(RADIATOR) Value of Attribute replacement

Dmitry Kopylov Dmitry.Kopylov at bbned.nl
Mon Dec 3 04:47:06 CST 2001


Hello Hugh,

I know this is not the best approach, and as you asked, here is the design:

We terminate L2TP tunnels from Worldcom's LAC (Max TNT) on our Cisco LNS.
Worldcom can only support IETF RADIUS tunnelling attributes. The idea is to
keep one RADIUS profile combining both the L2TP and the PPP stuff:

#
#Test account for WorldCom L2TP service
#uunoc  User-Password = "xxxxxx",Service-Type = Framed-User
#       Tunnel-Type = L2TP,
#       Tunnel-Medium-Type = IP,
#       Tunnel-Server-Endpoint = 195.129.20.13,
#       Tunnel-Password = xxxxx,
#       Tunnel-Client-Auth-ID = WCOM01,
#       Service-Type = Framed-User,
#       Framed-Protocol = PPP,
#       Framed-IP-Address = 62.177.172.10,
#       Framed-IP-Netmask = 255.255.255.255

The first time, Worldcom's LAC looks up our RADIUS, gets the Tunnel attributes and
establishes the L2TP tunnel. The problem starts when the LNS looks up RADIUS for the
second time for the PPP attributes. At that point we have a PPP authorization
problem; it looks like the LNS doesn't correctly accept the IETF Tunnel attributes.
We have already escalated this issue to Cisco and it seems to be a bug.

The workaround I'm thinking of is to create one generic RADIUS account with
L2TP parameters which is common for all L2TP customers, and separately many
RADIUS profiles with PPP parameters. Then, based on the NAS-IP-Address and
the Realm in the Access-Request, I can rewrite requests from the LAC into the generic
L2TP profile name, and those from the LNS into the normal PPP profiles.

At this point I need to solve the problem with the password for the generic L2TP
profile. That's why I meant to replace the value of the CHAP-Password attribute
in the requests designated for the generic L2TP profile.


Best Regards,

Dmitry Kopylov
BBned

> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: 30 November, 2001 23:47
> To: Dmitry Kopylov; radiator at open.com.au
> Subject: Re: (RADIATOR) Value of Attribute replacement
> 
> 
> 
> Hello Dmitry -
> 
> 
> At 19:13 +0100 01/11/30, Dmitry Kopylov wrote:
> >Hi everyone,
> >
> >
> >I've got a standard Access-Request:
> >
> >*** Received from 62.177.143.122 port 1645 ....
> >Code:       Access-Request
> >Identifier: 13
> >Authentic:  0<184><145><169><164>,<132>xsz<26>O<168><129><127><237>
> >Attributes:
> >         NAS-IP-Address = 62.177.143.122
> >         NAS-Port = 1
> >         NAS-Port-Type = Virtual
> >         User-Name = "uunoc at bbeyond.flatisdn.net"
> >         Called-Station-Id = "97532120"
> >         Calling-Station-Id = "31235652175"
> >         CHAP-Password =
> ><6>~<174><192><10><252>;<23><202>l<20><14>fDQ<142><179>
> >         Service-Type = Framed-User
> >         Framed-Protocol = PPP
> >
> >
> >I need to replace the value of the CHAP-Password attribute before Radiator
> >will check the users file. If it's possible, what is the best way to do
> >this?
> >
> 
> You could use a PreAuthHook to do it. Have a look at the example 
> hooks in the file "goodies/hooks.txt" in the Radiator distribution.
> 
> However, I wonder if this is the best approach? If you could describe 
> your requirements in a bit more detail, perhaps I can suggest a 
> better way.
> 
> regards
> 
> Hugh
> 
> -- 
> 
> NB: I am travelling this week, so there may be delays in our 
> correspondence.
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 
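The rewrite Dmitry describes (route LAC requests for the L2TP realm to one generic tunnel profile, and recompute the CHAP-Password so the generic profile's password checks out) can be modelled outside Radiator. The following is an added example, not code from the thread or from Radiator: it is a stand-alone Python model of the decision a PreAuthHook would make, using RFC 2865's CHAP-Password rule (Ident followed by MD5 over Ident, password and challenge, where the challenge is the CHAP-Challenge attribute or, failing that, the Request Authenticator). The generic profile name, its password, the per-user password, the LNS address and the assumption that 62.177.143.122 is the LAC are all constructed placeholders; the ident 6 and the realm bbeyond.flatisdn.net come from the posted request. In Radiator itself this logic would sit in a PreAuthHook and read and rewrite the packet's attributes through its accessors, as the goodies/hooks.txt examples do.

```python
import hashlib
from dataclasses import dataclass

# Constructed configuration for this example (assumptions, not values from the thread,
# except that 62.177.143.122 is the address the posted request came from).
LAC_NAS_IPS = {"62.177.143.122"}           # assumed to be the Worldcom LAC
L2TP_REALM = "bbeyond.flatisdn.net"        # realm seen in the posted User-Name
GENERIC_L2TP_USER = "l2tp-generic"         # hypothetical generic tunnel profile
GENERIC_L2TP_PASSWORD = "generic-secret"   # hypothetical password of that profile
USER_PASSWORD = "user-secret"              # hypothetical per-user PPP password


@dataclass
class Request:
    attrs: dict          # attribute name -> value (CHAP-Password/CHAP-Challenge as bytes)
    authenticator: bytes  # 16-byte Request Authenticator


def chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 5.3: Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_challenge(req: Request) -> bytes:
    """Use the CHAP-Challenge attribute if present, otherwise the Request Authenticator."""
    return req.attrs.get("CHAP-Challenge", req.authenticator)


def verify_chap(req: Request, password: str) -> bool:
    """What the users-file check does: recompute the hash with the profile password."""
    value = req.attrs["CHAP-Password"]
    return value == chap_password(value[0], password, chap_challenge(req))


def realm_of(user_name: str) -> str:
    return user_name.rpartition("@")[2] if "@" in user_name else ""


def rewrite_request(req: Request):
    """Return (profile_name, request). Requests from the LAC for the L2TP realm are
    pointed at the generic tunnel profile and their CHAP-Password is recomputed for that
    profile's password; every other request (e.g. the LNS leg) is left untouched so the
    per-user PPP check still applies there."""
    user = req.attrs["User-Name"]
    if req.attrs.get("NAS-IP-Address") in LAC_NAS_IPS and realm_of(user) == L2TP_REALM:
        ident = req.attrs["CHAP-Password"][0]
        new_attrs = dict(req.attrs)
        new_attrs["User-Name"] = GENERIC_L2TP_USER
        new_attrs["CHAP-Password"] = chap_password(ident, GENERIC_L2TP_PASSWORD, chap_challenge(req))
        return GENERIC_L2TP_USER, Request(new_attrs, req.authenticator)
    return user, req


def sample_requests():
    """Constructed LAC and LNS requests for the same user, both with a valid per-user CHAP hash."""
    auth = bytes(range(16))  # constructed Request Authenticator
    ident = 6                # first byte of the CHAP-Password in the posted request
    common = {"User-Name": "uunoc@bbeyond.flatisdn.net", "Service-Type": "Framed-User"}
    lac = Request({**common, "NAS-IP-Address": "62.177.143.122",
                   "CHAP-Password": chap_password(ident, USER_PASSWORD, auth)}, auth)
    lns = Request({**common, "NAS-IP-Address": "192.0.2.1",  # hypothetical LNS address
                   "CHAP-Password": chap_password(ident, USER_PASSWORD, auth)}, auth)
    return lac, lns


if __name__ == "__main__":
    lac, lns = sample_requests()
    name, rewritten = rewrite_request(lac)
    print(name, verify_chap(rewritten, GENERIC_L2TP_PASSWORD))   # l2tp-generic True
    name, untouched = rewrite_request(lns)
    print(name, verify_chap(untouched, USER_PASSWORD))           # uunoc@... True
```

The match on NAS-IP-Address is what keeps this safe: once the CHAP-Password is replaced, the LAC leg no longer proves anything about the individual user, so the rewrite must only ever fire for requests that really come from the LAC (in Radiator, the Client definition for that address), and the LNS leg must still be checked against the per-user PPP profile.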
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.