After the PPPoE session between the user and the access server is established, a PPP session can be established over it. A PPP session is established in three phases: LCP negotiation, authentication, and IPCP negotiation.
The LCP negotiation phase is the same for PPP termination and PPP resumption; the authentication and IPCP negotiation phases differ between the two.
LCP negotiation
LCP negotiation mainly settles some link features and the authentication method. After LCP negotiation succeeds, the user initiates an authentication request to the access server using the negotiated authentication method; user authentication uses PAP or CHAP.
Authentication and IP address allocation in PPP termination
PAP is a two-way handshake and the password is sent in plain text. The PAP authentication process is as follows: the dial-up user sends the user name and password to the access server; the access server forwards the user name and password to the RADIUS server over the RADIUS protocol, which checks whether the user exists and whether the password is correct, and then returns the corresponding response.
CHAP is a three-way handshake and the password travels only as ciphertext (an MD5 digest). In CHAP, the dial-up user sends the user name to the access server, the access server sends a random challenge packet to the dial-up user, and the dial-up user computes an MD5 digest over its own password and the challenge and returns that digest. The access server takes the user's password obtained from the RADIUS server and the same random packet, computes the MD5 digest in the same way, compares the two digests, and returns an authentication success or failure response based on the result.
The access server and the RADIUS server protect their communication with a shared key.
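The CHAP exchange described above (challenge, MD5 digest, comparison on the access server), written out as an added example that is not part of the original text. It follows MD5-CHAP as specified in RFC 1994, where the digest covers the CHAP identifier byte, the password and the challenge; the password, identifier and challenge values are constructed, and the function names are mine. It also shows why a captured response cannot be replayed against a fresh challenge.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the original text): the password the RADIUS
# user database holds for this user, and the CHAP identifier byte of one attempt.
USER_SECRET = b"s3cret-pass"
CHAP_ID = 0x2A


def chap_challenge(length: int = 16) -> bytes:
    """Access server side: generate a fresh random challenge for every attempt.

    Reusing a challenge would let a recorded response be replayed."""
    return os.urandom(length)


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """Dial-up user side (RFC 1994, MD5-CHAP): MD5 over ID || secret || challenge.

    The password itself never leaves the client; only this 16-byte digest does."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_verify(chap_id: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Access server side: recompute the digest with the password obtained from the
    RADIUS server and the challenge it issued, then compare in constant time."""
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(client_secret: bytes, server_secret: bytes, chap_id: int = CHAP_ID) -> bool:
    """Run the three-way handshake: Challenge -> Response -> Success/Failure.

    Returns True when the access server would send Success, False for Failure."""
    challenge = chap_challenge()                                      # 1. server -> client
    response = chap_response(chap_id, client_secret, challenge)       # 2. client -> server
    return chap_verify(chap_id, server_secret, challenge, response)   # 3. server decides


if __name__ == "__main__":
    print("matching password:", chap_exchange(USER_SECRET, USER_SECRET))   # True
    print("wrong password:   ", chap_exchange(USER_SECRET, b"wrong-pass"))  # False
```

Because the digest is a plain MD5 over the secret, the server needs the clear-text password (or must pass the challenge and response on to RADIUS in the CHAP-Challenge and CHAP-Password attributes); this is the reason CHAP cannot be used with a user store that keeps only hashed passwords.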
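How the shared key between the access server and the RADIUS server actually protects the PAP credentials in transit, as an added example that is not part of the original text. It implements two mechanisms from RFC 2865: the User-Password attribute hiding (section 5.2), where the password is XORed with an MD5 chain keyed by the shared secret and the random Request Authenticator, and the Response Authenticator (section 3), which the access server recomputes to reject replies forged without the secret. The secret, password and identifier values are constructed; the function names are mine.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the original text).
SHARED_SECRET = b"radius-shared-key"   # configured on both access server and RADIUS server
PAP_PASSWORD = b"dialup-pw"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Access server side (RFC 2865 section 5.2).

    The PAP password is zero-padded to a multiple of 16 octets and each block is
    XORed with MD5(secret + previous block), the first block using the 16-byte
    Request Authenticator that the access server picked at random."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out = b""
    prev = request_auth
    for i in range(0, len(padded), 16):
        b_i = hashlib.md5(secret + prev).digest()
        c_i = _xor(padded[i:i + 16], b_i)
        out += c_i
        prev = c_i
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RADIUS server side: undo the chain, then strip the zero padding.

    A password that itself ends in NUL bytes would lose them here; RFC 2865
    leaves that ambiguity in place, so such passwords should be avoided."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = b""
    prev = request_auth
    for i in range(0, len(hidden), 16):
        c_i = hidden[i:i + 16]
        out += _xor(c_i, hashlib.md5(secret + prev).digest())
        prev = c_i
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    The RADIUS server places this in the reply header; the access server recomputes
    it with its own copy of the secret and the Request Authenticator it sent."""
    length = 20 + len(attributes)                     # 20-byte header plus attributes
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_reply(code: int, identifier: int, attributes: bytes, request_auth: bytes,
                 secret: bytes, received_auth: bytes) -> bool:
    """Access server side: accept the reply only if its authenticator matches."""
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)


def pap_round_trip(password: bytes, nas_secret: bytes, server_secret: bytes) -> tuple:
    """One Access-Request / Access-Accept exchange between access server and RADIUS.

    Returns (password as the server recovered it, whether the NAS accepts the reply).
    Using different secrets on the two sides models a misconfigured or rogue peer."""
    request_auth = os.urandom(16)                                    # NAS picks a nonce
    hidden = hide_user_password(password, nas_secret, request_auth)  # NAS -> RADIUS
    recovered = reveal_user_password(hidden, server_secret, request_auth)
    accept_code, identifier, attrs = 2, 7, b""                       # Access-Accept, no AVPs
    reply_auth = response_authenticator(accept_code, identifier, attrs, request_auth, server_secret)
    return recovered, verify_reply(accept_code, identifier, attrs, request_auth, nas_secret, reply_auth)


if __name__ == "__main__":
    print(pap_round_trip(PAP_PASSWORD, SHARED_SECRET, SHARED_SECRET))  # (b'dialup-pw', True)
```

Note that only the User-Password attribute is hidden; the user name and other attributes travel in the clear, which is why RADIUS traffic is normally confined to a management network or carried over IPsec.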
In the authentication phase, if an IP address is configured for the user name in the user database, the RADIUS server returns that IP address to the access server as the address the user will use to access the Internet.
If no IP address was obtained in the authentication phase, the IP address must be negotiated in the IPCP phase. A carrier providing access services normally holds a batch of IP addresses, the IP address pool, from which the addresses users need to access the Internet are taken: when a user goes online, an address is assigned from the pool, and when the user goes offline the address is returned to it. When the carrier activates the access service, it configures the IP address pool on the access server. In the IPCP phase, the access server allocates an idle IP address from the pool to the user as the address for accessing the Internet. If no IP address is available, IPCP negotiation fails and the PPP connection is closed; from the user's point of view the dial-up fails, and the ISP cannot provide the access service to that user.
Authentication and IP address allocation in PPP resumption
After LCP negotiation ends, if the RADIUS server determines that this is a VPN user, the access server creates a session to the LNS for this user, setting up a tunnel first if none exists. There are two authentication models: one-time authentication and two-time authentication.
In one-time authentication, authentication is performed only once, on the RADIUS server of the LAC; the LNS trusts the LAC's RADIUS server. The user's IP address can be specified by the LAC's RADIUS server or obtained by IPCP negotiation between the user and the LNS.
In two-time authentication, the user must enter a user name and password twice: once for permission to access the Internet and once for permission to access the VPN. During authentication, the RADIUS server of the LAC and the RADIUS server of the LNS must work together. The IP address can be specified by the LNS's RADIUS server or obtained by IPCP negotiation between the user and the LNS.
RADIUS protocol extension
To achieve more comprehensive user management, at least the following attributes should be added to the RADIUS protocol: the user's access bandwidth and the PVC used for user access. If users need to communicate with each other, the user name or IP address of the peer should also be specified. Both client and server support