Centralized RADIUS for PPPoE Authentication

Posted: Tue Jan 13, 2015 11:41 pm
by ScottReed
I have a test lab setup with three routers using OSPF. I'm currently working on a project to implement PPPoE authentication into our production network.

On one router I am running UserManager and on the other two I have set up PPPoE Servers/Profiles and have opted to have the authentication requests be sent to my router where UserManager is installed. In the lab I am using a laptop behind the routers to simulate a PPPoE connection. I have created a test user in UserManager and added both routers.

I turned on pppoe and radius debug logging and I keep seeing this on my UserManager router when I try to authenticate a user with PPPoE:
radius,debug received remote request from 10.10.1.6:35096 with unknown address, dropping
If I instead set up the user on the local router, the authentication occurs instantly.

I have found some posts about this debug message, but none have pointed me in the right direction.

Re: Centralized RADIUS for PPPoE Authentication

Posted: Wed Jan 14, 2015 3:25 am
by NathanA
radius,debug received remote request from 10.10.1.6:35096 with unknown address, dropping
I'm pretty sure this means basically what it says: that you have no entry under '/tool user-manager router' with 'ip-address' that matches 10.10.1.6. Every RADIUS client (PPP server) *must* have a unique entry under '/tool user-manager router', as they are matched by IP address. This is no different than any other RADIUS server...all RADIUS clients (NAS) are authorized by the RADIUS server using a combination of source IP address and shared secret. Both must match or the RADIUS request is rejected by the server.

Perhaps you think you have an entry for your NAS/PPP server under '/tool user-manager router' on your User Manager router, but the NAS has multiple IP addresses and is sourcing RADIUS requests to your User Manager router using a different IP than what you specified for 'ip-address'. Since you said you are using OSPF, this seems to me to be a possibility. I am guessing you have a loopback IP set up on your test NAS, and this is what you added as the IP address of the RADIUS client on User Manager, but the NAS is instead sourcing packets to the User Manager server from whatever IP address is on the interface that the packets are being sent out. You can either add multiple entries to '/tool user-manager router', one for each IP address that each NAS is likely to source RADIUS requests from, or you can try to change the 'pref-src' attribute for the routes in your routing table on each NAS (easiest way is by using routing filters) so that they source traffic from the loopback IP at all times.

-- Nathan
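
An added example, not part of any post in this thread: this Python script pulls the source addresses out of the drop message quoted above and compares them with the addresses the operator believes are listed under '/tool user-manager router'. The sample log and the address list are constructed for illustration; only the message format and 10.10.1.6 come from the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Drop message format as quoted in the thread (source IP and UDP port captured).
DROP_RE = re.compile(
    r"received remote request from (\d{1,3}(?:\.\d{1,3}){3}):(\d+) "
    r"with unknown address, dropping"
)

# Constructed sample log; 10.10.2.6 is a made-up second NAS address.
SAMPLE_LOG = """\
radius,debug received remote request from 10.10.1.6:35096 with unknown address, dropping
radius,debug received remote request from 10.10.1.6:35101 with unknown address, dropping
radius,debug received remote request from 10.10.2.6:41200 with unknown address, dropping
"""

# Constructed list of addresses the operator thinks are configured as
# RADIUS clients (assumption: two loopbacks plus one interface address).
LISTED = ["10.255.0.1", "10.255.0.2", "10.10.2.6"]

def dropped_sources(log_text):
    """Return a Counter of dropped requests keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        try:
            counts[ip_address(m.group(1))] += 1
        except ValueError:
            continue  # not a valid IPv4 address, ignore the line
    return counts

def triage(log_text, listed):
    """Split dropped sources into two buckets.

    unlisted: the NAS sources RADIUS from an address with no client entry
              (add an entry, or pin the source address on the NAS).
    listed_but_dropped: the operator's list disagrees with what the server
              actually matched, so the server-side entry needs re-checking.
    """
    listed_set = {ip_address(a) for a in listed}
    report = {"unlisted": {}, "listed_but_dropped": {}}
    for ip, n in sorted(dropped_sources(log_text).items()):
        bucket = "listed_but_dropped" if ip in listed_set else "unlisted"
        report[bucket][str(ip)] = n
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, LISTED))
```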

Re: Centralized RADIUS for PPPoE Authentication

Posted: Wed Jan 14, 2015 4:18 am
by ScottReed
@NathanA

I wish that was the case. I went into /tool user-manager router and ensured I had an entry for each external facing IP of each router.