About RADIUS Tunnels

A tunnel is a remote connection that passes data between a remote site and an enterprise site inside an additional protocol wrapper. Depending on the tunnel protocol, the tunnel can authenticate its endpoints and encrypt the wrapped data, which helps protect the connection against tampering and eavesdropping; it can also carry quality of service features such as guaranteed bandwidth.

Note: SBR Carrier does not add tunnel functionality to your network. SBR Carrier is able to support the authentication and accounting needs of any tunnels that you have already set up.

Administration and configuration of the tunnel happen at the remote site, because that is the side of the connection that requests remote access and opens the tunnel. An administrator at the remote site must configure the tunnel with various attributes: its destination IP address, the security protocols it supports, its password, and so on. These attributes are stored in a database and retrieved when a connection is set up.

Storing tunnel attributes on a RADIUS server simplifies tunnel connections. At connection time, the tunnel is established by a network access device (NAD) at the remote site. The NAD obtains the tunnel configuration attributes from the RADIUS server (they are returned in the Access-Accept) and uses them to open the tunnel into the carrier’s network. After the tunnel is open, the user can be authenticated at the carrier’s network.

A RADIUS server is said to support tunnels if it has the ability to store and retrieve the configuration data that a NAD needs to open a tunnel. SBR Carrier fully supports tunnels:

  • SBR Carrier can determine from the attributes in the incoming Access-Request whether the connection request involves a tunnel, and if so, which tunnel.
  • SBR Carrier can store and retrieve tunnel configuration data.
  • SBR Carrier can track the number of tunnels currently in use, compare to a maximum number, and refuse the connection if the number is exceeded.

Tunnel Authentication Sequence

  1. SBR Carrier receives an Access-Request message.
  2. SBR Carrier checks whether the Access-Request contains a Called-Station-Id attribute. If it does, SBR Carrier searches its database for a tunnel entry that contains the indicated telephone number in its called station ID list.

    If a match between the Called-Station-Id and a tunnel entry can be found, SBR Carrier constructs an Access-Accept message using the Attributes list in the matching tunnel entry. It then returns the Access-Accept to the client NAD. If a match exists, skip to step 5; if no match exists, continue with step 3.

    Note: If realms are in use, SBR Carrier also searches for the called station ID number in its realm configuration files. If a match is found, the Access-Request is routed to the realm, and the tunnel search is abandoned. For this reason, make sure that DNIS numbers are unique across all tunnel entries and across all realm configuration files.

  3. If no match was found in step 2, then SBR Carrier checks whether the Access-Request contains a username in the form User<Delimiter>TunnelName or TunnelName<Delimiter>User. <Delimiter> is a single character that must match the server’s tunnel delimiter character. The order of the tunnel name relative to the username must match the server’s tunnel naming convention (prefix or suffix). Both of these values are set per server (that is, all tunnels that use this server must follow the same conventions) by entering them in the Name Parsing page (Figure 61). If the username has this form, continue with step 4; if it does not, skip to step 6.
  4. SBR Carrier searches its database for a tunnel entry whose name matches the incoming TunnelName. If a match can be found, SBR Carrier constructs an Access-Accept message using the Attributes list in the matching tunnel entry and returns the Access-Accept to the client NAD; continue with step 5. If no match can be found, skip to step 6.
  5. If SBR Carrier was able to match the Access-Request with a tunnel entry, the NAD uses the attributes returned in the Access-Accept message to open a tunnel into the enterprise site. Authentication of the User-Name is attempted, usually at the carrier’s site. If user authentication succeeds, the connection is complete. Otherwise, the user’s connection request is denied.
  6. If no matching tunnel entry was found in step 2 or step 4, SBR Carrier concludes that a tunnel is not involved in making this connection. It then continues with its User-Name parsing sequence to determine a destination for the authentication request.
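The lookup sequence above, together with the attribute-filtering rule described later under Dictionaries for Tunnel Support, as an added worked example. This is not SBR Carrier code and does not use its database or Web GUI: the tunnel entries, the realm DNIS table, the vendor of the requesting NAD and every attribute value are constructed sample data. The standard attribute names are those from RFC 2868; "Example-Tunnel-Option" and "ExampleVendor" are made-up names used only to show how vendor-specific attributes are filtered.

```python
"""Tunnel matching for an incoming RADIUS Access-Request (added example, not SBR Carrier code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TunnelEntry:
    name: str
    called_station_ids: set          # DNIS numbers expected in Called-Station-Id
    attributes: list                 # (attribute, value, vendor or None) for the Access-Accept


@dataclass
class Decision:
    tunnel: Optional[str]            # matched tunnel entry, or None
    route: str                       # "tunnel", "realm" or "user-name-parsing"
    reply: list = field(default_factory=list)   # attributes to put in the Access-Accept


def parse_tunnel_name(user_name, delimiter, convention):
    """Split User-Name into (user, tunnel) using the server-wide convention.

    convention is "prefix" (TunnelName<Delimiter>User) or "suffix"
    (User<Delimiter>TunnelName). Returns None when no tunnel name is present.
    """
    if convention not in ("prefix", "suffix"):
        raise ValueError("convention must be 'prefix' or 'suffix'")
    if delimiter not in user_name:
        return None
    if convention == "prefix":
        tunnel, _, user = user_name.partition(delimiter)
    else:
        user, _, tunnel = user_name.rpartition(delimiter)
    if not user or not tunnel:
        return None
    return user, tunnel


def build_reply(entry, nad_vendor):
    """Standard attributes are always returned; a VSA only when it belongs to
    the vendor of the NAD that sent the request (others are dropped)."""
    return [(name, value, vendor) for name, value, vendor in entry.attributes
            if vendor is None or vendor == nad_vendor]


def match_tunnel(request, tunnels, realm_dnis, delimiter, convention, nad_vendor):
    """Run the tunnel lookup sequence on one Access-Request.

    request    - dict of RADIUS attribute name -> value
    tunnels    - dict tunnel name -> TunnelEntry
    realm_dnis - set of DNIS numbers that appear in realm configuration files
    """
    # Step 2: Called-Station-Id lookup. A DNIS that matches a realm configuration
    # file is routed to the realm and the tunnel search stops. Checking realms
    # before tunnels is an assumption of this example; the page only says to keep
    # DNIS numbers unique across tunnel entries and realm files.
    dnis = request.get("Called-Station-Id")
    if dnis is not None:
        if dnis in realm_dnis:
            return Decision(None, "realm")
        for entry in tunnels.values():
            if dnis in entry.called_station_ids:
                return Decision(entry.name, "tunnel", build_reply(entry, nad_vendor))
    # Step 3: look for a tunnel name carried in User-Name.
    parsed = parse_tunnel_name(request.get("User-Name", ""), delimiter, convention)
    if parsed is None:
        return Decision(None, "user-name-parsing")   # step 6: no tunnel involved
    _, tunnel_name = parsed
    # Step 4: look the tunnel up by name and build the Access-Accept attributes.
    entry = tunnels.get(tunnel_name)
    if entry is None:
        return Decision(None, "user-name-parsing")   # step 6 again
    return Decision(entry.name, "tunnel", build_reply(entry, nad_vendor))


# Constructed sample data. In a real Access-Accept, Tunnel-Password is encrypted
# with the shared secret (RFC 2868 section 3.5); it is left in the clear here.
TUNNELS = {
    "acme": TunnelEntry("acme", {"5551000"}, [
        ("Tunnel-Type", "L2TP", None),
        ("Tunnel-Medium-Type", "IPv4", None),
        ("Tunnel-Server-Endpoint", "192.0.2.10", None),
        ("Tunnel-Password", "example-tunnel-secret", None),
        ("Example-Tunnel-Option", "strict", "ExampleVendor"),   # made-up VSA
    ]),
}
REALM_DNIS = {"5552000"}


def decide(request, nad_vendor="ExampleVendor"):
    """Convenience wrapper: suffix convention, '@' as the tunnel delimiter."""
    return match_tunnel(request, TUNNELS, REALM_DNIS, "@", "suffix", nad_vendor)


if __name__ == "__main__":
    for req in ({"Called-Station-Id": "5551000", "User-Name": "alice"},
                {"Called-Station-Id": "5552000", "User-Name": "alice"},
                {"User-Name": "bob@acme"},
                {"User-Name": "carol"}):
        print(req, "->", decide(req))
```

The first request matches on DNIS and gets all four standard attributes plus the VSA; the same request from a NAD of another vendor gets only the four standard ones. The second request collides with a realm DNIS and never reaches the tunnel search, which is the situation the uniqueness warning is about.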

Configuring Tunnel Support

You can configure SBR Carrier to support a tunnel using the Web GUI. A tunnel entry allows you to specify a list of connection Attributes such as the tunnel password, the IP address of the NAD at the enterprise site, encryption conventions to use, and so on. You can also enter the maximum number of tunnels that can be open at one time. You need to coordinate with the administrator at the enterprise site to get some of this information.

Called Station ID

DNIS (Dialed Number Identification Service) refers to a capability that many network access devices have to determine and use the telephone number that was dialed to make a connection request. The RADIUS standard supports DNIS by specifying the following attributes:

  • Calling-Station-Id is the number from which the user originated the request.
  • Called-Station-Id is the telephone number that was dialed to make the network connection.

When setting up a tunnel entry for the SBR Carrier database, you can enter a telephone number or list of numbers. This list identifies Called-Station-Id attribute values that the server should expect to find in tunnel connection requests.

Dictionaries for Tunnel Support

You can use the Web GUI to create the attributes list. The available selections include attributes from all standard and vendor-specific RADIUS dictionaries installed on the SBR Carrier server.

When the server matches a tunnel connection request, it consults the corresponding tunnel entry for the list of Attributes to return in the Access-Accept packet. SBR Carrier always returns any standard RADIUS attributes that appear in the Attributes list. It also returns any vendor-specific attributes that are appropriate for the NAD that requested the tunnel connection. Vendor-specific attributes in the Attributes list that do not apply to the requesting NAD are ignored.

Concurrent Tunnel Connections

SBR Carrier tracks the number of active connections for each tunnel. You can limit the number of concurrent connections that can be open through a specific tunnel. When a user requests a new connection through a tunnel, SBR Carrier compares the number of active connections in a tunnel to the maximum number of connections: if a new connection would exceed the limit, SBR Carrier rejects the additional connection.

For concurrent connection limits to work, each NAD that can open a tunnel must be configured for RADIUS accounting and the same SBR Carrier server must be specified for both authentication and accounting.

Note: If you are using a clustered solution with SSR, concurrent tunnel connections are not tracked cluster-wide. Each SBR Carrier server tracks them individually in an in-memory store, so a tunnel that has reached its maximum concurrent connections on one SBR Carrier server may still be able to authenticate on another SBR Carrier server.
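How the active count is derived from accounting, and why the per-server store matters in a cluster, as an added worked example. This is not SBR Carrier code. It carries the tunnel name in the Class attribute, which RFC 2865 says a NAD must echo unmodified from the Access-Accept into its Accounting-Requests; that choice of carrier attribute is this example's own, and the limits and accounting records below are constructed data.

```python
"""Concurrent-connection limits for tunnels, driven by RADIUS accounting
(added example, not SBR Carrier code)."""


class TunnelSessionStore:
    """In-memory, per-server view of the sessions open through each tunnel."""

    def __init__(self, limits):
        self.limits = dict(limits)   # tunnel name -> maximum concurrent connections
        self.active = {}             # tunnel name -> {(NAS-IP-Address, Acct-Session-Id)}

    def count(self, tunnel):
        return len(self.active.get(tunnel, ()))

    def authorize(self, tunnel):
        """Decision at Access-Request time: reject if one more would exceed the limit."""
        limit = self.limits.get(tunnel)
        return limit is None or self.count(tunnel) < limit

    def account(self, record):
        """Apply one Accounting-Request and return the tunnel's new count.

        Sessions are keyed by (NAS-IP-Address, Acct-Session-Id), so a
        retransmitted Start or Stop is idempotent instead of double counting.
        """
        status = record["Acct-Status-Type"]
        nas = record["NAS-IP-Address"]
        if status in ("Accounting-On", "Accounting-Off"):
            # The NAD (re)booted: every session it had open is gone.
            for sessions in self.active.values():
                sessions -= {k for k in sessions if k[0] == nas}
            return None
        tunnel = record["Class"]     # tunnel name echoed back by the NAD
        key = (nas, record["Acct-Session-Id"])
        sessions = self.active.setdefault(tunnel, set())
        if status in ("Start", "Interim-Update"):
            sessions.add(key)
        elif status == "Stop":
            sessions.discard(key)
        else:
            raise ValueError("unsupported Acct-Status-Type: %r" % status)
        return len(sessions)


def _rec(status, session_id, nas="192.0.2.50", tunnel="acme"):
    """Constructed Accounting-Request record."""
    return {"Acct-Status-Type": status, "Acct-Session-Id": session_id,
            "NAS-IP-Address": nas, "Class": tunnel}


def single_server_scenario():
    """One server receives both authentication and accounting from the NAD."""
    store = TunnelSessionStore({"acme": 2})
    outcome = []
    outcome.append(store.authorize("acme"))         # 0 active -> accept
    store.account(_rec("Start", "0001"))
    store.account(_rec("Start", "0001"))            # retransmit, still 1 active
    outcome.append(store.authorize("acme"))         # 1 active -> accept
    store.account(_rec("Start", "0002"))
    outcome.append(store.authorize("acme"))         # 2 active -> reject
    store.account(_rec("Stop", "0001"))
    outcome.append(store.authorize("acme"))         # 1 active -> accept
    store.account(_rec("Accounting-On", "0000"))    # NAD reboot clears the rest
    outcome.append(store.count("acme"))
    return outcome


def cluster_scenario():
    """Two servers with separate in-memory stores: the limit is enforced per server."""
    a, b = TunnelSessionStore({"acme": 2}), TunnelSessionStore({"acme": 2})
    for sid in ("0001", "0002"):
        a.account(_rec("Start", sid))
    # Server a is full, but b has seen none of the accounting and would still accept.
    return a.authorize("acme"), b.authorize("acme")


if __name__ == "__main__":
    print(single_server_scenario())
    print(cluster_scenario())
```

The single-server run shows why the NAD must send its accounting to the same server that authenticates: the count only moves on Start and Stop. The cluster run reproduces the note above, with server b accepting a third connection that server a would reject. A window also exists between the Access-Accept and the Start packet during which the count is stale; this example, like the page, does not reserve a slot at authorization time.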

Modified: 2018-01-11