[cisco-nas] include extra attribute in the auth request
Tassos Chatzithomaoglou
achatz at forthnet.gr
Thu Apr 6 12:20:56 EDT 2006
Oliver Boehmer (oboehmer) wrote on 6/4/2006 16:45:
> Tassos Chatzithomaoglou <mailto:achatz at forthnet.gr> wrote on Thursday,
> April 06, 2006 3:39 PM:
>
>
>>Oliver Boehmer (oboehmer) wrote on 6/4/2006 16:30:
>>
>>
>>>Tassos Chatzithomaoglou <mailto:achatz at forthnet.gr> wrote on
>>>Thursday, April 06, 2006 3:24 PM:
>>>
>>>
>>>
>>>>>Not sure there is an easy solution on the routers, but maybe you
>>>>>can make your session control on the Radius a bit more intelligent?
>>>>>
>>>>
>>>>Any idea about that?
>>>>
>>>>I can make a lot of customizations on the radius server, but i
>>>>couldn't think of any that would help in our case.
>>>
>>>
>>>well, a crude one would be not enforcing any session control/resource
>>>management for these ISDN calls ;-)
>>
>>That is too crude for our logistics :p, because it would allow many
>>simultaneus logins for each isdn call....
>
>
> I was afraid you were going to say this :-)
>
> But honestly: Even if we had some magic attribute we could pass within
> the chap/pap challenge to the NAS/BRAS in order to send it along in the
> access-request, this magic thingy could be passed on to buddies just
> like the username/password to abuse your service.
>
That is why i was hoping for something unique, created randomly by the client
router each time it boots...ex. based on its serial number.
> But maybe a less crude (but more complex) policy would be not to enforce
> session control for ISDN calls coming from known CLIDs, which would
> obviously require for your customers to register their ISDN number with
> you...
>
We have though of that also, but we met 2 problems:
1) many customers have disabled CLID on their isdn line
2) our telco doesn't provide CLID/DNIS information for E1s in all geographical
areas, especially the ones using Siemens equipment due to some "incompatibility"
on its software.
Tassos
> oli
>
More information about the cisco-nas
mailing list