RADIUS is used for authentication and accounting of L2TP connections. If no authentication servers are configured then authentication is not performed. If no accounting servers are configured then no accounting is generated. Multiple servers can be configured and they are processed in order. Each can have multiple IP addresses. The IP addresses are tried based on the previous performance (response time, etc). If a server does not respond a number of times as configured then it is blacklisted for a configurable period.
It is possible to configure local configurations which are checked before any RADIUS authentication.
It is possible to configure L2TP so that RADIUS accounting must respond, and if not then the sessions are disconnected.
Table G.1. Access-request
AVP | No. | Usage |
Message-Authenticator | 80 | Message signature as per RFC2869 |
User-Name | 1 | Username from authentication (PAP/CHAP) or proxy authentication received on L2TP |
Called-Station-Id | 30 | Called number as received on L2TP |
Calling-Station-Id | 31 | Calling number as received on L2TP |
Acct-Session-Id | 44 | Unique ID (hex string) for session as used on all following accounting records |
NAS-Identifier | 32 | Configured hostname of FireBrick |
NAS-IP-Address | 4 | NAS IPv4 address if using IPv4 |
NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6 |
NAS-Port | 5 | L2TP session ID |
Service-Type | 6 | Framed |
Framed-Protocol | 7 | PPP |
CHAP-Password | 3 | CHAP ID and response |
CHAP-Challenge | 60 | CHAP challenge (only present if not the same as RADIUS authenticator) |
Framed-MTU | 12 | MTU requested by PPP, if one was requested (even if 1500) |
Connect-Info | 77 | Text Tx speed/Rx speed from L2TP connection if known |
Tunnel-Client-Endpoint | 66 | Indicates the L2TP tunnel configured name attribute, allowing connections via different L2TP incoming configurations to be identified |
Note that the NAS-IP-Address is normally the local end of the L2TP connection for the incoming connection. However, there is a configuration option to pass the remote end of the L2TP as the NAS-IP-Address, as this is often more useful. If the remote IP is used, the NAS-Port is set to the far end L2TP session ID rather than the local end session ID. The NAS-Identifier remains the name of the FB6000. This option is separately available for accounting messages.
Note that the Calling-Station-Id is included even if not present in the L2TP connection, if a cached platform RADIUS request matched the L2TP connection and carried a Calling-Station-Id.
Table G.2. Access-Accept
AVP | No. | Usage |
Reply-Message | 18 | Reply message sent on PPP authentication response |
MS-Primary-DNS-Address | 311/28 | Primary DNS address used in PPP IPCP (Vendor 311 specific) |
MS-Secondary-DNS-Address | 311/29 | Secondary DNS address used in PPP IPCP (Vendor 311 specific) |
Framed-Interface-ID | 96 | Peer IPv6 Interface ID expected in PPP IPV6CP |
Framed-IP-Address | 8 | Peer IPv4 address expected in PPP IPCP (does not support 255.255.255.255 or 255.255.255.254 yet). Maximum localpref used. |
NAS-IP-Address | 4 | Our end IPv4 address to use in IPCP negotiation. Does not add loopback route. This is non standard. |
Framed-Route | 22 | May appear more than once. Text format is IPv4-Address/Bits 0.0.0.0 metric. The target IP is ignored but must be valid IPv4 syntax. The metric is used as localpref in routing. |
Delegated-IPv6-Prefix | 123 | IPv6 prefix to be routed to line. Maximum localpref used. |
Framed-IPv6-Prefix | 97 | IPv6 prefix to be routed to line. Maximum localpref used. |
Framed-IPv6-Route | 99 | May appear more than once. Text format is IPv6-Address/Bits :: metric. The target IP is ignored but must be valid IPv6 syntax. The metric is used as localpref in routing. Alternative format IPv6/Bits IPv4-Address metric defines that prefix is to be protocol 41 IPv4 tunneled to specified target via this link. |
User-Name | 1 | Username may be specified - this replaces the username already present and is then used on accounting start and relay L2TP. |
CHAP-Password | 3 | CHAP-Password may be specified - this replaces the CHAP ID and response that is then sent on to a tunnel. |
Called-Station-Id | 30 | Called number may be specified - this replaces the number already present and is then used on the accounting start and relay L2TP |
Calling-Station-Id | 31 | Calling number may be specified - this replaces the number already present and is then used on the accounting start and relay L2TP |
Chargeable-User-Identity | 89 | This is used as the preferred CQM graph name. |
Class | 25 | Secondary CQM graph name to group sessions allowing group logging or shaping. |
Session-Timeout | 27 | Absolute limit on session, in seconds |
Filter-Id | 11 | See filter ID section |
Framed-MTU | 12 | Set MTU for session |
Connect-Info | 77 | Text tx speed limit to apply to session |
Tunnel-Type | 64 | If specified must be 3 (L2TP), L2TP is assumed |
Tunnel-Medium-Type | 65 | If specified must be 1 (IPv4) or 2 (IPv6), syntax of endpoint is used if this is not specified |
Tunnel-Server-Endpoint | 67 | Text IPv4 or IPv6 address of endpoint (FQDN is not accepted) |
Tunnel-Client-Auth-ID | 90 | Hostname to quote on outgoing tunnel, if omitted then configured FireBrick hostname is used |
Tunnel-Password | 69 | Shared secret to use on outgoing tunnel (encrypted), if omitted then assumed no secret |
Tunnel-Assignment-ID | 82 | Name of outgoing tunnel shaper/graph. Also groups sessions together in a tunnel as per RFC. Only use valid text graph names. |
Tunnel-Preference | 83 | Specifies preference order when multiple tagged endpoints sent |
Note that whilst a RADIUS response is normally relatively small, it can get larger when multiple tunnel endpoints are included. Fragmented responses are handled but there is an internal limit to the size of response that can be processed - as such we recommend keeping the response to a single un-fragmented packet of up to 1500 bytes. You can use tag 0 for common settings such as Tunnel-Client-Auth-ID or Tunnel-Password when using multiple endpoints in order to reduce the size of the response.
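As an added example (this is not FireBrick code and not part of the original appendix), the following Python builds the Access-Request/Access-Accept exchange of Tables G.1 and G.2 with the standard library only: it signs and verifies the Message-Authenticator (RFC 2869), encrypts and decrypts a Tunnel-Password (RFC 2868 section 3.5), and groups the tagged tunnel attributes so that tag 0 values become defaults for every endpoint, as recommended above. The addresses (192.0.2.x), the hostname "fb-edge" and the shared secrets are constructed for the example.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_PASSWORD, TUNNEL_PREFERENCE, TUNNEL_CLIENT_AUTH_ID = 69, 83, 90
TAGGED_INT = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE}
TAGGED = TAGGED_INT | {TUNNEL_SERVER_ENDPOINT, TUNNEL_PASSWORD, TUNNEL_CLIENT_AUTH_ID}

def attr(t, value, tag=None):
    """Type/Length/Value; a tagged attribute carries its tag byte first (RFC 2868)."""
    if tag is not None:
        value = bytes([tag]) + value
    return struct.pack("!BB", t, 2 + len(value)) + value

def tunnel_password_encrypt(secret, req_auth, password, tag):
    """RFC 2868 s3.5: tag | salt (high bit set) | MD5-chained stream over
    (length byte + password), zero padded to a multiple of 16 octets."""
    salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return bytes([tag]) + salt + out

def tunnel_password_decrypt(secret, req_auth, value):
    tag, salt, ct = value[0], value[1:3], value[3:]
    if len(salt) != 2 or not salt[0] & 0x80 or not ct or len(ct) % 16:
        raise ValueError("malformed Tunnel-Password")
    out, prev = b"", req_auth + salt
    for i in range(0, len(ct), 16):
        out += bytes(x ^ y for x, y in zip(ct[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = ct[i:i + 16]
    if out[0] >= len(out):   # length byte points past the data: usually a wrong shared secret
        raise ValueError("Tunnel-Password length check failed")
    return tag, out[1:1 + out[0]]

def build(code, ident, authenticator, attrs, secret, request_auth=None):
    """Assemble a packet and fill in Message-Authenticator (HMAC-MD5, RFC 2869).
    For a response pass request_auth: the HMAC is keyed over it, and the Response
    Authenticator MD5(header | request auth | attrs | secret) is computed last."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    key_auth = authenticator if request_auth is None else request_auth
    body = body[:-16] + hmac.new(secret, hdr + key_auth + body, hashlib.md5).digest()
    if request_auth is not None:
        authenticator = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + authenticator + body

def parse(packet):
    """Header fields plus [(type, value)], rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def verify_message_authenticator(packet, secret, request_auth=None):
    """True only when a Message-Authenticator is present and correct."""
    _, _, auth, attrs = parse(packet)
    pos = 20
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            key_auth = auth if request_auth is None else request_auth
            mac = hmac.new(secret, zeroed[:4] + key_auth + zeroed[20:], hashlib.md5).digest()
            return hmac.compare_digest(mac, v)
        pos += 2 + len(v)
    return False

def verify_response_authenticator(packet, secret, request_auth):
    expect = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expect, packet[4:20])

def tunnel_endpoints(attrs, secret, req_auth):
    """Group tagged tunnel attributes by tag 1..31; tag 0 holds shared defaults."""
    groups = {}
    for t, v in attrs:
        if t not in TAGGED or not v:
            continue
        tag = v[0] if v[0] <= 0x1F else 0          # >0x1F: that byte is data (RFC 2868)
        data = v[1:] if v[0] <= 0x1F else v
        if t == TUNNEL_PASSWORD:
            val = tunnel_password_decrypt(secret, req_auth, v)[1].decode()
        elif t in TAGGED_INT:
            val = int.from_bytes(data, "big")
        else:
            val = data.decode()
        groups.setdefault(tag, {})[t] = val
    common = groups.pop(0, {})
    return {tag: {**common, **g} for tag, g in sorted(groups.items())}

def demo(secret=b"radius-shared-secret"):
    """Constructed exchange: an Access-Accept offering two L2TP endpoints."""
    req_auth = os.urandom(16)
    request = build(ACCESS_REQUEST, 7, req_auth, [
        attr(USER_NAME, b"user@example.net"),
        attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
    ], secret)
    accept = build(ACCESS_ACCEPT, 7, b"", [
        attr(TUNNEL_TYPE, (3).to_bytes(3, "big"), tag=1),          # 3 = L2TP
        attr(TUNNEL_SERVER_ENDPOINT, b"192.0.2.10", tag=1),
        attr(TUNNEL_PREFERENCE, (10).to_bytes(3, "big"), tag=1),
        attr(TUNNEL_SERVER_ENDPOINT, b"192.0.2.11", tag=2),
        attr(TUNNEL_PREFERENCE, (20).to_bytes(3, "big"), tag=2),
        attr(TUNNEL_CLIENT_AUTH_ID, b"fb-edge", tag=0),            # tag 0: shared by both
        attr(TUNNEL_PASSWORD, tunnel_password_encrypt(secret, req_auth, b"tunnelsecret", 0)),
    ], secret, request_auth=req_auth)
    return request, accept, req_auth
```

Two checks matter on the NAS side: a reply without a Message-Authenticator is treated as unsigned and fails verification rather than passing by default, and a Tunnel-Password whose decrypted length byte is impossible (usually the symptom of a wrong shared secret) is refused rather than used as a garbage tunnel secret.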
The RADIUS authentication response can include Delegated-IPv6-Prefix, Framed-IPv6-Prefix, and Framed-IPv6-Route in order to route native IPv6 prefixes to the line. If there are any native IPv6 routes, or the Framed-Interface-ID attribute was specified, then IPV6CP negotiation is started. Framed-IPv6-Route can also be used to add IPv4 tunneled routes to the line. The FE80::/10 link local address negotiated with IPV6CP is not added to the routing for the line.
The client can send a Router Solicitation, to which the FireBrick will reply advising to use DHCPv6 for addressing. Once a Router Solicitation has been sent, periodic Router Advertisements will then be sent on the connection by the FireBrick.
The client can use DHCPv6 to request an IA_NA (/128 link address), IA_TA (/128 temporary link address), IA_PD (prefix delegation) and DNS servers. Prefixes are delegated based on the order in the DHCPv6 request and the order of Delegated-IPv6-Prefix, Framed-IPv6-Prefix, and then Framed-IPv6-Route, with multiple such entries in the order that they appeared in the RADIUS response. Such prefixes are not split up if a smaller prefix is requested; instead the first part of the prefix is delegated.
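Added example (not FireBrick code): decoding the route-carrying attributes of Table G.2 into the routes installed towards the line, and the DHCPv6 prefix delegation order described above. The sample attribute list is constructed; treating "maximum localpref" as the 32-bit maximum is an assumption, as is rejecting the two RFC 2865 special Framed-IP-Address values the table says are unsupported.

```python
import ipaddress

FRAMED_IP_ADDRESS, FRAMED_ROUTE = 8, 22
FRAMED_IPV6_PREFIX, FRAMED_IPV6_ROUTE, DELEGATED_IPV6_PREFIX = 97, 99, 123
MAX_LOCALPREF = 2**32 - 1   # assumption: "maximum localpref" read as the 32-bit maximum

def parse_framed_route(text):
    """Framed-Route text 'IPv4/Bits 0.0.0.0 metric': the target is ignored but must
    be valid IPv4 syntax; the metric becomes the route's localpref."""
    prefix, target, metric = text.split()
    ipaddress.IPv4Address(target)                       # ValueError if not IPv4 syntax
    return {"prefix": ipaddress.IPv4Network(prefix), "localpref": int(metric), "via": None}

def parse_framed_ipv6_route(text):
    """Framed-IPv6-Route text: 'IPv6/Bits :: metric' is a native route;
    'IPv6/Bits IPv4-Address metric' means protocol 41 tunnelled to that IPv4 target."""
    prefix, target, metric = text.split()
    net, target = ipaddress.IPv6Network(prefix), ipaddress.ip_address(target)
    via = target if target.version == 4 else None       # any IPv6 target is ignored
    return {"prefix": net, "localpref": int(metric), "via": via}

def parse_ipv6_prefix_attr(value):
    """Binary Framed-IPv6-Prefix / Delegated-IPv6-Prefix (RFC 3162 / RFC 4818):
    one reserved byte, one prefix-length byte, then the prefix octets."""
    if len(value) < 2 or value[1] > 128 or len(value) > 18:
        raise ValueError("malformed IPv6 prefix attribute")
    addr = ipaddress.IPv6Address(value[2:].ljust(16, b"\x00"))
    return ipaddress.IPv6Network(f"{addr}/{value[1]}")   # strict: host bits must be zero

def routes_from_accept(attrs):
    """Routes towards the line from an Access-Accept's [(type, value)] list, in
    response order, each with the localpref the table above says applies."""
    special = {ipaddress.IPv4Address("255.255.255.255"), ipaddress.IPv4Address("255.255.255.254")}
    routes = []
    for t, v in attrs:
        if t == FRAMED_IP_ADDRESS:
            ip = ipaddress.IPv4Address(v)
            if ip in special:
                raise ValueError(f"Framed-IP-Address {ip} (RFC 2865 special value) not supported")
            routes.append({"prefix": ipaddress.IPv4Network(f"{ip}/32"),
                           "localpref": MAX_LOCALPREF, "via": None})
        elif t == FRAMED_ROUTE:
            routes.append(parse_framed_route(v.decode()))
        elif t in (FRAMED_IPV6_PREFIX, DELEGATED_IPV6_PREFIX):
            routes.append({"prefix": parse_ipv6_prefix_attr(v),
                           "localpref": MAX_LOCALPREF, "via": None})
        elif t == FRAMED_IPV6_ROUTE:
            routes.append(parse_framed_ipv6_route(v.decode()))
    return routes

def delegation_order(attrs):
    """Prefixes offered to DHCPv6 IA_PD requests: every Delegated-IPv6-Prefix, then
    every Framed-IPv6-Prefix, then every Framed-IPv6-Route, each group in the order
    it appeared in the response."""
    out = []
    for want in (DELEGATED_IPV6_PREFIX, FRAMED_IPV6_PREFIX, FRAMED_IPV6_ROUTE):
        for t, v in attrs:
            if t == want:
                out.append(parse_framed_ipv6_route(v.decode())["prefix"]
                           if t == FRAMED_IPV6_ROUTE else parse_ipv6_prefix_attr(v))
    return out

SAMPLE_ACCEPT = [   # constructed attribute list, not a captured packet
    (FRAMED_IP_ADDRESS, bytes([192, 0, 2, 50])),
    (FRAMED_ROUTE, b"198.51.100.0/24 0.0.0.0 100"),
    (FRAMED_IPV6_ROUTE, b"2001:db8:3::/48 :: 50"),
    (DELEGATED_IPV6_PREFIX, bytes([0, 48]) + bytes.fromhex("20010db80001")),
    (FRAMED_IPV6_PREFIX, bytes([0, 64]) + bytes.fromhex("20010db80002")),
    (FRAMED_IPV6_ROUTE, b"2001:db8:4::/48 192.0.2.99 70"),
]
```

Note that the delegation order is not the response order: the Framed-IPv6-Route that appears third in SAMPLE_ACCEPT is offered after both binary prefix attributes.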
Note that an authentication reject will normally cause the reply message to be sent as an authentication reject message. The reply "Try another" causes the L2TP session to be closed with result/error 2/7 (Try another) without sending an authentication reply on PPP.
Table G.4. Accounting-Start
AVP | No. | Usage |
Acct-Status-Type | 40 | 1 Start |
User-Name | 1 | Username from authentication (PAP/CHAP) or proxy authentication received on L2TP or received in authentication response |
Class | 25 | From authentication response if present |
Chargeable-User-Identity | 89 | Graph name that applies, sanitised to comply with CQM graph name rules. |
Called-Station-Id | 30 | Called number as received on L2TP |
Calling-Station-Id | 31 | Calling number as received on L2TP |
Service-Type | 6 | Framed |
Framed-Protocol | 7 | PPP |
Framed-MTU | 12 | Final MTU being used for session |
Filter-Id | 11 | Filters in use |
Session-Timeout | 27 | Absolute limit on session, in seconds, if specified in authentication reply |
Framed-Interface-ID | 96 | Peer IPv6 Interface ID from PPP IPV6CP |
Framed-IP-Address | 8 | Peer IPv4 address negotiated in PPP (normally from authentication response) |
Connect-Info | 77 | Text Tx speed/Rx speed in use |
Acct-Delay-Time | 41 | Seconds since session started |
Acct-Event-Timestamp | 55 | Session start time (unix timestamp) |
Acct-Session-Id | 44 | Unique ID (hex string) for session |
NAS-Identifier | 32 | Configured hostname of FireBrick |
NAS-IP-Address | 4 | NAS IPv4 address if using IPv4 |
NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6 |
NAS-Port | 5 | L2TP session ID |
Tunnel-Type | 64 | Present for relayed L2TP sessions, L2TP |
Tunnel-Medium-Type | 65 | Present for relayed L2TP, 1 (IPv4) or 2 (IPv6) |
Tunnel-Client-Endpoint | 66 | Present for relayed L2TP, text IPv4 or IPv6 address of our address on the outbound tunnel |
Tunnel-Server-Endpoint | 67 | Present for relayed L2TP, text IPv4 or IPv6 address of the far end address of the outbound tunnel |
Tunnel-Assignment-ID | 82 | Present for relayed L2TP, text local L2TP tunnel ID |
Tunnel-Client-Auth-ID | 90 | Present for relayed L2TP, local end hostname quoted by outgoing tunnel |
Tunnel-Server-Auth-ID | 91 | Present for relayed L2TP, far end hostname quoted by outgoing tunnel |
Note that most parameters are not included in interim and stop accounting records. The Acct-Session-Id should be used by accounting servers to correlate interim and stop records with the start record. The graph name could be used, but is only available where there is a graph; if there are too many different graphs it is not present. Some exceptions apply for parameters that can be changed by a RADIUS change of authorisation request, such as Connect-Info.
Table G.5. Accounting-Interim
AVP | No. | Usage |
Acct-Status-Type | 40 | 3 Interim-Update |
Acct-Delay-Time | 41 | Seconds since accounting data collected |
Acct-Event-Timestamp | 55 | Data collected time (unix timestamp) |
Acct-Session-Id | 44 | Unique ID (hex string) for session |
Chargeable-User-Identity | 89 | Graph name that applies, sanitised to comply with CQM graph name rules. |
Connect-Info | 77 | Text Tx speed/Rx speed in use |
NAS-Identifier | 32 | Configured hostname of FireBrick |
NAS-IP-Address | 4 | NAS IPv4 address if using IPv4 |
NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6 |
NAS-Port | 5 | L2TP session ID |
Acct-Input-Octets | 42 | Rx byte count |
Acct-Input-Gigawords | 52 | Rx byte count (high 4 bytes) |
Acct-Output-Octets | 43 | Tx byte count |
Acct-Output-Gigawords | 53 | Tx byte count (high 4 bytes) |
Acct-Input-Packets | 47 | Rx packet count |
Acct-Output-Packets | 48 | Tx packet count |
Tunnel-Type | 64 | Present for relayed L2TP sessions, L2TP |
Tunnel-Medium-Type | 65 | Present for relayed L2TP, 1 (IPv4) or 2 (IPv6) |
Tunnel-Client-Endpoint | 66 | Present for relayed L2TP, text IPv4 or IPv6 address of our address on the outbound tunnel |
Tunnel-Server-Endpoint | 67 | Present for relayed L2TP, text IPv4 or IPv6 address of the far end address of the outbound tunnel |
Tunnel-Assignment-ID | 82 | Present for relayed L2TP, text local L2TP tunnel ID |
Tunnel-Client-Auth-ID | 90 | Present for relayed L2TP, local end hostname quoted by outgoing tunnel |
Tunnel-Server-Auth-ID | 91 | Present for relayed L2TP, far end hostname quoted by outgoing tunnel |
As accounting interim update plus
Cause codes of note are 2 (Lost-Carrier), which is sent if LCP echos do not reply for several seconds, and 14 (Port-Suspended), which is sent if the dos-limit is exceeded on a session. For DoS handling it is recommended that subsequent authentication requests are rejected for several minutes, or that a fake accept is sent with a Session-Timeout, as DoS attacks usually continue until the customer is off-line.
A disconnect message is accepted as per RFC5176. If the session can be disconnected an ACK is sent, else a NAK.
Table G.7. Disconnect
AVP | No. | Usage |
Acct-Session-Id | 44 | Unique ID (hex string) for session |
Chargeable-User-Identity | 89 | This is used as CQM graph name. |
Acct-Terminate-Cause | 49 | Cause code as appropriate to be used in accounting stop message |
The session is identified by Acct-Session-Id if present, else by Chargeable-User-Identity. No other identification parameters are supported. If sent then they are ignored.
A change of authorisation message is accepted as per RFC5176
Table G.8. Change-of-Authorisation
AVP | No. | Usage |
Acct-Session-Id | 44 | Unique ID (hex string) for session |
Chargeable-User-Identity | 89 | This is used as CQM graph name. |
Framed-Route | 22 | May appear more than once. Text format is IPv4-Address/Bits 0.0.0.0 metric. The target IP is ignored but must be valid IPv4 syntax. The metric is used as localpref in routing. |
Delegated-IPv6-Prefix | 123 | IPv6 prefix to be routed to line. Maximum localpref used. |
Framed-IPv6-Prefix | 97 | IPv6 prefix to be routed to line. Maximum localpref used. |
Framed-IPv6-Route | 99 | May appear more than once. Text format is IPv6-Address/Bits :: metric. The target IP is ignored but must be valid IPv6 syntax. The metric is used as localpref in routing. Alternative format IPv6/Bits IPv4-Address metric defines that prefix is to be protocol 41 IPv4 tunneled to specified target via this link. |
Session-Timeout | 27 | Absolute limit on session, in seconds |
Terminate-Action | 29 | If not specified, or 0, then terminate on Session-Timeout or Quota reached, else send RADIUS Interim accounting update (not an Access Request) |
Connect-Info | 77 | Text tx speed limit to apply to session |
Filter-Id | 11 | See filter ID section |
The session is identified by Acct-Session-Id if present, else by Chargeable-User-Identity. No other identification parameters are supported. If sent then they are ignored.
Parameters are left unchanged if not specified.
No other parameters are supported, and if sent then they are ignored
The Filter-ID can be set in the authentication response and in a change of authorisation. There can be many records. Each can have many filters. Each filter is of the form of a letter possibly followed by digits. The accounting start lists the relevant filters that have been set, each in a separate Filter-Id AVP. Unknown filters are ignored.
Table G.9. Filter-ID
Filter | meaning |
Tn | Set routing table for payload traffic. This can be used for private routing, and for walled garden / credit control |
An | Specify this connection is a member of closed user group n (1-32767) but has normal IP access as well. This connection is not filtered, but traffic can go to/from connections that are filtered in the same CUG |
Rn | Specify this connection is a member of a closed user group n (1-32767) and is restricted to sending traffic to/from connections in the same CUG. |
H | Sets the connection to send HDLC framing headers on all PPP packets. This adds 2 extra bytes to the packet. This is the default setting. |
h | Sets the connection not to send HDLC framing headers on all PPP packets. This is in accordance with the L2TP/PPP RFCs. This does not work on BT 21CN BRASs. |
F | Sets TCP MTU fix flag which causes the MTU option in TCP SYN to be adjusted if necessary to fit MTU. |
f | Sets no TCP MTU fix |
M | Sets the connection to ignore the MRU. Actually, the MRU is used to generate ICMP errors for IPv6 and IPv4 with DF set, but otherwise full size packets are sent on the connection even if a lower MRU was advised. This is in accordance with the PPP RFC but breaks some routers that do not accept 1500 byte packets (e.g. PPPoE) |
m | Sets the connection to fragment IPv4 packets with DF not set that are too big for the advised MRU. This is the default |
L | This is not a filter and not confirmed back on accounting start and not valid on Change of Authorisation. It forces a restart of LCP negotiation. This is useful when BRASs lie about negotiated LCP (such as BT's 21CN BRASs) |
l | This is not a filter and not confirmed back on accounting start and not valid on Change of Authorisation. It stops an LCP negotiation restart that may be planned, e.g. due to an MRU mismatch. |
X | Pad packets to 74 bytes if length fields appears to be less - needed to work around bug in BT 20CN BRAS for IPv6 in IP over LCP mode |
C | Send all IPv4 and IPv6 using the LCP type code (only works if FireBrick doing PPP at far end) |
O | Mark session as low-priority (see shaper and damping) |
P | Mark session as premium (see shaper and damping) |
Sn | Set LCP echo rate to n seconds (default 1) |
sn | Set LCP timeout rate to n seconds (default 10) |
bn | Disable anti-spoofing source filtering |
q[+]n | Specify [or add to] quota for tx bytes. Use either q or Q. Action depends on Terminate-Action. |
Q[+]n | Specify [or add to] quota for total (tx+rx) bytes. |
For change of authorisation the absence of a filter has no effect. To set the normal routing table (table 0), send T0. To set not a member of a CUG, send A0.
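Added example (not FireBrick code): a parser for Filter-Id AVPs as described in Table G.9, applied to a per-session settings record with the Access-Accept and change-of-authorisation semantics above (absence of a filter has no effect on CoA, T0 and A0 clear, L/l are not valid on CoA and are never confirmed back, out-of-range CUGs and unknown letters are ignored). Filters within one AVP are assumed to be whitespace separated, the session field names are mine, and the set of filters listed back in Accounting-Start is a simplification of "relevant filters that have been set".

```python
import re

FILTER_RE = re.compile(r"^([A-Za-z])(\+?)(\d*)$")
CUG_MAX = 32767

def parse_filter_id(text):
    """Split one Filter-Id AVP into (letter, plus, number) tuples.  Assumption: filters
    are whitespace separated.  Malformed tokens are dropped here; letters that
    apply_filters does not know are ignored there, as the appendix says."""
    out = []
    for tok in text.split():
        m = FILTER_RE.match(tok)
        if not m:
            continue
        letter, plus, digits = m.groups()
        if plus and letter not in "qQ":            # '+' is only defined for quotas
            continue
        out.append((letter, bool(plus), int(digits) if digits else None))
    return out

def new_session():
    """Per-session settings; the defaults are those the filter table states."""
    return {"table": 0, "cug": None, "cug_mode": None, "hdlc": True, "tcp_mtu_fix": None,
            "ignore_mru": False, "priority": "normal", "lcp_echo": 1, "lcp_timeout": 10,
            "antispoof": True, "quota_tx": None, "quota_total": None,
            "lcp_restart": None, "pad74": False, "ip_over_lcp": False}

def apply_filters(session, filter_ids, coa=False):
    """Apply Filter-Id AVPs from an Access-Accept (coa=False) or a CoA (coa=True).
    On CoA an absent filter leaves the setting alone: send T0 / A0 to clear."""
    s = dict(session)
    for rec in filter_ids:
        for letter, plus, n in parse_filter_id(rec):
            if letter == "T" and n is not None:
                s["table"] = n
            elif letter in "AR" and n is not None:
                if n == 0:
                    s["cug"] = s["cug_mode"] = None
                elif 1 <= n <= CUG_MAX:
                    s["cug"], s["cug_mode"] = n, ("allow" if letter == "A" else "restrict")
            elif letter in "Hh":
                s["hdlc"] = letter == "H"
            elif letter in "Ff":
                s["tcp_mtu_fix"] = letter == "F"
            elif letter in "Mm":
                s["ignore_mru"] = letter == "M"
            elif letter in "Ll":
                if not coa:                          # not valid on CoA, never confirmed back
                    s["lcp_restart"] = letter == "L"
            elif letter == "X":
                s["pad74"] = True
            elif letter == "C":
                s["ip_over_lcp"] = True
            elif letter in "OP":
                s["priority"] = "low" if letter == "O" else "premium"
            elif letter == "S" and n:
                s["lcp_echo"] = n
            elif letter == "s" and n:
                s["lcp_timeout"] = n
            elif letter == "b":
                s["antispoof"] = False
            elif letter in "qQ" and n is not None:
                key = "quota_tx" if letter == "q" else "quota_total"
                s[key] = (s[key] or 0) + n if plus else n
    return s

def accounting_start_filters(s):
    """Filter-Id values an Accounting-Start would list, one per AVP: the non-default
    filters in effect.  L/l are never included."""
    out = []
    if s["table"]:
        out.append(f"T{s['table']}")
    if s["cug"]:
        out.append(("A" if s["cug_mode"] == "allow" else "R") + str(s["cug"]))
    flags = (("h", not s["hdlc"]), ("F", s["tcp_mtu_fix"]), ("M", s["ignore_mru"]),
             ("X", s["pad74"]), ("C", s["ip_over_lcp"]), ("b", not s["antispoof"]),
             ("O", s["priority"] == "low"), ("P", s["priority"] == "premium"))
    out += [f for f, on in flags if on]
    if s["lcp_echo"] != 1:
        out.append(f"S{s['lcp_echo']}")
    if s["lcp_timeout"] != 10:
        out.append(f"s{s['lcp_timeout']}")
    for key, letter in (("quota_tx", "q"), ("quota_total", "Q")):
        if s[key] is not None:
            out.append(f"{letter}{s[key]}")
    return out
```

The CoA path is where mistakes are easy: a CoA carrying only "q+500" tops up the quota and leaves the routing table and CUG exactly as they were, so a server that wants to move a session out of a walled garden must send T0 explicitly rather than omit the T filter.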
L2TP relay means that an incoming call (ICRQ) is relayed to another L2TP endpoint. The decision of which calls to relay to what endpoint can be made in one of two ways:-
A test is made against the config on the initial connection based on known data. This is calling number (if present), called number (if present) and login (proxy_auth_name if present). If a match is found the call is relayed with no additional PPP packets exchanged.
If there is no proxy LCP provided, or the provided negotiation conflicts with the configuration, then LCP negotiation is completed.
If there is no proxy authentication, PPP authentication is started until a response/login is received from the peer (assuming authentication is required in the config).
At this point a further check is made for a configured relay which can now be based on a login if one was not present before.
RADIUS authentication is completed, and if the response indicates a relay then the call is relayed.
The relayed call includes the incoming call parameters, and any LCP and authentication parameters that may have been negotiated at that point.
Depending on configuration, LCP echos are faked both ways from the FireBrick, and LCP echos are generated by the FireBrick and responses checked. This allows the CQM graphs to be created. The graph is only created for the outgoing part of the connection. If not configured to fake LCP echos, then these are passed through as normal and no graph is created.
Each session gets a CQM graph which uses one second LCP requests and produces detailed loss/latency graphs for the session. The graph name is picked based on the first available of :-
If a second session starts with the same graph name as an existing session then the existing session is cleared with cause 13(Preempted). It is recommended that a unique circuit ID is passed as the Chargeable-User-Identity in the authentication response to allow simple location of graphs.
IP over LCP is a non standard coding of PPP packets for IPv4 and IPv6. The coding uses the LCP code (C021) instead of the IPv4 (0021) or IPv6 (0057) code. The first byte which would normally be the LCP type is 0x4X (IPv4) or 0x6X (IPv6). The FireBrick assumes any such LCP codes are IPv4/IPv6 when received, and using a RADIUS response can send IP packets using LCP. This is specifically to bypass any carrier IP specific shaping or DPI.
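Added example (not FireBrick code): a PPP framer and decoder that implements the IP over LCP coding just described, so that the rule and its limits can be seen concretely. The sample packets are constructed headers (the IPv4 checksum is not computed), and the decoder assumes no PPP protocol-field compression.

```python
PPP_LCP, PPP_IPV4, PPP_IPV6 = 0xC021, 0x0021, 0x0057
HDLC = b"\xff\x03"          # the framing header the H filter turns on

def encode_ppp(ip_packet, ip_over_lcp=False, hdlc=True):
    """Frame an IPv4/IPv6 packet for PPP.  With ip_over_lcp the protocol field is
    0xC021 instead of 0x0021/0x0057; the IP version nibble in the first payload byte
    (0x4X / 0x6X) is what lets the receiver tell it from real LCP."""
    version = ip_packet[0] >> 4
    if version not in (4, 6):
        raise ValueError("not an IP packet")
    proto = PPP_LCP if ip_over_lcp else (PPP_IPV4 if version == 4 else PPP_IPV6)
    return (HDLC if hdlc else b"") + proto.to_bytes(2, "big") + ip_packet

def decode_ppp(frame):
    """Return (kind, payload) with kind in 'ipv4', 'ipv6', 'lcp', 'other'.  LCP frames
    whose first byte is 0x4X or 0x6X are treated as IP, as the text says the FireBrick
    does; standard LCP codes (1..13) never start that way, so there is no ambiguity
    for conforming LCP traffic."""
    if frame.startswith(HDLC):
        frame = frame[2:]
    if len(frame) < 3:
        raise ValueError("short PPP frame")
    proto, payload = int.from_bytes(frame[:2], "big"), frame[2:]
    if proto == PPP_IPV4:
        return "ipv4", payload
    if proto == PPP_IPV6:
        return "ipv6", payload
    if proto == PPP_LCP:
        return {4: "ipv4", 6: "ipv6"}.get(payload[0] >> 4, "lcp"), payload
    return "other", payload

# constructed sample packets: minimal headers only, checksum left as zero
IPV4_PKT = bytes.fromhex("450000140001000040010000") + bytes([10, 0, 0, 1, 10, 0, 0, 2])
IPV6_PKT = bytes.fromhex("6000000000003a40") + bytes(32)   # IPv6 header, unspecified addrs
LCP_ECHO = bytes.fromhex("09010008deadbeef")                # LCP Echo-Request, id 1, magic
```

Any carrier DPI that keys only on the PPP protocol field sees these frames as LCP; the flip side is that a peer which does not apply this rule will hand the packets to its LCP state machine, which is why the C filter is only useful when a FireBrick is at the far end.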
Each session can have a CUG defined (1-32767) which may be allow or restrict. Interfaces (port/VLAN) may also be defined in the same way. A packet from an interface/session with a CUG is tagged with that CUG. If the source is restricted, that packet can only leave via an interface/session with the same CUG. Similarly, if the target interface/session is restricted, then only a packet tagged with the same CUG can be sent to it.
The FireBrick operates independent routing cores allowing a totally independent routing table to be used for L2TP wrapper traffic and payload traffic. It is also possible to set the payload table in use on a per session basis from RADIUS, thus allowing a walled garden to be set up, or a private network, or simply an unusable session.
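Added example (not FireBrick code): the CUG forwarding rule above as a function, with a truth table over a non-member, an allow member, a restrict member, and a restrict member of a different CUG. The dictionary shape is mine.

```python
def cug_forward_allowed(src, dst):
    """src, dst: {'cug': 1..32767 or None, 'restricted': bool} for the ingress and
    egress interface or L2TP session.  A packet is tagged with its source CUG; a
    restricted source may only leave via the same CUG, and a restricted
    destination only accepts packets tagged with its CUG."""
    tag = src.get("cug")
    if src.get("restricted") and tag is not None and dst.get("cug") != tag:
        return False
    if dst.get("restricted") and dst.get("cug") is not None and dst["cug"] != tag:
        return False
    return True

def cug_matrix(cug=7):
    """Which (source kind, destination kind) pairs may exchange packets."""
    kinds = {"none": {"cug": None, "restricted": False},
             "allow": {"cug": cug, "restricted": False},       # Filter-Id A7
             "restrict": {"cug": cug, "restricted": True},     # Filter-Id R7
             "other": {"cug": cug + 1, "restricted": True}}    # Filter-Id R8
    return {(a, b): cug_forward_allowed(kinds[a], kinds[b]) for a in kinds for b in kinds}
```

The asymmetry to notice: an allow member can talk to the open internet and to restricted members of its CUG, while a restricted member can reach only allow or restrict members of the same CUG, in either direction.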