Tutorial: Setting Up a PPPoE Server with RADIUS for IPv4 and IPv6

This tutorial describes how to configure a (dual-stack) PPPoE client via RADIUS. The client receives an IPv4 address, optionally an IPv6 prefix via router advertisement, and a delegated DHCPv6 prefix.

  1. Open the configuration under Communication > General.
    1. Enable the "PPPoE server enabled" option.
    2. Under Server name, assign a name to the PPPoE server. This name is displayed to the PPPoE clients for identification in the status display.




  2. Open the Remote sites (PPPoE) table.
  3. Edit the DEFAULT remote site.
    1. Leave the name of the Remote site as "DEFAULT". This entry is used for all PPPoE clients that are to be authenticated via RADIUS.
    2. Leave the MAC address field empty.
    3. Set the Short hold to 0. This means that the PPPoE client actively establishes the connection, and the server does not actively terminate it, except in the event of an LCP polling timeout.




  4. Open the PPP list under Communication > Protocols. Edit the DEFAULT remote site and make the following adjustments:
    1. Use Activate IPv4 routing to enable or allow IPCP negotiation and the assignment of IPv4 addresses to the client.
    2. Optionally, you can also use Activate IPv6 routing to allow IPv6CP negotiation and the use of IPv6 for the PPPoE client.
    3. Under Authentication of the remote site (request), enable the permitted authentication methods with the PPPoE client.
    4. Under Authentication by the remote site (response), the selection must be left empty. The PPPoE server is not supposed to authenticate itself to the client.
    5. Under LCP Polling, set the Time value to 3 (internally multiplied by 10 for 30 seconds) and the Retries value to 5.




  5. Open the configuration under Communication > RADIUS.
  6. Configure the necessary settings for Authentication via RADIUS for PPP:
    | Option | Description |
    |---|---|
    | RADIUS server | Activated |
    | Address | IP address of the RADIUS server. If the internal RADIUS server is to be used, 127.0.0.1 can be entered as the IP address. |
    | Secret | Password for communication with the RADIUS server. |
    | PPP operation | Exclusive. This means that only the RADIUS server is to be used for authentication and not the internal PPP user table as well. |




  7. Open the configuration under IPv4 > Addresses.
  8. Configure the DNS server addresses for the clients as Primary DNS and Secondary DNS.




  9. If the optional IPv6 was enabled above, then also carry out the following steps:
    1. Enable the IPv6 RAS templates under IPv6 > General > RAS templates > Edit the RAS-TEMPLATE > Entry active.




    2. Under IPv6 > Router Advertisements > Interface options, create a new table entry. For Interface name, select the "RAS-TEMPLATE" you just activated, and for Default router select "Always".




    3. Under IPv6 > DHCPv6 > DHCPv6 server > DHCPv6 networks, create a new table entry. For Interface name/Relay IP, select "RAS-TEMPLATE". Set the option DHCPv6 server activated to "On". Under Primary DNS, configure which IPv6 DNS server address is to be assigned to the client. Under Prefix delegation pool, configure the name of the previously created DHCPv6 PD pool "PD-POOL".




  10. Enable RADIUS authentication active under RADIUS > Server > RADIUS service.




  11. Create a new user on the RADIUS server under RADIUS > Server > User database > User table with the following attributes:
    | Option | Description |
    |---|---|
    | Name / MAC address | Required. |
    | Password | Required. |
    | Framed IP address | Required for assigning the IPv4 address. |
    | Framed IPv6 prefix | Required for IPv6 for the IPv6 router advertisement prefix. |
    | Delegated IPv6 prefix | Optional. Used for IPv6 DHCPv6. |
    | TX bandwidth limit | Optional. |
    | RX bandwidth limit | Optional. |
    | Routing tag | Optional. The PPPoE client is created in the corresponding routing context. |
    | Attribute values | Optional. E.g. "Reply-Message=SRU=10000#SRD=60000#". Certain information can be transmitted here to the PPPoE client during authentication, e.g. the bandwidth information for correct QoS functionality. |




  12. Open the configuration under Firewall/QoS > IPv6 Rules and make sure that the prefixes and services used are also enabled in the IPv6 firewall. The predefined object "RASCLIENTS" applies to PPPoE clients created via the "RAS-TEMPLATE" interface.
  13. Check in the IPv6 inbound rules that "Allow-DHCP-Server" is allowed from the source stations "RASCLIENTS". In addition, "Allow-DNS-Server" must be allowed from the source stations "RASCLIENTS" if the LANCOM router itself is to act as the IPv6 DNS server for the PPPoE clients.




  14. Check in the IPv6 forwarding rules that the "Allow-RASCLIENTS" rule is allowed. The IPv6 prefixes used in this scenario for router advertisements or DHCPv6 PD pools must generally be allowed by a firewall rule in the forwarding case and must not be blocked by a DENY-ALL rule.
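
The per-user addressing from step 11 can be sanity-checked before it is entered into the RADIUS user table. The following is an added example, not LANCOM code: the record keys and sample users are constructed, and the /64 check on the router advertisement prefix is an assumption based on SLAAC's 64-bit interface identifiers. It flags duplicate Framed IP addresses, malformed prefixes, and prefixes that overlap between users.

```python
import ipaddress
from itertools import combinations

# Constructed sample records. The keys are hypothetical names for the
# step-11 columns; all addresses come from documentation ranges.
USERS = [
    {"name": "cpe-01", "framed_ip": "192.0.2.10",
     "framed_v6": "2001:db8:0:1::/64", "delegated_v6": "2001:db8:100::/56"},
    {"name": "cpe-02", "framed_ip": "192.0.2.11",
     "framed_v6": "2001:db8:0:2::/64", "delegated_v6": "2001:db8:100:80::/57"},
    {"name": "cpe-03", "framed_ip": "192.0.2.10",
     "framed_v6": "2001:db8:0:30::/60", "delegated_v6": None},
]

def validate_users(users):
    """Return a list of findings; an empty list means no problems found."""
    findings, seen_v4, prefixes = [], {}, []
    for u in users:
        name = u["name"]
        try:
            ip = ipaddress.IPv4Address(u["framed_ip"])
            if ip in seen_v4:
                findings.append(f"{name}: Framed IP {ip} already assigned to {seen_v4[ip]}")
            seen_v4.setdefault(ip, name)
        except ValueError:
            findings.append(f"{name}: invalid Framed IP address {u['framed_ip']!r}")
        for field in ("framed_v6", "delegated_v6"):
            value = u.get(field)
            if not value:
                continue  # IPv6 attributes are only needed for IPv6 clients
            try:
                # strict=True rejects prefixes with host bits set
                net = ipaddress.IPv6Network(value, strict=True)
            except ValueError:
                findings.append(f"{name}: {field} {value!r} is not a valid prefix")
                continue
            if field == "framed_v6" and net.prefixlen != 64:
                findings.append(f"{name}: {field} {net} is not a /64 (assumed SLAAC requirement)")
            prefixes.append((name, field, net))
    # Any two prefixes that overlap would hand the same address space out twice.
    for (n1, f1, p1), (n2, f2, p2) in combinations(prefixes, 2):
        if p1.overlaps(p2):
            findings.append(f"{n1} {f1} {p1} overlaps {n2} {f2} {p2}")
    return findings

if __name__ == "__main__":
    for finding in validate_users(USERS):
        print(finding)
```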




Status information for all active PPPoE clients is displayed in the table under Status > PPPoE Server > Connections.

Detailed information about an individual client can be displayed with the show command "show pppoe-user-detail <user-name>".

Analysis options are provided by the trace command "trace # ppp".

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
