RADIUSdesk


Differences

This shows you the differences between two versions of the page.


technical:ppp-pppoe-basic [2023/09/26 22:01]
admin [Our setup]
technical:ppp-pppoe-basic [2023/10/15 06:56] (current)
admin [Connecting a Client]
Line 4: Line 4:
   * It will consist of the following:   * It will consist of the following:
         * A PPPoE server using RADIUS for AAA.         * A PPPoE server using RADIUS for AAA.
-        * Host machine act as a router.+        * The host machine running the PPPoE server will also act as a router.
   * What will **not be** configured here:   * What will **not be** configured here:
         * COA / Disconnection of users.         * COA / Disconnection of users.
  
-===== Our setup =====+===== Our Setup =====
   * We will use a standard Ubuntu 22.04 VM which is running in Virtual-box with **one** network interface.   * We will use a standard Ubuntu 22.04 VM which is running in Virtual-box with **one** network interface.
-  * We use one network interface to prove that since PPPoE is a layer 2 protocol; it can live together on the same network running TCP/IP without interfering.+<code> 
 +ip -brief address show enp0s3 
 +enp0s3           UP             192.168.8.119/24 metric 100 fd00:add5:73db:f600:a00:27ff:fe08:a18/64 fe80::a00:27ff:fe08:a18/64  
 +</code> 
 +  * We use one network interface (enp0s3) to prove that since PPPoE is a layer 2 protocol; it can live together on the same network running TCP/IP without interfering.
   * A more robust and scalable option can be using a Virtial Machine with two network interfaces or use VLANs.   * A more robust and scalable option can be using a Virtial Machine with two network interfaces or use VLANs.
  
 ===== Config file ===== ===== Config file =====
-  * Accel-ppp has a single configuration file with various sections. +  * Accel-ppp has a single configuration file with various sections. //(/etc/accel-ppp.conf)// 
-  * Below is our slimmed down config file which removed some sections which we will not use to make it less intimidating. +  * Below is our slimmed down **accel-ppp.conf** file
-<code>+  * We removed unused sections to make it less intimidating. 
 +<file bash accel-ppp.conf>
 [modules] [modules]
 log_file log_file
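Review bot: two wording fixes in this hunk: the added bullet "since PPPoE is a layer 2 protocol; it can live together on the same network" needs a comma rather than a semicolon after "protocol", and the unchanged next bullet spells "Virtial Machine". Since the added `ip -brief address show enp0s3` output makes clear that the PPPoE server shares the host's only interface, and therefore its management and TCP/IP traffic, with every other host on that segment, it is worth saying so in one sentence here, because that is the reason the later `[pppoe]` and `[cli]` options deserve attention.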
Line 34: Line 39:
 mtu=1400 mtu=1400
 mru=1400 mru=1400
-#accomp=deny 
-#pcomp=deny 
-#ccp=0 
-#mppe=require 
 ipv4=require ipv4=require
 ipv6=deny ipv6=deny
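Review bot: dropping `#mppe=require` and `#ccp=0` is fine for a slimmed file, but they were the only hint that the PPP link itself carries no encryption; with `auth_pap` chosen elsewhere on this page MPPE cannot be negotiated anyway, so a one-line remark that the PPPoE payload on this LAN is sent in the clear would help readers judge the setup.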
Line 44: Line 45:
 ipv6-accept-peer-intf-id=1 ipv6-accept-peer-intf-id=1
 lcp-echo-interval=20 lcp-echo-interval=20
-#lcp-echo-failure=3 
 lcp-echo-timeout=120 lcp-echo-timeout=120
 unit-cache=1 unit-cache=1
-#unit-preallocate=1 
  
 [pppoe] [pppoe]
 verbose=1 verbose=1
-#ac-name=xxx 
-#service-name=yyy 
-#pado-delay=0 
-#pado-delay=0,100:100,200:200,-1:500 
 called-sid=mac called-sid=mac
-#tr101=1 
-#padi-limit=0 
-#ip-pool=pppoe 
-#ipv6-pool=pppoe 
-#ipv6-pool-delegate=pppoe 
-#ifname=pppoe%d 
-#sid-uppercase=0 
-#vlan-mon=eth0,10-200 
-#vlan-timeout=60 
-#vlan-name=%I.%N 
-#interface=eth1,padi-limit=1000 
 interface=enp0s3 interface=enp0s3
  
Line 82: Line 66:
 dae-server=127.0.0.1:3799,testing123 dae-server=127.0.0.1:3799,testing123
 verbose=1 verbose=1
-#timeout=3 
-#max-try=3 
-#acct-timeout=120 
-#acct-delay-time=0 
-#acct-delay-start=0 
-#acct-on=0 
-acct-interim-interval=120 
-#acct-interim-jitter=0 
-#default-realm= 
-#strip-realm=0 
-#attr-tunnel-type=My-Tunnel-Type 
-#nas-port-id-in-req=1 
  
 [client-ip-range] [client-ip-range]
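Review bot: `acct-interim-interval=120` is removed here together with the commented options, but unlike them it is an active setting; if the intention was only to strip comments, keep it (the `interim sent: 254` counter in the accel-cmd output further down the page shows the running server still sends interim accounting, so the file as shown no longer matches the server that produced that output). Also, `dae-server=127.0.0.1:3799,testing123` uses the same well-known test value as the client password on this page; a sentence telling readers to replace that secret before the CoA/DAE port is reachable from anywhere but loopback would be useful.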
Line 101: Line 73:
 [ip-pool] [ip-pool]
 gw-ip-address=192.168.0.1 gw-ip-address=192.168.0.1
-#vendor=Cisco 
-##attr=Cisco-AVPair 
 attr=Framed-Pool attr=Framed-Pool
 192.168.0.2-255 192.168.0.2-255
Line 115: Line 85:
 log-emerg=/var/log/accel-ppp/emerg.log log-emerg=/var/log/accel-ppp/emerg.log
 log-fail-file=/var/log/accel-ppp/auth-fail.log log-fail-file=/var/log/accel-ppp/auth-fail.log
-#log-debug=/dev/stdout 
-#syslog=accel-pppd,daemon 
-#log-tcp=127.0.0.1:3000 
 copy=1 copy=1
-#color=1 
-#per-user-dir=per_user 
-#per-session-dir=per_session 
-#per-session=1 
 level=3 level=3
  
Line 128: Line 91:
 vendor=Mikrotik vendor=Mikrotik
 attr=Mikrotik-Rate-Limit attr=Mikrotik-Rate-Limit
-#rate-multiplier=10000 
-#attr=Filter-Id 
-#down-burst-factor=0.1 
-#up-burst-factor=1.0 
-#latency=50 
-#mpu=0 
-#mtu=0 
-#r2q=10 
-#quantum=1500 
-#moderate-quantum=1 
-#cburst=1534 
-#ifb=ifb0 
 up-limiter=police up-limiter=police
 down-limiter=tbf down-limiter=tbf
-#leaf-qdisc=sfq perturb 10 
-#leaf-qdisc=fq_codel [limit PACKETS] [flows NUMBER] [target TIME] [interval TIME] [quantum BYTES] [[no]ecn] 
-#rate-multiplier=1 
-#fwmark=1 
-#rate-limit=2048/1024 
-#attr-down=PPPD-Downstream-Speed-Limit 
-#attr-up=PPPD-Upstream-Speed-Limit 
 verbose=1 verbose=1
  
Line 155: Line 99:
 telnet=127.0.0.1:2000 telnet=127.0.0.1:2000
 tcp=127.0.0.1:2001 tcp=127.0.0.1:2001
-#password=123 
-#sessions-columns=ifname,username,ip,ip6,ip6-dp,type,state,uptime,uptime-raw,calling-sid,called-sid,sid,comp,inbound-if,service-name,rx-bytes,tx-bytes,rx-bytes-raw,tx-bytes-raw,rx-pkts,tx-pkts,netns,vrf 
  
-</code+</file
-  * Some of the sections merits more discussion which will follow.+  * Next we can look at some of these sections in more detail.
  
 ==== Modules ==== ==== Modules ====
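Review bot: the closing tag in this hunk reads `</file` without the trailing `>`; if that is really in the source and not a rendering artifact of the comparison view, the file block opened with `<file bash accel-ppp.conf>` never closes and the rest of the page renders inside it. Separately, removing `#password=123` drops the only mention that the telnet/tcp CLI can be password-protected; since `accel-cmd show sessions` later in the page exposes usernames, MAC addresses and assigned IPs, keep a sentence noting that the CLI is bound to 127.0.0.1 here and should stay there or be given a password if it is ever bound elsewhere.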
Line 165: Line 107:
   * The following modules are crucial in our setup:   * The following modules are crucial in our setup:
      * **pppoe** This module is used to create the PPPoE server.      * **pppoe** This module is used to create the PPPoE server.
-     * **auth_pap** We will use PAP authentication to keep it simple. There are however also support for other authentication protocols like CHAP and MSCHAP. So You can include those modules if you want to include support for additional authentication protocols.+     * **auth_pap** We will use PAP authentication to keep it simple. There are however also support for other authentication protocols like CHAP and MSCHAP. Include those modules if you want to support additional authentication protocols.
      * **radius** The PPP part of PPPoE will communicate with RADIUS in order to try and authenticate a user. The reply from RADIUS can be used to determine / set items like the IP Pool from which the client needs to get an IP Address, and the bandwidth allocated to the connection.      * **radius** The PPP part of PPPoE will communicate with RADIUS in order to try and authenticate a user. The reply from RADIUS can be used to determine / set items like the IP Pool from which the client needs to get an IP Address, and the bandwidth allocated to the connection.
-     * **shaper** In order to throttle / shape the bandwidth of the connection the shaper module is used. can get a per user instruction from RADIUS or can apply a global defined default value for all the other connections. The shaper also include support for more advanced features like bursting.+     * **shaper** In order to throttle / shape the bandwidth of the connection the shaper module is used. It can get a per user instruction from RADIUS or can apply a global defined default value for all the other connections. The shaper also includes support for more advanced features like bursting.
  
 ==== pppoe ==== ==== pppoe ====
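Review bot: grammar in the `auth_pap` and `shaper` bullets: "There are however also support for" should be "There is, however, also support for", and "a global defined default value" should be "a globally defined default value". Since the `auth_pap` bullet says PAP was chosen to keep things simple, add that PAP transmits the password unprotected on the PPP link (it is only obfuscated on the RADIUS leg), so readers know what the simplification costs.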
Line 176: Line 118:
  
 ==== radius ==== ==== radius ====
-  * We comment the following out. If we don'accel-ppp will not start up when the values specified there does not match the IP setup of the machine.+  * We comment the following out. If we don't, Accel-ppp will not start up when the values specified does not match the IP setup of the machine.
 <code> <code>
 #nas-ip-address=192.168.8.118 #nas-ip-address=192.168.8.118
Line 189: Line 131:
  
 ==== shaper ==== ==== shaper ====
-  * We use machine as a ** drop-in replacement for a Mikrotik router**. We then have to specify to the shaper to look for Mikrotik reply attributes and apply them.+  * We use this machine as a ** drop-in replacement for a Mikrotik router**.  
 +  * We have to inform the shaper to look for Mikrotik reply attributes and apply them.
 <code> <code>
 vendor=Mikrotik vendor=Mikrotik
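Review bot: in the `radius` bullet, "when the values specified does not match" should be "when the values specified do not match". The hunk also makes the concrete cause visible but does not say it: the commented `#nas-ip-address=192.168.8.118` differs from the `192.168.8.119/24` shown by `ip -brief address show enp0s3` at the top of the page, which is exactly why the daemon would refuse to start; stating that would turn the bullet from a rule into an explanation.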
Line 245: Line 188:
   * There are a couple of log files which you can **tail -f** in order to help troubleshoot if things are not working as intented.   * There are a couple of log files which you can **tail -f** in order to help troubleshoot if things are not working as intented.
 <code> <code>
-system@osboxes:/var/log/accel-pppls -l+cd /var/log/accel-ppp 
 +ls -l
 total 2576 total 2576
 -rw------- 1 root root 1781664 Sep 26 19:05 accel-ppp.log -rw------- 1 root root 1781664 Sep 26 19:05 accel-ppp.log
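Review bot: typo in the unchanged bullet, "intented" should be "intended". The listing shows the log files as `-rw------- root root`, so the `cd`/`ls`/`tail -f` sequence only works as root; the later section uses `sudo tail -f`, and the same hint belongs here.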
Line 364: Line 308:
   261 36732 MASQUERADE  all  --  any    enp0s3  anywhere             anywhere               261 36732 MASQUERADE  all  --  any    enp0s3  anywhere             anywhere            
 </code> </code>
 +
 +===== Connecting a Client =====
 +  * Everything is now set up and ready for the first client to connect.
 +  * We will use OpenWrt with the following ///etc/config/network// config.
 +  * The PPPoE username is ''dirk'' and  password is ''testing123''.
 +<code bash>
 +
 +config interface 'loopback'
 +        option device 'lo'
 +        option proto 'static'
 +        option ipaddr '127.0.0.1'
 +        option netmask '255.0.0.0'
 +
 +config device
 +        option name 'br-lan'
 +        option type 'bridge'
 +        list ports 'wan'
 +
 +config interface 'lan'
 +        option device 'br-lan'
 +        option proto 'pppoe'
 +        option username 'dirk'
 +        option password 'testing123'
 +</code>
 +  * This device has to be connected to the **same network** (broadcast domain) where our Accel-ppp server is running in order for the network packets to reach the PPPoE server.
 +
 +===== Checking The Log File =====
 +  * The Accel-ppp log file will give us more feedback when a client connects.
 +  * Run the following command
 +<code>
 +sudo tail -f /var/log/accel-ppp/accel-ppp.log 
 +</code>
 +  * Here is the output we got
 +<code>
 +[2023-10-15 02:53:26]:  info: enp0s8: send [RADIUS(1) Access-Request id=1 <User-Name "dirk"> <NAS-Identifier "accel-ppp"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "c4:4b:d1:00:97:49"> <Called-Station-Id "08:00:27:08:25:67"> <User-Password 0xa8b2cc499a76d411bc05892369653482>]
 +[2023-10-15 02:53:26]:  info: enp0s8: recv [RADIUS(1) Access-Accept id=1 <Framed-Pool "pool1"> <Framed-Protocol PPP> <Mikrotik-Rate-Limit "512k/512k 1024k/1024k 1024k/1024k 100/100"> <Framed-Compression Van-Jacobson-TCP-IP> <Vendor-Specific 0x0000372a080600000200> <Vendor-Specific 0x0000372a070600000200>]
 +[2023-10-15 02:53:26]:  info: ppp1: connect: ppp1 <--> pppoe(c4:4b:d1:00:97:49)
 +[2023-10-15 02:53:26]:  info: ppp1: dirk: authentication succeeded
 +[2023-10-15 02:53:26]:  warn: ppp1: IPV6CP: discarding packet
 +[2023-10-15 02:53:26]:  info: ppp1: send [RADIUS(1) Accounting-Request id=1 <User-Name "dirk"> <NAS-Identifier "accel-ppp"> <NAS-Port 1> <NAS-Port-Id "ppp1"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "c4:4b:d1:00:97:49"> <Called-Station-Id "08:00:27:08:25:67"> <Acct-Status-Type Start> <Acct-Authentic RADIUS> <Acct-Session-Id "f2119cecef0b3356"> <Acct-Session-Time 0> <Acct-Input-Octets 0> <Acct-Output-Octets 0> <Acct-Input-Packets 0> <Acct-Output-Packets 0> <Acct-Input-Gigawords 0> <Acct-Output-Gigawords 0> <Framed-IP-Address 192.168.1.3>]
 +[2023-10-15 02:53:26]:  info: ppp1: recv [RADIUS(1) Accounting-Response id=1]
 +
 +</code>
 +
 +===== Using accel-cmd =====
 +  * You can get more information on the current running instance of Accel-ppp by using the accel-cmd program.
 +<code>
 +accel-cmd show stat
 +</code>
 +  * Results in the following in our case
 +<code>
 +accel-cmd show stat
 +uptime: 0.08:17:34
 +cpu: 0%
 +mem(rss/virt): 5240/244536 kB
 +core:
 +  mempool_allocated: 177084
 +  mempool_available: 165700
 +  thread_count: 4
 +  thread_active: 1
 +  context_count: 9
 +  context_sleeping: 0
 +  context_pending: 0
 +  md_handler_count: 8
 +  md_handler_pending: 0
 +  timer_count: 3
 +  timer_pending: 0
 +sessions:
 +  starting: 0
 +  active: 1
 +  finishing: 0
 +pppoe:
 +  starting: 0
 +  active: 1
 +  delayed PADO: 0
 +  recv PADI: 4
 +  drop PADI: 0
 +  sent PADO: 4
 +  recv PADR(dup): 4(0)
 +  sent PADS: 4
 +  filtered: 0
 +radius(1, 164.160.89.129):
 +  state: active
 +  fail count: 0
 +  request count: 0
 +  queue length: 0
 +  auth sent: 4
 +  auth lost(total/5m/1m): 0/0/0
 +  auth avg query time(5m/1m): 0/0 ms
 +  acct sent: 7
 +  acct lost(total/5m/1m): 0/0/0
 +  acct avg query time(5m/1m): 0/0 ms
 +  interim sent: 254
 +  interim lost(total/5m/1m): 6/0/0
 +  interim avg query time(5m/1m): 59/0 ms
 +
 +</code>
 +  * To see the current active sessions
 +<code>
 +accel-cmd show sessions
 +</code>
 +  * Result in the following:
 +<code>
 + ifname | username |    calling-sid    |     ip      | rate-limit | type  | comp | state  |  uptime  
 +--------+----------+-------------------+-------------+------------+-------+------+--------+----------
 + ppp0   | dirk     | c4:4b:d1:00:97:49 | 192.168.1.4 | 512/512    | pppoe |      | active | 00:48:53 
 +
 +</code>
 +
 +
 +
 +
 +
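Review bot: the log excerpt reports the RADIUS exchange on `enp0s8`, while the configuration earlier on the page uses `interface=enp0s3` and the setup section says the VM has one interface; either explain where `enp0s8` comes from or update the config, otherwise readers comparing their own log will assume a fault. In the same excerpt the Access-Accept carries `Framed-Pool "pool1"` and the session receives `Framed-IP-Address 192.168.1.3`, but the `[ip-pool]` section shown above defines only a `192.168.0.2-255` range and no `pool1`; the slimmed config should include the pool the example actually uses. Finally, `show stat` lists the RADIUS server as `164.160.89.129`, a public address, with `interim lost(total/5m/1m): 6/0/0`; the page should state whether traffic to it is tunnelled, since plain RADIUS over UDP protects only the User-Password attribute (by obfuscation with the shared secret) and leaves usernames, MAC addresses and accounting data readable in transit, and the lost interim updates may indicate an unreliable path to that server.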