Ascend Archive

Re: (ASCEND) about Ascend Radius and M4k





On Wed, 8 Oct 1997, Tim Basher wrote:

> > Does anyone know that Ascend Max4000 support standard Radius Attribute
> > Framed-Filter (11) ? if it does, from which version ?
> 
> No, the Ascend MAX does not support the RADIUS Framed-Filter attribute.
> I am told that it is coming, but it is not in any released version yet.
> 
> > I only know that Ascend Supports Ascend-Data-Filter (242) attribute, I'm
> > not sure Ascend Max4000 support it.
> 
> Yes, the MAX 4000 supports the Ascend-Data-Filter (and Ascend-Call-Filter)
> attribute.


Case in point... A typical radius entry on our system looks like this:

swm     Password = "KERBEROS"
        Framed-Address = 204.180.230.150,
        Framed-Netmask = 255.255.255.255,
        Ascend-Data-Filter = "ip in forward srcip 204.180.230.150/32",
        Ascend-Menu-Item="rlogin rowan;rowan      Start shell on rowan;rowan",
        Ascend-Menu-Item="rlogin oak;oak        Start shell on oak;oak",
        Ascend-Menu-Item="slip;slip       Start SLIP;slip",
        Ascend-Menu-Item="ppp;ppp        Start PPP;ppp",
        Ascend-Menu-Item="quit;quit       Hangup;quit",
        Ascend-Menu-Selector="LIII Service: "


We wanted to add filtering so that our ppp dialup customers could not
log in with Linux boxes and spoof IPs on our network.  To do this, we use
static IPs and add a filter that lets packets through *only* if the
source IP is equal to their IP.  For customers who have a network behind
the ppp, we add a second filter which allows packets from that network.
Example:

opus    Password = "KERBEROS"
        Framed-Address = 204.180.230.92,
        Framed-Netmask = 255.255.255.255,
        Framed-Route="205.160.0.64/28 204.180.230.92 4",
        Ascend-Data-Filter = "ip in forward srcip 204.180.230.92/32",
        Ascend-Data-Filter = "ip in forward srcip 205.160.0.64/28",
        Ascend-Menu-Item="rlogin rowan;rowan      Start shell on rowan;rowan",
        Ascend-Menu-Item="rlogin oak;oak        Start shell on oak;oak",
        Ascend-Menu-Item="slip;slip       Start SLIP;slip",
        Ascend-Menu-Item="ppp;ppp        Start PPP;ppp",
        Ascend-Menu-Item="quit;quit       Hangup;quit",
        Ascend-Menu-Selector="LIII Service: "




This all works very well....

Here's a question... If the MAX is set up to give out random IPs, does it
set up such a filter?  If not, bozos can IP spoof at will on their
network.

- Steve
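
An added example, not part of the original message: a small audit of a users file in the layout shown above, reporting any user whose Framed-Address or Framed-Route network is not covered by an "ip in forward srcip" Ascend-Data-Filter. The sample entries (including the hypothetical user "nofilter"), the function names and the assumption that every Framed-Address is a /32 are constructed for illustration.

```python
import ipaddress
import re

# Constructed users-file text in the layout shown above. "nofilter" is a
# hypothetical entry whose routed /28 has no matching source filter.
SAMPLE = '''\
opus    Password = "KERBEROS"
        Framed-Address = 204.180.230.92,
        Framed-Route="205.160.0.64/28 204.180.230.92 4",
        Ascend-Data-Filter = "ip in forward srcip 204.180.230.92/32",
        Ascend-Data-Filter = "ip in forward srcip 205.160.0.64/28"

nofilter Password = "KERBEROS"
        Framed-Address = 192.0.2.10,
        Framed-Route="198.51.100.0/28 192.0.2.10 4",
        Ascend-Data-Filter = "ip in forward srcip 192.0.2.10/32"
'''

ATTR = re.compile(r'([A-Za-z-]+)\s*=\s*"?([^",\n]+)"?')
SRC_FILTER = re.compile(r'^ip in forward srcip (\S+)$')

def parse_users(text):
    """Return {user: [(attribute, value), ...]}; an unindented line starts a user."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.split()[0]
            users[current] = []
            line = line[len(current):]
        users[current].extend(ATTR.findall(line))
    return users

def unfiltered_sources(attrs):
    """Assigned address (assumed /32) and routed networks that no filter permits."""
    needed, allowed = [], []
    for name, value in attrs:
        value = value.strip()
        if name == "Framed-Address":
            needed.append(ipaddress.ip_network(value + "/32"))
        elif name == "Framed-Route":   # first field is the destination network
            needed.append(ipaddress.ip_network(value.split()[0], strict=False))
        elif name == "Ascend-Data-Filter" and SRC_FILTER.match(value):
            allowed.append(ipaddress.ip_network(SRC_FILTER.match(value).group(1), strict=False))
    return [str(n) for n in needed if not any(n.subnet_of(a) for a in allowed)]

def audit(text):
    return {user: unfiltered_sources(attrs) for user, attrs in parse_users(text).items()}
```

Calling `audit(SAMPLE)` returns an empty list for "opus" and the uncovered /28 for "nofilter"; entries with wrapped attribute lines need to be rejoined before parsing.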

