Re: (ASCEND) Radius

To: ascend-users@max.bungi.com
Subject: Re: (ASCEND) Radius
From: Tim Basher <basher@alpha.CES.CWRU.Edu>
Date: Tue, 14 Oct 97 10:09:46 EDT
Sender: owner-ascend-users@max.bungi.com

> I am using a version of livingston radius for all our term servers.

What version?  Version 1.X or 2.X?

> Since we have now added Ascend to our growing diversity of equipment,
> we are seeing multiple accounting records (which is causing many problems).
> Reading through the manuals (yet again), I find an obscure reference to 
> the ascend buffering (and obviously re-sending repeatedly) the records until
> they are acknowledged.

This is true for _all_ NAS vendors.  It is a rquirement for the proper
operation of RADIUS.  RADIUS is based on UDP.  UDP is unreliable.  The
RADIUS standards require the NAS to resend requests until a response
is received or the NAS gives up.  Since accounting is considered critical
data, a NAS will typically never give up when sending Accounting-Requests
(unless configured to do so - check out the "Acct Max Retry" parameter).

> According to the Ascend manual, they are never acked by
> a "livingston" radius. 

This is true of the Livingston 1.X RADIUS servers because they did not
properly calculate and include the authenticator in accounting messages.

This meant that the MAX never received a valid Accounting-Response.

> Does anyone have a way around this? The idea of re-doing almost 2 years 
> worth of scripts to accommodate the Ascends does *not* endear them to me.

This is not just a matter of changing your scripts.  You need to fix your
RADIUS server.  You can do this by (a) modifying the source code of your
RADIUS server or (b) upgrading to a more recent server that does the right
thing [this would be the best idea].  Just about any current RADIUS server,
including Livingston 2.X should work.

While there are things that Ascend does with RADIUS [using attribute numbers
that were reserved for the standard] that are obnoxious, this is one place
where Ascend does the _right_ thing.  Ascend is just following the current
RFC (RFC2139) about checking the authenticator that is included with
Accounting-Responses.  This is a _good_ thing, not a bad one.  The problem
is not the MAX, it is the RADIUS server.
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Follow-Ups:

Re: (ASCEND) Radius

From: Edward Henigin <ed@texas.net>

Prev by Date: (ASCEND) Problems with Ascend Access Control
Next by Date: (ASCEND) numbered interfaces
Prev by thread: (ASCEND) Radius
Next by thread: Re: (ASCEND) Radius
Index(es):
- Main
- Thread