ScottReed
Member Candidate
Topic Author
Posts: 111
Joined: Thu Sep 24, 2009 9:47 pm
Location: Montana / Western Massachusetts

Centralized RADIUS for PPPoE Authentication

Tue Jan 13, 2015 11:41 pm

I have a test lab setup with three routers using OSPF. I'm currently working on a project to implement PPPoE authentication into our production network.

On one router I am running UserManager, and on the other two I have set up PPPoE Servers/Profiles and have opted to have the authentication requests be sent to my router where UserManager is installed. In the lab I am using a laptop behind the routers to simulate a PPPoE connection. I have created a test user in UserManager and added both routers.

I turned on pppoe and radius debug logging and I keep seeing this on my UserManager router when I try to authenticate a user with PPPoE:
radius,debug received remote request from 10.10.1.6:35096 with unknown address, dropping
If I instead set up the user on the local router, the authentication occurs instantly.

I have found some posts about this debug message, but none have pointed me in the right direction.
NathanA
Forum Veteran
Posts: 801
Joined: Tue Aug 03, 2004 9:01 am

Re: Centralized RADIUS for PPPoE Authentication

Wed Jan 14, 2015 3:25 am

radius,debug received remote request from 10.10.1.6:35096 with unknown address, dropping
I'm pretty sure this means basically what it says: that you have no entry under '/tool user-manager router' with 'ip-address' that matches 10.10.1.6. Every RADIUS client (PPP server) *must* have a unique entry under '/tool user-manager router', as they are matched by IP address. This is no different than any other RADIUS server...all RADIUS clients (NAS) are authorized by the RADIUS server using a combination of source IP address and shared secret. Both must match or the RADIUS request is rejected by the server.

Perhaps you think you have an entry for your NAS/PPP server under '/tool user-manager router' on your User Manager router, but the NAS has multiple IP addresses and is sourcing RADIUS requests to your User Manager router using a different IP than what you specified for 'ip-address'. Since you said you are using OSPF, this seems to me to be a possibility. I am guessing you have a loopback IP set up on your test NAS, and this is what you added as the IP address of the RADIUS client on User Manager, but the NAS is instead sourcing packets to the User Manager server from whatever IP address is on the interface that the packets are being sent out. You can either add multiple entries to '/tool user-manager router', one for each IP address that each NAS is likely to source RADIUS requests from, or you can try to change the 'pref-src' attribute for the routes in your routing table on each NAS (easiest way is by using routing filters) so that they source traffic from the loopback IP at all times.

-- Nathan
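
Added example, not part of the thread and not User Manager's own code: a generic sketch of the check described in the reply above, where a RADIUS server looks up the client by source IP and then verifies the shared secret through the Message-Authenticator attribute. The 10.10.1.1 loopback address, the secret and the packet are constructed, and requiring Message-Authenticator is an assumption of this sketch.

```python
import hashlib
import hmac
import struct

# Constructed client table: source IP -> shared secret, playing the role of
# the '/tool user-manager router' entries. 10.10.1.1 is an assumed loopback.
CLIENTS = {"10.10.1.1": b"lab-secret"}
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)


def build_access_request(secret: bytes, ident: int = 1) -> bytes:
    """Build a constructed Access-Request with a valid Message-Authenticator."""
    user = b"testuser"
    attrs = bytes([1, 2 + len(user)]) + user + bytes([MSG_AUTH, 18]) + bytes(16)
    # Code 1 = Access-Request; the Request Authenticator is a fixed sample value.
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(range(16))
    pkt = bytearray(header + attrs)
    # HMAC-MD5 over the whole packet with the attribute value zeroed.
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def check_request(src_ip: str, packet: bytes) -> str:
    """Return 'accepted' or the reason the server drops the packet."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        # The situation in the thread: no client entry matches the source IP.
        return "unknown address, dropping"
    if len(packet) < 20:
        return "malformed, dropping"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        return "malformed, dropping"
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return "malformed, dropping"
        if atype == MSG_AUTH and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(expected, packet[pos + 2:pos + 18])
            return "accepted" if ok else "bad secret, dropping"
        pos += alen
    return "no Message-Authenticator, dropping"
```

The same valid packet is accepted when it arrives from 10.10.1.1 and dropped as an unknown address when it arrives from 10.10.1.6, which is why the source address the NAS actually uses has to match the client entry.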
ScottReed
Member Candidate
Topic Author
Posts: 111
Joined: Thu Sep 24, 2009 9:47 pm
Location: Montana / Western Massachusetts

Re: Centralized RADIUS for PPPoE Authentication

Wed Jan 14, 2015 4:18 am

@NathanA

I wish that was the case. I went into /tool user-manager router and ensured I had an entry for each external facing IP of each router.
