[cisco-nas] include extra attribute in the auth request

Tassos Chatzithomaoglou achatz at forthnet.gr
Thu Apr 6 12:28:02 EDT 2006



Tassos Chatzithomaoglou wrote on 6/4/2006 19:20:

> 
> 
> Oliver Boehmer (oboehmer) wrote on 6/4/2006 16:45:
> 
>> Tassos Chatzithomaoglou <mailto:achatz at forthnet.gr> wrote on Thursday,
>> April 06, 2006 3:39 PM:
>>
>>
>>> Oliver Boehmer (oboehmer) wrote on 6/4/2006 16:30:
>>>
>>>
>>>> Tassos Chatzithomaoglou <mailto:achatz at forthnet.gr> wrote on
>>>> Thursday, April 06, 2006 3:24 PM:
>>>>
>>>>
>>>>>> Not sure there is an easy solution on the routers, but maybe you
>>>>>> can make your session control on the Radius a bit more intelligent?
>>>>>>
>>>>>
>>>>> Any idea about that?
>>>>>
>>>>> I can make a lot of customizations on the radius server, but I
>>>>> couldn't think of any that would help in our case.
>>>>
>>>>
>>>>
>>>> well, a crude one would be not enforcing any session control/resource
>>>> management for these ISDN calls ;-)
>>>
>>>
>>> That is too crude for our logistics :p, because it would allow many
>>> simultaneous logins for each ISDN call....
>>
>>
>>
>> I was afraid you were going to say this :-)
>>
>> But honestly: Even if we had some magic attribute we could pass within
>> the chap/pap challenge to the NAS/BRAS in order to send it along in the
>> access-request, this magic thingy could be passed on to buddies just
>> like the username/password to abuse your service.
>>
> 
> That is why I was hoping for something unique, created randomly by the 
> client router each time it boots...ex. based on its serial number.
> 

For example on some MS machines I get the following IDENTIFY on my NAS:

Apr  6 19:19:20.948: As67 LCP: State is Open
Apr  6 19:19:20.948: As67 PPP: Phase is FORWARDING, Attempting Forward
Apr  6 19:19:20.952: As67 PPP: Phase is ESTABLISHING, Finish LCP
Apr  6 19:19:20.952: As67 PPP: Phase is UP
Apr  6 19:19:20.952: As67 IPCP: O CONFREQ [Closed] id 1 len 10
Apr  6 19:19:20.952: As67 IPCP:    Address 194.219.252.131 (0x0306C2DBFC83)
Apr  6 19:19:20.952: As67 PPP: Process pending packets
Apr  6 19:19:21.252: As67 LCP: I IDENTIFY [Open] id 2 len 18 magic 0x33916C90 
MSRASV5.10
Apr  6 19:19:21.284: As67 LCP: I IDENTIFY [Open] id 3 len 30 magic 0x33916C90 
MSRAS-1-I-R-GENDWER-64

Maybe the "Identification" code from "PPP LCP extensions" could be used for 
transferring it?

>> But maybe a less crude (but more complex) policy would be not to enforce
>> session control for ISDN calls coming from known CLIDs, which would
>> obviously require for your customers to register their ISDN number with
>> you...
>>
> 
> We have thought of that also, but we met 2 problems:
> 
> 1) many customers have disabled CLID on their ISDN line
> 2) our telco doesn't provide CLID/DNIS information for E1s in all 
> geographical areas, especially the ones using Siemens equipment due to 
> some "incompatibility" on its software.
> 
> Tassos
> 
>>     oli
>>
> 

-- 
***************************************
         Tassos Chatzithomaoglou
Network Design & Development Department
              FORTHnet S.A.
          <achatz at forthnet.gr>
***************************************
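As an added example (not part of the original thread), here is a small Python parser for the LCP Identification packet (RFC 1570, code 12) that the IDENTIFY debug lines above show. The field layout follows RFC 1570 and the two sample payloads are the ones from the log; the byte packets themselves are constructed here. It also makes the point raised in the thread visible: the Message field is free text with no authentication, so on its own it cannot prove which router sent it.

```python
import struct

LCP_CODE_IDENTIFICATION = 12  # RFC 1570 "Identification" packet code


def build_identification(identifier: int, magic: int, message: str) -> bytes:
    """Build an LCP Identification packet: Code, Identifier, Length, Magic-Number, Message."""
    body = struct.pack("!I", magic) + message.encode("ascii")
    length = 4 + len(body)  # Length covers the whole packet, header included
    return struct.pack("!BBH", LCP_CODE_IDENTIFICATION, identifier, length) + body


def parse_identification(pkt: bytes) -> dict:
    """Parse and validate an LCP Identification packet; raise ValueError when malformed."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than fixed header plus Magic-Number")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != LCP_CODE_IDENTIFICATION:
        raise ValueError(f"not an Identification packet (code {code})")
    if length < 8 or length > len(pkt):
        raise ValueError(f"bad Length field {length} for a {len(pkt)}-byte packet")
    (magic,) = struct.unpack("!I", pkt[4:8])
    # The Message is arbitrary, unauthenticated text chosen by the peer.
    # Treat it as untrusted input, never as evidence of the peer's identity.
    message = pkt[8:length].decode("ascii", errors="replace")
    return {"id": identifier, "len": length, "magic": magic, "message": message}


def format_like_ios(parsed: dict) -> str:
    """Render a parsed packet in the style of the IOS 'debug ppp negotiation' lines above."""
    return (f"I IDENTIFY [Open] id {parsed['id']} len {parsed['len']} "
            f"magic 0x{parsed['magic']:08X} {parsed['message']}")


# Constructed samples: the two IDENTIFY packets seen in the debug output.
SAMPLES = [
    build_identification(2, 0x33916C90, "MSRASV5.10"),
    build_identification(3, 0x33916C90, "MSRAS-1-I-R-GENDWER-64"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(format_like_ios(parse_identification(pkt)))
```

The lengths the parser recovers (18 and 30) match the "len" values in the debug output, which confirms the layout of 4 header bytes, 4 bytes of Magic-Number and the remaining bytes of Message.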

