I’ve been working with a lot of PPPoE deployments in the past few weeks, and decided to post a short template of the Cisco side of things. Note that I will not be blogging on how to set up a radius server in this post or how to set up the AV-Pairs to rate-limit etc…
First you need to set up AAA authentication. The Cisco AAA framework is rather rich and I encourage you to study the many options that are available. Please note that in the example I set the router to use local authentication for management access and to use RADIUS for the PPP users.
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default
 action-type start-stop
 group radius
Next you enable VPDN (virtual private dial-up networking) and set the global BBA (broadband access) group to use virtual-template 1.
vpdn enable
!
bba-group pppoe global
 virtual-template 1
 sessions per-vlan limit 3000
!
Then you set up which interfaces terminate PPPoE, put the IP addresses on the loopback interface, set up the virtual template, and set up the IP pools.
interface Loopback0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1.1
 description To Back End Equipment
 encapsulation dot1Q 1 native
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 description DSLAMs
 encapsulation dot1Q 2
 ip address 203.0.113.1 255.255.255.0 secondary
 pppoe enable group global
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 peer default ip address pool pppoepool
 ppp authentication pap
!
ip local pool pppoepool 192.0.2.2 192.0.2.254
Last we set up the RADIUS servers. Note that I have the router set to strip out the domain name so that I can hardcode the realm in the RADIUS configuration based on the NAS.
ip radius source-interface Loopback0
!
radius-server host 198.51.100.9 auth-port 1815 acct-port 1816 key superSecretPassword
radius-server domain-stripping
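As an added example (my own Python model, not the post's configuration or any Cisco code), this builds the RADIUS Access-Request a NAS configured like the one above would send for a PAP PPPoE login: it applies the domain stripping, sources NAS-IP-Address from Loopback0, and hides the PAP password per RFC 2865 so you can see that the shared secret is the only thing protecting that password on the NAS-to-server leg. The username alice@example.net and the fixed authenticator are constructed sample values.

```python
import hashlib
import os
import struct

def strip_domain(username: str) -> str:
    # Mimic 'radius-server domain-stripping': user@realm becomes user.
    return username.split("@", 1)[0]

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    # MD5(shared secret + previous ciphertext block), seeded with the Request
    # Authenticator. A weak or leaked secret exposes every PAP password captured.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of hide_password: what the RADIUS server computes on receipt.
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def _avp(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: Type (1), Length (1, includes header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         authenticator: bytes = b"", identifier: int = 1) -> bytes:
    # Access-Request (Code 1) for a framed PPP user on an Ethernet (PPPoE) port.
    authenticator = authenticator or os.urandom(16)
    attrs = (_avp(1, strip_domain(username).encode())                             # User-Name
             + _avp(2, hide_password(password.encode(), secret, authenticator))  # User-Password
             + _avp(4, bytes(int(o) for o in nas_ip.split(".")))                 # NAS-IP-Address
             + _avp(6, struct.pack("!I", 2))                                     # Service-Type = Framed
             + _avp(7, struct.pack("!I", 1))                                     # Framed-Protocol = PPP
             + _avp(61, struct.pack("!I", 15)))                                  # NAS-Port-Type = Ethernet
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    # Walk the TLVs after the 20-byte header and return {type: value}.
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs
```

Run against a capture of your own NAS-to-server traffic, reveal_password with the configured key shows why that leg must stay on a trusted back-end VLAN, as the post places it.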
In a future blog post I plan to look again at the Cisco AAA framework to do other things using RADIUS, TACACS+, local, and other authentication protocols.