Solved

RADIUS to authenticate DSL users.

Posted on 2014-03-07
Last Modified: 2015-06-13
I have a DSLAM and I connect my DSL routers with DHCP.
Now I want my users to connect with PPP to authenticate.
My routers accept both static IP/DHCP and PPP.
I have about 300 customers.

I want to use Windows 2003 or Windows 2012 as the RADIUS server.

Where is the best place to begin?
Question by: soffcec
20 Comments

Accepted Solution by: agonza07 (LVL 20, earned 50 total points)


Expert Comment by: pergr (LVL 17)

http://www.broadband-forum.org/technical/download/TR-101.pdf

Start having a look at the report above. Especially the appendices.

Note that when you use PPPoE you have the option of either using a username and password configured on the modem, or you can use Agent Circuit Id that will be added by the DSLAM.

Assisted Solution by: arnold (LVL 76, earned 300 total points)

Here are the steps:
win2k3 IAS server, NPS on win2k12.
Your HW should include AAA/RADIUS info, i.e. vendor-specific attributes if any, what options, etc.

Is Windows a requirement?

Using freeradius+mysql has many examples.

The remote routers would have to be configured with AAA.
You may have to define IP pools: one pool will allocate IPs via DHCP, the other parameter you will validate for static IP usage.

Author Comment by: soffcec

We connect our routers to a DSLAM which is owned by a third-party company (TPC).
After we get DSL sync our modem sends the user name and password in the form user@domain.is
to the TPC's RADIUS server, which looks at the domain name (domain.is) and sends the information to our RADIUS server, which confirms the connection.
Our routers use PPP to connect.

Assisted Solution by: pergr (LVL 17, earned 150 total points)

It seems you may have a LAC/LNS setup. That means you need L2TP sessions from your network provider to your BRAS, and then inside that tunnel you have PPPoE.

You need to check if this is the design that TPC has. You also need to tell us what type of BRAS you have.

Assisted Solution by: arnold (LVL 76, earned 300 total points)

That is common. They have a realm (domain.is in your example) that is configured to forward the requests to your RADIUS server/servers, i.e. they proxy the requests.

Use PPP to connect to the DSLAM?

The connection configuration is part of the reply data once the user/password and other parameters are validated.

It can be done with either/both Windows 2003 and Windows 2012 (you should always have at least two RADIUS auth/accounting systems just in case one goes down).
You need to know the routers you use and what responses they expect back:
Framed-User=ppp
NAS-ID

Your configuration will need to validate that the requests you are being forwarded are coming from your routers, using the NAS-ID, NAS-IP-Address, etc.

...

Your question includes many aspects, and I am unclear on the distinction you make.

1) You have routers connected to a provider's DSLAM that is extended to individuals that are customers of yours.

When the user's DSL adapter is turned on, the DSLAM gets the event and forwards you the authentication packet, which can be username/password for dynamic/static IP allocations, or they can just send the IP. Your response options are: assign an IP using DHCP, or, when users have static IPs and the IP is part of the auth packet, accept or reject the connection.

PPP is an encapsulation which I think is used on a DSL connection.

Does your distinction between DHCP and PPP deal with whether it is PPPoE, where a username/password is provided, versus when the user is requesting a specific static IP?

Author Comment by: soffcec

Síminn is the company I am going to buy DSL service from and they are going to host the LNS. I am the TSC ISP.

RADIUS
RADIUS server
      Has access to the TSC user database
      Accepts and answers authentication messages from the LNS (RADIUS authentication)
      Answers with the IP address for the end user
      Accepts RADIUS accounting messages from the LNS for traceability
L3 router
      Connects with VRF LNS_TSC
      RADIUS communication goes through this connection, as does user traffic to/from the LNS
      Routes to the Internet (VRF Internet at Símanum or through other ISPs)

Assisted Solution by: pergr (LVL 17, earned 150 total points)

So both BRAS (LAC) and LNS are done by Síminn.

Your L3 router only needs routes for the IP addresses you allocate to users, and for the RADIUS client IP of the LNS.

(You should also clarify who gives DNS service to the users, and how the DNS servers are communicated to users. It is possible to send the DNS server IPs in the RADIUS Accept message, which the LNS will then forward to the PPPoE client.)

So, you really only need to configure the RADIUS server.
You will receive an AUTH Request with Username and Password, which you need to check. You will then need to return Accept, and Framed-IP, Primary-DNS, Secondary-DNS, and possibly Framed-Protocol. If your customers have additional IP networks routed to them, you can also return Framed-Route.

The above are the RADIUS attributes you will send.
They are all 'standard' attributes that should be understood by all LNSs.
However, the LNS will send Accounting data too, and these may be 'vendor specific' attributes, and it is best to ask the LNS operator which RADIUS 'dictionary' will be used.

If you do not want to assign a specific IP to each user, you can return Framed-Pool, which is the name of a pool of addresses configured on the LNS.

First you need to configure the LNS as a NAS client, with the correct shared key.

http://technet.microsoft.com/en-us/library/dd197596(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd197472(WS.10).aspx
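The exchange pergr describes above (Access-Request from the LNS checked against the subscriber record, Access-Accept carrying Framed-Protocol, Framed-IP-Address and Framed-Route, and the LNS registered as a NAS client with a shared secret, which is also arnold's earlier point about validating that forwarded requests really come from your NAS) as an added Python example; this is not code from the thread, from NPS or from FreeRADIUS. Only standard RFC 2865 attributes are used, so the vendor-specific DNS attributes are left out, and the client address, shared secret and subscriber records are constructed placeholders.

```python
import hashlib
import ipaddress
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, PPP = 1, 2, 3, 1  # packet codes; Framed-Protocol value
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FRAMED_ROUTE = 1, 2, 4, 7, 8, 22
NAS_CLIENTS = {"192.0.2.10": b"placeholder-shared-secret"}  # constructed: LNS client + secret
SUBSCRIBERS = {  # constructed: username -> (password, static IP, prefix routed to user or None)
    "user1@domain.is": ("pw-user1", "198.51.100.21", "203.0.113.0/29")}

def attr(t, value):  # one RADIUS Type-Length-Value attribute
    return struct.pack("!BB", t, 2 + len(value)) + value

def parse_attrs(body):  # TLV list -> {type: value}; a malformed length cannot loop forever
    attrs, i = {}, 0
    while i + 1 < len(body):
        t, l = body[i], body[i + 1]
        attrs[t], i = body[i + 2:i + l], i + max(l, 2)
    return attrs

def crypt_password(data, secret, request_auth, decrypt):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous cipher block)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (block if decrypt else xored)
    return out

def build_packet(code, ident, authenticator, attrs, secret=None):
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:  # reply: Response Authenticator = MD5(header|ReqAuth|attrs|secret)
        authenticator = hashlib.md5(header + authenticator + body + secret).digest()
    return header + authenticator + body

def handle_access_request(packet, src_ip):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    secret = NAS_CLIENTS.get(src_ip)
    nas_ip = str(ipaddress.IPv4Address(attrs.get(NAS_IP_ADDRESS, b"\0\0\0\0")))
    if code != ACCESS_REQUEST or secret is None or nas_ip != src_ip:
        return None  # unknown source or NAS-IP-Address mismatch: discard, never answer
    rec = SUBSCRIBERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    pw = crypt_password(attrs.get(USER_PASSWORD, b""), secret, request_auth, True).rstrip(b"\0")
    if rec is None or pw != rec[0].encode():
        return build_packet(ACCESS_REJECT, ident, request_auth, [], secret)
    reply = [attr(FRAMED_PROTOCOL, struct.pack("!I", PPP)),
             attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(rec[1]).packed)]
    reply += [attr(FRAMED_ROUTE, f"{rec[2]} 0.0.0.0 1".encode())] if rec[2] else []
    return build_packet(ACCESS_ACCEPT, ident, request_auth, reply, secret)
```

handle_access_request returns the Access-Accept or Access-Reject bytes to send back, or None when the datagram came from an address that is not a configured NAS client, in which case RFC 2865 says to drop it without answering.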

Assisted Solution by: arnold (LVL 76, earned 300 total points)

Does Síminn allocate their own IP space that they allocated to you? Or do you have your own IP space that they preconfigured as pools on their equipment?
And all you need to do is, within the reply items, indicate which pool this user should get their IP from, or allocate a specific IP to the user.

Author Comment by: soffcec

I will run DHCP server and allocate IP addresses to subscribers.

Assisted Solution by: arnold (LVL 76, earned 300 total points)

Because of your separation, using your own DHCP would require the provider of the DSLAM to set up DHCP relay agents, which makes things more complicated than necessary.
It is much more efficient for the DSLAM provider to define a pool of IPs and have them allocate the IP when the RADIUS Accept is received with the reference to the IP pool to use.

For record keeping, use RADIUS accounting data, which is where you will have the IP, username if any, and times for start/stop and possibly keep-alive.

The only time the RADIUS Accept packet should include an IP is for a statically allocated one to a user.

Assisted Solution by: pergr (LVL 17, earned 150 total points)

Some RADIUS servers can also handle pools, like FreeRADIUS.

It does mean the RADIUS server will be "stateful", meaning it keeps track of which IP is allocated to which user, and which addresses are still free. It is important that this information is not lost when you restart the server.

Author Comment by: soffcec

I need every user to have a static IP address.

Assisted Solution by: arnold (LVL 76, earned 300 total points)

If every user has a static IP, the IP you want the user to have has to be part of their record.

I.e., if you go with freeradius, part of the configuration there is a section dealing with reply items; this is where you would have ipaddress:=user1ip etc.
How far along have you gotten with the freeradius+mysql setup?
Or do you have a preference for another backend DB/resource?

Author Comment by: soffcec

I prefer to use only Windows Server for the RADIUS. I am still not understanding all of this. Maybe it is better to let the DSLAM provider assign the IP addresses.
We need to measure all foreign download usage of the subscriber, and today we use his IP address to identify him.

Assisted Solution by: arnold (LVL 76, earned 300 total points)

You can still identify the user based on the IP address no matter who assigns it, by enabling accounting on the DSLAM side and having the accounting portion functioning on the RADIUS side.

Which Windows RADIUS are you looking at?

You can use IAS/NPS depending on the version of Windows you are using.

You have to pick one version and then configure it. Test it locally to make sure the requests you send get the appropriate responses.
Then you can test the interconnection between your RADIUS servers and the DSLAM to make sure you get the requests you expect and respond accordingly.

Since it seems you are setting this up from scratch, you have to take it a step at a time.

Author Comment by: soffcec

I would prefer Windows 2012 but I am more familiar with 2003. What do you recommend ?

Expert Comment by: arnold (LVL 76)

Whatever you have on hand can be configured to do what you want/need.
It is easier to deal with setting something up, rather than discussing the various options.
At this stage you want to use a Windows platform for your RADIUS setup.

I find the flexibility available in a freeradius + mysql backend is one thing.

There are many guides online for whichever system you pick.
My guess is you currently have a setup, but would like further control versus what you currently have from the DSLAM provider.

Once you start the configuration/setup process, you'll become more familiar with what is involved and thus have more practical information than can be conveyed in an abstract discussion.
The way the user accounts need to be configured/set up, etc. would guide you.

Author Comment by: soffcec

Ok. I will ask the DSL provider if he will make a dynamic pool in his LNS; that should take work off me. Am I right?

Author Closing Comment by: soffcec

I ended up with using Windows 2012 NPS and it is working fine.