Internet access and telco usage patterns

As a matter of fact, it is quite doable. Aimnet developed a roaming
server (check that allows international ISPs to
use each other's network to provide dialup services. A group of
ISPs have joined a consortium GRIC (Global Reach Internet
Consortium) led by Aimnet. The roaming server is based
on the RADIUS protocol.

A telco company can install modems and route the authentication to
the specific ISP for authentication.


I looked at doing this about a year ago but the major stumbling block
was that if ISPs share the authentication responsibility using distributed
RADIUS, they have the capability of keeping each other's passwords for the
users that used the global access service.

Also, a service you likely know about, started up around the same time in
Vancouver, where I was living at the time, called GeoAccess
(, was going to target this idea much more
aggressively than I (and plus I did not feel like competing with him in
particular), and decided on the model of centralized authentication,
effectively becoming a worldwide access ISP without purchasing a single modem
or terminal server. But even ISPs participating in his "network" can log
the entered passwords.

Telephone companies might have a problem with the legal ramifications of this
"roaming" service.

I just came back from Montreal INet 96 last week and a new roaming
IETF group will be started. We are working on the IETF draft
for the roaming and stay tuned.

Please let me know what the name of working group is, and perhaps take this
to private email. I would be very interested to know how the password
access problem is worked around, or at very least, rationally pushed aside,
and even contribute.

Eric Woodward.

This has changed slightly, now. We are able to use the "realm" concept
and have the end-user travel to, say, ISP-B (with which end-user's ISP
has reciprocity) and given that his login is joeblow, then he could login
as: joeblow@isp-a and the TS would then relay to the default RADIUS
server at which point that RADIUS server would ensure it had reciprocity
with the "ISP-A" realm and then forward that authentication request onto
ISP-A's RADIUS server. After being authenticated, the TS would then
issue an IP and accounting would be sent off to the appropriate ISP(s).
So, the only "secrets" that are shared are the md5 digest keys used
between the RADIUS server and TS.


Not quite. The user must "share" their password with the first RADIUS
client in order for it to be encrypted via MD5 in the first place. There
is a hole here. But there is a solution as well.
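An added example, not part of the original thread: the RADIUS User-Password hiding scheme (RFC 2865 section 5.2) applied to the realm-proxy path described above, showing that the relaying ISP's RADIUS server necessarily holds the cleartext password while re-hiding it for the home ISP. It assumes PAP-style authentication; the function names, secrets, authenticators and password are constructed for illustration.

```python
import hashlib

def _xor_block(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # Keystream for one 16-byte block is MD5(shared secret + previous value).
    pad = hashlib.md5(secret + prev).digest()
    return bytes(b ^ p for b, p in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2), as done by the TS."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("need a 1..128 byte password and 16 byte authenticator")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)  # chain on ciphertext
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, available to anyone holding the shared secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password attribute")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _xor_block(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def proxy_forward(hidden, auth_in, secret_in, auth_out, secret_out):
    """ISP-B's proxy relaying joeblow@isp-a: unhide with the TS secret,
    re-hide with the secret shared with ISP-A. Returns (cleartext, re-hidden)."""
    clear = recover_password(hidden, secret_in, auth_in)
    return clear, hide_password(clear, secret_out, auth_out)

# Constructed sample values, not taken from the thread.
TS_SECRET, PEER_SECRET = b"ts-to-isp-b-secret", b"isp-b-to-isp-a-secret"
AUTH_1, AUTH_2 = bytes(range(16)), bytes(range(16, 32))
PASSWORD = b"joeblow-long-passphrase-2x"  # 26 bytes, spans two MD5 blocks

if __name__ == "__main__":
    on_wire = hide_password(PASSWORD, TS_SECRET, AUTH_1)
    seen, relayed = proxy_forward(on_wire, AUTH_1, TS_SECRET, AUTH_2, PEER_SECRET)
    print("ISP-B proxy sees:", seen)
    print("ISP-A recovers: ", recover_password(relayed, PEER_SECRET, AUTH_2))
```

The MD5 step only protects the password on each hop between two holders of a shared secret; every RADIUS server in the relay chain handles it in the clear, which is the logging concern raised earlier in the thread.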

