Hi,
I'm looking at using one of our Aruba controllers to provide an l2tp/ipsec service for network staff who need to have unfettered access to our network from outside our network. Back-end auth is against our RADIUS service and I'm generating a specific Filter-Id RADIUS attribute to indicate that they're l2tp/ipsec users. A successful auth then places them in a specific role and away they go.
My concern, however, is that I've set up the correct Filter-Id attribute value. The RADIUS server copes with EAP and MSCHAPv2 auths from all over the place and may well have Service-Type=Login-User from other devices.
Looking at the RADIUS Access-Request packet sent by the controller, I've got:
NAS-IP-Address = <ip address of controller>
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = me
Calling-Station-Id = 000000000000
Called-Station-Id = <mac address of client>
Framed-IP-Address = <ip address of client machine>
MS-CHAP attributes
Service-Type = Login-User
Aruba-Location-Id = "N/A"
Aruba-AP-Group = "default"
Message-Authenticator = <stuff>
At the moment I'm checking for my username, the Aruba-Location-Id, the Aruba-AP-Group and the Service-Type, but I'm not entirely convinced that the combination of those three uniquely identifies an auth request associated with an l2tp/ipsec connection.
Any way of really, really identifying the auth request as being associated with an l2tp/ipsec connect request? Can I add an attribute at the controller end to say this is an l2tp/ipsec auth request?
Rgds
Alex
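Added example (not part of Alex's post, and not Aruba's or any RADIUS server's own code): a small Python model of the server-side decision the post describes. It builds an Access-Request carrying the attributes listed above as constructed sample input, verifies the Message-Authenticator (HMAC-MD5 over the packet with that attribute zeroed, per RFC 2869) using the shared secret looked up by the client IP the request arrived from, and only then evaluates the attribute combination the post matches on. The client IP, shared secret and the returned Filter-Id value "l2tp-ipsec-users" are hypothetical; the Aruba vendor ID (14823) and the VSA numbers used for Aruba-Location-Id (6) and Aruba-AP-Group (10) are assumptions taken from the usual dictionary.aruba and should be checked against your own dictionary.

```python
import hashlib
import hmac
import os
import struct

# Standard attribute numbers (RFC 2865 / RFC 2869)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_IP_ADDRESS = 1, 4, 5, 6, 8
FILTER_ID, VENDOR_SPECIFIC, CALLED_STATION_ID, CALLING_STATION_ID = 11, 26, 30, 31
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
SERVICE_TYPE_LOGIN_USER = 1
NAS_PORT_TYPE_WIRELESS_80211 = 19
# Assumption: Aruba vendor ID and VSA numbers as found in dictionary.aruba; verify locally.
ARUBA_VENDOR = 14823
ARUBA_LOCATION_ID, ARUBA_AP_GROUP = 6, 10

# Constructed client table (hypothetical values): RADIUS client IP -> shared secret.
CLIENTS = {"10.0.0.10": b"controller-secret"}
L2TP_FILTER_ID = "l2tp-ipsec-users"   # hypothetical Filter-Id value returned on a match


def build_access_request(secret, attrs, identifier=1):
    """Encode an Access-Request with a random Request Authenticator and a valid
    Message-Authenticator. attrs: (type, bytes) or ("vsa", vendor, vtype, bytes)."""
    body = b""
    for a in attrs:
        if a[0] == "vsa":
            _, vendor, vtype, value = a
            value = struct.pack("!IBB", vendor, vtype, len(value) + 2) + value
            body += struct.pack("!BB", VENDOR_SPECIFIC, len(value) + 2) + value
        else:
            t, value = a
            body += struct.pack("!BB", t, len(value) + 2) + value
    # Message-Authenticator is 16 zero bytes while the HMAC is computed, then filled in.
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(body)) + os.urandom(16) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_attributes(pkt):
    """Return ({attr: [values]}, offset of the Message-Authenticator value or None).
    VSAs are keyed as (vendor, vtype). Lengths are checked so truncated or
    overlapping attributes raise instead of being silently accepted."""
    attrs, pos, ma_offset = {}, 20, None
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed attribute length")
        value = pkt[pos + 2:pos + l]
        if t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed VSA length")
            attrs.setdefault((vendor, vtype), []).append(value[6:4 + vlen])
        else:
            if t == MESSAGE_AUTHENTICATOR:
                ma_offset = pos + 2
            attrs.setdefault(t, []).append(value)
        pos += l
    return attrs, ma_offset


def verify_message_authenticator(pkt, secret):
    """HMAC-MD5(secret, packet with the Message-Authenticator value zeroed) must
    equal the value carried in the packet; compared in constant time."""
    _, ma_offset = parse_attributes(pkt)
    if ma_offset is None:
        return False
    zeroed = pkt[:ma_offset] + bytes(16) + pkt[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[ma_offset:ma_offset + 16])


def l2tp_filter_id(pkt, src_ip, allowed_users):
    """Return L2TP_FILTER_ID when the request is authentic and carries exactly the
    attribute profile the post describes, else None. Each attribute must appear
    exactly once so a duplicated attribute cannot satisfy a check by accident."""
    secret = CLIENTS.get(src_ip)
    if secret is None or not verify_message_authenticator(pkt, secret):
        return None
    attrs, _ = parse_attributes(pkt)

    def one(key):
        values = attrs.get(key, [])
        return values[0] if len(values) == 1 else None

    nas_ip = one(NAS_IP_ADDRESS)
    user = one(USER_NAME)
    checks = [
        nas_ip is not None and ".".join(map(str, nas_ip)) == src_ip,  # NAS-IP-Address matches the sender
        user is not None and user.decode(errors="replace") in allowed_users,
        one(SERVICE_TYPE) == struct.pack("!I", SERVICE_TYPE_LOGIN_USER),
        one(NAS_PORT_TYPE) == struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211),
        one((ARUBA_VENDOR, ARUBA_LOCATION_ID)) == b"N/A",
        one((ARUBA_VENDOR, ARUBA_AP_GROUP)) == b"default",
    ]
    return L2TP_FILTER_ID if all(checks) else None


def sample_request(user=b"me", ap_group=b"default", location=b"N/A", service_type=SERVICE_TYPE_LOGIN_USER):
    """Constructed Access-Request mirroring the attribute list in the post."""
    return build_access_request(CLIENTS["10.0.0.10"], [
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 10])),
        (NAS_PORT, struct.pack("!I", 0)),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (USER_NAME, user),
        (CALLING_STATION_ID, b"000000000000"),
        (CALLED_STATION_ID, b"00-11-22-33-44-55"),
        (FRAMED_IP_ADDRESS, bytes([192, 168, 1, 20])),
        (SERVICE_TYPE, struct.pack("!I", service_type)),
        ("vsa", ARUBA_VENDOR, ARUBA_LOCATION_ID, location),
        ("vsa", ARUBA_VENDOR, ARUBA_AP_GROUP, ap_group),
    ])


if __name__ == "__main__":
    pkt = sample_request()
    print("authentic:", verify_message_authenticator(pkt, CLIENTS["10.0.0.10"]))
    print("filter-id:", l2tp_filter_id(pkt, "10.0.0.10", {"me"}))
    print("wifi group:", l2tp_filter_id(sample_request(ap_group=b"staff-wifi"), "10.0.0.10", {"me"}))
```

Two design points worth noting. The shared secret is chosen by the source IP of the request, and the NAS-IP-Address attribute is then required to agree with it, so a request from another client that merely copies the controller's attributes does not match. And the match is deliberately strict (exactly one instance of each attribute, value compared byte-for-byte), because the decision hands out a privileged Filter-Id; a looser match on Service-Type alone is exactly what the post worries would collide with other devices.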