[cisco-nas] include extra attribute in the auth request
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Thu Apr 6 09:45:50 EDT 2006
Tassos Chatzithomaoglou <mailto:achatz at forthnet.gr> wrote on Thursday,
April 06, 2006 3:39 PM:
> Oliver Boehmer (oboehmer) wrote on 6/4/2006 16:30:
>
>> Tassos Chatzithomaoglou <mailto:achatz at forthnet.gr> wrote on
>> Thursday, April 06, 2006 3:24 PM:
>>
>>
>>>> Not sure there is an easy solution on the routers, but maybe you
>>>> can make your session control on the Radius a bit more intelligent?
>>>>
>>>
>>> Any idea about that?
>>>
>>> I can make a lot of customizations on the radius server, but I
>>> couldn't think of any that would help in our case.
>>
>>
>> well, a crude one would be not enforcing any session control/resource
>> management for these ISDN calls ;-)
>
> That is too crude for our logistics :p, because it would allow many
> simultaneous logins for each isdn call....

I was afraid you were going to say this :-)

But honestly: Even if we had some magic attribute we could pass within
the chap/pap challenge to the NAS/BRAS in order to send it along in the
access-request, this magic thingy could be passed on to buddies just
like the username/password to abuse your service.

But maybe a less crude (but more complex) policy would be not to enforce
session control for ISDN calls coming from known CLIDs, which would
obviously require your customers to register their ISDN number with
you...

oli
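
The policy suggested in the last paragraph above, sketched as an added example that is not part of the original message or of any RADIUS server's own API: the session limit is skipped only for ISDN calls whose Calling-Station-Id is registered to that user. The function names, the request dictionary layout and the sample CLIDs are assumptions made for illustration.

```python
# Added example: hypothetical policy hook for a RADIUS server's authorize step.
import re

# NAS-Port-Type (attribute 61) values that denote ISDN, per RFC 2865:
# 2 = ISDN Sync, 3 = ISDN Async V.120, 4 = ISDN Async V.110.
ISDN_PORT_TYPES = {2, 3, 4}

# Constructed sample data: ISDN numbers each customer has registered,
# stored already normalized (digits only, no leading zeros).
REGISTERED_CLIDS = {
    "alice": {"302105550100"},
    "bob": set(),
}


def normalize_clid(raw):
    """Reduce a Calling-Station-Id to digits so '+30 210...' and '0030210...' match.

    Simplification (assumption): national and international formats are not
    reconciled; only punctuation and leading zeros are removed.
    """
    return re.sub(r"\D", "", raw or "").lstrip("0")


def enforce_session_limit(request, registered=REGISTERED_CLIDS):
    """Return True when the simultaneous-session limit applies to this request."""
    if request.get("NAS-Port-Type") not in ISDN_PORT_TYPES:
        return True   # non-ISDN access keeps normal session control
    clid = normalize_clid(request.get("Calling-Station-Id"))
    if not clid:
        return True   # withheld or missing CLID counts as an unknown caller
    # The CLID must be registered to *this* user, so shared credentials used
    # from another line still hit the limit.
    return clid not in registered.get(request.get("User-Name"), set())


def authorize(request, active_sessions, max_sessions=1,
              registered=REGISTERED_CLIDS):
    """Decide the reply for an Access-Request given the user's open sessions."""
    if enforce_session_limit(request, registered) and active_sessions >= max_sessions:
        return "Access-Reject"
    return "Access-Accept"
```
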