Hindsight being what it is, we would have likely had a separate account/password for the PPP account. I guess we could theoretically have two layers of RADIUS checking, the first layer being the application-layer username/password, and failing that, the original username/password that we assigned to the PPP device. Frank -----Original Message----- From: Sean Donelan [mailto:sean@donelan.com] Sent: Saturday, October 31, 2009 3:14 PM To: NANOG list Subject: RE: PPPoE vs. Bridged ADSL On Thu, 29 Oct 2009, Frank Bulk - iName.com wrote:
Others commented on things I already had in mind only the username/password thing of PPPoE. We use the same username/pw on the modem as the customer users for their e-mail, so a password change necessitates a truck roll (I know, I know, TR-069). We started with PPPoE for our FTTH, because we were familiar with it, but we moved over to a "VLAN per service" model which ends up something like RBE in function. We can track customers based on the Option 82 info, so we're good to go in terms of tracking them.
You can have a "network username/password" for the customer different from the mail and other application-layer username/password. Some ISPs did that in the dial-up days, and also with PPPOx. The network account information is configured in the dialer or router/modem; and most users never need to know the network-layer stuff. The user can change their mail/application password (and use it for off-network access) without affecting their network-layer pasword. The same network account may have multiple mail/application accounts associated with it. It also helps in the debate whether you store unreversable passwords or cleartext passwords for things like CHAP/PAP; need to split accounts because people change households; network re-architecture moves circuits around or users move and re-associating the connections with the correct accounts. Yep, I sometimes found two households with swapped VPI/VCI, VLAN or PORT identifiers because someone/something made a data entry or circuit termination mistake. I like a combination of 802.1x and Option 82 as way of cross-checking, and layer 2/3 anti-spoof protection. I also like handling network things mostly at the network/hardware level, separate from the application layer identity so the user changes aren't affected. But there are almost always multiple ways to solve a problem.