Layer 2 - WAN Configuration Guide

02-PPP Configuration

- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

- Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.

- The interface types and the number of interfaces vary by AP model.

 

This chapter includes these sections:

- Introduction to PPP

- Configuring PPP

- Troubleshooting PPP Configuration

Introduction to PPP

PPP

Point-to-Point Protocol (PPP) is a link layer protocol that carries network layer packets over point-to-point links. It is widely used because it provides user authentication, supports synchronous/asynchronous communication, and allows for easy extension.

PPP contains a set of protocols, including a link control protocol (LCP), a network control protocol (NCP), and authentication protocols such as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Among these protocols,

- The LCP is responsible for establishing, tearing down, and monitoring data links.

- The NCP is used for negotiating the packet format and type of data links.

- PAP and CHAP are for network security.

PAP authentication

PAP is a two-way handshake authentication protocol using plain text passwords. It operates as follows.

1)        The requester sends its username and password to the authenticator.

2)        The authenticator then checks the local user list to see if the username and password are correct and returns an acknowledgement or a negative acknowledgement.

Figure 1-1 PAP Authentication

 

During PAP authentication, the password is transmitted on the link in plain text. In addition, the authenticatee sends the username and the password repeatedly through the established PPP link until the authentication is over. Therefore, PAP is not a secure authentication protocol. It cannot prevent attacks.

CHAP authentication

CHAP is a three-way handshake authentication protocol that uses a cipher text password.

Currently, two types of CHAP authentication exist: one-way CHAP authentication and two-way CHAP authentication. In one-way CHAP authentication, one side of the link acts as the authenticator and the other acts as the authenticatee. In two-way authentication, each side serves as both the authenticator and the authenticatee. Normally, one-way CHAP authentication is adopted.

In one-way CHAP authentication, the authenticator may or may not be configured with a username. It is recommended that you configure a username for the authenticator, which makes it easier to identify the authenticator.

When the authenticator is configured with a username, CHAP authentication is performed as follows:

1)        The authenticator initiates an authentication by sending a randomly-generated packet (Challenge) to the authenticatee. The packet carries the local username with it.

2)        When the authenticatee receives the authentication request, it searches the local user list for the password of the username carried in the received packet, encrypts the packet using the MD5 algorithm, with the packet ID and the password as the parameters, and then sends the encrypted packet and the local username to the authenticator (Response).

3)        The authenticator encrypts the original randomly-generated packet using the MD5 algorithm, with the password of the authenticatee it maintains as the parameter, compares the encrypted packet with the one received from the authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on the comparison result.

When the authenticator is not configured with a username, the CHAP authentication is performed as follows:

1)        The authenticator initiates an authentication by sending a randomly-generated packet (Challenge) to the authenticatee.

2)        When the authenticatee receives the authentication request, it encrypts the packet using the MD5 algorithm, with the packet ID and the default CHAP password as the parameters, and then sends the encrypted packet and its own username to the authenticator (Response).

3)        The authenticator encrypts the original randomly-generated packet using the MD5 algorithm, with the password of the authenticatee it maintains as the parameter, compares the encrypted packet with the one received from the authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on the comparison result.

Figure 1-2 CHAP Authentication
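The following Python sketch is an added example, not H3C code. It builds the PAP request and the CHAP challenge/response described above using the RFC 1334 and RFC 1994 packet layouts, so the difference in what crosses the link is visible; the MD5 step the text calls encryption is RFC 1994's one-way digest over the packet ID, the password and the challenge. All function names are hypothetical, and the account user2/hello is a constructed sample taken from this guide's configuration example.

```python
import hashlib
import hmac
import os
import struct

PAP_REQUEST = 1                      # RFC 1334 Authenticate-Request
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4  # RFC 1994


def pap_request(ident, username, password):
    """PAP Authenticate-Request: username and password are length-prefixed plain text."""
    user, pw = username.encode(), password.encode()
    body = bytes([len(user)]) + user + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_REQUEST, ident, 4 + len(body)) + body


def pap_read_credentials(packet):
    """Parse a PAP request the way the authenticator, or any observer of the link, can."""
    ulen = packet[4]
    user = packet[5:5 + ulen]
    plen = packet[5 + ulen]
    pw = packet[6 + ulen:6 + ulen + plen]
    return user.decode(), pw.decode()


def _chap_packet(code, ident, value, name):
    # Code, Identifier, Length, Value-Size, Value, Name
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def _chap_parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:length].decode()


def chap_digest(ident, secret, challenge):
    """RFC 1994 response value: MD5 over identifier, shared secret, challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_challenge(ident, authenticator_name, value=None):
    """Step 1: the authenticator sends a random value plus its own username."""
    return _chap_packet(CHAP_CHALLENGE, ident, value or os.urandom(16), authenticator_name)


def chap_response(challenge_pkt, my_name, secret):
    """Step 2: the authenticatee returns the digest and its username, never the secret."""
    _, ident, value, _ = _chap_parse(challenge_pkt)
    return _chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, secret, value), my_name)


def chap_verify(challenge_pkt, response_pkt, local_users):
    """Step 3: the authenticator recomputes the digest from its local user list."""
    _, c_id, value, _ = _chap_parse(challenge_pkt)
    code, r_id, digest, peer = _chap_parse(response_pkt)
    secret = local_users.get(peer)
    if code != CHAP_RESPONSE or r_id != c_id or secret is None:
        return CHAP_FAILURE
    expected = chap_digest(c_id, secret, value)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return CHAP_SUCCESS if hmac.compare_digest(expected, digest) else CHAP_FAILURE


if __name__ == "__main__":
    users = {"user2": b"hello"}      # constructed sample local user list
    print(pap_read_credentials(pap_request(1, "user2", "hello")))
    ch = chap_challenge(7, "RouterA")
    print(chap_verify(ch, chap_response(ch, "user2", b"hello"), users) == CHAP_SUCCESS)
```

Because the digest covers the random challenge, a response captured from one exchange does not verify against a later challenge, whereas a captured PAP request stays valid for as long as the password does.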

 

How PPP Works

Figure 1-3 illustrates the PPP operating mechanism.

1)        A PPP link is in the Establish phase when it is about to be established. In this phase, LCP negotiation is performed, where LCP-related settings are determined, including operating mode (SP or MP), the authentication mode, and the Maximum Transmission Unit (MTU). If the negotiation is successful, the link enters the Opened state, indicating that the underlying layer link has been established.

2)        If the authentication (the remote authenticates the local or the local authenticates the remote) is configured, the PPP link goes to the Authenticate phase, where CHAP or PAP authentication is performed.

3)        If the authenticatee fails to pass the authentication, the link goes to the Terminate phase, where the link is torn down and LCP goes down. If the authenticatee passes the authentication, the link goes to the Network phase. In this phase, NCP negotiation is performed, the LCP state remains Opened, and the state of IP Control Protocol (IPCP) transitions from Initial to Request.

4)        NCP negotiation supports the negotiation of IPCP, through which the IP addresses of both sides can be determined. NCP negotiation also determines and configures the network layer protocol to be used. Note that a PPP link can carry a network layer protocol only after the NCP negotiation is successful.

5)        After the NCP negotiation is performed, the PPP link remains active until an LCP or NCP frame closes it explicitly or some external events take place (for example, the intervention of a user).

Figure 1-3 PPP operation flow chart

 

For more information about PPP, see RFC 1661.

Configuring PPP

Configuring PPP

Follow these steps to configure PPP:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Configure PPP as the data link layer protocol | link-protocol ppp | Optional. By default, PPP is used. |
| Set the polling interval | timer hold seconds | Optional. 10 seconds by default |
| Configure PPP authentication mode: Configure PAP authentication | For more information, see Configuring PAP Authentication. | Optional. Select either authentication mode. By default, PPP authentication is disabled. |
| Configure PPP authentication mode: Configure CHAP authentication | For more information, see Configuring CHAP Authentication. | Optional. Select either authentication mode. By default, PPP authentication is disabled. |
| Configure PPP negotiation | For more information, see Configuring PPP Negotiation. | Optional |
| Enable the generating of PPP accounting statistics | For more information, see Enabling the Generating of PPP Accounting Statistics | Optional |

 

This document only discusses local authentication. For more information about remote AAA authentication, see AAA in the Security Configuration Guide.

 

Configuring PAP Authentication

Configuring the authenticator

Follow these steps to configure the authenticator:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Configure the local device to authenticate the peer using PAP | ppp authentication-mode pap [ [ call-in ] domain isp-name ] | Required. By default, PPP authentication is not performed. |
| Quit to system view | quit | |
| Create a local user account | local-user username | Required. This command also leads you to local user view. |
| Configure a password for the local user | password { cipher \| simple } password | Required |
| Configure service type of the local user as well as other attributes | service-type ppp [ callback-nocheck \| callback-number callback-number \| call-number call-number [ :subcall-number ] ] | Required |
| Quit to system view | quit | |
| Create an ISP domain or enter an existing ISP domain view | domain isp-name | Optional |
| Configure to authenticate domain users locally | authentication ppp local | Optional |

 

For more information about local user and domain configuration, see AAA in the Security Configuration Guide.

 

Configuring the authenticatee

Follow these steps to configure the authenticatee:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Configure the PAP username and password sent by the local device to the peer when the local device is authenticated by the peer using PAP | ppp pap local-user username password { cipher \| simple } password | Required. By default, when being authenticated by the peer using PAP, the local device sends null username and password to the peer. |

 

Configuring CHAP Authentication

According to whether the authenticator is configured with a username or not, the configuration of CHAP authentication falls into the following two types:

Configuring CHAP authentication when the authenticator name is configured

1)        Configuring the authenticator

Follow these steps to configure the authenticator:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Configure the local device to authenticate the peer using CHAP | ppp authentication-mode chap [ [ call-in ] domain isp-name ] | Required. By default, PPP authentication is not performed. |
| Assign a username to the CHAP authenticator | ppp chap user username | Required. The username you assign to the authenticator here must be the same as the local username you assign to the authenticator on the authenticatee. |
| Quit to system view | quit | |
| Create a local user account for the authenticatee and enter local user view | local-user username | Required |
| Configure the password for the local user | password { cipher \| simple } password | Required |
| Configure the service type of the local user and other attributes | service-type ppp [ callback-nocheck \| callback-number callback-number \| call-number call-number [ :subcall-number ] ] | Required |
| Quit to system view | quit | |
| Create an ISP domain, or enter an existing ISP domain view | domain isp-name | Optional |
| Configure to authenticate the domain user locally | authentication ppp local | Optional |

 

For more information about local user and domain configuration, see AAA in the Security Configuration Guide.

 

2)        Configuring the authenticatee

Follow these steps to configure the authenticatee:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Assign a username to the CHAP authenticatee | ppp chap user username | Required. The username you assign to the authenticatee here must be the same as the local username you assign to the authenticatee on the authenticator. |
| Create a local user account for the authenticator and set the password: Quit to system view | quit | |
| Create a local user account for the authenticator and set the password: Create a local user account and enter local user view | local-user username | Required |
| Create a local user account for the authenticator and set the password: Set the password | password { cipher \| simple } password | Required |

 

Configuring CHAP authentication when no authenticator name is configured

1)        Configuring the authenticator

Follow these steps to configure the authenticator:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Configure the local device to authenticate the peer using CHAP | ppp authentication-mode chap [ [ call-in ] domain isp-name ] | Required. By default, PPP authentication is not performed. |
| Quit to system view | quit | |
| Create a local user account for the authenticatee and enter local user view | local-user username | Required |
| Configure the password for the local user | password { cipher \| simple } password | Required |
| Configure the service type of the local user and other attributes | service-type ppp [ callback-nocheck \| callback-number callback-number \| call-number call-number [ :subcall-number ] ] | Required |
| Quit to system view | quit | |
| Create an ISP domain, or enter an existing ISP domain view | domain isp-name | Optional |
| Configure to authenticate the domain user locally | authentication ppp local | Optional |

 

For more information about local user and domain configuration, see AAA in the Security Configuration Guide.

 

2)        Configuring the authenticatee

Follow these steps to configure the authenticatee:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Assign a username to the CHAP authenticatee | ppp chap user username | Required. The username you assign to the authenticatee here must be the same as the local username you assign to the authenticatee on the authenticator. |
| Set the default CHAP authentication password | ppp chap password { cipher \| simple } password | Required |

 

Configuring PPP Negotiation

Introduction to PPP negotiation parameters

PPP negotiation parameters that can be configured include: negotiation timeout time, IP address negotiation mode, and DNS server address negotiation mode.

Negotiation timeout time determines the interval to send request packets. During PPP negotiation, if no response is received from the peer during a specific period after the local AP sends a packet, the AP sends another one. The period is known as negotiation timeout time, which ranges from 1 to 10 seconds.

IP address negotiation can be implemented in the following two modes.

- The AP operates as the client. Configure the local interface in this mode if it uses PPP at the data link layer and has no IP address while the peer is configured with one; the interface can then receive an IP address allocated by its peer. This configuration applies when you access the Internet through an ISP.

- The AP operates as the server. In this case, you must configure a local IP address pool in domain view or system view to specify the range of the IP addresses to be allocated, and then bind the address pool to the interface.

PPP address negotiation can also determine the DNS server address. You can configure the AP to allocate the DNS server address to the peer or receive the DNS server address from the peer. For a PPP link between a PC and the AP, the DNS server address is usually allocated by the AP, so that the PC can access the Internet directly by using domain names. For a PPP link established between the AP and the access server of a carrier, the DNS server address is usually allocated by the access server, so that the AP can resolve domain names through that DNS server.

 

Currently, the AP can only operate as a client.

 

Configuring PPP negotiation parameters

Follow these steps to configure PPP negotiation parameters:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Configure the negotiation timeout time | ppp timer negotiate seconds | Optional. 3 seconds by default |
| Configure the IP address negotiation | ip address ppp-negotiate | Optional |

 

Enabling the Generating of PPP Accounting Statistics

Introduction to PPP accounting statistics

PPP can generate traffic-based accounting statistics on each PPP link. The statistics include the amount of inbound and outbound information (in bytes and in number of packets) on a link. The information can be used by AAA application modules for accounting and control purposes.

Enabling the generating of PPP accounting statistics

Follow these steps to enable the generating of PPP accounting statistics:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Enable the generating of PPP accounting statistics | ppp account-statistics enable | Required. Disabled by default. |

 

Troubleshooting PPP Configuration

Symptom 1: PPP authentication fails and the link cannot be brought up.

Solution: This problem may arise if the parameters for authentication are incorrect.

Enable the debugging of PPP, and you can see the information showing that LCP went up upon a successful LCP negotiation but went down after PAP or CHAP negotiation.

Check the PPP authentication settings at the local and peer ends to make sure that they are consistent. See the PPP authentication configuration sections for reference.

Symptom 2: Physical link is down.

Solution: The physical link is down when:

- The interface is not brought up.

- The interface is shut down by the administrator.

- LCP negotiation fails.

Execute the display interface command to check the state of the interface. The output information can be:

- serial number is administratively down, line protocol is down, which indicates that the interface is shut down by the administrator.

- serial number is down, line protocol is down, which indicates that the interface is not activated or the physical layer has not gone up yet.

- serial number is up, line protocol is up, which indicates that LCP negotiation succeeded.

- serial number is up, line protocol is down, which indicates that the interface is active, but LCP negotiation failed.

 


PPPoE Configuration

This chapter includes these sections:

- Introduction to PPPoE

- Configuring a PPPoE Client

- Displaying and Maintaining PPPoE

- PPPoE Configuration Example

Introduction to PPPoE

PPPoE

 

Currently, the AP cannot operate as a PPPoE server, and whether it can operate as a PPPoE client depends on the AP model.

 

Point-to-Point Protocol over Ethernet (PPPoE) uses the client/server model. It establishes point-to-point links over Ethernet, and encapsulates PPP packets in Ethernet frames.

APs configured as PPPoE clients can access the Internet through a remote access device, and access control and accounting can be implemented on a per-AP basis.

PPPoE undergoes two phases: discovery and PPP session, as described below:

- Discovery phase, where a PPPoE session is initiated. In this phase, the host obtains the MAC address of the access end and generates the PPPoE session ID. When the discovery phase ends, the PPPoE session ID between the host and the server is determined, and the PPP session phase begins.

- PPP session phase, where PPP packets are encapsulated in Ethernet frames before being sent to the peer. In the frame, the session ID must be the one determined in the discovery phase, the MAC address must be that of the peer, and the PPP packet section begins from the Protocol ID field. In the session phase, either end of the link can terminate the session by sending PPPoE Active Discovery Terminate (PADT) packets.

For more information about PPPoE, see RFC 2516.

Figure 2-1 Network diagram for PPPoE configuration
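The session-phase rules above (session ID fixed in discovery, MAC address of the peer, payload starting at the PPP Protocol ID, PADT ending the session) can be expressed as a receive-side check. The Python below is an added example, not H3C code; it follows the RFC 2516 header layout, its function names are hypothetical, and the MAC addresses and frames in it are constructed samples.

```python
import struct
from dataclasses import dataclass

ETH_DISCOVERY, ETH_SESSION = 0x8863, 0x8864     # RFC 2516 EtherTypes
CODE_SESSION, CODE_PADS, CODE_PADT = 0x00, 0x65, 0xA7


@dataclass(frozen=True)
class Session:
    local_mac: bytes
    peer_mac: bytes
    session_id: int


def pppoe_frame(dst, src, ethertype, code, session_id, payload=b""):
    """Constructed-frame helper: Ethernet header + 6-byte PPPoE header + payload."""
    header = struct.pack("!HBBHH", ethertype, 0x11, code, session_id, len(payload))
    return dst + src + header + payload


def parse_pppoe(frame):
    if len(frame) < 20:
        raise ValueError("truncated PPPoE frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype, vertype, code, sid, length = struct.unpack("!HBBHH", frame[12:20])
    if vertype != 0x11:
        raise ValueError("PPPoE version/type must be 1/1")
    if len(frame) - 20 < length:
        raise ValueError("length field exceeds frame")
    # Slice by the length field so Ethernet padding is not treated as payload.
    return dst, src, ethertype, code, sid, frame[20:20 + length]


def session_from_pads(frame, local_mac):
    """End of discovery: the PADS frame fixes the peer MAC and the session ID."""
    dst, src, ethertype, code, sid, _ = parse_pppoe(frame)
    if ethertype != ETH_DISCOVERY or code != CODE_PADS or dst != local_mac or sid == 0:
        raise ValueError("not a usable PADS for this host")
    return Session(local_mac, src, sid)


def check_inbound(frame, s):
    """Decide what a client in the PPP session phase does with an inbound frame."""
    try:
        dst, src, ethertype, code, sid, payload = parse_pppoe(frame)
    except ValueError as exc:
        return f"drop: {exc}"
    if dst != s.local_mac or src != s.peer_mac:
        return "drop: MAC address is not that of the peer"
    if sid != s.session_id:
        return "drop: session ID differs from the one set in discovery"
    if ethertype == ETH_DISCOVERY and code == CODE_PADT:
        return "terminate"
    if ethertype == ETH_SESSION and code == CODE_SESSION and len(payload) >= 2:
        return f"accept: PPP protocol 0x{int.from_bytes(payload[:2], 'big'):04x}"
    return "drop: unexpected code or EtherType"


if __name__ == "__main__":
    ap, ac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    sess = session_from_pads(pppoe_frame(ap, ac, ETH_DISCOVERY, CODE_PADS, 0x0011), ap)
    lcp = pppoe_frame(ap, ac, ETH_SESSION, CODE_SESSION, 0x0011, b"\xc0\x21\x01\x01\x00\x04")
    print(check_inbound(lcp, sess))
    print(check_inbound(pppoe_frame(ap, ac, ETH_DISCOVERY, CODE_PADT, 0x0012), sess))
```

The MAC address and session ID travel unprotected, so these checks only bind a frame to the discovered session; authenticating the peer is the job of the PPP authentication configured on the dialer interface.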

 

Configuring a PPPoE Client

PPPoE client configuration includes dialer interface configuration and PPPoE session configuration.

Configuring a Dialer Interface

Before establishing a PPPoE session, you must first create a dialer interface and configure a dialer bundle on the interface. Each PPPoE session uniquely corresponds to a dialer bundle and each dialer bundle uniquely corresponds to a dialer interface. Thus, a PPPoE session uniquely corresponds to a dialer interface.

Follow these steps to configure a dialer interface:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure a dialer rule | dialer-rule dialer-group { protocol-name { permit \| deny } \| acl acl-number } | Required |
| Create a dialer interface | interface dialer number | Required |
| Create a dialer user | dialer user username | Required |
| Assign an IP address to the interface | ip address { address mask \| ppp-negotiate } | Required |
| Create a dialer bundle on the interface | dialer bundle bundle-number | Required |
| Create a dialer group on the interface | dialer-group group-number | Required |

 

You can also configure PPP authentication or set other parameters on the dialer interface as needed.

 

Configuring a PPPoE Session

PPPoE sessions fall into these categories: permanent PPPoE session, packet-triggered PPPoE session, and diagnostic PPPoE session.

- A permanent PPPoE session is established immediately when the line is physically up. It remains valid until a user terminates it explicitly.

- A packet-triggered PPPoE session is established when there is data to transmit. It is terminated after it has been idle for a specific period of time. That is, a packet-triggered PPPoE session may not be established even if the line is physically up.

- A diagnostic PPPoE session is established immediately after the AP configuration is complete. The AP automatically terminates and then tries to re-establish diagnostic PPPoE sessions at a pre-configured interval, and by doing so, monitors the status of the PPPoE links.

You can establish a PPPoE session on a VLAN interface.

Follow these steps to configure a PPPoE session:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter VLAN interface view | interface ethernet interface-number | |
| Create a PPPoE session, and specify a dialer bundle for the session | pppoe-client dial-bundle-number number [ no-hostuniq ] [ diagnose [ interval seconds ] \| idle-timeout seconds [ queue-length packets ] ] | Required |

 

You can establish multiple PPPoE sessions on a VLAN interface. In other words, a VLAN interface can belong to multiple dialer bundles at the same time. However, a dialer bundle can have only one VLAN interface. A PPPoE session uniquely corresponds to a dialer bundle and vice versa.

 

Resetting/Terminating a PPPoE Session

Follow these steps to reset/terminate a PPPoE session:

| To do… | Use the command… | Remarks |
|---|---|---|
| Reset a PPPoE session on a PPPoE client | reset pppoe-client { all \| dial-bundle-number number } | Available in user view |
| Terminate a PPPoE session on a PPPoE client | undo pppoe-client dial-bundle-number number | Available in VLAN interface view |

 

Displaying and Maintaining PPPoE

| To do… | Use the command… | Remarks |
|---|---|---|
| Display the statistics and state information about a PPPoE client | display pppoe-client session { packet \| summary } [ dial-bundle-number number ] | Available in any view |

 

PPPoE Configuration Example

PPPoE Client Configuration Example

Network requirements

As shown in Figure 2-2, Ethernet 1/0/1 on Router A and VLAN-interface 1 on AP are connected to each other. It is required that Router A authenticates AP using PAP or CHAP.

Figure 2-2 Network diagram for PPPoE client configuration

 

Configuration procedure

- Configuring PAP authentication:

1)        Configure Router A as the PPPoE server

# Add a PPPoE user.

<RouterA> system-view

[RouterA] local-user user2

[RouterA-luser-user2] password simple hello

[RouterA-luser-user2] service-type ppp

[RouterA-luser-user2] quit

# Configure virtual template 1.

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ppp authentication-mode pap

[RouterA-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterA-Virtual-Template1] remote address 1.1.1.2

[RouterA-Virtual-Template1] quit

# Configure the PPPoE server.

[RouterA] interface ethernet 1/0/1

[RouterA-Ethernet1/0/1] pppoe-server bind virtual-template 1

2)        Configure AP as the PPPoE client.

<AP> system-view

[AP] dialer-rule 1 ip permit

[AP] interface dialer 1

[AP-Dialer1] dialer user user2

[AP-Dialer1] dialer-group 1

[AP-Dialer1] dialer bundle 1

[AP-Dialer1] ip address ppp-negotiate

[AP-Dialer1] ppp pap local-user user2 password simple hello

[AP-Dialer1] quit

# Configure the PPPoE session.

[AP] interface Vlan-interface 1

[AP-Vlan-interface1] pppoe-client dial-bundle-number 1

- Configuring CHAP authentication:

1)        Configure Router A as the PPPoE server

# Add a PPPoE user.

<RouterA> system-view

[RouterA] local-user user2

[RouterA-luser-user2] password simple hello

[RouterA-luser-user2] service-type ppp

[RouterA-luser-user2] quit

# Configure virtual template 1.

[RouterA] interface virtual-template 1

[RouterA-Virtual-Template1] ppp authentication-mode chap

[RouterA-Virtual-Template1] ppp chap user user2

[RouterA-Virtual-Template1] ip address 1.1.1.1 255.0.0.0

[RouterA-Virtual-Template1] remote address 1.1.1.2

[RouterA-Virtual-Template1] quit

# Configure the PPPoE server.

[RouterA] interface ethernet 1/0/1

[RouterA-Ethernet1/0/1] pppoe-server bind virtual-template 1

2)        Configure AP as the PPPoE client.

<AP> system-view

[AP] dialer-rule 1 ip permit

[AP] interface dialer 1

[AP-Dialer1] dialer user user2

[AP-Dialer1] dialer-group 1

[AP-Dialer1] dialer bundle 1

[AP-Dialer1] ip address ppp-negotiate

[AP-Dialer1] ppp chap user user2

[AP-Dialer1] quit

[AP] local-user user2

[AP-luser-user2] password simple hello

[AP-luser-user2] quit

# Configure the PPPoE session.

[AP] interface Vlan-interface 1

[AP-Vlan-interface1] pppoe-client dial-bundle-number 1
