Re: (ASCEND) Resticting Modem users

[Tim Basher <basher@ces.cwru.edu>]

> I was wondering if there were away that one could control a user who had
> bought modem access to only be a modem user, so that if he went and
> bought an internal TA and tried to connect isdn he would  stopped from
> connecting,
> 
> I have tried the Ascend nas type = Anolog or what ever that attribute was
> in Radius but still one could connect with a ISDN TA

This was covered recently on the mailing list, so in the future, you might
first consider searching the archives.  Nexial Systems maintains a searchable
archive on the web.

  <http://www.nexial.com/mailinglists/>

In the future, it would also be useful to include the actual RADIUS user
entry you tried to use rather than an incomplete and apparently confused
recollection of what you tried.  It also helps to mention which RADIUS
server you are using, since this behavior is enforced by the server.

Many Network Access Servers (NAS) include the NAS-Port-Type attribute in
RADIUS Access-Request messages.  You need to configure your RADIUS server
so that it checks the NAS-Port-Type attribute before it returns an
Access-Accept.

Since you are trying to use this to limit the service provided, you do not
want NAS-Port-Type to be a configuration value (a reply-item), you want it
to be checked by the RADIUS server before authorizing service (a check-item).

In a Livingston RADIUS server, the check-items must all be on the first
line of the user entry, along with the Password.  Putting it on a separate
line within the user entry would make it a reply-item.

Example:

username  Password = "passwd", NAS-Port-Type = Async
          User-Service = Framed-User,
          Framed-Protocol = PPP,
          Framed-Netmask = 255.255.255.128,
          Ascend-Assign-IP-Pool = 1

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>