John,

The concern for PPPoE is whether client sessions will re-establish automatically after disconnects of the link. For example, if a Pre-N Belkin router is used for an end user link, and I disconnect their service, for example by rebooting a Trango AP at the cell site or from significant packet loss causing the link to degrade for too long a period, the Belkin will NOT try to re-establish the PPPoE connection until the Belkin router is physically rebooted. This was a problem for us, because it generated support calls to get users back up after a reboot of our APs, and often customers would experience much longer outages before they realized they just needed to reboot their own in-house Belkin router. We also ran into this with several Netgear router models. What you want is a router that tries to log in automatically and continuously if it loses connection. Our Linksys routers work great, and auto-reconnect with no problems. So PPPoE had created an issue where we had to dictate what equipment an end user could use on our network, if we set them up as PPPoE.

PPPoE is a tunnel client-to-server protocol, so both a server and client need to be aware of whether a session is connected or disconnected, and it can be disconnected from either side. This timeout for disconnect can be set on the server side. For example, if you set a disconnect time of 5 seconds at the server, if there is some packet loss, the server might terminate a session prematurely waiting for communication that it never receives from the CPE at that time, and then the client router does not know that the connection is terminated and doesn't know to try to re-establish a connection because it does not know it's down, or at least not for a period of time. So you don't want the timeout at the server to be too small. Now if you make the timeout large, let's say 1 minute. If there is packet loss, and the client thinks the connection has been terminated because of its inability to get to the server for a short period, it will disconnect and try to re-establish a connection, however it will not be able to for 1 minute. This is because the server thinks the original session is still active and will not clear the original session to allow the next session to reconnect, and two sessions are not allowed at the same time. This can cause outages longer than normal, where a 5 second outage turns into a 1 minute outage. Not a big deal for residential, but for business where the links may be monitored by third parties, it can be an added pain in the neck. The problem can be solved by allowing multiple connections of a PPPoE login, but then there is a security issue where two people can connect at the same time with the same password. These problems are not a big deal to deal with, you just need to be aware of them for designing your PPPoE system.

When PPPoE is established, you cannot access the client via an arping, because the protocol does not support that. I forget the exact technical explanation, but it's something like it does support broadcasts because it's not using TCP/IP at that point, it's using its own protocol at layer two for communication. So to tell if a client is up, you do it by monitoring the session logs at the server.

We do the PPPoE server apps at the first hop. We do the authentication at the cell router with our own implementation that integrates to our router provisioning system, but most people have it relay to a remote authentication system centrally, such as a RADIUS server.

PPPoE now means every client needs either a PPPoE router or software loaded that supports PPPoE. Many represent that XP's built-in PPPoE support works well, but we don't use it yet.

PPPoE does reduce the packet size, so it is no longer a full 1500 bytes. So end users sometimes need to configure their VPN software, if using one, to adjust for that situation, an added headache. However, most VPNs we tested pass through PPPoE OK.

PPPoE also does have significant overhead. You could limit the total number of connections you can support, because of the bandwidth that is wasted for the tunneling protocol. However, I do not remember what that limit is; we have not hit it yet. But that is why we operate the PPPoE server at the first hop, to reduce the PPPoE server traffic/overhead across the network; it also makes it more reliable for session management. The more links, and packet loss possible end to end, increases the chance of session disconnects. The fact that many hops may be needed to get to the authentication system (RADIUS) really doesn't matter because it's not part of the client-server session end to end.

We have chosen not to use PPPoE because of these issues, except for some residential customers that are required to use Linksys routers. However, I'm aware of some ISPs that have successfully used PPPoE as a protocol for EVERY customer as a requirement. They generally do it to ease their management. You no longer need to be aware of the path a customer takes to connect to the network because the routes will be auto-created wherever the customer connects from. For example, if you have a three-sector cell site, clients could connect from any sector without your reconfiguration of the PPPoE for the client, so redundancy could be built in very easily. Whereas with a routed connection to a client from a specific sector, if they change sectors, I need to change my routing for them. The trade-off is, when I manually route, I am always aware of what path the customer travels so I can monitor their link path for reliability; with PPPoE, if they complain about performance, I really don't know what path an end user took after a session gets disconnected.

I do not have a recommendation on whether PPPoE should or shouldn't be used for your implementation, but those are some things for you to consider when making the determination.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
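
An added example, not part of the original message: a small Python model of the timeout trade-off described in the reply above, covering the short server timeout, the long server timeout with one session per login, the multiple-session workaround, and a CPE that never redials. The `Policy` fields, the client-side timeout values and the scenario numbers are assumptions chosen for illustration; handshake time is ignored.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    server_timeout: float        # seconds of silence before the server clears a session
    client_timeout: float        # seconds of silence before the CPE gives up (assumed value)
    auto_reconnect: bool = True  # CPE redials on its own after it notices the drop
    single_session: bool = True  # server refuses a second session for the same login

def outage_seconds(burst: float, p: Policy) -> float:
    """Service outage caused by `burst` seconds of total packet loss starting at t=0."""
    # Neither side times out: the session survives and only the burst is lost.
    if burst < min(p.server_timeout, p.client_timeout):
        return burst
    # The session is broken on at least one side. A CPE that never redials
    # stays down until someone reboots it.
    if not p.auto_reconnect:
        return math.inf
    # The CPE only redials once it has noticed the silence and the link is back.
    redial_at = max(burst, p.client_timeout)
    # With one session per login, the server rejects the redial until it has
    # cleared the stale session at server_timeout.
    accept_at = p.server_timeout if p.single_session else 0.0
    return max(redial_at, accept_at)

# Constructed scenarios: (burst seconds, policy)
SCENARIOS = {
    "short blip, nobody times out": (2, Policy(60, 30)),
    "server timeout 5 s, CPE notices late": (6, Policy(5, 30)),
    "server timeout 60 s, one session per login": (5, Policy(60, 3)),
    "server timeout 60 s, multiple sessions allowed": (5, Policy(60, 3, single_session=False)),
    "CPE that never redials": (6, Policy(5, 30, auto_reconnect=False)),
}

def run_scenarios() -> dict:
    return {name: outage_seconds(burst, pol) for name, (burst, pol) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, outage in run_scenarios().items():
        print(f"{name:48s} outage = {outage} s")
```

The multiple-session row shows the shortest recovery, at the cost the reply names: the same login can then be active from two places at once, so that setting trades recovery time for weaker control over credential sharing.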


----- Original Message -----
From: "John Scrivner" <[EMAIL PROTECTED]>
To: <wireless@wispa.org>
Sent: Wednesday, November 30, 2005 10:54 AM
Subject: [WISPA] Ethernet based authentication


Anyone out there have experience with PPPoE? I have a client who is a local government entity. They have people who have abused their Internet connection in the past. They restrict who has Internet access and when it can be used. One of our techs unknowingly circumvented protocol by helping an employee learn how to connect his personal laptop to the hardwired Ethernet network. Now the government entity is highly peeved at me. They want a complete report on the incident and a plan for how I will prevent people from doing this in the future at all locations. I am thinking we can use PPPoE to force all users even on the hardwired network to authenticate in order to get on the Internet. What are your thoughts? What will this break on an internal network that may be doing other things? Could an internal Windows network still function normally while the computer is not authenticated for Internet access? I have never done PPPoE and need a little guidance from those of you who have.
Many thanks,
Scriv
--
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/

