Internet access and telco usage patterns
Barry James
bjames at BJsUnixBox.terraware.net
Mon Jul 8 20:16:28 UTC 1996
On Sat, 6 Jul 1996, Eric Woodward wrote:
> I looked at this doing this about a year ago but the major stumbling block
> was that if ISPs share the authentication responsibility using distributed
> RADIUS, they have the capability of keeping each other's passwords for the
> user's that used the global access service.
This has changed slightly, now. We are able to use the "realm" concept
and have the end-user travel to, say, ISP-B (with which end-user's ISP
has reciprocity) and given that his login is joeblow, then he could login
as: joeblow at isp-a and the TS would then relay to the default RADIUS
server at which point that RADIUS server would ensure it had reciprocity
with the "ISP-A" realm and then forward that authentication request onto
ISP-A's RADIUS server. After being authenticated, the TS would then
issue an IP and accounting would be sent off to the appropriate ISP(s).
So, the only "secrets" that are shared are the md5 digest keys used
between the RADIUS server and TS.
Barry
Barry James | Mikrotec Internet Services, Inc (AS3801)
Sr Internet Engineer | 1001 Winchester Rd
bjames at mis.net | Lexington KY 40505
http://www.mis.net/ | 606/225.1488
More information about the NANOG
mailing list