Hi,
We are using Cisco and Juniper devices as LACs to terminate DSL sessions
before sending them on via L2TP to customer LNSs. We allow our customers to use
RADIUS Attribute 67 via our RADIUS servers to specify the
Tunnel-Server-Endpoint for their sessions.
We have been using Cisco LACs predominantly over the last couple of years, but
now have a need to move to Juniper kit because of scalability constraints. The issue I
have is how we allow customers to specify groups of RADIUS reply values for
failover/load balancing across their LNSs.
Below is an example showing what we are sending back to our Cisco LACs (please
note the use of += as the operator for the "second" group in the list):
Sending Access-Accept of id 216 to 192.168.1.1 port 50075
Tunnel-Client-Auth-Id:1 = "xxxxxxxx"
Tunnel-Type:1 = L2TP
Tunnel-Password:1 = "yyyyyyy"
Tunnel-Server-Endpoint:1 = "1.2.3.4"
Tunnel-Preference:1 = 10
Tunnel-Client-Auth-Id:2 += " xxxxxxxx"
Tunnel-Type:2 += L2TP
Tunnel-Password:2 += " yyyyyyy"
Tunnel-Server-Endpoint:2 += "1.2.3.5"
Tunnel-Preference:2 += 10
The issue I have is that the Juniper device will not process the += operator
based results, so in order to have the same functionality, the RADIUS result
would have to look like the below (please note there is no += any more):
Sending Access-Accept of id 217 to 192.168.1.1 port 50075
Tunnel-Client-Auth-Id:1 = "xxxxxxxx"
Tunnel-Type:1 = L2TP
Tunnel-Password:1 = "yyyyyyy"
Tunnel-Server-Endpoint:1 = "1.2.3.4"
Tunnel-Preference:1 = 10
Tunnel-Client-Auth-Id:2 = " xxxxxxxx"
Tunnel-Type:2 = L2TP
Tunnel-Password:2 = " yyyyyyy"
Tunnel-Server-Endpoint:2 = "1.2.3.5"
Tunnel-Preference:2 = 10
I have a case open with Juniper to resolve the +=/= issue, but I haven't got an
ETA for the fix yet, and I cannot just wait for it. I cannot force all of my
customers to change the attributes they send back to me from proxying based on the
NAS-IP-Address, so I have to make the necessary changes myself on my RADIUS
servers. I know I can add a bit of code in post-proxy using unlang to carry out
something when the Juniper devices' IPs are listed as the NAS-IP-Address, but I
cannot see how to change the operator that is sent from += to =. The only
complication I have is that people could send back up to 8 groups to me, and
there is no guarantee that the groups will be numbered 1, 2, 3, 4, etc.; the customer
could choose anything they like.
Anyone got any ideas or able to point me in the right direction?
Thanks
Dan
Technical Manager
T 0845 868 7848
F 0845 868 7858
http://www.fluidata.co.uk/
http://www.twitter.com/fluidata
2 More London SE1 2AP
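The rewrite Dan is asking for, modelled in Python as an added example (it is not FreeRADIUS code and not unlang; it only shows the logic a post-proxy policy would need). It takes a proxied reply in the same "Attribute:tag op value" form as the debug output above, rewrites += to = only when the NAS-IP-Address belongs to a Juniper LAC, and, before the reply is forwarded, checks that every tag group is complete and that the number of groups stays within the limit of 8 he mentions. The NAS address list, the sample reply (tags 3 and 7, since customers may pick any tag) and the placeholder values are constructed for the example.

```python
"""Normalise tunnel-group operators for Juniper LACs and validate the groups.

Added example modelling a post-proxy rewrite; not FreeRADIUS code.
"""
import re
from collections import defaultdict

# Constructed: addresses of the Juniper LACs (the real ones are not on the page).
JUNIPER_NAS = {"192.168.1.1"}

# The five tunnel attributes each L2TP group in the post's debug output carries.
REQUIRED = {"Tunnel-Type", "Tunnel-Server-Endpoint", "Tunnel-Password",
            "Tunnel-Client-Auth-Id", "Tunnel-Preference"}
MAX_GROUPS = 8  # the "up to 8 groups" limit from the post

# Matches 'Attr:tag op value' as printed in FreeRADIUS debug output.
LINE_RE = re.compile(
    r'^\s*(?P<attr>[A-Za-z0-9-]+)(?::(?P<tag>\d+))?\s*(?P<op>\+=|=)\s*(?P<val>.*)$')

# Constructed sample reply: two complete groups, the second sent with '+='.
SAMPLE_REPLY = """
Tunnel-Client-Auth-Id:3 = "xxxxxxxx"
Tunnel-Type:3 = L2TP
Tunnel-Password:3 = "yyyyyyy"
Tunnel-Server-Endpoint:3 = "1.2.3.4"
Tunnel-Preference:3 = 10
Tunnel-Client-Auth-Id:7 += " xxxxxxxx"
Tunnel-Type:7 += L2TP
Tunnel-Password:7 += " yyyyyyy"
Tunnel-Server-Endpoint:7 += "1.2.3.5"
Tunnel-Preference:7 += 10
"""


def parse_reply(text):
    """Parse debug-style lines into (attr, tag, op, value) tuples; tag is None if absent."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable reply line: {line!r}")
        tag = int(m["tag"]) if m["tag"] else None
        pairs.append((m["attr"], tag, m["op"], m["val"]))
    return pairs


def normalise_for_nas(pairs, nas_ip):
    """For a Juniper NAS, turn '+=' into '=' on Tunnel-* attributes; tags are kept.

    Replies for any other NAS are returned unchanged, so the Cisco path is untouched.
    """
    if nas_ip not in JUNIPER_NAS:
        return list(pairs)
    out = []
    for attr, tag, op, val in pairs:
        if attr.startswith("Tunnel-") and op == "+=":
            op = "="
        out.append((attr, tag, op, val))
    return out


def check_groups(pairs):
    """Group Tunnel-* attributes by tag and reject incomplete or oversized sets.

    Returns the sorted list of tags present; raises ValueError on a bad reply so
    that a half-specified tunnel group is never forwarded to the LAC.
    """
    groups = defaultdict(set)
    for attr, tag, _, _ in pairs:
        if attr.startswith("Tunnel-"):
            # RFC 2868 tags are 1..31; anything else means "no tag".
            if tag is None or not 1 <= tag <= 31:
                raise ValueError(f"{attr} needs a tag in 1..31, got {tag}")
            groups[tag].add(attr)
    if len(groups) > MAX_GROUPS:
        raise ValueError(f"{len(groups)} tunnel groups exceeds limit of {MAX_GROUPS}")
    for tag, attrs in groups.items():
        missing = REQUIRED - attrs
        if missing:
            raise ValueError(f"tunnel group {tag} is missing {sorted(missing)}")
    return sorted(groups)


def render(pairs):
    """Print pairs back in the same 'Attr:tag op value' form."""
    lines = []
    for attr, tag, op, val in pairs:
        name = f"{attr}:{tag}" if tag is not None else attr
        lines.append(f"{name} {op} {val}")
    return "\n".join(lines)


if __name__ == "__main__":
    reply = parse_reply(SAMPLE_REPLY)
    fixed = normalise_for_nas(reply, "192.168.1.1")
    print("groups:", check_groups(fixed))
    print(render(fixed))
```

The validation step is the part worth carrying into a real policy: the operator rewrite is mechanical, but because the customer picks the tags, a missing Tunnel-Password or Tunnel-Server-Endpoint in one group would otherwise go to the LAC unnoticed.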