NAS-Group? - different replies to different NASes?

Adrian adrian at dsl4u.ca
Fri Feb 22 02:13:58 CET 2008


Hello Everyone,

Further to my post late last year I'm hoping to get more help on my issue
which still remains unresolved.

Is there a wild card I can use all the time with one NAS that will match on
any domain while NAS2 needs to have a specific user?

Let me first present the flow just in case I don't explain myself correctly:

1PPPOE User -> 2Telco LAC -> 3Telco Radius -> 4Our Radius -> 5Telco Radius
-> 6Telco LAC -> 7Our LNS -> 8Our Radius

1. User initiates a PPPOE request
2. Telco LAC sees the request and forwards it to their Radius server
3. Telco Radius server proxies the request to our Radius expecting us to
respond with Tunnel information to aid their LAC establish an L2TP tunnel to
our LNS
4. Our radius sends the Tunnel information back to Telco Radius
5. Telco radius forwards the Tunnel information to the Telco LAC
6. Telco LAC uses that tunnel info to initiate an L2TP tunnel to our LNS
7. After the tunnel is established our LNS then forwards the PPPOE request
to our Radius server to authenticate the user and get the IP information

The flow above seems to be doing a double level authentication which gives
me issues.  The reason I have issues is because the same reply I'm sending
to the Telco's LAC/Radius I'm now sending to my LNS thus creating a loop
(Tunnel parameters that should not go to my LNS at all)

Can anyone think of a way to remedy this? My solution might be to only
respond with the Tunnel info to the Telco's LAC/Radius while I respond with
the IP info to the PPPOE request from my LNS only.

Any help is appreciated.  (I'm currently using groups to achieve this but it
does not work yet)

Thank you
Adrian

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan
DeKok
Sent: Friday, November 02, 2007 8:45 AM
To: FreeRadius users mailing list
Subject: Re: NAS-Group? - different replies to different NASes?

Adrian wrote:
> Since both requests are addressed to domain.com how can I selectively allow
> only certain responses to NAS A and others to NAS B?

  Match on the Client-IP-Address, or on the NAS-IP-Address attribute.

  Alan DeKok.
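
The matching suggested above, as a `users` file sketch (an added example, not part of the original thread and not FreeRADIUS's shipped configuration). All addresses, the user name and the password are constructed placeholders, and `Auth-Type := Accept` on the telco entry is an assumption about how the tunnel lookup is authorised. The telco path is keyed on Client-IP-Address because a proxied request still carries the NAS-IP-Address set by the originating NAS, not the address of the proxy that sent it.

```text
# Constructed placeholders (documentation address ranges):
#   192.0.2.10    telco RADIUS proxy, the source of the tunnel lookups
#   198.51.100.1  our LNS
#   203.0.113.25  address handed to the example subscriber

# Stage 1: requests that arrive FROM the telco RADIUS proxy.
# DEFAULT matches any user name, so this acts as the wildcard for that
# one source. Only tunnel attributes are returned, never IP information.
# Assumption: the lookup is accepted without a password check. The real
# user authentication happens in stage 2, and this entry is only reachable
# from the one client address, which must also be the only telco client
# defined (with its own shared secret) in clients.conf.
DEFAULT	Client-IP-Address == 192.0.2.10, Auth-Type := Accept
	Tunnel-Type = L2TP,
	Tunnel-Medium-Type = IPv4,
	Tunnel-Server-Endpoint = "198.51.100.1"

# Stage 2: requests from our own LNS after the tunnel is up.
# A specific user with a real password check; the reply carries the IP
# information and no Tunnel-* attributes, so nothing loops back to the LNS.
user@domain.com	NAS-IP-Address == 198.51.100.1, Cleartext-Password := "CHANGE-ME"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 203.0.113.25
```

Entries are evaluated top to bottom and the first match is used unless `Fall-Through` is set, so neither entry can answer a request from the other source.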
