Implementing PPPOE for an ISP company

Hello,

I hope that somebody can provide information and guidance.

We are an ISP and we are planning to implement PPPoE for our services. Our main concern is our individual subscribers; we are currently using MikroTiks and Radius Manager as the authentication server. Can somebody advise how it would affect our current configuration/setup? Will it affect the entire setup?

Any suggestion and input is highly appreciated.

Thanks in advance.

Andrew

It all depends on what your current configuration is.

I recently set up a PPPoE-based setup for around 2000-2500 users. PPPoE is more secure in some aspects, but every type of service has its pros and cons/limitations. This setup was previously VPN-based, but they were annoyed by ARP poisoning issues; they also don't have manageable switches/routers, so they moved to an IP-less PPPoE-based service.

MikroTik as PPPoE server along with DMASoftlab Radius Manager 3.9 for a self-registration / refill scratch card based setup, and SQUID acting as GW/caching server with ZPH.

Working really nicely so far :~) with about a 35% cache hit ratio.

Hi Syed,

Thank you for your prompt input.

As of now we have about the same number of users (except corporate accounts). Our users connect via hotspot on MikroTiks and are authenticated by the RADIUS server. We just use the main router as GW and have no proxy/caching server yet.

I would like to test on a workbench, but I am very much new to this and will need basic implementation assistance. What equipment and software should I prepare for the implementation, and how does a client connect and get authenticated on the RADIUS server? Please guide.

Another issue that we are experiencing is customers using unauthorized routers. I can block them by MAC address, but there are smart users who know how to change their MAC or clone their PC's MAC address onto their router. Have you experienced this, and how do you address it?

Thanks,

Andrew

My setup details.

Main MikroTik = v4.17 x86 / Xeon 3.6 GHz Dual / 2 GB RAM / WD 500 GB SATA HDD

MikroTik 8x DSL (8MB each) WAN L.B = v4.17 x86 / Xeon 3.6 GHz Dual / 2 GB RAM / WD 500 GB SATA HDD
(This is temporary; soon it will be replaced by fiber optic bandwidth)

MikroTik RB750 = Just for HOTSPOT to redirect users to the self-care portal.
(This can be done on the main MT also, but I prefer it this way)

Radius = DMASoftlab RM 3.9 installed on Fedora v10 / Xeon 3.6 GHz Dual / 4 GB RAM / WD 500 GB x2 SATA HDD

SQUID + GW = SQUID v2.7 on Ubuntu Karmic Koala v9.10 / Xeon 3.6 GHz Dual / 16 GB RAM /
WD 500 GB x3 SATA HDD (2 HDDs reserved for cache)


In my setup, I have set up HOTSPOT on the extra RB750 only to redirect the user to my advertisement page, where he is informed that he is not logged in via the dialer and should either create / refresh his ID from the RM User Self Care Portal or, if he already has an ID, connect with it via the dialer. I don't prefer HotSpot due to various security reasons.

The user's PC MAC address is bound to the user ID upon first login via RADIUS. Only a single session is allowed; no multiple sessions are allowed. This is a fully automated system: I provide the user with a scratch card (with refill code) only, which he can use to refill his account according to the card amount/package from the RM user self-care portal. An RM demo can be viewed at
http://www.dmasoftlab.com/cont/radman


I have provided users with a dialer package. When they try to connect to the main MikroTik (via the PPPoE dialer), MT verifies it by asking the RADIUS server for the account's validity; if the ID is valid, the user connects fine and can use the internet, otherwise he gets disconnected.


Please find attached my network diagram (this was the initial design; I made a few changes afterward: I removed the Linux transparent bridge due to heavy FTP usage on the intranet, and I also intend to move FTP from the MT DMZ to the user subnet with RADIUS authentication so only valid users can access FTP).

Hi Syed,

Thank you very much for this very informative reference. I will definitely use it as a reference when implementing our own.

Again, thank you very much.

Andrew