Ascend Archive

(ASCEND) Radius and CLID security problem




Using a MAX2000 (5.0Ap33) and AscendAccessControl (1.0Ai7).

I had a number of users who were entered in the AccessControl user file
using Caller-ID for authentication.

e.g. (where xxxxxxxxxx is the user's telephone ID presented by the telco)
xxxxxxxxxxx Password = "Ascend-CLID", Service-Type=Framed
 Ascend-Require-Auth = Not-Require-Auth,
 Ascend-Assign-IP-Pool = 1,
 Ascend-Route-IP = Route-IP-Yes


Unfortunately it appears that if a random user makes a call (I used NT
RAS), from any location, specifying the telephone number as the username
and Ascend-CLID as the password they are authenticated and get a
connection to the network. This is not the desired behaviour :(

If I set up two-tier authentication that requires a password then this
hole doesn't exist, but I then require to enter individual usernames and
passwords for each user and have a separate 2nd-tier entry for each
different Calling-Station-ID. This in turn requires configuring my
remote devices (which is actually quite tricky in my application) to
have an individual identity - i.e. suddenly I have to put in
significantly more support resources...

This doesn't happen when the connection profile is local rather than
using Radius. Is there something obvious I am missing in setting up
Radius, or is this a large security hole I had fallen into?

philip ross
system support
Xerox Research Centre Europe
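
An added example, not part of the original message and not Ascend code: a small audit of a users file that flags entries matching only on the telephone number plus the static "Ascend-CLID" password, and shows that such an entry accepts a request whatever the calling number is. The phone numbers, the request dictionary and the simplified matcher are constructed; that the server honours a Calling-Station-Id check item on the entry's first line is an assumption.

```python
import re

CLID_PASSWORD = "Ascend-CLID"   # static password value from the post's entry
# Assumed names for a caller-number check item (the post mentions Calling-Station-ID).
CALLER_ATTRS = {"Calling-Station-Id", "Caller-Id"}

def parse_users(text):
    """Return (name, check_items) per entry; indented reply-item lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        pairs = re.findall(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)', rest)
        entries.append((parts[0], {k: v.strip('"') for k, v in pairs}))
    return entries

def accepts(name, checks, request):
    """Simplified matcher: user name and every check item must equal the request."""
    return request.get("User-Name") == name and all(
        request.get(attr) == value for attr, value in checks.items())

def audit(text):
    """Names of entries using the static CLID password with no caller-number check."""
    return [name for name, checks in parse_users(text)
            if checks.get("Password") == CLID_PASSWORD
            and CALLER_ATTRS.isdisjoint(checks)]

# Constructed users file: first entry mirrors the post, second adds a caller check.
SAMPLE = '''\
5550100 Password = "Ascend-CLID", Service-Type=Framed
 Ascend-Require-Auth = Not-Require-Auth,
 Ascend-Assign-IP-Pool = 1
5550101 Password = "Ascend-CLID", Calling-Station-Id = "5550101"
 Ascend-Route-IP = Route-IP-Yes
'''

# Constructed request: the number typed as user name, call placed from another line.
REQUEST = {"User-Name": "5550100", "Password": "Ascend-CLID",
           "Service-Type": "Framed", "Calling-Station-Id": "5550199"}

if __name__ == "__main__":
    users = dict(parse_users(SAMPLE))
    print("entries without a caller-number check:", audit(SAMPLE))
    print("5550100 accepted from 5550199:", accepts("5550100", users["5550100"], REQUEST))
```
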

