X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/38e422ebb66c5de3811adce8b675ba5415d598b9..ee333473dbe84443a0eb7f358f89e3d9993b8d9c:/Docs/manual.html?ds=sidebyside diff --git a/Docs/manual.html b/Docs/manual.html index aa99e38..b95858b 100644 --- a/Docs/manual.html +++ b/Docs/manual.html @@ -52,7 +52,8 @@ H3 {
  • Interception
  • Authentication
  • Plugins
  • -
  • Walled Garden
  • +
  • Walled Garden
  • +
  • Filtering
  • Clustering
  • Routing
  • Performance
  • @@ -66,7 +67,7 @@ L2TP (Layer 2 Tunneling Protocol) is designed to allow any layer 2 protocol (e.g. Ethernet, PPP) to be tunneled over an IP connection. l2tpns implements PPP over L2TP only.

    -There are a couple of other L2TP imlementations, of which l2tpd is probably the most popular. l2tpd also will handle being either end of a tunnel, and is a lot more configurable than l2tpns. However, due to the way it works, @@ -86,7 +87,7 @@ included.


    Documentation is not my best skill. If you find any problems with this document, or if you wish to contribute, please email david@dparrish.com.

    +HREF="mailto:l2tpns-users@lists.sourceforge.net?subject=L2TPNS+Documentation">the mailing list.

    Installation

    Requirements

    @@ -146,6 +147,7 @@ set ipaddress 192.168.1.1 set boolean true +

    +

    BGP routing configuration is entered by the command: +The routing configuration section is entered by the command +

    router bgp as
    +where as specifies the local AS number. + +

    Subsequent lines prefixed with +

    neighbour peer
    +define the attributes of BGP neighhbours. Valid commands are: +
    +
    neighbour peer remote-as as +
    neighbout peer timers keepalive hold +
    + +Where peer specifies the BGP neighbour as either a hostname or +IP address, as is the remote AS number and keepalive, +hold are the timer values in seconds. + +

    Named access-lists are configured using one of the commands: +

    +
    ip access-list standard name +
    ip access-list extended name +
    + +

    Subsequent lines prefixed with permit or deny +define the body of the access-list. Standard access-list syntax: +

    +
    {permit|deny} + {host|source source-wildcard|any} + [{host|destination destination-wildcard|any}] +
    + +Extended access-lists: + +
    +

    {permit|deny} ip + {host|source source-wildcard|any} + {host|destination destination-wildcard|any} [fragments] +

    {permit|deny} udp + {host|source source-wildcard|any} + [{eq|neq|gt|lt} port|range from to] + {host|destination destination-wildcard|any} + [{eq|neq|gt|lt} port|range from to] + [fragments] +

    {permit|deny} tcp + {host|source source-wildcard|any} + [{eq|neq|gt|lt} port|range from to] + {host|destination destination-wildcard|any} + [{eq|neq|gt|lt} port|range from to] + [{established|{match-any|match-all} + {+|-}{fin|syn|rst|psh|ack|urg} + ...|fragments] +

    +

    users

    Usernames and passwords for the command-line interface are stored in @@ -399,8 +437,7 @@ A running l2tpns process can be controlled in a number of ways. The primary method of control is by the Command-Line Interface (CLI).

    You can also remotely send commands to modules via the nsctl client -provided. This currently only works with the walled garden module, but -modification is trivial to support other modules.

    +provided.

    Also, there are a number of signals that l2tpns understands and takes action when it receives them. @@ -505,19 +542,19 @@ IP Address Used Session User

  • show radius
    -Show a summary of the in-use radius sessions. This list should not be very -long, as radius sessions should be cleaned up as soon as they are used. The +Show a summary of the in-use RADIUS sessions. This list should not be very +long, as RADIUS sessions should be cleaned up as soon as they are used. The columns listed are: - + - -
    RadiusThe ID of the radius request. This is - sent in the packet to the radius server for identification.
    RadiusThe ID of the RADIUS request. This is + sent in the packet to the RADIUS server for identification.
    StateThe state of the request - WAIT, CHAP, AUTH, IPCP, START, STOP, NULL.
    SessionThe session ID that this radius +
    SessionThe session ID that this RADIUS request is associated with
    RetryIf a response does not appear to the request, it will retry at this time. This is a unix timestamp.
    TryRetry count. The radius request is +
    TryRetry count. The RADIUS request is discarded after 3 retries.

    @@ -558,7 +595,7 @@ current session for that username will be forwarded to the given host/port. Specify no snoop username to disable interception for the session.

    -If you want interception to be permanent, you will have to modify the radius +If you want interception to be permanent, you will have to modify the RADIUS response for the user. See Interception.

  • @@ -569,7 +606,7 @@ session. Specify no throttle username to disable throttling for the current session.

    If you want throttling to be permanent, you will have to modify the -radius response for the user. See Throttling. +RADIUS response for the user. See Throttling.

    @@ -630,16 +667,13 @@ this way, although some may require a restart to take effect.

    nsctl

    -nsctl was implemented (badly) to allow messages to be passed to modules.

    +nsctl allows messages to be passed to plugins.

    -You must pass at least 2 parameters: host and command. The -host is the address of the l2tpns server which you want to send the message -to.

    +Arguments are command and optional args. See +nsctl(8) for more details.

    -Command can currently be either garden or ungarden. With -both of these commands, you must give a session ID as the 3rd parameter. -This will activate or deactivate the walled garden for a session -temporarily. +Built-in command are load_plugin, unload_plugin and +help. Any other commands are passed to plugins for processing.

    Signals

    @@ -668,7 +702,7 @@ desire. You must first enable the global setting throttle_speed before this will be activated.

    If you wish a session to be throttled permanently, you should set the -Vendor-Specific radius value Cisco-Avpair="throttle=yes", which +Vendor-Specific RADIUS value Cisco-Avpair="throttle=yes", which will be handled by the autothrottle module.

    Otherwise, you can enable and disable throttling an active session using @@ -692,7 +726,7 @@ and no snoop username CLI commands. These will enable interception immediately.

    If you wish the user to be intercepted whenever they reconnect, you will -need to modify the radius response to include the Vendor-Specific value +need to modify the RADIUS response to include the Vendor-Specific value Cisco-Avpair="intercept=yes". For this feature to be enabled, you need to have the autosnoop module loaded.

    @@ -702,11 +736,11 @@ Whenever a session connects, it is not fully set up until authentication is completed. The remote end must send a PPP CHAP or PPP PAP authentication request to l2tpns.

    -This request is sent to the radius server, which will hopefully respond with +This request is sent to the RADIUS server, which will hopefully respond with Auth-Accept or Auth-Reject.

    If Auth-Accept is received, the session is set up and an IP address is -assigned. The radius server can include a Framed-IP-Address field in the +assigned. The RADIUS server can include a Framed-IP-Address field in the reply, and that address will be assigned to the client. It can also include specific DNS servers, and a Framed-Route if that is required.

    @@ -716,7 +750,7 @@ walled garden module is loaded, in which case the user still receives the PPP AUTHACK, but their session is flagged as being a garden'd user, and they should not receive any service.

    -The radius reply can also contain a Vendor-Specific attribute called +The RADIUS reply can also contain a Vendor-Specific attribute called Cisco-Avpair. This field is a freeform text field that most Cisco devices understand to contain configuration instructions for the session. In the case of l2tpns it is expected to be of the form @@ -766,7 +800,7 @@ supplied structure: - - -
    EventDescriptionParameters
    pre_authThis is called after a radius response has been + This is called after a RADIUS response has been received, but before it has been processed by the code. This will allow you to modify the response in some way. @@ -783,7 +817,7 @@ supplied structure:
    post_authThis is called after a radius response has been + This is called after a RADIUS response has been received, and the basic checks have been performed. This is what the garden module uses to force authentication to be accepted. @@ -863,7 +897,7 @@ supplied structure:
    radius_responseThis is called whenever a radius response includes a + This is called whenever a RADIUS response includes a Cisco-Avpair value. The value is split up into key=value pairs, and each is processed through all modules. @@ -909,7 +943,7 @@ Walled Garden is implemented so that you can provide perhaps limited service to sessions that incorrectly authenticate.

    Whenever a session provides incorrect authentication, and the -radius server responds with Auth-Reject, the walled garden module +RADIUS server responds with Auth-Reject, the walled garden module (if loaded) will force authentication to succeed, but set the flag garden in the session structure, and adds an iptables rule to the garden_users chain to force all packets for the session's IP @@ -934,6 +968,14 @@ command: iptables -t nat -L garden -nvx +

    Filtering

    + +Sessions may be filtered by specifying Filter-Id attributes in +the RADIUS reply. filter.in specifies that the named +access-list filter should be applied to traffic from the +customer, filter.out specifies a list for traffic to the +customer. +

    Clustering

    An l2tpns cluster consists of of one* or more servers configured with @@ -992,6 +1034,6 @@ That's really what it looks like.


    David Parrish
    -david@dparrish.com +l2tpns-users@lists.sourceforge.net
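
Review bot: Two typos in the added BGP neighbour text of the routing configuration section. "define the attributes of BGP neighhbours" should read "neighbours", and the command line "neighbout peer timers keepalive hold" should read "neighbour peer timers keepalive hold". The second one matters more because it sits in a command line that readers will copy into their configuration.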
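
Review bot: The optional trailing group in the added tcp form of the extended access-list syntax is unbalanced. "[{established|{match-any|match-all} {+|-}{fin|syn|rst|psh|ack|urg} ...|fragments]" opens a brace before "established" that is never closed. Close it before "|fragments" so it is unambiguous that established, the flag match and fragments are alternatives. The section also never says what happens to a packet that matches no permit or deny line; state the default action explicitly.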
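
Review bot: The rewritten nsctl section removes the explanation of the host parameter and now lists only command and args, while the control section still says commands can be sent remotely. Now that load_plugin and unload_plugin are documented as built-in commands, this section should say how the target server is chosen and what restricts who may send control messages, or point to the exact part of nsctl(8) that does. Separately, "Built-in command are" should be "Built-in commands are".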
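
Review bot: The new Filtering section gives the Filter-Id form only abstractly ("filter.in", "filter.out") and does not say what happens when the named access-list is not defined in the configuration. Add one concrete Filter-Id value tied to a name declared with "ip access-list standard name" or "ip access-list extended name". Also state whether a session whose RADIUS reply names an unknown list is left unfiltered or refused, so operators know whether a typo fails open.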