Hindsight being what it is, we would have likely had a separate account/password for the PPP account.
I guess we could theoretically have two layers of RADIUS checking, the first layer being the application-layer username/password, and failing that, the original username/password that we assigned to the PPP device.

Frank

-----Original Message-----
From: Sean Donelan [mailto:[email protected]]
Sent: Saturday, October 31, 2009 3:14 PM
To: NANOG list
Subject: RE: PPPoE vs. Bridged ADSL

On Thu, 29 Oct 2009, Frank Bulk - iName.com wrote:
> Others commented on things I already had in mind only the username/password
> thing of PPPoE. We use the same username/pw on the modem as the customer
> uses for their e-mail, so a password change necessitates a truck roll (I
> know, I know, TR-069). We started with PPPoE for our FTTH, because we were
> familiar with it, but we moved over to a "VLAN per service" model which ends
> up something like RBE in function. We can track customers based on the
> Option 82 info, so we're good to go in terms of tracking them.

You can have a "network username/password" for the customer different from the mail and other application-layer username/password. Some ISPs did that in the dial-up days, and also with PPPOx. The network account information is configured in the dialer or router/modem; and most users never need to know the network-layer stuff. The user can change their mail/application password (and use it for off-network access) without affecting their network-layer password. The same network account may have multiple mail/application accounts associated with it.

It also helps in the debate whether you store irreversible passwords or cleartext passwords for things like CHAP/PAP; need to split accounts because people change households; network re-architecture moves circuits around or users move and re-associating the connections with the correct accounts. Yep, I sometimes found two households with swapped VPI/VCI, VLAN or PORT identifiers because someone/something made a data entry or circuit termination mistake.
I like a combination of 802.1x and Option 82 as a way of cross-checking, and layer 2/3 anti-spoof protection. I also like handling network things mostly at the network/hardware level, separate from the application layer identity so the user changes aren't affected. But there are almost always multiple ways to solve a problem.
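The two ideas in this thread, a two-layer credential check (application account first, then the PPP device account) and the CHAP/PAP storage question, can be shown together with a small model of the lookup a RADIUS server's backend would do. The code below is an added example written for this page; it is not from the thread, from NANOG, or from any RADIUS implementation, and it does not speak the RADIUS protocol itself. The account names, secrets and challenge bytes are constructed. The application store keeps only a salted PBKDF2 hash, which is enough for PAP because PAP delivers the cleartext password; the network store keeps the secret itself because CHAP-MD5 (RFC 1994) requires the verifier to recompute MD5(id || secret || challenge). That difference is why CHAP can never be satisfied by the hash-only application account, and why separating the two accounts resolves the storage debate Sean mentions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Application-layer (mail) accounts: username -> (salt, PBKDF2-SHA256 digest).
# Only a one-way hash is stored, as you would for any web/mail login.
APP_ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {}

# Network-layer (PPP device) accounts: username -> secret bytes.
# Stored reversibly on purpose: CHAP cannot be verified from a hash.
NET_ACCOUNTS: Dict[str, bytes] = {}

PBKDF2_ROUNDS = 100_000


def add_app_account(user: str, password: str) -> None:
    """Store an application password as salt + PBKDF2-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    APP_ACCOUNTS[user] = (salt, digest)


def add_net_account(user: str, secret: str) -> None:
    """Store the PPP device secret itself (CHAP needs it in the clear)."""
    NET_ACCOUNTS[user] = secret.encode()


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response exactly as the peer computes it (RFC 1994, section 4.1):
    MD5 over the one-octet identifier, the secret, and the challenge value."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def verify_pap(user: str, password: str) -> Optional[str]:
    """Two-layer PAP check: application account first, then the PPP device account.
    Returns the layer that matched ('application' or 'network'), or None."""
    record = APP_ACCOUNTS.get(user)
    if record is not None:
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, stored):
            return "application"
    secret = NET_ACCOUNTS.get(user)
    if secret is not None and hmac.compare_digest(secret, password.encode()):
        return "network"
    return None


def verify_chap(user: str, ident: int, challenge: bytes, response: bytes) -> Optional[str]:
    """CHAP check. Only the network store can answer: the application store holds
    a one-way hash, so the expected response cannot be recomputed from it."""
    secret = NET_ACCOUNTS.get(user)
    if secret is None:
        return None
    expected = chap_response(ident, secret, challenge)
    return "network" if hmac.compare_digest(expected, response) else None


def seed_constructed_accounts() -> None:
    """Constructed sample data for the demonstration (not real credentials)."""
    APP_ACCOUNTS.clear()
    NET_ACCOUNTS.clear()
    add_app_account("customer1", "mail-password-constructed")
    add_net_account("customer1", "ppp-device-secret-constructed")


if __name__ == "__main__":
    seed_constructed_accounts()
    challenge = bytes(range(16))  # constructed 16-byte challenge
    good = chap_response(7, b"ppp-device-secret-constructed", challenge)
    bad = chap_response(7, b"mail-password-constructed", challenge)
    print("PAP with mail password  :", verify_pap("customer1", "mail-password-constructed"))
    print("PAP with device secret  :", verify_pap("customer1", "ppp-device-secret-constructed"))
    print("CHAP with device secret :", verify_chap("customer1", 7, challenge, good))
    print("CHAP with mail password :", verify_chap("customer1", 7, challenge, bad))
```

The fallback order mirrors Frank's suggestion: a customer who types their mail password into the modem still gets on, and a device provisioned with its own network secret keeps working after the customer changes the mail password. Running the CHAP path against the mail password fails even when the password is right, which is the storage tension the thread describes and the reason the network account is worth keeping separate.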

