Ascend Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: (ASCEND) Ascend configuration
> With all of the Ascend hardware and software we've examined, they always
> send CHAP requests before PAP requests, which can lead to some problems
> when authenticating against a UNIX-style user database.
That is because *if* a NAS is going to offer PAP and CHAP authentication,
it is explicitly required to offer CHAP first.
To quote from RFC 1334:
   Any implementations which include a stronger authentication method
   (such as CHAP, described below) MUST offer to negotiate that method
   prior to PAP.
   MUST
      This word, or the adjective "required", means that the definition
      is an absolute requirement of the specification.
To fail to do this would be insecure and a violation of the relevant
standards.
If you want to have PAP offered "first", for compatibility with UNIX
passwords, then you are restricted to *only* offering PAP.
You can configure an Ascend MAX to use only PAP by modifying the Recv Auth
parameter to PAP (Ethernet>Answer>PPP options...>Recv Auth) and making sure
you have the "Use Answer as Default" parameter set to Yes.
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>