MultiAccess ACS MA100-1M
1) Introduction:
The MA100 is an inexpensive, 1 port/modem Analog Communication Server for use with a standard POTS line (PSTN or equivalent). The ACS provides dial in PPP connections for remote nodes that need IP access to the LAN the unit is installed on. The ACS can also provide modem pool functionality for computers on the LAN.
This document complements the information found in the Quick Start and User guides. It may be to your benefit to re-read this document after using the Quick Start Guide that ships with the product.
Please Note: This document has been updated to address a significant change implemented in version 1.03. Prior to 1.03, the unit was to be configured for 1 of 2 specific roles (for which it was then dedicated to just that role). Now in 1.03, the unit can be configured for both roles (alleviating the need for administrator intervention when either role is needed).
Document Outline
1. Introduction: This document is intended to complement hands on experience.
2. General Usage: There are two primary ways to use the modem in this unit, RAS and Modem Sharing.
3. Hardware Notes: Physical architecture.
4. Software Notes: Defaults, Misc. Administrative, Version History.
5. Configuration Objectives: General, RAS Role, Modem Sharing Role.
6. Updates: General.
7. Tech Tips: Unknown IP Address, Modem Behavior, RADIUS Authentication, Modem Sharing, Microsoft DUN and IAS compatibility, Setting Up MCSI2000 Com Port Redirector.
8. Known Issues: Undefined IP Parameters, MCSI2000 and Authentication, Extra Sockets, and Modem Sharing Calls Not Logged.
2) General Usage:
The product has two roles (usage), RAS and Modem Sharing.
RAS solution: The MA100 can be used as a dial in PPP Remote Access Server in a LAN to Client environment. The purpose of which is to give a remote node (i.e. Microsoft Dial-Up Networking clients) IP access to the same subnet and LAN the MA100 is installed on. Masquerading (NAT) and LAN to LAN routing (assignment of an entire subnet) are IP networking techniques not supported by the MA100. The supported PPP security protocol (means of communicating user credentials between PPP end points) is PAP (only).
Modem Sharing solution: The modem in the MA100 can be used as a shared resource on your network. Computers with network access to the MA100 can use Telnet on port 7000 and get direct AT command access to the modem in the MA100 for either outbound or inbound calls. A common way to take advantage of this role is by installing com port redirector software (i.e. Multi-Tech's MCSI2000 for Windows XP and Windows 2000) on your workstation(s). The redirector adds a virtual com port to the workstation and uses Telnet to map (redirect) the com port to the modem. The redirector and Telnet network connection replace the UART based hardware of a PC and the serial cable connection normally found in traditional modem installations. A communication program using this virtual com port will have its data redirected to and from the modem within the MA100, making the modem appear as if it were attached directly to a communication port on the workstation. Only one workstation at a time can use the MA100 modem.
3) Hardware Notes:
The unit consists of two internal boards. The primary server board (built around the Conexant CX8100 processor and Micro Linux) runs the ACS firmware. The second board is the MT5634SMI modem.
There are 3 physical connectors on the unit, power, RJ-45 for Ethernet and RJ-11 for analog POTS line.
The unit does not contain an onboard real time clock. The unit is an SNTP client, used to derive time and date from a network time server.
4) Software Notes:
Configuration and management of the unit is web (HTTP) based. The default administrator login username is "admin" with a password of "admin"; change it before placing the unit on a production network. These credentials also have dial in and dial out access rights. The default IP address is 192.168.2.1 with a 24 bit netmask (a.k.a. subnet mask of 255.255.255.0). The MT-Device Manager is used to update the ACS firmware and the MT5634SMI-V92 Global modem firmware (additional updating details are listed below). A developer's command line interface is accessible via standard telnet. Command line access should only be used at the direction of engineering; telnet carries the login and everything typed in clear text over the network, so restrict which hosts can reach the unit.
TCP/IP is the only means of communication with the MA100. If the IP Address of the unit is not known, two methods are available for determining it. You can use a network packet analyzer to capture ARP broadcast packets sent just after power up (which reveal the IP address value of the MA100) or in version 1.03 and newer you can dial into the unit under certain situations and issue special credentials designed for this purpose. See the Tech Tips section below for additional details relating to this subject.
Version History:
1.03. Released March 2007. Added support for new Day Light Savings dates starting in 2007. Added new Auto Detect Usage feature. If there is NOT a Telnet (TCP port 7000) session connected to the unit, an incoming call will be handled by the MA100 as a RAS call. When there IS an active Telnet session connected to the unit, the modem’s configuration and behavior is then controlled by the application that opened the Telnet session (be it for outbound or inbound calls).
1.02. Released Feb. 2006. Added PPP Call Back for Local Users, with Fixed or Variable Call Back number (Call Back via RADIUS authentication is not supported). Fixed problem with web interface used to add local users.
1.01. New product July 2005. First production release, included MT5634SMI modem code 1.32i.
5) Configuration Objectives:
Please see the printed Quick Start guide (that ships with the unit) for initial out of the box configuration. The primary purpose of the quick start guide is to get the unit physically installed on your Ethernet network and to get its IP network parameters set for your network.
Once logged into the unit via HTTP use the following menus to address specific aspects.
Use the Administration menu to setup the MA100 for the network it is to be placed in (the IP Configuration section is the required minimum).
The unit needs to be given a static IP address (it does not use DHCP). Define the subnet mask, default gateway (which is the route off the network) and define the IP address of your DNS server. This DNS server will be used by the MA100 to resolve names (like when the MA100 sends an administrative email notification) and this address will be given to the dial in RAS users as the DNS they can use. Setup administrative email notification. Setup date and time via SNTP. The unit can be restarted (rebooted) from this menu as well.
Use the Modem Setup menu to define Modem Sharing behavior and general modem parameters (country code and number of rings before auto answer).
The TCP port number used to access the modem is 7000. The Modem Sharing method can be with or without an authentication process. Modem Sharing with authentication means a login prompt will be issued into the socket (to the user) when it is opened. Whoever (whatever) opened the socket must provide appropriate credentials before access is given to the modem. The database of user names and passwords the MA100 will check against can be one of two choices: a local database (defined within the MA100) or a RADIUS database (defined in a RADIUS server external to the MA100). Without authentication, any host that can reach TCP port 7000 can place calls on the line.
The type of Telnet connection (mode) can be "Raw" (or not raw). A raw Telnet connection passes every byte through unchanged: it does not send, interpret or strip Telnet or RFC 2217 escape sequences. When Raw is not used, a byte of value 0xFF is interpreted as the Telnet IAC (interpret as command) escape flag. The escape routine removes the escape flag and the subsequent characters that carry command and control functions between Telnet hosts (option negotiation and RFC 2217 com port control subnegotiations) before the data reaches the modem. In this mode a literal 0xFF in modem data must be sent doubled (IAC IAC); a client that sends binary data without doubling 0xFF should use Raw, or that data will be consumed as commands.
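The following is an added example, written for this note and not Multi-Tech's code, of what a port 7000 client has to do in the non-raw (Telnet) mode: double outgoing 0xFF bytes, and strip IAC commands, option negotiation and RFC 2217 subnegotiations from the incoming stream (including sequences split across two TCP reads) before treating the bytes as modem data. The login prompt text ("login:" / "password:") and the "ok" access-granted message are taken from this document; that the unit sends "ok" also when authentication is off is an assumption. The sample bytes in the usage note are constructed.

```python
"""Telnet-mode (non-raw) handling for the MA100 modem-sharing socket, TCP 7000.

Added example, not Multi-Tech code. In non-raw mode every 0xFF on the wire is
the Telnet IAC escape: literal 0xFF in modem data must be sent doubled
(IAC IAC), and IAC commands, option negotiation and RFC 2217 COM-PORT-OPTION
subnegotiations must be stripped before bytes reach the application.
"""
import socket

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def escape_outbound(data: bytes) -> bytes:
    """Double any 0xFF so the unit does not read modem data as an IAC command."""
    return data.replace(b"\xff", b"\xff\xff")


class TelnetFilter:
    """Incremental filter: strips IAC sequences, returns application bytes.

    State is kept across calls, so a sequence split across two TCP reads is
    still handled. Stripped commands are collected in .commands for logging.
    """

    def __init__(self):
        self._buf = bytearray()
        self.commands = []

    def feed(self, chunk: bytes) -> bytes:
        buf = self._buf
        buf += chunk
        out = bytearray()
        i = 0
        while i < len(buf):
            if buf[i] != IAC:
                out.append(buf[i])
                i += 1
                continue
            if i + 1 >= len(buf):          # lone IAC: need the next byte first
                break
            cmd = buf[i + 1]
            if cmd == IAC:                   # IAC IAC = one literal 0xFF data byte
                out.append(IAC)
                i += 2
            elif cmd in (DO, DONT, WILL, WONT):
                if i + 2 >= len(buf):        # option byte has not arrived yet
                    break
                self.commands.append(bytes(buf[i:i + 3]))
                i += 3
            elif cmd == SB:                  # subnegotiation runs up to IAC SE
                end = buf.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    break
                self.commands.append(bytes(buf[i:end + 2]))
                i = end + 2
            else:                            # two-byte command (NOP, AYT, ...)
                self.commands.append(bytes(buf[i:i + 2]))
                i += 2
        del buf[:i]
        return bytes(out)


def modem_session(sock, commands=(b"ATI",), login=None, raw=False, timeout=5.0):
    """Drive the port-7000 socket: answer the login prompt when the unit is set
    to Modem Sharing with Authentication, then send each AT command and return
    the (filtered) transcript. sock needs sendall()/recv()/settimeout().
    login is a (username, password) tuple or None."""
    sock.settimeout(timeout)
    filt = TelnetFilter()
    tx = (lambda b: b) if raw else escape_outbound

    def read_until(*markers):
        got = b""
        while not any(m in got for m in markers):
            chunk = sock.recv(1024)
            if not chunk:
                raise ConnectionError("socket closed (another port-7000 session open?)")
            got += chunk if raw else filt.feed(chunk)
        return got

    log = b""
    if login:
        log += read_until(b"login:")
        sock.sendall(tx(login[0].encode() + b"\r\n"))
        log += read_until(b"assword:")
        sock.sendall(tx(login[1].encode() + b"\r\n"))
    log += read_until(b"ok", b"OK")          # "ok" is issued once the modem is granted (assumed unconditional)
    for cmd in commands:
        sock.sendall(tx(cmd + b"\r"))
        log += read_until(b"OK\r\n", b"ERROR\r\n")
    return log


if __name__ == "__main__":
    with socket.create_connection(("192.168.2.1", 7000)) as s:   # default unit address
        print(modem_session(s, commands=(b"ATI", b"ATI3")).decode(errors="replace"))
```

Feeding the constructed stream b"AT\r\n\xff\xff\xff\xfd\x2cOK\r\n" to TelnetFilter yields b"AT\r\n\xffOK\r\n" and records the DO COM-PORT-OPTION (option 44) request separately, which is the difference a redirector relies on and a raw client never sees.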
Use the Authentication menu to setup the remote host address and authentication method (RADIUS or Local) for RAS calls. The RADIUS Client details defined here will also be used by Modem Sharing when it is set to use RADIUS Authentication.
For RAS (dial in PPP) a second static IP address is needed. This address is for the dial in user (PPP peer). This address is defined in the Remote Host Address field. This address needs to be on the same subnet (network number) as that of the MA100. PAP is the only supported PPP authentication protocol. PAP is used to communicate user credentials from the PPP peer (MS-DUN) to the MA100. CHAP and MS-CHAP protocols are not supported.
The Authentication Type field in this menu only applies to RAS calls. When the type is set to Local, the MA100 will look to match the credentials provided by the caller with credentials listed in the Local Users menu. Additionally, local users can be called back at a fixed pre-defined number that is entered/defined by the "administrator" at the time of setting up the local account, or the client (PPP peer) can be called back at a variable (always changing) number that is entered by the "user" at the time of dialing in. Fixed call back is the safer of the two, since a caller who knows a user's credentials cannot redirect the call to a number of their choosing.
When the type is RADIUS, the MA100 will send the credentials to the RADIUS Server that is defined in this menu.
RADIUS Accounting is a process that starts after successful RADIUS authentication. The MA100 sends an accounting start packet to the accounting server defined in this menu. When the user disconnects, the MA100 sends an accounting stop packet to the accounting server. RADIUS accounting summarizes the time and date, duration, and IP address given to the user, for this particular call. RADIUS Accounting does not track the amount or type of data of the session or the places the user communicates with.
The Secret is a shared secret known to both the RADIUS Server and the RADIUS Client, so the same alphanumeric string (including case) must be defined in both. The MA100 implements the standard RADIUS MD5-based scheme: the user's password is hidden by XORing it with an MD5 keystream derived from the secret and the per-request Request Authenticator, and the server's reply is authenticated with an MD5 hash that includes the secret. This is not strong encryption and the rest of the RADIUS packet travels in clear text over UDP, so keep the path between the MA100 and the RADIUS server on a trusted network and choose a long, random secret.
The RADIUS Server has to be listening on the same set of UDP ports that the RADIUS Client (MA100) is using.
Use the Local Users menu to add users to the local database.
Add local users when the Authentication Menu has the Authentication Type set to "Local" and when Modem Sharing with Local Authentication is selected. Local users that are added will have dial in and dial out rights, but they will not have administrator rights.
6) Update Process:
MT-Device Manager version 1.05.06 or newer is used to update the version of MA100 code and the version of MT5634SMI modem code. Install the Device Manager on a PC that has full IP access to the MA100. The MT-Device Manager uses Telnet and TFTP to communicate with the MA100, which includes the use of various additional TCP and UDP ports in the 1500s, 2200s and 3000 ranges. Refer to Appendix A of the MA100 User Guide (P/N S000351C Rev C) for a detailed update procedure.
7) Tech Tips
Administration
If the IP Address of the unit is not known, two methods are available to retrieve the stored value.
Method A)
For units running version 1.03 or newer, you can use a terminal program to dial in and issue special credentials, provided the modem is configured to auto answer (the default is to auto answer after two rings). Attach a phone line and Ethernet cable to the unit (the modem is placed out of service if the Ethernet interface does not have a solid Link indication). Dial into the line with a terminal program. After carrier is established a login prompt should appear. Be aware that these credentials are fixed in the firmware and published here, so anyone who can dial the line can learn the unit's LAN address; treat the line number accordingly.
At the prompts, issue the appropriate credentials - which are case sensitive.
login: giveMeIP
password: IPplease
A response of "all.loc_host ###.###.###.###" will be issued and then the call will be disconnected.
Method B)
Use a network packet analyzer to capture Ethernet ARP broadcast packets sent by the MA100. The ARP packets ask "who has IP address ###.###.###.###, tell IP ###.###.###.###". The address to be told is the address you are looking for (is the address of the MA100).
Network analyzers (packet sniffers) have become easy to use and obtain (freeware). The general procedure would be:
With both (the analyzer and MA100) connected to the same Ethernet segment,
Turn off the MA100,
Start capturing network traffic,
Turn on the MA100,
Continue capturing packets for approximately 15 seconds,
Stop the network trace,
Review the packets captured.
Upon finishing the boot up sequence, the MA100 automatically sends an email to the system administrator (stating the MA100 just came online). To send it, the unit first has to resolve the mail host name (DNS) and then deliver the message (SMTP), and each step generates ARP broadcasts. The MA100 configuration contains the IP address of a DNS server, so an ARP request is sent out to learn the hardware address of "the IP address of the DNS server". Additionally, there is another (almost simultaneous) ARP sequence, for contacting the NTP server, during the same time.
Look for ARP packets that have a hardware source address that begins with 00:08:00:##:##:##. The analyzer may choose to display the name of the registered owner of the Ethernet MAC address range (in this case it would appear as Multitec_:##:##:##).
Assuming either process above has led you to the IP address of the MA100, you now want to browse (HTTP) into the MA100 so you can re-configure it. Establishing IP communication depends on a number of variables that go beyond the scope of this document; the subnet mask value (as defined in the MA100 and in the local computer trying to reach it) is an integral part of this equation. In most cases, if you set your computer to an IP address one number off from the MA100's address and set your computer's subnet mask to the standard (classful) mask normally associated with that address range, you will be able to communicate with the MA100. This trial and error method may need to be expanded depending on how the net mask values are defined in each device. You may see one of three scenarios unfold:
A) The MA100 does not respond to the HTTP request.
B) The MA100 responds, but the computer you are browsing from ignores the response or does not receive it due to routing issues.
C) Communication is successful (in that the MA100 login screen appears).
Change the netmask value on your PC until scenario C occurs. To know for sure if the MA100 is responding - you need to utilize the network analyzer at the time of launching the http session.
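The ARP capture procedure above, as an added example written for this note (not Multi-Tech code): it parses raw Ethernet/ARP frames as a packet analyzer would deliver them, keeps only ARP requests whose sender MAC falls in the 00:08:00 OUI, reports the sender address (the unit's own IP), and then, for the subnet trial just described, suggests an address one number off and the classful default mask for the PC. The three sample frames are constructed, not captured from a unit, and the MAC and addresses in them are made up.

```python
"""Recover the MA100's IP from the ARP requests it broadcasts after boot.

Added example, not Multi-Tech code. Frames are raw Ethernet II + ARP as a
packet analyzer captures them. Only the 00:08:00 OUI is taken from the
document; the sample frames below are constructed.
"""
import ipaddress
import struct

MULTITECH_OUI = bytes.fromhex("000800")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an ARP request, else None."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REQUEST:
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return sha, str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def find_multitech_senders(frames):
    """Map sender IP -> (sender MAC, address asked for) for ARP requests whose
    source MAC begins with the Multi-Tech OUI. The sender IP ("tell X") is the
    unit's address; the target is the DNS/NTP server it is trying to reach."""
    found = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0][:3] == MULTITECH_OUI:
            found.setdefault(parsed[1], (mac_str(parsed[0]), parsed[2]))
    return found


def suggest_pc_address(unit_ip: str):
    """Address one number off from the unit plus the classful default mask for
    its range, which is the first thing to try when the real mask is unknown."""
    ip = ipaddress.IPv4Address(unit_ip)
    first_octet = int(ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    net = ipaddress.IPv4Network(f"{unit_ip}/{prefix}", strict=False)
    candidate = ip + 1
    if candidate not in net or candidate == net.broadcast_address:
        candidate = ip - 1
    return str(candidate), str(net.netmask)


def build_arp_request(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast ARP request frame (used here only for sample data)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + src_mac + ipaddress.IPv4Address(sender_ip).packed
           + b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


# Constructed sample capture: two requests from a unit (DNS, then NTP lookup)
# and one from an unrelated PC that must be ignored.
SAMPLE_FRAMES = [
    build_arp_request(bytes.fromhex("000800aabbcc"), "192.168.2.1", "192.168.2.10"),
    build_arp_request(bytes.fromhex("000800aabbcc"), "192.168.2.1", "192.168.2.20"),
    build_arp_request(bytes.fromhex("001122334455"), "192.168.2.50", "192.168.2.1"),
]

if __name__ == "__main__":
    for unit_ip, (mac, asked) in find_multitech_senders(SAMPLE_FRAMES).items():
        pc_ip, mask = suggest_pc_address(unit_ip)
        print(f"unit {unit_ip} ({mac}) asked for {asked}; try PC {pc_ip} mask {mask}")
```

With a real capture, replace SAMPLE_FRAMES with the raw frames exported from the analyzer; the OUI filter is what separates the unit's ARP traffic from everything else on the segment.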
If you do not know the HTTP admin account password (and it is not the default), try the admin account via a standard telnet session to the MA100. If you can log in via telnet, cat the main configuration file "cfgtxtfile", which contains the HTTP administration account credentials. From the # prompt issue "cat /var/config/cfgtxtfile" (without the quotes). Look for the "userid" and "password" values for the first entry (index 0) in the "phonebook" section near the top of the file. Note that this file stores the credentials in clear text and telnet carries them unencrypted over the network, so anyone with telnet access to the unit effectively has administrator access; change the default admin password and restrict which hosts can reach the unit's telnet port.
Modem Behavior
The MA100 system automatically initializes the MT5634SMI-V92 Global modem after certain events. The user can also manually invoke the initialization of the modem from the Current Status menu when the modem is idle and there is not an active telnet 7000 connection. The MA100 system issues two strings for each initialization event:
AT &F E0 %T19,0,34 &D2 M0 S0=n +FCLASS=0
AT *H4 +VCID=n
The Modem Setup menu allows for the user to control the number of rings to answer on (S0=n) and the Country Code (%T19,0,nn). The modem initialization events are:
Upon system boot up (power up or unit reset).
After RAS call disconnects.
After Telnet 7000 connection is closed/terminated.
When the "Initialize Modem" button is pressed in the Current Status menu.
When the "Update" button is pressed in the Modem Setup menu.
The *Hn command controls the On-Hook Delay feature. This feature keeps the line busy (for the duration specified) after each disconnect event (on hook event). This is a safeguard while the system re-initializes for the next call.
*H0 = Feature Disabled (&f command sets *H0).
*Hn, where n is a value of 0 through 99 in units of 10 seconds; *H4 is therefore a delay of 40 seconds before the modem releases the line.
When the modem in the MA100 is being used via Modem Sharing access, the application using the modem is responsible for the modem’s configuration. Depending on the application, it may be appropriate to disable the *H delay (issue &f or *H0) before establishing calls.
RADIUS Authentication problems
General RADIUS Notes: The RADIUS authentication process involves Client and Server components. The MA100 (for either Modem Sharing or RAS) is a RADIUS Client only. For all RADIUS implementations, the RADIUS Server must be configured with (informed of) the IP address and shared secret of each RADIUS client (MA100) it is to serve, which normally means editing the "clients" file on the RADIUS server. The shared secret is used by both RADIUS server and client: when the client sends an authentication request (Access-Request), it hides the user's password by XORing it with an MD5 hash of the shared secret and the per-request Request Authenticator; when the server reads the request, it recovers the password using the same shared secret value, and it uses the secret again to compute the Response Authenticator on its reply. The RADIUS server also has to be listening on the same UDP port the RADIUS client is using. The scheme implemented by the ACS is standard RADIUS MD5 password hiding (RFC 2865).
If the RADIUS server shows the Access-Request was rejected, the shared secret is wrong (it is case sensitive, and a mismatch makes the recovered password garbage rather than producing a distinct error), the user is giving the wrong password, or the user does not have appropriate rights.
If the RADIUS server does not see the Access-Request at all: the MA100 was not added to the clients file within the RADIUS server (a server silently discards requests from unknown clients), the RADIUS client is not set to the same UDP ports as the RADIUS server, the RADIUS client is pointing to the wrong RADIUS server IP address, or a network problem is blocking or dropping the request (RADIUS uses UDP to communicate). When the request gets no response, the RADIUS client eventually reports a "RADIUS Timeout" error (no response from the RADIUS server) and disconnects the user.
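The exchange described in the Authentication menu notes and in the RADIUS tips above, as an added example written for this note and not Multi-Tech's code: both the client side (what an MA100 sends for a PAP login) and the server side (clients file lookup, password recovery, policy on Service-Type, signed reply) are implemented in Python, so the effect of a wrong shared secret, a wrong password, a missing clients entry (timeout) and a Service-Type that the policy does not allow can each be seen. The usernames, passwords, NAS address and secret are constructed test values.

```python
"""RADIUS PAP exchange between a client such as the MA100 and a RADIUS server.

Added example, not Multi-Tech's code. Implements RFC 2865 User-Password
hiding (MD5 keystream keyed by the shared secret) on both sides, the Response
Authenticator, and a policy check on Service-Type (Framed for RAS, Outbound
for modem sharing). All names, passwords, addresses and the secret are
constructed test values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
SERVICE_FRAMED, SERVICE_OUTBOUND = 2, 5      # Service-Type values (RFC 2865)
FRAMED_PPP = 1


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same scheme; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[code] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, service_type):
    """Client (MA100) side: PAP credentials plus Service-Type / Framed-Protocol,
    the attributes an IAS policy condition can match on."""
    req_auth = os.urandom(16)                     # fresh per request, never reused
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", service_type))
             + attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PPP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet, clients, users, required_service=None):
    """Server side: secret comes from the clients file keyed by NAS address;
    reply is signed MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    Unknown clients are silently discarded (the MA100 then sees a RADIUS Timeout)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    secret = clients.get(".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b"")))
    if code != ACCESS_REQUEST or secret is None:
        return None
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    service = struct.unpack("!I", attrs.get(SERVICE_TYPE, b"\0\0\0\0"))[0]
    ok = (users.get(attrs.get(USER_NAME)) == password
          and (required_service is None or service == required_service))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", service)) if ok else b""
    hdr = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    return hdr + hashlib.md5(hdr + req_auth + reply_attrs + secret).digest() + reply_attrs


def client_check_reply(request, reply, secret):
    """Client side: verify the Response Authenticator before trusting the answer."""
    if reply is None:
        return "RADIUS Timeout"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return "identifier mismatch"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        return "bad Response Authenticator (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "unexpected code")
```

With the secret on one side set to a different string, the server logs a reject (it recovered a garbage password) and the MA100 side cannot even validate the reply, which is why a case mismatch in the secret looks like a bad user password on the server and like a failed or timed out authentication on the unit.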
Microsoft compatibility from the MultiAccess RAS role.
Dial Up Networking on the remote workstation: The properties applet usually has 5 tabs, with the "Security" and "Networking" tabs addressing the parameters of concern. The type of security must be "Typical" with "Allow Unsecured Password". This description of "typical" and "unsecured" refers to the PPP authentication protocol of PAP (which transfers the credentials as clear text). On the Networking tab, the TCP/IP component must be set to Obtain IP Address and DNS Automatically. The remaining TCP/IP parameters can be left at default. However for some of the options (depending on your network variables), if they are set incorrectly communication at a certain level may not work (like name resolution or routing issues).
IAS (Internet Authentication Service): There are many variables to IAS and its interaction with a Windows user database (Local Users or Active Directory) that go beyond the scope of this document (and beyond the control of an IAS client). Additionally, even though IAS may already be installed and working with other clients (applications and appliances), this does not mean its settings and policies are appropriate when serving a new client (i.e. additional RAS gear).
IAS Client Properties
Client-Vendor = RADIUS Standard
"Client must always send the signature attribute in the request" = unchecked (the MA100 does not send a Message-Authenticator)
IAS Policy Properties
Condition to match = Service-Type matches Framed
Grant remote access permission if the condition matches
Profile Settings:
Advanced (RADIUS attributes returned to the client):
Framed-Protocol = PPP
Service-Type = Framed
Authentication: Unencrypted authentication (PAP) enabled
IP: Server settings determine IP address assignment
Modem Sharing
The MA100 can not tell which application (on the workstation) is opening the TCP port/socket. Redirectors, telnet clients, and proprietary programs all appear the same to the MA100 because they all use TCP/IP to get to the modem in the MA100.
When access to the modem is granted, an "ok" message is issued to the user/socket.
Telnet to the modem and issue AT commands, try to dial out. If responses to AT commands are encountered and the destination rings, the MA100 and the phone line connected to it are working and acting appropriately.
When the MA100 is configured for Modem Sharing with RADIUS Authentication, the users must have outbound rights (defined in the RADIUS server). Normally, this means the RADIUS Service-Type attribute for the user is set to Outbound (value 5), as opposed to Framed (value 2) for RAS dial in users.
If, from a Windows based computer, the intention is to use the modem in the MA100 as a TAPI resource (i.e. Dial Up Networking or another application using a modem listed in the Phone and Modems applet), a com port redirector program needs to be installed on the workstation and configured appropriately. The appropriate Multi-Tech modem choice (MT5634SMI-V92) needs to be manually assigned to the virtual com port created by the redirector. In most cases, the Phone and Modems applet cannot auto detect a redirected modem, nor will its diagnostics feature be able to communicate with the modem. This is due to the behavior of the Phone and Modems applet. The com port created by the redirector will not be listed in the Device Manager, because it is not actually a piece of hardware within the PC.
Setting Up MCSI2000 Com Port Redirector
Add 1 MCSI com port to your workstation (configure it and reboot the workstation). Multiple com ports can be installed and configured within the workstation, but only one MCSI2000 com port at a time can be active within the workstation. The properties of the MCSI com port should be:
Connect Time = 0
Direct (not MAG)
Use Line Defaults = Yes
Server IP address is that of the MA100
Protocol = Telnet
Port Number = 7000
Authentication = No (unchecked).
8) Known Issues:
With 1.03 and older: A blank entry in certain fields of the IP Configuration section of the Administration menu will cause any attempt at changing any parameter to NOT take effect (even though the menu indicates the changes will take effect in 5 seconds). These fields would be the IP Address, Subnet Mask, Default Gateway and Name Server (Secondary Name Server is ok to leave blank).
The MCSI2000 com port redirector software when set to use Authentication, and the MA100 firmware version 1.03 when set to Modem Sharing with Authentication, are not compatible with each other. The compatibility issue relates to how long MCSI2000 will wait for a login prompt to appear (the login prompt is provided by the MA100). This timing issue does not exist if the MA100 firmware is version 1.02, or when instead using the com port redirector DialOutEZ from Tactical Software.
Avoid having two or more telnet sessions attempting to connect to the MA100. The results are inconsistent and misleading. The MA100 should reject socket connections if one is already established on 7000, but it does not. The second socket connection appears connected but gets no response from the modem.
Modem Sharing calls are not logged within the ACS.
Last Updated: February 11th, 2008.