Operator change post proxy
Bjørn Mork
bjorn at mork.no
Thu Oct 20 11:54:37 CEST 2011
Dan Fisher | Fluidata <DanFisher at fluidata.co.uk> writes:
> Hi,
>
> We are using Cisco and Juniper devices as LAC's to terminate DSL
> sessions before sending on via L2TP to customer LNS's. We allow our
> customers to use radius Attribute 67 via our radius servers to specify
> the tunnel-server-endpoint for their sessions.
>
> We have been using Cisco LACs predominantly over the last couple of
> years but now have a need to move to Juniper kit for scalability
> constraints. The issue I have is how we allow customers to specify
> groups of radius reply values for failover/load balancing across their
> LNS's.
>
> Below is an example showing what we are sending back to our Cisco
> LAC's (please note the use of += as the operator for the "second"
> group in the list):
>
> Sending Access-Accept of id 216 to 192.168.1.1 port 50075
> Tunnel-Client-Auth-Id:1 = "xxxxxxxx"
> Tunnel-Type:1 = L2TP
> Tunnel-Password:1 = "yyyyyyy"
> Tunnel-Server-Endpoint:1 = "1.2.3.4"
> Tunnel-Preference:1 = 10
> Tunnel-Client-Auth-Id:2 += " xxxxxxxx"
> Tunnel-Type:2 += L2TP
> Tunnel-Password:2 += " yyyyyyy"
> Tunnel-Server-Endpoint:2 += "1.2.3.5"
> Tunnel-Preference:2 += 10
>
>
> The issue I have is that the Juniper device will not process the +=
> operator-based results, so in order to have the same functionality,
> the radius result would have to look like below (please note there is
> no += anymore):
>
> Sending Access-Accept of id 217 to 192.168.1.1 port 50075
> Tunnel-Client-Auth-Id:1 = "xxxxxxxx"
> Tunnel-Type:1 = L2TP
> Tunnel-Password:1 = "yyyyyyy"
> Tunnel-Server-Endpoint:1 = "1.2.3.4"
> Tunnel-Preference:1 = 10
> Tunnel-Client-Auth-Id:2 = " xxxxxxxx"
> Tunnel-Type:2 = L2TP
> Tunnel-Password:2 = " yyyyyyy"
> Tunnel-Server-Endpoint:2 = "1.2.3.5"
> Tunnel-Preference:2 = 10
Huh? The NAS won't see the operator and therefore cannot process it in
any way. It is parsed and interpreted by the radius server, which will
convert the above entries into a list of attribute codes and values.
But those two configurations will look very different on the wire. The
difference is that the last one will be collapsed to
Tunnel-Client-Auth-Id:1 = "xxxxxxxx"
Tunnel-Type:1 = L2TP
Tunnel-Password:1 = "yyyyyyy"
Tunnel-Server-Endpoint:1 = "1.2.3.4"
Tunnel-Preference:1 = 10
> I have a case open with Juniper to resolve the +=/= issue, but I
> haven't got an ETA of the fix yet, and I cannot just wait for it.
What kind of Juniper? ERX or MX makes a lot of difference...
You may also want to experiment with the ERX-Tunnel-Password VSA instead
of Tunnel-Password.
FWIW, we have been using ERXes as LACs for ages, and have not had any
problems using a failover configuration similar to your first example.
Bjørn
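To make the point about operators concrete: the NAS only ever sees the attribute list the RADIUS server builds after applying the reply-item operators. The following simulator, added here as an illustration and not taken from the thread or from FreeRADIUS itself, applies the documented reply-item semantics (`=` adds only if no attribute of that name is present yet, `+=` always appends, `:=` replaces) to the two Access-Accept layouts quoted above. As the mail describes, the "already present" check is modelled by attribute name only, so the tag does not make `Tunnel-Server-Endpoint:2` a different attribute from `Tunnel-Server-Endpoint:1`; that simplification is an assumption of this model, and the sample values are constructed from the quoted reply.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One attribute instance as it would be encoded on the wire (RFC 2868 tagged).
@dataclass(frozen=True)
class Attr:
    name: str
    tag: Optional[int]
    value: str

ReplyItem = Tuple[str, str, str]  # ("Name:tag", operator, value)


def apply_reply_items(items: List[ReplyItem]) -> List[Attr]:
    """Build the on-the-wire attribute list from reply items.

    Operator semantics (FreeRADIUS reply items):
      '='   add only if no attribute of the same name is already present
      '+='  always append another instance
      ':='  replace every existing instance of that name
    The presence check ignores the tag (assumption, matching the mail's
    description of the second layout collapsing to the tag-1 group).
    """
    reply: List[Attr] = []
    for spec, op, value in items:
        name, _, tag = spec.partition(":")
        attr = Attr(name, int(tag) if tag else None, value)
        if op == "=":
            if any(a.name == name for a in reply):
                continue  # silently dropped: this is the collapse
            reply.append(attr)
        elif op == "+=":
            reply.append(attr)
        elif op == ":=":
            reply = [a for a in reply if a.name != name] + [attr]
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return reply


def tunnel_group(tag: int, endpoint: str, op: str) -> List[ReplyItem]:
    """One LNS tunnel group, as in the quoted Access-Accept (values constructed)."""
    return [
        (f"Tunnel-Client-Auth-Id:{tag}", op, "xxxxxxxx"),
        (f"Tunnel-Type:{tag}", op, "L2TP"),
        (f"Tunnel-Password:{tag}", op, "yyyyyyy"),
        (f"Tunnel-Server-Endpoint:{tag}", op, endpoint),
        (f"Tunnel-Preference:{tag}", op, "10"),
    ]


# First layout from the mail: second group added with '+='.
CISCO_STYLE = tunnel_group(1, "1.2.3.4", "=") + tunnel_group(2, "1.2.3.5", "+=")
# Second layout: both groups with '='; the second group never reaches the wire.
COLLAPSING = tunnel_group(1, "1.2.3.4", "=") + tunnel_group(2, "1.2.3.5", "=")


def endpoints(reply: List[Attr]) -> List[str]:
    """Tunnel-Server-Endpoint values in wire order: the LNS failover list."""
    return [a.value for a in reply if a.name == "Tunnel-Server-Endpoint"]


def wire_text(reply: List[Attr]) -> str:
    """Render the list the way the debug output in the mail shows it."""
    return "\n".join(f"{a.name}:{a.tag} = {a.value}" for a in reply)


if __name__ == "__main__":
    for label, items in (("+= layout", CISCO_STYLE), ("= layout", COLLAPSING)):
        reply = apply_reply_items(items)
        print(f"--- {label}: {len(reply)} attributes, LNS list {endpoints(reply)}")
        print(wire_text(reply))
```

Running it shows ten attributes and two endpoints for the first layout but only the five tag-1 attributes for the second, which is the difference Bjørn points out: the Juniper never had a chance to "process" the operator, it simply received a reply with one tunnel group. When checking such a setup, compare the server's debug output of the actual Access-Accept with what the LAC reports, not the operator in the configuration file.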