On Wed, 16 Feb 2000, Kalev Nurklik wrote:
Hi.
Can anybody help me with this? To clarify:

1. When I define the tunnel user on HARC the "system transmit authentication name" will be used as the L2TP tunnel authentication secret.

No system transmit name is used to authenticate with a salt generated by the ARC. As a LAC the HiPer ARC has to tell the LNS its identification; this identification is what the system transmit name is used for. It's used in both cases, with or without RADIUS.

2. When I configure an L2TP tunnel user on a RADIUS server then the "system transmit authentication name" won't be used. The HARC gets all the attributes but won't use the secret, as opposed to what is written in the "HiPer ARC product reference", subsection "Configuring an L2TP Tunnel on a RADIUS Server". Any ideas what I'm doing wrong?
Regards,
------- Forwarded message follows -------
From: "Kalev Nurklik" <kalev@mail.lbi.ee>
Organization: Delfi Online
To: usr-tc@lists.xmission.com
Date sent: Wed, 9 Feb 2000 16:10:57 +0200
Subject: (usr-tc) l2tp tunnel authentication secret
Send reply to: usr-tc@lists.xmission.com
Hi.
What's the RADIUS attribute for the L2TP tunnel authentication secret? Tunnel-Hostname (from the HARC product reference) or Tunnel-Auth-Hostname in the USR dictionary does not seem to work. Neither does Tunnel-Password or other similar attributes. I have tried different attributes but with no success whatsoever. All the time I get "Could not get password from radius" from the l2tp debug output. Maybe I got the wrong attribute numbers, but I doubt that because I checked all of them with "mon radius". On the other hand, "mon radius" is not very reliable, as I found out: inconsistencies with the USR dictionary names (similar but not exact) and not reporting the right values for at least one attribute, Tunnel-Security.
When I define a local HARC user with "set tunnel user ... password etc." then the L2TP tunnel secret is equivalent to the "system transmit authentication name" and authentication works. For the RADIUS equivalent the HARC product reference just states dryly: "You can also set this from RADIUS by using a VSA" (page 180). So what's the VSA?
Or am I missing something else?
One thing that I noticed is that when I use a RADIUS-defined tunnel account then there is no Challenge AVP present in the SCCRQ from the LAC (HARC), and if I turn off tunnel authentication on the LNS then L2TP tunneling works. I guess I need to turn off authentication on the LNS because the HARC has no clue about what the secret might be and just drops the connection attempt with the l2tp debug message "Unauthenticated message from remotehost" when the LNS presents the Challenge AVP in the SCCRP. With a local HARC user there's always a Challenge AVP in the SCCRQ from the LAC and, as I stated before, authentication works... This (I guess again) is probably due to the HARC knowing what the tunnel secret is for that user, e.g. the "system transmit authentication name".
So obviously there's something missing or wrong with the RADIUS-defined user. Anyone have any ideas what that something might be?
Regards,
__________________________________
Kalev Nurklik
Delfi Online
Pärnu mnt. 158, 11317 Tallinn, Estonia
Tel: +372 6501709
Fax: +372 6501708
E-mail: k.nurklik@online.ee
http://online.delfi.ee
- To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.
------- End of forwarded message -------
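The behaviour described in the thread (no Challenge AVP in the SCCRQ, then "Unauthenticated message from remotehost" once the LNS challenges back) is what RFC 2661 tunnel authentication looks like when one side has no tunnel secret. The following is an added example, not code from the thread, the HiPer ARC or any USR product: it models the RFC 2661 section 5.1 exchange in Python, with the Challenge Response AVP computed CHAP-style as MD5 over the one-octet Message Type of the message carrying the response (2 for SCCRP, 3 for SCCCN), the shared secret and the received challenge. The secrets and the `establish_tunnel` simulation are constructed for illustration; it does not model which RADIUS attribute the ARC reads the secret from, which is the open question in the thread.

```python
import hashlib
import hmac
import os

# RFC 2661 control message Message Type values. The CHAP-style response uses
# the Message Type of the message that carries the Challenge Response AVP.
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(ID || secret || challenge), where ID is
    the single-octet Message Type (SCCRP=2 when the LNS answers the LAC's
    challenge, SCCCN=3 when the LAC answers the LNS's). 16-octet digest."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_response(msg_type: int, secret: bytes, challenge: bytes,
                    response: bytes) -> bool:
    """Constant-time comparison of a received response against the expected one."""
    if response is None:
        return False
    return hmac.compare_digest(challenge_response(msg_type, secret, challenge), response)


def establish_tunnel(lac_secret, lns_secret: bytes, rng=os.urandom):
    """Simulate SCCRQ -> SCCRP -> SCCCN with tunnel authentication enabled on
    the LNS. lac_secret=None models a LAC that could not obtain a tunnel
    secret (the thread's "Could not get password from radius" case): it sends
    no Challenge AVP and cannot answer the LNS's challenge.
    Returns (established, reason)."""
    # LAC -> LNS: SCCRQ. Only a LAC that holds a secret offers a Challenge AVP.
    lac_challenge = rng(16) if lac_secret is not None else None

    # LNS -> LAS: SCCRP. The LNS always challenges; if the SCCRQ carried a
    # challenge it must also include a Challenge Response AVP (ID = SCCRP).
    lns_challenge = rng(16)
    lns_response = None
    if lac_challenge is not None:
        lns_response = challenge_response(SCCRP, lns_secret, lac_challenge)

    # LAC checks the LNS's answer to its own challenge, if it issued one.
    if lac_challenge is not None and not verify_response(
            SCCRP, lac_secret, lac_challenge, lns_response):
        return False, "LAC: LNS failed tunnel authentication"

    # LAC -> LNS: SCCCN must carry a response (ID = SCCCN) to the LNS challenge.
    if lac_secret is None:
        # Without a secret the LAC cannot build the response; the LNS will
        # drop the connection as unauthenticated.
        return False, "LNS: unauthenticated SCCCN (LAC has no tunnel secret)"
    lac_response = challenge_response(SCCCN, lac_secret, lns_challenge)
    if not verify_response(SCCCN, lns_secret, lns_challenge, lac_response):
        return False, "LNS: LAC failed tunnel authentication"
    return True, "tunnel established"


if __name__ == "__main__":
    # Constructed secrets; any bytes will do for the simulation.
    secret = b"example-tunnel-secret"
    print("locally defined user (both sides hold the secret):",
          establish_tunnel(secret, secret))
    print("LAC without a secret (RADIUS lookup failed):",
          establish_tunnel(None, secret))
    print("LAC holding a different secret:",
          establish_tunnel(b"some-other-value", secret))
```

Running the module prints one line per case; the second case reproduces the thread's symptom that the tunnel only comes up once tunnel authentication is disabled on the LNS, because the LAC never sends a Challenge AVP and cannot answer the one it receives.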