Service name tag ignored with PPPOE

Ken Wold
Level 1

I have a c3745 set up as a PPPOE server for testing. The problem is the c3745 is accepting any service name tags.

In my case, I want to have the client use the following attributes:

username: local

password: local

service name: test

In my tests, I set up a negative test where the client sends foobar as a service name. I would like the router to deny the PPPOE connection attempt because the service name is incorrect or does not exist. Instead, the c3745 accepts the service name of foobar in the PADI and echoes the service name foobar back in the PADO.

Not sure how to configure the c3745 to deny connections based on service tag. Any help would be appreciated!

Here is the config:

!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c3745
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$J70H$cHLxuWuGLAM7GwS/Oz45R1
!
aaa new-model
!
aaa authorization network default local
!
aaa session-id common
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.0 172.16.98.255
ip dhcp excluded-address 172.16.100.0 172.16.255.255
!
ip dhcp pool pppoe
   network 172.16.99.0 255.255.255.0
   default-router 172.16.0.20
   dns-server 12.127.16.67 12.127.16.68
   domain-name quijibozen.com
!
ip domain name quijibozen.com
ip name-server 12.127.16.68
ip name-server 12.127.16.67
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 local name fudge
!
username admin privilege 15 secret 5 $1$14OU$iJcsUWd.HEYRWi/tqu1AC/
username cisco secret 5 $1$z6B1$XF6VSpN16hv7.J.3Fpr2r1
username local secret 5 $1$E2FX$.AyToxxNawuXQHAhVqYGr.
!
bba-group pppoe global
!
interface FastEthernet0/0
 ip address 172.16.0.20 255.255.0.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 description PPPOE
 ip unnumbered FastEthernet0/0
 peer default ip address dhcp-pool pppoe
 ppp authentication pap chap
 ppp accounting pppoe
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 logging synchronous
 speed 115200
line aux 0
line vty 0 4
 logging synchronous
 transport input none
line vty 5 15
 logging synchronous
 transport input none
!

Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 08:18 by prod_rel_team
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
c3745 uptime is 11 minutes
System returned to ROM by reload
System image file is "flash:c3745-adventerprisek9-mz.124-25d.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
Processor board ID JMX0838L2SU
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x3922
debug output:
Mar  2 04:44:31.831: ppp2 PPP: Send Message[Dynamic Bind Response]
*Mar  2 04:44:31.831: ppp2 PPP: Using vpn set call direction
*Mar  2 04:44:31.831: ppp2 PPP: Treating connection as a callin
*Mar  2 04:44:31.831: ppp2 PPP: Session handle[14000003] Session id[2]
*Mar  2 04:44:31.831: ppp2 PPP: Phase is ESTABLISHING, Passive Open
*Mar  2 04:44:31.831: ppp2 LCP: State is Listen
*Mar  2 04:44:32.823: ppp2 LCP: I CONFREQ [Listen] id 138 len 10
*Mar  2 04:44:32.823: ppp2 LCP:    MagicNumber 0x0EC26814 (0x05060EC26814)
*Mar  2 04:44:32.823: ppp2 LCP: O CONFREQ [Listen] id 1 len 18
*Mar  2 04:44:32.823: ppp2 LCP:    MRU 1492 (0x010405D4)
*Mar  2 04:44:32.823: ppp2 LCP:    AuthProto PAP (0x0304C023)
*Mar  2 04:44:32.823: ppp2 LCP:    MagicNumber 0x12037372 (0x050612037372)
*Mar  2 04:44:32.823: ppp2 LCP: O CONFACK [Listen] id 138 len 10
*Mar  2 04:44:32.823: ppp2 LCP:    MagicNumber 0x0EC26814 (0x05060EC26814)
*Mar  2 04:44:32.823: ppp2 LCP: I CONFACK [ACKsent] id 1 len 18
*
c3745#Mar  2 04:44:32.823: ppp2 LCP:    MRU 1492 (0x010405D4)
*Mar  2 04:44:32.823: ppp2 LCP:    AuthProto PAP (0x0304C023)
*Mar  2 04:44:32.823: ppp2 LCP:    MagicNumber 0x12037372 (0x050612037372)
*Mar  2 04:44:32.823: ppp2 LCP: State is Open
*Mar  2 04:44:32.823: ppp2 PPP: Phase is AUTHENTICATING, by this end
*Mar  2 04:44:32.823: ppp2 PAP: I AUTH-REQ id 11 len 16 from "cisco"
*Mar  2 04:44:32.823: ppp2 PAP: Authenticating peer cisco
*Mar  2 04:44:32.823: ppp2 PPP: Phase is FORWARDING, Attempting Forward
*Mar  2 04:44:32.823: ppp2 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar  2 04:44:32.831: ppp2 PPP: Phase is FORWARDING, Attempting Forward
*Mar  2 04:44:32.831: ppp2 PPP: Send Message[Connect Local]
*Mar  2 04:44:32.831: ppp2 PPP: Bind to [Virtual-Access1.1]
*Mar  2 04:44:32.831: Vi1.1 PPP: Send Message[Static Bind Response]
*Mar  2 04:44:32.831: Vi1.1 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar  2 04:44:32.831: Vi1.1 PAP: O AUTH-ACK id 11 len 5
*Mar 
c3745#2 04:44:32.831: Vi1.1 PPP: Phase is UP
*Mar  2 04:44:32.831: Vi1.1 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar  2 04:44:32.831: Vi1.1 IPCP:    Address 172.16.0.20 (0x0306AC100014)
*Mar  2 04:44:32.831: Vi1.1 PPP: Process pending ncp packets
*Mar  2 04:44:32.835: Vi1.1 IPCP: I CONFREQ [REQsent] id 37 len 22
*Mar  2 04:44:32.835: Vi1.1 IPCP:    Address 0.0.0.1 (0x030600000001)
*Mar  2 04:44:32.835: Vi1.1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
*Mar  2 04:44:32.835: Vi1.1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
*Mar  2 04:44:32.835: Vi1.1 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.1, we want 0.0.0.0
*Mar  2 04:44:32.835: Vi1.1 AAA/AUTHOR/IPCP: Reject 0.0.0.1, using 0.0.0.0
*Mar  2 04:44:32.835: Vi1.1 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.1, we want 0.0.0.0
*Mar  2 04:44:34.835: Vi1.1 IPCP: O CONFNAK [REQsent] id 37 len 22
*Mar  2 04:44:34.835: Vi1.1 IPCP:    Address 172.16.99.1 (0x0306AC106301)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    PrimaryDNS 172.16.0.7 (0x8106A
c3745#
%Error opening tftp://172.16.0.7/network-confg (Timed out)C100007)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    SecondaryDNS 12.127.16.67 (0x83060C7F1043)
*Mar  2 04:44:34.835: Vi1.1 IPCP: I CONFACK [REQsent] id 1 len 10
*Mar  2 04:44:34.835: Vi1.1 IPCP:    Address 172.16.0.20 (0x0306AC100014)
*Mar  2 04:44:34.835: Vi1.1 IPCP: I CONFREQ [ACKrcvd] id 39 len 22
*Mar  2 04:44:34.835: Vi1.1 IPCP:    Address 0.0.0.1 (0x030600000001)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
*Mar  2 04:44:34.835: Vi1.1 IPCP: O CONFNAK [ACKrcvd] id 39 len 22
*Mar  2 04:44:34.835: Vi1.1 IPCP:    Address 172.16.99.1 (0x0306AC106301)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    PrimaryDNS 172.16.0.7 (0x8106AC100007)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    SecondaryDNS 12.127.16.67 (0x83060C7F1043)
*Mar  2 04:44:34.835: Vi1.1 IPCP: I CONFREQ [ACKrcvd] id 40 len 22
*Mar  2 04:44:34.835: Vi1.1 IPCP:    Address 172.16.99.1 (0x0306AC106301)
*Mar  2 04:44:34.835: Vi1.1 IPCP:
c3745#    PrimaryDNS 172.16.0.7 (0x8106AC100007)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    SecondaryDNS 12.127.16.67 (0x83060C7F1043)
*Mar  2 04:44:34.835: Vi1.1 IPCP: O CONFACK [ACKrcvd] id 40 len 22
*Mar  2 04:44:34.835: Vi1.1 IPCP:    Address 172.16.99.1 (0x0306AC106301)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    PrimaryDNS 172.16.0.7 (0x8106AC100007)
*Mar  2 04:44:34.835: Vi1.1 IPCP:    SecondaryDNS 12.127.16.67 (0x83060C7F1043)
*Mar  2 04:44:34.835: Vi1.1 IPCP: State is Open
*Mar  2 04:44:34.835: Vi1.1 IPCP: Install route to 172.16.99.1
and more debug output
*Mar  2 04:53:24.295: PPPoE 0: I PADI  R:001f.f342.81fc L:ffff.ffff.ffff Fa0/0
FF FF FF FF FF FF 00 1F F3 42 81 FC 88 63 11 09
00 00 00 12 01 01 00 06 66 6F 6F 62 61 72 01 03 ...
*Mar  2 04:53:24.295: PPPoE 0: O PADO, R:0012.0007.f700 L:001f.f342.81fc Fa0/0
*Mar  2 04:53:24.295:  Service tag: foobar
00 1F F3 42 81 FC 00 12 00 07 F7 00 88 63 11 07
00 00 00 2F 01 01 00 06 66 6F 6F 62 61 72 01 03 ...
*Mar  2 04:53:24.299: PPPoE 0: I PADR  R:001f.f342.81fc L:0012.0007.f700 Fa0/0
00 12 00 07 F7 00 00 1F F3 42 81 FC 88 63 11 19
00 00 00 26 01 01 00 06 66 6F 6F 62 61 72 01 04 ...
*Mar  2 04:53:24.299: [3]PPPoE 2: O PADS  R:001f.f342.81fc L:0012.0007.f700 Fa0/0
c3745#
00 1F F3 42 81 FC 00 12 00 07 F7 00 88 63 11 65
00 02 00 26 01 01 00 06 66 6F 6F 62 61 72 01 04 ...
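
Added example (not part of the original post): a small Python decoder for the four discovery-frame hex dumps in the debug output above. It extracts the RFC 2516 Service-Name tag (0x0101) from each frame and flags any PADO or PADS carrying a service name outside an allowed set, which turns the negative test into an automated check. The function names and the allowed set {"test"} are assumptions made for this illustration.

```python
import struct

CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_SERVICE_NAME = 0x0101        # RFC 2516 Service-Name tag
SERVER_CODES = {"PADO", "PADS"}  # packets sent by the access concentrator

# Hex dumps copied from the debug output in the post; IOS truncates each at 32 bytes.
DUMPS = [
    "FF FF FF FF FF FF 00 1F F3 42 81 FC 88 63 11 09 "
    "00 00 00 12 01 01 00 06 66 6F 6F 62 61 72 01 03 ...",
    "00 1F F3 42 81 FC 00 12 00 07 F7 00 88 63 11 07 "
    "00 00 00 2F 01 01 00 06 66 6F 6F 62 61 72 01 03 ...",
    "00 12 00 07 F7 00 00 1F F3 42 81 FC 88 63 11 19 "
    "00 00 00 26 01 01 00 06 66 6F 6F 62 61 72 01 04 ...",
    "00 1F F3 42 81 FC 00 12 00 07 F7 00 88 63 11 65 "
    "00 02 00 26 01 01 00 06 66 6F 6F 62 61 72 01 04 ...",
]

def parse_discovery(dump):
    """Decode the Ethernet + PPPoE discovery header and the Service-Name tag."""
    raw = bytes.fromhex(dump.replace("...", ""))
    if len(raw) < 20:
        raise ValueError("too short for Ethernet + PPPoE header")
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", raw[12:20])
    if ethertype != 0x8863 or ver_type != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    service, off = None, 20
    while off + 4 <= len(raw):               # walk the TLV tags
        tag_type, tag_len = struct.unpack("!HH", raw[off:off + 4])
        value = raw[off + 4:off + 4 + tag_len]
        if len(value) < tag_len:             # tag cut off by the truncated dump
            break
        if tag_type == TAG_SERVICE_NAME:
            service = value.decode("ascii", "replace")
        off += 4 + tag_len
    return {"code": CODES.get(code, hex(code)), "session_id": session_id,
            "payload_len": length, "service_name": service}

def unexpected_offers(dumps, allowed):
    """Server-sent frames whose service name is missing or not in `allowed`."""
    frames = [parse_discovery(d) for d in dumps]
    return [(f["code"], f["service_name"]) for f in frames
            if f["code"] in SERVER_CODES and f["service_name"] not in allowed]

if __name__ == "__main__":
    for d in DUMPS:
        print(parse_discovery(d))
    print("violations:", unexpected_offers(DUMPS, {"test"}))
```

With the allowed set {"test"}, both the PADO and the PADS from the router are reported, matching the behaviour described in the post.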


Ken Wold
Level 1

Bump!
