Raisecom
ISCOM2600G-HI (A) Series Configuration Guide
10 Security
Raisecom Proprietary and Confidential
Copyright © Raisecom Technology Co., Ltd.
server cannot match with the configured one, authentication will fail. This helps prevent
unauthorized users from stealing the accounts of legitimate users to access the network.
The PPPoE protocol adopts Client/Server mode, as shown in Figure 10-11. The Switch acts as
a relay agent. Users access the network through PPPoE authentication. If the PPPoE server
needs to locate users, more information should be contained in the authentication packet.
Figure 10-11 Accessing the network through PPPoE authentication
To access the network through PPPoE authentication, a client passes through the following
2 stages: the discovery stage (authentication stage) and the session stage. PPPoE+ is used to
process packets at the discovery stage. The following steps show the whole discovery stage.
Step 1
To access the network through PPPoE authentication, the client broadcasts a PPPoE Active
Discovery Initiation (PADI) packet. This packet is used to query the authentication
server.
Step 2
After receiving the PADI packet, the authentication server replies with a unicast PPPoE
Active Discovery Offer (PADO) packet.
Step 3
If multiple authentication servers reply with PADO packets, the client selects one of them and
then sends a unicast PPPoE Active Discovery Request (PADR) packet to that authentication server.
Step 4
After receiving the PADR packet, if the authentication server believes that the user is legitimate, it
sends a unicast PPPoE Active Discovery Session-confirmation (PADS) packet to the client.
PPPoE+ is used to add user identification information into PADI and PADR packets. Therefore, the
server can check whether the user identification information matches the user account
for assigning resources.
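The following Python sketch is an added example, not Raisecom code: it shows a relay agent inserting identification into PADI/PADR packets and a server extracting it. It assumes the information is carried as Circuit ID and Remote ID sub-options in an RFC 2516 Vendor-Specific tag (TR-101 style encoding), which this page does not specify; all function names are hypothetical.

```python
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65  # RFC 2516 discovery codes
TAG_VENDOR, DSL_FORUM = 0x0105, 3561   # Vendor-Specific tag; IANA enterprise number
SUB_CIRCUIT, SUB_REMOTE = 0x01, 0x02   # TR-101 sub-options (assumed encoding)

def build(code, tags):
    """PPPoE discovery payload (bytes after the 0x8863 Ethernet header), session 0."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, 0, len(body)) + body

def parse(payload):
    """Return (code, [(tag_type, value), ...]); raise ValueError on bad lengths."""
    if len(payload) < 6:
        raise ValueError("short PPPoE header")
    vt, code, _sid, length = struct.unpack("!BBHH", payload[:6])
    body, tags, i = payload[6:6 + length], [], 0
    if vt != 0x11 or len(body) != length:
        raise ValueError("bad PPPoE header")
    while i < len(body):
        # Padding a short tag header is safe: the overrun check below rejects it.
        t, n = struct.unpack("!HH", body[i:i + 4].ljust(4, b"\0"))
        if i + 4 + n > len(body):
            raise ValueError("truncated tag")
        tags.append((t, body[i + 4:i + 4 + n]))
        i += 4 + n
    return code, tags

def is_line_tag(t, v):
    return t == TAG_VENDOR and v[:4] == struct.pack("!I", DSL_FORUM)

def relay(payload, circuit_id, remote_id):
    """Relay-agent step: tag PADI/PADR only, replacing any client-supplied copy."""
    code, tags = parse(payload)
    if code not in (PADI, PADR):
        return payload
    subs = b"".join(bytes([s, len(x)]) + x
                    for s, x in ((SUB_CIRCUIT, circuit_id), (SUB_REMOTE, remote_id)))
    kept = [(t, v) for t, v in tags if not is_line_tag(t, v)]
    return build(code, kept + [(TAG_VENDOR, struct.pack("!I", DSL_FORUM) + subs)])

def line_id(payload):
    """Server step: {sub-option: value} from the relay's tag, or {} if absent."""
    out = {}
    for t, v in parse(payload)[1]:
        i = 4 if is_line_tag(t, v) else len(v)
        while i + 2 <= len(v):
            out[v[i]] = v[i + 2:i + 2 + v[i + 1]]
            i += 2 + v[i + 1]
    return out
```

Dropping a client-supplied copy of the tag before inserting the relay's own is a design choice of this example, so that the server only ever sees identification written by the switch.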
10.9.2 Preparing for configurations
Scenario
To prevent unauthorized client access during PPPoE authentication, you need to configure PPPoE+
to add additional user identification information to PPPoE packets for network security.
Because the added user identification information is tied to the specified switch and
interface, the authentication server can bind the user to that switch and interface, which
effectively prevents account sharing and theft and helps users enhance network
security.