Mailing List Archive

Cisco 7206VXR for BBA
Hi there..

We have a Cisco 7206VXR that is currently doing broadband aggregation
for our ADSL services.... It uses our Cistron radius servers for
authentication and accounting with no problem.....

Now, we have a need to bring on a proxy-radius setup because we have a
customer who wants to wholesale DSL services from us and they run their
own radius servers. Proxy radius seems to be the best way to offer this
(long threads on cisco-nsp about that topic) so have some questions....

It seems that we need to use [ cisco-avpair = "ip:addr-pool=POOL-A" ] on
the radius side to instruct the router to use a specific pool such as [
ip local pool POOL-A <start-ip> <end-ip> ]

Because this is proxy radius, how do we send this attribute back to the
router based on the realm name?? I realize this is probably a
discussion for the Cistron list but wanted to start here first...
The user is going to connect, get an ack or nack from the remote radius
server - but then how do we tell it to specifically send back a
cisco-avpair based on the realm name??

Basically, stepping back a bit... We have three user@realm coming in
across the same physical connection. Our requirement is to take one of
these realms and have it use its own radius servers and ip pools.

Thanks for any input...

Paul Stewart
Network Administrator
Nexicom Inc.
http://www.nexicom.net/

_______________________________________________
cisco-nas mailing list
cisco-nas@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas
Re: Cisco 7206VXR for BBA
Hi Paul,

Did you consider the L2TP model, in which you control the LAC and your
customer controls the LNS? In that approach your customer is responsible for
the IP address pool and for authorization of the customers. Similar to the
picture below:

user@realm -------PPPoE-----LAC----------L2TP--------LNS
                             |                        |
                             |                        |
                             |                        |
                     SP Wholesale Radius       ISP Customer Radius

The L2TP tunnel is opened based on the "realm".

Tiho

Re: Cisco 7206VXR for BBA
Hi there.. Thanks for the response.

We need to be the LAC and LNS in this setup.... I wish there was a way
right on the 7206 to break things out purely based on the user@realm
portion and skip radius altogether (except for auth/acct) like you can
on the Redbacks...;)

Paul

Re: Cisco 7206VXR for BBA
Paul,

If you are doing authentication and authorization on your radius for one of
your users based on realm, then you have to do it for all others.

Tiho

Re: Cisco 7206VXR for BBA
Thanks.. Yes, I understand that... I just wish there was a way to break
apart the realms on the NAS level before it hits Radius itself...

In other words,

Realm A - Radius Server 10.10.10.1 - IP Pool 10.254.254.1-10.254.254.254
Realm B - Radius Server 192.168.0.1 - IP Pool 192.168.10.1-192.168.10.254

But do this right on the Cisco ;)

Paul

Re: Cisco 7206VXR for BBA
Hi Paul,

Paul Stewart wrote:
> Basically, stepping back a bit... We have three user@realm coming in
> across the same physical connection. Our requirement is to take one of
> these realms and have it use its own radius servers and ip pools.

In your users file, do something to this extent:

DEFAULT Suffix = "@special_pool_realm"
        Cisco-AVPair = "ip:addr-pool=specific_pool",
        Fall-Through = No

DEFAULT
        Cisco-AVPair = "ip:addr-pool=default_pool"

In your realms file:

special_pool_realm 172.22.10.12:1812:1813 nostrip


This will proxy all requests for someuser@special_pool_realm to
172.22.10.12, and when it sends the request back to the NAS, it'll send
the Cisco-AVPair back, and the IP address pool should be set to
"specific_pool".

If you don't come right, drop me a mail off-list, and I'll assist further.

Cheers,
Jaco

--
bje@serendipity.org.za
the faculty of making fortunate discoveries
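The realm-to-server-and-pool split Paul asks for in his "Realm A / Realm B" list, and the users/realms configuration Jaco gives above, modelled as an added Python example (not code from the thread, from Cistron, or from Cisco). It assumes the realm and pool names, a constructed remote_accepts callback standing in for the proxied RADIUS exchange, and that reply items from the local users file are merged into the Access-Accept as the answer describes; it also covers a second realm with the realm stripped before forwarding, which the thread only implies.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# realms file model: realm -> (remote server, strip realm before forwarding?).
# "nostrip" in the answer keeps the realm on the forwarded User-Name. 172.22.10.12
# is from the answer and 192.168.0.1 from Paul's "Realm B" line; realm and pool
# names are constructed for this example.
REALMS = {
    "special_pool_realm": ("172.22.10.12:1812", False),
    "realm-b": ("192.168.0.1:1812", True),
}

# users file model, in file order: (Suffix check item or None, reply items,
# Fall-Through). The bare DEFAULT entry matches everyone not caught earlier.
USERS = [
    ("@special_pool_realm", {"Cisco-AVPair": "ip:addr-pool=specific_pool"}, False),
    ("@realm-b", {"Cisco-AVPair": "ip:addr-pool=POOL-B"}, False),
    (None, {"Cisco-AVPair": "ip:addr-pool=default_pool"}, False),
]

@dataclass
class Decision:
    forward_to: Optional[str]        # None: not proxied, handled locally
    forwarded_user: str              # User-Name as sent to the remote server
    reply: dict = field(default_factory=dict)   # attributes returned to the NAS

def split_realm(username: str):
    # Split on the last '@'; a name without '@' has an empty realm.
    user, sep, realm = username.rpartition("@")
    return (user, realm) if sep else (username, "")

def route(username: str, remote_accepts: Callable[[str, str], bool]):
    """Decide where an Access-Request goes and what the NAS gets back.
    remote_accepts(server, user) stands in for the proxied exchange (local auth
    of non-proxied users is not modelled). Returns None on Access-Reject."""
    user, realm = split_realm(username)
    d = Decision(forward_to=None, forwarded_user=username)
    if realm in REALMS:
        server, strip = REALMS[realm]
        d.forward_to = server
        d.forwarded_user = user if strip else username
        if not remote_accepts(server, d.forwarded_user):
            return None   # remote Access-Reject: pass it on, add no attributes
    # Walk the users file: the first entry whose Suffix matches supplies the
    # pool; Fall-Through = No stops the walk so default_pool is not also added.
    for suffix, attrs, fall_through in USERS:
        if suffix is None or username.endswith(suffix):
            d.reply.update(attrs)
            if not fall_through:
                break
    return d
```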