Implementation of L2TP Compulsory Tunneling via RADIUS
RFC 2809

Document Type RFC - Informational (April 2000; No errata)
Authors Glen Zorn  , Bernard Aboba 
Last updated 2013-03-02
Stream Internet Engineering Task Force (IETF)
Formats plain text html pdf htmlized (tools) htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2809 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                          B. Aboba
Request for Comments: 2809                                    Microsoft
Category: Informational                                         G. Zorn
                                                             April 2000

         Implementation of L2TP Compulsory Tunneling via RADIUS

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.


   This document discusses implementation issues arising in the
   provisioning of compulsory tunneling in dial-up networks using the
   L2TP protocol.  This provisioning can be accomplished via the
   integration of RADIUS and tunneling protocols. Implementation issues
   encountered with other tunneling protocols are left to separate

1. Terminology

   Voluntary Tunneling
              In voluntary tunneling, a tunnel is created by the user,
              typically via use of a tunneling client.

   Compulsory Tunneling
              In compulsory tunneling, a tunnel is created without any
              action from the user and without allowing the user any

   Tunnel Network Server
              This is a server which terminates a tunnel. In L2TP
              terminology, this is known as the L2TP Network Server

Aboba & Zorn                 Informational                      [Page 1]
RFC 2809          L2TP Compulsory Tunneling via RADIUS        April 2000

   Network Access Server
              The Network Access Server (NAS) is the device that clients
              contact in order to get access to the network. In L2TP
              terminology, a NAS performing compulsory tunneling is
              referred to as the L2TP Access Concentrator (LAC).

   RADIUS authentication server
              This is a server which provides for
              authentication/authorization via the protocol described in

   RADIUS proxy
              In order to provide for the routing of RADIUS
              authentication requests, a RADIUS proxy can be employed.
              To the NAS, the RADIUS proxy appears to act as a RADIUS
              server, and to the RADIUS server, the proxy appears to act
              as a RADIUS client.  Can be used to locate the tunnel
              endpoint when realm-based tunneling is used.

2.  Requirements language

   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
   "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
   described in [4].

3.  Introduction

   Many applications of tunneling protocols involve dial-up network
   access.  Some, such as the provisioning of secure access to corporate
   intranets via the Internet, are characterized by voluntary tunneling:
   the tunnel is created at the request of the user for a specific
   purpose. Other applications involve compulsory tunneling: the tunnel
   is created without any action from the user and without allowing the
   user any choice.

   Examples of applications that might be implemented using compulsory
   tunnels are Internet software upgrade servers, software registration
   servers and banking services.  These are all services which, without
   compulsory tunneling, would probably be provided using dedicated
   networks or at least dedicated network access servers (NAS), since
   they are characterized by the need to limit user access to specific

   Given the existence of widespread support for compulsory tunneling,
   however, these types of services could be accessed via any Internet
   service provider (ISP).  The most popular means of authorizing dial-
   up network users today is through the RADIUS protocol. The use of
   RADIUS allows the dial-up users' authorization and authentication

Aboba & Zorn                 Informational                      [Page 2]
RFC 2809          L2TP Compulsory Tunneling via RADIUS        April 2000

   data to be maintained in a central location, rather than on each NAS.
   It makes sense to use RADIUS to centrally administer compulsory
   tunneling, since RADIUS is widely deployed and was designed to carry
   this type of information.  New RADIUS attributes are needed to carry
   the tunneling information from the RADIUS server to the NAS. Those
   attributes are defined in [3].

3.1.  Advantages of RADIUS-based compulsory tunneling

   Current proposals for routing of tunnel requests include static
   tunneling, where all users are automatically tunneled to a given
   endpoint, and realm-based tunneling, where the tunnel endpoint is
   determined from the realm portion of the userID. User-based tunneling
   as provided by integration of RADIUS and tunnel protocols offers
Show full document text