9.4 Tunneling Protocols
With the advent of work-from-home strategies and the branch-office concept becoming ever more popular, the dependence on access to corporate networks and privatized ISPs has become stronger. A tunnel makes it possible to log in to a corporate network over the Internet and use that network's resources as though you were locally attached to it. Although a discussion of tunnels is beyond the scope of this book, RADIUS does support a variety of tunneling protocols, both voluntary and compulsory. New RADIUS attributes were introduced in RFC 2868 to provide support for this emerging technology.
As well, private ISPs and even some corporate IT data centers want to be able to account for the use of their service for accounting, billing, and auditing purposes. RADIUS accounting, which supports the AAA model discussed in Chapter 1, is an obvious way to collect this data, especially with the new tunneling-support attributes, some modifications to the Acct-Status-Type attribute, and some entirely new attributes focused specifically on RADIUS accounting. The new values for the Acct-Status-Type attribute are listed in Table 9-1.
Table 9-1. New values per RFC 2867 for Acct-Status-Type

| Value | Name | Description | Attributes in the record |
|---|---|---|---|
| 9 | Tunnel-Start | Marks the creation of a tunnel with another end point. | User-Name, NAS-IP-Address, Acct-Delay-Time, Event-Timestamp, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Acct-Tunnel-Connection |
| 10 | Tunnel-Stop | Marks the destruction of a tunnel with another node. | User-Name, NAS-IP-Address, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, Event-Timestamp, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Acct-Tunnel-Connection, Acct-Tunnel-Packets-Lost |
| 11 | Tunnel-Reject | Marks the rejection of an attempt to establish a tunnel with another node. | User-Name, NAS-IP-Address, Acct-Delay-Time, Acct-Terminate-Cause, Event-Timestamp, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Acct-Tunnel-Connection |
| 12 | Tunnel-Link-Start | Marks the creation of a tunnel link, for those protocols that support multiple links per tunnel. | User-Name, NAS-IP-Address, NAS-Port, Acct-Delay-Time, Event-Timestamp, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Acct-Tunnel-Connection |
| 13 | Tunnel-Link-Stop | Marks the destruction of a tunnel link, for those protocols that support multiple links per tunnel. | User-Name, NAS-IP-Address, NAS-Port, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, Event-Timestamp, NAS-Port-Type, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Acct-Tunnel-Connection, Acct-Tunnel-Packets-Lost |
| 14 | Tunnel-Link-Reject | Marks the rejection of an attempt to establish a tunnel link, for those protocols that support multiple links per tunnel. | User-Name, NAS-IP-Address, Acct-Delay-Time, Acct-Terminate-Cause, Event-Timestamp, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Acct-Tunnel-Connection |
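To make the records in Table 9-1 concrete, here is an added example (not code from the book) that encodes a tunnel accounting record the way a NAS would send it, verifies it the way an accounting server should, and then audits it against the table. It uses only the Python standard library. The attribute type numbers are the real IANA RADIUS assignments, the Request Authenticator is computed as RFC 2866 specifies (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret), and the tagged Tunnel-* encodings follow RFC 2868. Everything else is constructed for the example: the shared secret, user name, addresses and tunnel connection identifier are sample values, and `audit_tunnel_record` treats the attribute lists of Table 9-1 as a checklist of what to expect in each record type, which is this example's own choice rather than a rule the book states.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)
SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret
# Attribute type numbers from the IANA RADIUS attribute registry.
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Acct-Status-Type": 40,
        "Acct-Delay-Time": 41, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
        "Acct-Session-Id": 44, "Acct-Session-Time": 46, "Acct-Input-Packets": 47,
        "Acct-Output-Packets": 48, "Acct-Terminate-Cause": 49, "Acct-Multi-Session-Id": 50,
        "Event-Timestamp": 55, "NAS-Port-Type": 61, "Tunnel-Type": 64,
        "Tunnel-Medium-Type": 65, "Tunnel-Client-Endpoint": 66, "Tunnel-Server-Endpoint": 67,
        "Acct-Tunnel-Connection": 68, "Acct-Tunnel-Packets-Lost": 86}
NAME = {number: name for name, number in ATTR.items()}
# Attribute sets of Table 9-1, keyed by Acct-Status-Type value.
_BASE = {"User-Name", "NAS-IP-Address", "Acct-Delay-Time", "Event-Timestamp", "Tunnel-Type",
         "Tunnel-Medium-Type", "Tunnel-Client-Endpoint", "Tunnel-Server-Endpoint",
         "Acct-Tunnel-Connection"}
_USAGE = {"Acct-Input-Octets", "Acct-Output-Octets", "Acct-Session-Id", "Acct-Session-Time",
          "Acct-Input-Packets", "Acct-Output-Packets", "Acct-Terminate-Cause",
          "Acct-Multi-Session-Id", "Acct-Tunnel-Packets-Lost"}
TABLE_9_1 = {
    9: ("Tunnel-Start", _BASE),
    10: ("Tunnel-Stop", _BASE | _USAGE),
    11: ("Tunnel-Reject", _BASE | {"Acct-Terminate-Cause"}),
    12: ("Tunnel-Link-Start", _BASE | {"NAS-Port"}),
    13: ("Tunnel-Link-Stop", _BASE | _USAGE | {"NAS-Port", "NAS-Port-Type"}),
    14: ("Tunnel-Link-Reject", _BASE | {"Acct-Terminate-Cause"}),
}

def avp(name, value):
    """Encode one attribute as Type, Length, Value; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", ATTR[name], len(value) + 2) + value

def integer(name, value, tag=None):
    """Integer attribute; with a tag, the RFC 2868 form: 1 tag octet + 3 value octets."""
    return avp(name, struct.pack("!I", value) if tag is None
               else bytes([tag]) + value.to_bytes(3, "big"))

def string(name, value, tag=None):
    """String attribute; with a tag, the RFC 2868 form: 1 tag octet + text."""
    return avp(name, (b"" if tag is None else bytes([tag])) + value.encode())

def build_accounting_request(identifier, attributes, secret=SECRET):
    """NAS side: frame the attributes and compute the Request Authenticator."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866: MD5 over Code, Identifier, Length, 16 zero octets, attributes, secret.
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_accounting_request(packet, secret=SECRET):
    """Server side: check length, Code and Request Authenticator, then parse."""
    if not 20 <= len(packet) <= 4096:
        raise ValueError("packet length out of range")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, received):
        raise ValueError("Request Authenticator mismatch: wrong secret or altered packet")
    attributes, pos = {}, 0
    while pos < len(body):  # walk Type/Length/Value triples, rejecting bad lengths
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attributes.setdefault(body[pos], []).append(body[pos + 2:pos + body[pos + 1]])
        pos += body[pos + 1]
    return attributes

def audit_tunnel_record(attributes):
    """Name the Table 9-1 record type and list the table's attributes it lacks."""
    status = attributes.get(ATTR["Acct-Status-Type"])
    if not status or len(status[0]) != 4:
        return None, ["Acct-Status-Type absent or malformed"]
    value = struct.unpack("!I", status[0])[0]
    if value not in TABLE_9_1:
        return None, ["Acct-Status-Type %d is not a tunnel record type" % value]
    name, expected = TABLE_9_1[value]
    return name, sorted(expected - {NAME.get(t) for t in attributes})

def example_record(status_value, identifier=7):
    """Constructed record carrying only the attributes common to all six types."""
    return build_accounting_request(identifier, [
        string("User-Name", "alice"), integer("Acct-Status-Type", status_value),
        avp("NAS-IP-Address", ipaddress.IPv4Address("192.0.2.1").packed),
        integer("Acct-Delay-Time", 0), integer("Event-Timestamp", 1700000000),
        integer("Tunnel-Type", 3, tag=1),         # tagged value 3 = L2TP
        integer("Tunnel-Medium-Type", 1, tag=1),  # tagged value 1 = IPv4
        string("Tunnel-Client-Endpoint", "198.51.100.7", tag=1),
        string("Tunnel-Server-Endpoint", "203.0.113.9", tag=1),
        string("Acct-Tunnel-Connection", "4321")])

if __name__ == "__main__":
    for status in (9, 10):  # Tunnel-Start is complete, Tunnel-Stop lacks its counters
        print(audit_tunnel_record(verify_accounting_request(example_record(status))))
```

Run as a script, the Tunnel-Start record audits clean while the same attribute set labelled Tunnel-Stop is reported as lacking the octet, packet, session and packets-lost counters that Table 9-1 associates with a stop record. The authenticator check runs before any attribute is parsed and uses a constant-time comparison, so a record with the wrong shared secret or a modified body is rejected before its contents reach the accounting store.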
The new tunnel-accounting attributes are covered, together with the rest of the RADIUS extension attributes, in the next section.