
PPPoE Server Local Users

Daniel Vieceli
Level 1

Hello, I need to configure Cisco as a PPPoE server using local usernames.
I get Authentication Failure on the server side:

 

PPP Server Conf:

hostname ISP
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login PPP local
aaa authentication ppp default local
aaa authentication ppp PPP local
aaa authorization network default local
aaa authorization network PPP local
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username client password 0 pppoe
username daniel privilege 15 password 0 cisco
!
!
bba-group pppoe global
 virtual-template 1
 sessions per-mac limit 2
!
!
interface FastEthernet0/0
 no ip address
 duplex half
 pppoe enable group global
!
interface Virtual-Template1
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip route-cache cef
 peer default ip address pool PPPOE
 ppp mtu adaptive
 ppp authentication chap callin
 ppp authorization PPP
!
ip local pool PPPOE 192.168.12.10 192.168.12.50
ip forward-protocol nd
no ip http server
no ip http secure-server

 

Client Conf:

interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 mtu 1492
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap
 ppp chap hostname client
 ppp chap password 0 pppoe

 

 

 

 

 


Manuel Rodriguez
Cisco Employee

Hi Daniel,

This is because you are configuring 'ppp authentication chap' on the client side. In PPP you can do authentication on each peer independently. In this case, on the server side you configured:

ppp authentication chap callin
ppp authorization PPP

This indicates that your server will authenticate incoming calls and authorize them using the PPP authorization method list (which points to local as per your config).

On the client side you have:

 ppp authentication chap
 ppp chap hostname client
 ppp chap password 0 pppoe

This means that your client will authenticate the other end using CHAP and it will use username "client" and password "pppoe" in the authentication request (challenge).

If you do not want to authenticate the server, simply remove "ppp authentication chap" from the client config. If you want to authenticate the server, configure the corresponding CHAP hostname and password.

Hope it works

Regards
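
Added example (not part of the original replies, and not Cisco code): a simplified Python model of the point above that each PPP direction authenticates independently. The lookup rules and the `CLIENT_MUTUAL` variant are assumptions for illustration; names and secrets come from the configs posted in the thread.

```python
import hashlib
import hmac
import os


def chap_md5(ident, secret, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Peer:
    def __init__(self, name, users, challenges_peer, fallback_secret=None):
        self.name = name                        # name placed in CHAP packets
        self.users = users                      # local "username X password Y" entries
        self.challenges_peer = challenges_peer  # "ppp authentication chap" configured
        self.fallback_secret = fallback_secret  # "ppp chap password" on this side

    def respond(self, ident, challenger, challenge):
        # Answer a challenge with the secret held for the challenger's name.
        secret = self.users.get(challenger, self.fallback_secret)
        return None if secret is None else (self.name, chap_md5(ident, secret, challenge))

    def verify(self, ident, challenge, reply):
        # The authenticator needs a local entry for the name the peer answered with.
        if reply is None:
            return False
        name, digest = reply
        secret = self.users.get(name)
        return secret is not None and hmac.compare_digest(
            digest, chap_md5(ident, secret, challenge))


def authenticate(authenticator, peer):
    """Run one direction of CHAP; None means this side never challenges."""
    if not authenticator.challenges_peer:
        return None
    ident, challenge = 1, os.urandom(16)
    return authenticator.verify(ident, challenge,
                                peer.respond(ident, authenticator.name, challenge))


def negotiate(server, client):
    return {"server_auths_client": authenticate(server, client),
            "client_auths_server": authenticate(client, server)}


# Constructed from the thread's configs: only the server has a local user entry.
SERVER = Peer("ISP", {"client": "pppoe"}, challenges_peer=True)
CLIENT_BEFORE = Peer("client", {}, challenges_peer=True, fallback_secret="pppoe")
CLIENT_AFTER = Peer("client", {}, challenges_peer=False, fallback_secret="pppoe")
# Hypothetical mutual-auth variant: the client also holds an entry for the server.
CLIENT_MUTUAL = Peer("client", {"ISP": "pppoe"}, challenges_peer=True, fallback_secret="pppoe")
```

`negotiate(SERVER, CLIENT_BEFORE)` fails only in the client-to-server direction, which is the side that emits the failure in the thread.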

Hello Manuel.
I need to authenticate about 10 PPPoE clients, and I configured AAA on the server side using local username and password. I would not like to use a RADIUS server.

aaa authentication login default local
aaa authentication login PPP local
aaa authentication ppp default local
aaa authentication ppp PPP local
aaa authorization network default local
aaa authorization network PPP local
username client password 0 pppoe

But the client requests username and password and gets Authentication failure on the server side.
Can you help me?

Hi Daniel,

Where do you see that the authentication failure comes from the server?

From the screenshot of the sniffer trace you included previously we see that the PPPoE PADS packet comes from the device with MAC ca:01:21:4c:00:00 to MAC ca:02:16:b8:00:00. This means your client is ca:02:16:b8:00:00 and the server is ca:01:21:4c:00:00 (since PADS is a packet that goes from server to client).

If we see the authentication failure packet we see it comes from MAC ca:02:16:b8:00:00, so it's coming from the client, not from the server.

Did you try the suggestion I made before? What was the result?

If it doesn't help, can you provide the outputs of the following debugs from client and server side:

- debug ppp negotiation

- debug ppp authentication

- debug aaa authentication

Regards
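
Added example (not part of the original replies): the trace reasoning above in Python, using the source of the PADS to name the server and then checking which side sent the CHAP Failure. The frames are constructed from the MAC addresses quoted in the thread, not taken from the poster's capture, and the parser assumes an uncompressed PPP protocol field.

```python
import struct

ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION = 0x8863, 0x8864
PADS, PPP_CHAP, CHAP_FAILURE = 0x65, 0xC223, 4


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify(frame):
    """Return (event, src_mac, dst_mac) for a PADS or CHAP Failure frame, else None."""
    if len(frame) < 20:
        return None  # too short for Ethernet + PPPoE headers
    dst, src = mac(frame[0:6]), mac(frame[6:12])
    ethertype, ver_type, code, _sid, length = struct.unpack("!HBBHH", frame[12:20])
    payload = frame[20:20 + length]
    if ver_type != 0x11:
        return None
    if ethertype == ETH_PPPOE_DISCOVERY and code == PADS:
        return ("PADS", src, dst)
    if ethertype == ETH_PPPOE_SESSION and code == 0 and len(payload) >= 3:
        proto, chap_code = struct.unpack("!HB", payload[:3])
        if proto == PPP_CHAP and chap_code == CHAP_FAILURE:
            return ("CHAP-Failure", src, dst)
    return None


def diagnose(frames):
    """PADS travels server -> client, so its source MAC identifies the server."""
    roles, rejected_by = {}, None
    for event, src, dst in filter(None, map(classify, frames)):
        if event == "PADS":
            roles = {src: "server", dst: "client"}
        elif event == "CHAP-Failure":
            rejected_by = roles.get(src, "unknown")
    return {"roles": roles, "failure_sent_by": rejected_by}


def build(dst, src, ethertype, code, session, payload=b""):
    # Helper for the constructed sample frames below.
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return hdr + struct.pack("!HBBHH", ethertype, 0x11, code, session, len(payload)) + payload


SRV, CLI = "ca:01:21:4c:00:00", "ca:02:16:b8:00:00"  # MACs quoted in the thread
SAMPLE = [  # constructed frames, not the poster's capture
    build(CLI, SRV, ETH_PPPOE_DISCOVERY, PADS, 1),
    build(SRV, CLI, ETH_PPPOE_SESSION, 0, 1,
          struct.pack("!HBBH", PPP_CHAP, CHAP_FAILURE, 1, 4)),
]
```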

Hello Manuel
Thanks, now I understand it.
I removed ppp authentication chap from the client and it worked!

Before, I didn't understand what ppp authentication chap does; now I know.

Thanks for help!

Hi Daniel,

No problem. Good to hear it worked!

Best regards.
