Nomadix HotSpot - Define Realm Routing Policies

362 pages
HOTSPOT GATEWAY
320 Appendix B: Addendum
Define Realm Routing Policies
Realm routing policies are used to determine how supplied username/password input
is used to authenticate users.
• Create a realm routing policy for each realm that will be handled. The realm
routing policy will reference either a RADIUS service profile or a tunnel
profile. Many different realm routing policies can reference the same
RADIUS service or tunnel profile.
See the next figure for a realm routing policy that handles prefix-based usernames using a
RADIUS service profile. Notice that “Specific Realm” is clicked and the “Realm
name” is “cisp”. Also notice that “Prefix match only” is clicked and that the delimiter
is “/”. This means that this realm routing policy will match usernames of the
format “cisp/username”.
This policy references a RADIUS service profile so a realm match will result in an
access request being sent to the RADIUS server(s) specified in the RADIUS service
profile. In this case, the RADIUS service profile “RadiusPrefix” is referenced and so
the RADIUS server(s) defined therein will receive RADIUS access requests.
Notice that the checkbox is unchecked for “Strip off routing information when
sending to RADIUS server”. This box must always be unchecked in order to pass
realm information to the RADIUS server(s) for matching of realm information to its
defined tunnel profiles, which contain the needed tunnel parameters.
The checkbox “Strip off routing information when sending to tunnel server” may or
may not be checked depending on the configuration of the tunnel server and how it
will be authenticating subscribers. In this example, it is checked and so realm
information will be stripped leaving only the simple username and password to be
passed to the tunnel server.
The tunnel server in this case is configured to authenticate users via another RADIUS
server that handles a single realm. Since it handles a single realm, no realm
information is needed for users, and so it must be stripped. In this case, it is stripped by
the HSG, but it could easily have been stripped by the tunnel server, or by the tunnel
server’s RADIUS server. This was designed for maximum flexibility.
Also note that the “Local hostname” field is blank, which means that the HSG’s
default local hostname of “usg_lac” will be used by the HSG. The field allows for setting
the local hostname to any desired value other than the default. The L2TP peers
exchange their local hostnames during tunnel negotiation.
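
The prefix matching and stripping behavior described in this section, modeled as an added Python example (an illustration, not Nomadix code). The class and function names are hypothetical, and matching the realm exactly and splitting at the first delimiter are assumptions the manual does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RealmPolicy:
    realm: str              # "Realm name", e.g. "cisp"
    delimiter: str          # prefix delimiter, e.g. "/"
    radius_profile: str     # referenced RADIUS service profile
    strip_for_radius: bool  # "Strip off routing information when sending to RADIUS server"
    strip_for_tunnel: bool  # "Strip off routing information when sending to tunnel server"

def split_prefix(username: str, delimiter: str) -> Optional[tuple]:
    """Split 'realm<delimiter>user' at the first delimiter (assumed); None otherwise."""
    realm, sep, user = username.partition(delimiter)
    return (realm, user) if sep and realm and user else None

def route(policy: RealmPolicy, username: str) -> Optional[dict]:
    """Return what each server would receive, or None when the policy does not match."""
    parts = split_prefix(username, policy.delimiter)
    if parts is None or parts[0] != policy.realm:  # exact, case-sensitive match (assumed)
        return None
    bare = parts[1]
    return {
        "radius_profile": policy.radius_profile,
        "to_radius": bare if policy.strip_for_radius else username,
        "to_tunnel": bare if policy.strip_for_tunnel else username,
    }

def lint(policy: RealmPolicy) -> list:
    """Flag the one setting this section says must always stay unchecked."""
    if policy.strip_for_radius:
        return ["routing information is stripped before RADIUS: the RADIUS "
                "server cannot match the realm to its tunnel profiles"]
    return []

# The policy shown in the section: realm "cisp", delimiter "/", profile "RadiusPrefix".
EXAMPLE = RealmPolicy("cisp", "/", "RadiusPrefix",
                      strip_for_radius=False, strip_for_tunnel=True)

if __name__ == "__main__":
    # Constructed sample usernames, including forms that must not match.
    for name in ("cisp/alice", "alice@cisp", "other/alice", "alice", "cisp/"):
        print(f"{name!r:15} -> {route(EXAMPLE, name)}")
    print(lint(EXAMPLE))
```
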
