Hi Norbert,

> I also think that 2b is the way to go. Even for those who have a working 
> radius it is not simple to use radius for the purpose of administrating 
> ippools. What I understand from David's postings in case of using radius 
> for this job:
> -You need a modified radius and you need a special configuration for this.
> -It only works in collaboration with the ppp-radius plugin.
> To me it seems, using the dhcp-radius plugin is the more "generic" way 
> to go.

Did you mean "ppp-dhcp plugin"? If so, then I only agree for _fully 
dynamic_ IP address assignment. There also needs to be a way to assign 
static IP addresses to some or all clients in many situations (it provides 
better security, for example).

Luckily, pppd has its own mechanism using pap-secrets or the RADIUS
plugin, so we aren't obliged to invent a new way of doing this.

Unluckily, we lose the ability to configure both static and dynamic 
addresses from one place, if we change the client identifier to something 
other than the user name. However, this feature was never tested anyway 
and is probably not compatible with at least some DHCP servers.

> As we use l2tp over ipsec on the same machine, the question might be 
> answered, before l2tp comes into business.
> At least in our scenario every user has its own X.509 certificate for 
> ipsec. When someone wants to establish a second ipsec tunnel with a 
> certificate which has been used to establish a still existing tunnel, 
> the first ipsec connection will be shut down and a l2tp tunnel using 
> this connection will at least stop working.

l2tpd/pppd will take some time to notice that this has happened and to 
kill itself. During that time, the route for the IP address will still 
be via the old device, so initially the new connection will be unable to 
receive any packets.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
