 Ethernet > Mod Config > Accounting > Acct Compat Mode


Enables or disables VSA support when the MAX supports RADIUS for accounting. OLD is the default which disables VSA support.



 Ethernet > Mod Config > RADIUS Server > Compat Mode


Enables or disables VSA support when the MAX acts as a RADIUS server that is able to accept some requests for certain limited purposes; for example, to change filters or disconnect a user. OLD is the default which disables VSA support.



 Ethernet > Mod Config > Call Logging > Compat Mode


Enables or disables VSA support when the MAX supports RADIUS for call logging to NavisAccess. OLD is the default which disables VSA support.

For additional details, see the MAX Reference Guide.

---

Copyright © 1998, Ascend Communications, Inc. All rights reserved.