We are interested in using the LAC-LNS setup with a customer of ours.
This setup will be used with xDSL circuits.
I'm aware that you can configure an access domain map which matches the domain part in the AAA service request, like @example.com.
Now, with xDSL it's possible to have the client send an ADSL Agent Remote Id.
The content of that attribute can be matched on records in our FreeRADIUS database and send IP address information back to the access concentrator.
What we want is to match the content of the ADSL Agent Remote Id attribute to a domain map or L2TP tunnel group.
Meaning that when the customer fills in 'admin' 'admin' as the username and password when dialing PPPoE (something other than the correct credentials, or no credentials at all), the request gets forwarded to the remote LNS.
How would something like this be done?
You don't need this VSA. Basically, you can return all attributes pertaining to the tunnel(s) in the Access-Accept (if your box is LAC):
    # the check item could instead be based on Agent Remote Id, etc.
    user Cleartext-Password := "password"
        Service-Type = Framed-User,
        Tunnel-Client-Endpoint:1 += 10.120.230.100,
        Tunnel-Server-Endpoint:1 += 10.120.230.1,
        Tunnel-Type:1 += l2tp,
        Tunnel-Medium-Type:1 += IP,
        Tunnel-Client-Endpoint:2 += 10.120.230.100,
        Tunnel-Server-Endpoint:2 += 10.120.230.2,
        Tunnel-Type:2 += l2tp,
        Tunnel-Medium-Type:2 += IP
Please accept the solution if your problem is resolved
Yes, our box will be the LAC, just forwarding access request packets.
Remote LNS is in customer domain, ultimately handling the request.
Customer will also terminate the subscribers.
I just got a couple of questions, if I may 🙂
Answering your questions - yes, the profile I provided above is a subscriber profile configured on FreeRadius. An excerpt from your link:
RADIUS attributes and VSAs can override the values you configured by a tunnel profile in a domain map. In the absence of a domain map, RADIUS can supply all the characteristics of a tunnel. The steps in the following procedure list the corresponding standard RADIUS attribute or VSA that you can configure on your RADIUS server to modify or configure the tunnel profile.
Essentially it means that no additional configuration is needed on LAC - all tunnel attributes can be sourced from Radius in the Access-Accept for the particular user that will be tunneled to LNS.
Regarding the number of L2TP tunnels, you may want to provide some level of redundancy (just in case one of the LNSs fails), so it's better to return at least two destinations for a tunneled subscriber. I'm not 100% sure, but I think by default the same L2TP tunnel is used for the subsequent subscribers tunneled to the same destination (if not, you'll need to add exactly the same tunnel-assignment-id to the subscriber profile to force usage of the same tunnel).
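Putting the first answer's Access-Accept profile together with the redundancy and tunnel-assignment-id points from this follow-up, here is an added FreeRADIUS 3.x users-file entry that is not from the thread or from any vendor documentation. It keys the tunnel choice on the ADSL Agent Remote-Id rather than on the username, which is what the original question asked for. The attribute names (ADSL-Agent-Remote-Id from dictionary.rfc4679, the Tunnel-* attributes from dictionary.rfc2868) are the ones shipped in the stock FreeRADIUS dictionaries; the Remote-Id prefix, endpoint addresses, tunnel secret and assignment id are constructed placeholders.

```text
# Added example, not from this thread: raddb/mods-config/files/authorize
# (the "users" file) on the LAC-side FreeRADIUS. The Remote-Id prefix,
# addresses, secret and assignment id below are placeholders.
#
# Access lines whose DSLAM inserts a Remote-Id starting with "CUSTOMER-A-"
# are tunneled to the customer's LNS pair. Auth-Type := Accept makes the
# LAC skip the PPP credential check entirely, so "admin"/"admin" or an empty
# username is still tunneled; the customer's LNS does the real authentication.
# Tag 1 is the primary LNS, tag 2 the backup; Tunnel-Preference orders them
# and a shared Tunnel-Assignment-Id keeps later subscribers on the same tunnel.
DEFAULT ADSL-Agent-Remote-Id =~ "^CUSTOMER-A-", Auth-Type := Accept
        Service-Type = Framed-User,
        Tunnel-Type:1 = L2TP,
        Tunnel-Medium-Type:1 = IP,
        Tunnel-Client-Endpoint:1 = "10.120.230.100",
        Tunnel-Server-Endpoint:1 = "10.120.230.1",
        Tunnel-Password:1 = "l2tp-shared-secret-placeholder",
        Tunnel-Assignment-Id:1 = "customer-a",
        Tunnel-Preference:1 = 1,
        Tunnel-Type:2 = L2TP,
        Tunnel-Medium-Type:2 = IP,
        Tunnel-Client-Endpoint:2 = "10.120.230.100",
        Tunnel-Server-Endpoint:2 = "10.120.230.2",
        Tunnel-Password:2 = "l2tp-shared-secret-placeholder",
        Tunnel-Assignment-Id:2 = "customer-a",
        Tunnel-Preference:2 = 2

# Any line that did not match a known Remote-Id is refused, so a subscriber
# on an unrecognised line is neither tunneled nor terminated locally with
# whatever credentials they typed.
DEFAULT Auth-Type := Reject
        Reply-Message = "Unknown access line"
```

Two things worth keeping in mind when testing this: the Accept on the LAC is not authentication, it only selects the tunnel, so the LNS must still verify PAP/CHAP for every session it receives, and the Remote-Id is only trustworthy because the access node inserts it, so the entry should cover just the lines you control. Running the server with `radiusd -X` shows which users-file entry matched and the exact tunnel attributes placed in the Access-Accept, and `radclient` can replay a request file that carries a constructed ADSL-Agent-Remote-Id value before any real PPPoE session is attempted.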
Thank you very much!
I have accepted your first response as the solution, even though I haven't tried anything yet.
This is just the push in the right direction I needed 🙂
Awesome, thank you! I'm glad I could help, please feel free to update this thread or create a new topic should you require any further assistance during your tests.