(RADIATOR) Value of Attribute replacement

Hugh Irvine hugh at open.com.au
Mon Dec 3 17:09:38 CST 2001


Hello Dmitry -

The simplest way to deal with the Password problem is to just ignore it.

Something like this:

#Test account for WorldCom L2TP service
uunoc  Service-Type = Framed-User
       Tunnel-Type = L2TP,
       .....

regards

Hugh

On Mon, 3 Dec 2001 21:47, Dmitry Kopylov wrote:
> Hello Hugh,
>
> I know this is not the best approach, and as you asked, here is the design:
>
> We terminate L2TP tunnels from Worldcom LAC (Max TNT) on our Cisco LNS.
> Worldcom can only support IETF Radius Tunnelling attributes. The idea is to
> keep one radius profile combining both L2TP and PPP stuff:
>
> #
> #Test account for WorldCom L2TP service
> #uunoc  User-Password = "xxxxxx",Service-Type = Framed-User
> #       Tunnel-Type = L2TP,
> #       Tunnel-Medium-Type = IP,
> #       Tunnel-Server-Endpoint = 195.129.20.13,
> #       Tunnel-Password = xxxxx,
> #       Tunnel-Client-Auth-ID = WCOM01,
> #       Service-Type = Framed-User,
> #       Framed-Protocol = PPP,
> #       Framed-IP-Address = 62.177.172.10,
> #       Framed-IP-Netmask = 255.255.255.255
>
> First time Worldcom's LAC looks up our radius and gets Tunnel attributes
> and establishes l2tp tunnel. The problem starts when LNS looks up Radius
> for the second time for PPP attributes. At that point we have PPP
> Authorization problem, it looks like LNS doesn't correctly accept IETF
> Tunnel attributes. We have already escalated this issue to Cisco and it
> seems to be a bug.
>
> The workaround I'm thinking of is to create one generic radius account with
> L2TP parameters which is common for all L2TP customers, and separately many
> radius profiles with PPP parameters. Then based on the NAS-IP-Address and
> the Realm in the Access-Request I can rewrite requests from LAC into
> generic L2TP profile name, and from LNS - into normal PPP profiles.
>
> At this point I need to solve problem with password for the generic L2TP
> profile. That's why I meant to replace the value of CHAP-Password attributes
> in the requests designated for generic L2TP profile.
>
>
> Best Regards,
>
> Dmitry Kopylov
> BBned
>
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: 30 November, 2001 23:47
> > To: Dmitry Kopylov; radiator at open.com.au
> > Subject: Re: (RADIATOR) Value of Attribute replacement
> >
> >
> >
> > Hello Dmitry -
> >
> > At 19:13 +0100 01/11/30, Dmitry Kopylov wrote:
> > >Hi everyone,
> > >
> > >
> > >I've got a standard Access-Request:
> > >
> > >*** Received from 62.177.143.122 port 1645 ....
> > >Code:       Access-Request
> > >Identifier: 13
> > >Authentic:  0<184><145><169><164>,<132>xsz<26>O<168><129><127><237>
> > >Attributes:
> > >         NAS-IP-Address = 62.177.143.122
> > >         NAS-Port = 1
> > >         NAS-Port-Type = Virtual
> > >         User-Name = "uunoc at bbeyond.flatisdn.net"
> > >         Called-Station-Id = "97532120"
> > >         Calling-Station-Id = "31235652175"
> > >         CHAP-Password = <6>~<174><192><10><252>;<23><202>l<20><14>fDQ<142><179>
> > >         Service-Type = Framed-User
> > >         Framed-Protocol = PPP
> > >
> > >
> > >I need to replace the value of the CHAP-Password attribute before Radiator
> > >will check the users file. If it's possible, what is the best way to do
> > >this?
> >
> > You could use a PreAuthHook to do it. Have a look at the example
> > hooks in the file "goodies/hooks.txt" in the Radiator distribution.
> >
> > However, I wonder if this is the best approach? If you could describe
> > your requirements in a bit more detail, perhaps I can suggest a
> > better way.
> >
> > regards
> >
> > Hugh
> >
> > --
> >
> > NB: I am travelling this week, so there may be delays in our
> > correspondence.
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> > Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
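
The split discussed in this thread (a shared, password-less L2TP profile for lookups from the LAC, and per-user PPP profiles for lookups from the LNS) can be modelled as below. This is an added example, not code from the thread or from the Radiator distribution; the addresses, realm, password and the profile name "l2tp-generic" are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for illustration; none of these come from the thread.
LAC_ADDRESSES = {"192.0.2.10"}       # RADIUS clients that are LACs
L2TP_REALM = "example.net"
GENERIC_PROFILE = "l2tp-generic"     # hypothetical shared tunnel profile

PROFILES = {
    GENERIC_PROFILE: {"password": None,
                      "reply": {"Tunnel-Type": "L2TP", "Tunnel-Medium-Type": "IP"}},
    "uunoc": {"password": b"ppp-secret",
              "reply": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}},
}

def chap_ok(chap_password, challenge, cleartext):
    """RFC 2865 5.3: CHAP-Password = 1-byte CHAP ident + MD5(ident + password + challenge)."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[:1], chap_password[1:]
    expected = hashlib.md5(ident + cleartext + challenge).digest()
    return hmac.compare_digest(response, expected)

def select_profile(attrs):
    """Return (profile name, whether the password must be checked)."""
    user, _, realm = attrs["User-Name"].partition("@")
    if attrs.get("NAS-IP-Address") in LAC_ADDRESSES and realm == L2TP_REALM:
        return GENERIC_PROFILE, False    # tunnel lookup from the LAC: password ignored
    return user, True                    # LNS or any other client: per-user PPP profile

def handle(attrs, authenticator):
    """Return reply attributes for an accept, or None for a reject."""
    name, check = select_profile(attrs)
    profile = PROFILES.get(name)
    if profile is None:
        return None
    if check:
        # The challenge is CHAP-Challenge if present, else the Request Authenticator.
        challenge = attrs.get("CHAP-Challenge", authenticator)
        if profile["password"] is None or not chap_ok(
                attrs.get("CHAP-Password", b""), challenge, profile["password"]):
            return None
    return profile["reply"]
```

Because the generic profile carries no password, it is only selectable when the request comes from a known LAC; a request that names it directly from any other client is rejected.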