Ascend Archive
Re: (ASCEND) TNT : weakness in authentication process
> It seems that the TNT is more "laxist" on the authentication process than
> the Max4000 : if the login and password match, then that's OK.
This is also true for the MAX4000.
> The Max4000 seems to also check that the IP address of the remote site
> corresponds to what is indicated in the Radius profile...
The MAX4000 will only do this when you enable the function:
    Ethernet->Answer->Assign Adrs=Yes
    Ethernet->Mod Config->Pool only=Yes
Otherwise, it will accept the IP address requested by the remote system.
Check out "Requiring that a caller accept an IP address from the MAX" in
the RADIUS Supplement of the MAX documentation.
> As this check is performed by the radius database, this might indicate that
> some parameters are not transmitted to the Radius by the TNT...
Actually you are wrong - the check is *not* performed by the RADIUS server.
In RADIUS, authentication (verifying username and password) always takes place
before authorization (configuring the interface) whether it is done via the
terminal server or via PAP/CHAP. In PPP, authentication must be successful
before the NCP negotiations start. This means that there is no way for the
TNT (or MAX or ...) to pass over the IP address in the RADIUS Access-Request.
There is a section of documentation for the TNT similar to that found for
the MAX - "Requiring that a caller accept an IP address from the MAX TNT".
Briefly [look it up for the full text]:

    To specify that the MAX TNT try to assign an IP address to a calling
    device, set Assign-Address=Yes in the IP-Answer subprofile of the
    Answer-Defaults profile.

    The MAX TNT asks the device to accept an assigned address. The address
    can be a static address or a dynamic address.

    ...

    To require a calling station to accept an IP address from the MAX TNT,
    set Must-Accept-Address-Assign=Yes in the IP-Global profile.

    This setting requires the calling station to accept the static address
    you specify (in a Connection profile or RADIUS user profile), or a
    dynamic address. If the calling station rejects the assignment, the
    MAX TNT ends the call.

++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
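
Added example, not part of the original post or of any Ascend software: since the Access-Request is sent before the address is negotiated, one way to verify which address a caller ended up with is to audit accounting Start records against the expected assignment. It assumes the NAS reports Framed-IP-Address in accounting; the record layout, user names, pool and profile table are constructed for illustration.

```python
import ipaddress

# Constructed expectations: a static address per user, or None for "any pool address".
PROFILES = {"site-a": "192.0.2.10", "site-b": None}
POOL = ipaddress.ip_network("198.51.100.0/28")  # constructed dynamic pool

# Constructed accounting records; attribute names follow RFC 2865/2866.
SAMPLE = """\
User-Name = "site-a"
Acct-Status-Type = Start
Framed-IP-Address = 192.0.2.10

User-Name = "site-a"
Acct-Status-Type = Start
Framed-IP-Address = 192.0.2.77

User-Name = "site-b"
Acct-Status-Type = Start
Framed-IP-Address = 10.9.9.9
"""

def parse_records(text):
    """Split blank-line separated blocks into attribute dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition("=") for line in block.splitlines())
        records.append({k.strip(): v.strip().strip('"') for k, sep, v in pairs if sep})
    return records

def audit(records, profiles=PROFILES, pool=POOL):
    """Return (user, address, reason) for Start records with an unexpected address."""
    findings = []
    for rec in records:
        if rec.get("Acct-Status-Type") != "Start":
            continue
        user, addr = rec.get("User-Name"), rec.get("Framed-IP-Address")
        if user not in profiles or addr is None:
            findings.append((user, addr, "unknown user or no address"))
        elif profiles[user] is not None and addr != profiles[user]:
            findings.append((user, addr, "not the static address"))
        elif profiles[user] is None and ipaddress.ip_address(addr) not in pool:
            findings.append((user, addr, "outside dynamic pool"))
    return findings

if __name__ == "__main__":
    print(audit(parse_records(SAMPLE)))
```

A finding here means the caller authenticated correctly but is using an address other than the one assigned, which is the case the Must-Accept-Address-Assign setting is meant to prevent.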