[c-nsp] xDSL LLU Provider - L2TP from BRAS to LNS & FreeRADIUS

James Bensley jwbensley at gmail.com
Wed Sep 16 03:53:22 EDT 2015


On 16 September 2015 at 01:34, Neil Morris <nmorris at tibus.com> wrote:
> Hi Folks,
>
> Looking for some advice where possible.  Been going round in circles somewhat
> with the provider.  When returning the initial RADIUS auth, tunnel ID &
> tunnel IP attribs to the provider, the next step is for the tunnel to be
> landed on my LNS for further user auth & reply with various attributes etc.?
>
> Issue I am having is that despite returning the requested attribs to the
> provider, I am not getting a tunnel on the LNS and hence no further auth
> requests to my additional RADIUS servers for allocation of static IP & VRF
> details.

Hi Neil,

We crossed paths over on the FreeRADIUS list. This configuration
really isn't very complex, and as per the post you linked that I made
last year, that is all that is required. You can use one RADIUS server
(the wholesale provider has no idea if you have 1 RADIUS server
performing both functions or 2 RADIUS servers each providing separate
functions, they will only ever query one IP to get the tunnel
end-point IPs, build the tunnel and leave the rest up to you).

So as per the post I made and from your posts on the FreeRADIUS list,
when using file based RADIUS you can simply put two entries in your
users.conf file and that will work, one for the user and one for the
domain/realm (if you can test it in your lab, see here:
http://null.53bits.co.uk/index.php?page=lac-wholesale-pppoa-e-l2tp-tunnelling-with-freeradius-2).

You haven't diagnosed exactly what is wrong here. You are saying your
L2TP tunnel isn't coming up, have you run a packet capture on your LNS
port to see if the provider is attempting to establish one?

Have you run any L2TP debugs on your LNS?

Have you asked the provider exactly what the problem is, are they
trying to build a tunnel to you but it fails?

Are they not even trying to build a tunnel because the info your
RADIUS returned to them is not correct on their systems, if so what
exactly is wrong with it?

Are they expecting the standard attributes or some
extra/customer/bespoke values? Have they confirmed the exact response
they expect from your RADIUS to theirs?

Do they not understand the attributes, the values, or the syntax you
are returning, does it cause an error on their LAC or BRAS nodes, if
so what is the error?


The answer is there somewhere, but first you need to pinpoint the
problem; "LNS tunnels not working" isn't a "problem".

Cheers,
James.
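
Added example, not part of the original post or of FreeRADIUS: one way to check whether a captured Access-Accept carries the standard tunnel attributes a LAC needs before it will attempt an L2TP tunnel. The attribute numbers and values are the RFC 2868 ones (an assumption, the post names none), and the packets and the 192.0.2.10 endpoint are constructed samples.

```python
import struct
# RFC 2868 attribute numbers (standard values; the post itself lists none).
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 67: "Tunnel-Server-Endpoint"}

def parse_tunnel_attrs(packet: bytes) -> dict:
    """Return {attr_type: [(tag, value), ...]} from a raw RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2:
        raise ValueError(f"not an Access-Accept (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, body = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            if len(body) != 4:
                raise ValueError(f"{NAMES[atype]} must be tag + 3-octet value")
            found.setdefault(atype, []).append((body[0], int.from_bytes(body[1:], "big")))
        elif atype == TUNNEL_SERVER_ENDPOINT:
            # The tag is optional on string attributes: a first octet above 0x1F is data.
            tag, text = (body[0], body[1:]) if body and body[0] <= 0x1F else (0, body)
            found.setdefault(atype, []).append((tag, text.decode("ascii", "replace")))
    return found

def l2tp_problems(packet: bytes) -> list:
    """List reasons a LAC might be unable to build an L2TP tunnel from this reply."""
    attrs = parse_tunnel_attrs(packet)
    problems = [f"missing {NAMES[a]}" for a in NAMES if a not in attrs]
    if any(v != 3 for _, v in attrs.get(TUNNEL_TYPE, [])):
        problems.append("Tunnel-Type is not L2TP (3)")
    if any(v != 1 for _, v in attrs.get(TUNNEL_MEDIUM, [])):
        problems.append("Tunnel-Medium-Type is not IPv4 (1)")
    if len({frozenset(t for t, _ in vals) for vals in attrs.values()}) > 1:
        problems.append("tags differ between tunnel attributes")
    return problems

def attr(atype: int, body: bytes) -> bytes:
    return bytes([atype, len(body) + 2]) + body
def build_accept(attrs: bytes) -> bytes:  # constructed packet, zeroed authenticator
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs
# Constructed samples: a complete L2TP reply, and one a LAC could not act on.
GOOD = build_accept(attr(64, b"\x01\x00\x00\x03") + attr(65, b"\x01\x00\x00\x01")
                    + attr(67, b"\x01192.0.2.10"))
BAD = build_accept(attr(64, b"\x00\x00\x00\x01") + attr(65, b"\x00\x00\x00\x01"))
```

Feed it the UDP payload of the Access-Accept taken from a packet capture; it does not verify the Response Authenticator.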

