From ImageStream Router Documentation
(→Advanced Configuration Example)
|Line 110:||Line 110:|
Latest revision as of 15:39, 27 January 2012
This sample configuration shows an ImageStream router configured as a PPPoE Server connected to a Ethernet segment with PPPoE Clients.
|- RADIUS Server IP: 192.168.1.200 | ====ETHERNET===================== 192.168.1.0/24 === | | LAN IP: 192.168.1.100 +-------+--------+ | | | Router A | | Ethernet1 | +-------+--------+ | ====ETHERNET===================== | | | PPPoE Clients
Be sure to have three separate IP subnets, one for the WAN network and two for the Ethernets connected to the routers. Each WAN port connected to the point-to-point WAN must have it's own IP address from the same IP network. Since they are on the same IP network, they will have the same netmask.
Configuring The WAN Ports
In this example, we are going to assume the following: Router A has an Ethernet IP address of 192.168.1.100 with a netmask of 255.255.255.0 The RADIUS authentication server has an IP address of 192.168.1.200 Router A has Ethernet1 connected to a segment that is connected to PPPoE clients.
Each PPPoE server instance is assigned a virtual template. You may define as many virtual templates as is necessary for each configuration scenario for your customers. The command to assign a virtual template is added to each Ethernet interface that needs to serve PPPoE clients. The command follows the format "protocol pppoe virtual-template XX" where XX corresponds the virtual template defined below.
The virtual template includes 4 key pieces of information: the IP address used by the router; the IP address pool for the user; the RADIUS server IP address, port and key; and the valid authentication types for the RADIUS server. The IP address may be set using a normal IP address command, but the most common configuration is to run an unnumbered configuration using a user-defined Loopback device as in the example below. In case the RADIUS server does not assign an IP address to the authenticating client, the router must have a default IP address pool to use for dynamic address assignment. The command follows the format "peer default ip pool XXXX" where XXXX refers to the pool name defined below. The name of the pool is arbitrary and may contain any combination of numbers or letters.
Each virtual template must also point to at least 1 RADIUS server for authentication using the "radius-server" command. The command follows the format "radius-server host a.b.c.d key XXXX" where a.b.c.d is the IP address of the RADIUS server and XXXX is the key used with authentication requests. You must specify at least one and as many RADIUS servers as necessary by adding additional commands. The configuration for Virtual-Template1 below includes 2 RADIUS servers. If the RADIUS servers do not use the standard ports, you may manually specify the accounting port and authentication port using the format in the example below. Each template must also contain a "ppp authentication" command. This command lists the type of authentication schemes supported by the RADIUS server(s). The authentication types must match the settings on your RADIUS server. Many RADIUS servers do not support any authentication type other than PAP. Specifying unsupported authentication schemes may cause problems with user authentication requests.
The example below also includes an "ip local pool" command that specifies local address ranges to use for dynamic address assignment. This pool is used only when the RADIUS server does not assign an IP address in its authentication message. The command follows the format "ip local pool NAME STARTING_IP ENDING_IP" where NAME is the user-defined name of the pool used in the virtual template reference, STARTING_IP is the first IP address in the pool and ENDING_IP is the last IP address in the pool.
While it is possible to assign DNS servers to Microsoft clients and other RADIUS clients that support the special Microsoft extensions to RADIUS, some configurations may require the router to assign DNS servers directly. The example below includes the optional "ip name-server" command that follows the format "ip name-server SERVER1 SERVER2" where SERVER1 is the primary DNS server and SERVER2 is the secondary DNS server. This command is optional and may not be necessary in all configurations.
! interface Loopback0 ip address 192.168.54.1 255.255.255.255 ! interface Ethernet0 ip address 192.168.1.100 255.255.255.0 ! interface Ethernet1 protocol pppoe virtual-template 1 ! interface Virtual-Template1 ip unnumbered Loopback0 peer default ip pool pool1 radius-server host 192.168.1.200 key password ppp authentication pap chap ms-chap ! ip local pool pool1 126.96.36.199 188.8.131.52 ip name-server 184.108.40.206 220.127.116.11 ! end
The router will automatically handle setting up a PPP session for each successfully authenticated user. The PPP user sessions will appear in the interface statistics ("stats") output when the sessions are active.
Advanced Configuration Example
This example shows a router with three Vlan interfaces serving up two different PPPoE virtual templates. In addition this configuration allows non-pppoe devices to connect Ethernet1.200(vlan id 200) using static ip addressing in the 18.104.22.168/24 netblock.
! interface Loopback0 ip address 192.168.54.1 255.255.255.255 ! interface Loopback1 ip address 172.16.70.1 255.255.255.255 ! interface Ethernet0 ip address 192.168.1.100 255.255.255.0 ! interface Ethernet1 ! interface Ethernet1.100 protocol pppoe virtual-template 1 ! interface Ethernet1.101 protocol pppoe virtual-template 1 ! interface Ethernet1.200 ip address 22.214.171.124 255.255.255.0 protocol pppoe virtual-template 2 ! interface Virtual-Template1 ip unnumbered Loopback0 peer default ip pool pool1 radius-server host 192.168.1.200 key password ppp authentication pap chap ms-chap ! interface Virtual-Template2 ip unnumbered Loopback1 peer default ip pool pool2 radius-server host 126.96.36.199 acct-port 1645 auth-port 1646 key itsasecret ppp authentication pap ! ip local pool pool1 188.8.131.52 184.108.40.206 ip local pool pool1 10.0.0.10 10.255.255.255 ip local pool pool2 192.168.199.1 192.168.199.3 ip name-server 220.127.116.11 18.104.22.168 ! end