Thanks Tony, that was great,
Allow me to rephrase this information a little bit
The way to have roaming enabled between 2 ISPs is to enable conditional
username is ISP2\User) then forward to ISP2
To scale this to 5 ISPs it's the same thing: if ISP1 gets a request for
ISP4, he forwards it to ISP4.
Now for larger deployments, the architecture might want to be modified a
little bit, but this is basically the way to do it.
You might want to have a central server which will make all the decisions or
ISP1 gets the access request and checks whether it includes any additional
domain info. If it doesn't, then it's his and he makes a decision.
If it does contain domain info, and it's not his info, he can just
forward it to a Central Server.
Central Server gets the request, determines whether the domain info is for
one of the domains he serves, and forwards it if that is true. Otherwise,
Central Server rejects the request.
Second ISP gets the request, evaluates it (accepts or rejects) and sends
the request back to Central Server, which will forward the response to ISP1.
In the second approach you have all your forwarding logic done in one place,
so it might be easier to manage.
Lastly, Cross Domain and Cross Forest authentication
This is off the original topic, but related....
If you have a company that manages 2 domains, then you don't even need to
forward requests between the 2 domains: IAS can look up the users in both
domains if there is a trust between them.
New for WS2003: if you have 2 forests, with multiple domains in each, then
again, IAS can look up users anywhere in both forests just by establishing
the new WS2003 forest trust. (You might want to add IAS to the RAS and IAS
Servers group on the GC of the forest.)
This posting is provided "AS IS" with no warranties and confers no rights
> The user's account/password is usually hosted by 1 of the ISPs. The rest
> just proxy that user's realm (ex. ford.com) to the hosting ISP.
> The real problem occurs when the customer has separate contracts with each
> ISP for the same realm. Then the three parties need to work out some sort
> of deal. Though typically when a customer has separate contracts, they are
> a "large enterprise" (like Ford). In which case, there is a very good
> chance that they (Ford) host their own user store with a connected RADIUS
> server. In that case, all of the ISPs just proxy the requests to Ford for
> authentication and/or accounting. If the ISP needs to inject "special"
> attributes into the packets (to support weird NAS features like filters,
> etc.), they can do so with their (the ISP's) proxies.
> > In basic, high level terms, how would two ISPs allow for roaming
> > their networks? Would each have a proxy RADIUS for the other ISP
> > within its own network? Or rather, could the RADIUS servers of each be
> > somehow interlinked without the database of each being replicated?
> > If we scale this scenario up to five ISPs with reciprocity agreements
> > amongst all of them, how would this be arranged? Some vendors are
> > advertising "Roaming Servers", which I assume implies some table to
> > incoming requests. If not, could each [roaming] request be sequentially
> > checked against the five other databases? I would assume this would be
> > very inefficient.
> > thanks in advance,
> > Scott
> > pspope at noesis-strategy.com
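The realm-based forwarding described in the reply above, both the per-ISP conditional forwarding and the central-server variant, as an added Python example; it is not part of the thread and is not IAS code. Server names, realms and User-Name values are constructed for the example, and the hop limit in trace_path is an assumption of the example, not something the thread specifies. Unknown realms are rejected outright rather than tried against every peer in turn, which is the behaviour the reply describes for the central server.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Decision:
    action: str             # "local", "forward" or "reject"
    target: Optional[str]   # next server when action == "forward"
    realm: Optional[str]    # realm parsed from User-Name, None if absent


def split_realm(user_name: str) -> Tuple[Optional[str], str]:
    """Return (realm, user) for 'REALM\\user' (the thread's ISP2\\User form)
    or 'user@realm'; realm is None when User-Name carries no domain info."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return realm.lower(), user
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return realm.lower(), user
    return None, user_name


class IspProxy:
    """One ISP's RADIUS server with conditional forwarding (first design).

    Requests without a realm, or for the ISP's own realm, are its own to
    decide. Known peer realms are forwarded directly. Anything else goes to
    the central server if one is configured (second design); otherwise it
    is rejected rather than checked against every peer database in turn."""

    def __init__(self, name: str, own_realm: str, peers: Dict[str, str],
                 central: Optional[str] = None) -> None:
        self.name = name
        self.own_realm = own_realm.lower()
        self.peers = {r.lower(): s for r, s in peers.items()}  # realm -> peer server
        self.central = central

    def decide(self, user_name: str) -> Decision:
        realm, _ = split_realm(user_name)
        if realm is None or realm == self.own_realm:
            return Decision("local", None, realm)
        if realm in self.peers:
            return Decision("forward", self.peers[realm], realm)
        if self.central is not None:
            return Decision("forward", self.central, realm)
        return Decision("reject", None, realm)


class CentralServer:
    """Central forwarding server (second design): forwards to the ISP that
    serves the realm and rejects everything else; it never authenticates."""

    def __init__(self, name: str, realms: Dict[str, str]) -> None:
        self.name = name
        self.realms = {r.lower(): s for r, s in realms.items()}  # realm -> ISP server

    def decide(self, user_name: str) -> Decision:
        realm, _ = split_realm(user_name)
        if realm is not None and realm in self.realms:
            return Decision("forward", self.realms[realm], realm)
        return Decision("reject", None, realm)


def trace_path(user_name: str, first_hop, servers: Dict[str, object],
               max_hops: int = 4) -> List[Tuple[str, str, Optional[str]]]:
    """Follow one request hop by hop and return (server, action, target) per hop.
    servers maps a server address to its object; a forward to an address that is
    not in the map ends the trace. max_hops is a loop guard added by this example."""
    path: List[Tuple[str, str, Optional[str]]] = []
    server = first_hop
    for _ in range(max_hops):
        d = server.decide(user_name)
        path.append((server.name, d.action, d.target))
        if d.action != "forward" or d.target not in servers:
            return path
        server = servers[d.target]
    path.append((server.name, "reject", None))  # hop limit hit: treat as a loop
    return path


if __name__ == "__main__":
    # Constructed topology: two ISPs that forward anything foreign to a central server.
    isp1 = IspProxy("ISP1", "ISP1", {}, central="central.example")
    isp2 = IspProxy("ISP2", "ISP2", {}, central="central.example")
    central = CentralServer("Central", {"ISP1": "radius.isp1.example",
                                        "ISP2": "radius.isp2.example"})
    servers = {"central.example": central,
               "radius.isp1.example": isp1,
               "radius.isp2.example": isp2}
    for name in ("alice", "ISP2\\bob", "ISP9\\mallory"):
        print(name, "->", trace_path(name, isp1, servers))
```

The direct design is the same IspProxy with its peers table filled in and no central server; the central design leaves the peers table empty and sets central, so changing the topology is a configuration change rather than a code change.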