Implementation of L2TP Compulsory Tunneling via RADIUS



RFC 2809          L2TP Compulsory Tunneling via RADIUS        April 2000


   Network Access Server
              The Network Access Server (NAS) is the device that clients
              contact in order to get access to the network. In L2TP
              terminology, a NAS performing compulsory tunneling is
              referred to as the L2TP Access Concentrator (LAC).

   RADIUS authentication server
              This is a server which provides for
              authentication/authorization via the protocol described in
              [1].

   RADIUS proxy
              In order to provide for the routing of RADIUS
              authentication requests, a RADIUS proxy can be employed.
              To the NAS, the RADIUS proxy appears to act as a RADIUS
              server, and to the RADIUS server, the proxy appears to act
              as a RADIUS client.  A proxy can also be used to locate
              the tunnel endpoint when realm-based tunneling is used.

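   The following is an added example, not part of RFC 2809, showing
   the two roles of a RADIUS proxy described above in working code: it
   takes an Access-Request from the NAS as a server would, selects an
   upstream server by the realm in User-Name, and re-issues the request
   as a client of that server.  The User-Password hiding it performs is
   the mechanism of [1] (RFC 2865, section 5.2); the realm table, the
   shared secrets, the host names and the packet contents are
   constructed for illustration and are not taken from this document.

```python
"""Minimal RADIUS proxy hop (added example, not RFC 2809 text).

Toward the NAS the proxy acts as a RADIUS server: it shares the NAS
secret, so it can recover the User-Password from the Access-Request.
Toward the upstream server it acts as a RADIUS client: it picks a fresh
Request Authenticator and re-hides the password under the upstream
secret.  Packet layout and password hiding follow RFC 2865 (cited as
[1] above); everything else here is a constructed assumption.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Constructed realm table (assumption): realm -> (upstream host, secret).
# Realm-based tunneling would select the tunnel endpoint the same way.
REALMS = {
    "example.com": ("radius-a.example.com", b"upstream-secret-a"),
    "example.net": ("radius-b.example.net", b"upstream-secret-b"),
}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with an MD5
    keystream chained on the previous ciphertext block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Return (code, ident, authenticator, [(type, value), ...]) with
    length checks, since the NAS-facing side receives untrusted input."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def split_realm(user_name: str):
    """'user@realm' -> ('user', 'realm'); realms compare case-insensitively."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def first_attr(attrs, attr_type: int) -> bytes:
    for t, v in attrs:
        if t == attr_type:
            return v
    raise ValueError(f"attribute {attr_type} missing")


def proxy_forward(nas_packet: bytes, nas_secret: bytes, new_authenticator=None):
    """Re-issue an Access-Request from the NAS toward the realm's server.
    Returns (upstream_host, upstream_packet)."""
    code, ident, req_auth, attrs = parse_packet(nas_packet)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied in this example")
    _, realm = split_realm(first_attr(attrs, ATTR_USER_NAME).decode())
    if realm not in REALMS:
        raise LookupError(f"no upstream server for realm {realm!r}")
    host, upstream_secret = REALMS[realm]
    # Server role: recover the password with the secret shared with the NAS.
    password = unhide_password(first_attr(attrs, ATTR_USER_PASSWORD), nas_secret, req_auth)
    # Client role: fresh authenticator, password re-hidden under the upstream secret.
    new_auth = new_authenticator if new_authenticator is not None else os.urandom(16)
    new_attrs = [(t, v) for t, v in attrs if t != ATTR_USER_PASSWORD]
    new_attrs.append((ATTR_USER_PASSWORD, hide_password(password, upstream_secret, new_auth)))
    return host, build_packet(ACCESS_REQUEST, ident, new_auth, new_attrs)
```

   Note that the proxy necessarily sees the cleartext password: RFC 2865
   password hiding only protects the attribute between two parties that
   share a secret, so each proxy hop is a point where the credential is
   exposed and the upstream secret must be distinct from the NAS secret.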
2.  Requirements language

   In this document, the key words "MAY", "MUST", "MUST NOT", "optional",
   "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as
   described in [4].

3.  Introduction

   Many applications of tunneling protocols involve dial-up network
   access.  Some, such as the provisioning of secure access to corporate
   intranets via the Internet, are characterized by voluntary tunneling:
   the tunnel is created at the request of the user for a specific
   purpose. Other applications involve compulsory tunneling: the tunnel
   is created without any action from the user and without allowing the
   user any choice.

   Examples of applications that might be implemented using compulsory
   tunnels are Internet software upgrade servers, software registration
   servers and banking services.  These are all services which, without
   compulsory tunneling, would probably be provided using dedicated
   networks or at least dedicated network access servers (NAS), since
   they are characterized by the need to limit user access to specific
   hosts.

   Given the existence of widespread support for compulsory tunneling,
   however, these types of services could be accessed via any Internet
   service provider (ISP).  The most popular means of authorizing dial-
   up network users today is through the RADIUS protocol. The use of
   RADIUS allows the dial-up users' authorization and authentication



Aboba & Zorn                 Informational