ComOS 4.2 adds the new Layer 2 Tunneling Protocol (L2TP) set l2tp id-for-host command and the new L2TP Bearer Type attribute, and supports RADIUS enhancements for authorization, authentication, and accounting of L2TP users.
New L2TP Command
You can set an L2TP access concentrator (LAC) to use the RADIUS Tunnel-Assignment-ID value instead of its IP address or hostname during L2TP tunnel negotiations with its peer--the L2TP network server (LNS). This attribute allows for more precise tracking of tunnel usage for accounting.
To specify whether a LAC uses the RADIUS Tunnel-Assignment-ID value or its IP address or hostname during L2TP tunnel negotiations, use the following command:
Command> set l2tp id-for-host on | off
Setting id-for-host to on sets a LAC host to identify itself by its RADIUS Tunnel-Assignment-ID value. Setting id-for-host to off sets a LAC host to use its hostname or IP address during tunnel negotiations. This is the default.
New L2TP Bearer Type Attribute
The Bearer Type L2TP attribute identifies the type of calling device used in an L2TP connection as analog or digital. The LAC sends this information to its L2TP peer (the LNS). The LNS then passes the information to the RADIUS accounting server in the NAS-Port-Type attribute.
New RADIUS Tunnel Attributes for L2TP
The RADIUS Attributes for Tunnel Protocol Support Internet-draft defines a set of RADIUS attributes to implement compulsory tunneling. To provide this functionality, ComOS 4.2 supports the following new RADIUS tunnel attributes for L2TP with Lucent RADIUS 2.1 or a RADIUS server with equivalent functionality:
Tunnel-Client-Endpoint--this attribute contains the address of the initiating end of the L2TP tunnel (the LAC). This attribute can be used to provide a globally unique way to identify a tunnel for accounting and auditing uses.
Tunnel-Password--this attribute supports an encrypted password between a RADIUS server and a LAC.
Tunnel-Assignment-ID--this attribute enables RADIUS to inform the tunnel initiator (the LAC) about how to assign the session--to a multiplexed tunnel or to a separate tunnel.
Tunnel-Preference--this attribute indicates the relative preference assigned to each tunnel if more than one set of tunneling attributes is returned by the RADIUS server. For example, if two different tunnel end points are included in the RADIUS attributes, the tunnel end point with the lowest value specified in the value field is given preference.
If these attributes are not already in your RADIUS dictionary, add them as follows:
ATTRIBUTE
Tunnel-Client-Endpoint
66
string
ATTRIBUTE
Tunnel-Password
69
string
ATTRIBUTE
Tunnel-Assignment-ID
82
string
ATTRIBUTE
Tunnel-Preference
83
integer
RADIUS Tunnel Attribute Tags
In versions of RADIUS that support this feature, you can now tag all RADIUS tunnel attributes so that ComOS can manage redundant tunnels more easily. The tag field can assign the same ID to each attribute for a particular tunnel server end point to group the attributes and identify the tunnel more clearly.
Note ¯
Lucent RADIUS 2.1 does not currently support the tagging feature.
Lucent RADIUS 2.1 does not currently support the tagging feature.