[cisco-nas] Cisco 7206VXR for BBA

Paul Stewart pstewart at nexicomgroup.net
Tue Sep 12 11:44:19 EDT 2006


Thanks.. Yes, I understand that... I just wish there was a way to break
apart the realms on the NAS level before it hits Radius itself...

In other words,

Realm A - Radius Server 10.10.10.1 - IP Pool 10.254.254.1-10.254.254.254
Realm B - Radius Server 192.168.0.1 - IP Pool 192.168.10.1-192.168.10.254

But do this right on the Cisco ;)

Paul
 

-----Original Message-----
From: Tihomir Dragas [mailto:tiho.dragas at telekomcg.com] 
Sent: Tuesday, September 12, 2006 11:34 AM
To: Paul Stewart; cisco-nas at puck.nether.net
Subject: Re: [cisco-nas] Cisco 7206VXR for BBA

Paul,

If you are doing authentication and authorization on your radius for one
of your users based on realm, then you have to do it for all others.

Tiho

----- Original Message -----
From: "Paul Stewart" <pstewart at nexicomgroup.net>
To: "Tihomir Dragas" <tiho.dragas at telekomcg.com>;
<cisco-nas at puck.nether.net>
Sent: Tuesday, September 12, 2006 5:26 PM
Subject: RE: [cisco-nas] Cisco 7206VXR for BBA


Hi there.. Thanks for the response.

We need to be the LAC and LNS in this setup.... I wish there was a way
right on the 7206 to break things out purely based on the user@realm
portion and skip radius altogether (except for auth/acct) like you can
on the Redbacks...;)

Paul



-----Original Message-----
From: Tihomir Dragas [mailto:tiho.dragas at telekomcg.com]
Sent: Tuesday, September 12, 2006 11:23 AM
To: Paul Stewart; cisco-nas at puck.nether.net
Subject: Re: [cisco-nas] Cisco 7206VXR for BBA

Hi Paul,

Did you consider the L2TP model, in which you control the LAC and your
customer controls the LNS? In that approach your customer is responsible
for the IP address pool, and for authorization of the customers. Similar
to the picture:

user@realm -------PPPoE-----LAC----------L2TP--------LNS
                             |                        |
                             |                        |
                             |                        |
                    SP Wholesale Radius      ISP Customer Radius

L2TP is opening based on "realm".

Tiho

----- Original Message -----
From: "Paul Stewart" <pstewart at nexicomgroup.net>
To: <cisco-nas at puck.nether.net>
Sent: Tuesday, September 12, 2006 5:01 PM
Subject: [cisco-nas] Cisco 7206VXR for BBA


> Hi there..
>
> We have a Cisco 7206VXR that is currently doing broadband aggregation 
> for our ADSL services.... It uses our Cistron radius servers for 
> authentication and accounting with no problem.....
>
> Now, we have a need to bring on a proxy-radius setup because we have a
> customer who wants to wholesale DSL services from us and they run their
> own radius servers.  Proxy radius seems to be the best way to offer this
> (long threads on cisco-nsp about that topic) so have some questions....
>
> It seems that we need to use [ cisco-avpair = "ip:addr-pool=POOL-A" ] on
> the radius side to instruct the router to use a specific pool such as
> [ ip local pool POOL-A <start-ip> <end-ip> ]
>
> Because this is proxy radius, how do we send this attribute back to the
> router based on the realm name??  I realize this is probably a
> discussion for the Cistron list but wanted to start here first...
> The user is going to connect, get an ack or nack from the remote radius
> server - but then how do we tell it to specifically send back a
> cisco-avpair based on the realm name??
>
> Basically, stepping back a bit... We have three user@realm coming in
> across the same physical connection.  Our requirement is to take one of
> these realms and have it use its own radius servers and ip pools.
>
> Thanks for any input...
>
> Paul Stewart
> Network Administrator
> Nexicom Inc.
> http://www.nexicom.net/
>
>
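
Added example, not part of the original thread and not Cistron's own code: a Python illustration of the per-realm decision a proxy RADIUS server makes in the setup asked about above, choosing the home server from the realm and attaching the cisco-avpair pool attribute to the relayed Access-Accept. The realm names, POOL-B and all function names are assumptions; the server addresses and POOL-A follow the thread. Dropping any pool attribute returned by the customer's server is an assumed policy, so that the wholesale customer cannot select an arbitrary pool on the NAS.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # vendor type carrying cisco-avpair strings
POOL_KEY = b"ip:addr-pool="

# Constructed realm table: realm names and POOL-B are assumptions,
# the server addresses and POOL-A follow the thread.
REALMS = {
    "realm-a.example": {"server": "10.10.10.1", "pool": "POOL-A"},
    "realm-b.example": {"server": "192.168.0.1", "pool": "POOL-B"},
}

def lookup(user_name):
    """Return the realm entry for 'user@realm', or None if no known realm."""
    user, sep, realm = user_name.rpartition("@")
    if not (user and sep and realm):
        return None
    return REALMS.get(realm.lower())

def route(user_name):
    """Home RADIUS server to proxy to; None means authenticate locally."""
    entry = lookup(user_name)
    return entry["server"] if entry else None

def cisco_avpair(value):
    """Encode one cisco-avpair string as a Vendor-Specific attribute."""
    data = value.encode("ascii")
    if len(data) > 247:  # 255 minus 6-byte VSA header and 2-byte vendor header
        raise ValueError("value too long for a single attribute")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, CISCO_VENDOR_ID) + sub

def is_pool_avpair(attr):
    """True for a Cisco VSA whose cisco-avpair sets ip:addr-pool."""
    return (attr[:1] == bytes([VENDOR_SPECIFIC])
            and attr[2:6] == struct.pack("!I", CISCO_VENDOR_ID)
            and attr[6:7] == bytes([CISCO_AVPAIR])
            and attr[8:].startswith(POOL_KEY))

def decorate_accept(user_name, home_attrs):
    """Attributes to relay to the NAS: home server's reply plus our pool."""
    entry = lookup(user_name)
    if entry is None:
        return list(home_attrs)
    # Assumed policy: the proxy, not the home server, decides the pool.
    kept = [a for a in home_attrs if not is_pool_avpair(a)]
    return kept + [cisco_avpair("ip:addr-pool=" + entry["pool"])]
```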






