Hi Norbert,

> I also think that 2b is the way to go. Even for those who have a working
> radius it is not simple to use radius for the purpose of administrating
> ippools. What I understand from David's postings in case of using radius
> for this job:
> -You need a modified radius and you need a special configuration for this.
> -It only works in collaboration with the ppp-radius plugin.
> To me it seems, using the dhcp-radius plugin is the more "generic" way
> to go.

Did you mean "ppp-dhcp plugin"? If so, then I only agree for _fully dynamic_ IP address assignment. There also needs to be a way to assign static IP addresses to some or all clients in many situations (it provides better security, for example). Luckily, pppd has its own mechanism using pap-secrets or the RADIUS plugin, so we aren't obliged to invent a new way of doing this. Unluckily, we lose the ability to configure both static and dynamic addresses from one place if we change the client identifier to something other than the user name. However, this feature was never tested anyway and is probably not compatible with at least some DHCP servers.

> As we use l2tp over ipsec on the same machine, the question might be
> answered, before l2tp comes into business.
> At least in our scenario every user has its own X.509 certificate for
> ipsec. When someone wants to establish a second ipsec tunnel with a
> certificate which has been used to establish a still existing tunnel,
> the first ipsec connection will be shut down and a l2tp tunnel using
> this connection will at least stop working.

l2tpd/pppd will take some time to notice that this has happened and to kill itself. During that time, the route for the IP address will still be via the old device, so initially the new connection will be unable to receive any packets.

Cheers, Chris.

-- 
Chris Wilson -- UNIX Firewall Lead Developer
NetServers.co.uk  http://www.netservers.co.uk
21 Signet Court, Cambridge, UK.  01223 576516
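
[Editor's note, not part of the thread.] The pap-secrets mechanism Chris refers to for static addresses works through the fourth field of each entry: it lists the IP addresses that client is allowed to use, and when the peer asks pppd to assign an address, pppd uses the first single-host address in that list. The fragment below is a constructed example, not a file from the l2tpd project or from anyone in this thread; the user names, secrets and 10.99.0.0/24 addresses are invented.

```text
# /etc/ppp/pap-secrets  (constructed example: names, secrets and addresses are invented)
#
# client    server    secret            IP addresses the client may use
alice       *         "alice-secret"    10.99.0.11
bob         *         "bob-secret"      10.99.0.12

# An empty fourth field means any address is acceptable, so this client can
# take a dynamically assigned address instead (e.g. from a ppp-dhcp plugin).
carol       *         "carol-secret"

# A lone "-" in the fourth field means no address is acceptable at all.
guest       *         "guest-secret"    -
```

The `server` column is matched against pppd's local `name`; `*` accepts any. pppd only consults this file when it is told to authenticate the peer (`auth` or `require-pap` in the options file), and a peer that requests an address outside its list is refused, which is the "better security" property of static assignment mentioned above.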
