Question

Service name tag ignored with PPPOE

By tobylion ·
I have a c3745 set up as a PPPoE server for testing. The problem is the c3745 is accepting any service name tags.

In my case, I want to have the client use the following attributes:

username: local
password: local
service name: test

In my tests, I set up a negative test where the client sends foobar as a service name. I would like the router to deny the PPPoE connection attempt because the service name is incorrect or does not exist. Instead, the c3745 accepts the service name of foobar in the PADI and echoes the service name foobar back in the PADO.

Not sure how to configure the c3745 to deny connections based on service tag. Any help would be appreciated!

Here is the config:

!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c3745
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$J70H$cHLxuWuGLAM7GwS/Oz45R1
!
aaa new-model
!
!
aaa authorization network default local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.0 172.16.98.255
ip dhcp excluded-address 172.16.100.0 172.16.255.255
!
ip dhcp pool pppoe
network 172.16.99.0 255.255.255.0
default-router 172.16.0.20
dns-server 12.127.16.67 12.127.16.68
domain-name quijibozen.com
!
!
ip domain name quijibozen.com
ip name-server 12.127.16.68
ip name-server 12.127.16.67
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
local name fudge
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$14OU$iJcsUWd.HEYRWi/tqu1AC/
username cisco secret 5 $1$z6B1$XF6VSpN16hv7.J.3Fpr2r1
username local secret 5 $1$E2FX$.AyToxxNawuXQHAhVqYGr.
!
!
!
!
!
!
bba-group pppoe global
!
!
interface FastEthernet0/0
ip address 172.16.0.20 255.255.0.0
speed 100
full-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
description PPPOE
ip unnumbered FastEthernet0/0
peer default ip address dhcp-pool pppoe
ppp authentication pap chap
ppp accounting pppoe
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
speed 115200
line aux 0
line vty 0 4
logging synchronous
transport input none
line vty 5 15
logging synchronous
transport input none
!
!
Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 08:18 by prod_rel_team
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
c3745 uptime is 11 minutes
System returned to ROM by reload
System image file is "flash:c3745-adventerprisek9-mz.124-25d.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
Processor board ID JMX0838L2SU
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x3922
debug output:
Mar 2 04:44:31.831: ppp2 PPP: Send Message[Dynamic Bind Response]
*Mar 2 04:44:31.831: ppp2 PPP: Using vpn set call direction
*Mar 2 04:44:31.831: ppp2 PPP: Treating connection as a callin
*Mar 2 04:44:31.831: ppp2 PPP: Session handle[14000003] Session id[2]
*Mar 2 04:44:31.831: ppp2 PPP: Phase is ESTABLISHING, Passive Open
*Mar 2 04:44:31.831: ppp2 LCP: State is Listen
*Mar 2 04:44:32.823: ppp2 LCP: I CONFREQ [Listen] id 138 len 10
*Mar 2 04:44:32.823: ppp2 LCP: MagicNumber 0x0EC26814 (0x05060EC26814)
*Mar 2 04:44:32.823: ppp2 LCP: O CONFREQ [Listen] id 1 len 18
*Mar 2 04:44:32.823: ppp2 LCP: MRU 1492 (0x010405D4)
*Mar 2 04:44:32.823: ppp2 LCP: AuthProto PAP (0x0304C023)
*Mar 2 04:44:32.823: ppp2 LCP: MagicNumber 0x12037372 (0x050612037372)
*Mar 2 04:44:32.823: ppp2 LCP: O CONFACK [Listen] id 138 len 10
*Mar 2 04:44:32.823: ppp2 LCP: MagicNumber 0x0EC26814 (0x05060EC26814)
*Mar 2 04:44:32.823: ppp2 LCP: I CONFACK [ACKsent] id 1 len 18
*
c3745#Mar 2 04:44:32.823: ppp2 LCP: MRU 1492 (0x010405D4)
*Mar 2 04:44:32.823: ppp2 LCP: AuthProto PAP (0x0304C023)
*Mar 2 04:44:32.823: ppp2 LCP: MagicNumber 0x12037372 (0x050612037372)
*Mar 2 04:44:32.823: ppp2 LCP: State is Open
*Mar 2 04:44:32.823: ppp2 PPP: Phase is AUTHENTICATING, by this end
*Mar 2 04:44:32.823: ppp2 PAP: I AUTH-REQ id 11 len 16 from "cisco"
*Mar 2 04:44:32.823: ppp2 PAP: Authenticating peer cisco
*Mar 2 04:44:32.823: ppp2 PPP: Phase is FORWARDING, Attempting Forward
*Mar 2 04:44:32.823: ppp2 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 2 04:44:32.831: ppp2 PPP: Phase is FORWARDING, Attempting Forward
*Mar 2 04:44:32.831: ppp2 PPP: Send Message[Connect Local]
*Mar 2 04:44:32.831: ppp2 PPP: Bind to [Virtual-Access1.1]
*Mar 2 04:44:32.831: Vi1.1 PPP: Send Message[Static Bind Response]
*Mar 2 04:44:32.831: Vi1.1 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 2 04:44:32.831: Vi1.1 PAP: O AUTH-ACK id 11 len 5
*Mar
c3745#2 04:44:32.831: Vi1.1 PPP: Phase is UP
*Mar 2 04:44:32.831: Vi1.1 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 2 04:44:32.831: Vi1.1 IPCP: Address 172.16.0.20 (0x0306AC100014)
*Mar 2 04:44:32.831: Vi1.1 PPP: Process pending ncp packets
*Mar 2 04:44:32.835: Vi1.1 IPCP: I CONFREQ [REQsent] id 37 len 22
*Mar 2 04:44:32.835: Vi1.1 IPCP: Address 0.0.0.1 (0x030600000001)
*Mar 2 04:44:32.835: Vi1.1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Mar 2 04:44:32.835: Vi1.1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Mar 2 04:44:32.835: Vi1.1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.1, we want 0.0.0.0
*Mar 2 04:44:32.835: Vi1.1 AAA/AUTHOR/IPCP: Reject 0.0.0.1, using 0.0.0.0
*Mar 2 04:44:32.835: Vi1.1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.1, we want 0.0.0.0
*Mar 2 04:44:34.835: Vi1.1 IPCP: O CONFNAK [REQsent] id 37 len 22
*Mar 2 04:44:34.835: Vi1.1 IPCP: Address 172.16.99.1 (0x0306AC106301)
*Mar 2 04:44:34.835: Vi1.1 IPCP: PrimaryDNS 172.16.0.7 (0x8106A
c3745#
%Error opening tftp://172.16.0.7/network-confg (Timed out)C100007)
*Mar 2 04:44:34.835: Vi1.1 IPCP: SecondaryDNS 12.127.16.67 (0x83060C7F1043)
*Mar 2 04:44:34.835: Vi1.1 IPCP: I CONFACK [REQsent] id 1 len 10
*Mar 2 04:44:34.835: Vi1.1 IPCP: Address 172.16.0.20 (0x0306AC100014)
*Mar 2 04:44:34.835: Vi1.1 IPCP: I CONFREQ [ACKrcvd] id 39 len 22
*Mar 2 04:44:34.835: Vi1.1 IPCP: Address 0.0.0.1 (0x030600000001)
*Mar 2 04:44:34.835: Vi1.1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Mar 2 04:44:34.835: Vi1.1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Mar 2 04:44:34.835: Vi1.1 IPCP: O CONFNAK [ACKrcvd] id 39 len 22
*Mar 2 04:44:34.835: Vi1.1 IPCP: Address 172.16.99.1 (0x0306AC106301)
*Mar 2 04:44:34.835: Vi1.1 IPCP: PrimaryDNS 172.16.0.7 (0x8106AC100007)
*Mar 2 04:44:34.835: Vi1.1 IPCP: SecondaryDNS 12.127.16.67 (0x83060C7F1043)
*Mar 2 04:44:34.835: Vi1.1 IPCP: I CONFREQ [ACKrcvd] id 40 len 22
*Mar 2 04:44:34.835: Vi1.1 IPCP: Address 172.16.99.1 (0x0306AC106301)
*Mar 2 04:44:34.835: Vi1.1 IPCP:
c3745# PrimaryDNS 172.16.0.7 (0x8106AC100007)
*Mar 2 04:44:34.835: Vi1.1 IPCP: SecondaryDNS 12.127.16.67 (0x83060C7F1043)
*Mar 2 04:44:34.835: Vi1.1 IPCP: O CONFACK [ACKrcvd] id 40 len 22
*Mar 2 04:44:34.835: Vi1.1 IPCP: Address 172.16.99.1 (0x0306AC106301)
*Mar 2 04:44:34.835: Vi1.1 IPCP: PrimaryDNS 172.16.0.7 (0x8106AC100007)
*Mar 2 04:44:34.835: Vi1.1 IPCP: SecondaryDNS 12.127.16.67 (0x83060C7F1043)
*Mar 2 04:44:34.835: Vi1.1 IPCP: State is Open
*Mar 2 04:44:34.835: Vi1.1 IPCP: Install route to 172.16.99.1
and more debug output
*Mar 2 04:53:24.295: PPPoE 0: I PADI R:001f.f342.81fc L:ffff.ffff.ffff Fa0/0
FF FF FF FF FF FF 00 1F F3 42 81 FC 88 63 11 09
00 00 00 12 01 01 00 06 66 6F 6F 62 61 72 01 03 ...
*Mar 2 04:53:24.295: PPPoE 0: O PADO, R:0012.0007.f700 L:001f.f342.81fc Fa0/0
*Mar 2 04:53:24.295: Service tag: foobar
00 1F F3 42 81 FC 00 12 00 07 F7 00 88 63 11 07
00 00 00 2F 01 01 00 06 66 6F 6F 62 61 72 01 03 ...
*Mar 2 04:53:24.299: PPPoE 0: I PADR R:001f.f342.81fc L:0012.0007.f700 Fa0/0
00 12 00 07 F7 00 00 1F F3 42 81 FC 88 63 11 19
00 00 00 26 01 01 00 06 66 6F 6F 62 61 72 01 04 ...
*Mar 2 04:53:24.299: [3]PPPoE 2: O PADS R:001f.f342.81fc L:0012.0007.f700 Fa0/0
c3745#
00 1F F3 42 81 FC 00 12 00 07 F7 00 88 63 11 65
00 02 00 26 01 01 00 06 66 6F 6F 62 61 72 01 04 ...
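
Decoding the PADI and PADO dumps from the debug output above shows the Service-Name tag (type 0x0101, RFC 2516) carrying "foobar" in both directions. This is an added example, not part of the original post. The function names and the `service_allowed` check are hypothetical: they illustrate the strict match the poster wants, not IOS behaviour.

```python
import struct

# PPPoE discovery codes and the Service-Name tag type, from RFC 2516.
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_SERVICE_NAME = 0x0101

# First 32 bytes of the PADI and PADO frames, copied from the debug output above.
# The router's dump is truncated ("..."), so the last tag is incomplete.
PADI_HEX = ("FF FF FF FF FF FF 00 1F F3 42 81 FC 88 63 11 09 "
            "00 00 00 12 01 01 00 06 66 6F 6F 62 61 72 01 03")
PADO_HEX = ("00 1F F3 42 81 FC 00 12 00 07 F7 00 88 63 11 07 "
            "00 00 00 2F 01 01 00 06 66 6F 6F 62 61 72 01 03")


def parse_discovery(hex_dump):
    """Parse an Ethernet frame carrying PPPoE discovery (EtherType 0x8863)."""
    frame = bytes.fromhex(hex_dump)
    if len(frame) < 20:
        raise ValueError("too short for Ethernet + PPPoE headers")
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype != 0x8863 or ver_type != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    payload = frame[20:20 + length]
    tags, truncated, pos = [], len(payload) < length, 0
    while pos < len(payload):
        if pos + 4 > len(payload):   # dump ends inside a tag header
            truncated = True
            break
        tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + tag_len]
        if len(value) < tag_len:     # dump ends inside a tag value
            truncated = True
            break
        tags.append((tag_type, value))
        pos += 4 + tag_len
    return {"code": CODES.get(code, hex(code)), "session_id": session_id,
            "tags": tags, "truncated": truncated}


def service_names(packet):
    """Return every Service-Name tag value (an empty value means 'any service')."""
    return [v.decode("ascii", "replace") for t, v in packet["tags"] if t == TAG_SERVICE_NAME]


def service_allowed(packet, allowed):
    """Strict match: every requested service name must be in `allowed`."""
    names = service_names(packet)
    return bool(names) and all(n in allowed for n in names)
```

Calling `service_allowed(parse_discovery(PADI_HEX), {"test"})` returns `False`, which is the outcome the negative test expects from the access concentrator.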
