Date created: Monday, July 8, 2013 5:10:07 PM. Last modified: Wednesday, March 28, 2018 5:11:46 PM

LNS L2TP termination of PPPoE sessions with FreeRADIUS 2

Initial test scenario for PPPoE/A tests over L2TP from LAC to LNS:

CPE has two fixed Ethernet links to LAC with PPPoE encapsulation and authentication enabled on these links -> LAC accepts PPPoE requests over these links -> LAC checks for the domain @example.net and builds an L2TP tunnel to LNS to hand over the PPP sessions for authentication and session setup (IP address etc.) -> LNS accepts the L2TP tunnel from LAC and talks to a FreeRADIUS 2 server attached to the cloud for PPP authentication (using CHAP). P can now reach through to Internal with a static route pointing to LNS.

CPE Config:

interface FastEthernet0/0
 description Link to fa/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet1/0
 description Link to fa0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Dialer1
 description PPPoE client
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 ppp authentication chap callin
 ppp chap hostname testuser@example.net
 ppp chap password 0 testpassword
!
interface Dialer2
 description PPPoE Client 2
 ip address negotiated
 encapsulation ppp
 dialer pool 2
 dialer idle-timeout 0
 dialer persistent
 ppp authentication chap callin
 ppp chap hostname testuser2@example.net
 ppp chap password 0 testpassword2

LAC Config:

! enable VPDN networking
vpdn enable
vpdn multihop
vpdn logging
vpdn logging local
vpdn search-order domain

! This is our VPDN L2TP tunnel to LNS to carry PPP sessions
! No authentication is configured here between LAC and LNS!
! Note, we are doing this for users authenticating to realm @example.net
vpdn-group PPPoEClient
 request-dialin
  protocol l2tp
  domain example.net
 initiate-to ip 192.0.2.5
 source-ip 192.0.2.4
 local name l2tp-tunnel
 no l2tp tunnel authentication

! Create and assign the global default bba-group for pppoe session to use vi-1
bba-group pppoe global virtual-template 1

interface Loopback0
 ip address 192.0.2.4 255.255.255.255
 ip ospf 1 area 0

interface FastEthernet0/0
 no ip address
 pppoe enable group global

interface FastEthernet0/1
 no ip address
 pppoe enable group global

interface FastEthernet1/0
 description Link to LNS [f1/0]
 ip address 192.0.2.8 255.255.255.254
 ip ospf 1 area 0

! Here on the LAC we aren't actually doing much because we're passing the
! ppp session on to LNS, but we could!
interface Virtual-Template1
 description PPPoE Test
 no ip address
 no peer default ip address
 keepalive 30
 ppp authentication chap

LNS Config:

! set up aaa to allow RADIUS authentication for ppp sessions
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting network default action-type start-stop group radius
aaa session-id common

! We could pull this from RADIUS also; done here to focus more on the IOS config than on RADIUS
ip dhcp pool PPPoEPool
   network 192.0.2.128 255.255.255.128

no ip domain lookup
ip domain name example.net

! Enable VPDN networking
vpdn enable
vpdn multihop

vpdn-group PPPoEClient
 accept-dialin
  protocol any
  virtual-template 1
 terminate-from hostname l2tp-tunnel
 local name tunnel-gate
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15

bba-group pppoe global virtual-template 1

interface Loopback0
 ip address 192.0.2.5 255.255.255.255
 ip ospf 1 area 0

interface FastEthernet0/0
 no ip address
 shutdown

interface FastEthernet0/1
 description Link to P [0/0]
 ip address 192.0.2.12 255.255.255.254
 ip ospf 1 area 0

interface FastEthernet1/0
 description Link to LAC [f1/0]
 ip address 192.0.2.9 255.255.255.254
 ip ospf 1 area 0

interface FastEthernet1/1
 description Link to tap0
 ip address 192.0.2.2 255.255.255.252
 ip ospf 1 area 0

interface Virtual-Template1
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 peer default ip address dhcp-pool PPPoEPool
 ppp authentication chap pap

router ospf 1
 log-adjacency-changes

ip route 192.0.2.4 255.255.255.255 192.0.2.8

radius-server host 192.0.2.1 auth-port 1812 acct-port 1813 key 7 04490A0206345F450C00

FreeRADIUS clients.conf:

client 192.0.2.2 {
        secret          = radiuskey
        shortname       = lns
        nastype         = cisco
}
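Added example, not part of these notes and not FreeRADIUS or IOS code: a hand-built model of the RADIUS round trip between the LNS (192.0.2.2, the source address clients.conf lists) and the server, following RFC 2865, to make visible what the shared secret in clients.conf actually protects. The "radiuskey" here must be the same string the LNS's "key 7 ..." line decodes to (type 7 is a reversible encoding, not a hash, so that config line is effectively the secret in the clear and should be treated as such). The client table, password table, addresses and reply attributes are constructed from the configs on this page; the function names are this example's own. Two failure modes the model reproduces: a NAS whose source address is not in clients.conf gets no reply at all, and a reply whose Response Authenticator does not verify under the NAS's configured secret is discarded by the NAS.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute type codes used in this exchange.
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 3, 4
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_MTU, CHAP_CHALLENGE = 6, 7, 12, 60

# Constructed equivalent of clients.conf: NAS source address -> shared secret.
CLIENTS = {"192.0.2.2": b"radiuskey"}
# Constructed stand-in for the users file (only the check item is needed here).
PASSWORDS = {"testuser@example.net": b"testpassword"}

def encode_attrs(attrs):
    """TLV encoding: Type(1) Length(1, header included) Value(<=253 bytes)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length TLVs."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def packet(code, ident, authenticator, body):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()

def lns_access_request(ident, username, chap_ident, chap_resp, challenge):
    """What the LNS sends once the CPE answered CHAP: CHAP-Password carries
    Identifier || Response, CHAP-Challenge the challenge the LNS issued.
    The Request Authenticator is random; a request is not bound to the secret."""
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (CHAP_PASSWORD, bytes([chap_ident]) + chap_resp),
        (CHAP_CHALLENGE, challenge),
        (NAS_IP_ADDRESS, bytes(int(o) for o in "192.0.2.2".split("."))),
    ])
    return packet(ACCESS_REQUEST, ident, os.urandom(16), body)

def radius_server(src_ip, request):
    """Server side: a source not in clients.conf gets no reply; otherwise
    verify CHAP and bind the reply to the client's secret."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, request_auth)  # RFC 2865 s.5.3 fallback
    pw = PASSWORDS.get(user)
    ok = (pw is not None and len(chap) == 17 and hmac.compare_digest(
        hashlib.md5(chap[:1] + pw + challenge).digest(), chap[1:]))
    if ok:
        code, body = ACCESS_ACCEPT, encode_attrs([
            (SERVICE_TYPE, struct.pack("!I", 2)),      # Framed-User
            (FRAMED_PROTOCOL, struct.pack("!I", 1)),   # PPP
            (FRAMED_MTU, struct.pack("!I", 1480)),
        ])
    else:
        code, body = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return packet(code, ident, auth, body)

def lns_check_reply(request, reply, secret):
    """NAS side: trust a reply only if its Identifier matches the outstanding
    request and its Response Authenticator verifies under the NAS's secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def run_exchange(username, chap_secret, src_ip="192.0.2.2", nas_secret=b"radiuskey"):
    """One round trip: CPE answers CHAP, LNS asks RADIUS, LNS checks the reply.
    Returns the verified reply code, or None if dropped or unverifiable."""
    challenge = os.urandom(16)
    chap_resp = hashlib.md5(b"\x01" + chap_secret + challenge).digest()
    request = lns_access_request(1, username, 1, chap_resp, challenge)
    reply = radius_server(src_ip, request)
    return None if reply is None else lns_check_reply(request, reply, nas_secret)
```

run_exchange("testuser@example.net", b"testpassword") returns 2 (Access-Accept), a wrong CHAP secret returns 3 (Access-Reject), and a mismatched shared secret or an unlisted NAS address returns None. Note what the model also makes plain: only the reply is bound to the secret, and CHAP-Password is carried unobfuscated, so the path between LNS and server (here the tap0 link) needs its own protection, or a Message-Authenticator (RFC 2869) on requests, if that segment is not trusted.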

FreeRADIUS users:

testuser@example.net Cleartext-Password := "testpassword"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-MTU = 1480

testuser2@example.net Cleartext-Password := "testpassword2"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-MTU = 1480
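Added example, not taken from these notes or from FreeRADIUS: a small Python model of the two decisions the scenario description at the top relies on, the LAC's realm lookup ("vpdn search-order domain") that picks the LNS, and the CHAP check FreeRADIUS performs against the Cleartext-Password entries in the users file above. It also shows why the users file has to hold the password in the clear: CHAP (RFC 1994) has the server recompute MD5(Identifier || secret || challenge), which a hashed password store cannot do, so the users file is a credential store and needs to be protected as one. The VPDN_GROUPS table and the function names are this example's own; the users file text is a constructed copy of the two entries above.

```python
import hashlib
import hmac
import os
import re

# Constructed copy of the two "users" entries from the lab notes above.
USERS_FILE = '''\
testuser@example.net Cleartext-Password := "testpassword"
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-MTU = 1480

testuser2@example.net Cleartext-Password := "testpassword2"
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-MTU = 1480
'''

# Hypothetical table standing in for the LAC's vpdn-group: realm -> the LNS
# "initiate-to" address. Only example.net exists in the original config.
VPDN_GROUPS = {"example.net": "192.0.2.5"}

def parse_users(text):
    """Parse a FreeRADIUS 'users' file into
    {name: {"password": str, "reply": {attr: value}}}.
    Only the Cleartext-Password check-item form used above is handled."""
    users = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the entry
            continue
        if line[0] in " \t":        # indented line: a reply item
            if current is None:
                raise ValueError("reply item without an entry: %r" % line)
            attr, _, value = line.strip().rstrip(",").partition("=")
            users[current]["reply"][attr.strip()] = value.strip()
        else:
            m = re.match(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"\s*$', line)
            if not m:
                raise ValueError("unsupported users line: %r" % line)
            current = m.group(1)
            users[current] = {"password": m.group(2), "reply": {}}
    return users

def lac_tunnel_endpoint(username):
    """Model of 'vpdn search-order domain': the realm after the last '@'
    selects the vpdn-group and therefore the LNS. None means no tunnel,
    i.e. the LAC would have to terminate the PPP session itself."""
    _, sep, realm = username.rpartition("@")
    return VPDN_GROUPS.get(realm) if sep else None

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge).
    The CPE computes this; the server must recompute it, which is only
    possible when it holds the cleartext secret."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def radius_chap_check(users, username, ident, challenge, response):
    """What FreeRADIUS does for a CHAP request when Cleartext-Password is set:
    recompute the expected response and compare in constant time.
    Returns (accepted, reply_attributes)."""
    entry = users.get(username)
    if entry is None:
        return False, {}
    expected = chap_response(ident, entry["password"], challenge)
    if not hmac.compare_digest(expected, response):
        return False, {}
    return True, dict(entry["reply"])

if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    for name in ("testuser@example.net", "nobody@other.example", "nodomain"):
        print(name, "->", lac_tunnel_endpoint(name) or "terminate on LAC")
    challenge = os.urandom(16)
    good = chap_response(1, "testpassword", challenge)
    print(radius_chap_check(users, "testuser@example.net", 1, challenge, good))
    bad = chap_response(1, "guess", challenge)
    print(radius_chap_check(users, "testuser@example.net", 1, challenge, bad))
```

A request for a user outside @example.net is never tunnelled by the LAC, so it never reaches this RADIUS server at all; a request that does arrive is rejected when the CHAP Identifier, challenge or secret differ from what the CPE used, and accepted with the entry's reply items (Service-Type, Framed-Protocol, Framed-MTU) otherwise.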