Technical details on Switch Installation

As part of the Job Seekers Internet Access Project, Industry Canada helped support the purchase and installation of an upgraded terminal server and modem pool for Vancouver CommunityNet. The project involves changing from our current analog dial-in lines that access 14.4 USR modems to entirely digital lines and equipment. The CommunityNet had been under considerable pressure, from a number of directions, to make this change for some time. The project provided an opportunity to make the changes and supply the enhanced access required to meet the training and public access goals of the project partners.

Below are some notes that may be useful to others configuring similar equipment for purposes of public access to the Internet.

From [email protected] Fri Aug 28 11:00:10 1998
Date: Fri, 21 Aug 1998 17:18:27 -0700 (PDT)
From: Jason Currell 
To: [email protected]
Cc: Peter Royce 
Subject: New Phone lines (How they will work).

I have a radius server installed on garfield for now and I think I have
finally figured this whole thing out.  So here goes.

Basically we have purchased 2 T1-PRI's from Metronet.  These lines consist
of 47 B channels and 1 D channel for signaling.  In order to access these
phone lines we have what are called "common pilot numbers".  Each B
channel does not have its own phone number; there is one phone number
which can be used to hunt over all channels in the group.  Now what we
have done is actually assign several separate numbers which access the
entire set of B channels.  

We have also set up one special number which call forwards all calls that
come in to one of the common pilot numbers.  This is called a virtual
facilities group number.  We can set up this particular number so that it
never call forwards more than 41 separate phone calls at one time.

So here is what we have:

Common Pilot Numbers
638-0195 	(This is the number we give out to IP's)
638-????	(This number is kept secret and nobody ever uses it)
638-****	(This is the number that we use to connect with ISDN)

Virtual Facilities Group Number
638-0189	(This call forwards to 638-????)


The only two numbers that will ever be public are 638-0195 (For IP's) and
638-0189 (for everybody else).  Nobody will ever dial into 638-????.  Only
the office will ever dial into 638-****.  (By the way ???? and **** will
be actual numbers Metronet just hasn't assigned them to us yet because I
just figured this out today).

Now, in order to have different security on these lines we have to use
DNIS (dialed number information service).  Whenever you put a call through
to the Ascend box it can see what number the user dialed into and change
how it authenticates based upon what number the user dialed.  So for
example, if a user comes in on the 0189 number they will be given telnet
only access.  If the user comes in on 0195 the user will be given telnet
or PPP access.  (It all depends upon how you set it up).

Now to complicate the whole issue, if we have a virtual number call
forwarding to an actual number then DNIS is going to see the call as
coming from the real number, not the one that is being forwarded.  So if
somebody calls in on 638-0189 the Ascend box will think the call is coming
in from 638-????.  This is the reason why we need 638-???? instead of just
having 638-0189 forward to 638-0195 (the way Metronet set it up).

Now the key to this entire security arrangement is that nobody can ever
know what 638-???? is.  Because if they find out this number, they will
have access to all 47 B channels.  (Remember we only want to give them a
maximum of 41 channels).


Securing the Phone Lines
------------------------
So basically we can either secure the phone lines or not secure the phone
lines.  There is no way to set it up so that one phone number tests for
security and another number does not test for security.  Either both
numbers test or none of them test.  Not having them test is fine if we
have the Ascend box only telnet people directly to vcn.bc.ca and we aren't
worried about separate modem pools.  However these are issues, so we do
need this security.  The problem is, if we have phone line security and
then login security, anybody going into the main modem pool is essentially
going to have to login twice.  Once for the phone lines and Ascend box and
then once again when they telnet to the VCN.  Unfortunately there isn't
any way around this.

The way that things will be set up, we will have radius running on
opus.vcn.bc.ca.  The DEFAULT entry will be:

DEFAULT Password = "UNIX", Client-Port-DNIS="638????"
        User-Service = Login-User,
        Login-Service = Telnet,
        Login-Host = 207.102.64.2

What happens is, if a user is not listed in the users file then radius
tries to see if their login and password match that of the box that
radius is running on.  If they do then it authenticates them.  The
Client-Port-DNIS="638????" means only let in people who have dialed the
number 638????.  (Remember 638-0189 forwards to 638-????).  

So basically if somebody dials into 638-0189 they will be given a login
and a password prompt.  If their login and password match one in the
password file on opus then they have made it through the first layer of
authentication.  They are allowed to use the phone line.  After this the
ascend box starts up a telnet session to vcn.bc.ca.  Once they reach
vcn.bc.ca they will then have to login one more time to get into the
CommunityNet.

Now for the 638-0195 number.   Anybody who dials into this number must
have an entry in the radius users file which looks as follows:

currell   Password="currellXXX",  Client-Port-DNIS="6380195"
	Blah, Blah, Blah...

These entries are before the default entry.  What this means is these
entries take precedence over the password file entries.  The Blah, Blah
part of the message basically will allow them whatever services we wish to
give them.  My guess is we will give them a prompt where they can either
choose PPP or telnet.   The Client-Port-DNIS="6380195" means that these
users can only use the 638-0195 number to get into the VCN.  They will not
be able to use 638-0189.  Also we will have to create a password changing
program which works on both the radius users file and the password file,
otherwise they will have to maintain two different passwords which is
really ugly...

For public access sites that want to offer telnet only access we will do
something yet again different.  We will set up an entry:

publicaccess    Password="fdsafds", Client-Port-DNIS="6380195"
        User-Service = Login-User,
        Login-Service = Telnet,
        Login-Host = 207.102.64.2

This means the public access site will be set up to dial in to 638-0189
with telix and it will do the following authentication for the phone lines:
Login: publicaccess 
Password: fdsafds
After the computer puts in that info the user will see the VCN login
screen where they will be able to log in.

Finally for the ISDN line to the office we will set up one entry in the
users file:
office-phone    Password="fdsafds", Client-Port-DNIS="638****"
		Blah, Blah

This means that only one user named office-phone will be allowed access to
that number.

So, that is how I see things working.  It is a HELL of a lot more complex
than I ever thought it would be however it should work.  The only really
big issue from our standpoint is that normal users will have to login
twice (since resolved pr28/8/98) to start-up a vcn session.  Everything
else should be fairly smooth... 

-------------------------------------------------------------
 System Administrator for the Vancouver Community Network
 Jason Currell           |  [email protected]
 voice #: (604)257-3811  |  modem #: (604) 257-8778
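The DNIS-based gating described in the message above, as an added worked model (not code from the original page or from the Vancouver CommunityNet): a simplified first-match evaluation of a Livingston-style RADIUS users file, where a named entry is skipped when its Client-Port-DNIS check item does not match the number the Ascend box actually sees, and the DEFAULT entry with Password="UNIX" falls back to the system password file. The hidden pilot number (6389999), the office ISDN number (6388888), the system password file contents and the reply labels are constructed placeholders; the publicaccess entry is keyed to the hidden pilot number because that is the DNIS a forwarded 638-0189 call arrives with.

```python
# Constructed placeholders standing in for the real Metronet assignments.
HIDDEN_PILOT = "6389999"      # the 638-???? number nobody is supposed to know
OFFICE_ISDN = "6388888"       # the 638-**** number used only by the office
PUBLIC_PILOT = "6380195"      # given out to IPs (PPP or telnet)
VIRTUAL_GROUP = "6380189"     # public number, capped at 41 forwarded calls

# Call forwarding: the terminal server sees the number the call lands on.
FORWARD = {VIRTUAL_GROUP: HIDDEN_PILOT}

# Stand-in for the password file on opus (constructed).
SYSTEM_PASSWD = {"alice": "unixpw"}

# Users file, in order: named entries first, DEFAULT last.
USERS = [
    {"name": "currell", "Password": "currellXXX",
     "Client-Port-DNIS": PUBLIC_PILOT, "reply": "ppp-or-telnet"},
    {"name": "publicaccess", "Password": "fdsafds",
     "Client-Port-DNIS": HIDDEN_PILOT, "reply": "telnet 207.102.64.2"},
    {"name": "office-phone", "Password": "fdsafds",
     "Client-Port-DNIS": OFFICE_ISDN, "reply": "isdn-office"},
    {"name": "DEFAULT", "Password": "UNIX",
     "Client-Port-DNIS": HIDDEN_PILOT, "reply": "telnet 207.102.64.2"},
]


def dnis_seen(dialed: str) -> str:
    """DNIS reports the real number, not the virtual one that forwarded."""
    return FORWARD.get(dialed, dialed)


def authenticate(user: str, password: str, dialed: str):
    """Return the service a caller gets, or None if the call is rejected."""
    dnis = dnis_seen(dialed)
    for entry in USERS:
        if entry["name"] not in (user, "DEFAULT"):
            continue
        if entry["Client-Port-DNIS"] != dnis:
            continue            # check item fails; keep scanning the file
        if entry["Password"] == "UNIX":
            ok = SYSTEM_PASSWD.get(user) == password
        else:
            ok = entry["Password"] == password
        return entry["reply"] if ok else None
    return None
```

Note that a caller who learns the hidden pilot number and dials it directly is treated exactly like a forwarded 638-0189 call, so the 41-call cap on the virtual group is bypassed; the secrecy of that number, not RADIUS, is what enforces the cap.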