[c-nsp] PPPoE and RADIUS

Dennis Peng dpeng at cisco.com
Thu Jul 29 16:52:54 EDT 2004


The problem is that the client is trying to authenticate the LAC (we
see an input challenge from the client). We cannot respond to the
challenge since you are using RADIUS, so we drop the connection. Stop
the peer from trying to authenticate us and it should work better.

Dennis

Carlson Per [Per.Carlson at banetele.com] wrote:
> 
> Hi.
> 
> I'm trying to get PPPoE sessions authenticated and authorized by a
> RADIUS-server, but without any luck.
> 
> The config:
> 
> First some login/enable stuff...
> 
> aaa group server radius rad_login
>  server 10.0.0.1 auth-port 1812 acct-port 1813
> !
> aaa authentication login authlist_login group rad_login local
> aaa authentication enable default group rad_login enable
> !
> radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key yyy
> !
> ip radius source-interface Loopback0
> !
> line vty 0 4
>  login authentication authlist_login
> !
> 
> ...then the PPP related...
> 
> aaa group server radius rad_ppp
>  server-private 10.0.0.1 auth-port 1645 acct-port 1646 key xxx
> !
> aaa authentication ppp authlist_ppp group rad_ppp
> aaa authorization network authlist_ppp group rad_ppp
> !
> vpdn enable
> !
> vpdn-group PPPoE
>  accept-dialin
>   protocol pppoe
>   virtual-template 1
> !
> interface Loopback0
>  ip address 192.168.1.12 255.255.255.255
> !
> interface FastEthernet0/1.51
>  encapsulation dot1Q 51
>  pppoe enable
> !
> interface Virtual-Template1
>  ip unnumbered Loopback0
>  ppp authentication chap authlist_ppp
>  ppp authorization authlist_ppp
> !
> 
> ...end of config
> 
> 
> Login and enable works like a breeze, but PPPoE-sessions are never even
> tried AAAed at the RADIUS-server:
> 
> Jul 29 17:11:08 CEST: ppp568 LCP: State is Open
> Jul 29 17:11:08 CEST: ppp568 PPP: Phase is AUTHENTICATING, by both
> Jul 29 17:11:08 CEST: ppp568 CHAP: O CHALLENGE id 1 len 29 from "lac"
> Jul 29 17:11:08 CEST: ppp568 CHAP: I CHALLENGE id 1 len 30 from "pppoe_client"
> Jul 29 17:11:08 CEST: RADIUS/ENCODE(00000262): sendauth, failing over
> Jul 29 17:11:08 CEST: RADIUS/ENCODE(00000262): send packet; BEGIN
> Jul 29 17:11:08 CEST: ppp568 CHAP: Unable to authenticate for peer
> Jul 29 17:11:08 CEST: ppp568 PPP: Sending Acct Event[Down] id[262]
> Jul 29 17:11:08 CEST: ppp568 PPP: Phase is TERMINATING
> Jul 29 17:11:08 CEST: ppp568 LCP: O TERMREQ [Open] id 4 len 4
> Jul 29 17:11:08 CEST: ppp568 LCP: I TERMACK [TERMsent] id 4 len 4
> Jul 29 17:11:08 CEST: ppp568 LCP: State is Closed
> Jul 29 17:11:08 CEST: ppp568 PPP: Phase is DOWN
> 
> Yes, the RADIUS-server is active and responding, so that's not the issue.
> 
> Any clues?
> 
> 
> 
> Another thing that puzzles me is the double sided authentication. If the
> configuration of the virtual-template is
> 
>   ppp authentication chap
> 
> then only single sided authentication is done (no CHAP challenge is sent
> from the LNS).
> But as soon as a method-list is used, a CHAP challenge is sent out. That
> doesn't seem logical to me.
> 
> Changing the authentication to PAP doesn't improve things either.
> 
> The LAC is a 7200 running 12.3.9a Enterprise, and I've tried 12.2.15T13 as
> well.
> 
> I should also probably mention that the LNS is running MPLS (that's why the
> Enterprise feature set), but as long as everything is done in global
> IP-space, that shouldn't interfere (I hope).
> 
> TIA, Per
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
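
The diagnosis in the reply can be read directly off the debug output: an inbound `I CHALLENGE` followed by `Unable to authenticate for peer` means the peer's authentication of the router failed, not the router's authentication of the peer. The following is an added example, not part of the original thread, that classifies sessions this way; the `ppp568` lines come from the post, the `ppp569` session is a constructed contrast case, and the function name and verdict strings are hypothetical.

```python
import re
from collections import defaultdict

# Per-session lines of IOS "debug ppp" output: "<timestamp>: ppp<N> <PROTO>: <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \w+: (ppp\d+) (\w+): (.*)$")

def diagnose(log_text):
    """Return {session: verdict} describing which side's authentication failed."""
    sessions = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # RADIUS/ENCODE lines carry no ppp<N> id and are skipped
            sessions[m.group(1)].append((m.group(2), m.group(3)))
    verdicts = {}
    for name, events in sessions.items():
        def seen(proto, text):
            return any(p == proto and text in msg for p, msg in events)
        peer_challenged_us = seen("CHAP", "I CHALLENGE")
        we_could_not_answer = seen("CHAP", "Unable to authenticate for peer")
        if peer_challenged_us and we_could_not_answer:
            verdicts[name] = "peer tried to authenticate us; no local reply possible"
        elif seen("CHAP", "O SUCCESS"):
            verdicts[name] = "peer authenticated by this end"
        else:
            verdicts[name] = "undetermined"
    return verdicts

# ppp568: lines from the post (wrapped line rejoined). ppp569: constructed contrast case.
SAMPLE = '''\
Jul 29 17:11:08 CEST: ppp568 LCP: State is Open
Jul 29 17:11:08 CEST: ppp568 PPP: Phase is AUTHENTICATING, by both
Jul 29 17:11:08 CEST: ppp568 CHAP: O CHALLENGE id 1 len 29 from "lac"
Jul 29 17:11:08 CEST: ppp568 CHAP: I CHALLENGE id 1 len 30 from "pppoe_client"
Jul 29 17:11:08 CEST: RADIUS/ENCODE(00000262): sendauth, failing over
Jul 29 17:11:08 CEST: ppp568 CHAP: Unable to authenticate for peer
Jul 29 17:11:08 CEST: ppp568 PPP: Phase is TERMINATING
Jul 29 17:12:30 CEST: ppp569 PPP: Phase is AUTHENTICATING, by this end
Jul 29 17:12:30 CEST: ppp569 CHAP: O CHALLENGE id 1 len 29 from "lac"
Jul 29 17:12:30 CEST: ppp569 CHAP: I RESPONSE id 1 len 34 from "pppoe_client"
Jul 29 17:12:30 CEST: ppp569 CHAP: O SUCCESS id 1 len 4
Jul 29 17:12:30 CEST: ppp569 PPP: Phase is UP
'''

if __name__ == "__main__":
    for session, verdict in diagnose(SAMPLE).items():
        print(session, "->", verdict)
```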

