In this guide I'll show you how to quickly set up an IOS-based PPPoE access concentrator and a RADIUS server for it to authenticate against. As part of the setup I'll include both dynamic (pool based) IP subscribers and a fixed IP subscriber, which should cover most basic use cases.
The setup I describe will look like this (we will only build the RADIUS and the AC):
If you need a client to go with it, please check out my post titled
Quick build - PPPoE Client on Cisco IOS
Stage 1 - The RADIUS Server
Firstly we'll configure the RADIUS server - the starting point for this is a completely clean install of Kali Linux. It makes no difference if this is running as a VM or on a physical box but you will probably run out of "disk space" if you try to do this from a live CD boot. This assumes that you either have configured an Internet connection or have a full Kali disc / image from which to install packages.
Task 1 - Configure the Network Interface
Edit
/etc/networks/interfaces and add the following (adjust interface names as necessary):
auto eth1
iface eth1 inet static
address 10.0.0.10
netmask 255.255.255.0
Save the file, then run:
ifdown eth1
ifup eth1
Task 2 - Install FreeRADIUS
Assuming your Internet connection / Kali disc is accessible, just run:
apt-get update
apt-get install freeradius
Task 3 - Configure FreeRADIUS
The FreeRADIUS config files are pretty big and are mostly full of examples that aren't relevant to this setup, so we'll just set them aside and create new ones from scratch. Firstly we will replace the clients.conf file which tells FreeRADIUS which devices are allowed to authenticate against it.
Firstly, ditch the old one:
mv /etc/freeradius/clients.conf /etc/freeradius/ORIG-clients.conf
Next, edit
/etc/freeradius/clients.conf and add:
client 10.0.0.100/32 {
secret = b0dges
shortname = PE1
nastype = cisco
}
Save the file and exit. Now do a similar thing with the
users file (which is used to define how the users will be authenticated):
mv /etc/freeradius/users /etc/freeradius/ORIG-users
Edit
/etc/freeradius/users and add:
DEFAULT Auth-Type := CHAP, Cleartext-Password := "password1"
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254
foeh@fixed Auth-Type := CHAP, Cleartext-Password := "password2"
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.100.1
Save the file and exit. Note that the special "
255.255.255.254" address above instructs the access concentrator to assign an IP locally from its pool.
Task 4 - Restart FreeRADIUS with the New Config
Simply run:
service freeradius restart
The service should restart without error. That's the difficult RADIUS config done, now onto the access concentrator!
Stage 2 - Configure the Access Concentrator
I'll go into a little more detail on this part as it's not quite as intuitive. The base device here is an IOS 12.3 router, Cisco's licensing model is complex and seems to vary wildly between platforms so I'll let you poke around in feature navigator to work out which feature set and release will work on your device... It seems to work fine on a 3845 running security services if that helps.
Task 1 - Configure Interfaces
We need a couple of interfaces configured here:
- An interface towards RADIUS (obviously)
- A loopback interface (used to address the "unnumbered" PPPoE tunnel interfaces)
- A client interface (where the PPPoE users will attach)
interface FastEthernet1/0
description To RADIUS
ip address 10.0.0.100 255.255.255.0
no shutdown
!
interface Loopback0
description IP for Unnumbered Tunnel Interfaces
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/1
description To Clients
no shutdown
!
We won't configure anything on the client interface for the moment but we will return to it momentarily...
Task 2 - Configure PPPoE
Firstly we need to configure a BBA group, which is just a way to associate a bunch of settings with a particular interface. We'll use the default "global" group and configure it to use virtual-template 1:
bba-group pppoe global
virtual-template 1
Next, we need to define what
Virtual-Template1 is. Virtual template interfaces are used to define a prototype on which to base the Virtual-Access (tunnel) interfaces which are automatically created when a PPPoE user connects. In this most simple of examples we just define where the interface's local IP address should be cloned from, where the PPPoE user's IP address should be allocated from and the authentication protocol we want to use:
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool localpool
ppp authentication chap
The "
peer default ip address" command above refers to a pool called "
localpool", so we'd better create that:
ip local pool localpool 172.16.0.1 172.16.0.100
Now that we've defined all that good stuff, we need to apply the BBA group to the client interface:
interface FastEthernet0/1
pppoe enable group global
Pretty simple so far and, in fact, that's most of the config done. All we need to do now is to...
Task 3 - Point the Router at the RADIUS
There are three relatively straightforward steps here, firstly we have to enable AAA new model on the device and then define the RADIUS server details (note, FreeRADIUS' ports differ from Cisco's defaults so we need to specify them):
aaa new-model
radius server kali
address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
key b0dges
Then we have to tell the router to go to RADIUS when authenticating PPPoE users:
aaa authentication ppp default group radius
aaa authorization network default group radius
The second line is not necessary for dynamic IP users but instructs the router that it should allow RADIUS to tell it what the user's IP (and some other things) should be. If you leave out the last line then users with a RADIUS defined static IP will get one out of the pool like everyone else, so if RADIUS Framed-IP attributes are being ignored this is probably the cause.
Note: You may want to configure some local usernames for access to the CLI and add "
aaa authentication login default local" or similar.
At this point, your PPPoE Access Concentrator with RADIUS authentication is ready for use!
If you're unsure how to set up a client, I've also written quick build posts for that:
Debugging
No build would be complete without a little bit of debugging. This is such a straightforward setup that, barring layer 3 issues, there's not a lot that can go wrong. Troubleshooting would pretty much be as follows:
- Verify that you are getting PPPoE control traffic in from your client (debug pppoe packet, debug pppoe event). The sequence should be PADI, PADO, PADR, PADS. PADT indicates someone is pulling down the session, the debugs should show you who!
- Check IP reachability to the RADIUS box using ping
- Verify that FreeRADIUS is running (ps -aux | grep freeradius), start it if necessary (/etc/init.d/freeradius start)
- If your client can't authenticate, check the password matches what's in FreeRADIUS (/etc/freeradius/users), not forgetting to restart FreeRADIUS if you make changes (/etc/init.d/freeradius restart)
- If the passwords match but you are still getting authentication errors, verify that your secrets match between the router ("key" under "radius-server") and FreeRADIUS (/etc/freeradius/clients.conf), the NAS IP matches your router and that FreeRADIUS has been restarted since the last change (/etc/init.d/freeradius restart)
- Check your PPP is negotiating OK (debug ppp negotiation)
Some more tips that may be helpful can be found on
my post about debugging Cisco PPPoE clients.
