Check for pppoe servers

Denys Fedoryshchenko
2023-05-13 22:29:29 +03:00
parent 7827ed22ec
commit ed5ba02743


@@ -172,64 +172,6 @@ Most important message here is:
``` ```
As you can see, CHAP authentication failed. This is because of wrong password, MAC mismatch, or duplicate session (check billing logs). As you can see, CHAP authentication failed. This is because of wrong password, MAC mismatch, or duplicate session (check billing logs).
### Troubleshooting examples
Verify if PPPoE handshake is working:
The only fact is important is to trace sequence for specific user MAC if he sends correct PADI and receives correct PADO, and then sends PADR. For example:
```
tcpdump -ni bond0.2529 -vvv -e pppoed and ether host 6c:3b:6b:81:XX:XX
21:35:47.131362 6c:3b:6b:81:XX:XX (oui Unknown) > Broadcast, ethertype PPPoE D (0x8863), length 60: PPPoE PADI [Host-Uniq 0x500FF5C517B8000005020600] [Service-Name "pr"]
21:35:47.131408 90:e2:ba:ae:XX:XX (oui Unknown) > 6c:3b:6b:81:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 80: PPPoE PADO [AC-Name "united"] [Service-Name "pr"] [AC-Cookie 0x6F71CC054D13DCE911CC1341F1FBDCE7A16830B204F2BEF7] [Host-Uniq 0x500FF5C517B8000005020600]
21:35:47.143621 6c:3b:6b:81:XX:XX (oui Unknown) > 90:e2:ba:ae:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 80: PPPoE PADR [Host-Uniq 0x500FF5C517B8000005020600] [AC-Cookie 0x6F71CC054D13DCE911CC1341F1FBDCE7A16830B204F2BEF7] [AC-Name "united"] [Service-Name "pr"]
21:35:47.143936 90:e2:ba:ae:XX:XX (oui Unknown) > 6c:3b:6b:81:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 52: PPPoE PADS [ses 0x8a48] [AC-Name "united"] [Service-Name "pr"] [Host-Uniq 0x500FF5C517B8000005020600]
```
Here we see complete handshake, PADI, PADO, PADR, PADS. If you see this sequence - PPPoE handshake is working.
### Troubleshooting pppoe packets by tcpdump
Monitor what PPPoE answer to client PADI:
```
tcpdump -nei bond0.372|grep PADO
```
Monitor traffic from specific mac
```
tcpdump -nei bond0.372 ether host 00:00:00:00:00:00
```
### Decoding values in accel-cmd pppoe interface show
```
interface: connections: state: service-name policy:
-----------------------------------------------------------
bond0.2622 0 active 3
bond0.2529 2251 active 3
bond0.368 530 active 3
bond0.923 0 active 1
```
* service-name policy is bitmask value - 1 means service-blank, 3 means service-blank+service-name-by-list,2 means service-name-by-list (only)
```
/* Answer requests with empty (0 size) service name */
#define PPPOE_FLAG_ANSWER_BLANK (1 << 0)
/* Answer to assigned service names */
#define PPPOE_FLAG_ANSWER_LIST (1 << 1)
/* Answer to ANY service name */
#define PPPOE_FLAG_ANSWER_ANY (1 << 2)
/* Answer to global service name list */
#define PPPOE_FLAG_ANSWER_GLOBAL (1 << 3)
```
So for example 3 means bit 0 and bit 1 is set - so service-name policy is service-blank+service-name-by-list.
### Troubleshooting radius packets by tcpdump ### Troubleshooting radius packets by tcpdump
Usually when user try to authenticate, radius server receives Access-Request packet from pppoe. If user is authenticated, radius server sends Access-Accept packet. If user is not authenticated, radius server sends Access-Reject packet. If radius server is not responding, it means that there is no connection between radius server and router or secret is invalid.<br> Usually when user try to authenticate, radius server receives Access-Request packet from pppoe. If user is authenticated, radius server sends Access-Accept packet. If user is not authenticated, radius server sends Access-Reject packet. If radius server is not responding, it means that there is no connection between radius server and router or secret is invalid.<br>
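Review bot: The "Troubleshooting pppoe packets by tcpdump" subsection removed in this hunk (the `tcpdump -nei bond0.372|grep PADO` and `tcpdump -nei bond0.372 ether host 00:00:00:00:00:00` commands) does not reappear in the later hunk, which only brings back the handshake example and the `accel-cmd pppoe interface show` decoding. The commit message mentions only the check for PPPoE servers, so this looks like an unintended loss during the move. Either re-add the two commands in the relocated block or state the removal in the commit message. The PADO filter is also the quickest way to see which server answers a client's PADI, which fits next to the new section on other PPPoE servers.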
@@ -293,3 +235,69 @@ tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 262144
0x0000: 011c f55c 5141 d61d f602 f854 f32b 6455 0x0000: 011c f55c 5141 d61d f602 f854 f32b 6455
0x0010: da 0x0010: da
``` ```
### Troubleshooting PPPoE session example
Verify if PPPoE handshake is working:
The only fact is important is to trace sequence for specific user MAC if he sends correct PADI and receives correct PADO, and then sends PADR. For example:
```
tcpdump -ni bond0.2529 -vvv -e pppoed and ether host 6c:3b:6b:81:XX:XX
21:35:47.131362 6c:3b:6b:81:XX:XX (oui Unknown) > Broadcast, ethertype PPPoE D (0x8863), length 60: PPPoE PADI [Host-Uniq 0x500FF5C517B8000005020600] [Service-Name "pr"]
21:35:47.131408 90:e2:ba:ae:XX:XX (oui Unknown) > 6c:3b:6b:81:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 80: PPPoE PADO [AC-Name "united"] [Service-Name "pr"] [AC-Cookie 0x6F71CC054D13DCE911CC1341F1FBDCE7A16830B204F2BEF7] [Host-Uniq 0x500FF5C517B8000005020600]
21:35:47.143621 6c:3b:6b:81:XX:XX (oui Unknown) > 90:e2:ba:ae:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 80: PPPoE PADR [Host-Uniq 0x500FF5C517B8000005020600] [AC-Cookie 0x6F71CC054D13DCE911CC1341F1FBDCE7A16830B204F2BEF7] [AC-Name "united"] [Service-Name "pr"]
21:35:47.143936 90:e2:ba:ae:XX:XX (oui Unknown) > 6c:3b:6b:81:XX:XX (oui Unknown), ethertype PPPoE D (0x8863), length 52: PPPoE PADS [ses 0x8a48] [AC-Name "united"] [Service-Name "pr"] [Host-Uniq 0x500FF5C517B8000005020600]
```
Here we see complete handshake, PADI, PADO, PADR, PADS. If you see this sequence - PPPoE handshake is working.
### Decoding values in accel-cmd pppoe interface show
```
interface: connections: state: service-name policy:
-----------------------------------------------------------
bond0.2622 0 active 3
bond0.2529 2251 active 3
bond0.368 530 active 3
bond0.923 0 active 1
```
* service-name policy is bitmask value - 1 means service-blank, 3 means service-blank+service-name-by-list,2 means service-name-by-list (only)
```
/* Answer requests with empty (0 size) service name */
#define PPPOE_FLAG_ANSWER_BLANK (1 << 0)
/* Answer to assigned service names */
#define PPPOE_FLAG_ANSWER_LIST (1 << 1)
/* Answer to ANY service name */
#define PPPOE_FLAG_ANSWER_ANY (1 << 2)
/* Answer to global service name list */
#define PPPOE_FLAG_ANSWER_GLOBAL (1 << 3)
```
So for example 3 means bit 0 and bit 1 is set - so service-name policy is service-blank+service-name-by-list.
### Verify for other PPPoE servers in the network
```
pppoe01 ~ # pppoe-discovery -I bond0.2529
Detected PPPoE server at interface bond0.2529
Detected PPPoE server at interface bond0.2529
Access-Concentrator: MikroTik
Detected PPPoE server at interface bond0.2529
Service-Name: AL
--------------------------------------------------
AC-Ethernet-Address: 74:4d:28:c2:XX:XX
Detected PPPoE server at interface bond0.2529
Detected PPPoE server at interface bond0.2529
Access-Concentrator: ahZZZ ZZZ
Detected PPPoE server at interface bond0.2529
Service-Name: ahm
--------------------------------------------------
AC-Ethernet-Address: 6c:3b:6b:67:XX:XX
Detected PPPoE server at interface bond0.2529
Detected PPPoE server at interface bond0.2529
Access-Concentrator: diab-AHHDJFDF
Detected PPPoE server at interface bond0.2529
Service-Name: TR
...
```
As you can see there are 3 other PPPoE servers in the network, and they are all detected by pppoe-discovery. They might cause conflicts during PPPoE session establishment, so it is recommended to find and remove them.
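Review bot: The new "Verify for other PPPoE servers in the network" section says to "find and remove them" but gives no way to tell a foreign concentrator from your own. Add a sentence telling the reader to compare each Access-Concentrator and AC-Ethernet-Address against the expected values, such as AC-Name "united" and 90:e2:ba:ae:XX:XX from the handshake example above. The pasted `pppoe-discovery` output also repeats "Detected PPPoE server at interface bond0.2529" between every field, so each record is split across a separator line, and it ends in "...", which makes the count of 3 hard to confirm from the listing. Trim the output to one block per server (Access-Concentrator, Service-Name, AC-Ethernet-Address). It would also help to say that a client can complete the handshake with whichever server's PADO it accepts, which is why unknown concentrators on the subscriber VLAN need to be traced by MAC. Minor: the heading reads better as "Check for other PPPoE servers in the network", and in the moved bullet "service-name-by-list,2 means" needs a space after the comma.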