Configuring RADIUS Authentication for L2TP
The LNS sends RADIUS authentication requests or accounting requests. Authentication requests are sent out to the authentication server port. Accounting requests are sent to the accounting port. To configure the RADIUS authentication for L2TP on an M10i or M7i routing platform, include following statements at the hierarchy level:
[edit access]
[edit access]
radius-server server-address {
accounting-port port-number;
port port-number;
retry attempts;
routing-instance routing-instance-name;
secret password;
source-address source-address;
timeout seconds;
}
 |
NOTE: The RADIUS servers at the |
You can specify an accounting port number on which to contact the accounting server (in the accounting-port statement). Most RADIUS servers use port number 1813 (as specified in RFC 2866, Radius Accounting).
server-address specifies the address of the RADIUS authentication server (in the radius-server statement).
You can specify a port number on which to contact the RADIUS authentication server (in the port statement). Most RADIUS servers use port number 1812 (as specified in RFC 2865, Remote Authentication Dial In User Service [RADIUS] ).
You must specify a password in the secret statement. Passwords can contain spaces. The secret used by the local router must match that used by the RADIUS authentication server.
Optionally, you can specify the amount of time that the local router waits to receive a response from a RADIUS server (in the timeout statement) and the number of times that the router attempts to contact a RADIUS authentication server (in the retry statement). By default, the router waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds. By default, the router retries connecting to the server three times. You can configure this to be a value in the range from 1 through 10 times.
In the source-address statement, specify a source address for each configured RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. The source address is a valid IPv4 address configured on one of the router interfaces.
To configure multiple RADIUS servers, include multiple radius-server statements. For information about how to configure the RADIUS disconnect server for L2TP, see Configuring the RADIUS Disconnect Server for L2TP.
Example: RADIUS Authentication for L2TP
[edit access]
profile sunnyvale_bldg_2 {
client green {
chap-secret "$9$24gGiPfz6CuQFu1EyW8VwYgZUik.5z3";
ppp {
interface-id west;
}
group-profile sunnyvale_users;
}
client red {
chap-secret "$9$24gGiPfz6CuQFu1EyW8VwYgZUik.5z3";
group-profile sunnyvale_users;
}
authentication-order radius;
}
radius-server {
192.168.65.213 {
port 1812;
accounting-port 1813;
secret "$9$24gGiPfz6CuQFu1EyW8VwYgZUik.5z3"; # SECRET-DATA
}
192.168.65.223 {
port 1812;
accounting-port 1813;
secret "$9$24gGiPfz6CuQFu1EyW8VwYgZUik.5z3"; # SECRET-DATA
}
}
radius-disconnect-port 2500;
radius-disconnect {
192.168.65.152 secret "$9$rtkl87ws4ZDkgokPT3tpEcylWL7-VY4a";
# SECRET-DATA
192.168.64.153 secret "$9$gB4UHf5F/A0z30Ihr8Lbs24GDHqmTFn";
# SECRET-DATA
192.168.64.157 secret "$9$Hk5FCA0IhruOrv87sYGDikfTFn/t0B";
# SECRET-DATA
192.168.64.173 secret "$9$Hk5FCA0IhruOrv87sYGDikfTFn/t0B";
# SECRET-DATA
}