NAS-Group? - different replies to different NASes?

Phil Mayers p.mayers at imperial.ac.uk
Tue Feb 26 20:54:43 CET 2008


Ivan Kalik wrote:
>> A: I have a set of "master" tunnel attributes that I always have to send to
>> this Telco.
>> i.e. Service-Type, Tunnel-Type, Tunnel-Preference, Tunnel-Password,
>> Tunnel-Server-Endpoint, etc.
>> The way this Telco obtains these attributes is by sending the
>> Username/Password combination my way. (i.e. I need to authenticate
>> userxyz at telco.com).  Once I see that user come through from their boxes (3
>> Static IPs) I have to send back to them the tunnel attributes above.  Once
>> the tunnel attributes were sent, they establish an L2TP tunnel to my LNS and
>> my LNS now asks my Radius server again to authenticate the user.  So I see
>> the same userxyz at telco.com requesting to be authenticated.  Since I
>> currently cannot distinguish between NASes I am sending the same Tunnel
>> Attributes to my LNS which causes my LNS to try to initiate a tunnel back to
>> itself (because the Tunnel-Server-Endpoint attribute is the actual LNS).
> 
> This is very strange. 

No, that's a pretty standard setup for resold ADSL, certainly in the UK 
and I think other countries as well.

> That information should be on telco radius server,
> not yours. It should not have to proxy requests to you. They ought to
> know the tunnel endpoint - *they* gave you the IP to set on your
> router when they leased you the line.

From the sound of it, it's not a leased line or similar; as I say, 
resold ADSL generally works this way.
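
The two-stage exchange quoted above, as an added Python model that is not part of the original post and is not FreeRADIUS configuration: it keys the reply on the address the Access-Request came from and shows the self-tunnel loop that appears when it does not. All addresses and the `Framed-User` reply for the LNS are constructed assumptions.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not taken from the thread.
TELCO_NAS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.2", "192.0.2.3")}
LNS = ipaddress.ip_address("198.51.100.10")

# Stage-1 reply: tells the telco NAS where to build the L2TP tunnel.
TUNNEL_REPLY = {"Tunnel-Type": "L2TP", "Tunnel-Server-Endpoint": str(LNS)}
# Stage-2 reply for the LNS: an assumed plain PPP session reply, no tunnel attributes.
SESSION_REPLY = {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}


def reply_for(src_ip, per_nas=True):
    """Reply attributes for an authenticated user, keyed on the request's source.

    per_nas=False models the situation in the quoted message: every client
    gets the same tunnel attributes.
    """
    src = ipaddress.ip_address(src_ip)
    if not per_nas or src in TELCO_NAS:
        return dict(TUNNEL_REPLY)
    if src == LNS:
        return dict(SESSION_REPLY)
    return None  # not a known client: nothing is sent back


def tunnels_to_self(src_ip, reply):
    """True when the reply tells the requester to tunnel to its own address."""
    if not reply:
        return False
    return reply.get("Tunnel-Server-Endpoint") == str(ipaddress.ip_address(src_ip))


def walk(per_nas):
    """Run both stages for one user; report per stage whether the reply loops."""
    stages = [("telco NAS", "192.0.2.1"), ("own LNS", str(LNS))]
    return [(name, tunnels_to_self(ip, reply_for(ip, per_nas))) for name, ip in stages]


if __name__ == "__main__":
    print("same reply to every NAS:", walk(per_nas=False))
    print("reply keyed on source:  ", walk(per_nas=True))
```
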


