Wrong Device answering PPPoE auth request

point-to-point-protocolpppoe

The basic configuration is a CentOS machine running rp-pppoe and a separate router, both connected to a DSL modem through a simple switch. Each device has it's own separate PAP id/password.

This configuration has worked fine for years, until the linux machine was replaced and a new version of rp-pppoe installed. Now what seems to happen is that when the router tries to authenticate, the centos machine responds instead and replies it does not have the password for the provided account. Connecting the router directly to the modem to allow it to authenticate, then quickly plugging it back into the switch temporally alleviates the problem.

pppoe-server[26658]: Session 40 created for client 00:17:c5:14:0a:b9 (10.67.15.40) on eth0 using Service-Name ''
pppd[26658]: pppd 2.4.5 started by admin, uid 0
pppd[26658]: Using interface ppp1
pppd[26658]: Connect: ppp1 <--> /dev/pts/3
pppd[26658]: no PAP secret found for user@host.net
pppd[26658]: PAP peer authentication failed for user@host.net
pppd[26658]: Connection terminated.

My question is is this a problem with rp-pppoe/its configuration or an inherent problem in my setup?

Best Answer

rp-pppoe employs pppd and supplies the options provided in /etc/ppp/pppoe-server-options. From man pppd:

login

Use the system password database for authenticating the peer using PAP

[...]

require-pap

Require the peer to authenticate itself using PAP

So you should care to remove the login and require-pap directives from your config files - they are not needed to perform a dialup but result in a PPPoE "server" setup on your CentOS box.

Related Solutions

Linux – How to quickly configure a pppd server on “linux”

You need to do a lot more then just configure pppd options; you also need the PPPoE server to handle the ethernet stuff.

#!/bin/bash

killall pppoe-server

MAX=250
INTERFACE=eth0
BASE=10.10.100.1 # clients get an IP starting here.
MYIP=10.10.10.252 # set to your eth0 IP address.
/usr/sbin/pppoe-server -T 60 -I $INTERFACE -N $MAX -C CANADA -S PPPoE7 -L $MYIP -R $BASE

This is basically the script we use with our test DSLAM and PPPoE stuff in our office. We are running on Debian Lenny so it should all work similiarly on Ubuntu. You also may need an /etc/ppp/pppoe-server-options file with just the following in it:

login

You might also need to at least add the username (with a bogus password) in /etc/ppp/pap-secrets?

The man page for pppd says to use the following in the options file to disable CHAP:

disable-chap

PPPoE Connection : “Generic-Error “RP-PPPoE: Child pppd process terminated”

"peer refused to authenticate" is the explanation. It's logged by your client's pppd, so the server is the peer that it's referring to.

PPP is not inherently a client-server protocol. It's symmetric. That means each end of the connection can require the other end to authenticate itself. In ISP-like configurations, authentication goes only one way. The client proves its identity to the server, but the server doesn't prove its identity to the client.

If you want to use that type of setup, you have to give the client's pppd the noauth option, which tells it not to require authentication from the server. Adding it to /etc/ppp/peers/myisp should do it.

If you want to authenticate both ways, that should be doable too.

update

Since you've posted the latest logs, the new problem is the login option. login means that the client's PAP password is expected to match the user's password in the system user database (i.e. /etc/passwd and friends). If you're trying to define the password exclusively through pap-secrets, remove the login option.

Best Answer

Related Solutions

Linux – How to quickly configure a pppd server on “linux”

PPPoE Connection : “Generic-Error “RP-PPPoE: Child pppd process terminated”

update

Related Topic