RE: Security hole : Radius NT or Ascend MAX4000 ?

Albert Churba ( (no email) )
Sun, 27 Jul 1997 14:42:46 -0400

I too have the same problem. Since we are just moving to K56Flex, there
were never any modems in the MAX before (only ISDN service). We are trying
to migrate from the NT RAS environment (analog) to a full digital service.
Most of the users are temporarily entered into the users text file. BOTH
mode is enabled so that the data entry process can commence.

According to the Ascend manual (Ref 2-163), the Ethernet/Answer/Profile
Reqd should be set to Yes. This is the setting on my system.

My findings show that either Win95 or WinNT can connect with the absence of
ANY credentials. The IP address serves as the user name. This is STRANGE.
:(

Writing this caused me to remember something. I just went into the
Ethernet/Names Passwords connection profiles and found two active blank
entries. I have set both to Active=No and cured the problem.

Hope it helps!

Regards,
Albert Churba, President
Dial ISDN, Inc.
http://www.dialisdn.net

----------
From: Sinh Huynh[SMTP:shuynh@socs.uts.edu.au]
Reply To: ntisp@emerald.iea.com
Sent: Sunday, July 27, 1997 11:22 AM
To: Emerald
Subject: Security hole : Radius NT or Ascend MAX4000 ?

-- [ From: Sinh Huynh * EMC.Ver #2.5.02 ] --

Hi everyone
I am using Radius NT and Ascend Max4000. Any Windows 95 user can log into
my system without a user name or password. I found this problem when
someone accidentally clicked on the F7 button without entering anything.
The problem is that when Windows 95 users dial the Max4000, the login prompt
will display, and if users click on the F7 key button (in the bring up
terminal display option), the system will let the user in without any
challenge. However, if a user enters a login name with a wrong password,
the system can pick it up and reject it. It doesn't happen to Windows 3.X
users. Does anyone have this problem?

I can tell who logs into my system without a user name by looking at the
active sessions on the Max. Anyone who bypasses the Radius checking will be
shown with an IP address number only. Users who enter an ID and password
correctly will be shown exactly on the Max.

I would very much appreciate it if someone could show me where the problem
is.

Sinh Huynh shuynh@socs.uts.edu.au

----------------------------------------------------------
NTISP Mailing List listserver@emerald.iea.com
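
The two checks discussed in this thread (active connection profiles with blank name or password, and sessions listed under an IP address instead of a user name), as an added example that is not part of either message and is not Ascend or Radius NT code. The record layout, the field names (`name`, `recv_pw`, `active`) and all sample values are constructed assumptions, not the MAX's real export format.

```python
import ipaddress

# Constructed sample data. A real MAX shows profiles and sessions in its own
# menu layout; export them into this shape before running the checks.
PROFILES = [
    {"name": "jsmith", "recv_pw": "s3cret", "active": True},
    {"name": "", "recv_pw": "", "active": True},    # blank and active
    {"name": "", "recv_pw": "", "active": True},    # blank and active
    {"name": "", "recv_pw": "", "active": False},   # blank but disabled
]
SESSIONS = ["jsmith", "192.0.2.17", "mlee", "192.0.2.44"]


def blank_active_profiles(profiles):
    """Indexes of profiles that are active yet have an empty name or password.

    Flagging an empty password as well as an empty name goes slightly beyond
    the thread, which only mentions fully blank entries.
    """
    return [
        i for i, p in enumerate(profiles)
        if p["active"] and (not p["name"].strip() or not p["recv_pw"].strip())
    ]


def is_ip(label):
    """True if the session label is a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(label.strip())
        return True
    except ValueError:
        return False


def unauthenticated_sessions(sessions):
    """Session labels that are empty or an IP address rather than a user name."""
    return [s for s in sessions if not s.strip() or is_ip(s)]


if __name__ == "__main__":
    for i in blank_active_profiles(PROFILES):
        print(f"profile #{i}: active with blank credentials, set Active=No")
    for s in unauthenticated_sessions(SESSIONS):
        print(f"session {s}: no user name recorded, check how it authenticated")
```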
