Re: (RADIATOR) Value of Attribute replacement
Hello Dmitry -

The simplest way to deal with the Password problem is to just ignore it.

Something like this:

#Test account for WorldCom L2TP service
uunoc   Service-Type = Framed-User
        Tunnel-Type = L2TP,
        .

regards

Hugh

On Mon, 3 Dec 2001 21:47, Dmitry Kopylov wrote:
> Hello Hugh,
>
> I know this is not the best approach, and as you asked here is the design:
>
> We terminate L2TP tunnels from Worldcom LAC (Max TNT) on our Cisco LNS.
> Worldcom can only support IETF Radius Tunnelling attributes. The idea is to
> keep one radius profile combining both L2TP and PPP stuff:
>
> #
> #Test account for WorldCom L2TP service
> #uunoc  User-Password = "xx", Service-Type = Framed-User
> #       Tunnel-Type = L2TP,
> #       Tunnel-Medium-Type = IP,
> #       Tunnel-Server-Endpoint = 195.129.20.13,
> #       Tunnel-Password = x,
> #       Tunnel-Client-Auth-ID = WCOM01,
> #       Service-Type = Framed-User,
> #       Framed-Protocol = PPP,
> #       Framed-IP-Address = 62.177.172.10,
> #       Framed-IP-Netmask = 255.255.255.255
>
> The first time, Worldcom's LAC looks up our radius and gets the Tunnel attributes
> and establishes the L2TP tunnel. The problem starts when the LNS looks up Radius
> for the second time for PPP attributes. At that point we have a PPP
> authorization problem; it looks like the LNS doesn't correctly accept IETF
> Tunnel attributes. We have already escalated this issue to Cisco and it
> seems to be a bug.
>
> The workaround I'm thinking of is to create one generic radius account with
> L2TP parameters which is common for all L2TP customers, and separately many
> radius profiles with PPP parameters. Then, based on the NAS-IP-Address and
> the Realm in the Access-Request, I can rewrite requests from the LAC into the
> generic L2TP profile name, and from the LNS into the normal PPP profiles.
>
> At this point I need to solve the problem with the password for the generic L2TP
> profile. That's why I meant to replace the value of the CHAP-Password attribute
> in the requests designated for the generic L2TP profile.
>
> Best Regards,
>
> Dmitry Kopylov
> BBned
>
> > -----Original Message-----
> > From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> > Sent: 30 November, 2001 23:47
> > To: Dmitry Kopylov; [EMAIL PROTECTED]
> > Subject: Re: (RADIATOR) Value of Attribute replacement
> >
> > Hello Dmitry -
> >
> > At 19:13 +0100 01/11/30, Dmitry Kopylov wrote:
> > >Hi everyone,
> > >
> > >I've got a standard Access-Request:
> > >
> > >*** Received from 62.177.143.122 port 1645
> > >Code: Access-Request
> > >Identifier: 13
> > >Authentic: 0<184><145><169><164>,<132>xsz<26>O<168><129><127><237>
> > >Attributes:
> > >        NAS-IP-Address = 62.177.143.122
> > >        NAS-Port = 1
> > >        NAS-Port-Type = Virtual
> > >        User-Name = "[EMAIL PROTECTED]"
> > >        Called-Station-Id = "97532120"
> > >        Calling-Station-Id = "31235652175"
> > >        CHAP-Password = <6>~<174><192><10><252>;<23><202>l<20><14>fDQ<142><179>
> > >        Service-Type = Framed-User
> > >        Framed-Protocol = PPP
> > >
> > >I need to replace the value of the CHAP-Password attribute before Radiator
> > >will check the users file. If it's possible, what is the best way to do
> > >this?
> >
> > You could use a PreAuthHook to do it. Have a look at the example
> > hooks in the file "goodies/hooks.txt" in the Radiator distribution.
> >
> > However, I wonder if this is the best approach? If you could describe
> > your requirements in a bit more detail, perhaps I can suggest a
> > better way.
> >
> > regards
> >
> > Hugh
> >
> > --
> >
> > NB: I am travelling this week, so there may be delays in our
> > correspondence.
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> > Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
--

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
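The rewrite Dmitry describes (LAC requests go to one generic L2TP profile, LNS requests go to the per-user PPP profiles) can be done in the PreAuthHook that Hugh points to. The hook below is an added example, not code from this thread, from Radiator's goodies/hooks.txt, or from Open System Consultants. It assumes it is loaded from the Handler with `PreAuthHook file:"%D/l2tp-generic.pl"` (path assumed), and the LAC address and the customer realm are placeholders; only the profile name `uunoc` comes from the thread. Because the generic profile in Hugh's reply carries no password check item, the NAS-IP-Address test is what confines that profile to the tunnel set-up lookup coming from the LAC; anything else is left unchanged and falls through to the normal per-user lookup. The methods used (`code`, `get_attr`, `change_attr`, `main::log`) are the ones Radiator's own hook examples use.

```perl
# l2tp-generic.pl -- added example, not from the thread or from Radiator's
# goodies/hooks.txt. Loaded with:  PreAuthHook file:"%D/l2tp-generic.pl"
#
# Access-Requests from the Worldcom LAC are pointed at the generic L2TP
# profile; requests from the LNS (and everything else) are left alone so
# they reach the per-user PPP profiles.
#
# ASSUMED placeholders (not taken from the thread): the LAC's NAS address
# and the realm the L2TP customers log in with.
sub {
    my $p = ${$_[0]};                       # the incoming request packet

    my %lac_address = ('192.0.2.10' => 1);  # ASSUMED: Worldcom LAC address(es)
    my $l2tp_realm  = 'example.net';        # ASSUMED: realm of L2TP customers
    my $generic     = 'uunoc';              # generic L2TP profile from the thread

    # Only authentication requests are rewritten; accounting is untouched.
    return unless $p->code eq 'Access-Request';

    my $nas  = $p->get_attr('NAS-IP-Address');
    my $user = $p->get_attr('User-Name');
    return unless defined $nas && defined $user;

    # Split user@realm; a request without a realm is not an L2TP customer here.
    my ($realm) = $user =~ /\@([^@]+)\z/;
    return unless defined $realm && lc($realm) eq lc($l2tp_realm);

    # The generic profile has no password check item, so this address test
    # is what limits it to the tunnel set-up lookup coming from the LAC.
    if ($lac_address{$nas}) {
        &main::log($main::LOG_DEBUG,
            "L2TP hook: request from LAC $nas for $user, using profile $generic");
        $p->change_attr('User-Name', $generic);
    }
    else {
        &main::log($main::LOG_DEBUG,
            "L2TP hook: request from $nas for $user left for PPP profile lookup");
    }
}
```

The original User-Name is written to the debug log before it is replaced, so the two lookups for one session (tunnel set-up from the LAC, PPP authentication from the LNS) can still be tied together when troubleshooting.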
RE: (RADIATOR) Value of Attribute replacement
Hello Hugh,

I know this is not the best approach, and as you asked here is the design:

We terminate L2TP tunnels from Worldcom LAC (Max TNT) on our Cisco LNS.
Worldcom can only support IETF Radius Tunnelling attributes. The idea is to
keep one radius profile combining both L2TP and PPP stuff:

#
#Test account for WorldCom L2TP service
#uunoc  User-Password = "xx", Service-Type = Framed-User
#       Tunnel-Type = L2TP,
#       Tunnel-Medium-Type = IP,
#       Tunnel-Server-Endpoint = 195.129.20.13,
#       Tunnel-Password = x,
#       Tunnel-Client-Auth-ID = WCOM01,
#       Service-Type = Framed-User,
#       Framed-Protocol = PPP,
#       Framed-IP-Address = 62.177.172.10,
#       Framed-IP-Netmask = 255.255.255.255

The first time, Worldcom's LAC looks up our radius and gets the Tunnel attributes
and establishes the L2TP tunnel. The problem starts when the LNS looks up Radius
for the second time for PPP attributes. At that point we have a PPP
authorization problem; it looks like the LNS doesn't correctly accept IETF
Tunnel attributes. We have already escalated this issue to Cisco and it
seems to be a bug.

The workaround I'm thinking of is to create one generic radius account with
L2TP parameters which is common for all L2TP customers, and separately many
radius profiles with PPP parameters. Then, based on the NAS-IP-Address and
the Realm in the Access-Request, I can rewrite requests from the LAC into the
generic L2TP profile name, and from the LNS into the normal PPP profiles.

At this point I need to solve the problem with the password for the generic L2TP
profile. That's why I meant to replace the value of the CHAP-Password attribute
in the requests designated for the generic L2TP profile.
Best Regards,

Dmitry Kopylov
BBned

> -----Original Message-----
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> Sent: 30 November, 2001 23:47
> To: Dmitry Kopylov; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Value of Attribute replacement
>
> Hello Dmitry -
>
> At 19:13 +0100 01/11/30, Dmitry Kopylov wrote:
> >Hi everyone,
> >
> >I've got a standard Access-Request:
> >
> >*** Received from 62.177.143.122 port 1645
> >Code: Access-Request
> >Identifier: 13
> >Authentic: 0<184><145><169><164>,<132>xsz<26>O<168><129><127><237>
> >Attributes:
> >        NAS-IP-Address = 62.177.143.122
> >        NAS-Port = 1
> >        NAS-Port-Type = Virtual
> >        User-Name = "[EMAIL PROTECTED]"
> >        Called-Station-Id = "97532120"
> >        Calling-Station-Id = "31235652175"
> >        CHAP-Password = <6>~<174><192><10><252>;<23><202>l<20><14>fDQ<142><179>
> >        Service-Type = Framed-User
> >        Framed-Protocol = PPP
> >
> >I need to replace the value of the CHAP-Password attribute before Radiator
> >will check the users file. If it's possible, what is the best way to do
> >this?
>
> You could use a PreAuthHook to do it. Have a look at the example
> hooks in the file "goodies/hooks.txt" in the Radiator distribution.
>
> However, I wonder if this is the best approach? If you could describe
> your requirements in a bit more detail, perhaps I can suggest a
> better way.
>
> regards
>
> Hugh
>
> --
>
> NB: I am travelling this week, so there may be delays in our
> correspondence.
Re: (RADIATOR) Value of Attribute replacement
Hello Dmitry -

At 19:13 +0100 01/11/30, Dmitry Kopylov wrote:
>Hi everyone,
>
>I've got a standard Access-Request:
>
>*** Received from 62.177.143.122 port 1645
>Code: Access-Request
>Identifier: 13
>Authentic: 0<184><145><169><164>,<132>xsz<26>O<168><129><127><237>
>Attributes:
>        NAS-IP-Address = 62.177.143.122
>        NAS-Port = 1
>        NAS-Port-Type = Virtual
>        User-Name = "[EMAIL PROTECTED]"
>        Called-Station-Id = "97532120"
>        Calling-Station-Id = "31235652175"
>        CHAP-Password = <6>~<174><192><10><252>;<23><202>l<20><14>fDQ<142><179>
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>
>I need to replace the value of the CHAP-Password attribute before Radiator
>will check the users file. If it's possible, what is the best way to do
>this?

You could use a PreAuthHook to do it. Have a look at the example
hooks in the file "goodies/hooks.txt" in the Radiator distribution.

However, I wonder if this is the best approach? If you could describe
your requirements in a bit more detail, perhaps I can suggest a
better way.

regards

Hugh

--

NB: I am travelling this week, so there may be delays in our
correspondence.