NAS-Group? - different replies to different NASes?
Phil Mayers
p.mayers at imperial.ac.uk
Tue Feb 26 20:54:43 CET 2008
Ivan Kalik wrote:
>> A: I have a set of "master" tunnel attributes that I always have to send to
>> this Telco.
>> i.e. Service-type, Tunnel-Type, Tunnel-Preference, Tunnel-password,
>> Tunnel-Server-Endpoint..etc
>> The way this Telco obtains these attributes is by sending the
>> Username/Password combination my way. (i.e. I need to authenticate
>> userxyz at telco.com). Once I see that user come through from their boxes (3
>> Static IPs) I have to send back to them the tunnel attributes above. Once
>> the tunnel attributes were sent, they establish an L2TP tunnel to my LNS and
>> my LNS now asks my Radius server again to authenticate the user. So I see
>> the same userxyz at telco.com requesting to be authenticated. Since I
>> currently cannot distinguish between NASes I am sending the same Tunnel
>> Attributes to my LNS which causes my LNS to try to initiate a tunnel back to
>> itself (because the Tunnel-Server-Endpoint attribute is the actual LNS).
>> ++++++++++++++++++++++++++++++++++++++
>>
>
> This is very strange.
No, that's a pretty standard setup for resold ADSL, certainly in the UK
and I think other countries as well.
> That information should be on telco radius server,
> not yours. It should not have to proxy requests to you. They ought to
> know the tunnel endpoint - *they* gave you the IP to set on your
> router when they leased you the line.
From the sound of it, it's not a leased line or similar; as I say,
resold ADSL generally works this way.
More information about the Freeradius-Users
mailing list