HOTSPOT GATEWAY
320 Appendix B: Addendum

Define Realm Routing Policies

Realm routing policies are used to determine how supplied username/password input is used to authenticate users.

- Create a realm routing policy for each realm that will be handled. The realm routing policy will reference either a RADIUS service profile or a tunnel profile. Many different realm routing policies can reference the same RADIUS service or tunnel profile.

See next figure for a realm routing policy that handles prefix-based usernames using a RADIUS service profile. Notice that "Specific Realm" is clicked and the "Realm name" is "cisp". Also notice that "Prefix match only" is clicked and that the delimiter is "/". This means that this realm routing policy will match usernames that are of the format "cisp/username".

This policy references a RADIUS service profile so a realm match will result in an access request being sent to the RADIUS server(s) specified in the RADIUS service profile. In this case, the RADIUS service profile "RadiusPrefix" is referenced and so the RADIUS server(s) defined therein will receive RADIUS access requests.

Notice that the checkbox is unchecked for "Strip off routing information when sending to RADIUS server". This box must always be unchecked in order to pass realm information to the RADIUS server(s) for matching of realm information to its defined tunnel profiles, which contain the needed tunnel parameters.

The checkbox "Strip off routing information when sending to tunnel server" may or may not be checked depending on the configuration of the tunnel server and how it will be authenticating subscribers. In this example, it is checked and so realm information will be stripped leaving only the simple username and password to be passed to the tunnel server.

The tunnel server in this case is configured to authenticate users via another RADIUS server that handles a single realm. Since it handles a single realm, no realm information is needed for users and so must be stripped. In this case, it is stripped by the HSG, but it could easily have been stripped by the tunnel server, or by the tunnel server's RADIUS server. This was designed for maximum flexibility.

Also note that the "Local hostname" field is blank which means that the HSG's default local hostname of "usg_lac" will be used by the HSG. This allows for setting the local hostname to any desired value other than the default. The L2TP peers exchange their local hostnames during tunnel negotiation.
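The prefix-match policy described above can be modelled in a few lines to show which identity each hop receives. This is an added example, not code from the gateway or its vendor; the class and function names are hypothetical, and exact case-sensitive realm comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RealmPolicy:
    realm: str              # "Realm name", e.g. "cisp"
    delimiter: str          # "/" in the page's example
    radius_profile: str     # referenced RADIUS service profile
    strip_for_radius: bool  # "Strip off routing information when sending to RADIUS server"
    strip_for_tunnel: bool  # "Strip off routing information when sending to tunnel server"


def match_prefix(policy: RealmPolicy, username: str) -> Optional[str]:
    """Return the bare username if it has the form realm<delimiter>user, else None."""
    realm, sep, user = username.partition(policy.delimiter)
    # Assumption: the realm comparison is exact and case-sensitive.
    if sep and realm == policy.realm and user:
        return user
    return None


def identities(policy: RealmPolicy, username: str) -> Optional[dict]:
    """Show which identity each hop receives for a matching username."""
    user = match_prefix(policy, username)
    if user is None:
        return None  # no realm match: this policy does not handle the login
    return {
        "radius_profile": policy.radius_profile,
        "to_radius": user if policy.strip_for_radius else username,
        "to_tunnel_server": user if policy.strip_for_tunnel else username,
    }


def lint(policy: RealmPolicy) -> list:
    """Flag settings that contradict the guidance on the page."""
    problems = []
    if policy.strip_for_radius:
        problems.append("RADIUS server would not see the realm, so it cannot "
                        "select a tunnel profile")
    return problems


# Constructed policy mirroring the values described on the page.
CISP = RealmPolicy("cisp", "/", "RadiusPrefix",
                   strip_for_radius=False, strip_for_tunnel=True)

if __name__ == "__main__":
    for name in ("cisp/alice", "alice", "alice@cisp", "other/alice", "cisp/"):
        print(f"{name!r:15} -> {identities(CISP, name)}")
    print(lint(CISP))
```

Usernames that lack the "cisp/" prefix, including a suffix-style "alice@cisp", fall through this policy and return no match.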