Zyxel DSLAM on pfSense PPPoE server
-
Hi!
Got a bunch of Zyxel DSLAMs that I'd like to connect to a pfSense PPPoE server that authenticates via freeradius2 on a MySQL backend. Radtest and others confirm our particular user/pass authenticating fine against the RADIUS. But a DSL modem connected to the DSLAM won't authenticate. I suspect PAP is in use; the RADIUS DB stores clear-text passwords. Not very hip, I know - but that's what I have to work with.
Logs indicate the PPP login request makes it to the RADIUS, but the clear text pwd auth fails there. Supposedly because the passwords don't match, and the session is denied. Enabling "log bad logins" gives strange strings where the password is supposed to show up in the radius logs.
I found http://forum.pfsense.org/index.php/topic,56497.0.html and had a look at /var/etc/pppoeX-vpn/mpd.conf.
Now I'm confused! From said (machine generated) file:
    set link no pap chap
    set link enable pap
Checking the dox at http://mpd.sourceforge.net/doc5/mpd20.html#20 left me none the wiser.
The enable and disable commands determine whether we want the corresponding option. The accept and deny commands determine whether we will allow the peer to request the corresponding option.
Note that when talking about the authentication options PAP and CHAP, when you enable an option you're saying you are going to require a login and password from the peer. When you accept an option you're saying you will allow the peer to require a login and password from us.
The yes command is the same as enable and accept. The no command is the same as disable and deny.
There's set link no pap chap. From the above info I infer that this statement will disable (we don't want) and deny (we don't allow) both pap and chap. But the next statement set link enable pap means we're going to require PAP authentication.
Now what's the resulting mode of operation? Do later statements in the config perhaps override earlier ones?
Well - if so, then this seems to contradict itself, as we allow neither PAP nor CHAP authentication, but require a PAP login from the peer next. Not very useful, it seems.
So, two questions:
- What's the correct mpd.conf setting for enabling PAP? And if it's set link enable pap, this appears to request PAP auth from the client. But if so, why does PAP not work?
- Which files need to be hacked to add a checkbox/dropdown for pap/auth settings? One file is the corresponding .php - but what is the other?
-
I got it to work :D
As it turns out, there was no problem with PAP. So the information in the thread linked above is probably outdated and no longer true - it certainly had me confused. The actual problem was much simpler: the shared secrets on the PPPoE server and FreeRADIUS didn't match. Other than that, PAP works out of the box.