Authentication via RADIUS

RADIUS authentication for L2TP is possible in two cases:

For this reason, the RADIUS server configuration for L2TP tunnel authentication and the RADIUS configuration for the PPP user data are carried out independently of one another.

In the case of tunnel authentication by RADIUS, the settings in LANconfig are configured under Communication > RADIUS in the section Tunnel authentication via RADIUS for L2TP.

RADIUS server
Enables or disables the RADIUS server for the authentication of the tunnel endpoint, regardless of a PPP-session authentication. The following options are possible:
  • Deactivated: The RADIUS server is not enabled for the authentication of tunnel endpoints.
  • Activated: The RADIUS server handles the authentication of tunnel endpoints.
  • Exclusive: Enables the use of the external RADIUS server as the only possibility for authenticating PPP remote sites. The PPP list is ignored.
Protocols
Protocol for communication between the internal RADIUS server and the tunnel endpoint.
Address
IP address or DNS name of the RADIUS server.
Port
The port the RADIUS server
Source address
Optional sender address of the device. If you have configured loopback addresses, these can also be specified here. The following input formats are allowed:
  • Name of the IP network (ARF network) whose address is to be used instead
  • "INT" for the address of the first intranet
  • "DMZ" for the address of the first DMZ
  • LB0 to LBF for the 16 loopback addresses
  • Any valid IP address
Attribute values
LCOS allows the configuration of the RADIUS attributes used to communicate with a RADIUS server (for authentication and accounting). The attributes are specified by means of a semicolon-separated list of attribute numbers or names and a corresponding value in the form <Attribute_1>=<Value_1>;<Attribute_2>=<Value_2>. As the number of characters is limited, the name can be abbreviated. The abbreviation must be unique, however. Examples:
  • NAS-Port=1234 is not allowed, because the attribute is not unique (NAS-Port, NAS-Port-Id or NAS-Port-Type).
  • NAS-Id=ABCD is allowed, because the attribute is unique (NAS-Identifier).
Attribute values can be given as names or as RFC-compliant numbers. For the device, the specifications Service-Type=Framed and Service-Type=2 are identical. Specifying a value in quotation marks ("<Value>") allows you to specify special characters such as spaces, semicolons or equals signs. The quotation mark requires a leading backslash (\"), as does the backslash itself (\\). The following variables are permitted as values:
%n
Device name
%e
Serial number of the device
%%
Percent sign
%{name}
Original name of the attribute as transferred by the RADIUS application. This allows attributes to be set with the original RADIUS attributes, for example: Called-Station-Id=%{NAS-Identifier} sets the attribute Called-Station-Id to the value with the attribute NAS-Identifier.
Secret
Shared secret between the RADIUS server and the device
Password
Dummy password for tunnel authentication
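As an added example (not LCOS code or documentation), the following Python parser implements the attribute-value format described above: semicolon-separated name=value entries, attribute numbers or unique name prefixes, quoted values with \" and \\ escapes, the %n, %e, %% and %{name} variables, and symbolic values such as Service-Type=Framed mapped to their RFC numbers. The attribute dictionary, the device data and the original request values are constructed samples, not values from the page.

```python
import re
# Constructed subset of the RADIUS dictionary (RFC 2865/2868 numbers); the device knows the full list.
ATTRIBUTES = {"User-Name": 1, "NAS-Port": 5, "Service-Type": 6, "Called-Station-Id": 30,
              "NAS-Identifier": 32, "NAS-Port-Type": 61, "Tunnel-Type": 64,
              "NAS-Port-Id": 87, "Tunnel-Client-Auth-ID": 90}
NAMED_VALUES = {"Service-Type": {"Framed": 2, "Outbound": 5}, "Tunnel-Type": {"L2TP": 3}}
VARIABLE = re.compile(r"%n|%e|%%|%\{([^}]+)\}")
DEVICE = {"name": "lcos-gw", "serial": "4001234567"}              # constructed sample device
REQUEST = {"NAS-Identifier": "lcos-gw", "User-Name": "branch-1"}  # constructed original request

def resolve_attribute(token):
    """Canonical name for a number, full name or unique name prefix; None if not unique."""
    if token.isdigit():
        names = [n for n, num in ATTRIBUTES.items() if num == int(token)]
    else:  # "NAS-Port" is a prefix of NAS-Port, NAS-Port-Id and NAS-Port-Type, so it is rejected
        names = [n for n in ATTRIBUTES if n.lower().startswith(token.lower())]
    return names[0] if len(names) == 1 else None

def split_entries(spec):
    """Split on ';' outside quotes; inside quotes \\" and \\\\ yield the literal character."""
    entries, cur, quoted, i = [], [], False, 0
    while i < len(spec):
        c = spec[i]
        if quoted and c == "\\" and i + 1 < len(spec):
            cur.append(spec[i + 1]); i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c == ";" and not quoted:
            entries.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if quoted: raise ValueError("unterminated quoted value")
    return [e for e in entries + ["".join(cur)] if e.strip()]

def expand(value, device, request):
    """Substitute %n, %e, %% and %{name} (that attribute's value in the original request)."""
    fixed = {"%n": device["name"], "%e": device["serial"], "%%": "%"}
    return VARIABLE.sub(lambda m: fixed.get(m.group(0), request.get(m.group(1) or "", "")), value)

def parse_attribute_values(spec, device=DEVICE, request=REQUEST):
    """Return {canonical attribute: value}; symbolic values become their RFC numbers."""
    result = {}
    for entry in split_entries(spec):
        name, _, raw = entry.partition("=")
        attr = resolve_attribute(name.strip())
        if attr is None: raise ValueError(f"attribute {name!r} is unknown or not unique")
        value = expand(raw, device, request)
        result[attr] = int(value) if value.isdigit() else NAMED_VALUES.get(attr, {}).get(value, value)
    return result
```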

If an L2TP tunnel request arrives from a remote host (Start Control Connection Request), the device sends a request to the RADIUS server that has been enabled for L2TP. This request contains, among other things, the name of the host, the dummy password, the IP address of the device, and the service type "Outbound User". The RADIUS server authenticates the host and sends a "RADIUS accept" to the device together with the tunnel password to be used, the tunnel type "L2TP" with the tag "0", and the Tunnel-Client-Auth-ID, which must match the host name transmitted earlier by the device. The device checks this data and, if the result is positive, it uses the tunnel password to authenticate the dial-in client and, if applicable, to obfuscate the L2TP tunnel negotiations.

Note: Configuring the RADIUS server to authenticate PPP sessions is conducted as described in the section Other services > RADIUS > Configuration of RADIUS as authenticator or NAS > Dial-in using PPP and RADIUS.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
