Operator change post proxy

Dan Fisher | Fluidata DanFisher at fluidata.co.uk
Thu Oct 20 11:09:42 CEST 2011


Hi,

We are using Cisco and Juniper devices as LACs to terminate DSL sessions before sending on via L2TP to customer LNSs. We allow our customers to use RADIUS Attribute 67 via our RADIUS servers to specify the tunnel-server-endpoint for their sessions.

We have been using Cisco LACs predominantly over the last couple of years but now have a need to move to Juniper kit for scalability constraints. The issue I have is how we allow customers to specify groups of RADIUS reply values for failover/load balancing across their LNSs.

Below is an example showing what we are sending back to our Cisco LACs (please note the use of += as the operator for the "second" group in the list):

Sending Access-Accept of id 216 to 192.168.1.1 port 50075
        Tunnel-Client-Auth-Id:1 = "xxxxxxxx"
        Tunnel-Type:1 = L2TP
        Tunnel-Password:1 = "yyyyyyy"
        Tunnel-Server-Endpoint:1 = "1.2.3.4"
        Tunnel-Preference:1 = 10
        Tunnel-Client-Auth-Id:2 += " xxxxxxxx"
        Tunnel-Type:2 += L2TP
        Tunnel-Password:2 += " yyyyyyy"
        Tunnel-Server-Endpoint:2 += "1.2.3.5"
        Tunnel-Preference:2 += 10


The issue I have is that the Juniper device will not process the += operator based results, so in order to have the same functionality, the RADIUS result would have to look like below (please note there is no += anymore):

Sending Access-Accept of id 217 to 192.168.1.1 port 50075
        Tunnel-Client-Auth-Id:1 = "xxxxxxxx"
        Tunnel-Type:1 = L2TP
        Tunnel-Password:1 = "yyyyyyy"
        Tunnel-Server-Endpoint:1 = "1.2.3.4"
        Tunnel-Preference:1 = 10
        Tunnel-Client-Auth-Id:2 = " xxxxxxxx"
        Tunnel-Type:2 = L2TP
        Tunnel-Password:2 = " yyyyyyy"
        Tunnel-Server-Endpoint:2 = "1.2.3.5"
        Tunnel-Preference:2 = 10

I have a case open with Juniper to resolve the +=/= issue, but I haven't got an ETA for the fix yet, and I cannot just wait for it. I cannot force all of my customers to change the attributes they send me back from proxying based on the NAS-IP-Address, so I have to make the necessary changes myself on my RADIUS servers. I know I can add a bit of code in post-proxy using unlang to carry out something when the Juniper devices' IPs are listed as the NAS-IP-Address, but I cannot see how to change the operator that is sent from += to =. The only complication I have is that people could send back up to 8 groups to me, and there is no guarantee that the groups will be numbered 1, 2, 3, 4 etc.; the customer could choose anything they like.

Anyone got any ideas or able to point me in the right direction?

Thanks
Dan


Technical Manager

T 0845 868 7848
F 0845 868 7858
www.fluidata.co.uk<http://www.fluidata.co.uk/>
www.twitter.com/fluidata<http://www.twitter.com/fluidata>
2 More London SE1 2AP

get your data flowing ...
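
Added example, not part of the original post and not FreeRADIUS code: a stand-alone Python sketch of the rewrite described above, turning += into = for selected NAS addresses while keeping whatever tag numbers the customer chose. The function names, the `EQUALS_ONLY_NAS` set, the duplicate check and the sample reply are assumptions made for illustration.

```python
import re

# Assumption: NAS-IP-Address values of LACs that only accept '=' (address from the post's example).
EQUALS_ONLY_NAS = {"192.168.1.1"}
MAX_GROUPS = 8  # the post says customers may return up to 8 tunnel groups

# One attribute in the debug format shown above: Name[:tag] operator value
LINE_RE = re.compile(r"^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*(\+=|:=|=)\s*(.*?)\s*$")

# Constructed sample reply: tags are deliberately not 1 and 2.
SAMPLE = '''
    Tunnel-Type:3 = L2TP
    Tunnel-Server-Endpoint:3 = "192.0.2.10"
    Tunnel-Preference:3 = 10
    Tunnel-Type:17 += L2TP
    Tunnel-Server-Endpoint:17 += "192.0.2.11"
    Tunnel-Preference:17 += 10
'''

def parse_reply(text):
    """Parse reply lines into (name, tag, op, value); tag is None when untagged."""
    items = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable reply line: %r" % line)
        name, tag, op, value = m.groups()
        items.append((name, int(tag) if tag else None, op, value))
    return items

def normalise_for_nas(items, nas_ip):
    """Rewrite '+=' to '=' for listed NAS addresses; tags, order and values are kept."""
    if nas_ip not in EQUALS_ONLY_NAS:
        return list(items)
    if len({tag for _, tag, _, _ in items if tag is not None}) > MAX_GROUPS:
        raise ValueError("more than %d tunnel groups in reply" % MAX_GROUPS)
    seen, out = set(), []
    for name, tag, op, value in items:
        if (name, tag) in seen:
            # Assumption: a repeated name:tag pair is treated as an error once every operator is '='.
            raise ValueError("duplicate %s:%s" % (name, tag))
        seen.add((name, tag))
        out.append((name, tag, "=" if op == "+=" else op, value))
    return out

def render(items):
    """Format items back into the Name:tag op value layout."""
    return ["%s%s %s %s" % (n, "" if t is None else ":%d" % t, o, v) for n, t, o, v in items]
```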
