From 50b37d4a27d3295a29afca2286f1a5a086142cec Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 11:49:46 +0200 Subject: Adding upstream version 3.2.1+dfsg. Signed-off-by: Daniel Baumann --- doc/vendor/ascend | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 doc/vendor/ascend (limited to 'doc/vendor/ascend') diff --git a/doc/vendor/ascend b/doc/vendor/ascend new file mode 100644 index 0000000..57a44be --- /dev/null +++ b/doc/vendor/ascend 
@@ -0,0 +1,57 @@ + Ascend Radius Options + or + What happens when a big vendor ignores an RFC + + + FreeRADIUS uses Vendor-Specific attributes to send the Ascend attributes. +By default, Ascend NASes send the Ascend specific attributes as NON VSA's, +which conflict with new RADIUS attributes assigned by the IETF. This was +a very bad screw-up by Ascend that still causes many headaches, but sometimes +we have to live with it, so we try to cope the best we can. + + If you see a large number of messages about invalid Message-Authenticator +attribute, you most likely are affected by this problem, and should implement +the first option. + +You have two options: + +o Enable VSA's on the Ascend/Lucent MAX: + + This is by far the preferred method ( as it solves many other problems ). + + Max6000/4000 Series TAOS with Menued Interface: + + Go to Ethernet->Mod Config->Auth. + At the bottom of the menu, change Auth-Compat from "OLD" to "VSA". + Save your changes, no reboot is needed. + + Go to Ethernet->Mod Config->Acct. + At the bottom of the menu, change Acct-Compat from "OLD" to "VSA". + Save your changes, no reboot is needed. + + Max TNT/Apex 8000 Series TAOS with CLI: + + nas> read external-auth + nas> set rad-auth-client auth-radius-compat = vendor-specific + nas> set rad-acct-client acct-radius-compat = vendor-specific + nas> write + +o Enable OLD attributes in FreeRADIUS + + One note on this, Ciscos have an Ascend compatibility mode that + accepts only the OLD style Ascend attributes, just to make life more + interesting. :) + + You can make FreeRADIUS send the OLD style attributes by prefixing the + Ascend attributes with 'X-' in the 'users' file, sql table, ldap directory, + attr_filter module, etc... + + Thus the VSA Ascend attribute: + + Ascend-Data-Filter + + becomes the OLD Ascend attribute: + + X-Ascend-Data-Filter + +$Id$ -- cgit v1.2.3
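Review bot: The paragraph near the top of doc/vendor/ascend about "invalid Message-Authenticator attribute" messages sends the reader to the first option without saying why that symptom follows from the non-VSA encoding. One sentence tying it to the stated conflict with IETF-assigned attributes would let an operator confirm the diagnosis from the logs instead of guessing. In the "Enable OLD attributes in FreeRADIUS" section, the Cisco remark comes before the 'X-' prefix is introduced, so it reads as a caveat on something not yet explained; consider moving it after the Ascend-Data-Filter / X-Ascend-Data-Filter example and stating that the 'X-' form is for devices that accept only the OLD style attributes. The "You have two options:" line is not indented like the paragraphs around it, and the trailing "$Id$" keyword is unexpanded and could be dropped.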