Ascend Archive

Re: (ASCEND) TNT : weakness in authentication process



Hello Tim,

In his message, Tim Basher wrote:
> > It seems that the TNT is more "laxist" on the authentication process than
> > the Max4000 : if the login and password match, then that's OK.
> 
> This is also true for the MAX4000.

I agree.

> > The Max4000 seems to also check that the IP address of the remote site
> > is corresponding to what is indicated in the Radius profile...
> 
> The MAX4000 will only do this when you enable the function:
>   Ethernet->Answer->Assign Adrs=Yes
>   Ethernet->Mod Config->Pool only=Yes
> Otherwise, it will accept the IP address requested by the remote system.

This is also correct, and really useful ;-)

> > As this check is performed by the radius database, this might indicate that
> > some parameters are not transmitted to the Radius by the TNT...
> 
> Actually you are wrong - the check is *not* performed by the RADIUS server.
I thought. This is usually a reason for a LAN Security error message
in the Radius server log file...

> There is a section of documentation for the TNT similar to that found for
> the MAX - "Requiring that a caller accept an IP address from the MAX TNT".
> 
> Briefly [look it up for the full text]:
> 
>   To specify that the MAX TNT try to assign an IP address to a calling
>   device, set Assign-Address=Yes in the IP-Answer subprofile of the
>   Answer-Defaults profile. 
> 
>   The MAX TNT asks the device to accept an assigned address. The address
>   can be a static address or a dynamic address.
>   ...
>   To require a calling station to accept an IP address from the MAX TNT,
>   set Must-Accept-Address-Assign=Yes in the IP-Global profile. 
> 
OK, I was mistaken about Radius, but here is my TNT config:
admin> list
domain-name = oleane.net
...
must-accept-address-assign = yes
...

and

admin> list ip-answer
enabled = yes
vj-header-prediction = yes
assign-address = yes
routing-metric = 1

Regarding what you have indicated below, the TNT should not accept a P50
to connect with an IP address which is not the one in the Radius
profile, correct? Does anyone else see this problem?

Regards,
Paul

Paul Rolland, rol@oleane.net
OLEANE SA/Service Technique/Directeur Technique Adjoint
OLEANE SA/Technical Service/Deputy Technical Manager

--

Oleane technical and operational support :  support@oleane.net
Mail test                                :  ping@oleane.net

Please no MIME, I don't read it
Please no HTML, I'm not a navigator

"We all want to change the world" - The Beatles - Revolution
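
An added example, not part of the original message and not Ascend code: a small Python model of the address-assignment policy as the documentation quoted in the thread describes it, showing what a given pair of settings should do to a caller that requests its own address. The function names and sample addresses are constructed; the settings are the ones listed in the message.

```python
# Model of the documented policy only; it does not reproduce TNT firmware behaviour.
SAMPLE_LIST_OUTPUT = """\
admin> list
domain-name = oleane.net
...
must-accept-address-assign = yes
...
admin> list ip-answer
enabled = yes
assign-address = yes
"""  # constructed from the settings shown in the message


def parse_list_output(text):
    """Collect 'name = value' lines from 'list' output; prompts and '...' are skipped."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip().lower()] = value.strip().lower()
    return settings


def negotiate(settings, profile_addr, requested_addr):
    """Return (outcome, address) for a caller whose profile holds profile_addr."""
    assign = settings.get("assign-address") == "yes"
    must_accept = settings.get("must-accept-address-assign") == "yes"
    if not assign:
        # No assignment attempted: the caller's own address is taken as-is.
        return ("accepted-caller-address", requested_addr)
    if requested_addr in (None, "0.0.0.0", profile_addr):
        # Caller asks to be assigned an address, or already agrees with the profile.
        return ("assigned", profile_addr)
    if must_accept:
        # Caller insists on another address and acceptance is mandatory.
        return ("rejected", None)
    # Assignment was only offered, so the caller's choice still wins.
    return ("accepted-caller-address", requested_addr)


def caller_can_choose_address(settings):
    """True when the settings leave a caller free to pick an address outside its profile."""
    outcome, _ = negotiate(settings, "192.0.2.10", "198.51.100.7")  # constructed addresses
    return outcome == "accepted-caller-address"


if __name__ == "__main__":
    cfg = parse_list_output(SAMPLE_LIST_OUTPUT)
    print(negotiate(cfg, "192.0.2.10", "198.51.100.7"))
    print("caller can choose its own address:", caller_can_choose_address(cfg))
```
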