its own user database, or it MAY send a RADIUS Access-Request. After
the tunnel has been brought up, the NAS and tunnel server can start
accounting.
The interactions involved in initiation of a compulsory tunnel with
dual authentication are summarized below.
Aboba & Zorn Informational [Page 14]
RFC 2809 L2TP Compulsory Tunneling via RADIUS April 2000
                         INITIATION SEQUENCE

   NAS                  Tunnel Server             RADIUS Server
   ---                  -------------             -------------

   Call accepted
   LCP starts
   PPP authentication
   phase starts
   Send RADIUS
   Access-Request
   with userID and
   authentication data
                                                  IF authentication
                                                  succeeds
                                                  Send ACK
                                                  ELSE Send NAK
   IF NAK DISCONNECT
   ELSE
   IF no control
   connection exists
   Send
   Start-Control-Connection-Request
   to Tunnel Server
                        Send
                        Start-Control-Connection-Reply
                        to NAS
   ENDIF
   Send
   Incoming-Call-Request
   message to Tunnel Server
                        Send Incoming-Call-Reply
                        to NAS
   Send
   Incoming-Call-Connected
   message to Tunnel Server
   Send data through the tunnel
                        Re-negotiate LCP,
                        authenticate user,
                        bring up IPCP,
                        start accounting
   ENDIF
5. Termination sequence
The tear down of a compulsory tunnel involves an interaction between
the client, NAS and Tunnel Server. This interaction is virtually
identical regardless of whether telephone-number based
authentication, single authentication, or dual authentication is
being used. In any of the cases, the following events occur:
Tunnel Server to NAS: L2TP Call-Clear-Request (optional)
NAS to Tunnel Server: L2TP Call-Disconnect-Notify
Tunnel termination can occur due to a client request (PPP
termination), a tunnel server request (Call-Clear-Request), or a line
problem (call disconnect).
In the case of a client-requested termination, the tunnel server MUST
terminate the PPP session. The tunnel server MUST subsequently send a
Call-Clear-Request to the NAS. The NAS MUST then send a Call-
Disconnect-Notify message to the tunnel server, and will disconnect
the call.
The NAS MUST also respond with a Call-Disconnect-Notify message and
disconnection if it receives a Call-Clear-Request from the tunnel
server without a client-requested termination.
In the case of a line problem or user hangup, the NAS MUST send a
Call-Disconnect-Notify to the tunnel server. Both sides will then
tear down the call.
The interactions involved in termination of a compulsory tunnel are
summarized below. In order to simplify the diagram that follows, we
have left out the client. However, it is understood that the client
MAY participate via PPP termination and disconnection.
                        TERMINATION SEQUENCE

   NAS                  Tunnel Server             RADIUS Server
   ---                  -------------             -------------

   IF user disconnected
   send
   Call-Disconnect-Notify
   message to tunnel server
                        Tear down the call
                        stop accounting
   ELSE IF client requests
   termination
                        send
                        Call-Clear-Request
                        to the NAS
   Send
   Call-Disconnect-Notify
   message to tunnel server
   Disconnect the user
                        Tear down the call
                        stop accounting
   ENDIF
6. Use of distinct RADIUS servers
In the case that the NAS and the tunnel server are using distinct
RADIUS servers, some interesting cases can arise in the provisioning
of compulsory tunnels.
6.1. Distinct userIDs
If distinct RADIUS servers are being used, it is likely that distinct
userID/password pairs will be required to complete the RADIUS and
tunnel authentications. One pair will be used in the initial PPP
authentication with the NAS, and the second pair will be used for
authentication at the tunnel server.
This has implications if the NAS attempts to forward authentication
information to the tunnel server in the initial setup notification.
Since the userID/password pair used for tunnel authentication is
different from that used to authenticate against the NAS, forwarding
authentication information in this manner will cause the tunnel
authentication to fail. As a result, where user-based tunneling via
RADIUS is implemented, L2TP authentication forwarding SHOULD NOT be
employed.
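As an added example (not part of RFC 2809), the following Python model walks the NAS through the dual-authentication initiation sequence shown earlier and then exercises the distinct-userID case of this section: two constructed RADIUS user stores, one consulted by the NAS and one by the tunnel server, show that a fresh tunnel-side authentication succeeds while forwarding the NAS-side userID/password pair fails. All class names, user stores and credentials are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class RadiusServer:
    """Constructed stand-in for a RADIUS server that owns one user database."""
    users: dict  # userID -> password

    def access_request(self, user_id, password):
        # Access-Accept is shown as ACK and Access-Reject as NAK, as in the diagram.
        return "ACK" if self.users.get(user_id) == password else "NAK"

@dataclass
class TunnelServer:
    """Answers L2TP control messages and runs the second PPP authentication."""
    radius: RadiusServer
    control_connection: bool = False

    def handle(self, msg):
        if msg == "Start-Control-Connection-Request":
            self.control_connection = True
            return "Start-Control-Connection-Reply"
        if msg == "Incoming-Call-Request":
            return "Incoming-Call-Reply"
        return None  # Incoming-Call-Connected carries no reply

    def ppp_authenticate(self, user_id, password):
        # Tunnel-side authentication goes to the tunnel server's own RADIUS server.
        return self.radius.access_request(user_id, password)

def initiate(nas_radius, ts, nas_creds, tunnel_creds, forward_auth=False):
    """NAS view of the initiation sequence; returns (message trace, tunnel auth result or None)."""
    trace = ["Call accepted", "LCP starts", "PPP authentication phase starts"]
    result = nas_radius.access_request(*nas_creds)  # Access-Request with userID and credentials
    trace.append(f"RADIUS {result}")
    if result == "NAK":
        trace.append("DISCONNECT")
        return trace, None
    if not ts.control_connection:  # only the first call brings up the control connection
        trace.append(ts.handle("Start-Control-Connection-Request"))
    trace.append(ts.handle("Incoming-Call-Request"))
    ts.handle("Incoming-Call-Connected")
    trace.append("Incoming-Call-Connected")
    # Section 6.1 case: with forward_auth the NAS-side pair is reused instead of
    # re-negotiating LCP and authenticating with the tunnel-side pair.
    tunnel_result = ts.ppp_authenticate(*(nas_creds if forward_auth else tunnel_creds))
    trace.append(f"tunnel authentication {tunnel_result}")
    return trace, tunnel_result
```

Running `initiate` twice against the same `TunnelServer` also shows the "IF no control connection exists" branch: only the first call produces a Start-Control-Connection-Reply.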