[RadiusNT] Ascend filters and RadiusNT

Josh Hillman ( (no email) )
Thu, 26 Aug 1999 14:16:27 -0400

One of my coworkers has been trying to get Ascend filtering working and
wanted me to forward this message on to the group to see if anyone here knows
what's going on...

I am attempting to configure filtering in our Max4002, 4004, and 4048
machines through RADIUS settings as defined in the RADIUS manuals from
Ascend. All Max boxes are using System 7.0.22, and the units are being used
to allow dial-up internet connection via PPP, using PAP authentication with
Emerald 2.5 and RadiusNT.

I successfully configured a filter profile in one of our Max boxes, and used
it for testing. It's my intention to have the ability to filter out
machines or subnets that are responsible for DoS attacks on various users on
our network, but I run into three limitations: only 12 in/out filters can be
defined per profile, only one profile can be active at one time, and
assignment of dynamic IPs locally could interfere with the operation of the
filters, unless I set up a static IP to block to, or let it block to all
dialups. Because of this, it seems RADIUS session settings are the way to
go.

Based on the Ascend RADIUS configuration manual, I set up this filter in
Emerald for RadiusNT:

Ascend-Data-Filter: ip in drop srcip xxx.xxx.xxx.xxx 0

This setting was intended to drop ALL packets (0 in the proto position) from
source IP xxx.xxx.xxx.xxx. This setting made NCP negotiations fail. To see
if I misunderstood the dir parameter, I changed that to out and had the same
results.

So then, going back to a single, easy to overlook sentence in the ISP
Configuration Guide, section 6 on filters, I remember that ~"For security
purposes, the Max will not automatically forward packets that do not match
filter definitions." Hence:

Ascend-Data-Filter: ip in drop srcip xxx.xxx.xxx.xxx 0
Ascend-Data-Filter: ip in forward 0
Ascend-Data-Filter: ip out forward 0

The last two entries were to tell the Max that it is okay to forward all
other packets, regardless of source/destination IP, or the protocol type.
This filter setting also made NCP negotiations fail. Again to be sure I
understood the dir parameter properly, I reversed in and out, still to no
avail.

Once I can get this to work properly with a single IP, I am sure that I will
need to work with entire subdomains. No rest for the weary! Any
information to help my plight would be greatly appreciated.

--Alan W. Rateliff, II  (via Josh Hillman -- hillman@talstar.com)

RadiusNT 2.5.175 (ODBC)
Emerald 2.5.278
SQL 6.5
various Ascend (Lucent) Max 40xx NASes with TAOS 7.0.22

For more information about this list (including removal) go to:
http://www.iea-software.com/support/maillists/liststart
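The following Python model is an added example and is not part of the original post or of any Ascend or IEA software. It parses the Ascend-Data-Filter strings in the form the post uses (ip, direction, action, optional srcip/dstip, protocol number with 0 meaning any protocol) and evaluates packets against them with first-match semantics and the documented rule that a packet matching no filter is not forwarded. It shows why the first attempt (a single drop rule) blocks every packet, including the PPP/NCP traffic, and why the two forward-all rules are needed. The first-match order, the literal "no match in either direction means drop" reading of the quoted ISP Guide sentence, the optional /prefix suffix on addresses, and the example IPs (documentation ranges) are assumptions of this model; it does not explain the NCP failure the poster still saw after adding the forward rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the xxx.xxx.xxx.xxx in the post (RFC 5737 ranges).
ATTACKER = "192.0.2.10"
VICTIM = "198.51.100.5"
BYSTANDER = "203.0.113.7"

# The two filter sets from the post, with the placeholder IP filled in.
FILTER_DROP_ONLY = ["ip in drop srcip 192.0.2.10 0"]
FILTER_WITH_FORWARD_ALL = [
    "ip in drop srcip 192.0.2.10 0",
    "ip in forward 0",
    "ip out forward 0",
]


@dataclass
class Packet:
    direction: str  # "in" or "out", relative to the Max's WAN/dial-up side
    src: str
    dst: str
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP


@dataclass
class Rule:
    direction: str
    action: str  # "forward" or "drop"
    src: Optional[ipaddress.IPv4Network]  # None = any source
    dst: Optional[ipaddress.IPv4Network]  # None = any destination
    proto: int  # 0 = any protocol (the post's reading of the proto field)


def parse_filter(line: str) -> Rule:
    """Parse 'ip <in|out> <forward|drop> [srcip A[/n]] [dstip A[/n]] <proto>'.

    Only 'ip' filters are modelled. A '/n' prefix length on srcip/dstip is an
    assumption of this model so that whole subnets can be expressed.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "ip":
        raise ValueError(f"unsupported filter: {line!r}")
    direction, action = tokens[1], tokens[2]
    if direction not in ("in", "out") or action not in ("forward", "drop"):
        raise ValueError(f"bad direction/action in {line!r}")
    src = dst = None
    proto = 0
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("srcip", "dstip"):
            net = ipaddress.ip_network(tokens[i + 1], strict=False)
            if tok == "srcip":
                src = net
            else:
                dst = net
            i += 2
        elif tok.isdigit():
            proto = int(tok)
            i += 1
        else:
            raise ValueError(f"unknown token {tok!r} in {line!r}")
    return Rule(direction, action, src, dst, proto)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only packets in its own direction that satisfy every
    address/protocol constraint it carries; omitted fields match anything."""
    if rule.direction != pkt.direction:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto != 0 and rule.proto != pkt.proto:
        return False
    return True


def evaluate(filters: List[str], pkt: Packet) -> str:
    """First matching rule decides. A packet that matches no rule is dropped,
    which is the literal reading of the ISP Guide sentence quoted in the post
    ("the Max will not automatically forward packets that do not match")."""
    for rule in (parse_filter(f) for f in filters):
        if matches(rule, pkt):
            return rule.action
    return "drop"


def demo() -> dict:
    """Evaluate both filter sets against attacker, bystander and outbound traffic."""
    attacker_in = Packet("in", ATTACKER, VICTIM, 6)
    bystander_in = Packet("in", BYSTANDER, VICTIM, 6)
    reply_out = Packet("out", VICTIM, BYSTANDER, 6)
    return {
        "drop_only": [evaluate(FILTER_DROP_ONLY, p) for p in (attacker_in, bystander_in, reply_out)],
        "with_forward_all": [evaluate(FILTER_WITH_FORWARD_ALL, p) for p in (attacker_in, bystander_in, reply_out)],
    }
```

With only the drop rule, all three packets come back "drop": the bystander's inbound packet and the victim's outbound reply match nothing, so the default-deny swallows them along with the attacker's traffic, which is why the whole link dies rather than just the one source. With the two forward-all rules appended, only the attacker's packet is dropped. Note that the rules are order-sensitive: if "ip in forward 0" came before the drop rule, the attacker's packets would be forwarded too.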