EdgeRouter - Configuring the PPPoE RADIUS Disconnect daemon

The PPPoE RADIUS Disconnect daemon is included in the 1.4 package; follow these instructions to complete the setup.

====================
UPDATE: A wizard has been created and can be added to the "Feature Wizard" section of the ERL for GUI configuration. The .tar file has been added to the bottom of this article. To add the wizard, click the plus (+) symbol next to "Feature Wizard", upload the tar file, and give the wizard a name of your choosing, such as "PPPoE RADIUS Disconnect".
====================

This daemon listens on UDP port 3779 (note: not the RFC 5176 default of 3799) for RADIUS Disconnect-Request packets. It verifies that the request's source IP address is that of the RADIUS server configured for the PPPoE server, that the request is authenticated with the correct RADIUS secret, and that the request carries a User-Name attribute. If all three checks pass, the command "clear pppoe-server user [username]" is run, which disconnects ALL PPPoE sessions registered under that username. Because the source address of a UDP packet can be spoofed, the secret check is what actually authenticates the sender; use a strong, unique RADIUS secret and keep port 3779 reachable only from the RADIUS server.

** If you are using RADIUS MANAGER 4.1, set the NAS type to Chillispot and disconnects will function as expected.

The daemon does extensive logging to /var/log/pppoe-radius-disconnect.log

Step 1:

Set the correct EdgeMAX (NAS) IP address in the hosts file. Use the override-hostname-ip command to set the EdgeMAX's own IP address to the address the RADIUS server uses when talking to the EdgeMAX.

Example network: RADIUS IP is 192.168.100.253 and the EdgeMAX (NAS) internal IP is 192.168.100.254

Use the following command:

configure
set system ip override-hostname-ip 192.168.100.254
commit
save

This step is required so that the RADIUS server knows which EdgeMAX (PPPoE server / NAS) a user session is connected to, and therefore where to send the Disconnect-Request.

Step 2:

sudo cp /opt/vyatta/etc/pppoe-server/start-pppoe-radius-disconnect /config/scripts/post-config.d/

Step 3:

reboot

Once the reboot is complete, verify that the daemon is running with the following command (you should see the "USING RADIUS ATTRIBUTES" block the daemon writes at startup):

tail /var/log/pppoe-radius-disconnect.log

Testing the RADIUS Disconnect daemon

To test the RADIUS Disconnect daemon, SSH into your RADIUS server and run the following command (radclient is part of the FreeRADIUS client utilities), replacing XXX.XXX.XXX.XXX with the EdgeMAX (NAS) IP address:

echo "User-Name=[username]" | radclient -x XXX.XXX.XXX.XXX:3779 disconnect [yourradiussecret]
EXAMPLE:
echo "User-Name=ajbtv2" | radclient -x 192.168.1.254:3779 disconnect testing123

You should then see the following returned in the CLI.
Remember: a Disconnect-ACK only confirms that the daemon received and accepted the request; it does not confirm that the user was found and successfully disconnected.

Sending Disconnect-Request of id XXX to XXX.XXX.XXX.XXX port 3779
 User-Name = "[username]"
rad_recv: Disconnect-ACK packet from host XXX.XXX.XXX.XXX port 3779, id=XXX, length=26
 Acct-Terminate-Cause = Admin-Reset

If you do not receive the above Disconnect-ACK message, you can review the log messages on the EdgeMAX at /var/log/pppoe-radius-disconnect.log

Check that the requesting IP address is the RADIUS server address listed in your PPPoE server configuration and that the secret matches. You can see which server address and secret the Disconnect daemon is using by reading the log back to the point of the last restart.
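The three checks described above and the radclient exchange, carried through as an added example that is not the daemon's own code (the daemon is Perl using Net::Radius) and not radclient's: the client side builds a Disconnect-Request the way RFC 5176 specifies, and the NAS side applies the source-IP, secret and User-Name checks and, on success, returns a Disconnect-ACK carrying Acct-Terminate-Cause = Admin-Reset (6). The result strings are the ones the daemon writes to its log; the addresses, secret and username are the ones used in this article; the order of the checks and the tolerant handling of non-RADIUS input are assumptions about the daemon's behaviour.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 5176 / RFC 2866.
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
ATTR_USER_NAME = 1
ATTR_ACCT_TERMINATE_CAUSE = 49
ADMIN_RESET = 6  # Acct-Terminate-Cause value the daemon returns


def encode_attrs(attrs):
    """Encode [(type, value)] as RADIUS TLVs; ints become 4-byte big-endian integers."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        elif isinstance(v, str):
            v = v.encode()
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Decode TLVs, stopping at the first malformed one (garbage yields no attributes)."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_disconnect_request(identifier, attrs, secret):
    """Client side (what radclient sends).
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_disconnect_ack(request, secret):
    """NAS side reply. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs([(ATTR_ACCT_TERMINATE_CAUSE, ADMIN_RESET)])
    header = struct.pack("!BBH", DISCONNECT_ACK, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def response_is_valid(response, request, secret):
    """What the client checks before trusting a Disconnect-ACK: the response authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def handle_request(packet, src_ip, radius_ip, secret):
    """Apply the daemon's checks (assumed order: User-Name, source IP/code, secret).
    Returns (result string as logged, username or None, Disconnect-ACK bytes or None)."""
    # Honour the RADIUS Length field when it is sane; otherwise treat the datagram as-is.
    if len(packet) >= 4:
        length = struct.unpack("!H", packet[2:4])[0]
        if 20 <= length <= len(packet):
            packet = packet[:length]
    attrs = decode_attrs(packet[20:])
    username = next((v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_USER_NAME), None)
    if username is None:
        return "NO ID FOUND", None, None
    if src_ip != radius_ip or packet[0] != DISCONNECT_REQUEST:
        return "INCORRECT NAS IP OR NOT DISCONNECT REQUEST", username, None
    # The "password" check: recompute the Request Authenticator with our secret, compare in constant time.
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "FAILED NAS PASSWORD VERIFICATION", username, None
    # Here the real daemon runs: clear pppoe-server user <username>
    return "COMPLETE", username, build_disconnect_ack(packet, secret)


if __name__ == "__main__":
    secret = b"testing123"
    req = build_disconnect_request(49, [(ATTR_USER_NAME, "ajbtv2")], secret)
    result, user, ack = handle_request(req, "192.168.1.253", "192.168.1.253", secret)
    print(result, user, len(ack), response_is_valid(ack, req, secret))
```

The 26-byte ACK is the "length=26" radclient reports above (20-byte header plus the 6-byte Acct-Terminate-Cause attribute). A wrong secret is detected purely from the authenticator, and the daemon sends nothing back in that case, which is why a failed test shows no Disconnect-ACK on the client even though the log on the EdgeMAX records the attempt.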

READING THE DISCONNECT DAEMON LOG


The following describes what the Disconnect daemon logs:

On (re)start, the daemon reads the RADIUS server IP address and secret from the PPPoE server configuration; these are logged and then used to verify incoming Disconnect-Requests. Note that the secret is written to the log in clear text, so treat the log file as sensitive.

===========USING RADIUS ATTRIBUTES============
Radius Server: 192.168.1.253
Radius Secret: testing123

When a new request arrives on port 3779, the connection is logged and the decoded RADIUS packet is displayed. If the request passes verification, a response is required, and the decoded response is logged as well.

============START NEW REQUEST============
*** DUMP OF RADIUS PACKET (Net::Radius::Packet=HASH(0xb80268))
Code: Disconnect-Request
Identifier: 49
Authentic: \x{ef}\x{a5}\x{fb}USn\x{ac}\x{ed}o@\x{b3}\x{a7}\x{fc}\x{d8}0
Attributes:
 User-Name: [userid]
*** END DUMP
============SENDING RESPONSE============
*** DUMP OF RADIUS PACKET (Net::Radius::Packet=HASH(0xb803c8))
Code: Disconnect-ACK
Identifier: 49
Authentic: \x{ef}\x{a5}\x{fb}USn\x{ac}\x{ed}o@\x{b3}\x{a7}\x{fc}\x{d8}0
Attributes:
 Acct-Terminate-Cause: 6
*** END DUMP

If no user-id (User-Name attribute) is found in the request, the log will state *******NO ID FOUND*****, followed by the date/time the request was sent, the IP address and port of the requestor, and finally the complete request as it was received.

============RESULTS============
***********NO ID FOUND************ Tue Nov 26 18:17:19 2013 : (192.168.1.253 , 51672) : THIS IS A NONRAD PACKET TEST MESSAGE ============END REQUEST============

If the RADIUS request does contain a user-id, the following is displayed:
the date/time of the request, the IP address and port of the requestor, the RADIUS request code, the user-id, and the result.

============RESULTS============
Tue Nov 26 18:17:19 2013 : (192.168.1.253 , 51672) Disconnect-Request : [user-id] : COMPLETE
============END REQUEST============

The result is determined as follows:
If the request's source IP address is not that of the RADIUS server, or the RADIUS code is not "Disconnect-Request", the result is "INCORRECT NAS IP OR NOT DISCONNECT REQUEST".

If the RADIUS secret does not match, the result is "FAILED NAS PASSWORD VERIFICATION".
NOTE: If you change your RADIUS secret or server IP address, you must restart the EdgeMAX for the change to take effect in the Disconnect daemon, because the daemon reads these values only at startup. More advanced users can instead kill the pppoe-radius-disconnect daemon and restart it.

If the request is successfully verified, the result is "COMPLETE". COMPLETE only means that the request carried the proper secret, came from the correct IP address, and contained a user-id, so "clear pppoe-server user [userid]" was run. It does not confirm that the userid was found and successfully disconnected; to verify that, check your list of connected users and the session times.
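Reading the log by hand is fine for one test, but the two questions above (which server address and secret is the daemon actually using since its last restart, and which requests failed and from where) are easier to answer with a small parser. The following is an added example, not part of the article or the daemon; the log sample is constructed from the line formats shown above, and the assumption that the last "USING RADIUS ATTRIBUTES" banner marks the most recent restart follows from the description of what the daemon logs at startup.

```python
import re
from collections import Counter

# Constructed sample of /var/log/pppoe-radius-disconnect.log, built from the
# line formats shown in this article (two restarts, one secret change).
SAMPLE_LOG = """\
===========USING RADIUS ATTRIBUTES============
Radius Server: 192.168.1.253
Radius Secret: oldsecret
============RESULTS============
Tue Nov 26 17:55:02 2013 : (192.168.1.253 , 51660) Disconnect-Request : ajbtv2 : COMPLETE
============END REQUEST============
===========USING RADIUS ATTRIBUTES============
Radius Server: 192.168.1.253
Radius Secret: testing123
============RESULTS============
Tue Nov 26 18:17:19 2013 : (192.168.1.253 , 51672) Disconnect-Request : ajbtv2 : COMPLETE
============END REQUEST============
============RESULTS============
***********NO ID FOUND************ Tue Nov 26 18:17:19 2013 : (192.168.1.253 , 51672) : THIS IS A NONRAD PACKET TEST MESSAGE ============END REQUEST============
============RESULTS============
Tue Nov 26 18:20:03 2013 : (10.9.8.7 , 40001) Disconnect-Request : ajbtv2 : INCORRECT NAS IP OR NOT DISCONNECT REQUEST
============END REQUEST============
============RESULTS============
Tue Nov 26 18:21:44 2013 : (192.168.1.253 , 51673) Disconnect-Request : ajbtv2 : FAILED NAS PASSWORD VERIFICATION
============END REQUEST============
"""

TS = r"(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4})"
SRC = r"\((?P<ip>[\d.]+) , (?P<port>\d+)\)"
# "<date> : (<ip> , <port>) <code> : <user> : <result>"
RESULT_RE = re.compile(rf"^{TS} : {SRC} (?P<code>\S+) : (?P<user>[^:]+?) : (?P<result>.+)$")
# "*****NO ID FOUND***** <date> : (<ip> , <port>) : <raw request>"
NO_ID_RE = re.compile(rf"^\*+NO ID FOUND\*+ {TS} : {SRC} :")


def current_daemon_config(log):
    """Server IP and secret from the most recent USING RADIUS ATTRIBUTES block,
    i.e. what the daemon has used since its last restart."""
    server = secret = None
    for line in log.splitlines():
        if line.startswith("Radius Server: "):
            server = line.split(": ", 1)[1].strip()
        elif line.startswith("Radius Secret: "):
            secret = line.split(": ", 1)[1].strip()
    return server, secret


def parse_results(log):
    """Turn every RESULTS line into a dict; NO ID FOUND lines get result='NO ID FOUND'."""
    events = []
    for line in log.splitlines():
        m = RESULT_RE.match(line)
        if m:
            events.append(dict(m.groupdict(), port=int(m["port"])))
            continue
        m = NO_ID_RE.match(line)
        if m:
            events.append(dict(ts=m["ts"], ip=m["ip"], port=int(m["port"]),
                               code=None, user=None, result="NO ID FOUND"))
    return events


def since_last_restart(log):
    """Only the events logged after the daemon last (re)loaded its configuration."""
    idx = log.rfind("USING RADIUS ATTRIBUTES")
    return parse_results(log[idx:] if idx >= 0 else log)


def triage(log):
    """Count every non-COMPLETE result per (source IP, result) since the last restart.
    A FAILED NAS PASSWORD VERIFICATION from the configured server means the secrets
    differ; anything from another address is an unexpected sender."""
    server, _ = current_daemon_config(log)
    counts = Counter()
    for e in since_last_restart(log):
        if e["result"] != "COMPLETE":
            counts[(e["ip"], e["result"])] += 1
    return server, counts


if __name__ == "__main__":
    server, counts = triage(SAMPLE_LOG)
    print("daemon is verifying against", server)
    for (ip, result), n in sorted(counts.items()):
        print(f"{n:3d}  {ip:16s} {result}")
```

Run it against the real file with `python3 triage.py < /var/log/pppoe-radius-disconnect.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; the counts from any address other than the configured server are the ones worth following up, since the daemon should only ever hear from the RADIUS server.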

Written by ajbtv2

 