System Administration Guide: Network Services

Using PPPoE and PPP Files to Configure an Access Server

This section contains samples of all files that are used to configure an access server. The access server is multihomed. The server is attached to three subnets: green, orange, and purple. pppoed runs as root on the server, which is the default.

PPPoE clients can access the orange and purple networks through interfaces hme0 and hme1. Clients log in to the server by using the standard UNIX login. The server authenticates the clients by using PAP.

The green network is not advertised to clients. The only way clients can access green is by directly specifying “green-net” and supplying CHAP authentication credentials. Moreover, only clients joe and mary are allowed to access the green network by using static IP addresses.


Example 22–3 /etc/ppp/pppoe File for an Access Server


service orange-net
     device hme0,hme1
     pppd "require-pap login name orange-server orange-server:"
service purple-net
     device hme0,hme1 
     pppd "require-pap login name purple-server purple-server:"
service green-net
     device hme1 
     pppd "require-chap name green-server green-server:"
     nowildcard

This sample describes the services that are available from the access server. The first service section describes the services of the orange network.


service orange-net
     device hme0,hme1
     pppd "require-pap login name orange-server orange-server:"

Clients access the orange network over interfaces hme0 and hme1. The options that are given to the pppd command force the server to require PAP credentials from potential clients. The pppd options also set the server's name to orange-server, as used in the pap-secrets file.

The service section for the purple network is identical to the service section of the orange network except for the network and server names.

The next section describes the services of the green network:


service green-net
     device hme1 
     pppd "require-chap name green-server green-server:"
     nowildcard

This section restricts client access to interface hme1. Options that are given to the pppd command force the server to require CHAP credentials from prospective clients. The pppd options also set the server name to green-server, to be used in the chap-secrets file. The nowildcard option specifies that the existence of the green network is not advertised to clients.

For the access server scenario just discussed, you might set up the following /etc/ppp/options file.


Example 22–4 /etc/ppp/options File for an Access Server


 	auth
 	proxyarp
 	nodefaultroute
 	name no-service	# don't authenticate otherwise

The option name no-service overrides the server name that is normally searched for during PAP or CHAP authentication. The server's default name is the one found by the /usr/bin/hostname command. The name option in the previous example changes the server's name to no-service. The name no-service is not likely to be found in a pap-secrets or chap-secrets file. This setting prevents a random user from running pppd and overriding the auth and name options that are set in /etc/ppp/options. pppd then fails because no secrets can be found for the client with a server name of no-service.

The access server scenario uses the following /etc/hosts file.


Example 22–5 /etc/hosts File for an Access Server


     172.16.0.1	orange-server
     172.17.0.1	purple-server
     172.18.0.1	green-server
     172.18.0.2	joes-pc
     172.18.0.3	marys-pc

Here is the /etc/ppp/pap-secrets file that is used for PAP authentication for clients that attempt to access the orange and purple networks.


Example 22–6 /etc/ppp/pap-secrets File for an Access Server


* orange-server "" 172.16.0.2/16+
* purple-server "" 172.17.0.2/16+

Here is the /etc/ppp/chap-secrets file that is used for CHAP authentication. Note that only clients joe and mary are listed in the file.


Example 22–7 /etc/ppp/chap-secrets File for an Access Server


joe green-server "joe's secret" joes-pc
mary green-server "mary's secret" marys-pc
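
The following Python script is an added example, not part of the original guide. It parses the sample files from Examples 22–3, 22–4, 22–6 and 22–7 and checks that they agree with one another. The rules it enforces are assumptions drawn from this scenario (every service needs an entry in the matching secrets file, a nowildcard service must use CHAP with no wildcard client, and the fallback name in /etc/ppp/options must match no secrets entry), and the function names are hypothetical.

```python
import shlex
# Contents of Examples 22-3, 22-4, 22-6 and 22-7, copied from this page.
PPPOE = '''service orange-net
     device hme0,hme1
     pppd "require-pap login name orange-server orange-server:"
service purple-net
     device hme0,hme1
     pppd "require-pap login name purple-server purple-server:"
service green-net
     device hme1
     pppd "require-chap name green-server green-server:"
     nowildcard
'''
OPTIONS = "auth\nproxyarp\nnodefaultroute\nname no-service\t# don't authenticate otherwise\n"
PAP = '* orange-server "" 172.16.0.2/16+\n* purple-server "" 172.17.0.2/16+\n'
CHAP = 'joe green-server "joe\'s secret" joes-pc\nmary green-server "mary\'s secret" marys-pc\n'

def tokens(text):
    """Split every non-empty line into words, honouring quotes and # comments."""
    return [t for t in (shlex.split(l, comments=True) for l in text.splitlines()) if t]

def parse_services(text):
    """Map each service name to its directives, e.g. {'device': ['hme1'], ...}."""
    services, cur = {}, None
    for t in tokens(text):
        if t[0] == "service":
            cur = services[t[1]] = {}
        elif cur is not None:
            cur[t[0]] = t[1:]
    return services

def audit(pppoe, options, pap, chap):
    """Return findings where the files break the assumed policy of this scenario."""
    secrets = {k: [r for r in tokens(v) if len(r) > 2] for k, v in (("pap", pap), ("chap", chap))}
    findings = []
    for svc, s in parse_services(pppoe).items():
        opts = " ".join(s.get("pppd", [])).split()
        auth = next((o[8:] for o in opts if o.startswith("require-")), None)
        name = opts[opts.index("name") + 1] if "name" in opts else None
        rows = [r for r in secrets.get(auth, []) if r[1] == name]
        if not rows:
            findings.append(f"{svc}: no {auth}-secrets entry for server {name}")
        if "nowildcard" in s and (auth != "chap" or any(r[0] == "*" for r in rows)):
            findings.append(f"{svc}: hidden service open to wildcard or non-CHAP clients")
    opts = tokens(options)
    fallback = next((t[1] for t in opts if t[0] == "name"), None)
    taken = {r[1] for rows in secrets.values() for r in rows}
    if ["auth"] not in opts or fallback is None or taken & {fallback, "*"}:
        findings.append("options: auth missing or fallback name matches a secrets entry")
    return findings
```

Calling audit(PPPOE, OPTIONS, PAP, CHAP) on the samples from this page returns an empty list. Read the real files from /etc/ppp into the four arguments to check a live server the same way.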