
PPPOE authentication with Plusnet FTTP not working

witherford
Rising Star
Posts: 81
Thanks: 16
Registered: ‎19-07-2019

PPPOE authentication with Plusnet FTTP not working

Hi, I wonder if someone from Plusnet can help, as the telephone support has been useless. The "back office" staff have said I need to take the issue to my firewall vendor; however, the issue isn't with the firewall 😐

Below is the issue:

It's a weird one. I have a Palo Alto firewall connected directly to the ONT provided by BT and I am trying to get FTTP broadband working using PPPOE. The interface on the PA-220 that is connected to the ONT (ethernet 1/1) is configured to use PPPOE; however, the interface does not obtain a public IP address. The username and password are correct: I can test that they are correct by logging into my Plusnet account online, or by using the Plusnet-provided router and ensuring it is configured to use the username and password, which are identical to the ones entered on the Palo Alto firewall. When using the Plusnet router, which I am now, it works just fine.

However, the logs show an authentication failure. I have also changed the password, and still no luck.

 

Initiate connection:

PPPoE session was initiated for user:xxxxxxxx@plusdsl.net on interface:ethernet1/1

 

Error:

PPPoE session failed to connect for user:xxxxxxx@plusdsl.net on interface:ethernet1/1. Reason: Failed to authenticate ourselves to peer, LCP down

 

I have attached a couple of packet capture screenshots. The CHAP authentication is failing for some reason: the hashed response my end is sending back to the access concentrator on the Plusnet or BT network is not matching what the access concentrator is expecting.

The access concentrator in question is: acc-aln2.nao

106 REPLIES 106
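
An added example, not part of any post in this thread: a check that recomputes the CHAP response from a captured Challenge/Response pair, to tell whether the client hashed the configured secret. It assumes CHAP with MD5 as defined in RFC 1994 and raw CHAP bytes starting at the Code field; the packets, names and password below are constructed samples, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

CHALLENGE, RESPONSE = 1, 2  # CHAP codes, RFC 1994 section 4.1

def build(code, ident, value, name):
    """Encode a CHAP packet; used here only to construct sample input."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(payload):
    """Return (code, identifier, value, name) from raw CHAP bytes."""
    if len(payload) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code not in (CHALLENGE, RESPONSE):
        raise ValueError(f"not a Challenge or Response (code {code})")
    vsize = payload[4]
    if not 5 + vsize <= length <= len(payload):
        raise ValueError("inconsistent Length or Value-Size field")
    # Bytes after Length are Ethernet padding and are ignored.
    return code, ident, payload[5:5 + vsize], payload[5 + vsize:length]

def expected_response(ident, secret, challenge):
    """CHAP with MD5: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def diagnose(challenge_pkt, response_pkt, secret):
    c_code, c_id, c_val, _ = parse_chap(challenge_pkt)
    r_code, r_id, r_val, r_name = parse_chap(response_pkt)
    if (c_code, r_code) != (CHALLENGE, RESPONSE):
        return "expected a Challenge followed by a Response"
    if c_id != r_id:
        return "identifier mismatch: response answers a different challenge"
    if len(r_val) != 16:
        return "response value is not 16 bytes: not an MD5 CHAP response"
    if hmac.compare_digest(r_val, expected_response(c_id, secret, c_val)):
        return "match: client hashed this secret, name=" + r_name.decode("latin-1")
    return "hash mismatch: client hashed a different secret"

# Constructed sample packets (not taken from the thread's capture).
CHAL = build(CHALLENGE, 7, bytes(range(16)), b"sample-ac")
RESP = build(RESPONSE, 7, expected_response(7, b"Passw0rd", bytes(range(16))),
             b"user@example.net")

if __name__ == "__main__":
    print(diagnose(CHAL, RESP, b"Passw0rd"))      # secret as configured
    print(diagnose(CHAL, RESP, b"Passw0rd "))     # trailing space changes the hash
```

A match means the client hashed the secret you supplied, so a rejection would have to come from the peer's side; a mismatch means the device hashed something other than the password as typed, for example an altered or truncated form of it.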
witherford
Rising Star
Posts: 81
Thanks: 16
Registered: ‎19-07-2019

Re: PPPOE authentication with Plusnet FTTP not working

Other file attached

Dan_the_Van
Aspiring Hero
Posts: 2,484
Thanks: 1,117
Fixes: 73
Registered: ‎25-06-2007

Re: PPPOE authentication with Plusnet FTTP not working

Have you by chance enabled VLAN 101 on your router, as this is not required for the ONT?

HTH

witherford
Rising Star
Posts: 81
Thanks: 16
Registered: ‎19-07-2019

Re: PPPOE authentication with Plusnet FTTP not working

No, the Palo Altos do not allow you to define a VLAN for PPPOE interfaces; the traffic is sent untagged.

RichardB
Seasoned Champion
Posts: 1,038
Thanks: 385
Fixes: 39
Registered: ‎19-11-2008

Re: PPPOE authentication with Plusnet FTTP not working

Hi witherford

Are any of the characters which can't be used shown in:

https://www.plus.net/help/archive/other/username-and-password-security/

used in the password?

Regards

Richard

Dan_the_Van
Aspiring Hero
Posts: 2,484
Thanks: 1,117
Fixes: 73
Registered: ‎25-06-2007

Re: PPPOE authentication with Plusnet FTTP not working

My thinking was also around the password makeup, although the current one works with a plusnet router.

I was going to suggest using a simple password as a test, alpha and numeric characters only.

Dan

 

MisterW
Superuser
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: PPPOE authentication with Plusnet FTTP not working

It looks like the pppoe client on the pa220 may not support mschapv2 https://www.reddit.com/r/paloaltonetworks/comments/b9ar1m/help_pa220_and_pppoe_mschapv2/

 

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

witherford
Rising Star
Posts: 81
Thanks: 16
Registered: ‎19-07-2019

Re: PPPOE authentication with Plusnet FTTP not working

Thanks for the info; however, one thing I forgot to add: the same PA-220 worked fine on Plusnet fibre VDSL (copper to the premises) using the same username and password. It's only as I have switched over to FTTP that it is not working.

MisterW
Superuser
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: PPPOE authentication with Plusnet FTTP not working

Ah! I'm assuming you had a modem in front of the PA-220 then. Was the 220 configured for PPPoE in that setup?

In which case it should have worked with no change to the configuration.

I can assure you there is no problem with PPPoE on FTTP,

I use a TP-Link ER605 on my FTTP connection.

Are you absolutely sure there is no VLAN ID being set on the 220?

That's the main difference between FTTC and FTTP: FTTC used VLAN ID 101 whereas FTTP does not use a VLAN ID.

Having said that, the VLAN ID is usually handled by the modem, so even on FTTC the router doesn't need it.

 

 


witherford
Rising Star
Posts: 81
Thanks: 16
Registered: ‎19-07-2019

Re: PPPOE authentication with Plusnet FTTP not working

I did have a modem, yes, to handle the RJ11 connectivity to the master socket, as the PA-220 does not have that built in.

I agree it should work with no change to the configuration.

Yes, PPPOE worked just fine with the setup on VDSL through the modem.

Yes, the traffic is being sent without a VLAN tag. I have referred to the Ethernet section of the packet payload within the packet captures and there are no 802.1Q headers anywhere.

 

The physical setup I am trying at the moment is:

Palo Alto ethernet port 1/1, which is configured for PPPOE --> ONT RJ45 port. This to me should work just fine; both devices attempt PPPOE when connected this way, as the ONT is just acting as a Layer 2 bridge to the access concentrator.

 

The workaround I have is:

L3 P2P link between the Palo Alto and the Plusnet router, so ethernet 1/1 is configured with an IP on the 192.168.1.x range and connected into LAN port 1 on the Plusnet router. The Palo Alto then performs NAT of all outbound traffic behind the one IP address, which is then routed to the Plusnet router, which then NATs behind its public IP (so twice NAT).

This works fine, so there is something different about the Plusnet router authenticating with the remote end vs the Palo Alto, and it's not the username and password, so what is it? I have a suspicion that it might be an extra security measure such as MAC address authentication.

Can I ask on your device did you have to configure a MAC address anywhere or perform any kind of MAC address spoofing?

 

 

MisterW
Superuser
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: PPPOE authentication with Plusnet FTTP not working

"I have a suspicion that it might be an extra security measure such as MAC address authentication."

I can assure you there isn't. I have used a few different (third party) routers on my PN connection over the years.

"Can I ask on your device did you have to configure a MAC address anywhere or perform any kind of MAC address spoofing?"

No.

Attached my WAN configuration if it helps


witherford
Rising Star
Posts: 81
Thanks: 16
Registered: ‎19-07-2019

Re: PPPOE authentication with Plusnet FTTP not working

Cheers, if that is the case then I am going to dig out and try configuring one of my Cisco routers and see if that works. If the Cisco router works then it looks like it might be the firewall that is causing the problem.

witherford
Rising Star
Posts: 81
Thanks: 16
Registered: ‎19-07-2019

Re: PPPOE authentication with Plusnet FTTP not working

Are you connected to FTTP?

MisterW
Superuser
Superuser
Posts: 14,575
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: PPPOE authentication with Plusnet FTTP not working

Yes, a 900/115Mb connection.

Looking back at your log screenshots for the PPP setup, it looks like it's definitely failing CHAP authentication (you can ignore my previous comment re MS-CHAP v2).

The username it appears to be sending is 'name@plusdsl...'?? It should be 'name@plusdsl.net'. Does it really not have the .net, or is that just being dropped by the log?


witherford
Rising Star
Posts: 81
Thanks: 16
Registered: ‎19-07-2019

Re: PPPOE authentication with Plusnet FTTP not working

Dropped by the log; it does indeed have the full username.