Linux PPPoE Server With RADIUS support

January 25th, 2010

In this tutorial I’ll show you how to configure the Roaring Penguin PPPoE server on Ubuntu 9.10 server (amd64). Check if you have the PPP development files:

nas100 ~ # dpkg -l | grep ppp
ii  ppp                               2.4.5~git20081126t100229-0ubuntu2 Point-to-Point Protocol (PPP) - daemon
ii  pppconfig                         2.3.18ubuntu2                     A text menu based utility for configuring pp
ii  pppoeconf                         1.18ubuntu1                       configures PPPoE/ADSL connections

and install ppp-dev:

apt-get install ppp-dev

Download the rp-pppoe server from http://www.roaringpenguin.com/products/pppoe. Before compiling we need to install gcc:

apt-get install gcc binutils

Extract and install rp-pppoe:

tar xvzf rp-pppoe-3.10.tar.gz
cd rp-pppoe-3.10/src/
./configure --enable-plugin
make && make install

Don’t forget “--enable-plugin”: this builds the pppd plugin.
Now we need radiusclient support:

apt-get install radiusclient1

PPPoE server configuration file (/etc/ppp/pppoe-server-options):

# PPP options for the PPPoE server
# LIC: GPL
require-pap
ms-dns xxx.xxx.xxx.xxx
ms-dns xxx.xxx.xxx.xxx
lcp-echo-interval 10
lcp-echo-failure 5
plugin radius.so
plugin radattr.so
debug
kdebug 1

require-pap – the authentication method the client must use; you can use PAP, CHAP or MS-CHAP
ms-dns – specify DNS servers
lcp-echo-interval n – If this option is given, pppd will send an LCP echo-request frame to the peer every n seconds. Normally the peer should respond to the echo-request by sending an echo-reply. This option can be used with the lcp-echo-failure option to detect that the peer is no longer connected.
lcp-echo-failure n – If this option is given, pppd will presume the peer to be dead if n LCP echo-requests are sent without receiving a valid LCP echo-reply. If this happens, pppd will terminate the connection. Use of this option requires a non-zero value for the lcp-echo-interval parameter. This option can be used to enable pppd to terminate after the physical connection has been broken (e.g., the modem has hung up) in situations where no hardware modem control lines are available.

Taken from syslog:

Feb  1 07:04:51 hostname pppd[1433]: No response to 5 echo-requests
Feb  1 07:04:51 hostname pppd[1433]: Serial link appears to be disconnected.
Feb  1 07:04:51 hostname pppd[1433]: Connect time 488.3 minutes.
Feb  1 07:04:51 hostname pppd[1433]: Sent 2157465 bytes, received 674186 bytes.
Feb  1 07:04:51 hostname pppd[1433]: sent [LCP TermReq id=0x2 "Peer not responding"]

In our configuration lcp-echo-interval is 10 seconds and lcp-echo-failure is 5 packets: if the PPP client is dead, pppoe-server will disconnect the ppp interface after 50 seconds.
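
The dead-peer detection described above can be tracked from syslog. The shell function below is an added example, not part of the original tutorial: it reads pppd syslog lines and reports each session that ended on unanswered LCP echoes. The pppd[1433] sample lines are the ones quoted above, the pppd[1502] lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list pppd sessions that were dropped by lcp-echo-failure.

# Sample input. pppd[1433] lines are from the syslog excerpt above;
# pppd[1502] lines are constructed (a session ended by an operator).
sample_log() {
cat <<'EOF'
Feb  1 07:04:51 hostname pppd[1433]: No response to 5 echo-requests
Feb  1 07:04:51 hostname pppd[1433]: Serial link appears to be disconnected.
Feb  1 07:04:51 hostname pppd[1433]: Connect time 488.3 minutes.
Feb  1 07:04:51 hostname pppd[1433]: Sent 2157465 bytes, received 674186 bytes.
Feb  1 07:04:51 hostname pppd[1433]: sent [LCP TermReq id=0x2 "Peer not responding"]
Feb  1 07:09:12 hostname pppd[1502]: Terminating on signal 15
Feb  1 07:09:12 hostname pppd[1502]: Connect time 3.1 minutes.
Feb  1 07:09:12 hostname pppd[1502]: Sent 1200 bytes, received 900 bytes.
EOF
}

# Reads syslog on stdin, prints one line per session that hit the echo limit.
dead_peer_sessions() {
  awk '
    {
      # Locate the "pppd[PID]:" tag; message words start at field f+1.
      pid = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^pppd\[[0-9]+\]:$/) {
          pid = $i; gsub(/[^0-9]/, "", pid); f = i; break
        }
      if (pid == "") next
    }
    $(f+1) == "No" && $(f+2) == "response" {
      missed[pid] = $(f+4)
      if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
    }
    $(f+1) == "Connect" && $(f+2) == "time" { mins[pid] = $(f+3) }
    $(f+1) == "Sent" { tx[pid] = $(f+2); rx[pid] = $(f+5) }
    END {
      for (k = 1; k <= n; k++) {
        p = order[k]
        printf "pid=%s missed_echoes=%s minutes=%s sent=%s received=%s\n",
               p, missed[p], mins[p], tx[p], rx[p]
      }
    }
  '
}

sample_log | dead_peer_sessions
```

On a live NAS, feed it the system log instead of the sample, for example `dead_peer_sessions < /var/log/syslog`.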

plugin radius.so, plugin radattr.so – load RADIUS plugin and attributes.

kdebug 1 – Enable debugging code in the kernel-level PPP driver. The argument values depend on the specific kernel driver, but in general a value of 1 will enable general kernel debug messages.

debug – Enables connection debugging facilities. If this option is given, pppd will log the contents of all control packets sent or received in a readable form.

Now we need PPP RADIUS client support. Install:

apt-get install radiusclient1

Configuration files are located in /etc/radiusclient/:

First edit /etc/radiusclient/radiusclient.conf:

# General settings
auth_order      radius
# maximum login tries a user has
login_tries     4
# timeout for all login tries; if this time is exceeded the user is kicked out
login_timeout   60
nologin /etc/nologin
issue   /etc/radiusclient/issue
# set IP address of RADIUS authentication server
authserver      xxx.xxx.xxx.xxx
# set IP address of RADIUS accounting server
acctserver      xxx.xxx.xxx.xxx
# file holding shared secrets used for the communication between client and server
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout  10
radius_retries  3
# program to execute for local login
login_local     /bin/login
# set NAS identifier name
nas_identifier nas100

The second file we need to edit is /etc/radiusclient/servers:

# Make sure that this file is mode 600 (readable only to owner)!
#
#Server Name or Client/Server pair              Key
#----------------                               ---------------

xxx.xxx.xxx.xxx                                     RADIUS_server_secret
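
The servers file holds the shared secret that protects traffic between this NAS and the RADIUS server, so both its mode and the secret itself are worth checking. The script below is an added example, not part of the original tutorial or of radiusclient; audit_servers_file and MIN_SECRET_LEN are hypothetical names, and the 16-character minimum follows the preference stated in RFC 2865.

```shell
#!/bin/sh
# Added example: audit a radiusclient "servers" file.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Secrets are never printed, only their length.

MIN_SECRET_LEN=16   # assumption: RFC 2865 prefers at least 16 octets

audit_servers_file() {
  f=$1
  rc=0
  [ -f "$f" ] || { echo "MISSING $f"; return 1; }

  # Permission string such as "-rw-------": group and other must be empty.
  perms=$(ls -ld -- "$f" | cut -c1-10)
  case $perms in
    -???------) ;;
    *) echo "PERMS $f is $perms, expected -rw-------"; rc=1 ;;
  esac

  # Each entry is "server  secret"; flag short or well-known secrets.
  findings=$(awk -v min="$MIN_SECRET_LEN" '
    NF == 0 { next }
    $1 ~ /^#/ { next }
    NF < 2 { printf "FORMAT line %d has no secret\n", NR; next }
    length($2) < min {
      printf "WEAK line %d: secret for %s is %d chars (< %d)\n",
             NR, $1, length($2), min
    }
    # Placeholder from this tutorial plus common sample values.
    $2 ~ /^(RADIUS_server_secret|testing123|secret)$/ {
      printf "DEFAULT line %d: placeholder secret for %s\n", NR, $1
    }
  ' "$f")
  if [ -n "$findings" ]; then echo "$findings"; rc=1; fi
  return $rc
}

# Stand-alone use: sh audit.sh /etc/radiusclient/servers
if [ $# -gt 0 ]; then audit_servers_file "$1"; fi
```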

That’s all, start the server:

/usr/sbin/pppoe-server -L xxx.xxx.xxx.xxx -I vlan23 -I vlan25 -N 1200 -C rtr-nas100 -S nas100 -T 300 -k

where:

-I if_name — Specify interface (default eth0.)
-T timeout — Specify inactivity timeout in seconds.
-C name — Set access concentrator name.
-L ip — Set local IP address.
-S name — Advertise specified service-name.
-N num — Allow ‘num’ concurrent sessions.
-k — Use kernel-mode PPPoE.

  1. Charles
    June 21st, 2011 at 01:42

    brilliant! worked first time, really needed this for some testing. Many thanks!!!