[cisco-nas] include extra attribute in the auth request

Tassos Chatzithomaoglou achatz at forthnet.gr
Thu Apr 6 12:20:56 EDT 2006



Oliver Boehmer (oboehmer) wrote on 6/4/2006 16:45:

> Tassos Chatzithomaoglou <mailto:achatz at forthnet.gr> wrote on Thursday,
> April 06, 2006 3:39 PM:
> 
> 
>>Oliver Boehmer (oboehmer) wrote on 6/4/2006 16:30:
>>
>>
>>>Tassos Chatzithomaoglou <mailto:achatz at forthnet.gr> wrote on
>>>Thursday, April 06, 2006 3:24 PM: 
>>>
>>>
>>>
>>>>>Not sure there is an easy solution on the routers, but maybe you
>>>>>can make your session control on the Radius a bit more intelligent?
>>>>>
>>>>
>>>>Any idea about that?
>>>>
>>>>I can make a lot of customizations on the radius server, but I
>>>>couldn't think of any that would help in our case.
>>>
>>>
>>>well, a crude one would be not enforcing any session control/resource
>>>management for these ISDN calls ;-)
>>
>>That is too crude for our logistics :p, because it would allow many
>>simultaneous logins for each ISDN call....
> 
> 
> I was afraid you were going to say this :-)
> 
> But honestly: Even if we had some magic attribute we could pass within
> the chap/pap challenge to the NAS/BRAS in order to send it along in the
> access-request, this magic thingy could be passed on to buddies just
> like the username/password to abuse your service.
> 

That is why I was hoping for something unique, created randomly by the client 
router each time it boots...ex. based on its serial number.

> But maybe a less crude (but more complex) policy would be not to enforce
> session control for ISDN calls coming from known CLIDs, which would
> obviously require your customers to register their ISDN number with
> you...
> 

We have thought of that also, but we met 2 problems:

1) many customers have disabled CLID on their ISDN line
2) our telco doesn't provide CLID/DNIS information for E1s in all geographical 
areas, especially the ones using Siemens equipment due to some "incompatibility" 
on its software.

Tassos

> 	oli
> 
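
The CLID-based exemption discussed in this message, sketched as server-side policy logic over Access-Request attributes, including the case where Calling-Station-Id is withheld or never delivered by the telco. This is an added example, not code from the thread or from any RADIUS server; the class and function names, the limit of one session, and the sample users and numbers are assumptions.

```python
from dataclasses import dataclass, field

# NAS-Port-Type (RADIUS attribute 61) values that denote ISDN ports.
ISDN_PORT_TYPES = {2, 3, 4}  # ISDN Sync, ISDN Async V.120, ISDN Async V.110


def normalize_clid(raw):
    """Digits only; None when Calling-Station-Id is absent or withheld."""
    digits = "".join(ch for ch in (raw or "") if ch.isdigit())
    return digits or None


@dataclass
class SessionPolicy:
    registered: dict                 # user -> set of registered ISDN numbers
    max_sessions: int = 1            # assumed limit for non-exempt logins
    active: dict = field(default_factory=dict)  # user -> live session count

    def decide(self, req):
        """Return (accept, reason) for a dict of Access-Request attributes."""
        user = req["User-Name"]
        clid = normalize_clid(req.get("Calling-Station-Id"))
        is_isdn = req.get("NAS-Port-Type") in ISDN_PORT_TYPES
        live = self.active.get(user, 0)
        if is_isdn and clid in self.registered.get(user, set()):
            reason = "exempt: registered CLID"      # limit not enforced
        elif live >= self.max_sessions:
            return False, "reject: session limit"   # no registered CLID to exempt it
        else:
            reason = "accept: within limit"
        self.active[user] = live + 1
        return True, reason


def demo():
    # Constructed sample data: user names and numbers are made up.
    policy = SessionPolicy(registered={"cust1": {"302101234567"}})
    requests = [
        {"User-Name": "cust1", "NAS-Port-Type": 2, "Calling-Station-Id": "+30 210 1234567"},
        {"User-Name": "cust1", "NAS-Port-Type": 2, "Calling-Station-Id": "302101234567"},
        {"User-Name": "cust1", "NAS-Port-Type": 2},                      # CLID withheld
        {"User-Name": "cust2", "NAS-Port-Type": 2, "Calling-Station-Id": ""},  # not delivered
        {"User-Name": "cust2", "NAS-Port-Type": 2, "Calling-Station-Id": ""},
    ]
    return [policy.decide(r) for r in requests]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Calls without a usable CLID fall back to the normal limit, and sessions from the registered line still count toward it, so a login from another line with the same credentials is rejected while the customer is online.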

