Sunday, 19 April 2015

Quick Build - Cisco IOS PPPoE Server with RADIUS Authentication

In this guide I'll show you how to quickly set up an IOS-based PPPoE access concentrator and a RADIUS server for it to authenticate against. As part of the setup I'll include both dynamic (pool based) IP subscribers and a fixed IP subscriber, which should cover most basic use cases.

The setup I describe will look like this (we will only build the RADIUS and the AC):



If you need a client to go with it, please check out my post titled Quick build - PPPoE Client on Cisco IOS

Stage 1 - The RADIUS Server


Firstly we'll configure the RADIUS server - the starting point for this is a completely clean install of Kali Linux. It makes no difference if this is running as a VM or on a physical box but you will probably run out of "disk space" if you try to do this from a live CD boot. This assumes that you either have configured an Internet connection or have a full Kali disc / image from which to install packages.

Task 1 - Configure the Network Interface


Edit /etc/network/interfaces and add the following (adjust interface names as necessary):

auto eth1
iface eth1 inet static
    address 10.0.0.10
    netmask 255.255.255.0


Save the file, then run:

ifdown eth1
ifup eth1


Task 2 - Install FreeRADIUS


Assuming your Internet connection / Kali disc is accessible, just run:

apt-get update
apt-get install freeradius


Task 3 - Configure FreeRADIUS


The FreeRADIUS config files are pretty big and are mostly full of examples that aren't relevant to this setup, so we'll just set them aside and create new ones from scratch. Firstly we will replace the clients.conf file, which tells FreeRADIUS which NAS devices are allowed to send it requests and the shared secret each one will use.

Firstly, ditch the old one:
mv /etc/freeradius/clients.conf /etc/freeradius/ORIG-clients.conf

Next, edit /etc/freeradius/clients.conf and add:

client 10.0.0.100/32 {
    secret    = b0dges
    shortname = PE1
    nastype   = cisco
}


Save the file and exit. The secret is shared with the router (it becomes the "key" in Stage 2) and is what lets the router verify that an Access-Accept really came from this server, so outside a lab use something long and random rather than a dictionary word. Now do a similar thing with the users file (which is used to define how the users will be authenticated):

mv /etc/freeradius/users /etc/freeradius/ORIG-users

Edit /etc/freeradius/users and add:

foeh@fixed      Auth-Type := CHAP, Cleartext-Password := "password2"
                Framed-Protocol = PPP,
                Framed-IP-Address = 192.168.100.1
DEFAULT         Auth-Type := CHAP, Cleartext-Password := "password1"
                Framed-Protocol = PPP,
                Framed-IP-Address = 255.255.255.254


Save the file and exit. The order matters: the files module tries entries from the top of the file and stops at the first one that matches, and DEFAULT matches every username, so the fixed-IP user has to sit above it or it will be checked against "password1" and handed a pool address like everyone else. Note that the special "255.255.255.254" address above instructs the access concentrator to assign an IP locally from its pool (255.255.255.255 would instead let the client propose its own address). Two other things worth knowing: CHAP can only be verified by recomputing the challenge hash from the password, which is why the entries carry Cleartext-Password and why a hashed password store won't do; and the DEFAULT entry accepts any username at all that knows "password1", which is handy in a lab but not something to put in front of real subscribers.

Task 4 - Restart FreeRADIUS with the New Config


Simply run:

service freeradius restart


The service should restart without error. That's the difficult RADIUS config done, now onto the access concentrator!

Stage 2 - Configure the Access Concentrator


I'll go into a little more detail on this part as it's not quite as intuitive. The base device here is a router running IOS 12.3. Cisco's licensing model is complex and seems to vary wildly between platforms, so I'll let you poke around in Feature Navigator to work out which feature set and release will work on your device... It seems to work fine on a 3845 running the security services image, if that helps.

Task 1 - Configure Interfaces


We need a couple of interfaces configured here:
  • An interface towards RADIUS (obviously)
  • A loopback interface (used to address the "unnumbered" PPPoE tunnel interfaces)
  • A client interface (where the PPPoE users will attach)

interface FastEthernet1/0
 description To RADIUS
 ip address 10.0.0.100 255.255.255.0
 no shutdown
!
interface Loopback0
 description IP for Unnumbered Tunnel Interfaces
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/1
 description To Clients
 no shutdown
!


We won't configure anything on the client interface for the moment but we will return to it momentarily...

Task 2 - Configure PPPoE


Firstly we need to configure a BBA group, which is just a way to associate a bunch of settings with a particular interface. We'll use the default "global" group and configure it to use virtual-template 1:

bba-group pppoe global
 virtual-template 1

Next, we need to define what Virtual-Template1 is. Virtual template interfaces are used to define a prototype on which to base the Virtual-Access (tunnel) interfaces which are automatically created when a PPPoE user connects. In this most simple of examples we just define where the interface's local IP address should be cloned from, where the PPPoE user's IP address should be allocated from and the authentication protocol we want to use:

interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool localpool
 ppp authentication chap


The "peer default ip address" command above refers to a pool called "localpool", so we'd better create that:

ip local pool localpool 172.16.0.1 172.16.0.100

Now that we've defined all that good stuff, we need to apply the BBA group to the client interface:

interface FastEthernet0/1
 pppoe enable group global


Pretty simple so far and, in fact, that's most of the config done. All we need to do now is to...

Task 3 - Point the Router at the RADIUS


There are three relatively straightforward steps here. Firstly we have to enable AAA new model on the device and then define the RADIUS server details (note that FreeRADIUS listens on the standards-track ports 1812/1813 whereas IOS defaults to the legacy 1645/1646, so we need to specify them):

aaa new-model
radius server kali
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key b0dges


The "radius server" block form shown here is what newer IOS releases use; on older ones (including the 12.3 image mentioned above, which predates it) the same thing is expressed on a single "radius-server host" line carrying the address, both ports and the "key". Either way, the key has to match the secret in clients.conf exactly.


Then we have to tell the router to go to RADIUS when authenticating PPPoE users:

aaa authentication ppp default group radius
aaa authorization network default group radius


The second line is not necessary for dynamic (pool) IP users, but it tells the router to accept per-user attributes from RADIUS, the Framed-IP-Address among them. If you leave it out then users with a RADIUS-defined static IP will get one out of the pool like everyone else, so if RADIUS Framed-IP attributes appear to be ignored this is the first thing to check.
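To make the attribute flow concrete, here is an added model of one CHAP authentication between the access concentrator and the RADIUS server (example code written for this page, not the blog's configuration and not FreeRADIUS or IOS source). It builds a real RADIUS Access-Request carrying CHAP-Password and CHAP-Challenge the way the AC does, answers it using the Stage 1 users file entries (tried in file order, DEFAULT last), signs the reply with the clients.conf secret, and then applies the Framed-IP-Address rules above on the AC side: 255.255.255.254 means draw from localpool, anything else is a RADIUS-assigned static address, honoured only while the "aaa authorization network" line is present. The in-memory pool list, the `ac_authorizes_from_radius` flag and the packet identifiers are assumptions of the model; the secret, users and addresses are the page's lab values.

```python
import hashlib
import hmac
import os
import socket
import struct

# Lab values from the page: the clients.conf secret, the NAS address and the pool.
SECRET = b"b0dges"
NAS_IP = "10.0.0.100"
LOCAL_POOL = ["172.16.0.1", "172.16.0.2", "172.16.0.3"]   # ip local pool localpool (shortened)

# RFC 2865 packet codes, attribute types and the two reserved Framed-IP-Address values.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 3, 4
FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, CHAP_CHALLENGE = 7, 8, 60
FRAMED_PPP = struct.pack("!I", 1)
POOL_ADDRESS = "255.255.255.254"        # NAS picks an address from its own pool
NEGOTIATED_ADDRESS = "255.255.255.255"  # client may propose its own address

# The users file from Stage 1 as (username, cleartext password, Framed-IP-Address);
# None stands for DEFAULT. Entries are tried top-down and the first match wins,
# and DEFAULT matches every username, so it has to be the last entry.
USERS_FILE = [
    ("foeh@fixed", "password2", "192.168.100.1"),
    (None, "password1", POOL_ADDRESS),
]


def attr(kind, value):
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def chap_response(chap_id, password, challenge):
    """CHAP-Password value: Ident || MD5(Ident || password || challenge) (RFC 1994)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def lookup_user(username, users_file=USERS_FILE):
    """Mimic rlm_files: the first entry whose name matches (DEFAULT matches anyone) wins."""
    for name, password, framed_ip in users_file:
        if name is None or name == username:
            return password, framed_ip
    return None


def ac_access_request(username, password, chap_id=1, radius_id=42):
    """Access-Request the AC sends once the PPPoE client has answered its CHAP challenge."""
    challenge = os.urandom(16)
    body = b"".join([attr(USER_NAME, username.encode()),
                     attr(CHAP_PASSWORD, chap_response(chap_id, password, challenge)),
                     attr(CHAP_CHALLENGE, challenge),
                     attr(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)),
                     attr(FRAMED_PROTOCOL, FRAMED_PPP)])
    return struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(body)) + os.urandom(16) + body


def radius_server(request, secret=SECRET, users_file=USERS_FILE):
    """Answer the request the way FreeRADIUS with the users file above would."""
    code, ident, request_auth, attrs = parse(request)
    entry = lookup_user(attrs[USER_NAME].decode(), users_file)
    ok = False
    if code == ACCESS_REQUEST and entry and CHAP_PASSWORD in attrs:
        chap = attrs[CHAP_PASSWORD]
        challenge = attrs.get(CHAP_CHALLENGE, request_auth)  # no CHAP-Challenge: the Request Authenticator is the challenge
        # Checking CHAP means recomputing the hash from the password, which is
        # why the users file needs Cleartext-Password rather than a password hash.
        ok = hmac.compare_digest(chap, chap_response(chap[0], entry[0], challenge))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b"".join([attr(FRAMED_PROTOCOL, FRAMED_PPP),
                     attr(FRAMED_IP_ADDRESS, socket.inet_aton(entry[1]))]) if ok else b""
    header = struct.pack("!BBH", reply_code, ident, 20 + len(body))
    # Response Authenticator = MD5(header || Request Authenticator || attributes || secret):
    # the shared secret is the only thing that ties this reply to this server.
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def ac_handle_reply(request, reply, pool, ac_authorizes_from_radius=True):
    """Validate the reply with the AC's own key, then pick the subscriber's address."""
    _, ident, request_auth, _ = parse(request)
    code, reply_id, response_auth, attrs = parse(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + SECRET).digest()
    if reply_id != ident or not hmac.compare_digest(expected, response_auth):
        return "invalid", None           # key mismatch: IOS drops the reply and retries
    if code != ACCESS_ACCEPT:
        return "reject", None
    framed_ip = socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS]) if FRAMED_IP_ADDRESS in attrs else POOL_ADDRESS
    if not ac_authorizes_from_radius:     # no "aaa authorization network": attribute is ignored
        framed_ip = POOL_ADDRESS
    if framed_ip == POOL_ADDRESS:
        return "accept", pool.pop(0)      # peer default ip address pool localpool
    if framed_ip == NEGOTIATED_ADDRESS:
        return "accept", None             # address left to IPCP negotiation with the client
    return "accept", framed_ip            # RADIUS-defined static address


def pppoe_session(username, password, server_secret=SECRET, authorize=True, users_file=USERS_FILE):
    """One full authentication round trip; returns (outcome, address handed to the client)."""
    pool = list(LOCAL_POOL)
    request = ac_access_request(username, password)
    reply = radius_server(request, server_secret, users_file)
    return ac_handle_reply(request, reply, pool, authorize)
```

Running `pppoe_session("foeh@fixed", "password2")` yields the static 192.168.100.1, any other name with "password1" gets the first pool address, and passing `authorize=False` (no "aaa authorization network") sends even the fixed user to the pool. Feeding the server a different secret produces "invalid" rather than "reject": with CHAP nothing in the request is encrypted under the secret, so the server happily accepts and it is the router that throws the reply away, which is why a key mismatch looks like a silent server from the IOS side. Swapping the two users file entries round makes the fixed user fail, reproducing the ordering pitfall described in Stage 1.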

Note: "aaa new-model" also changes how console and VTY logins are authenticated, so before you save, configure some local usernames for access to the CLI and add "aaa authentication login default local" or similar; otherwise you may find you can't log back in.

At this point, your PPPoE Access Concentrator with RADIUS authentication is ready for use!

If you're unsure how to set up a client, I've also written quick build posts for that.



Debugging


No build would be complete without a little bit of debugging. This is such a straightforward setup that, barring layer 3 issues, there's not a lot that can go wrong. Troubleshooting would pretty much be as follows:

  • Verify that you are getting PPPoE control traffic in from your client (debug pppoe packet, debug pppoe event). The discovery sequence should be PADI, PADO, PADR, PADS. PADT indicates someone is pulling down the session; the debugs should show you who!
  • Check IP reachability to the RADIUS box using ping
  • Verify that FreeRADIUS is running (ps aux | grep freeradius), start it if necessary (/etc/init.d/freeradius start). For anything beyond that, stop the service and run it in the foreground with "freeradius -X": it prints every request it receives, which users file entry matched and why it accepted or rejected
  • If your client can't authenticate, check the password matches what's in FreeRADIUS (/etc/freeradius/users), not forgetting to restart FreeRADIUS if you make changes (/etc/init.d/freeradius restart)
  • If the passwords match but you are still getting authentication errors, verify that your secrets match between the router ("key" under "radius server") and FreeRADIUS (/etc/freeradius/clients.conf), that the NAS IP in clients.conf matches your router and that FreeRADIUS has been restarted since the last change (/etc/init.d/freeradius restart). A router whose address isn't in clients.conf shows up in "freeradius -X" as a request from an unknown client. A wrong secret is quieter: with CHAP nothing in the request is encrypted under it, so FreeRADIUS still sends an Access-Accept, and it is the router that discards the reply because the authenticator doesn't verify, so from the router's side the server simply appears not to respond (debug radius will show the replies arriving and being thrown away)
  • Check your PPP is negotiating OK (debug ppp negotiation); "show pppoe session" and "show ip local pool localpool" confirm which sessions came up and which addresses they were given
Some more tips that may be helpful can be found on my post about debugging Cisco PPPoE clients.

6 comments:

  1. Hi, thank you for this great tutorial but I have a problem with FreeRADIUS: the request from the AC is always rejected ...

    "freeradius -X" output is like that:

    1) if I use CHAP in AC and client, the error is---> [chap] Cleartext-password is required for authentication
    And the attribute in the request is "CHAP-Password" and value crypted I think ...
    2) if I use PAP in AC and client, the error is ---> No authentication method found for the request
    3) if I run "test aaa group radius my_user my_password legacy" , request is accepted if "Auth-Type:=PAP" in Freeradius user file but i get the same error like in first case if I put "Auth-Type:=CHAP"


    I work with:
    AC [c3700 then c7200]
    Client [c3700 and Mikrotik]
    Radius Server [Freeradius 2.5 , Debian7 packets...]

    Sorry, I'm bad at English but I REALLY NEED YOUR HELP... PLEASE

    1. Hi,

      First, make sure you are editing the correct users file. In the example above I say to delete the whole contents of that file rather than edit, otherwise if you add to the end your config can be ignored.

      Next, check that your FreeRADIUS users file is correct - the first error message suggests that the username with which you tried to authenticate does not have a Cleartext-Password set - check for typos, quote marks, etc. and also ensure that your request is matching against the correct user entry (should say what user you match in the debug). If it's hitting a DEFAULT, try configuring a specific username at the start of the file and see whether that matches - if not then either your RADIUS config is strange or you are editing the wrong file.

      PAP won't work while you have "Auth-Type := CHAP" configured under the user, you can delete that statement if you want to allow PAP or CHAP authentications or change it to PAP for PAP only. I guess from your last point that you already know this.

      I hope this helps. To suggest anything else I'd need to see the config files, user file and the debug output - if you want to upload them somewhere I can take a look.

    2. Oops ...
      The problem is that I edited the "user" file instead of creating a new one ...
      Now, everything is OK
      THANK YOU SO MUCH

      However, I have a question: why is the config ignored in some cases but not when I use "RADTEST" on Linux or "TEST AAA" on IOS?

    3. I think it is because the default users.conf file contains a DEFAULT section which matches requests with a Framed-Protocol of PPP - the CLI tools will not trigger that rule because they don't set a framed protocol whereas the "real" users will be PPP so that rule will fire.

  2. Hi,

    how many users can I support with a Router and a Free Radius Server?
    I need 10,000 users authenticating.

    1. Hi, Felipe.

      10,000 users should be no problem for FreeRADIUS but you may need to use a SQL database backend for that. Getting 10k subscribers up on one router is going to be tricky; I seem to remember hitting a limit of 4k subscribers on a Cisco 3845, however, now that I look at the scaling document, it suggests the maximum should be 1.2k. I wouldn't like to make promises about the scalability of any particular platform; if one device doesn't cut it then you can put multiple on the same segment to try and load balance. Most clients will connect to the first AC that responds, you can use PADO delay to favour one over another.

      If this is for lab use then you could just set up a wildcard in RADIUS to accept any username - just create a DEFAULT entry (check the FreeRADIUS documentation, it's possible to set the values of attributes based on the offered username and so on).

      Regards,

      Foeh
