
RADIUS to authenticate DSL users.

I have a DSLAM and I connect my DSL routers with DHCP.
Now I want my users to connect with PPP to authenticate.
My routers accept both static IP, DHCP and PPP.
I have about 300 customers.


I want to use Windows 2003 or Windows 2012 as the RADIUS server.

Where is the best place to begin?
Asked by: soffcec
pergrCommented:
http://www.broadband-forum.org/technical/download/TR-101.pdf

Start by having a look at the report above, especially the appendices.

Note that when you use PPPoE you have the option of either using a username and password configured on the modem, or you can use the Agent Circuit Id that will be added by the DSLAM.
0
 
arnoldCommented:
Here are the steps:
IAS server on Win2k3, NPS on Win2k12.
Your HW should include AAA/RADIUS info, i.e. vendor-specific attributes if any, what options, etc.

Is Windows a requirement? Such that

Using freeradius+mysql has many examples.

The remote routers would have to be configured with AAA.
You may have to define IP pools; one pool will allocate IPs via DHCP, the other parameter you will validate is static IP usage.

0

 
soffcecAuthor Commented:
We connect our routers to a DSLAM which is owned by a third party company (TPC).
After we get DSL sync our modem sends the user name and password in the form user@domain.is
to the TPC's RADIUS server, which looks at the domain name (domain.is) and sends the information to our RADIUS server, which confirms the connection.
Our routers use PPP to connect.
0
 
pergrCommented:
It seems you may have a LAC/LNS setup. That means you need L2TP sessions from your network provider to your BRAS, and then inside that tunnel you have PPPoE.

You need to check if this is the design that TPC has. You also need to tell us what type of BRAS you have.
0
 
arnoldCommented:
That is common.  They have a realm (domain.is in your example) that is configured to forward the requests to your RADIUS server/servers, i.e. they proxy the requests.

Use PPP to connect to the DSLAM?

The connection configuration is part of the reply data once the user/password and other parameters are validated.

It can be done with either/both Windows 2003 and Windows 2012 (you should always have at least two RADIUS auth/accounting systems just in case one goes down).
You need to know the routers you use and what responses they expect back.
Framed-User=ppp
NAS-ID

Your configuration will need to validate that the requests you are being forwarded are coming from your routers using the NAS-ID, NAS-IP-Address, etc.

.....


Your question includes many aspects, and I am unclear on the distinction you make.

1) You have routers connected to a provider's DSLAM that is extended to individuals who are customers of yours.

When the user's DSL adapter is turned on, the DSLAM gets the event and forwards you the authentication packet, which can be username/password for dynamic/static IP allocations, or they can just the IP. Your response options are: assign an IP using DHCP, or, when users have static IPs and the IP is part of the auth packet, accept or reject the connection.

PPP is an encapsulation which I think is used on a DSL connection.

Is your distinction between DHCP and PPP about whether it is PPPoE, where a username/password is provided, versus when the user is requesting a specific static IP?
0
 
soffcecAuthor Commented:
Síminn is the company I am going to buy DSL service from and they are going to host the LNS. I am the TSC ISP.

RADIUS
RADIUS server
      Has access to the TSC user database
      Accepts and answers authentication messages from the LNS (RADIUS authentication)
      Answers with the IP address for the end user.
      Accepts RADIUS Accounting messages from the LNS for traceability.
L3 router
      Connects with VRF LNS_TSC
      RADIUS communication goes through this connection, as does user traffic to/from the LNS
      Routes to the Internet (VRF Internet at Símanum or through other ISPs)
0
 
pergrCommented:
So both BRAS (LAC) and LNS are done by Síminn.

Your L3 Router only needs routes for the IP addresses you allocate to users, and for the RADIUS client IP of the LNS.

(You should also clarify who gives DNS service to the users, and how the DNS servers are communicated to users. It is possible to send the DNS server IPs in the RADIUS Accept message, which the LNS will then forward to the PPPoE client.)

So, you really only need to configure the RADIUS server.
You will receive an AUTH Request with Username and Password, which you need to check. You will then need to return Accept, and Framed-IP, Primary-DNS, Secondary-DNS, and possibly Framed-Protocol. If your customers have additional IP networks routed to them, you can also return Framed-Route.

The above are the RADIUS attributes you will send.
They are all 'standard' attributes that should be understood by all LNSs.
However, the LNS will send Accounting data too, and these may be 'vendor specific' attributes, so it is best to ask the LNS operator which RADIUS 'dictionary' will be used.

If you do not want to assign specific IP to each user, you can return Framed-Pool, which is the name of a pool of addresses configured on the LNS.

First you need to configure the LNS as a NAS Client, with the correct shared key.

http://technet.microsoft.com/en-us/library/dd197596(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd197472(WS.10).aspx
0
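Worked example, added here and not code from this thread or from any product it mentions: a minimal Python model of the reply attributes pergr lists above and of the NAS check arnold describes earlier (NAS-IP-Address matched against a configured shared secret). It builds an RFC 2865 Access-Accept carrying Framed-Protocol, Framed-IP-Address and Framed-Route for a static-IP subscriber, or Framed-Pool for a pooled one. The NAS table, secret, usernames and addresses are constructed placeholders; the DNS attributes are left out because their encoding depends on the LNS dictionary.

```python
import hashlib
import ipaddress
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code
FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FRAMED_ROUTE, FRAMED_POOL = 7, 8, 22, 88  # RFC 2865/2869 attribute types
# Constructed NAS client table (the LNS proxying the realm), keyed by NAS-IP-Address
NAS_CLIENTS = {"192.0.2.10": b"constructed-shared-secret"}
# Constructed subscriber records: static IP (optionally with a routed prefix) or a pool name
USERS = {
    "user1@domain.is": {"ip": "203.0.113.5", "route": "198.51.100.0/24"},
    "user2@domain.is": {"pool": "tsc-dynamic"},
}

def _avp(atype, value):
    """Encode one Type-Length-Value attribute; the length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def reply_attributes(username):
    """Reply items for a subscriber: Framed-Protocol=PPP plus static IP/route or a pool reference."""
    rec = USERS[username]
    attrs = [_avp(FRAMED_PROTOCOL, struct.pack("!I", 1))]  # Framed-Protocol value 1 = PPP
    if "ip" in rec:
        attrs.append(_avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(rec["ip"]).packed))
        if "route" in rec:
            # Framed-Route text form "prefix gateway metric"; gateway 0.0.0.0 means the session address
            attrs.append(_avp(FRAMED_ROUTE, f"{rec['route']} 0.0.0.0 1".encode()))
    else:
        attrs.append(_avp(FRAMED_POOL, rec["pool"].encode()))
    return b"".join(attrs)

def access_accept(nas_ip, request_authenticator, ident, username):
    """Full Access-Accept packet, or None when the request did not come from a configured NAS."""
    secret = NAS_CLIENTS.get(nas_ip)
    if secret is None or len(request_authenticator) != 16:
        return None
    attrs = reply_attributes(username)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator (RFC 2865 s.3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(packet):
    """Decode the attribute TLVs after the 20-byte header into (type, raw value) pairs."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out
```

Requests from an address that is not in the NAS table get no reply at all, which is the behaviour you want from the validation step: an Access-Reject would still confirm to an unknown sender that the server exists.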
 
arnoldCommented:
Does Síminn allocate their own IP space that they allocated to you? Or do you have your own IP space that they preconfigured as pools on their equipment?
And all you need to do is, within the reply items, indicate which pool this user should get their IP from, or allocate a specific IP to the user.
0
 
soffcecAuthor Commented:
I will run DHCP server and allocate IP addresses to subscribers.
0
 
arnoldCommented:
Because of your separation, using your own DHCP would require the provider of the DSLAM to set up DHCP relay agents, which makes things more complicated than necessary.
It is much more efficient for the DSLAM provider to define a pool of IPs and have them allocate the IP when the radius-accept is received with the reference to the IP pool to use.

For record keeping, use RADIUS accounting data, which is where you will have the IP, username if any, and times for start/stop and possibly keep-alive.

The only time the RADIUS accept packet should include an IP is for one statically allocated to a user.
0
 
pergrCommented:
Some RADIUS servers can also handle pools, like FreeRADIUS.

It does mean the RADIUS server will be "stateful", meaning it keeps track of which IP is allocated to which user, and which addresses are still free. It is important that this information is not lost when you restart the server.
0
 
soffcecAuthor Commented:
I need every user to have a static IP address.
0
 
arnoldCommented:
If every user has a static IP, the IP you want the user to have has to be part of their record.

I.e. if you go with freeradius, part of the configuration there is a section dealing with reply items; this is where you would have ipaddress:=user1ip etc.
How far along have you gotten with the freeradius+mysql setup?
Or do you have a preference for another backend DB/resource?
0
 
soffcecAuthor Commented:
I prefer to use only Windows server for the RADIUS. I am still not understanding all of this.  Maybe it is better to let the DSLAM provider assign the IP addresses.
We need to measure all foreign download usage of the subscriber, and today we use his IP address to identify him.
0
 
arnoldCommented:
You can still identify the user based on the IP address no matter who assigns it, by enabling accounting on the DSLAM side and having the accounting portion functioning on the RADIUS side.

Which windows radius are you looking at?

You can use the IAS/NPS depending on the version of windows you are using.

You have to pick one version and then configure it. Test it locally to make sure the requests you send get the appropriate responses.
Then you can test the interconnection between your radius servers and the DSLAM to make sure you get the request you expect and respond accordingly.

Since it seems you are setting this up from scratch, you have to take it a step at a time.
0
 
soffcecAuthor Commented:
I would prefer Windows 2012 but I am more familiar with 2003. What do you recommend ?
0
 
arnoldCommented:
Whatever you have on hand can be configured to do what you want/need.
It is easier to deal with setting something up, rather than discussing the various options.
At this stage you want to use a Windows platform for your RADIUS setup.

I find the flexibility available in freeradius + mysql backend is one thing.

There are many guides online for whichever system you pick.
My guess is you currently have a setup, but would like further control versus what you currently have from the DSLAM provider.

Once you start the configuration/setup process, you'll become more familiar with what is involved and thus have more practical information than can be conveyed in an abstract discussion.
The way the user accounts need to be configured, set up, etc. would guide you.
0
 
soffcecAuthor Commented:
Ok. I will ask the DSL provider if he will make a dynamic pool in his LNS; that should take work off me. Am I right?
0
 
soffcecAuthor Commented:
I ended up using Windows 2012 NPS and it is working fine.
0
