A question regarding radius attribute tagging
Hi,

I'm running FreeRadius 0.4 on Sparc/Solaris 8 (latest patches) for some testing I'm conducting with 3Com/Cisco L2TP tunnels. Please bear with me, I'm a RADIUS newbie and have only been running FR for a week.

I have FR up and running nicely, sending back attributes to the NASs in question to set up tunnels. I've heard about a tunnel feature that allows the NAS to receive multiple tunnel-endpoint attributes and then load balance the tunnels it builds; I'd like to try this! The NAS can cope with receiving multiple tunnel-endpoint attributes, so I presume I can just create a user.conf profile with multiple endpoint attributes like this:

        USR-Tunnel-Security = none,
        USR-Tunnel-Type = L2TP,
        USR-Tunnel-Endpoint = 10.0.0.100,
        USR-Tunnel-Endpoint = 10.0.0.101,
        USR-Tunnel-Endpoint = 10.0.0.102,

Under Steel Belted Radius multiple attributes are referred to as tagging, where the attributes in question are tagged with something like [1] [2] [3] so that SBR can distinguish them - or something like that :)

So the big question is, can FreeRadius handle sending back multiple instances of the same attribute with different values? If it can, is there anything in particular that I need to do to set it up, or can I just add multiple instances of the attribute as in the example above? And has anyone else ever tried this with FR?

Kind Regards
John

--
John Benge - Development, thus[tm]
Email: [EMAIL PROTECTED]
Mobile: +44 7887796300
Fax: +44 870 051
Work: +44 208 371 3739

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: A question regarding radius attribute tagging
At 04:47 PM 3/14/2002 +, [EMAIL PROTECTED] wrote:

> Hi,
>
> I have FR up and running nicely, sending back attributes to the NASs in question to set up tunnels. I've heard about a tunnel feature that allows the NAS to receive multiple tunnel-endpoint attributes and then load balance the tunnels it builds; I'd like to try this! The NAS can cope with receiving multiple tunnel-endpoint attributes, so I presume I can just create a user.conf profile with multiple endpoint attributes like this:
>
>         USR-Tunnel-Security = none,
>         USR-Tunnel-Type = L2TP,
>         USR-Tunnel-Endpoint = 10.0.0.100,
>         USR-Tunnel-Endpoint = 10.0.0.101,
>         USR-Tunnel-Endpoint = 10.0.0.102,

Those are USR specific attributes. Use the RFC standard attributes, as described in 'raddb/dictionary.tunnel'. And that's not quite how it works. See below for an example.

> Under Steel Belted Radius multiple attributes are referred to as tagging, where the attributes in question are tagged with something like [1] [2] [3] so that SBR can distinguish them - or something like that :)
>
> So the big question is, can FreeRadius handle sending back multiple instances of the same attribute with different values?

Yes. You can use something like this for your users file:

tunneluser      Auth-Type := Local, Password == foobar
                Tunnel-Type:1 = L2TP,
                Tunnel-Medium-Type:1 = IP,
                Tunnel-Server-Endpoint:1 = 10.20.30.2,
                Tunnel-Password:1 = secret,
                Tunnel-Preference:1 = 1,
                Tunnel-Type:2 = GRE,
                Tunnel-Medium-Type:2 = IP,
                Tunnel-Server-Endpoint:2 = 10.99.98.67,
                Tunnel-Preference:2 = 2

The :X after the attribute is the 'tag'. The attributes that share a common tag value become a group. The group with the lowest tunnel-pref value is tried first. In the example above, that would be the L2TP tunnel; if the NAS can't do the L2TP tunnel, it will then try the GRE tunnel.

You can understand more if you read: http://www.freeradius.org/rfc/rfc2868.html

There isn't a readme on this yet, so I guess I should create one. :)

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
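To make the ':X' tag concrete on the wire, here is an added example (not code from the thread or from FreeRADIUS) that encodes the two tunnel groups from the users entry above as RFC 2868 tagged attributes, decodes them back into per-tag groups, and orders the groups by Tunnel-Preference the way the NAS is expected to. The attribute numbers and enumerated values (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Server-Endpoint 67, Tunnel-Preference 83; L2TP=3, GRE=10, IP=1) are the RFC's; Tunnel-Password is left out because it is salt-encrypted with the shared secret, which this illustration does not model, and the reply bytes are constructed here.

```python
# RFC 2868 attribute numbers and the enumerated values used in the users entry above
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT, TUNNEL_PREFERENCE = 64, 65, 67, 83
INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE}
TUNNEL_TYPE_L2TP, TUNNEL_TYPE_GRE, MEDIUM_IP = 3, 10, 1

def encode_tagged(attr, tag, value):
    """Type|Length|Tag|Value: tagged integers are tag + 3 octets, strings are tag + text."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be in 0x01..0x1F")
    if attr in INTEGER_ATTRS:
        body = bytes([tag]) + value.to_bytes(3, "big")
    else:
        body = bytes([tag]) + value.encode("ascii")
    return bytes([attr, 2 + len(body)]) + body

def decode_tagged(blob):
    """Walk an attribute run and group it by tag: {tag: {attr: value}}."""
    groups, i = {}, 0
    while i < len(blob):
        if i + 1 >= len(blob) or blob[i + 1] < 3 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attr, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + length]
        if attr in INTEGER_ATTRS:
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif body[0] <= 0x1F:
            tag, value = body[0], body[1:].decode("ascii")
        else:  # first octet above 0x1F: untagged string, octet is part of the value (RFC 2868 3.4)
            tag, value = 0, body.decode("ascii")
        groups.setdefault(tag, {})[attr] = value
        i += length
    return groups

def preference_order(groups):
    """Tags sorted by Tunnel-Preference, lowest first: the group the NAS tries first."""
    return sorted(groups, key=lambda t: groups[t].get(TUNNEL_PREFERENCE, 0))

def build_reply():
    """Constructed Access-Accept attribute run for the two groups in the users entry."""
    spec = [(1, TUNNEL_TYPE_L2TP, "10.20.30.2", 1), (2, TUNNEL_TYPE_GRE, "10.99.98.67", 2)]
    out = b""
    for tag, ttype, endpoint, pref in spec:
        out += encode_tagged(TUNNEL_TYPE, tag, ttype)
        out += encode_tagged(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IP)
        out += encode_tagged(TUNNEL_SERVER_ENDPOINT, tag, endpoint)
        out += encode_tagged(TUNNEL_PREFERENCE, tag, pref)
    return out
```

Running `decode_tagged(build_reply())` yields group 1 (L2TP) and group 2 (GRE), and `preference_order` returns `[1, 2]`, matching the "L2TP first, then GRE" behaviour described above.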
Re: A question regarding radius attribute tagging
At 06:48 PM 3/14/2002 +, [EMAIL PROTECTED] wrote:

> Hi Chris, thanks for the help! I'll give it a go right now and take a look at the RFC you mentioned. This may seem a naive question, but I only have 5 days' worth of RADIUS experience under my belt: when should I / should I not use VSAs (like the tunnel VSAs in my original post)?

VSA is a Vendor Specific Attribute, i.e. it only works for one vendor's NAS. A Cisco VSA will not be understood by a 3Com NAS.

If there is a standard attribute (non-VSA) that does what you want, I highly urge the use of that over the VSA, as it will be more portable. If there isn't a standard attribute to accomplish it, then you don't have a choice, so you have to use the VSA.

I come from a multi-vendor NAS environment, so using the most commonly understood attributes is highly desirable.

Example: 'Ascend-Idle-Limit' is a VSA that only works on Ascend NAS. 'Idle-Timeout' does the same thing, and works on all NAS. So, you'd want to use Idle-Timeout, as it's more portable.

-Chris

--
Chris Parker, Director, Engineering, StarNet Inc.
Re: A question regarding radius attribute tagging
> SNIP
>
> Yes. You can use something like this for your users file:
>
> tunneluser      Auth-Type := Local, Password == foobar
>                 Tunnel-Type:1 = L2TP,
>                 Tunnel-Medium-Type:1 = IP,
>                 Tunnel-Server-Endpoint:1 = 10.20.30.2,
>                 Tunnel-Password:1 = secret,
>                 Tunnel-Preference:1 = 1,
>                 Tunnel-Type:2 = GRE,
>                 Tunnel-Medium-Type:2 = IP,
>                 Tunnel-Server-Endpoint:2 = 10.99.98.67,
>                 Tunnel-Preference:2 = 2
>
> The :X after the attribute is the 'tag'. The attributes that share a common tag value become a group. The group with the lowest tunnel-pref value is tried first. In the example above, that would be the L2TP tunnel; if the NAS can't do the L2TP tunnel, it will then try the GRE tunnel.
>
> SNIP
>
> -Chris
>
> SNIP

Hi Chris, thanks for the help! I'll give it a go right now and take a look at the RFC you mentioned. This may seem a naive question, but I only have 5 days' worth of RADIUS experience under my belt: when should I / should I not use VSAs (like the tunnel VSAs in my original post)?

Cheers
John

--
John Benge - Development
Re: A question regarding radius attribute tagging
Chris Parker wrote:

> SNIP
>
> If there is a standard attribute (non-VSA) that does what you want, I highly urge the use of that over the VSA, as it will be more portable. If there isn't a standard attribute to accomplish it, then you don't have a choice, so you have to use the VSA.
>
> I come from a multi-vendor NAS environment, so using the most commonly understood attributes is highly desirable.
>
> Example: 'Ascend-Idle-Limit' is a VSA that only works on Ascend NAS. 'Idle-Timeout' does the same thing, and works on all NAS. So, you'd want to use Idle-Timeout, as it's more portable.
>
> -Chris

Hi,

Thanks for the good advice Chris!

Cheers
John

--
John Benge - Development