Date created: Thursday, January 22, 2015 10:48:42 AM. Last modified: Wednesday, March 28, 2018 5:11:38 PM

LAC wholesale PPPoA/E L2TP tunnelling with FreeRADIUS 2

This is an example of a wholesale configuration for a LAC:

In this example DSL PPPoA sessions establish between the CPE and DSLAM. The DSLAM re-encapsulates the session as PPPoE and bridges it up towards the LAC. The LAC strips off the PPPoE header and authenticates the PPP session. It queries a RADIUS server (in this example the same RADIUS server is used for the LAC and LNS rather than a RADIUS proxy at the LAC that queries the wholesale customer's RADIUS used by the LNS). The RADIUS server returns the tunnel endpoint of the LNS to the LAC. The LAC now brings up an L2TP tunnel to the LNS and encapsulates the PPP session over L2TP to the LNS. The LNS terminates the L2TP tunnel and the PPP session; it queries the RADIUS server and retrieves the session properties such as Framed-IP-Address, netmask, Cisco-AVPairs etc.

These routers are on c7200-advipservicesk9-mz.152-4.M7.bin.

LAC Config:

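hostname LAC
!
aaa new-model
!
! Named RADIUS server group for the wholesale customer. It is referenced
! by the method lists below so the LAC mirrors the LNS config (which uses
! its own ISP-RAD group); originally the method lists used the implicit
! "group radius" and CUST-RAD was defined but never used.
aaa group server radius CUST-RAD
 server name radius1
 ip radius source-interface FastEthernet0/1
!
aaa authentication ppp default group CUST-RAD
aaa authorization network default group CUST-RAD
aaa accounting network default start-stop group CUST-RAD
!
aaa session-id common
!
vpdn enable
vpdn multihop
! Tunnel authorisation is looked up on the domain part of the PPP
! username; this is what matches the "example.net" entry in the
! FreeRADIUS users file that carries the Tunnel-* attributes.
vpdn search-order domain
!
bba-group pppoe global
 virtual-template 1
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description Link to GNS3 test CPE fa0/0
 no ip address
 speed auto
 duplex auto
 pppoe enable group global
 ! administratively down in this example; FastEthernet1/0 is the live
 ! subscriber-facing port
 shutdown
!
interface FastEthernet0/1
 description Link to GNS3 LNS fa0/1
 ! raised MTU so a 1500-byte PPP payload survives the L2TP/UDP/IP
 ! encapsulation towards the LNS without fragmentation
 mtu 1530
 ip address 192.0.2.8 255.255.255.254
 speed auto
 duplex auto
!
interface FastEthernet1/0
 description Link to DSLAM and 1941 CPE
 ! pure layer-2 subscriber port: no IP, and ICMP redirects/unreachables
 ! and proxy-ARP are disabled so the LAC never answers for subscriber
 ! addresses
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed auto
 duplex auto
 pppoe enable group global
 no cdp enable
!
interface Virtual-Template1
 description PPPoE for Wholesale-Customer-1
 ! no addressing on the LAC side: the PPP session is forwarded inside
 ! L2TP and terminated on the LNS
 no ip address
 no ip redirects
 no ip proxy-arp
 no logging event link-status
 no peer default ip address
 ntp disable
 keepalive 20 3
 ! CHAP only, and only for incoming calls; the LNS config offers PAP as
 ! well, so keep the two in step if CPE auth requirements change
 ppp authentication chap callin
!
! Only a route towards the RADIUS/LNS subnet is needed on the LAC.
ip route 192.0.2.0 255.255.255.0 192.0.2.9 name RADIUS-SERVER
!
ip radius source-interface FastEthernet0/1
!
radius server radius1
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
 ! "key 7" is reversible obfuscation, not encryption: anyone who can read
 ! this config can recover the shared secret, so treat the file as
 ! sensitive. The secret must match "secret" for client 192.0.2.8 in
 ! clients.conf.
 key 7 04490A0206345F450C00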

LNS Config:

hostname LNS
!
aaa new-model
!
aaa group server radius ISP-RAD
 server name radius1
 ip radius source-interface FastEthernet0/0
!
aaa authentication ppp default group ISP-RAD
aaa authorization network default group ISP-RAD
! delay the Accounting-Start until the session is up, so the record
! carries the address assigned via Framed-IP-Address
aaa accounting delay-start
aaa accounting network default start-stop group ISP-RAD
!
aaa session-id common
!
ip domain name example.net
!
vpdn enable
vpdn logging
vpdn logging local
!
! Tunnel acceptance is pinned to the LAC's identity. Each value below
! must agree with the Tunnel-* attributes the RADIUS server hands the
! LAC for "example.net":
!   terminate-from hostname  == Tunnel-Client-Auth-ID (lac-provider1)
!   local name               == Tunnel-Server-Auth-ID (lns-provider1)
!   source-ip                == Tunnel-Server-Endpoint (192.0.2.2)
!   l2tp tunnel password     == Tunnel-Password
! A mismatch on any of them makes the LNS reject the tunnel.
vpdn-group Wholesale-Provider-1
 description PPPoE from LAC for Example.net
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname lac-provider1
 source-ip 192.0.2.2
 local name lns-provider1
 ! renegotiate LCP with the CPE when the options proxied by the LAC do
 ! not match what this LNS would negotiate
 lcp renegotiation on-mismatch
 ! "0" stores the tunnel password in clear text in the running config;
 ! the same string appears in the users file as Tunnel-Password
 l2tp tunnel password 0 L2TPPassword
 ip pmtu
!
bba-group pppoe global
 virtual-template 1
!
! Loopback0 is the unnumbered source for subscriber sessions (see the
! Cisco-AVPair values in the users file).
interface Loopback0
 ip address 192.0.2.5 255.255.255.255
!
interface FastEthernet0/0
 description Link to RADIUS
 ! 192.0.2.2 is also the tunnel source-ip and the RADIUS client address
 ! in clients.conf
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed auto
 duplex auto
 no keepalive
 no cdp enable
!
interface FastEthernet0/1
 description link to LAC fa0/1
 ! matches the LAC side: room for the L2TP/UDP/IP overhead on top of a
 ! 1500-byte PPP payload
 mtu 1530
 ip address 192.0.2.9 255.255.255.254
 speed auto
 duplex auto
!
interface Virtual-Template1
 no ip address
 no ip redirects
 no ip proxy-arp
 ! uRPF on every subscriber session: packets whose source address is not
 ! the one routed to that virtual-access interface (the Framed-IP-Address)
 ! are dropped, which stops subscribers spoofing each other
 ip verify unicast reverse-path
 no logging event link-status
 no peer default ip address
 ntp disable
 ! classify QoS on the inner packet before tunnel encapsulation
 qos pre-classify
 keepalive 20 3
 ! NOTE(review): PAP is offered ahead of CHAP here, whereas the LAC only
 ! offers "chap callin". PAP carries the subscriber password in clear
 ! text inside the tunnel; drop "pap" unless a PAP-only CPE must be
 ! supported.
 ppp authentication pap chap callin
 ppp ipcp ignore-map
 ppp multilink
 ! seconds
 ppp timeout authentication 100
!
radius server radius1
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
 ! "key 7" is reversible obfuscation, not encryption; anyone with the
 ! config can recover the secret. Must match "secret" for client
 ! 192.0.2.2 in clients.conf.
 key 7 04490A0206345F450C00

FreeRADIUS 2 configs:

clients.conf

# LNS: 192.0.2.2 is its FastEthernet0/0 address / L2TP source-ip.
# Both NAS entries below share one secret; giving each NAS its own
# secret limits the damage if either router's config leaks.
client 192.0.2.2 {
	secret = radiuskey
	shortname = lns
	nastype = other
	# NOTE(review): with this off, Access-Requests from the LNS are not
	# integrity-protected by a Message-Authenticator, so a party that can
	# reach the RADIUS port from this address can spoof requests. Re-enable
	# once the LNS is confirmed to send the attribute (presumably set to
	# "no" because this IOS image did not; verify with a packet capture).
	require_message_authenticator = no
}

# LAC: 192.0.2.8 is its FastEthernet0/1 address, the source it uses for
# the "example.net" tunnel-authorisation lookup.
client 192.0.2.8 {
	secret = radiuskey
	shortname = lac
}


users.conf


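# Tunnel profile, answered to the LAC. With "vpdn search-order domain"
# the LAC looks up the domain part of the username; IOS sends a fixed
# password of "cisco" for that lookup, hence the check item below.
# Service-Type = Outbound-User marks the reply as a tunnel definition
# rather than a subscriber session. The Tunnel-* values must agree with
# the LNS vpdn-group: Tunnel-Client-Auth-ID = terminate-from hostname,
# Tunnel-Server-Auth-ID = local name, Tunnel-Password = l2tp tunnel
# password, Tunnel-Server-Endpoint = source-ip. Tunnel-Password is
# encrypted on the wire with the LAC's shared secret, so that secret
# (and this file) protect the L2TP tunnel password as well.
example.net Cleartext-Password := "cisco"
	Service-Type = Outbound-User,
	Tunnel-Type = L2TP,
	Tunnel-Medium-Type = IP,
	Tunnel-Client-Auth-ID = lac-provider1,
	Tunnel-Server-Auth-ID = lns-provider1,
	Tunnel-Password = L2TPPassword,
	Tunnel-Server-Endpoint = 192.0.2.2

# Subscriber entries, answered to the LNS. CHAP needs the cleartext
# password on the server, hence Cleartext-Password. Every reply item
# needs an operator: the original "Framed-MTU 1500" had none and is not
# a valid users-file entry, so it is written "Framed-MTU = 1500" here.
# Framed-IP-Netmask /32 plus the unnumbered Loopback0 gives each session
# a single routed host address (which is what the LNS uRPF check keys on).
testuser@example.net Cleartext-Password := "testpassword"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-MTU = 1500,
	Framed-IP-Address = 10.0.0.1,
	Framed-IP-Netmask = 255.255.255.255,
	Session-Timeout = 0,
	Idle-Timeout = 300,
	# "lcp:interface-config=" form: the string is applied as interface
	# configuration on the virtual-access interface
	Cisco-AVPair = "lcp:interface-config=ip unnumbered Loopback0"

# Same result as testuser, using the "ip:ip-unnumbered=" AVPair form
# instead of interface-config.
testuser2@example.net Cleartext-Password := "testpassword"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-MTU = 1500,
	Framed-IP-Address = 10.0.0.2,
	Framed-IP-Netmask = 255.255.255.255,
	Session-Timeout = 0,
	Idle-Timeout = 300,
	Cisco-AVPair = "ip:ip-unnumbered=Loopback0"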