Configuring TMS Using Local RADIUS; How It Works - Bay Networks BayStream 7 Configuration And Troubleshooting Manual

Bay dial vpn services

BayStream Multiservice Software Version 7.2
115623B Rev. 00

Chapter 6
Configuring TMS Using Local RADIUS

An alternative way to configure the TMS database is to use a RADIUS server on
the service provider (ISP) network, instead of using the Reliable Access Control
Protocol (RACP) erpcd between the Network Access Server (NAS) and the local
authentication server, as described in Chapter 5.

In the all-RADIUS solution, tunnel management system (TMS) database
functions reside on an enhanced RADIUS server on the service provider's
network. This allows the elements of the domain/tunnel decision to reside on the
same server as the normal authentication policies. If no VPN identifier match
exists, the RADIUS server can further process the authentication.

How It Works

Upon receiving a call from a remote user, the NAS determines whether the call is
from a tunnel user. The RADIUS server on the service provider's network
recognizes the format of the VPN identifier in the user name and returns tunnel
information to the NAS. The TMS database specifies:

- Where dial-in user authentication takes place
- Which servers authenticate dial-in users
- Where the other endpoint of the tunnel is (given that the NAS is the first
  endpoint)

The NAS uses the tunnel information to establish a connection to the gateway.
Once the tunnel is available, the NAS forwards the user authentication
information to the gateway for confirmation at the remote authentication server;
that is, by the BSAC RADIUS server on the home network. The home network
retains the authentication information, providing an extra measure of security.
Figure 6-1 shows an example of such a network.
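The domain/tunnel decision described above, sketched as an added example (not code from the manual or from Bay Networks). It assumes the VPN identifier is the realm part of a "user@realm" name, which this page does not specify; the table entry, field names and addresses are constructed.

```python
import re
from dataclasses import dataclass

# ASSUMPTION: the VPN identifier is the realm in "user@realm"; the manual page
# does not define the identifier format.
_REALM = re.compile(r"[a-z0-9](?:[a-z0-9.-]{0,61}[a-z0-9])?")

@dataclass(frozen=True)
class TunnelEntry:
    auth_location: str   # where dial-in user authentication takes place
    auth_servers: tuple  # which servers authenticate dial-in users
    gateway: str         # other endpoint of the tunnel (the NAS is the first)

# Constructed sample TMS database (RFC 5737 documentation addresses).
TMS_DB = {
    "corp.example": TunnelEntry("home", ("192.0.2.10",), "198.51.100.1"),
}

def split_identifier(username):
    """Return (user, realm), or None if there is no well-formed identifier."""
    user, sep, realm = username.rpartition("@")
    realm = realm.lower()  # realms are matched case-insensitively
    # Reject empty parts, ambiguous names with a second "@", and realms with
    # characters outside the allow-list (whitespace, control characters, ...).
    if not sep or not user or "@" in user or not _REALM.fullmatch(realm):
        return None
    return user, realm

def route_call(username, tms_db=TMS_DB):
    """Decide what the provider's RADIUS server returns to the NAS."""
    parsed = split_identifier(username)
    entry = tms_db.get(parsed[1]) if parsed else None
    if entry is None:
        # No VPN identifier match: continue with the normal authentication
        # policy on the same server instead of building a tunnel.
        return {"action": "local-auth", "username": username}
    # Match: only tunnel information goes back to the NAS. The credentials are
    # not checked here; they are forwarded through the tunnel and confirmed on
    # the home network.
    return {"action": "tunnel", "realm": parsed[1], "gateway": entry.gateway,
            "auth_location": entry.auth_location,
            "auth_servers": entry.auth_servers}
```

Malformed or unknown identifiers never select a tunnel; they fall through to the provider's ordinary authentication, where an unknown user is rejected by policy.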
