[c-nsp] PPPoE and RADIUS

Carlson Per Per.Carlson at banetele.com
Thu Jul 29 11:55:07 EDT 2004


Hi.

I'm trying to get PPPoE sessions authenticated and authorized by a
RADIUS-server, but without any luck.

The config:

First some login/enable stuff...

aaa group server radius rad_login
 server 10.0.0.1 auth-port 1812 acct-port 1813
!
aaa authentication login authlist_login group rad_login local
aaa authentication enable default group rad_login enable
!
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key yyy
!
ip radius source-interface Loopback0
!
line vty 0 4
 login authentication authlist_login
!

...then the PPP related...

aaa group server radius rad_ppp
 server-private 10.0.0.1 auth-port 1645 acct-port 1646 key xxx
!
aaa authentication ppp authlist_ppp group rad_ppp
aaa authorization network authlist_ppp group rad_ppp
!
vpdn enable
!
vpdn-group PPPoE
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface Loopback0
 ip address 192.168.1.12 255.255.255.255
!
interface FastEthernet0/1.51
 encapsulation dot1Q 51
 pppoe enable
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp authentication chap authlist_ppp
 ppp authorization authlist_ppp
!

...end of config


Login and enable work like a breeze, but for PPPoE sessions AAA is never
even attempted at the RADIUS-server:

Jul 29 17:11:08 CEST: ppp568 LCP: State is Open
Jul 29 17:11:08 CEST: ppp568 PPP: Phase is AUTHENTICATING, by both
Jul 29 17:11:08 CEST: ppp568 CHAP: O CHALLENGE id 1 len 29 from "lac"
Jul 29 17:11:08 CEST: ppp568 CHAP: I CHALLENGE id 1 len 30 from "pppoe_client"
Jul 29 17:11:08 CEST: RADIUS/ENCODE(00000262): sendauth, failing over
Jul 29 17:11:08 CEST: RADIUS/ENCODE(00000262): send packet; BEGIN
Jul 29 17:11:08 CEST: ppp568 CHAP: Unable to authenticate for peer
Jul 29 17:11:08 CEST: ppp568 PPP: Sending Acct Event[Down] id[262]
Jul 29 17:11:08 CEST: ppp568 PPP: Phase is TERMINATING
Jul 29 17:11:08 CEST: ppp568 LCP: O TERMREQ [Open] id 4 len 4
Jul 29 17:11:08 CEST: ppp568 LCP: I TERMACK [TERMsent] id 4 len 4
Jul 29 17:11:08 CEST: ppp568 LCP: State is Closed
Jul 29 17:11:08 CEST: ppp568 PPP: Phase is DOWN

Yes, the RADIUS-server is active and responding, so that's not the issue.

Any clues?



Another thing that puzzles me is the double sided authentication. If the
configuration of the virtual-template is

  ppp authentication chap

then only single sided authentication is done (no CHAP challenge is sent
from the LNS). But as soon as a method-list is used, a CHAP challenge is
sent out. That doesn't seem logical to me.

Changing the authentication to PAP doesn't improve things either.

The LAC is a 7200 running 12.3.9a Enterprise, and I've tried 12.2.15T13 as
well.

I should also probably mention that the LNS is running MPLS (that's why the
Enterprise feature set), but as long as everything is done in global
IP-space, that shouldn't interfere (I hope).

TIA, Per

