Point-to-point L2TP tunnel to Radius server (not in BCP mode)

I need a point-to-point L2TP tunnel from cnPilot to my Linux server with RADIUS, as my cnPilots are installed inside NAT and do not have a reachable IP (from outside). The tunnel is needed only for RADIUS traffic (auth/acct). I can't set up such a tunnel with a Linux machine because cnPilot supports L2TP only in BCP mode (Bridge Control Protocol). I can't find any actual L2TP server for Linux with BCP support.

Question to developers: is it possible to add point-to-point L2TP support (not BCP) to cnPilot firmware?


A cnPilot AP carries only WLAN user traffic on the tunnel. A cnPilot AP can't put control traffic or device self-generated traffic on the tunnel. With this functionality, a cnPilot AP can't be used for taking RADIUS authentication traffic on the tunnel.

Let me reiterate once again: only WLAN clients' data traffic can be tunnelled on the L2TP tunnel.

With Regards,

If your cnPilot APs are inside the NAT and the RADIUS server is outside, authentication and accounting should still work. The device doing the NAT typically also handles UDP and all the auth/acct connections are initiated from the AP side so it should be able to map and make this work.

Two things to note:

1. the client entry (where IP and shared-secret are defined) on the RADIUS server side should be the public IP of the device doing the NAT (not the local IP of the AP). 

2. dynamic authorization will not work without port forwarding (since unlike auth/acct this is initiated from the server side)
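
The two notes above, modelled as an added example that is not part of the original thread: a toy NAT table plus a RADIUS client lookup keyed by packet source address. All addresses, ephemeral ports and function names are constructed for illustration; UDP 3799 is assumed as the dynamic authorization port (the RFC 5176 default).

```python
# Constructed sample values (documentation address ranges), not from the thread.
AP_LOCAL = "192.168.1.10"       # cnPilot AP behind the NAT
NAT_PUBLIC = "203.0.113.7"      # public address of the NAT device
RADIUS_SERVER = "198.51.100.20"

class Nat:
    """Minimal UDP NAT: outbound packets create state, inbound must match it."""
    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        self.forwards = dict(port_forwards or {})  # public port -> (lan ip, port)
        self.state = {}  # (public port, remote ip, remote port) -> (lan ip, port)
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a LAN packet; return the source the remote side sees."""
        pub_port = self.next_port
        self.next_port += 1
        self.state[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, pub_port

    def inbound(self, src_ip, src_port, dst_port):
        """Return the LAN destination for an arriving packet, or None (dropped)."""
        hit = self.state.get((dst_port, src_ip, src_port))
        return hit or self.forwards.get(dst_port)

def radius_client_secret(clients, source_ip):
    """The server picks the shared secret by the source IP it observes."""
    return clients.get(source_ip)

def simulate(clients, port_forwards=None):
    nat = Nat(NAT_PUBLIC, port_forwards)
    # AP-initiated Access-Request to UDP 1812: the server sees the NAT address.
    seen_ip, seen_port = nat.outbound(AP_LOCAL, 50000, RADIUS_SERVER, 1812)
    auth_ok = radius_client_secret(clients, seen_ip) is not None
    # The reply rides back on the mapping the request created.
    reply_to = nat.inbound(RADIUS_SERVER, 1812, seen_port) if auth_ok else None
    # Server-initiated CoA/Disconnect to UDP 3799 has no mapping to ride on.
    coa_to = nat.inbound(RADIUS_SERVER, 45000, 3799)
    return {"auth_ok": auth_ok, "reply_to": reply_to, "coa_to": coa_to}

if __name__ == "__main__":
    print(simulate({AP_LOCAL: "secret"}))                 # entry uses AP local IP
    print(simulate({NAT_PUBLIC: "secret"}))               # entry uses NAT public IP
    print(simulate({NAT_PUBLIC: "secret"}, {3799: (AP_LOCAL, 3799)}))
```

Because the client entry is keyed on the NAT's public address, every AP behind that NAT shares one entry and one shared secret on the server side.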

We are developers of an out-of-the-box authorization portal. We have had success with Mikrotik: it establishes an L2TP connection to the server and then all RADIUS traffic uses this connection. The main goal: the user doesn't care about NAT and dynamic IP addresses; a Mikrotik can be put in any network with internet access (NAT, dynamic IP...) and start working immediately. We have a lot of requests for cnPilot support in our portal, but we can't handle APs inside NAT and APs with dynamic IPs in this situation.


I hope this is the topology you have; please confirm it, and we can think of a possible solution for it.

Radius Server ---- Mikrotik Router ---- internet ------ NAT box ---- cnPilot AP

The RADIUS server is in a private network which is reachable via a GRE tunnel to the Mikrotik router.

The WLAN has been configured with 802.1x EAP authentication.

With Regards,


We also have a question about this network topology:

 Mikrotik Router I----GRE/(l2TP)- internet ------NAT box --- GRE/(l2TP)-cnPilot AP 1

                             I----GRE/(l2TP)- internet ------NAT box --- GRE/(l2TP)-cnPilot AP2

Can OKC/802.11r roaming messages that are generated by AP1 reach AP2 via the GRE (L2TP) tunnel?