Appendix G. Supported RADIUS Attribute/Value Pairs for L2TP operation

Table of Contents

G.1. Authentication request
G.2. Authentication response
G.2.1. Accepted authentication
G.2.1.1. Prefix Delegation
G.2.2. Rejected authentication
G.3. Accounting Start
G.4. Accounting Interim
G.5. Accounting Stop
G.6. Disconnect
G.7. Change of Authorisation
G.8. Filter ID
G.9. Notes
G.9.1. L2TP relay
G.9.2. LCP echo and CQM graphs
G.9.3. IP over LCP
G.9.4. Closed User Group
G.9.5. Routing table

RADIUS is used for authentication and accounting of L2TP connections. If no authentication servers are configured then authentication is not performed. If no accounting servers are configured then no accounting is generated. Multiple servers can be configured and they are processed in order. Each can have multiple IP addresses. The IP addresses are tried in order of previous performance (response time, etc.). If a server fails to respond the configured number of times, it is blacklisted for a configurable period.

It is possible to configure local configurations which are checked before any RADIUS authentication.

It is possible to configure L2TP so that RADIUS accounting must respond, and if it does not then the sessions are disconnected.

G.1. Authentication request

Table G.1. Access-request

AVP                      No.  Usage
Message-Authenticator    80   Message signature as per RFC 2869
User-Name                1    Username from authentication (PAP/CHAP) or proxy authentication received on L2TP
Called-Station-Id        30   Called number as received on L2TP
Calling-Station-Id       31   Calling number as received on L2TP
Acct-Session-Id          44   Unique ID for session as used on all following accounting records
NAS-Identifier           32   Configured hostname of FireBrick
NAS-IP-Address           4    NAS IPv4 address if using IPv4
NAS-IPv6-Address         95   NAS IPv6 address if using IPv6
NAS-Port                 5    L2TP session ID
NAS-Port-Id              87   For PPPoE "port{:vlan}/MAC"
Service-Type             6    Framed
Framed-Protocol          7    PPP
CHAP-Password            3    CHAP ID and response
CHAP-Challenge           60   CHAP challenge (only present if not the same as the RADIUS Request Authenticator)
Framed-MTU               12   MTU requested by PPP, if one was requested (even if 1500)
Connect-Info             77   Text Tx speed/Rx speed from L2TP connection if known
Tunnel-Client-Endpoint   66   Indicates the L2TP tunnel configured name attribute, allowing connections via different L2TP incoming configurations to be identified
Proxy-State              33   Added to session steering RADIUS requests (i.e. previous RADIUS returned type S tunnel)

Note that the NAS-IP-Address is normally the local end of the L2TP connection for the incoming connection. However, there is a configuration option to pass the remote end of the L2TP tunnel as the NAS-IP-Address, as this is often more useful. If the remote IP is used, the NAS-Port is set to the far-end L2TP session ID rather than the local session ID. The NAS-Identifier remains the name of the FB6000. This option is separately available for accounting messages.

Note that the Calling-Station-Id is included even if it was not present in the L2TP connection, if a cached platform RADIUS request matching the L2TP connection carried a Calling-Station-Id.
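As an added worked example (this is not FireBrick code; the shared secret, username, address and session values are constructed), the following Python builds a minimal Access-Request carrying several of the AVPs from Table G.1, appends the RFC 2869 Message-Authenticator, and shows how a RADIUS server verifies both that signature and the CHAP-Password. The CHAP check uses the CHAP-Challenge AVP when present and otherwise falls back to the Request Authenticator, which is the rule behind the "only present if not the same as the RADIUS Request Authenticator" note in the table. A request whose Message-Authenticator is missing or whose content has been altered in transit is rejected before the CHAP check is reached.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers used below (RFC 2865 / RFC 2869); see Table G.1.
USER_NAME = 1
CHAP_PASSWORD = 3
NAS_IP_ADDRESS = 4
NAS_PORT = 5
NAS_IDENTIFIER = 32
CHAP_CHALLENGE = 60
MESSAGE_AUTHENTICATOR = 80
ACCESS_REQUEST = 1           # RADIUS packet code


def encode_avp(avp_type, value):
    """Type, Length (covers the 2-byte header too), Value."""
    if len(value) > 253:
        raise ValueError("AVP value too long")
    return struct.pack("!BB", avp_type, len(value) + 2) + value


def parse_avps(data):
    """Return [(type, value, offset)], rejecting malformed lengths."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed AVP length")
        avps.append((t, data[i + 2:i + l], i))
        i += l
    return avps


def chap_response(chap_id, password, challenge):
    """PPP CHAP (RFC 1994): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_access_request(secret, identifier, authenticator, avps):
    """Serialise an Access-Request and append Message-Authenticator:
    HMAC-MD5, keyed with the shared secret, over the whole packet with
    the attribute value set to 16 zero bytes (RFC 2869 section 5.14)."""
    body = b"".join(encode_avp(t, v) for t, v in avps)
    body += encode_avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    header += authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(secret, packet):
    """True only if Message-Authenticator is present and its HMAC is correct."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        avps = parse_avps(packet[20:])
    except ValueError:
        return False
    for t, v, off in avps:
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            start = 20 + off + 2
            zeroed = packet[:start] + b"\x00" * 16 + packet[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, v)
    return False  # absent: treat the request as unauthenticated


def verify_chap(packet, password):
    """Check CHAP-Password (1-byte ID + 16-byte response) against the
    cleartext password, using CHAP-Challenge if sent, else the Request
    Authenticator in the packet header."""
    authenticator = packet[4:20]
    avps = {t: v for t, v, _ in parse_avps(packet[20:])}
    chap = avps.get(CHAP_PASSWORD)
    if chap is None or len(chap) != 17:
        return False
    challenge = avps.get(CHAP_CHALLENGE, authenticator)
    return hmac.compare_digest(chap_response(chap[0], password, challenge), chap[1:])


def demo():
    """Constructed sample Access-Request for an L2TP session."""
    secret = b"example-shared-secret"       # constructed shared secret
    authenticator = bytes(range(16))        # fixed so the run is repeatable
    password = b"correct horse"             # constructed user password
    chap_id, challenge = 7, bytes(range(16, 32))   # challenge != authenticator
    avps = [
        (USER_NAME, b"alice@example.net"),
        (CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
        (CHAP_CHALLENGE, challenge),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
        (NAS_PORT, struct.pack("!I", 42)),  # L2TP session ID
        (NAS_IDENTIFIER, b"firebrick-lns1"),
    ]
    pkt = build_access_request(secret, 1, authenticator, avps)
    # Flip one bit of the User-Name value (header 20 bytes + 2-byte AVP header).
    tampered = pkt[:22] + bytes([pkt[22] ^ 0x01]) + pkt[23:]
    return {
        "genuine": verify_message_authenticator(secret, pkt),
        "tampered": verify_message_authenticator(secret, tampered),
        "wrong_secret": verify_message_authenticator(b"other-secret", pkt),
        "chap_ok": verify_chap(pkt, password),
        "chap_bad": verify_chap(pkt, b"wrong password"),
    }


if __name__ == "__main__":
    print(demo())
```

The Message-Authenticator is checked first and with a constant-time comparison, because without it an Access-Request is only protected by the shared secret's use in the Response Authenticator, which does not bind the request contents; an attacker on the path could swap AVPs such as User-Name or NAS-Port undetected. Verification here also insists on an exact Length field and well-formed AVP lengths, which is where a naive parser is most easily driven out of bounds.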