diff --git a/PPPOE_management.md b/PPPOE_management.md index 9781b81..966bb13 100644 --- a/PPPOE_management.md +++ b/PPPOE_management.md @@ -229,3 +229,67 @@ bond0.923 0 active 1 ``` So for example 3 means bit 0 and bit 1 is set - so service-name policy is service-blank+service-name-by-list. + +### Troubleshooting radius packets by tcpdump + +Usually when user try to authenticate, radius server receives Access-Request packet from pppoe. If user is authenticated, radius server sends Access-Accept packet. If user is not authenticated, radius server sends Access-Reject packet. If radius server is not responding, it means that there is no connection between radius server and router or secret is invalid.
+To check if PPPoE send requests radius server is responding, you can use tcpdump on PPPoE: +``` +tcpdump -ni bond0 port 1812 and host 10.0.0.1 -vvv +tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 262144 bytes +22:03:44.241046 IP (tos 0x0, ttl 64, id 29938, offset 0, flags [DF], proto UDP (17), length 145) + 10.168.100.11.40469 > 10.0.0.1.1812: [bad udp cksum 0xdeeb -> 0xd6b4!] RADIUS, length: 117 + Access-Request (1), id: 0x01, Authenticator: 1bcd5d43815f3215390182adc83dab1b + User-Name Attribute (1), length: 7, Value: username + 0x0000: 7377 3130 31 + NAS-Identifier Attribute (32), length: 8, Value: bras01 + 0x0000: 6272 6173 3031 + NAS-IP-Address Attribute (4), length: 6, Value: 10.1.100.11 + 0x0000: 0aa8 640b + NAS-Port-Type Attribute (61), length: 6, Value: Virtual + 0x0000: 0000 0005 + Service-Type Attribute (6), length: 6, Value: Framed + 0x0000: 0000 0002 + Framed-Protocol Attribute (7), length: 6, Value: PPP + 0x0000: 0000 0001 + Calling-Station-Id Attribute (31), length: 19, Value: 04:5e:a4:f5:xx:xx + 0x0000: << hidden >> + 0x0010: XX + Called-Station-Id Attribute (30), length: 2, Value: + CHAP-Challenge Attribute (60), length: 18, Value: ..]C._2.9....=.. + 0x0000: 1bcd 5d43 815f 3215 3901 82ad c83d ab1b + CHAP-Password Attribute (3), length: 19, Value: + 0x0000: 0170 22f4 3826 6e16 54b6 0f4c 901e 1e00 + 0x0010: c5 +22:03:44.243758 IP (tos 0x0, ttl 64, id 34019, offset 0, flags [DF], proto UDP (17), length 187) + 10.168.100.11.53632 > 10.168.101.2.1812: [bad udp cksum 0xdf15 -> 0x89b4!] 
RADIUS, length: 159 + Access-Request (1), id: 0x01, Authenticator: 2b7da77c13ff40bff0073397f6973096 + User-Name Attribute (1), length: 11, Value: jadnet392 + 0x0000: 6a61 646e 6574 3339 32 + NAS-Identifier Attribute (32), length: 8, Value: bras01 + 0x0000: 6272 6173 3031 + NAS-IP-Address Attribute (4), length: 6, Value: 10.1.100.11 + 0x0000: 0aa8 640b + NAS-Port-Type Attribute (61), length: 6, Value: Virtual + 0x0000: 0000 0005 + Service-Type Attribute (6), length: 6, Value: Framed + 0x0000: 0000 0002 + Framed-Protocol Attribute (7), length: 6, Value: PPP + 0x0000: 0000 0001 + Calling-Station-Id Attribute (31), length: 19, Value: c4:ad:34:5f:xx:xx + 0x0000: << hidden >> + 0x0010: XX + Called-Station-Id Attribute (30), length: 2, Value: + Vendor-Specific Attribute (26), length: 24, Value: Vendor: The Broadband Forum (3561) + Vendor Attribute: 1, Length: 16, Value: CSS-ABC eth 0/19 + 0x0000: 0000 0de9 0112 4353 532d 4a61 6420 6574 + 0x0010: 6820 302f 3139 + Vendor-Specific Attribute (26), length: 14, Value: Vendor: The Broadband Forum (3561) + Vendor Attribute: 2, Length: 6, Value: Port20 + 0x0000: 0000 0de9 0208 506f 7274 3230 + CHAP-Challenge Attribute (60), length: 18, Value: +}.|..@...3...0. + 0x0000: 2b7d a77c 13ff 40bf f007 3397 f697 3096 + CHAP-Password Attribute (3), length: 19, Value: + 0x0000: 011c f55c 5141 d61d f602 f854 f32b 6455 + 0x0010: da +```
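Review bot: the sample capture in the added tcpdump block is only partly redacted, and the hex lines still carry the original values. Under the first User-Name, "Value: username" sits above `7377 3130 31`, which decodes to "sw101" (and length 7 fits a 5-character name, not "username"). The NAS-IP-Address hex `0aa8 640b` is 10.168.100.11 while the printed value says 10.1.100.11. The Broadband Forum attribute printed as "CSS-ABC eth 0/19" has hex that decodes to "CSS-Jad eth 0/19". The second request shows the User-Name "jadnet392" unredacted in both text and hex. Both packets also publish the full CHAP-Challenge and CHAP-Password bytes; the CHAP identifier, challenge and response together are enough to test password guesses offline, so they should not appear in public documentation if they came from live subscribers. I would replace the whole capture with constructed values that are consistent between the Value and hex lines, or drop the hex lines and mask the CHAP attributes. Two smaller points: the command filters on `host 10.0.0.1`, but the second packet goes to 10.168.101.2 and would not match that filter, so the output does not correspond to the command shown; and the sentence "To check if PPPoE send requests radius server is responding" is missing a conjunction (suggest "sends requests and the radius server is responding"). It would also help to note that the block shows only Access-Request packets, since the preceding paragraph tells the reader to look for Access-Accept or Access-Reject replies.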