Below are some notes that may be useful to others configuring similar equipment for purposes of public access to the internet.
From [email protected] Fri Aug 28 11:00:10 1998
Date: Fri, 21 Aug 1998 17:18:27 -0700 (PDT)
From: Jason Currell
To: [email protected]
Cc: Peter Royce
Subject: New Phone lines (How they will work).

I have a radius server installed on garfield for now and I think I have finally figured this whole thing out. So here goes.

Basically we have purchased 2 T1-PRI's from Metronet. These lines consist of 47 B channels and 1 D channel for signaling. In order to access these phone lines we have what are called "common pilot numbers". Each B channel does not have its own phone number; there is one phone number which can be used to hunt over all channels in the group. Now what we have done is actually assign several separate numbers which access the entire set of B channels. We have also set up one special number which call forwards all calls that come into it to one of the common pilot numbers. This is called a virtual facilities group number. We can set up this particular number so that it never call forwards more than 41 separate phone calls at one time. So here is what we have:

Common Pilot Numbers
    638-0195 (This is the number we give out to IP's)
    638-???? (This number is kept secret and nobody ever uses it)
    638-**** (This is the number that we use to connect with ISDN)

Virtual Facilities Group Number
    638-0189 (This call forwards to 638-????)

The only two numbers that will ever be public are 638-0195 (For IP's) and 638-0189 (for everybody else). Nobody will ever dial into 638-????. Only the office will ever dial into 638-****. (By the way ???? and **** will be actual numbers; Metronet just hasn't assigned them to us yet because I just figured this out today).

Now, in order to have different security on these lines we have to use DNIS (dialed number information service). Whenever you put a call through to the Ascend box it can see what number the user dialed into and change how it authenticates based upon what number the user dialed. So for example, if a user comes in on the 0189 number they will be given telnet only access. If the user comes in on 0195 the user will be given telnet or PPP access. (It all depends upon how you set it up).

Now to complicate the whole issue, if we have a virtual number call forwarding to an actual number then DNIS is going to see the call as coming from the real number, not the one that is being forwarded. So if somebody calls in on 638-0189 the Ascend box will think the call is coming in from 638-????. This is the reason why we need 638-???? instead of just having 638-0189 forward to 638-0195 (The way Metronet set it up). Now the key to this entire security arrangement is that nobody can ever know what 638-???? is. Because if they find out this number, they will have access to all 47 B channels. (Remember we only want to give them a maximum of 41 channels).

Securing the Phone Lines
------------------------

So basically we can either secure the phone lines or not secure the phone lines. There is no way to set it up so that one phone number tests for security and another number does not test for security. Either both numbers test or none of them test. Not having them test is fine if we have the Ascend box only telnet people directly to vcn.bc.ca and we aren't worried about separate modem pools. However these are issues so we do need this security. The problem is, if we have phone line security and then login security, anybody going into the main modem pool is essentially going to have to login twice. Once for the phone lines and Ascend box and then once again when they telnet to the VCN. Unfortunately there isn't any way around this.

The way that things will be set up, we will have radius running on opus.vcn.bc.ca. The DEFAULT entry will be:

    DEFAULT Password = "UNIX", Client-Port-DNIS="638????"
        User-Service = Login-User, Login-Service = Telnet, Login-Host = 207.102.64.2

What happens is, if a user is not listed in the users file then radius tries to see if their login and password match that of the box that radius is running on. If they do then it authenticates them. The Client-Port-DNIS="638????" means only let in people who have dialed the number 638????. (Remember 638-0189 forwards to 638-????). So basically if somebody dials into 638-0189 they will be given a login and a password prompt. If their login and password match one in the password file on opus then they have made it through the first layer of authentication. They are allowed to use the phone line. After this the Ascend box starts up a telnet session to vcn.bc.ca. Once they reach vcn.bc.ca they will then have to login one more time to get into the CommunityNet.

Now for the 638-0195 number. Anybody who dials into this number must have an entry in the radius users file which looks as follows:

    currell Password="currellXXX", Client-Port-DNIS="6380195"
        Blah, Blah, Blah...

These entries are before the default entry. What this means is these entries take precedence over the password file entries. The Blah, Blah part of the message basically will allow them whatever services we wish to give them. My guess is we will give them a prompt where they can either choose PPP or telnet. The Client-Port-DNIS="6380195" means that these users can only use the 638-0195 number to get into the VCN. They will not be able to use 638-0189. Also we will have to create a password changing program which works on both the radius users file and the password file, otherwise they will have to maintain two different passwords which is really ugly...

For public access sites that want to offer telnet only access we will do something yet again different. We will set up an entry:

    publicaccess Password="fdsafds", Client-Port-DNIS="6380195"
        User-Service = Login-User, Login-Service = Telnet, Login-Host = 207.102.64.2

This means the public access site will be set up to dial in to 638-0189 with telix and it will do the following authentication for the phone lines:

    Login: publicaccess
    Password: fdsafds

After the computer puts in that info the user will see the VCN login screen where they will be able to log in.

Finally for the ISDN line to the office we will set up one entry in the users file:

    office-phone Password="fdsafds", Client-Port-DNIS="638****"
        Blah, Blah

This means that only one user named office-phone will be allowed access to that number.

So, that is how I see things working. It is a HELL of a lot more complex than I ever thought it would be however it should work. The only really big issue from our standpoint is that normal users will have to login twice (since resolved pr28/8/98) to start-up a vcn session. Everything else should be fairly smooth...

-------------------------------------------------------------
System Administrator for the Vancouver Community Network
Jason Currell | [email protected]
voice #: (604)257-3811 | modem #: (604) 257-8778
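The users-file matching the email describes, as an added example that is not from the email or from VCN's own configuration: entries are tried in file order, an entry applies only when its Client-Port-DNIS matches the real pilot number the Ascend box reports (so 638-0189 callers show up as 638-????), and the DEFAULT entry's Password = "UNIX" defers to the host's password file. The Framed-User / PPP reply items for currell and office-phone and the password-file contents are assumptions; the unassigned numbers are kept as the email's ???? and **** placeholders.

```python
# Added example: simplified model of the RADIUS users file quoted in the email.
# Constructed users file; the Framed-User/PPP reply items are an assumption (the email says "Blah, Blah").
USERS_FILE = '''
currell Password = "currellXXX", Client-Port-DNIS = "6380195"
    User-Service = Framed-User, Framed-Protocol = PPP
publicaccess Password = "fdsafds", Client-Port-DNIS = "6380195"
    User-Service = Login-User, Login-Service = Telnet, Login-Host = 207.102.64.2
office-phone Password = "fdsafds", Client-Port-DNIS = "638****"
    User-Service = Framed-User, Framed-Protocol = PPP
DEFAULT Password = "UNIX", Client-Port-DNIS = "638????"
    User-Service = Login-User, Login-Service = Telnet, Login-Host = 207.102.64.2
'''
# Constructed stand-in for the password file on the RADIUS host (opus).
SYSTEM_PASSWORDS = {"alice": "alice-pw"}

def parse_pairs(text):
    """Turn 'A = "x", B = y' into {"A": "x", "B": "y"} (quotes stripped)."""
    pairs = {}
    for item in text.split(","):
        key, _, val = item.partition("=")
        pairs[key.strip()] = val.strip().strip('"')
    return pairs

def parse_users_file(text):
    """An entry is 'user check-items' followed by indented reply-item lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():  # continuation: reply items for the last entry
            entries[-1]["reply"].update(parse_pairs(line))
        else:
            name, _, checks = line.partition(" ")
            entries.append({"name": name, "check": parse_pairs(checks), "reply": {}})
    return entries

def authenticate(entries, system_passwords, user, password, dnis):
    """Try entries in file order; return the first accepting entry's reply items, else None."""
    for e in entries:
        if e["name"] not in (user, "DEFAULT"):
            continue
        # DNIS is the real pilot number the Ascend box sees (638-0189 callers arrive as 638-????).
        if e["check"].get("Client-Port-DNIS", dnis) != dnis:
            continue
        want = e["check"].get("Password")
        # Password = "UNIX": check against the host's password file instead.
        ok = system_passwords.get(user) == password if want == "UNIX" else want == password
        if ok:
            return dict(e["reply"])
    return None
```

A named entry that fails its DNIS or password check is skipped, so a user dialing the wrong number falls through to DEFAULT and only gets in if the host's password file knows them.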