PPP server¶
Overview¶
The Point-to-Point Protocol (PPP) is a data link protocol commonly used to establish a direct connection between two networking nodes. It provides a standard method for transporting multi-protocol datagrams over point-to-point links. Virtual Service Router supports the PPPoE encapsulation.
Multiple PPP server instances can be hosted on Virtual Service Router. Placing them in different VRFs gives complete separation between instances.
Supported services & features¶
Multi-VRF support
RADIUS support
User authentication
Multi-session support
IPv6 Autoconfiguration
IPv6 Prefix Delegation
IPv4 and IPv6 routing context
Hierarchical QoS
RADIUS support¶
Virtual Service Router supports interacting with a RADIUS server in order to assure authentication, authorization and accounting (AAA) functions. It also supports dynamic-request change of authorization (CoA) as well as disconnect operations.
- Authentication and Authorization:
Besides local authentication, Virtual Service Router offers remote authentication, where the user information (username, password and other attributes) is configured on a remote RADIUS server. Virtual Service Router sends an Access-Request carrying NAS-Identifier, NAS-IP-Address and the user information to the RADIUS server. If the server does not answer within the configured timeout, the request is retransmitted the configured number of times. If that server still does not answer, Virtual Service Router sends the Access-Request to the backup RADIUS servers, if any are configured. If no response is received at all, the session fails. If the RADIUS server successfully authenticates the user, it replies with an Access-Accept. The authorization is defined by the set of attributes carried in that reply, which determine the capabilities and restrictions applied to the subscriber.
- Accounting:
Virtual Service Router sends user accounting information (session time, packets, bytes and other resources consumed during the session) to a RADIUS accounting server.
See also
Refer to command reference ppp-server radius for configuration details.
- Change of Authorization:
Virtual Service Router supports change of authorization for online users through CoA packets, meaning that it can dynamically update a user's authorization for specific RADIUS attributes. The supported attributes are listed in the section 6WIND vendor-specific RADIUS attributes.
See also
Refer to command reference ppp-server radius change-of-authorization-server for configuration details.
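As an added example (not 6WIND code), the following Python builds the three packets behind the exchange described above: the PAP Access-Request the PPP server sends, the Access-Accept the RADIUS server answers with, and a CoA-Request from the change-of-authorization server. It also shows the two checks a NAS has to perform before trusting a reply: the RFC 2865 Response Authenticator and the RFC 5176 CoA-Request authenticator, both keyed by the shared secret. Packet codes and attribute numbers are the standard ones from the RFCs; the secrets, NAS identity, username and MAC address used to exercise it are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 / RFC 5176) and the standard attribute numbers used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, COA_REQUEST = 1, 2, 3, 43
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER = 7, 8, 31, 32
SERVICE_TYPE_FRAMED_USER, FRAMED_PROTOCOL_PPP = 2, 1
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows
ZERO_SEED = b"\x00" * 16

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs (1-byte type, 1-byte total length)."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)

def decode_attrs(blob):
    """Inverse of encode_attrs; a truncated or zero-length TLV is an error, not an endless loop."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block).
    Obfuscation keyed by the shared secret, not encryption: the secret is the only protection."""
    padded = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Server side of hide_password; the keystream is chained on the previous hidden block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def _authenticator(code, identifier, body, seed, secret):
    """MD5(Code + Identifier + Length + seed + Attributes + Secret). Seed = Request Authenticator
    gives the RFC 2865 Response Authenticator; seed = sixteen zero bytes gives the RFC 5176 CoA one."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(body)) + seed + body + secret).digest()

def build_access_request(secret, identifier, username, password, nas_ip, nas_id, client_mac):
    """NAS side: the PAP Access-Request the PPP server sends. The Request Authenticator must be
    fresh and unpredictable per request; it seeds the password hiding above."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split("."))),
        (NAS_IDENTIFIER, nas_id.encode()),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED_USER)),
        (FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),
        (CALLING_STATION_ID, client_mac.encode()),
    ])
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body, request_auth

def build_response(code, identifier, attrs, request_auth, secret):
    """Server side: Access-Accept/Access-Reject bound to the request by its Request Authenticator."""
    body = encode_attrs(attrs)
    auth = _authenticator(code, identifier, body, request_auth, secret)
    return HEADER.pack(code, identifier, 20 + len(body)) + auth + body

def build_coa_request(identifier, attrs, secret):
    """CoA server side (RFC 5176): same construction, seeded with sixteen zero bytes."""
    body = encode_attrs(attrs)
    auth = _authenticator(COA_REQUEST, identifier, body, ZERO_SEED, secret)
    return HEADER.pack(COA_REQUEST, identifier, 20 + len(body)) + auth + body

def _verify(packet, seed, secret, expected_codes):
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if code not in expected_codes or length != len(packet):
        return False
    expected = _authenticator(code, identifier, packet[20:], seed, secret)
    return hmac.compare_digest(expected, packet[4:20])

def verify_response(packet, request_auth, secret):
    """NAS side: drop any Access-Accept/Reject whose authenticator does not match the shared secret
    and the outstanding Request Authenticator; otherwise a spoofed UDP datagram grants the session."""
    return _verify(packet, request_auth, secret, (ACCESS_ACCEPT, ACCESS_REJECT))

def verify_coa_request(packet, secret):
    """NAS side: check a CoA-Request against the change-of-authorization-server secret first."""
    return _verify(packet, ZERO_SEED, secret, (COA_REQUEST,))
```

The point to take from `verify_response` and `verify_coa_request` is that nothing but the shared secret authenticates the RADIUS and CoA servers to the PPP server: RADIUS has no transport encryption, so secret strength and the network path between the PPP server and its RADIUS servers are the whole security boundary of the AAA exchange.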
The following tables list the supported RADIUS attributes. A more detailed explanation for each attribute can be found in the sections below.
RADIUS standard-attributes support:
Number | Attribute name | AAA packet presence
---|---|---
1 | User-Name | Access-Request, Access-Accept
2 | User-Password | Access-Request
3 | CHAP-Password | Access-Request
4 | NAS-IP-Address | Access-Request
6 | Service-Type | Access-Request, Access-Accept
7 | Framed-Protocol | Access-Request, Access-Accept
8 | Framed-IP-Address | Access-Accept
22 | Framed-Route | Access-Accept
27 | Session-Timeout | Access-Accept
28 | Idle-Timeout | Access-Accept
30 | Called-Station-Id | Access-Request
31 | Calling-Station-Id | Access-Request
32 | NAS-Identifier | Access-Request
44 | Acct-Session-Id | Access-Request, Accounting-Request
60 | CHAP-Challenge | Access-Request
61 | NAS-Port-Type | Access-Request
85 | Acct-Interim-Interval | Access-Accept
87 | NAS-Port-Id | Access-Request, Accounting-Request
96 | Framed-Interface-Id | Access-Accept
97 | Framed-IPv6-Prefix | Access-Accept
99 | Framed-IPv6-Route | Access-Accept
6WIND vendor-specific RADIUS attributes:
Number | Attribute name | AAA packet presence
---|---|---
7 | 6WIND-limit | Access-Accept, CoA
23 | 6WIND-iface-rpf | Access-Accept, CoA
24 | 6WIND-qos-template-name | Access-Accept, CoA
Microsoft vendor-specific RADIUS attributes:
Number | Attribute name | AAA packet presence
---|---|---
28 | MS-Primary-DNS-Server | Access-Accept
1 | MS-CHAP-Response | Access-Request
11 | MS-CHAP-Challenge | Access-Request
25 | MS-CHAP2-Response | Access-Request
26 | MS-CHAP2-Success | Access-Accept
RADIUS standard-attributes support¶
User-Name¶
The user to be authenticated, carried in the Access-Request. It may also be sent in an Access-Accept packet, in which case Virtual Service Router uses that User-Name in all Accounting-Request packets for the session.
User-Password¶
This attribute is sent in Access-Request packets when the peer authentication mode is PAP and the PPP client is configured accordingly. With PAP the password crosses the PPP link in clear text, and on the RADIUS leg it is only obfuscated with an MD5 stream keyed by the shared secret (RFC 2865), so prefer CHAP or MS-CHAP-V2 wherever the clients support it.
CHAP-Password¶
This attribute is sent in Access-Request packets when Challenge-Handshake Authentication Protocol (CHAP) is the peer authentication mode and the PPP client is configured accordingly.
CHAP-Challenge¶
This attribute contains the CHAP challenge sent by Virtual Service Router to a PPP CHAP user. It is sent in Access-Request packets.
NAS-IP-Address¶
This attribute carries the identifying IP address of Virtual Service Router. It is sent in Access-Request and Accounting-Request packets.
Service-Type¶
The type of service the PPPoE user has requested, or the type of service to be provided to the PPPoE user. Included as "Service-Type = Framed-User" in the Access-Request as a hint to the RADIUS server that this user is looking for PPP.
Framed-Protocol¶
This attribute indicates the framing to be used for framed access. Virtual Service Router includes it as "Framed-Protocol = PPP" in the Access-Request as a hint to the RADIUS server that this user is looking for PPP.
Framed-IP-Address¶
An IPv4 address provided by the RADIUS server to assign to the user’s PPP interface.
Framed-Route¶
A static IPv4 route provided by RADIUS server to install in Virtual Service Router routing table for the PPP user.
Session-Timeout¶
This attribute sets the maximum number of seconds of service to be provided to the PPP user before the Virtual Service Router terminates the session.
Idle-Timeout¶
This attribute defines the maximum number of consecutive seconds a user can remain connected without activity before the Virtual Service Router terminates the session.
Called-Station-Id¶
This attribute is included in the Access-Request and is set to the MAC address of the PPP server interface that received the PPP client's access request.
Calling-Station-Id¶
This attribute is included in the Access-Request and is set to the MAC address of the PPP client. Since the client chooses its own MAC address, this value identifies the subscriber line only as far as the access network enforces it; do not use it as an authentication factor on its own.
NAS-Identifier¶
This attribute contains a configured string identifying the Virtual Service Router. It is sent in Access-Request and Accounting-Request packets.
Acct-Session-Id¶
This attribute is a unique accounting ID. Virtual Service Router includes it in the Access-Request and in all accounting packets.
NAS-Port-Type¶
This attribute indicates the type of the physical port of the NAS which is authenticating the user. It is only used in Access-Request packets.
NAS-Port-Id¶
This attribute contains a text string identifying the port of the NAS authenticating the user. It is included in Access-Request and Accounting-Request packets. In Accounting-Request packets the attribute appears twice; the second instance contains the name of the NAS PPP interface.
Acct-Interim-Interval¶
This attribute indicates the number of seconds between interim accounting updates for the session.
Framed-Interface-Id¶
An IPv6 interface identifier to be configured on the user’s PPP interface.
Framed-IPv6-Prefix¶
An IPv6 prefix to be configured for the user. The prefix should have a 64 bit mask. For example 2001:db8:0:100::/64.
Framed-IPv6-Route¶
IPv6 routing information provided by RADIUS to be installed for the user in the Virtual Service Router routing table. It is written as "PREFIX/MASK USER-IPv6-ADDRESS METRIC", for example: 2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1.
PREFIX/MASK is the destination prefix, optionally followed by a mask length.
USER-IPv6-ADDRESS is the gateway address. It can be omitted by writing the unspecified address; for instance, the following form is also accepted: 2000:0:0:106::/64 :: 1.
Delegated-IPv6-Prefix-Pool¶
The IPv6 prefix delegation pool name to use for the user.
6WIND vendor-specific RADIUS attributes¶
The following section defines the 6WIND proprietary RADIUS attributes. A RADIUS attribute dictionary is provided with Virtual Service Router; it includes the attribute number, attribute name, attribute type and the 6WIND vendor ID, so it can be loaded into RADIUS servers.
6WIND-limit¶
- Type
string
- Description
This is the IPv4 traffic-limiting attribute. The PPP server supports a basic rate-limiting QoS policy: traffic exceeding the rate-limit parameters is dropped. The attribute is a string with the format "type=cir cbs eir ebs unit", where:
type: either "in" for ingress or "out" for egress.
cir: Committed Information Rate.
cbs: Committed Burst Size.
eir: Excess Information Rate.
ebs: Excess Burst Size.
unit: pps or bps. The unit may also be given in kilo (kbps/kpps), mega (mbps/mpps) or giga (gbps/gpps).
This attribute may be present in Access-Accept or CoA packets.
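As an added example (not 6WIND code) covering both the Framed-IPv6-Route format above and this 6WIND-limit format, the following Python parses the two strings and rejects anything outside the documented syntax, which is what a NAS should do with operator-supplied attribute values rather than guessing. The sample values are the ones from this page; treating a gateway of "::" as "no gateway" follows the text, while scaling all four rate-limit numbers by the unit prefix is an assumption.

```python
import ipaddress
import re

# "in|out=cir cbs eir ebs unit", unit = [k|m|g](bps|pps), case-insensitive as in the FreeRADIUS example.
_LIMIT_RE = re.compile(r"^(in|out)=(\d+) (\d+) (\d+) (\d+) ([kmg]?)(bps|pps)$", re.IGNORECASE)
_SCALE = {"": 1, "k": 10 ** 3, "m": 10 ** 6, "g": 10 ** 9}


def parse_framed_ipv6_route(value):
    """Parse "PREFIX/MASK USER-IPv6-ADDRESS METRIC" into {"prefix", "gateway", "metric"}.

    The gateway is None when given as "::" (the page's form for an omitted gateway)."""
    fields = value.split()
    if len(fields) != 3:
        raise ValueError("Framed-IPv6-Route needs 'prefix gateway metric': %r" % value)
    # strict=True rejects a prefix with host bits set (e.g. 2000:0:0:106::1/64); a bare address is /128.
    prefix = ipaddress.IPv6Network(fields[0], strict=True)
    gateway = ipaddress.IPv6Address(fields[1])
    metric = int(fields[2])  # ValueError on anything non-numeric
    if metric < 0:
        raise ValueError("negative metric in %r" % value)
    return {
        "prefix": str(prefix),
        "gateway": None if gateway.is_unspecified else str(gateway),
        "metric": metric,
    }


def parse_6wind_limit(value):
    """Parse "type=cir cbs eir ebs unit" into a dict with the four numbers scaled to bps or pps.

    Assumption: the unit prefix (k/m/g) applies to all four numbers, since the page gives one unit."""
    match = _LIMIT_RE.match(value.strip())
    if not match:
        raise ValueError("6WIND-limit must be 'in|out=cir cbs eir ebs unit': %r" % value)
    direction, cir, cbs, eir, ebs, prefix, unit = match.groups()
    scale = _SCALE[prefix.lower()]
    limit = {"direction": direction.lower(), "unit": unit.lower()}
    for name, raw in zip(("cir", "cbs", "eir", "ebs"), (cir, cbs, eir, ebs)):
        limit[name] = int(raw) * scale
    return limit
```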
6WIND-iface-rpf¶
- Type
integer
- Description
This is the Reverse Path Filtering attribute for the user's PPP interface. The value "0" disables Reverse Path Filtering. Reverse path filtering on a subscriber interface is what stops that subscriber from injecting packets with spoofed source addresses (BCP 38), so disable it only for subscribers that legitimately route other prefixes through the session. This attribute may be present in Access-Accept or CoA packets.
6WIND-qos-template-name¶
- Type
string
- Description
This attribute contains the name of a hierarchical QoS template to be applied to the user. The template must be configured on the Virtual Service Router; otherwise the default template is applied. This attribute may be present in Access-Accept packets.
Microsoft vendor-specific RADIUS attributes¶
The following Microsoft vendor-specific attributes are supported by the Virtual Service Router.
MS-Primary-DNS-Server¶
Used to supply the IPv4 address of a DNS server to the PPP client. It may be included in the Access-Accept packet.
MS-CHAP-Response¶
This attribute contains the response value provided by a PPP user when Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is configured as the PPP peer authentication mode. It is only used in Access-Request packets.
MS-CHAP-Challenge¶
This attribute contains the challenge sent by Virtual Service Router when MS-CHAP is configured as the PPP peer authentication mode. It is included in the Access-Request packet.
MS-CHAP2-Response¶
This attribute contains the response value provided by an MS-CHAP-V2 peer in response to the challenge. It is used when MS-CHAP-V2 is enabled as the PPP peer authentication mode and appears only in Access-Request packets.
MS-CHAP2-Success¶
This attribute is used when MS-CHAP-V2 is configured as the PPP peer authentication mode. The string it contains is included in the Success message sent from Virtual Service Router to the PPP client, which is what lets the client verify that the server side knew its password (MS-CHAP-V2 mutual authentication). It is only used in Access-Accept packets.
A FreeRADIUS configuration example¶
Here is a configuration example for FreeRADIUS (users file syntax):
client_1 Cleartext-Password := "test123"
Acct-Interim-Interval = 15,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.4.128.1,
Framed-Route = 15.200.0.0/24,
Session-Timeout = 1200,
6WIND-limit += "in=10 10 10 10 Kpps",
6WIND-limit += "out=5 5 5 5 Kpps"
Note
It’s necessary to include the 6WIND vendor-specific dictionary in the FreeRADIUS dictionary list for this example to work.
Here is the client state on the Virtual Service Router:
dut-vm> show state vrf main ppp-server instance ppp-server-1 session-state
session-state ppp0
username client_1
peer-ip 10.4.128.1
local-ip 192.168.0.1
type pppoe
state active
uptime 00:02:10
rx-bytes 272
tx-bytes 1238
IPv6 Autoconfiguration Support¶
Currently the PPP server supports IPv6 stateless autoconfiguration. Stateless means that no database is used to keep track of which addresses have been assigned and which are still available. The PPP server sends a router advertisement message (as described in RFC 4861) carrying an IPv6 prefix and a non-zero router lifetime to the user, so that it can create a global unicast IPv6 address through stateless autoconfiguration. DNS information such as recursive DNS servers (RDNSS) and a DNS search list (DNSSL) can also be included in the message.
Note
An IPv6 prefix configured locally in the PPPoE configuration section of a PPP server has a higher priority than an IPv6 prefix specified by the Framed-IPv6-Prefix attribute of a RADIUS Access-Accept message.
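As an added example (not 6WIND code) of the advertisement described above, the following Python builds a Router Advertisement carrying one Prefix Information option with the autonomous flag set, plus RDNSS and DNSSL options, and parses such a message back, rejecting malformed options as RFC 4861 requires. The prefix, DNS server and search list used to exercise it are sample values from this page; the DNS option lifetime and the valid/preferred prefix lifetimes are assumed defaults.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS, OPT_DNSSL = 3, 25, 31  # RFC 4861 section 4.6.2, RFC 8106


def _dns_labels(names):
    """Encode domain names in DNS wire form (length-prefixed labels, NUL terminated)."""
    out = b""
    for name in names:
        for label in name.strip(".").split("."):
            if not 1 <= len(label) <= 63:
                raise ValueError("bad DNS label in %r" % name)
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out


def _parse_labels(blob):
    names, current, i = [], [], 0
    while i < len(blob):
        n, i = blob[i], i + 1
        if n == 0:  # end of a name; the trailing padding NULs fall through here as well
            if current:
                names.append(".".join(current))
                current = []
            continue
        current.append(blob[i:i + n].decode("ascii"))
        i += n
    return names


def build_router_advertisement(prefix, router_lifetime, rdnss=(), dnssl=(), dns_lifetime=1800,
                               valid_lifetime=2592000, preferred_lifetime=604800):
    """ICMPv6 Router Advertisement with one SLAAC prefix and optional RDNSS/DNSSL options.
    The checksum is left at zero: a Linux raw IPPROTO_ICMPV6 socket fills it in on send."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:  # hosts form SLAAC addresses from a 64-bit prefix
        raise ValueError("SLAAC prefix must be /64, got /%d" % net.prefixlen)
    # type, code, checksum, cur hop limit, M/O flags (both clear: stateless), router lifetime,
    # reachable time, retrans timer. A zero router lifetime means "not a default router".
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    # Prefix Information: length 4 (32 bytes), flags L|A = 0xC0 so the host autoconfigures.
    msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                       valid_lifetime, preferred_lifetime, 0) + net.network_address.packed
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, dns_lifetime) + addrs
    if dnssl:
        labels = _dns_labels(dnssl)
        labels += b"\x00" * (-len(labels) % 8)  # option length is in units of 8 octets
        msg += struct.pack("!BBHI", OPT_DNSSL, 1 + len(labels) // 8, 0, dns_lifetime) + labels
    return msg


def parse_router_advertisement(msg):
    """Decode the fields a PPP client acts on; a malformed option rejects the whole message."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    _hop, flags, lifetime = struct.unpack("!BBH", msg[4:8])
    ra = {"router_lifetime": lifetime, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "prefixes": [], "rdnss": [], "dnssl": []}
    i = 16
    while i < len(msg):
        if i + 2 > len(msg) or msg[i + 1] == 0 or i + 8 * msg[i + 1] > len(msg):
            raise ValueError("malformed option at offset %d" % i)
        opt_type, opt = msg[i], msg[i:i + 8 * msg[i + 1]]
        if opt_type == OPT_PREFIX_INFO and len(opt) == 32:
            ra["prefixes"].append({"prefix": "%s/%d" % (ipaddress.IPv6Address(opt[16:32]), opt[2]),
                                   "on_link": bool(opt[3] & 0x80), "autonomous": bool(opt[3] & 0x40)})
        elif opt_type == OPT_RDNSS:
            ra["rdnss"] += [str(ipaddress.IPv6Address(opt[j:j + 16])) for j in range(8, len(opt), 16)]
        elif opt_type == OPT_DNSSL:
            ra["dnssl"] += _parse_labels(opt[8:])
        i += len(opt)
    return ra
```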
IPv6 Prefix Delegation Support¶
The PPP server supports IPv6 prefix delegation. Once a PPP session is established, the PPP server listens for DHCPv6 packets on it in order to hand out the IPv6 prefix to be used on the LAN side.
Configuration examples¶
By default, the PPP server is disabled. Through the CLI you can enable a PPP server over an Ethernet connection.
First, configure the Ethernet interface:
dut-vm running config# vrf main interface
dut-vm running interface# physical eth1
dut-vm running physical eth1#! port pci-b0s5
dut-vm running physical eth1# enabled true
dut-vm running physical eth1# commit
Configuration committed.
Then, enable a PPP server over an Ethernet connection using the interface eth1:
dut-vm running config# vrf main ppp-server instance ppp-server-1
dut-vm running instance ppp-server-1# pppoe interface eth1
dut-vm running interface eth1# commit
Configuration committed.
Example 1: Without a RADIUS server¶
Here are some feature configuration examples that do not use RADIUS.
Choosing an authentication method and adding a user's credentials:
dut-vm running instance ppp-server-1# auth peer-auth-mode chap
dut-vm running instance ppp-server-1# auth peer-secrets secrets john.doe password test123*
Enabling IPCP and configuring the peer IPv4 address pool:
dut-vm running instance ppp-server-1# ppp ipcp allow
dut-vm running instance ppp-server-1# ip-pool default-local-ip 192.164.0.2
dut-vm running instance ppp-server-1#! ip-pool pool pool1 peer-pool 192.164.0.2/32
dut-vm running instance ppp-server-1# pppoe ip-pool pool1
Enabling IP6CP and IPv6 autoconfiguration:
dut-vm running instance ppp-server-1# ppp ipv6cp allow
dut-vm running instance ppp-server-1# ipv6-neighbor-discovery enabled true
dut-vm running instance ppp-server-1# ipv6-pool pool pool2 prefix 2001:db8:22:33::/48 prefix-len 64
dut-vm running instance ppp-server-1# pppoe ipv6-pool pool2
Adding DNS information:
dut-vm running instance ppp-server-1# dns server 8.8.8.8
dut-vm running instance ppp-server-1# dns server 2001:4860:4860::8888
dut-vm running instance ppp-server-1# dns dns-search-list google.com dns-search-list 6wind.com
Example 2: With a RADIUS server¶
Here is another configuration example, where a RADIUS server is used for authentication, accounting and change of authorization.
First, configure the interface to use for RADIUS communication:
dut-vm running config# vrf main
dut-vm running vrf main# interface
dut-vm running interface# physical ntfp2
dut-vm running physical ntfp2#! port pci-b0s4
dut-vm running physical ntfp2# enabled true
dut-vm running physical ntfp2# ipv4
dut-vm running ipv4# address 10.100.0.2/24
Then, add the RADIUS information. The shared secrets are the only thing authenticating the RADIUS and CoA servers to the PPP server (RADIUS itself carries no transport encryption), so use long random values and reach those servers over a dedicated management network:
dut-vm running config# vrf main ppp-server instance ppp-server-1
dut-vm running instance ppp-server-1# auth radius enabled true
dut-vm running instance ppp-server-1#! auth radius nas ip-address 10.100.0.2 identifier vsr
dut-vm running instance ppp-server-1#! auth radius server address 10.100.0.1 auth-port 1812 acct-port 1813 secret 'test#%&123*123*'
dut-vm running instance ppp-server-1# auth radius backup-server address 10.100.1.1 auth-port 1814 acct-port 1815 secret 'test#456*123*'
dut-vm running instance ppp-server-1# auth radius default-local-ip 19.168.100.1
dut-vm running instance ppp-server-1# auth radius change-of-authorization-server secret testing123
dut-vm running instance ppp-server-1# auth radius accounting session-id-in-authentication true interim-interval 5
Quality of Service Support¶
Virtual Service Router provides multi-level hierarchical quality of service for PPPoE sessions. This feature allows latency and throughput optimization and ensures that each subscriber gets the appropriate network resources. This is achieved through classifying, policing and scheduling the traffic.
The QoS is configured in the CLI, triggered by RADIUS and dynamically applied by the PPP server for each subscriber session.
The deployment of QoS involves two main components, an HTB based scheduler and a PPP server QoS template.
The HTB scheduler:
All subscriber queues are organized in a tree-structured scheduler that determines how the available bandwidth is distributed among them.
The user first creates the root queue and the default queue of this HTB scheduler in the global QoS context and associates it with the PPP server interface, as described in the chapter scheduling.
The user can also add inner static queues to suit the desired bandwidth redistribution and the different subscriber plans. This part of the scheduler is static and is called the base-scheduler; it is referenced by the scheduler-interface configuration node. When a PPPoE session is established, all its queues are appended dynamically as child queues of the base-scheduler, according to the PPP server QoS template.
PPP server QoS template:
The PPP server QoS template is a profile that provides queue models for BNG subscribers. A queue model lets the user configure minimum guaranteed bandwidth, maximum authorized bandwidth, priority, traffic mark and other related QoS parameters.
Once the subscriber authenticates to the network and its session is established, QoS queues are created dynamically according to the queue models configured in its template. The template name must be received in the RADIUS Access-Accept packet via the 6WIND attribute 6WIND-qos-template-name. Refer to the 6WIND attributes section for more details.
- Traffic classification:
Each queue can be associated with a different kind of traffic, such as video, data or VoIP. Classification into the queues is achieved through the mark of the queue template: when a packet's mark matches a queue's mark, the packet is classified into that queue.
- Restrictions:
Users can configure up to 255 queue marks.
Only egress is supported.
The sum of the CIR bandwidth of all existing dynamic queues must not exceed the CIR bandwidth of the parent queue.
Unlike queues in the global QoS context, a queue in the PPP server QoS template cannot be given a policer.
Static inner queues cannot be assigned QoS classes.
For good performance, the NIC must support RSS on the PPPoE protocol.
Consider the following example, where the service provider offers two subscriber plans, premium and non-premium. Each plan gives its users a specific guaranteed bandwidth for VoIP and data traffic.
Step 1: Configure the fast path limits¶
Set the maximum number of QoS policies to the number of subscribers, and the maximum number of QoS classes to the number of subscribers multiplied by the maximum number of QoS queues per subscriber.
For instance, with 10K subscribers and 3 queues per subscriber, use the following fast path limits (with some headroom):
vsr running config# / system fast-path limits
vsr running limits# qos-max-classes 31500
vsr running limits# qos-max-policies 10500
Step 2: Configure the static base-scheduler¶
vsr running config# / qos
vsr running qos# scheduler scheduler-1
vsr running scheduler scheduler-1#! htb
vsr running htb# queue 1
vsr running queue 1#! bandwidth 40G
vsr running queue 1# ceiling 40G
vsr running queue 1# ceiling-priority 1
vsr running queue 1# child-queue 2
vsr running queue 1#! child-queue 3
vsr running queue 1#! child-queue 4
vsr running queue 1#! ..
vsr running htb#! queue 2
vsr running queue 2#! description "This is the static parent queue for premium subscribers queues"
vsr running queue 2#! bandwidth 30G
vsr running queue 2#! ceiling 40G
vsr running queue 2#! ceiling-priority 1
vsr running queue 2#! ..
vsr running htb#! queue 3
vsr running queue 3#! description "This is the static parent queue for non-premium subscribers queues"
vsr running queue 3#! bandwidth 10G
vsr running queue 3#! ceiling 40G
vsr running queue 3#! ceiling-priority 2
vsr running queue 3#! ..
vsr running htb#! queue 4
vsr running queue 4#! description "This is the default queue"
vsr running queue 4#! bandwidth 10K
vsr running queue 4# ceiling 40G
vsr running queue 4# ceiling-priority 9
vsr running queue 4# ..
vsr running htb# default-queue 4
Step 3: Add the base-scheduler to the PPP server interface¶
vsr running config# vrf main interface physical eth1 qos egress scheduler scheduler-1
Step 4: Configure the templates¶
The base-scheduler is referenced by the interface on which it is set as an egress scheduler, as done in the previous step; here it is eth1. The static-parent node references queue indexes in this base-scheduler.
vsr running config# / vrf main ppp-server instance ppp-server-1 qos
vsr running qos# template premium-subscribers scheduler-interface eth1
vsr running qos#! template premium-subscribers queue prem static-parent 2
vsr running qos#! template premium-subscribers queue prem bandwidth 7M
vsr running qos# template premium-subscribers queue prem ceiling 2G
vsr running qos# template premium-subscribers queue prem-voip dynamic-parent prem
vsr running qos#! template premium-subscribers queue prem-voip bandwidth 5M
vsr running qos# template premium-subscribers queue prem-voip ceiling 2G
vsr running qos# template premium-subscribers queue prem-voip mark 0x1
vsr running qos# template premium-subscribers queue prem-data dynamic-parent prem
vsr running qos#! template premium-subscribers queue prem-data bandwidth 2M
vsr running qos# template premium-subscribers queue prem-data ceiling 2G
vsr running qos# template premium-subscribers queue prem-data mark 0x0
vsr running qos# template non-premium-subscribers scheduler-interface eth1
vsr running qos#! template non-premium-subscribers queue non-prem static-parent 3
vsr running qos#! template non-premium-subscribers queue non-prem bandwidth 4M
vsr running qos# template non-premium-subscribers queue non-prem ceiling 1G
vsr running qos# template non-premium-subscribers queue non-prem-voip dynamic-parent non-prem
vsr running qos#! template non-premium-subscribers queue non-prem-voip bandwidth 3M
vsr running qos# template non-premium-subscribers queue non-prem-voip ceiling 1G
vsr running qos# template non-premium-subscribers queue non-prem-voip mark 0x1
vsr running qos# template non-premium-subscribers queue non-prem-data dynamic-parent non-prem
vsr running qos#! template non-premium-subscribers queue non-prem-data bandwidth 1M
vsr running qos# template non-premium-subscribers queue non-prem-data ceiling 1G
vsr running qos# template non-premium-subscribers queue non-prem-data mark 0x0
vsr running qos# default-template non-premium-subscribers
Once the configuration is in place, the RADIUS profile of a user should include its QoS template name; for instance, for a premium user the attribute is 6WIND-qos-template-name = premium-subscribers.
If no such attribute is received from the RADIUS server, the default template (non-premium-subscribers) is used.
Step 5: Configure the flow marking¶
In this example, the VoIP traffic has to be marked with 0x1. All other traffic has the mark 0x0 (equivalent to no mark).
The marking can be done using the IP packet filtering context.
PPP server state and KPIs¶
To display the state of a PPP server, use the following command:
dut-vm running vrf main# show state vrf main ppp-server instance ppp-server-1
instance ppp-server-1
enabled true
single-session disable
max-sessions 0
max-starting 0
log-level debug
ppp
verbose false
min-mtu 100
ipcp allow
ipv6cp deny
lcp
echo-interval 0
echo-failure 0
..
..
pppoe
enabled true
verbose true
padi-limit 0
interface ntfp2
padi-limit 5
..
ip-pool pool1
ip-pool pool2
The CLI also provides KPIs via the command show ppp-server statistics:
dut-vm> show ppp-server statistics vrf main instance ppp-server-1
Sessions counters
active : 2
starting : 0
finishing : 0
PPPoE counters
active : 2
starting : 0
PADI received : 2
PADI dropped : 0
PADO sent : 2
PADR received : 2
PADS sent : 2
Radius counters
Radius server 1
IP address : 10.100.0.1
state : active
auth sent : 88
acct-start-stop sent : 2
acct-interim-update sent : 344
See also
Please refer to PPP server command reference for the complete list of supported options.