Thanks for your responses and correcting my understanding.

What I understand is policies are stored in a centralized policy server, and these are pushed to the Access Servers through some mechanism, like SNMP or file transfer, etc. What is achieved by RADIUS is just getting a pointer (like filter name) to the policy corresponding to a subscriber when a subscriber dials in, and dynamically binding that to the access interface in the access server.

How are these policies then dynamically generated, based on the IP address that is dynamically assigned? Do policy servers also have policies based on subscriber-name (or ID)? What is the interaction between policy server and RADIUS?

Thanks again.

- elwin

--- Brett Frankenberger <rbf@rbfnet.com> wrote:
> > A Service Provider, having several POPs, I presume will be using at least one RADIUS server that is associated to each POP, and are usually colocated at the POP, along with the RAS, aggregation and other IP service devices.
>
> For most providers, you presume incorrectly. RADIUS is generally hosted centrally.
>
> > And the IP address assigned for a subscriber dialing up from one location is assigned by the corresponding RADIUS server, after authentication.
>
> The IP Address is generally assigned by the access server.
>
> > To take it further, when policies are associated with this subscriber that are based on IP address, how is that handled when the subscriber travels?
>
> Static IP addresses that give a customer the same IP address regardless of what POP he dials are rarely offered by dial-up providers. Those that do necessarily have some sort of routing hack to get their routing tables updated when the customer dials into a remote POP. Policy is generally implemented by filters on the Access Server that are dynamically created (by the RADIUS server) when the customer dials in, so it isn't necessary that the customer always have the same IP address.
>
> -- Brett
* Mohan Sundar <xmohnsundar@yahoo.com> [20010328 11:56]:
> What I understand is policies are stored in a centralized policy server, and these are pushed to the Access Servers through some mechanism, like SNMP or file transfer, etc. What is achieved by RADIUS is just getting a pointer (like filter name) to the policy corresponding to a subscriber when a subscriber dials in, and dynamically binding that to the access interface in the access server.

Yes and no. :) It is somewhat implementation dependent. There are some RADIUS client/servers that can transfer and install the filter directly via RADIUS, while others build the filters in other ways -- some directly on the NAS or with some other daemon that works in conjunction with RADIUS and the NAS.

> How are these policies then dynamically generated, based on the IP address that is dynamically assigned? Do policy servers also have policies based on subscriber-name (or ID)? What is the interaction between policy server and RADIUS?

See above. :) Livingston (the now defunct maker of the PortMaster line) had a separate RADIUS-like protocol called ChoiceNet(tm) that you could use to dump dynamic/static filters to the NAS. It had no direct interaction with the RADIUS server but the RADIUS client (the PortMaster) had to know to request the filter from the ChoiceNet server. The filter name itself would typically be specified in the RADIUS profile.

You might get better answers from the RADIUS IETF WG list (which I believe is still active...I dropped myself from it several months ago) and perhaps more "bigger picture" answers from the NASREQ IETF WG. <URL:http://www.ietf.org/>

Regards,
-jr

----
Josh Richards [JTR38/JR539-ARIN]
<jrichard@geekresearch.com/cubicle.net/fix.net/freedom.gen.ca.us>
Geek Research LLC - <URL:http://www.geekresearch.com/>
IP Network Engineering and Consulting
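
The flow described in the replies above, as an added example that is not part of the original thread or any vendor's code: the NAS authenticates the Access-Accept with the RFC 2865 Response Authenticator, reads the filter name from the Filter-Id attribute, and binds it to the session whatever address the NAS assigned. The function names, shared secret, filter names and the choice to refuse a session whose filter is not defined locally are assumptions of this example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2             # RFC 2865 packet code
USER_NAME, FILTER_ID = 1, 11  # RFC 2865 attribute types

def build_accept(ident, request_auth, secret, attrs):
    """Server side, for the demo only: encode attributes and sign the reply."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_accept(packet, expected_id, request_auth, secret):
    """NAS side: authenticate the reply, then return {attr_type: [values]}."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or ident != expected_id or length != len(packet):
        raise ValueError("not the Access-Accept for this request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[i], []).append(body[i + 2:i + body[i + 1]])
        i += body[i + 1]
    return attrs

def bind_session(attrs, assigned_ip, local_filters):
    """Attach the named filters to the session; refuse it if one is undefined."""
    names = [v.decode("ascii") for v in attrs.get(FILTER_ID, [])]
    missing = [n for n in names if n not in local_filters]
    if missing:  # assumption of this example: fail closed, never run unfiltered
        raise LookupError(f"filter(s) not defined on this NAS: {missing}")
    return {"ip": assigned_ip, "filters": names}

# Constructed sample values, not taken from the thread.
SECRET, REQ_AUTH = b"constructed-shared-secret", bytes(range(16))
LOCAL_FILTERS = {"std-dialup", "smtp-restricted"}

if __name__ == "__main__":
    pkt = build_accept(7, REQ_AUTH, SECRET,
                       [(USER_NAME, b"subscriber1"), (FILTER_ID, b"std-dialup")])
    attrs = parse_accept(pkt, 7, REQ_AUTH, SECRET)
    print(bind_session(attrs, "192.0.2.10", LOCAL_FILTERS))
```

Because the filter is looked up by name per session, the same profile yields the same policy at any POP regardless of the address the access server hands out.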