Page MenuHomeVyOS Platform

IPoE server with mac authentication generates a wrong dictionary
Open, Requires assessmentPublicBUG

Description

Report from the forum
IPoE server with mac authentication generates a wrong dictionary
Example of configuration:

set service ipoe-server authentication interface eth1.50 mac-address 00:0c:29:67:ad:e1 vlan-id '50'
set service ipoe-server authentication interface eth1.51 mac-address 00:0c:29:0a:ef:70 vlan-id '51'
set service ipoe-server authentication mode 'local'
set service ipoe-server client-ipv6-pool delegate 2001:db8:8002::/48 delegation-prefix '56'
set service ipoe-server client-ipv6-pool prefix 2001:db8:8001::/48 mask '64'
set service ipoe-server interface eth1.50 client-subnet '172.16.50.0/24'
set service ipoe-server interface eth1.51 client-subnet '172.16.98.0/24'
set service ipoe-server name-server '10.17.6.120'
set service ipoe-server name-server '8.8.8.8'
set service ipoe-server name-server '2001:4860:4860::8888'
set service ipoe-server name-server '2001:4860:4860::8844'

In the commit we don't see mac list for eth1.51

[email protected]# commit
[ service ipoe-server ]
DEBUG: interface: eth1.50, mac: 00:0c:29:67:ad:e1
{'auth_interfaces': [{'mac': [{'address': '00:0c:29:67:ad:e1',
                               'rate_download': '',
                               'rate_upload': '',
                               'vlan': '50',
                               'vlan_id': ''}],
                      'name': 'eth1.50'},
                     {'mac': [], 'name': 'eth1.51'}],
 'auth_mode': 'local',
 'chap_secrets_file': '/run/accel-pppd/ipoe.chap-secrets',
 'client_ipv6_delegate_prefix': [{'mask': '56',
                                  'prefix': '2001:db8:8002::/48'}],
 'client_ipv6_pool': [{'mask': '64', 'prefix': '2001:db8:8001::/48'}],
 'client_named_ip_pool': [],
 'dnsv4': ['10.17.6.120', '8.8.8.8'],
 'dnsv6': ['2001:4860:4860::8888', '2001:4860:4860::8844'],
 'interfaces': [{'ifcfg': '1',
                 'mode': 'L2',
                 'name': 'eth4.50',
                 'range': '172.16.50.0/24',
                 'sess_start': 'dhcpv4',
                 'shared': '1',
                 'vlan_mon': []},
                {'ifcfg': '1',
                 'mode': 'L2',
                 'name': 'eth4.51',
                 'range': '172.16.98.0/24',
                 'sess_start': 'dhcpv4',
                 'shared': '1',
                 'vlan_mon': []}],
 'radius_acct_inter_jitter': '',
 'radius_acct_tmo': '3',
 'radius_dynamic_author': '',
 'radius_max_try': '3',
 'radius_nas_id': '',
 'radius_nas_ip': '',
 'radius_server': [],
 'radius_shaper_attr': '',
 'radius_shaper_enable': False,
 'radius_shaper_multiplier': '',
 'radius_shaper_vendor': '',
 'radius_source_address': '',
 'radius_timeout': '3',
 'thread_cnt': 2}

[edit]
[email protected]#

As a result chap-secrets file incorrect

[email protected]# sudo cat /run/accel-pppd/ipoe.chap-secrets
# username  server  password  acceptable local IP addresses   shaper
eth1.50 * 00:0c:29:67:ad:e1  *
[edit]
[email protected]#

Possible reason wrong list build here https://github.com/vyos/vyos-1x/blob/bdd7f6be4afae6dd8ccefede5de809f9bb73ee1d/src/conf_mode/service_ipoe-server.py#L120-L146

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202209020217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Needs to check, maybe fixed with rewriting in T4678

This issue also present in 1.3.0-1.3.2. Latest rolling 1.4-rolling-202210040218 also affected, it has empty user list in chap-secrets

[email protected]:~$ sudo cat /run/accel-pppd/ipoe.chap-secrets 
# username  server  password  acceptable local IP addresses   shaper
[email protected]:~$

Update: latest rolling has a bit different syntax. I think users just not migrated properly on update. After adding

set service ipoe-server authentication interface eth1.50 mac 00:50:79:66:68:03
set service ipoe-server authentication interface eth1.51 mac 00:50:79:66:68:04

I see that chap-secrets file generated properly and users getsIPs

[email protected]# sudo cat /run/accel-pppd/ipoe.chap-secrets 
# username  server  password  acceptable local IP addresses   shaper
eth1.50     * 00:50:79:66:68:03 * 
eth1.51     * 00:50:79:66:68:04
[email protected]# run show ipoe-server sessions 
ifname | username |    calling-sid    |     ip      | rate-limit | type | comp | state  |  uptime  
--------+----------+-------------------+-------------+------------+------+------+--------+----------
 ipoe0  | eth1.50  | 00:50:79:66:68:03 | 172.16.50.2 |            | ipoe |      | active | 00:05:21 
 ipoe1  | eth1.51  | 00:50:79:66:68:04 | 172.16.98.2 |            | ipoe |      | active | 00:03:43

Hi @Dmitry,

I just checked based on your comment and I can also confirm that with 1.4-rolling-202210050218 (using also different syntax) is working perfectly with the authentication.

[email protected]:~$ sudo cat /run/accel-pppd/ipoe.chap-secrets
# username  server  password  acceptable local IP addresses   shaper
eth4.50     * 00:0c:29:b7:49:a7 *
eth4.51     * 00:0c:29:b7:49:a7 *


[email protected]:~$ sh ipoe-server sessions
ifname | username |    calling-sid    |     ip      | rate-limit | type | comp | state  |  uptime
--------+----------+-------------------+-------------+------------+------+------+--------+----------
 ipoe0  | eth4.50  | 00:0c:29:b7:49:a7 | 172.16.50.2 |            | ipoe |      | active | 00:08:52
 ipoe1  | eth4.51  | 00:0c:29:b7:49:a7 | 172.16.98.2 |            | ipoe |      | active | 00:08:51

As additional information it was not an update with migration in place but direct installation of a rolling release and using the syntax command available in that release (1.4-rolling-202209060217)