Figure 4-11 multiprovider network -70, How to configure double radius lookups – Lucent Technologies 6000 User Manual

4-70

MAX 6000/3000 Network Configuration Guide

Configuring Individual WAN Connections
Configuring bidirectional CHAP support

Consider the network in Figure 4-11:

Figure 4-11. Multiprovider network

During an outgoing call with bidirectional authentication, the MAX unit first recovers the
dialout profile. Once the call is brought up, the MAX unit needs to authenticate the called
party, in this case a Pipeline unit. The authentication decision must be made by the ISP’s
RADIUS server, requiring a second RADIUS lookup.

How to configure double RADIUS lookups

When you set up double RADIUS lookups, the dialout profile is split into two profiles—the
first-tier dialout profile and the second-tier user profile. The dialout profile contains all dialout
parameters needed to establish the outgoing call, and the user profile contains information for
authenticating the called device.

Consider the following first-tier dialout profile, configured for bidirectional CHAP
authentication:

pipe-pat-outUser-Password="ascend"

Service-Type=Outbound-User,

Framed-Protocol=PPP,

Framed-IP-Address=10.4.8.8,

Pipeline unit

MAX unit

Proxy
RADIUS

Ethernet

PRI

BRI

RADIUS
server #1

RADIUS
server #2

RADIUS
server #3

PSTN

ISP #1

ISP #2

ISP #3