Roaming - Being Able to Always Dial Into Your Net With A Local Call

The Merit AAA Server supports the concept of roaming, which is actually just another name for the modem pool sharing currently occurring in Merit's MichNet. It enables customers (users) of one ISP (institution) to dial into another ISP's (institution's) modem pool and authenticate just like dialing in from home to their own ISP (institution).

Here is an illustration of how two ISPs can set up their dial-in service to allow roaming users to dial into any of their modem pools. For the sake of representation, we call them isp-a.com and isp-b.com. Both use the UNIX password file /etc/passwd for user authentication. The three files which must be configured are the authfile, the clients file and the las.conf file:


    1. The authfile on isp-a.com would look like:

      isp-a.com	UNIX-PW
      NULL		UNIX-PW
      isp-b.com	RADIUS	radius.isp-b.com

    Where radius.isp-b.com is a RADIUS server at isp-b.com.

    2. Similarly, the authfile on isp-b.com would look like:

      isp-b.com	UNIX-PW
      NULL		UNIX-PW
      isp-a.com	RADIUS	radius.isp-a.com
    

    Where radius.isp-a.com is a RADIUS server at isp-a.com.

    3. The clients file on isp-a.com would have the following entries:

      radius.isp-a.com		dummysecret
      radius.isp-b.com		realsecret
    

    4. The clients file on isp-b.com would have the following entries:

      radius.isp-b.com		dummysecret
      radius.isp-a.com		realsecret
    

    5. Each realm acts as a LAS authorizing its own users. So for isp-a.com, its las.conf file would contain entries for itself only:

      Realm	NULL
      End-Realm
    
      Realm	isp-a.com
      End-Realm
    

    6. The same for isp-b.com:

      Realm	NULL
      End-Realm
    
      Realm	isp-b.com
      End-Realm
    

    7. The users file of both realms stays the same.

    That's all!


    With this setup, radius.isp-a.com would be able to authenticate its own users who authenticate themselves as joe or joe@isp-a.com. The radius.isp-b.com server will also recognize joe@isp-a.com and ask the server radius.isp-a.com to authenticate that user. The same goes for isp-b.com.

    The standard LAS finite state machine (FSM) would also pass accounting records between the two LASes, so that they will be able to bill their own as well as the other realm's users.
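    The realm-based routing described above, written out as an added Python example (not Merit's own code): it parses the isp-a.com authfile and clients file from the sample, and decides for a given user name whether to check the local password file or to proxy to the other realm's RADIUS server with that server's shared secret. The file contents are constructed from the page's sample entries; a realm with no authfile entry, or a proxy target missing from the clients file, is rejected rather than guessed.

```python
# Added example, not part of the Merit AAA Server distribution.
# Authfile and clients file contents constructed from the isp-a.com sample above.
AUTHFILE_ISP_A = """\
isp-a.com   UNIX-PW
NULL        UNIX-PW
isp-b.com   RADIUS  radius.isp-b.com
"""

CLIENTS_ISP_A = """\
radius.isp-a.com   dummysecret
radius.isp-b.com   realsecret
"""


def parse_authfile(text):
    """Map realm -> (auth type, proxy server or None); blank lines and '#' comments skipped."""
    realms = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        realm, auth_type = fields[0], fields[1]
        server = fields[2] if len(fields) > 2 else None
        realms[realm] = (auth_type, server)
    return realms


def parse_clients(text):
    """Map RADIUS peer host -> shared secret."""
    return {f[0]: f[1] for f in (l.split() for l in text.splitlines()) if len(f) >= 2}


def route_request(username, realms, clients):
    """Return ('local', user) for a UNIX-PW realm, ('proxy', server, secret) for a
    RADIUS realm, or ('reject', user). A name without '@' belongs to the NULL realm."""
    user, _, realm = username.partition("@")
    realm = realm or "NULL"
    if realm not in realms:
        return ("reject", user)  # unknown realm: no authfile entry, so do not guess
    auth_type, server = realms[realm]
    if auth_type == "RADIUS":
        secret = clients.get(server)
        if secret is None:
            return ("reject", user)  # proxy target has no shared secret in clients file
        return ("proxy", server, secret)
    return ("local", user)  # UNIX-PW: check /etc/passwd for the bare user name
```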


    Copyright © 1994-1997, Merit Network, Inc., All Rights Reserved