I was bored and wanted to get my hands a little dirty with RADIUS
again, so I decided to try labbing this up using PPPoE with a single
virtual-template. You need to pre-configure the keys for the spokes on
the PPPoE server, and RADIUS (through authorization) tells the server
what key should be attached to the virtual-access interface.


Configurations:

hostname R1
aaa new-model
aaa authentication login default none
aaa authentication enable default none
aaa authentication ppp default group radius
aaa authorization network default group radius
!
key chain R1-R2
 key 1
   key-string cisco
key chain R1-R3
 key 1
   key-string ccie
!
bba-group pppoe global
 virtual-template 1
!
interface FastEthernet0/0
 description To Ethernet Switch
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
!
interface Virtual-Template1
 ip address 1.0.0.1 255.255.255.0
 ip authentication mode eigrp 123 md5
 peer default ip address pool PPPoE
 ppp authentication chap
!
router eigrp 123
 network 1.0.0.0 0.0.0.255
 no auto-summary
!
ip local pool PPPoE 1.0.0.2 1.0.0.254
!
radius-server host 192.168.100.253 auth-port 1812 acct-port 1813 key cisco



hostname R2
key chain R1-R2
 key 1
   key-string cisco
!
interface FastEthernet0/0
 description To Ethernet Switch
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip authentication mode eigrp 123 md5
 ip authentication key-chain eigrp 123 R1-R2
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 ppp chap hostname R2
 ppp chap password 0 R2
!
router eigrp 123
 network 1.0.0.0 0.0.0.255
 no auto-summary
!


hostname R3
key chain R1-R3
 key 1
   key-string ccie
!
interface FastEthernet0/0
 description To Ethernet Switch
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip authentication mode eigrp 123 md5
 ip authentication key-chain eigrp 123 R1-R3
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 ppp chap hostname R3
 ppp chap password 0 R3
!
router eigrp 123
 network 1.0.0.0 0.0.0.255
 no auto-summary
!


radius-server:~# cat /etc/freeradius/users
R2      Cleartext-Password := "R2"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R2"

R3      Cleartext-Password := "R3"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R3"


Verification:

R1#sh pppoe session all
Total PPPoE sessions 2


session id: 19
local MAC address: c200.0740.0000, remote MAC address: c201.0740.0000
virtual access interface: Vi3, outgoing interface: Fa0/0
    424 packets sent, 425 received
    25488 bytes sent, 25558 received

session id: 20
local MAC address: c200.0740.0000, remote MAC address: c202.0740.0000
virtual access interface: Vi4, outgoing interface: Fa0/0
    274 packets sent, 274 received
    16475 bytes sent, 16626 received

R1#sh ip route | b Gate
Gateway of last resort is not set

     1.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       1.0.0.0/24 is directly connected, Virtual-Access3
                   is directly connected, Virtual-Access4
C       1.0.0.3/32 is directly connected, Virtual-Access4
C       1.0.0.2/32 is directly connected, Virtual-Access3
C    192.168.100.0/24 is directly connected, FastEthernet1/0

R1#sh ip eigrp interfaces detail | i ^V|Authentication
Vt1                0        0/0         0       0/1            0           0
  Authentication mode is md5,  key-chain is not set
Vi3                1        0/0        28       0/1          129           0
  Authentication mode is md5,  key-chain is "R1-R2"
Vi4                1        0/0        37       0/1          209           0
  Authentication mode is md5,  key-chain is "R1-R3"

R2#sh ip route | b Gate
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 3 subnets
C       1.0.0.1 is directly connected, Dialer1
D       1.0.0.3 [90/48786176] via 1.0.0.1, 00:13:23
C       1.0.0.2 is directly connected, Dialer1
R2#sh ip eigrp interfaces detail
IP-EIGRP interfaces for process 123

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Di1                1        0/0        11      11/434         50           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/3  Un/reliable ucasts: 3/2
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "R1-R2"
  Use multicast
R2#show key chain R1-R2
Key-chain R1-R2:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

R3#sh ip route | b Gate
Gateway of last resort is not set

     1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       1.0.0.1/32 is directly connected, Dialer1
D       1.0.0.0/24 [90/48786176] via 1.0.0.1, 00:14:45
C       1.0.0.3/32 is directly connected, Dialer1
D       1.0.0.2/32 [90/48786176] via 1.0.0.1, 00:14:45
R3#show ip eigrp interfaces detail
IP-EIGRP interfaces for process 123

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Di1                1        0/0        19      11/434         68           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/2  Un/reliable ucasts: 1/3
  Mcast exceptions: 1  CR packets: 1  ACKs suppressed: 0
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "R1-R3"
  Use multicast
R3#show key chain R1-R3
Key-chain R1-R3:
    key 1 -- text "ccie"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

R3#ping 1.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/28 ms
R3#ping 1.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/16 ms
R3#trace 1.0.0.2

Type escape sequence to abort.
Tracing the route to 1.0.0.2

  1 1.0.0.1 4 msec 16 msec 4 msec
  2 1.0.0.2 12 msec 8 msec *
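An added cross-check for the setup above (not the post's own code): it parses the hub's IOS key chains and the FreeRADIUS users file, both constructed inline from the thread's R1/R2 values plus a hypothetical user R4, and reports any user whose pushed lcp:interface-config names a key chain the hub never pre-configured, which is the case where CHAP succeeds but the EIGRP adjacency never forms.

```python
# Added example (not the post's own code): check that every key chain RADIUS
# pushes via "lcp:interface-config" is actually defined on the PPPoE server.
import re

# Constructed inputs modelled on the thread's R1 config and FreeRADIUS users
# file; the hypothetical user R4 references a chain the hub does not define.
HUB_CONFIG = """\
key chain R1-R2
 key 1
   key-string cisco
key chain R1-R3
 key 1
   key-string ccie
"""

USERS_FILE = """\
R2      Cleartext-Password := "R2"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R2"

R4      Cleartext-Password := "R4"
        cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R4"
"""

def hub_key_chains(config):
    """Return {chain: [key-strings]} parsed from the IOS 'key chain' blocks."""
    chains, chain = {}, None
    for line in config.splitlines():
        if m := re.match(r"key chain (\S+)", line):
            chain = chains.setdefault(m.group(1), [])
        elif (m := re.match(r"\s+key-string (\S+)", line)) and chain is not None:
            chain.append(m.group(1))
    return chains

def radius_key_chains(users):
    """Return {username: chain} for each user whose reply pushes an EIGRP key chain."""
    result, user = {}, None
    for line in users.splitlines():
        if line and not line[0].isspace():      # unindented line starts a user entry
            user = line.split()[0]
        m = re.search(r'key-chain eigrp \d+ (\S+?)"', line)
        if m and user:
            result[user] = m.group(1)
    return result

def missing_chains(config, users):
    """Users whose pushed chain is absent on the hub (EIGRP MD5 auth would fail)."""
    chains = hub_key_chains(config)
    return {u: c for u, c in radius_key_chains(users).items() if c not in chains}
```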

On Wed, May 9, 2012 at 8:08 AM, Jay McMickle <[email protected]> wrote:
> You must use a dialer for the virtual-template and PPPoE.
>
> Regards,
> Jay McMickle- CCIE #35355
> Sent from iJay
>
> On May 7, 2012, at 7:31 PM, George Leslie <[email protected]> 
> wrote:
>
>>
>> Hello all, Jay McM and I had an offline chat about my previous posting, which 
>> was trying to do the EIGRP authentication on a hub and spoke network, where 
>> the hubs use different authentication keys from each other.  I was playing 
>> around with frame hub and spoke. To recap, I previously found that the hub, 
>> despite having the two different keys in its key chain, both of which had 
>> valid lifetimes, refused to send using key 2.  It would only send with key 1 
>> despite correctly authenticating spoke 2 which was using key 2.  Therefore, 
>> hub authenticated spoke, but not vice versa. On frame, you could use PPPoFr, 
>> and use different virtual templates on each DLCI, and therefore have 
>> different key chains on each.  What I actually did was use point to point 
>> tunnels over the frame, which worked a treat. In what my old physics teacher 
>> used to call, "a thought experiment", I was thinking about what you could 
>> do, just on a bog standard Ethernet segment.  The tunnel approach would 
>> still work.  However, with PPPoE, the server virtual template is tied to the physical, via 
>> the bba-group.  Therefore the key chain would be applied to all clients that 
>> use the virtual template, which presents the same problem as on the frame 
>> network. My question: is there any way that you can configure a PPPoE 
>> virtual template on the hub that is somehow tied to each individual client?  
>> For example, is there a mechanism to tie the virtual template to the PPP 
>> chap username?  Bit of chicken and egg here, as you need the virtual 
>> template to know to authenticate by chap, but need chap to know the virtual 
>> template to apply.....My head hurts. Regards, George.
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please 
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out 
>> www.PlatinumPlacement.com
>>
>> http://onlinestudylist.com/mailman/listinfo/ccie_rs