Ascend Archive
Re: (ASCEND) TNT : weakness in authentication process
Hello Tim,
In his/her message, Tim Basher wrote:
> > It seems that the TNT is more "laxist" on the authentication process than
> > the Max4000 : if the login and password match, then that's OK.
>
> This is also true for the MAX4000.
I agree.
> > The Max4000 seems to also check that the IP address of the remote site
> > is corresponding to what is indicated in the Radius profile...
>
> The MAX4000 will only do this when you enable the function:
> Ethernet->Answer->Assign Adrs=Yes
> Ethernet->Mod Config->Pool only=Yes
> Otherwise, it will accept the IP address requested by the remote system.
This is also correct, and really useful ;-)
> > As this check is performed by the radius database, this might indicate that
> > some parameters are not transmitted to the Radius by the TNT...
>
> Actually you are wrong - the check is *not* performed by the RADIUS server.
I thought. This is usually a reason for a LAN Security error message
in the Radius server log file...
> There is a section of documentation for the TNT similar to that found for
> the MAX - "Requiring that a caller accept an IP address from the MAX TNT".
>
> Briefly [look it up for the full text]:
>
> To specify that the MAX TNT try to assign an IP address to a calling
> device, set Assign-Address=Yes in the IP-Answer subprofile of the
> Answer-Defaults profile.
>
> The MAX TNT asks the device to accept an assigned address. The address
> can be a static address or a dynamic address.
> ...
> To require a calling station to accept an IP address from the MAX TNT,
> set Must-Accept-Address-Assign=Yes in the IP-Global profile.
>
OK, I was mistaken about Radius, but here is my TNT config:
admin> list
domain-name = oleane.net
...
must-accept-address-assign = yes
...
and
admin> list ip-answer
enabled = yes
vj-header-prediction = yes
assign-address = yes
routing-metric = 1
Regarding what you have indicated below, the TNT should not accept a P50
to connect with an IP address which is not the one in the Radius
profile, correct? Does anyone else see this problem?
Regards,
Paul
Paul Rolland, rol@oleane.net
OLEANE SA/Service Technique/Directeur Technique Adjoint
OLEANE SA/Technical Service/Deputy Technical Manager
--
Oleane technical and operational support: support@oleane.net
Mail test: ping@oleane.net
Please no MIME, I don't read it
Please no HTML, I'm not a navigator
"We all want to change the world" - The Beatles - Revolution
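
Added example, not part of the original message or of any Ascend tooling: one way to check from the RADIUS side whether callers are being accepted with an address other than the static one in their profile, which is the behaviour questioned above. The file layouts, user names and addresses are constructed, and it assumes accounting Start records carry the negotiated address as Framed-IP-Address.

```python
import re

# Constructed sample data: profiles in "users"-file style and accounting
# Start records in "detail"-file style (blank line between records).
USERS = '''\
site-a  Password = "example"
        Framed-IP-Address = 192.0.2.10
site-b  Password = "example"
        Framed-IP-Address = 192.0.2.20
pool-user  Password = "example"
        Service-Type = Framed-User
'''
DETAIL = '''\
User-Name = "site-a"
Acct-Status-Type = Start
Framed-IP-Address = 192.0.2.10

User-Name = "site-b"
Acct-Status-Type = Start
Framed-IP-Address = 198.51.100.77

User-Name = "pool-user"
Acct-Status-Type = Start
Framed-IP-Address = 203.0.113.5
'''
# One "Attribute = value" pair per line; quotes and a trailing comma are optional.
ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^",]*)"?,?\s*$')

def profile_addresses(users_text):
    """Map user name -> static Framed-IP-Address declared in the profile."""
    static, current = {}, None
    for line in users_text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a profile
            current = line.split()[0]
        elif current and (m := ATTR.match(line)) and m.group(1) == "Framed-IP-Address":
            static[current] = m.group(2).strip()
    return static

def mismatched_sessions(users_text, detail_text):
    """Return (user, profile_addr, session_addr) for sessions using another address."""
    static, findings = profile_addresses(users_text), []
    for block in detail_text.strip().split("\n\n"):
        rec = {m.group(1): m.group(2).strip()
               for l in block.splitlines() if (m := ATTR.match(l))}
        user, addr = rec.get("User-Name"), rec.get("Framed-IP-Address")
        # Users without a static address (pool users) are not checked.
        if rec.get("Acct-Status-Type") == "Start" and user in static and addr != static[user]:
            findings.append((user, static[user], addr))
    return findings
```

Calling `mismatched_sessions(USERS, DETAIL)` on the constructed data reports only the session whose address differs from its profile.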