The Cisco and AT&T SIG tunnel servers communicate with AT&T Administration Server using the RADIUS protocol. There are two possible modes of operation in this case

• In the first mode, the VPN Gateway sends the authentication information directly to the tunnel endpoint. AT&T authentication requires an Account and Service to be identified in addition to the User ID and Password. The standard RADIUS protocol that is initiated by the tunnel servers does not support these additional fields. During the authentication flow, the VPN Gateway creates a User ID that includes the Account and Service fields by including them as part of the User ID string using specific delimiters. The tunnel servers pass the additional information as part of the User ID field to AT&T Administration Server for authentication.
• In the second mode, the VPN Gateway first authenticates to AT&T Administration Server and gets back a limited-use session token and a tunnel server list. The VPN Gateway sends the session token to the tunnel endpoint which sends it on to AT&T Administration Server. The AT&T Administration Server checks its validity. Upon completing the authentication/ authorization tests, the AT&T Administration Server returns a simple pass/fail answer to the tunnel server to allow/disallow access to the tunnel.

The AT&T developed tunnel servers (AT&T SIG and AT&T VIG Gateways) support the ability to perform an AT&T proprietary authentication/authorization flow to AT&T Administration Server. This flow requires the Account, Service, User ID and Password to be specified. The proprietary information flow takes place down the encrypted IPSec tunnel. By using a proprietary flow, additional information can be returned to the AT&T developed tunnel servers. For instance when authenticating an VPN Gateway for tunnel access, the AT&T VIG uses BGP routing information returned in the data flow to initiate a BGP session with the PE router.